SlideShare a Scribd company logo

Lost-In-The-Loader.pdf

S
ssuser8b461f

The document discusses discrepancies in how different software parse the Portable Executable (PE) file format used in Windows programs. It presents a systematic approach to model the constraints imposed by PE parsers in different software. This involves (1) modeling the parsing operations, (2) generating valid and differential test cases to explore differences, and (3) finding real malware exploiting discrepancies. The analysis found differences between Windows versions and other parsers that could allow malware evasion. Developing clearer specifications and modeling multiple parsers is important for security tools.

Engineering
1 of 44
Download to read offline
#BHEU @BlackHatEvents Lost in the Loader The many faces of the PE File Format Dario Nisi (EURECOM) Mariano Graziano (Cisco Talos) Yanick Fratantonio (Cisco Talos) Davide Balzarotti (EURECOM) #BHEU @BlackHatEvents 1
#BHEU @BlackHatEvents The PE File Format ● Standard Format for Programs in Windows ● Based on MS-DOS MZ Format and COFF ● Defines the “headers” Structure 2
#BHEU @BlackHatEvents PE Headers ● MZ Header ○ Points to COFF Header ● COFF Header ○ Generic Fields (ISA, Executable/DLL, … ) ● “Optional” Header ○ Not really optional for Executables ○ Entry Point ○ Section/File Alignments ○ Base Address ○ Data Directories PE Signature MZ Header COFF Header e_lfanew ... Optional Header Data Directories Section Table Section Header 1 ... Section Header n ... Section 1 ... Section n ... 3
#BHEU @BlackHatEvents Section Table ● Define the Program’s “Memory Image” ● Each Section has ○ Address/Size in Memory ○ Offset/Size in the File ○ Permission level (RWX) ● In theory, up to 216 Sections ○ NumberOfSections is 16 bits PE Signature MZ Header COFF Header e_lfanew ... Optional Header Data Directories Section Table Section Header 1 ... Section Header n ... Section 1 ... Section n ... 4
#BHEU @BlackHatEvents The Subtle Problem of the PE Ecosystem Discrepancies Reimplementation is the de facto rule No reference implementation Room for Implementation Choices Not Comprehensive Specifications 5
#BHEU @BlackHatEvents Implications of PE discrepancies ● Examples: ○ Programs running under Windows 7 but not Windows 10 ■ Potential evasion of dynamic analysis sandboxes ○ Reverse engineer tools give wrong mapping ■ Static analysis tools may get confused! ● Problematic for malware analysis & detection ○ Static/Dynamic analysis evasion ○ Antivirus signature bypass 6
#BHEU @BlackHatEvents Examples from Previous Work ● Petsios et al. @S&P 2017, Kim et al. @CCS 2017 ○ Showed how malware can bypass AVs by forging PE headers ● Corkami PE Collection by A. Albertini ○ Some samples execute only on some Windows Version ● Making a Multi-Windows PE in PoC||GTFO 0x01 ○ Executables with different behaviors exploiting relocation discrepancies ● ELF Crafting @r2con2019 ○ 1-Byte ELF Parser Breaker which Linux recognizes as valid Only single edge cases so far, no systematic study! 7
#BHEU @BlackHatEvents Systematic Approach to find Discrepancies 8
#BHEU @BlackHatEvents The Big Picture Models Reverse Engineering Validation Mode Unknown PE File Generation Mode Valid Test Cases Differential Test Cases 9
#BHEU @BlackHatEvents Constraints Modelling Models  Reverse Engineering 10
#BHEU @BlackHatEvents Modelling Phase ● Collect knowledge on the operations performed by parsing routines ● Three types of operations ○ Structural Checks (mandatory headers, magic numbers, …) ○ Compliance Checks (supported ISA, supported OS versions, …) ○ Memory Mapping (generates the memory image) All these operations can be modelled as constraints on the input! 11
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration 12
#BHEU @BlackHatEvents INPUT statements INPUT inputFile 2048 void *inputFile = SomeReadFileFunction(); Original Program Model 13
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition 14
#BHEU @BlackHatEvents Symbol Definition INPUT inputFile 2048 P: mzHeader <- inputFile[0, sizeof IMAGE_MZ_HEADER] as IMAGE_MZ_HEADER void *inputFile = SomeReadFileFunction(); IMAGE_MZ_HEADER *mzHeader = &inputFile; Original Program Model 15
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates 16
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates 17
#BHEU @BlackHatEvents (Terminal) Predicates INPUT inputFile 2048 P: mzHeader <- inputFile[0, sizeof IMAGE_MZ_HEADER] as IMAGE_MZ_HEADER V1: EQ mzHeader.magic[0] "M" term V2: EQ mzHeader.magic[1] "Z" term void *inputFile = SomeReadFileFunction(); IMAGE_MZ_HEADER *mzHeader = &inputFile; if (mzHeader->Magic[0] != "M" || mzHeader->Magic[1] != "Z") { return FALSE; } Original Program Model 18
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements 19
#BHEU @BlackHatEvents Conditional Statements V1: UGE optHeader->SectionAlignment 0x1000 V2(V1): NEq coff->NumberOfSections 0 term if (optHeader->SectionAlignment > 0x1000) { ... if (coff->NumberOfSections == 0) return FALSE: ... } Original Program Model 20
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements ○ Loops 21
#BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements ○ Loops ○ C-like structured types declaration 22
#BHEU @BlackHatEvents Analysis Framework Models Validation Mode Unknown PE File Generation Mode Valid Test Cases Differential Test Cases 23
#BHEU @BlackHatEvents Validation Mode ● Determine whether an input file is a valid PE according to a model ● “Procedural interpretation” of the model ○ Evaluate each statement using the data from the input file ● The file is valid if all terminal statements are true, invalid otherwise 24
#BHEU @BlackHatEvents Generation Mode Models Corner Case Generation Differences Enumeration Differential Analysis Test Case Generation Z3 Backend SMT Problems Translation 25
#BHEU @BlackHatEvents Model ⇔ SMT Equivalence ● Input Declaration creates unconstrained BitVector ● Symbol/Predicate becomes mathematical formulas ● Loops are unrolled up to a certain number of iterations ● Structured types are translated into offsets/slices in the BitVector ● Terminal Predicates are combined (logic conjunction) to create the statement to assert The solutions of the SMT problem are valid PE files according to the model 26
#BHEU @BlackHatEvents Differential Test Case Generation How to generate a file valid for one model but invalid for second one? ● Solve the P1 ∧ ¬P2 ! ● Bonus: the analysis framework tells the broken constraints in P2 27
#BHEU @BlackHatEvents Differences Enumeration How to find all the differences between two models? ● Euristic iterative approach ● For each iteration, solve an SMT problem that asserts some of the previously negated constraints in P2 28
#BHEU @BlackHatEvents Corner Case Generation How to create many samples that are structurally different? ● Iterative approach that leverages non-terminal statements ● For each iteration, try asserting a different combination of non-terminal statements ○ 2n iterations (with n non-terminal statements) 29
#BHEU @BlackHatEvents Customizing Generated Samples How to fine tune the sections’ content in the generated samples? ● Add constraints that section content as a constraint of the model ● We can create samples that execute custom code! 30
#BHEU @BlackHatEvents Results & Findings 31
#BHEU @BlackHatEvents Modelled Software ● Windows Program Loader (XP, 7, 10) ○ Both Kernel-space and User-space ● ClamAV ○ PE format-specific signature engine ● Radare2 ○ PE memory mapping ● Yara ○ PE module 32
#BHEU @BlackHatEvents Windows vs Windows ● We actually found discrepancies!! ○ Win7 doesn’t accept executables with ImageBase = 0 ○ Win7 and 10 check SizeOfHeaders under specific conditions, XP does not ○ Win7 and XP accept relocation types that 10 does not ○ Win7 and 10 discard binaries with entry point within the header ○ Win7 does not load binaries whose SizeOfImage is smaller than the offset of the last byte of the section table 33
#BHEU @BlackHatEvents Windows vs. ClamAV ● We actually found discrepancies!! ○ Number of sections (ClamAV: max 96, Windows: max 65k) ○ SizeOfOptionalHeader (ClamAV: ≥ 92, Windows: no constraints) ○ Section Virtual Address (ClamAV: must always be aligned, Windows: under certain conditions not necessarily aligned) ● Acknowledged by developers as bugs. Fixes coming soon. 34
#BHEU @BlackHatEvents Memory Mapping Discrepancies ● The Source of All Evil: handling SectionAlignment < Page Size (4KB in Intel) ○ Windows: maps the file in memory as is, regardless of the section table ○ Radare2, yara, ClamAV: infer mapping from section table ● We could not find any documentation about this behavior 35
#BHEU @BlackHatEvents Notable Test Case SectionAlignment = 4 Optional Header Entry Point = 0x80 xor eax, eax; ret; 36
#BHEU @BlackHatEvents Notable Test Case Section #1 Starting address 0x1 37
#BHEU @BlackHatEvents Notable Test Case What Windows loads in memory What radare thinks Windows loads in memory 38
#BHEU @BlackHatEvents Evidence of Use in the Wild 39
#BHEU @BlackHatEvents Malware Hunting Campaign ● VirusTotal LiveHunt ● Yara rules matching discovered discrepancy sources ○ Except the relocation handling (due to limitation of the Yara language) ● 7th to 19th October 2020 ● ~5M samples scanned (est. from the average number of weekly submissions reported by VirusTotal) 40
#BHEU @BlackHatEvents Malware Hunt Campaign Results ● 467 samples reported ● Each rule matched at least once ● 301 have SectionAlignment < 4096 (may trigger different mappings) ● 77 had more than 96 sections (invalid for ClamAV) ○ Some had exactly 97 sections 🤔 41
#BHEU @BlackHatEvents Conclusions & Takeaways 42
#BHEU @BlackHatEvents Takeaways ● No “one way” to handle PE format: different versions of Windows handle it differently ● Need for clearer (formal?) specifications and reference implementations (takes time) ● Security tools should model more than one version of the Windows loader ● Our language and framework ease reverse engineering efforts to build these models ● Framework and models available at https://github.com/eurecom-s3/loaders_modeling 43
#BHEU @BlackHatEvents Questions? 44

Recommended

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdScott Tsai
 
Compiler design notes phases of compiler
Compiler design notes phases of compilerCompiler design notes phases of compiler
Compiler design notes phases of compilerovidlivi91
 
CodeQL a Powerful Binary Analysis Engine
CodeQL a Powerful Binary Analysis EngineCodeQL a Powerful Binary Analysis Engine
CodeQL a Powerful Binary Analysis EngineMaryEliot
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuEstelaJeffery653
 
AOT-compilation of JavaScript with V8
AOT-compilation of JavaScript with V8AOT-compilation of JavaScript with V8
AOT-compilation of JavaScript with V8Phil Eaton
 

Recommended

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdScott Tsai
 
Compiler design notes phases of compiler
Compiler design notes phases of compilerCompiler design notes phases of compiler
Compiler design notes phases of compilerovidlivi91
 
CodeQL a Powerful Binary Analysis Engine
CodeQL a Powerful Binary Analysis EngineCodeQL a Powerful Binary Analysis Engine
CodeQL a Powerful Binary Analysis EngineMaryEliot
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuEstelaJeffery653
 
AOT-compilation of JavaScript with V8
AOT-compilation of JavaScript with V8AOT-compilation of JavaScript with V8
AOT-compilation of JavaScript with V8Phil Eaton
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
An In-Depth Look Into Microcontrollers
An In-Depth Look Into MicrocontrollersAn In-Depth Look Into Microcontrollers
An In-Depth Look Into MicrocontrollersICS
 
An Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and VerificationAn Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and VerificationKapilRaghunandanTrip
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
Generation of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksGeneration of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksMarkus Scheidgen
 
Skiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DSkiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DMithun Hunsur
 
Flash develop presentation
Flash develop presentationFlash develop presentation
Flash develop presentationRaimundas Banevičius
 
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)Yogi Sharo
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Schizophrenic files v2
Schizophrenic files v2Schizophrenic files v2
Schizophrenic files v2Ange Albertini
 
Top Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To KnowTop Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To KnowKathy Brown
 
Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...LogeekNightUkraine
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentmloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentDavid Galeano
 
Linux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureLinux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureNeil Armstrong
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019hydai
 
Debugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxDebugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxSerapheim-Nikolaos Dimitropoulos
 
Making Strongly-typed NETCONF Usable
Making Strongly-typed NETCONF UsableMaking Strongly-typed NETCONF Usable
Making Strongly-typed NETCONF UsableOpen Networking Summit
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdfKhaledIbrahim10923
 
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJSFestUA
 
OS-01 intro.pdf
OS-01 intro.pdfOS-01 intro.pdf
OS-01 intro.pdfssuser8b461f
 
lec3.pdf
lec3.pdflec3.pdf
lec3.pdfssuser8b461f
 

More Related Content

Similar to Lost-In-The-Loader.pdf

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
An In-Depth Look Into Microcontrollers
An In-Depth Look Into MicrocontrollersAn In-Depth Look Into Microcontrollers
An In-Depth Look Into MicrocontrollersICS
 
An Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and VerificationAn Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and VerificationKapilRaghunandanTrip
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
Generation of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksGeneration of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksMarkus Scheidgen
 
Skiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DSkiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DMithun Hunsur
 
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)Yogi Sharo
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Schizophrenic files v2
Schizophrenic files v2Schizophrenic files v2
Schizophrenic files v2Ange Albertini
 
Top Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To KnowTop Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To KnowKathy Brown
 
Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...LogeekNightUkraine
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentmloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentDavid Galeano
 
Linux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureLinux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureNeil Armstrong
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019hydai
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdfKhaledIbrahim10923
 
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJSFestUA
 

Similar to Lost-In-The-Loader.pdf (20)

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
An In-Depth Look Into Microcontrollers
An In-Depth Look Into MicrocontrollersAn In-Depth Look Into Microcontrollers
An In-Depth Look Into Microcontrollers
 
An Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and VerificationAn Overview of SystemVerilog for Design and Verification
An Overview of SystemVerilog for Design and Verification
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
Generation of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksGeneration of Random EMF Models for Benchmarks
Generation of Random EMF Models for Benchmarks
 
Skiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in DSkiron - Experiments in CPU Design in D
Skiron - Experiments in CPU Design in D
 
Flash develop presentation
Flash develop presentationFlash develop presentation
Flash develop presentation
 
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Schizophrenic files v2
Schizophrenic files v2Schizophrenic files v2
Schizophrenic files v2
 
Top Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To KnowTop Tips Every Notes Developer Needs To Know
Top Tips Every Notes Developer Needs To Know
 
Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...Oleksandr Kutsan "Using katai struct to describe the process of working with ...
Oleksandr Kutsan "Using katai struct to describe the process of working with ...
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game developmentmloc.js 2014 - JavaScript and the browser as a platform for game development
mloc.js 2014 - JavaScript and the browser as a platform for game development
 
Linux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureLinux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, future
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019
 
Debugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxDebugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to Linux
 
Making Strongly-typed NETCONF Usable
Making Strongly-typed NETCONF UsableMaking Strongly-typed NETCONF Usable
Making Strongly-typed NETCONF Usable
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf
 
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScript
 

More from ssuser8b461f

Quantum factorization.pdf
Quantum factorization.pdfQuantum factorization.pdf
Quantum factorization.pdfssuser8b461f
 
VulnScan_PenTest.pdf
VulnScan_PenTest.pdfVulnScan_PenTest.pdf
VulnScan_PenTest.pdfssuser8b461f
 
Off-Path-Attacks-Against-PKI.pdf
Off-Path-Attacks-Against-PKI.pdfOff-Path-Attacks-Against-PKI.pdf
Off-Path-Attacks-Against-PKI.pdfssuser8b461f
 
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdfAttacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdfssuser8b461f
 

More from ssuser8b461f (9)

OS-01 intro.pdf
OS-01 intro.pdfOS-01 intro.pdf
OS-01 intro.pdf
 
lec3.pdf
lec3.pdflec3.pdf
lec3.pdf
 
lec2.pdf
lec2.pdflec2.pdf
lec2.pdf
 
lec1.pdf
lec1.pdflec1.pdf
lec1.pdf
 
2021-1577.pdf
2021-1577.pdf2021-1577.pdf
2021-1577.pdf
 
Quantum factorization.pdf
Quantum factorization.pdfQuantum factorization.pdf
Quantum factorization.pdf
 
VulnScan_PenTest.pdf
VulnScan_PenTest.pdfVulnScan_PenTest.pdf
VulnScan_PenTest.pdf
 
Off-Path-Attacks-Against-PKI.pdf
Off-Path-Attacks-Against-PKI.pdfOff-Path-Attacks-Against-PKI.pdf
Off-Path-Attacks-Against-PKI.pdf
 
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdfAttacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
Attacks-From-a-New-Front-Door-in-4G-5G-Mobile-Networks.pdf
 

Recently uploaded

NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024EMMANUELLEFRANCEHELI
 
CLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalCLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalSwarnaSLcse
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdfAlexander Litvinenko
 
What is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsWhat is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsVIEW
 
21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological universityMohd Saifudeen
 
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...drjose256
 
History of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationHistory of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationEmaan Sharma
 
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and ToolsMaximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Toolssoginsider
 
Artificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfArtificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfKira Dess
 
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas SachpazisSeismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas SachpazisDr.Costas Sachpazis
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxMustafa Ahmed
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...IJECEIAES
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxCHAIRMAN M
 
15-Minute City: A Completely New Horizon
15-Minute City: A Completely New Horizon15-Minute City: A Completely New Horizon
15-Minute City: A Completely New HorizonMorshed Ahmed Rahath
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsMathias Magdowski
 
Independent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging StationIndependent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging Stationsiddharthteach18
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptamrabdallah9
 
Software Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfSoftware Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfssuser5c9d4b1
 
Intro to Design (for Engineers) at Sydney Uni
Intro to Design (for Engineers) at Sydney UniIntro to Design (for Engineers) at Sydney Uni
Intro to Design (for Engineers) at Sydney UniR. Sosa
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfEr.Sonali Nasikkar
 

Recently uploaded (20)

NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
 
CLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference ModalCLOUD COMPUTING SERVICES - Cloud Reference Modal
CLOUD COMPUTING SERVICES - Cloud Reference Modal
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
 
What is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsWhat is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, Functions
 
21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university
 
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...
Tembisa Central Terminating Pills +27838792658 PHOMOLONG Top Abortion Pills F...
 
History of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationHistory of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & Modernization
 
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and ToolsMaximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
 
Artificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfArtificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdf
 
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas SachpazisSeismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptx
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
 
15-Minute City: A Completely New Horizon
15-Minute City: A Completely New Horizon15-Minute City: A Completely New Horizon
15-Minute City: A Completely New Horizon
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility Applications
 
Independent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging StationIndependent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging Station
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.ppt
 
Software Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfSoftware Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdf
 
Intro to Design (for Engineers) at Sydney Uni
Intro to Design (for Engineers) at Sydney UniIntro to Design (for Engineers) at Sydney Uni
Intro to Design (for Engineers) at Sydney Uni
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
 

Lost-In-The-Loader.pdf

  • 1. #BHEU @BlackHatEvents Lost in the Loader The many faces of the PE File Format Dario Nisi (EURECOM) Mariano Graziano (Cisco Talos) Yanick Fratantonio (Cisco Talos) Davide Balzarotti (EURECOM) #BHEU @BlackHatEvents 1
  • 2. #BHEU @BlackHatEvents The PE File Format ● Standard Format for Programs in Windows ● Based on MS-DOS MZ Format and COFF ● Defines the “headers” Structure 2
  • 3. #BHEU @BlackHatEvents PE Headers ● MZ Header ○ Points to COFF Header ● COFF Header ○ Generic Fields (ISA, Executable/DLL, … ) ● “Optional” Header ○ Not really optional for Executables ○ Entry Point ○ Section/File Alignments ○ Base Address ○ Data Directories PE Signature MZ Header COFF Header e_lfanew ... Optional Header Data Directories Section Table Section Header 1 ... Section Header n ... Section 1 ... Section n ... 3
  • 4. #BHEU @BlackHatEvents Section Table ● Define the Program’s “Memory Image” ● Each Section has ○ Address/Size in Memory ○ Offset/Size in the File ○ Permission level (RWX) ● In theory, up to 216 Sections ○ NumberOfSections is 16 bits PE Signature MZ Header COFF Header e_lfanew ... Optional Header Data Directories Section Table Section Header 1 ... Section Header n ... Section 1 ... Section n ... 4
  • 5. #BHEU @BlackHatEvents The Subtle Problem of the PE Ecosystem Discrepancies Reimplementation is the de facto rule No reference implementation Room for Implementation Choices Not Comprehensive Specifications 5
  • 6. #BHEU @BlackHatEvents Implications of PE discrepancies ● Examples: ○ Programs running under Windows 7 but not Windows 10 ■ Potential evasion of dynamic analysis sandboxes ○ Reverse engineer tools give wrong mapping ■ Static analysis tools may get confused! ● Problematic for malware analysis & detection ○ Static/Dynamic analysis evasion ○ Antivirus signature bypass 6
  • 7. #BHEU @BlackHatEvents Examples from Previous Work ● Petsios et al. @S&P 2017, Kim et al. @CCS 2017 ○ Showed how malware can bypass AVs by forging PE headers ● Corkami PE Collection by A. Albertini ○ Some samples execute only on some Windows Version ● Making a Multi-Windows PE in PoC||GTFO 0x01 ○ Executables with different behaviors exploiting relocation discrepancies ● ELF Crafting @r2con2019 ○ 1-Byte ELF Parser Breaker which Linux recognizes as valid Only single edge cases so far, no systematic study! 7
  • 9. #BHEU @BlackHatEvents The Big Picture Models Reverse Engineering Validation Mode Unknown PE File Generation Mode Valid Test Cases Differential Test Cases 9
  • 11. #BHEU @BlackHatEvents Modelling Phase ● Collect knowledge on the operations performed by parsing routines ● Three types of operations ○ Structural Checks (mandatory headers, magic numbers, …) ○ Compliance Checks (supported ISA, supported OS versions, …) ○ Memory Mapping (generates the memory image) All these operations can be modelled as constraints on the input! 11
  • 12. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration 12
  • 13. #BHEU @BlackHatEvents INPUT statements INPUT inputFile 2048 void *inputFile = SomeReadFileFunction(); Original Program Model 13
  • 14. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition 14
  • 15. #BHEU @BlackHatEvents Symbol Definition INPUT inputFile 2048 P: mzHeader <- inputFile[0, sizeof IMAGE_MZ_HEADER] as IMAGE_MZ_HEADER void *inputFile = SomeReadFileFunction(); IMAGE_MZ_HEADER *mzHeader = &inputFile; Original Program Model 15
  • 16. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates 16
  • 17. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates 17
  • 18. #BHEU @BlackHatEvents (Terminal) Predicates INPUT inputFile 2048 P: mzHeader <- inputFile[0, sizeof IMAGE_MZ_HEADER] as IMAGE_MZ_HEADER V1: EQ mzHeader.magic[0] "M" term V2: EQ mzHeader.magic[1] "Z" term void *inputFile = SomeReadFileFunction(); IMAGE_MZ_HEADER *mzHeader = &inputFile; if (mzHeader->Magic[0] != "M" || mzHeader->Magic[1] != "Z") { return FALSE; } Original Program Model 18
  • 19. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements 19
  • 20. #BHEU @BlackHatEvents Conditional Statements V1: UGE optHeader->SectionAlignment 0x1000 V2(V1): NEq coff->NumberOfSections 0 term if (optHeader->SectionAlignment > 0x1000) { ... if (coff->NumberOfSections == 0) return FALSE: ... } Original Program Model 20
  • 21. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements ○ Loops 21
  • 22. #BHEU @BlackHatEvents Language for Modelling Constraints ● Types of Statements ○ Input Declaration ○ Symbol definition ○ Predicates ■ Terminal/Non-terminal Predicates ○ Conditional Statements ○ Loops ○ C-like structured types declaration 22
  • 23. #BHEU @BlackHatEvents Analysis Framework Models Validation Mode Unknown PE File Generation Mode Valid Test Cases Differential Test Cases 23
  • 24. #BHEU @BlackHatEvents Validation Mode ● Determine whether an input file is a valid PE according to a model ● “Procedural interpretation” of the model ○ Evaluate each statement using the data from the input file ● The file is valid if all terminal statements are true, invalid otherwise 24
  • 25. #BHEU @BlackHatEvents Generation Mode Models Corner Case Generation Differences Enumeration Differential Analysis Test Case Generation Z3 Backend SMT Problems Translation 25
  • 26. #BHEU @BlackHatEvents Model ⇔ SMT Equivalence ● Input Declaration creates unconstrained BitVector ● Symbol/Predicate becomes mathematical formulas ● Loops are unrolled up to a certain number of iterations ● Structured types are translated into offsets/slices in the BitVector ● Terminal Predicates are combined (logic conjunction) to create the statement to assert The solutions of the SMT problem are valid PE files according to the model 26
  • 27. #BHEU @BlackHatEvents Differential Test Case Generation How to generate a file valid for one model but invalid for second one? ● Solve the P1 ∧ ¬P2 ! ● Bonus: the analysis framework tells the broken constraints in P2 27
  • 28. #BHEU @BlackHatEvents Differences Enumeration How to find all the differences between two models? ● Euristic iterative approach ● For each iteration, solve an SMT problem that asserts some of the previously negated constraints in P2 28
  • 29. #BHEU @BlackHatEvents Corner Case Generation How to create many samples that are structurally different? ● Iterative approach that leverages non-terminal statements ● For each iteration, try asserting a different combination of non-terminal statements ○ 2n iterations (with n non-terminal statements) 29
  • 30. #BHEU @BlackHatEvents Customizing Generated Samples How to fine tune the sections’ content in the generated samples? ● Add constraints that section content as a constraint of the model ● We can create samples that execute custom code! 30
  • 32. #BHEU @BlackHatEvents Modelled Software ● Windows Program Loader (XP, 7, 10) ○ Both Kernel-space and User-space ● ClamAV ○ PE format-specific signature engine ● Radare2 ○ PE memory mapping ● Yara ○ PE module 32
  • 33. #BHEU @BlackHatEvents Windows vs Windows ● We actually found discrepancies!! ○ Win7 doesn’t accept executables with ImageBase = 0 ○ Win7 and 10 check SizeOfHeaders under specific conditions, XP does not ○ Win7 and XP accept relocation types that 10 does not ○ Win7 and 10 discard binaries with entry point within the header ○ Win7 does not load binaries whose SizeOfImage is smaller than the offset of the last byte of the section table 33
  • 34. #BHEU @BlackHatEvents Windows vs. ClamAV ● We actually found discrepancies!! ○ Number of sections (ClamAV: max 96, Windows: max 65k) ○ SizeOfOptionalHeader (ClamAV: ≥ 92, Windows: no constraints) ○ Section Virtual Address (ClamAV: must always be aligned, Windows: under certain conditions not necessarily aligned) ● Acknowledged by developers as bugs. Fixes coming soon. 34
  • 35. #BHEU @BlackHatEvents Memory Mapping Discrepancies ● The Source of All Evil: handling SectionAlignment < Page Size (4KB in Intel) ○ Windows: maps the file in memory as is, regardless of the section table ○ Radare2, yara, ClamAV: infer mapping from section table ● We could not find any documentation about this behavior 35
  • 36. #BHEU @BlackHatEvents Notable Test Case SectionAlignment = 4 Optional Header Entry Point = 0x80 xor eax, eax; ret; 36
  • 37. #BHEU @BlackHatEvents Notable Test Case Section #1 Starting address 0x1 37
  • 38. #BHEU @BlackHatEvents Notable Test Case What Windows loads in memory What radare thinks Windows loads in memory 38
  • 39. #BHEU @BlackHatEvents Evidence of Use in the Wild 39
  • 40. #BHEU @BlackHatEvents Malware Hunting Campaign ● VirusTotal LiveHunt ● Yara rules matching discovered discrepancy sources ○ Except the relocation handling (due to limitation of the Yara language) ● 7th to 19th October 2020 ● ~5M samples scanned (est. from the average number of weekly submissions reported by VirusTotal) 40
  • 41. #BHEU @BlackHatEvents Malware Hunt Campaign Results ● 467 samples reported ● Each rule matched at least once ● 301 have SectionAlignment < 4096 (may trigger different mappings) ● 77 had more than 96 sections (invalid for ClamAV) ○ Some had exactly 97 sections 🤔 41
  • 43. #BHEU @BlackHatEvents Takeaways ● No “one way” to handle PE format: different versions of Windows handle it differently ● Need for clearer (formal?) specifications and reference implementations (takes time) ● Security tools should model more than one version of the Windows loader ● Our language and framework ease reverse engineering efforts to build these models ● Framework and models available at https://github.com/eurecom-s3/loaders_modeling 43