A bit more of PE
Hack in Paris 2012

A bit more of PE Presentation Transcript

  • 1. a bit more of PE (since Hashdays) – Ange Albertini, 22nd June 2012
  • 2. Author
      ● reverse engineer
        ● since DOS 3.21
      ● ashamed by a malware
      ● back to my studies
        ● shared on my site
  • 3. http://CORKAMI.com
  • 4. Fact → PoC
  • 5. made with love
      ● Hand-made, from scratch
        ● patched / generated / compiled
        ● tedious – full control
      ● Pin-pointed
      ● Crystal clear
      ● Clean
  • 6. technical
  • 7. be nice to your friends
      ● ads / log-in / pay-wall / columns
      ● BSD/CC BY licence
        ● reusable commercially
      ● free sources, using free tools
        ● reviews, comments, suggestions
      ● free binaries
        ● downloadable in one click
      ● free documents
        ● including all the graphics
  • 8. free
  • 9. goals
      ● advertisement
        ● for my own use
      ● a good reference
        ● learn. remember. teach.
      ● a meaningful test set
        ● failed all tools
        ● clean
  • 10. enough PoCs → Wiki page → presentation
  • 11. a graphic is worth 1000 lines of doc
  • 12. useful
  • 13. Ange ↔ Corkami: technical, free, useful
  • 14. Agenda
      1. What's a PE?
        ● yet another doc?
      2. Static oddities
      3. Dynamic oddities
  • 15. Introduction
  • 16. Portable Executable / Common Object File Format
  • 17. PE: universal Windows binary
  • 18. pe101.corkami.com
  • 19. questions?
  • 20. FASTEN YOUR SEATBELTS
  • 21. pe.corkami.com
  • 22. incomplete specs VS. reality of the OS
  • 23. FAIL
  • 24. is there a perfect documentation?
  • 25. Not at Microsoft, at least :)
  • 26. Other documentations?
      ● mostly based on existing files
      ● no PoCs anyway
        ● messy / limited / private
      Corkami's is perfect?
      ● no! – just a hobby
        ● explain everything – highlight oddities
  • 27. just to make sure – standard PE:
      ● Sections
      ● EntryPoint
      ● Imports
  • 28. Static oddities
  • 29. most basic PE
      ● DataFile PE
        ● LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE
      ● must be a PE
      ● just a PE
        ● MZ / e_lfanew / PE. That's it
        ● machine, magic, imagebase, alignments, subsystem
        ● code!
        ● non-null!
        ● break parsers – corrupt values / truncated headers
  • 30. back to classic PEs
  • 31. DOS header
      ● Good old 16b stub
        ● still in Windows 7 64b!
      ● "This program cannot be run in DOS mode." ?
  • 32. ImageBase
      ● multiple of 0x10000
      ● user-mode
        ● any address except system DLLs
        ● 00000000 under XP
      ● kernel-mode
        ● via relocation
        ● relocated to 10000
        ● CVE-2012-2273
  • 33. EntryPoint
      ● null
        ● MZ => dec ebp / pop edx
  • 34. EntryPoint
      ● virtual
        ● 00 C0 => add al, al
  • 35. EntryPoint
      ● external
        ● in a DLL / allocated via TLS
  • 36. EntryPoint
      ● ignored
        ● via TLS
  • 37. Subsystem
      ● no trick :(
        ● last required element of the header
      ● no specific requirements
        ● low alignments – unpack drivers in user-mode – multi-subsystem PE
  • 38. Sections
      ● 0-96/65536
      ● oversized or not (up to 0x74xx0000)
      ● sections in sections, duplicates, shuffled
  • 39. Dynamic oddities
  • 40. loading process 1/2
      ● Headers are parsed on disk
      ● Data directories are parsed in memory
        ● after section mapping
  • 41. loading process 2/2
      ● sections overlap header
        ● true Data directories are revealed
  • 42. TLS 1/2
      ● list of callbacks, updated on the fly
      ● executed at thread start/stop
        ● before EntryPoint
        ● after ExitProcess
      ● can trigger unhandled exceptions
  • 43. TLS 2/2
      ● points to import
      ● tricky execution conditions
      ● different loading order
      ● anything but ESI
  • 44. Relocations
      ● rebase code if loaded at different address
      ● not required in x64
        ● empty relocations still in x64b binaries
  • 45. faked relocations
  • 46. manual relocations
  • 47. Relocations encryption
      ● applied anywhere
        ● encryption
        ● on itself!
      ● MIPS supported on Intel OS+PE
  • 48. Relocations on ImageBase
      ● affects the EntryPoint
  • 49. one last...
  • 50. Conclusion
      ● PE is a mess
        ● different OSes, different parsers
        ● no doc/tool is perfect
      ● still many unknowns
      ● simple: http://pe101.corkami.com
      ● advanced: http://pe.corkami.com
        ● 160+ PoCs
  • 51. Acknowledgments
      ● Peter Ferrie
      ● Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, ReversingLabs, Walied Assar, ...
      Questions?
  • 52. Thank YOU! Ange Albertini @gmail.com @ange4771
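The following is an added example, not part of the slides and not one of the Corkami PoCs: a small Python script that builds a constructed PE32 file, follows the minimal chain of slide 29 (MZ / e_lfanew / PE), flags the static oddities of slides 29-38 (ImageBase alignment, null or out-of-section EntryPoint, header-only files, low alignment, sections mapped over the headers) and simulates the two-phase loading of slides 40-41, where headers are read from disk but data directories from the mapped image. Field offsets are the documented PE32 layout; the file contents, section names, helper names and the "oddity" strings are assumptions made here.

```python
import struct

# Added example, not Corkami code: a tiny PE32 builder and parser used to show the slides' points.
# Field offsets follow the documented IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 / IMAGE_SECTION_HEADER
# layouts; every value in the sample file is constructed here.
OPT_SIZE = 0xE0      # PE32 optional header including 16 data directories
SECT_ALIGN = 0x200   # "low alignment" mode: SectionAlignment == FileAlignment < 0x1000


def nt_headers(entry, image_base, n_rva, sections, size_of_image=0x800, size_of_headers=0x400):
    """'PE\\0\\0' + COFF header + PE32 optional header + section table, all constructed."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0, 0, 0, entry, 0, 0, image_base, SECT_ALIGN, SECT_ALIGN,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, n_rva)
    opt += b"\0" * (OPT_SIZE - len(opt))          # empty data directories
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
                     for name, vsize, va, rawsize, rawptr in sections)
    return b"PE\0\0" + coff + opt + table


def build_pe(headers, payloads, e_lfanew=0x200, size_of_headers=0x400):
    """MZ header pointing at e_lfanew, the NT headers, then one SECT_ALIGN-sized chunk per section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    data = (dos.ljust(e_lfanew, b"\0") + headers).ljust(size_of_headers, b"\0")
    return data + b"".join(p.ljust(SECT_ALIGN, b"\0") for p in payloads)


def parse_pe(data):
    """Follow the chain slide 29 calls the whole of a minimal PE: MZ -> e_lfanew -> 'PE\\0\\0' -> headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    nsec, opt_size, opt = coff[1], coff[5], e_lfanew + 24
    if opt_size < 0x60 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    n_rva = struct.unpack_from("<I", data, opt + 92)[0]
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        if pos + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append(dict(name=name.rstrip(b"\0").decode("latin-1"),
                             vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
        pos += 40
    return dict(e_lfanew=e_lfanew, entry=entry, image_base=image_base, sect_align=sect_align,
                file_align=file_align, size_of_image=size_of_image,
                size_of_headers=size_of_headers, n_rva=n_rva, sections=sections)


def static_oddities(pe):
    """Flag the static oddities from slides 29-38; each finding is a short string."""
    found = []
    if pe["image_base"] % 0x10000:
        found.append("ImageBase not a multiple of 0x10000")
    if pe["entry"] == 0:
        found.append("null EntryPoint: execution starts at the MZ header")   # 'MZ' = dec ebp / pop edx
    elif not any(s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]) for s in pe["sections"]):
        found.append("EntryPoint outside every section")
    if not pe["sections"]:
        found.append("no sections")
    if pe["sect_align"] < 0x1000:
        found.append("low alignment: SectionAlignment 0x%x" % pe["sect_align"])
    for s in pe["sections"]:
        if s["va"] < pe["size_of_headers"]:
            found.append("section %r maps over the headers" % s["name"])
    return found


def map_image(data, pe):
    """Simulate the mapping from slides 40-41: headers copied first, then each section's raw bytes placed
    at its RVA, so a section whose RVA lies inside the header region replaces the header copy in memory."""
    img = bytearray(pe["size_of_image"])
    img[:pe["size_of_headers"]] = data[:pe["size_of_headers"]].ljust(pe["size_of_headers"], b"\0")
    for s in pe["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        end = min(s["va"] + len(raw), len(img))
        img[s["va"]:end] = raw[:end - s["va"]]
    return bytes(img)


def constructed_sample():
    """Constructed file: on disk the headers say EntryPoint 0x400 and 16 data directories, but section
    .hdr2 is mapped at RVA 0x200, on top of the NT headers, and carries a second header saying otherwise."""
    sections = [(b".hdr2", 0x200, 0x200, 0x200, 0x400), (b".text", 0x200, 0x400, 0x200, 0x600)]
    disk_hdr = nt_headers(entry=0x400, image_base=0x400000, n_rva=16, sections=sections)
    mem_hdr = nt_headers(entry=0x401, image_base=0x400000, n_rva=0, sections=sections)
    return build_pe(disk_hdr, [mem_hdr, b"\x90\xC3"])   # .text: nop; ret (constructed)


if __name__ == "__main__":
    data = constructed_sample()
    disk = parse_pe(data)
    mem = parse_pe(map_image(data, disk))
    print("disk: entry=%#x dirs=%d; memory: entry=%#x dirs=%d"
          % (disk["entry"], disk["n_rva"], mem["entry"], mem["n_rva"]))
    print("oddities:", static_oddities(disk))
```

Running the script prints the on-disk view (EntryPoint 0x400, 16 data directories) against the in-memory view (EntryPoint 0x401, no data directories) of the same bytes, which is exactly the gap a parser that only reads the file on disk misses. A defensive tool should therefore re-read the headers from the mapped image, or at least flag any section whose RVA falls inside SizeOfHeaders, as `static_oddities` does here.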