A bit more of PE

Published on: Hack in Paris 2012
  1. a bit more of PE (since Hashdays)
     Ange Albertini, 22nd June 2012
  2. Author
     ● reverse engineer
       ● since DOS 3.21
     ● ashamed by a malware
     ● back to my studies
       ● shared on my site
  3. http://CORKAMI.com
  4. Fact → PoC
  5. made with love
     ● hand-made, from scratch
       ● (not patched, generated or compiled)
       ● tedious
         – full control
     ● pin-pointed
     ● crystal clear
     ● clean
  6. technical
  7. be nice to your friends
     ● no ads, log-in, pay-wall or columns
     ● BSD/CC BY licence
       ● reusable commercially
     ● free sources, using free tools
       ● reviews, comments, suggestions
     ● free binaries
       ● downloadable in one click
     ● free documents
       ● including all the graphics
  8. free
  9. goals
     ● advertisement
       ● for my own use
     ● a good reference
       ● learn. remember. teach.
     ● a meaningful test set
       ● failed all tools
       ● clean
  10. enough PoCs → Wiki page → presentation
  11. a graphic is worth 1000 lines of doc
  12. useful
  13. Ange ↔ Corkami: technical, free, useful
  14. Agenda
     1. What's a PE?
        ● yet another doc?
     2. Static oddities
     3. Dynamic oddities
  15. Introduction
  16. Portable Executable / Common Object File Format
  17. PE: universal Windows binary
  18. pe101.corkami.com
  19. questions?
  20. FASTEN YOUR SEATBELTS
  21. pe.corkami.com
  22. incomplete specs vs. reality of the OS
  23. FAIL
  24. is there a perfect documentation?
  25. Not at Microsoft, at least :)
  26. Other documentations?
     ● mostly based on existing files
     ● no PoCs anyway
       ● messy/limited/private
     Corkami's is perfect?
     ● no!
       – just a hobby
     ● explain everything
       – highlight oddities
  27. just to make sure
     standard PE:
     ● Sections
     ● EntryPoint
     ● Imports
  28. Static oddities
  29. most basic PE
     ● DataFile PE
       ● LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE
     ● must be a PE
     ● just a PE
       ● MZ / e_lfanew / PE. that's it
       ● machine, magic, ImageBase, alignments, subsystem: not needed
       ● code: not needed
       ● non-null values: not needed either
     ● break parsers
       – corrupt values / truncated headers
  30. back to classic PEs
  31. DOS header
     ● good old 16-bit stub
       ● still in Windows 7 64-bit!
     ● "This program cannot be run in DOS mode." ?
  32. ImageBase
     ● multiple of 0x10000
     ● user-mode
       ● any address except system DLLs
       ● 00000000 under XP
     ● kernel-mode
       ● via relocation
       ● relocated to 10000
       ● CVE-2012-2273
  33. EntryPoint
     ● null
       ● MZ => dec ebp / pop edx
  34. EntryPoint
     ● virtual
       ● 00 C0 => add al, al
  35. EntryPoint
     ● external
       ● in a DLL / allocated via TLS
  36. EntryPoint
     ● ignored
       ● via TLS
  37. Subsystem
     ● no trick :(
       ● last required element of the header
     ● no specific requirements
       ● low alignments
         – unpack drivers in user-mode
         – multi-subsystem PE
  38. Sections
     ● 0 to 96 / 65536
     ● oversized or not (up to 0x74xx0000)
     ● sections in sections, duplicates, shuffled
  39. Dynamic oddities
  40. loading process 1/2
     ● headers are parsed on disk
     ● data directories are parsed in memory
       ● after section mapping
  41. loading process 2/2
     ● sections overlap the header
       ● the true data directories are revealed
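The loading process as slides 29, 33, 40 and 41 describe it, as an added example that is mine and not the deck's or corkami's own code: a bounds-checked PE32 header parser that only ever looks at the file bytes, a section mapper that copies each section at its VirtualAddress after the headers, and a data-directory read performed on the mapped image. The sample PE is constructed inline and is not a real file; it uses alignment 4, AddressOfEntryPoint 0 and a section placed at RVA 0xC0, so the import directory that is null on disk reads (0x200, 0x14) once mapped, and the bytes at the entry point are the "MZ" signature itself. The mapper copies sections in table order without any of the loader's own validation; that is an assumption made for the demo, not a statement about what Windows checks.

```python
import struct

DOS_SIG, NT_SIG, PE32_MAGIC = b"MZ", b"PE\0\0", 0x10B
DIR_IMPORT = 1                                   # IMAGE_DIRECTORY_ENTRY_IMPORT
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes

def parse_headers(data):
    """Headers are parsed on disk.  Every read is bounds-checked: a bad e_lfanew or
    a short optional header gives None, a truncated section table a shorter list."""
    if len(data) < 0x40 or data[:2] != DOS_SIG:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    fh = e_lfanew + 4                            # IMAGE_FILE_HEADER follows "PE\0\0"
    if fh + 20 > len(data) or data[e_lfanew:fh] != NT_SIG:
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                # PE32 optional header: 0x60 bytes + dirs
    if opt_size < 0x60 or opt + opt_size > len(data):
        return None
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        return None
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 0x38)
    n_dirs = struct.unpack_from("<I", data, opt + 0x5C)[0]
    sections = []
    for i in range(nsec):                        # the table follows the optional header
        off = opt + opt_size + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            break                                # truncated table: keep what was readable
        name, vsize, va, rawsize, rawptr = SECTION_HDR.unpack_from(data, off)[:5]
        sections.append((name.rstrip(b"\0"), va, vsize, rawptr, rawsize))
    return {"opt": opt, "entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "n_dirs": n_dirs, "sections": sections}

def map_image(data, hdr):
    """Section mapping as the deck describes it: SizeOfHeaders bytes first, then each
    section's raw data at its VirtualAddress, in table order.  Nothing here stops a
    VirtualAddress inside the header, so such a section just overwrites it."""
    image = bytearray(hdr["size_of_image"])
    head = data[:min(hdr["size_of_headers"], len(image))]
    image[:len(head)] = head
    for _, va, _, rawptr, rawsize in hdr["sections"]:
        chunk = data[rawptr:rawptr + rawsize][:max(0, len(image) - va)]
        image[va:va + len(chunk)] = chunk
    return bytes(image)

def data_directory(view, hdr, index):
    """DataDirectory[index] as seen in `view`, the file bytes or the mapped image;
    the header sits at RVA 0, so the offset is the same in both."""
    off = hdr["opt"] + 0x60 + index * 8
    if index >= hdr["n_dirs"] or off + 8 > len(view):
        return None
    return struct.unpack_from("<II", view, off)  # (RVA, Size)

def entry_point_bytes(image, hdr, n=2):
    """First bytes executed.  With AddressOfEntryPoint = 0 that is the DOS
    signature itself: 4D 5A is dec ebp / pop edx on x86."""
    return image[hdr["entry_point"]:hdr["entry_point"] + n]

def build_sample():
    """Constructed PE32, not a real file: alignments 4, entry point 0, 0x200 bytes
    of headers, one section mapped at RVA 0xC0, which is where DataDirectory[1]
    (imports) lives: 0x58 + 0x60 + 8.  On disk that entry is null; the section's
    raw data is what ends up there after mapping."""
    e_lfanew, opt_size = 0x40, 0xE0
    opt = e_lfanew + 4 + 20                      # 0x58
    hdrs = bytearray(0x200)
    hdrs[:2], hdrs[e_lfanew:e_lfanew + 4] = DOS_SIG, NT_SIG
    struct.pack_into("<I", hdrs, 0x3C, e_lfanew)
    struct.pack_into("<HHIIIHH", hdrs, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", hdrs, opt, PE32_MAGIC)
    struct.pack_into("<I", hdrs, opt + 0x10, 0)                  # AddressOfEntryPoint
    struct.pack_into("<III", hdrs, opt + 0x1C, 0x400000, 4, 4)   # ImageBase, alignments
    struct.pack_into("<II", hdrs, opt + 0x38, 0x400, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdrs, opt + 0x5C, 16)                 # NumberOfRvaAndSizes
    va, rawptr, rawsize = 0xC0, 0x200, 0x40
    SECTION_HDR.pack_into(hdrs, opt + opt_size, b".text", rawsize, va, rawsize, rawptr,
                          0, 0, 0, 0, 0x60000020)
    section = bytearray(rawsize)
    struct.pack_into("<II", section, 0, 0x200, 0x14)             # lands on the import entry
    return bytes(hdrs + section)

SAMPLE = build_sample()

def compare_views(data):
    """The import directory from the disk view and the mapped view, plus entry bytes."""
    hdr = parse_headers(data)
    image = map_image(data, hdr)
    return {"disk": data_directory(data, hdr, DIR_IMPORT),
            "memory": data_directory(image, hdr, DIR_IMPORT),
            "entry_bytes": entry_point_bytes(image, hdr)}

if __name__ == "__main__":
    print(compare_views(SAMPLE))
```

Run it as a script to see the two views side by side: a scanner that only walks the file reports no imports, while the mapped view carries the directory the section delivered. A real loader rejects many such combinations; the mapper here deliberately checks nothing beyond buffer bounds, so read it as a model of the parsing order, not of the loader's validation.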
  42. TLS 1/2
     ● list of callbacks, updated on the fly
     ● executed at thread start/stop
       ● before EntryPoint
       ● after ExitProcess
     ● can trigger unhandled exceptions
  43. TLS 2/2
     ● points to import
     ● tricky execution conditions
     ● different loading order
     ● anything but ESI
  44. Relocations
     ● rebase code if loaded at a different address
     ● not required in x64
       ● empty relocations still present in x64 binaries
  45. faked relocations
  46. manual relocations
  47. Relocations encryption
     ● applied anywhere
       ● encryption
       ● on itself!
     ● MIPS supported on Intel OS+PE
  48. Relocations on ImageBase
     ● affects the EntryPoint
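A loader-style base relocation pass over an already-mapped image, covering slides 44, 47 and 48, as an added example that is mine and not the deck's or corkami's code. It reads each WORD entry only when it reaches it, as sequential processing would, so the first entry below patches the relocation table itself: on disk the second entry is type ABSOLUTE, the padding a static tool skips, but after a delta of 0x3000 it reads as HIGHLOW on AddressOfEntryPoint, and after a delta of 0x1000 as HIGH. The third entry patches the ImageBase field in the header (the case slide 48 lists; what the loader then does with that field is not modelled), and the fourth uses the MIPS_JMPADDR type. The image layout and offsets (e_lfanew 0x40, PE32 optional header at 0x58) are constructed for this demo, and the MIPS fix-up formula follows open loader implementations; treat both as assumptions, not as a description of ntdll.

```python
import struct

REL_ABSOLUTE, REL_HIGH, REL_LOW, REL_HIGHLOW, REL_MIPS_JMPADDR, REL_DIR64 = 0, 1, 2, 3, 5, 10

# constructed layout (assumption): e_lfanew 0x40, PE32 optional header at 0x58
OPT = 0x58
OFF_ENTRY = OPT + 0x10          # AddressOfEntryPoint
OFF_IMAGEBASE = OPT + 0x1C      # ImageBase
CODE_RVA = 0x200                # a MIPS jump-format word to be fixed up
RELOC_RVA = 0x300               # the constructed relocation block

def apply_relocations(image, reloc_rva, reloc_size, delta):
    """Walk IMAGE_BASE_RELOCATION blocks in place.  Each WORD entry is read from
    the image only when it is reached, so an entry can rewrite a later entry
    before the loop gets there.  Returns the (type, target RVA) pairs actually
    applied, which may differ from what the table shows on disk."""
    applied, pos, end = [], reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page, size = struct.unpack_from("<II", image, pos)
        if size < 8 or pos + size > end:
            raise ValueError("bad SizeOfBlock at RVA 0x%x" % pos)
        for entry_pos in range(pos + 8, pos + size - 1, 2):
            entry = struct.unpack_from("<H", image, entry_pos)[0]
            kind, target = entry >> 12, page + (entry & 0xFFF)
            if kind == REL_ABSOLUTE:
                continue                                   # padding: no-op
            if kind in (REL_HIGH, REL_LOW):                # one 16-bit half of the delta
                add = (delta >> 16) if kind == REL_HIGH else delta
                v = struct.unpack_from("<H", image, target)[0]
                struct.pack_into("<H", image, target, (v + add) & 0xFFFF)
            elif kind == REL_HIGHLOW:
                v = struct.unpack_from("<I", image, target)[0]
                struct.pack_into("<I", image, target, (v + delta) & 0xFFFFFFFF)
            elif kind == REL_DIR64:
                v = struct.unpack_from("<Q", image, target)[0]
                struct.pack_into("<Q", image, target, (v + delta) & (2 ** 64 - 1))
            elif kind == REL_MIPS_JMPADDR:
                # 26-bit word-address field; formula as in open loader sources (assumption)
                v = struct.unpack_from("<I", image, target)[0]
                tmp = ((v & 0x03FFFFFF) << 2) + delta
                struct.pack_into("<I", image, target, (v & 0xFC000000) | ((tmp >> 2) & 0x03FFFFFF))
            else:
                raise ValueError("unsupported relocation type %d" % kind)
            applied.append((kind, target))
        pos += size
    return applied

def build_image():
    """Constructed 4 KiB mapped image, not a real file.  Entries as stored on disk:
      e0 HIGHLOW      @0x30A: the dword holding e1 and e2, i.e. the table itself
      e1 ABSOLUTE     @0x068: looks like padding; a static tool skips it
      e2 HIGHLOW      @0x074: the ImageBase field in the header
      e3 MIPS_JMPADDR @0x200
    e0 adds the delta to e1's WORD, so e1's real type depends on the load address."""
    image = bytearray(0x1000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, OPT, 0x10B)
    struct.pack_into("<I", image, OFF_ENTRY, 0x100)
    struct.pack_into("<I", image, OFF_IMAGEBASE, 0x400000)
    struct.pack_into("<I", image, CODE_RVA, 0x08000010)     # MIPS 'j' with target field 0x10
    entries = [(REL_HIGHLOW << 12) | 0x30A, (REL_ABSOLUTE << 12) | 0x068,
               (REL_HIGHLOW << 12) | 0x074, (REL_MIPS_JMPADDR << 12) | 0x200]
    struct.pack_into("<II", image, RELOC_RVA, 0, 8 + 2 * len(entries))   # page RVA 0
    struct.pack_into("<4H", image, RELOC_RVA + 8, *entries)
    return image

def static_view(image):
    """What a parser that only reads the table, without applying a delta, reports."""
    _, size = struct.unpack_from("<II", image, RELOC_RVA)
    n = (size - 8) // 2
    return [(e >> 12, e & 0xFFF) for e in struct.unpack_from("<%dH" % n, image, RELOC_RVA + 8)]

def relocate(delta):
    """Build the image, relocate it by `delta`, and report what was really applied."""
    image = build_image()
    applied = apply_relocations(image, RELOC_RVA, 8 + 2 * 4, delta)
    return {"applied": applied,
            "entry_point_rva": struct.unpack_from("<I", image, OFF_ENTRY)[0],
            "image_base": struct.unpack_from("<I", image, OFF_IMAGEBASE)[0],
            "mips_word": struct.unpack_from("<I", image, CODE_RVA)[0]}

if __name__ == "__main__":
    print("on disk:", static_view(build_image()))
    for d in (0x1000, 0x3000):
        print("delta 0x%x:" % d, relocate(d))
```

Running it prints the table as a static tool would list it, then what was applied at two load deltas: the same bytes yield a HIGH entry at one address and a HIGHLOW entry on AddressOfEntryPoint at another. That is why a relocation table "encrypted" this way only unpacks correctly when the image lands at the expected delta, and why header fields read from a loaded process can differ from the file on disk.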
  49. one last...
  50. Conclusion
     ● PE is a mess
       ● different OSes, different parsers
       ● no doc/tool is perfect
     ● still many unknowns
     ● simple: http://pe101.corkami.com
     ● advanced: http://pe.corkami.com
       ● 160+ PoCs
  51. Acknowledgments
     ● Peter Ferrie
     ● Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, ReversingLabs, Walied Assar, ...
     Questions?
  52. Thank YOU! Ange Albertini @gmail.com @ange4771
