Binary art - Byte-ing the PE that fails you (live version)

This is the live version of an overview of the Portable Executable format and its malformations, presented at Hashdays, in Lucerne, on the 3rd November 2012.

Direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip


  1. Binary art: Byte-ing the PE that fails you. Ange Albertini, 3rd November 2012, http://corkami.com, Lucerne, Switzerland
  2. Agenda: what's a PE? The problem, and my approach. Overview of the PE format. Classic tricks. New tricks. (© ID software)
  3. Portable Executable, based on the Common Object File Format
  4. PE: universal Windows binary since 1993
  5. pe101.corkami.com
  6. The problem...
  7. aka "the gentle guide to standard PEs"
  8. CVE-2012-2273, version_mini, ibkernel
  9. normal
  10. ...and my approach
  11. Block by block
  12. A complete executable
  13. pe.corkami.com
  14. PE (Imports): call [API] → DLL (Exports): API: … ret
  15. maxsecXP, 65535sects
  16. 1 ≤ FileAlignment == SectionAlignment ≤ 800; nosection*
  17. tiny*
  18. foldedhdr
  19. ctxt*
  20. ★New★ tricks
  21. mininormal64
  22. dllnomain*
  23. dd OriginalFirstThunk / dd TimeDateStamp / dd ForwarderChain / ---- / dd Name / dd FirstThunk; imports_virtdesc
  24. corkamix
  25. seh_change64
  26. fakerelocs, ibreloc
  27. reloccrypt
  28. reloccrypt
  29. reloccrypt
  30. maxvals
  31. hdrcode
  32. traceless
  33. PE / .NET: ... imports ... relocs ... CLR ...; tinynet
  34. quine
  35. corkamix
  36. Conclusion
  37. Conclusion: the Windows executable format is complex; mostly covered, but many little traps; new discoveries every day :( http://pe101.corkami.com http://pe.corkami.com
  38. Questions? Thanks to Fabian Sauter, Peter Ferrie, وليد عصر, Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert, Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, LordNoteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel Plohmann, Gorka Ramírez, 최진영, Adam Błaszczyk, 板橋一正, Gil Dabah, Juriaan Bremer, Bruce Dang, Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex Ionescu, Alexander Sotirov, Cathal Mullaney
  39. Thank YOU! Ange Albertini @gmail.com, @ange4771, http://corkami.com
  40. exe2pe, dosZMXP
  41. aa86drop.com