Win32 Binary Dissection: A Basic Approach to Understanding Win32 Binaries
Sujit Ghosal
Agenda
▪ Analysis Classifications
▪ Binary Formats (Unix, Windows and Mac)
▪ Why PE/COFF format?
▪ Some statistical data
▪ PE Format Walkthrough
▪ Tools of the trade
▪ Few demos… 
▪ Q & A
Win32 Binary Dissection 2
Analysis Classifications
▪ Static
  Evaluation of an application's behavior without executing it, e.g. with disassemblers (IDA Pro, Hiew) or any binary structure parser tools.
  Time consuming; can be partially automated.
▪ Dynamic
  Understanding the binary's behavior by executing it in a "non-controlled" environment, letting it affect the host machine and mapping the behaviors: open file handles, API call inspection, registry entries, Windows start-up entries, etc.
  Takes a few minutes; can be fully or partially automated.
Binary Formats
▪ Windows: PE/COFF [Portable Executable / Common Object File Format]. Ref: http://goo.gl/avLg2
▪ Unix/Linux: ELF [Executable and Linkable Format]. Ref: http://goo.gl/Nd1yvG
▪ Macintosh: Mach-O file format. Recognizes ELF formats too. Ref: http://goo.gl/RXKgE0
Why is the PE/COFF format so important to know?
▪ Native file format (mostly undocumented) for Windows PE-based files, e.g. .exe, .dll, .ocx, .cpl, .sys, .drv, .scr
▪ In-depth understanding of malware binary behavior
▪ Understanding anti-debugging implementations
▪ Implementing malware heuristics
▪ A quintessential requirement for manual/automated binary unpacking
▪ Automation through the idapython, pefile, immlib, mona and pydbg libraries
▪ Binary patching for fun and profit
▪ Adding your own custom sections to an executable
▪ IAT (Import Address Table) reconstruction
▪ And many more!
Shadowserver Binaries Stats...
https://www.shadowserver.org/wiki/pmwiki.php/Stats/PackerStatistics
PE Format Walkthrough: and the boring stuff begins...
Layout of sample.exe (the Windows loader kicks in here):
Header
▪ MZ Stub [64 bytes]
▪ DOS Stub [64 bytes]
▪ PE Header [24 bytes]
▪ Optional Header [96 bytes]
▪ Data Directories [16 entries]
Sections
▪ Section Table [40 bytes per entry]
▪ CODE or .text
▪ Imports [IAT] / Exports [EAT]
▪ Data [Strings, Icons, Bitmaps etc.]
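The header walk above, as an added Python example that is not part of the original deck: it follows the MZ stub, the 24-byte PE header (signature plus COFF header), the 96-byte PE32 optional header, the data directories and the 40-byte section entries using only the standard library (no pefile), then applies a few static packer heuristics. The header-only sample image, its values and the heuristics are constructed for this example, laid out the way UPX leaves a file (a UPX0 section with no raw data and the entry point in UPX1); they are not the author's code.

```python
import struct

DOS_HDR = "<2s58xI"      # e_magic ... e_lfanew: the 64-byte "MZ stub"
COFF_HDR = "<HHIIIHH"    # 20 bytes right after the 4-byte "PE\0\0" signature (24 together)
OPT_HDR32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
SECTION = "<8sIIIIIIHHI"  # one section table entry, 40 bytes
W_X = 0xA0000000          # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header -> data dirs -> sections."""
    magic, e_lfanew = struct.unpack_from(DOS_HDR, data, 0)
    if magic != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_HDR32, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ has a 112-byte optional header)")
    ndirs = opt[29]  # NumberOfRvaAndSizes, normally 16; entry 1 is the import table
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # section table starts right after the optional header
        s = struct.unpack_from(SECTION, data, opt_off + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode(), "vsize": s[1], "va": s[2],
                         "rawsize": s[3], "rawptr": s[4], "chars": s[9]})
    return {"entry": opt[6], "image_base": opt[9], "dirs": dirs, "sections": sections}

def packer_hints(pe):
    """Static triage heuristics; each hint is a reason to expect an unpacking step."""
    hints = []
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] and (s["chars"] & W_X) == W_X:
            hints.append(f"{s['name']}: 0 bytes on disk but {s['vsize']:#x} bytes mapped W+X")
        if s["va"] <= pe["entry"] < s["va"] + s["vsize"] and s["name"] not in (".text", "CODE"):
            hints.append(f"entry point {pe['entry']:#x} is in section {s['name']}")
    if len(pe["dirs"]) > 1 and pe["dirs"][1][0] == 0:
        hints.append("no import directory: IAT must be rebuilt after unpacking (e.g. ImpREC)")
    return hints

def build_sample():
    """Constructed minimal PE32 laid out like a UPX-packed file; headers only, no real code."""
    dos = struct.pack(DOS_HDR, b"MZ", 0x80) + b"\0" * 64   # MZ stub + 64-byte DOS stub
    coff = b"PE\0\0" + struct.pack(COFF_HDR, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack(OPT_HDR32, 0x10B, 2, 25, 0x400, 0, 0x9000, 0xA100, 0xA000, 0xB000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0xC000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", 0, 0) * 16
    secs = struct.pack(SECTION, b"UPX0", 0x9000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000080)
    secs += struct.pack(SECTION, b"UPX1", 0x1000, 0xA000, 0x400, 0x400, 0, 0, 0, 0, 0xE0000040)
    return dos + coff + opt + dirs + secs
```

Run `packer_hints(parse_pe(open(path, "rb").read()))` on a real PE32 file to get the same three kinds of hint; a PE32+ (64-bit) file is rejected on purpose because its optional header is laid out differently.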
Tools of the Trade
Static tools
▪ IDA Pro [GUI]
▪ OllyDbg / Immunity Debugger [GUI]
▪ AnalyzePE [Python]
▪ WinDbg [GUI]
▪ IDAPython [Python]
▪ ImmLib [Python]
▪ PEFile [Python]
▪ PE View / PE-Bear [GUI]
▪ 010 Hex Editor [GUI]
▪ CFF Explorer [GUI]
Dynamic tools
▪ RegShot [GUI]
▪ FakeNet [Cmd]
▪ Process Explorer [GUI]
▪ RegMon [GUI]
▪ Process Hacker [GUI]
▪ IDA Pro / Olly / WinDbg [GUI]
▪ Cuckoo Framework [GUI/Web]
▪ Sandboxie [GUI]
▪ ZeroWine Sandbox [GUI]
▪ INetSim [Cmd]
▪ TCPView [GUI]
▪ ProcMon [GUI]
EXE Structure Walkthrough
Let's understand binaries through demos!
▪ 010 Hex Editor [For structure parsing]
▪ UPX Compression Tool [For packing]
▪ Immunity Debugger / OllyDbg demo [For unpacking]
▪ ImpREC [Fix IATs]
Few real-time scenarios...
▪ Levels of binary compression are extremely complex these days, e.g. Themida, ASPack, etc.
▪ Unpacking a binary sometimes takes a week or even more!
▪ Anti-debugging additions to the binary make the analysis even more painful
▪ Anti-VM modules are the next level of nightmare!
▪ Packed binaries can be embedded inside PDFs, MS-OLE formats, Flash documents, PNG and JPEG images, etc.! (Caution: be very sure before opening any attachments!!)
References
▪ Binary compression: http://goo.gl/ZanFYf
▪ Iczelion's PE Overview: http://goo.gl/apruSo
▪ UPX: http://goo.gl/KJNWyW