Binary art - Byte-ing the PE that fails you (live version)

This is the live version of
an overview of the Portable Executable format and its malformations,
presented at Hashdays, in Lucerne, on the 3rd November 2012.

direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip

Usage Rights: CC Attribution License
Presentation Transcript

    • Binary art: Byte-ing the PE that fails you. Ange Albertini, 3rd November 2012, http://corkami.com, Lucerne, Switzerland
    • agenda: what's a PE? / the problem, and my approach / overview of the PE format / classic tricks / new tricks (© ID software)
    • Portable Executable: based on Common Object File Format
    • PE: universal Windows binary since 1993
    • pe101.corkami.com
    • the problem...
    • aka “the gentle guide to standard PEs”
    • CVE-2012-2273, version_mini, ibkernel
    • normal
    • ...and my approach
    • block by block
    • a complete executable
    • pe.corkami.com
    • PE → DLL: ... call [API] / API: …… ret (Imports / Exports)
    • maxsecXP, 65535sects
    • 1 ≤ FileAlignment == SectionAlignment ≤ 800; nosection*
    • tiny*
    • foldedhdr
    • ctxt*
    • ★New★ tricks
    • mininormal64
    • dllnomain*
    • dd OriginalFirstThunk
      dd TimeDateStamp
      dd ForwarderChain
      ----------------------------
      dd Name
      dd FirstThunk
      (imports_virtdesc)
    • corkamix
    • seh_change64
    • fakerelocs ibreloc
    • reloccrypt
    • reloccrypt
    • reloccrypt
    • maxvals
    • hdrcode
    • traceless
    • PE / .NET / imports / relocs / CLR (tinynet)
    • quine
    • corkamix
    • Conclusion
    • Conclusion: the Windows executable format is complex; mostly covered, but many little traps; new discoveries every day :( http://pe101.corkami.com http://pe.corkami.com
    • Questions? Thanks to Fabian Sauter, Peter Ferrie, وليد عصر, Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert, Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, LordNoteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel Plohmann, Gorka Ramírez, 최진영, Adam Błaszczyk, 板橋一正, Gil Dabah, Juriaan Bremer, Bruce Dang, Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex Ionescu, Alexander Sotirov, Cathal Mullaney
    • Thank YOU! Ange Albertini @gmail.com @ange4771 http://corkami.com
    • exe2pe, dosZMXP
    • aa86drop.com