Win32 Binary Dissection
Sujit Ghosal
Agenda
▪ Analysis Classifications
▪ Binary Formats (Unix, Windows and Mac)
▪ Why PE/COFF format?
▪ Some statistical data
▪ PE Format Walkthrough
▪ Tools of the trade
▪ Few demos…
▪ Q & A
Win32 Binary Dissection 2
Analysis Classifications
▪ Static
• Evaluation of an application's behavior without executing it, e.g. with disassemblers (IDA Pro, Hiew) or any binary structure parser tool.
• Time consuming; can be partially automated.
▪ Dynamic
• Understanding the binary's behavior by executing it in a “non-controlled” environment, letting it affect the host machine and mapping its behaviors, e.g. open file handles, API calls, registry entries, Windows start-up entries etc.
• Takes a few minutes. Can be (fully/partially) automated.
Binary Formats
• Windows: PE/COFF [Portable Executable/Common Object File Format]. Ref: http://goo.gl/avLg2
• Unix/Linux: ELF [Executable and Linkable Format]. Ref: http://goo.gl/Nd1yvG
• Macintosh: Mach-O File Format. Recognizes ELF formats too. Ref: http://goo.gl/RXKgE0
Why is the PE/COFF format so important to know?
▪ Native File Format (mostly undocumented) for Windows PE based files
e.g. .exe // .dll // .ocx // .cpl // .sys // .drv // .scr
▪ Malware binary behavior in-depth understanding
▪ Understanding anti-debugging implementations
▪ Malware heuristics implementations
▪ Quintessential requirement for manual/automated binary unpacking
▪ Automation through idapython, pefile, immlib, mona, pydbg libraries
▪ Binary patching for fun and profit
▪ Addition of your own custom sections into the executable
▪ IAT (Import Address Table) reconstructions
▪ And many more !!! …
ShadowServer Binaries Stats…
https://www.shadowserver.org/wiki/pmwiki.php/Stats/PackerStatistics
PE Format Walkthrough – And the boring stuff begins…
sample.exe (Windows loader kicks in here)
Header
• MZ Stub [64]
• DOS Stub [64]
• PE Header [24]
• Optional Header [96]
• Data Directories [16]
Sections
• Sections Table [40]
• CODE or .text
• Imports [IAT] / Exports [EAT]
• Data [Strings, Icons, Bitmaps etc.]
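As an added example that is not part of the deck, here is a minimal standard-library Python parser (no pefile) that follows the walkthrough above: MZ stub, e_lfanew, PE signature, the 20-byte COFF header, the optional header and the 40-byte section table entries. It goes slightly beyond the slide by flagging the packer hints the later UPX demo and scenarios slides refer to (writable+executable sections, or a section with no raw data but a large virtual size). The image it parses is constructed inline; field names and sizes follow the PE/COFF specification.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Walk MZ stub -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # 20-byte COFF file header follows the signature
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                         # optional header: 0x10b = PE32, 0x20b = PE32+
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (an RVA)
    sections = []
    for i in range(nsec):                                   # section table: 40 bytes per entry
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rsize": rsize, "rptr": rptr, "chars": chars})
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections}

def suspicious_sections(pe):
    """Packer hints: writable+executable sections, or a section empty on disk but large in memory."""
    flagged = []
    for s in pe["sections"]:
        wx = s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE
        if wx or (s["rsize"] == 0 and s["vsize"] > 0):
            flagged.append(s["name"])
    return flagged

def sample_image():
    """Constructed image (not a real binary): 64-byte MZ stub, 24-byte PE header, PE32 optional header, 3 sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    pe_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    def sec(name, vsize, va, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    return (dos + pe_hdr + opt
            + sec(b"UPX0", 0x8000, 0x1000, 0, 0x400, 0xE0000080)         # no raw data, W+X
            + sec(b"UPX1", 0x3000, 0x9000, 0x2E00, 0x400, 0xE0000040)    # W+X
            + sec(b".rsrc", 0x1000, 0xC000, 0x600, 0x3200, 0x40000040))  # read-only data
if __name__ == "__main__":
    pe = parse_pe(sample_image())
    print(hex(pe["machine"]), hex(pe["entry"]), suspicious_sections(pe))
```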
Tools of the trade
Static Tools
• IDA Pro [GUI]
• OllyDbg // Immunity Debugger [GUI]
• AnalyzePE [Python]
• WinDbg [GUI]
• IDAPython [Python]
• ImmLib [Python]
• PEFile [Python]
• PE View / PE-Bear [GUI]
• 010 Hex Editor [GUI]
• CFF Explorer [GUI]
Dynamic Tools
• RegShot [GUI]
• FakeNet [Cmd]
• Process Explorer [GUI]
• RegMon [GUI]
• Process Hacker [GUI]
• IDA Pro / Olly / WinDbg [GUI]
• Cuckoo Framework [GUI/Web]
• Sandboxie [GUI]
• ZeroWine Sandbox [GUI]
• INetSim [Cmd]
• TCPView [GUI]
• ProcMon [GUI]
EXE Structure Walkthrough
Let's understand binaries through demos!!
▪ 010 Hex Editor [For structure parsing]
▪ UPX Compression Tool [For packing]
▪ Immunity//OllyDbg Demo [For unpacking]
▪ ImpREC [Fix IATs]
A few real-time scenarios…
▪ Binary compression schemes are extremely complex these days, e.g. Themida, ASPack etc.
▪ Unpacking a binary sometimes takes a week or even more!
▪ Anti-debugging additions to the binary make the analysis even more painful
▪ Anti-VM modules are the next level of nightmares!
▪ Packed binaries can be embedded inside PDFs, MS-OLE formats, Flash documents, PNG and JPEG images etc! (Caution: be very sure before opening any attachments!!)
References
▪ Binary compression: http://goo.gl/ZanFYf
▪ Iczelion’s PE Overview: http://goo.gl/apruSo
▪ UPX: http://goo.gl/KJNWyW