A short presentation on Win32 binary basics and how their structure works. We will walk through the structure of Win32 executable files and how they work, then look at how packing and unpacking works, with some live unpacking demos using a few popular tools: OllyDbg, Immunity Debugger, ImpREC, 010 Hex Editor, Python and the Python pefile module, among others.
2. Agenda
▪ Analysis Classifications
▪ Binary Formats (Unix, Windows and Mac)
▪ Why PE/COFF format?
▪ Some statistical data
▪ PE Format Walkthrough
▪ Tools of the trade
▪ Few demos…
▪ Q & A
Win32 Binary Dissection 2
3. Analysis Classifications
▪ Static
Evaluation of an application's behaviour without executing it, e.g. with disassemblers (IDA Pro, Hiew) or binary structure parser tools.
Time consuming; can be partially automated.
▪ Dynamic
Understanding the binary's behaviour by executing it in a “non-controlled” environment, letting it affect the host machine and mapping the observed behaviour, e.g. open file handles, API calls, registry entries, Windows start-up entries, etc.
Takes a few minutes; can be fully or partially automated.
5. Why is the PE/COFF format so important to know?
▪ Native file format (mostly undocumented) for Windows PE-based files,
e.g. .exe, .dll, .ocx, .cpl, .sys, .drv, .scr
▪ In-depth understanding of malware binary behaviour
▪ Understanding anti-debugging implementations
▪ Implementing malware heuristics
▪ Quintessential requirement for manual/automated binary unpacking
▪ Automation through the idapython, pefile, immlib, mona and pydbg libraries
▪ Binary patching for fun and profit
▪ Adding your own custom sections to an executable
▪ IAT (Import Address Table) reconstruction
▪ And many more!!! …
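As an added example (not from the presentation), here is a minimal PE/COFF header parser in pure Python, in the spirit of the binary structure parsers mentioned under static analysis and the pefile automation listed above. The byte image it parses is constructed inline; its UPX-style section layout is a sample, not a real binary.

```python
# Added example: a minimal PE/COFF header parser in pure Python (no pefile
# dependency). The byte image built below is constructed here, not a real file.
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return COFF header fields and the section table of a PE image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    (machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        (name, vsize, vaddr, rawsize, rawptr,
         _r, _l, _nr, _nl, flags) = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "characteristics": characteristics,
            "sections": sections}

def packer_hints(pe):
    """Common static heuristic: a section with no raw data but a large virtual
    size is where a packer's stub typically writes unpacked code at run time."""
    return [s["name"] for s in pe["sections"] if s["rawsize"] == 0 and s["vsize"] > 0]

def build_sample():
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zeroed 224-byte optional header and two UPX-style sections (sample values)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    s1 = struct.pack(SECTION_FMT, b"UPX0", 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    s2 = struct.pack(SECTION_FMT, b"UPX1", 0x8000, 0x21000, 0x7E00, 0x400, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + s1 + s2
```

Run `parse_pe(open(path, "rb").read())` on a real file to dump its section table; `packer_hints` is only a first-pass indicator, not proof of packing.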
11. A few real-time scenarios…
▪ Levels of binary compression are extremely complex these days, e.g. Themida, ASPack packages, etc.
▪ Unpacking a binary sometimes takes a week or even more!
▪ Anti-debugging additions to the binary make the analysis even more painful
▪ Anti-VM modules are the next level of nightmares!
▪ Packed binaries can be embedded inside PDFs, MS-OLE formats, Flash documents, PNG and JPEG images, etc.! (Caution: be very sure before opening any attachments!!)