Binary art - Byte-ing the PE that fails you (extended offline version)

Binary art
Byte-ing the PE that fails you

Ange Albertini 3rd November 2012
http://corkami.com Lucerne, Switzerland

extended edition
● the presentation deck had 60+ slides
● this one has 140+
● many extra explanation slides
● many extra examples

agenda
what's a PE?
the problem, and my approach
overview of the PE format
classic tricks
new tricks

© ID software

Portable Executable
based on

Common Object File Format

Windows executables and more
● since 1993, used in almost every executables
● 32bits, 64bits, .Net
● DLL, drivers, ActiveX...
● also used as data container
● icons, strings, dialogs, bitmaps...

omnipresent in Windows
also EFI boot, CE phones, Xbox,...
(but not covered here)

Binary art - Byte-ing the PE that fails you (extended offline version)

PEuniversal
Windows binary
since 1993

sins & punishments
● official documentation limited and unclear
● just describes standard PEs
● not good enough for security

● crashes (OS, security tools)
●
obstacle for 3rd party developments
● hinders automation, classification
● PE or not?
● corrupted, or malware?
● fails best tools → prevents even manual analysis

aka “the gentle guide to standard PEs”

CVE-2012-2273

version_mini

ibkernel

from bottom up
● analyzing what's in the wild
● waiting for malware/corruption to experiment?
● generate complete binaries from scratch
● manually
● no framework/compiler limitation
● concise PoCs
→ better coverage

I share knowledge and PoCs, with sources

File
PE

(Appended data)

defined by the PE header

data
PE

Appended
PE

PE
Header
Sections
code, data, <you name it>

Header
MZ

DOS header since IBM PC-DOS 1.0 (1981)
PE (or NE/LE/LX/...)

'modern' headers since Windows NT 3.1 (1993)

Header
DOS header
(DOS stub) 16 bits

(Rich header) compilation info

'PE headers'

DOS Stub

● obsolete 16b code
● prints msg & exits

● still present on all standard PEs

● even 64b binaries

PoC: compiled

'Rich' header
● compiler information
● officially undocumented

● pitiful xor32 encryption

● completely documented by Daniel Pistelli

http://ntcore.com/files/richsign.htm

PoC: compiled

Dos header
● obsolete stuff
● only used if started in DOS mode
● ignored otherwise
● tells where the PE header is

'PE Headers'
'NT Headers'

PE00

File header declares the rest

Optional header absent in .obj

Section table
mapping layout

File header
● how many sections?
● is there an Optional Header?
● 32b or 64b, DLL or EXE...

NumberOfSections values
● 0: Corkami :p
● 1: packer
● 3-6: standard
● code, data, (un)initialized data, imports, resources...

● 16: free basic FTW :D
● what for ?

Optional header
● geometry properties
● alignments, base, size
● tells where code starts
● 32/64b, driver/standard/console
● many non critical information
● data directory

Sections
● defines the mapping:
● which part of the file goes where
● what for? (writeable, executable...)

Data Directory
● (RVA, Size) DataDirectory[NumbersOfRvaAndSizes]
● each of the standard 16 firsts has a specific use
→ often called 'Data Directories'

PE DLL
...
call [API] API: …
… ret

Imports Exports

Exports
● 3 pointers to 3 lists
● defining in parallel (name, address, ordinal)
● a function can have several names

Imports
● a null-terminated list of descriptors
● typically one per imported DLL
● each descriptor specifies
● DLL's name
● 2 null-terminated lists of pointers
– API names and future API addresses

● ImportsAddressTable highlights the address table
● for write access

Relocations
● PE have standard ImageBases
● EXE: 0x400000, DLL 0x1000000
→ conflicts between DLLs
→ different ImageBase given by the loader
● absolute addresses need relocation
● most addresses of the header are relative
● immediate values in code, TLS callbacks
● adds (NewImageBase - OldImageBase)

Resources
● icons, dialogs, version information, ...
● requires only 3 APIs calls to be used
→ used everywhere
● folder & file structure
● 3 levels in standard

Thread Local Storage
● Callbacks executed on thread start and stop
● before EntryPoint
● after ExitProcess

32 bits ↔ 64 bits
● IMAGE_FILE_HEADER.Machine
● 0x14c I386 ↔ 0x8664 AMD64
● IMAGE_OPTIONAL_HEADER.Magic
● 0x10b ↔ 0x20b
● ImageBase, stack, heap
● double ↔ quad
● sizeof(OptionalHeader): 0xe0 ↔ 0xf0
● TLS, import thunks also switch to qwords

NumberOfSections
● 96 sections (XP)
● 65536 Sections (Vista or later)

→ good enough to crash tools!

SizeOfOptionalHeader
● sizeof(OptionalHeader)
● that would be 0xe0 (32b)/0xf0 (64b)
● many naive softwares fail if different
● offset(SectionTable) – offset(OptionalHeader)
● can be:
● bigger
– bigger than file (→ virtual table, xp)
● smaller or null (→ overlapping OptionalHeader)
● null (no section at all)

Section-less PE
● standard mode:
● 200 ≤ FileAlignment ≤ SectionAlignment
● 1000 ≤ SectionAlignment
● 'drivers' mode:
● 1 ≤ FileAlignment == SectionAlignment ≤ 800
→ virtual == physical
● whole file mapped as is
● sections are meaningless
● can be none, can be many (bogus or not)

1 ≤ FileAlignment == SectionAlignment ≤ 800

nosection*

TinyPE
classic example of hand-made malformation
● PE header in Dos header
● truncated OptionalHeader
● doesn't require a section
● 64b & driver compatible
● 92 bytes
● XP only (no more truncated OptionalHeader)
● extra padding is required since Vista
→ smallest universal PE: 268 bytes

Dual 'folded' headers
DD only used after mapping
http://www.reversinglabs.com/advisory/pecoff.php
1.move down header
2.fake DD overlaps starts of section (hex art FTW)
3.section area contains real values
● loading process:
1.header and sections are parsed
2.file is mapped
3.DD overwritten with real value
● imports are resolved, etc...

null EntryPoint
● for EXEs
● 'MZ' disassembled as 'dec ebp/pop edx'
(null EP for DLLs = no DllMain call)

nullEP

virtual EntryPoint
● first byte not physically in the file
● 00 C0 => add al, al

virtEP

TLS on the fly
● the list of callbacks is updated on the fly
● add callback #2 during callback #1

tls_onthefly

ignored TLS
● TLS are not executed if only kernel32 is imported
● and if no DLL importing kernel32 is imported
– Kaspersky & Ferrie

tls_k32

imports' trailing dots
● XP only
● trivial
● trailing dots are ignored after DLL name
● fails heuristics

Resources loops
● (infinite) loops
● not checked by the loader
● ignored if a different path is required to reach
resource

EntryPoint change via static DLLs
static DLLs are called before EntryPoint call
● DllMain gets thread context via lpvReserved
● which already contains the future EntryPoint

→ any static DLL can freely change the EntryPoint

documented by Skywing (http://www.nynaeve.net/?p=127),
but not widely known

Win32VersionValue
● officially reserved
● 'should be null'
● actually used to override versions info in the PEB
● simple dynamic anti-emu
● used in malwares

Characteristics
● IMAGE_FILE_32BIT_MACHINE
● true for 64b
● not required !!
● IMAGE_FILE_DLL
● not required in DLLs
– exports still useable
– no DllMain call!
● invalid EP → not an EXE
● no FILE_DLL → apparently not a DLL
→ can't be debugged

Imports descriptor tricks
● INT bogus or absent
● only DllName and IAT required
● descriptor just skipped if no thunk
● DLL name ignored
– can be null or VERY big
● parsing shouldn't abort too early
● isTerminator = (IAT == 0 || DllName == 0)
● terminator can be virtual or outside file
● first descriptor too

dd OriginalFirstThunk
dd TimeDateStamp
dd ForwarderChain
----------------------------
dd Name
dd FirstThunk

imports_virtdesc

Collapsed imports
advanced imports malformation
● extension-less DLL name
● IAT in descriptor
● pseudo-valid INT that is ignored
● name and hint/names in terminator
● valid because last dword is null

Exceptions directory
● 64 bits Structured Exception Handler
● usually with a lot of extra compiler code

● used by W32.Deelae for infection
● Peter Ferrie, Virus Bulletin September 2011

● update-able manually, on the fly
● no need to go through APIs

Relocations tricks
● allows any ImageBase
● required on VAs: code, TLS, .Net
● ignored if not required
● no ImageBase change (→ fake relocs!)
● no code
● 64 bits RIP-relative code
● IP-independant code
● can relocate anything
● relocate ImageBase → alter EntryPoint

Relocation types (in theory)
HIGHLOW
● standard ImageBase delta
ABSOLUTE
● do nothing
● just for alignment padding

Relocation types in practice
● type 6 and 7 are entirely skipped
● type 8 is forbidden
● type 4 (HIGHADJ) requires an parameter
● that is actually not taken into account (bug)
● type 2 (LOW) doesn't do anything
● because ImageBase are 64kb aligned
● type MIPS and IA64 are present on all archs
● at last, some cleanup in Windows 8!

relocations' archeology
● HIGHADJ was there all along
● MIPS was recognized but rejected by Win95
● NT3.1 introduces MIPS – available in all archs.
● LOW was rejected by Win95/WinME
● while it does nothing on other versions
● Windows 2000 had an extra relocation type,
also with a parameter
Bonus:
Win95 relocations use 2 copies of the exact same code.
code optimization FTW!

messing with relocations
● 4 relocation types actually do nothing
● All relocations can be applied on a bogus address
● HighAdj's parameter used as a trick
● Relocations can alter relocations
● one block can alter the next
● Relocations can decrypt data
● set a kernel ImageBase
● default ImageBase is known
● No static analysis possible
● but highly suspicious :D

Code in the header
● header is executable
● packers put some data or jumps there
● many unused fields
● many less important fields
● Peter Ferrie
http://pferrie.host22.com/misc/pehdr.htm

→ real code in the header

.Net
Loading process:
1.PE loader
• requires only imports (DD[1]) at this stage
2.MSCoree.dll called
3..Net Loader
● requires CLR (DD[13]) and relocations (DD[5])
● forgets to check NumberOfRvaAndSizes :(
– works with NumberOfRvaAndSizes = 2

fails IDA, reflector – but already in the wild

PE .NET

... ...
imports ...
... ...
... ...
... ...
... relocs
... ...
... ...
... ...
... ...
... ...
... ...
... ...
... ...
... CLR
... ...

tinynet

non-null PE
●
LoadlibraryEx with LOAD_LIBRARY_AS_DATAFILE
● data file PE only needs MZ, e_lfanew, 'PE00'
● 'PE' at the end of the file
● pad enough so that e_lfanew doesn't contain 00s

a non-null PE can be created and loaded

Resources-only DLL
● 1 valid section
● 65535 sections under XP!
● 1 DataDirectory

subsystems
● no fundamental differences
● low alignments for drivers
● incompatible imports: NTOSKRNL ↔ KERNEL32
● console ↔ gui : IsConsoleAttached

→ a PE with low alignments and no imports
can work in all 3 subsystems

a 'naked' PE with code
● low alignments → no section
● no imports → resolve manually APIs
● TLS only → no EntryPoint

no EntryPoint, no section, no imports,
but executed code

external EntryPoint (1/2)
● in a DLL (with no relocations)

dllextEP

external EntryPoint (2/2)
● allocated just before in a TLS

tls_virtEP

skipped EntryPoint
ignored via terminating TLS

tls_noEP

from ring 0 to ring 3
● kernel debugging is heavy
● kernel packers are limited
1.change subsystem
2.use fake kernel DLLs (ntoskrnl, etc...)
● redirect APIs
– DbgPrint → MessageBoxA, ExAllocatePool → VirtualAlloc

→ automate kernel unpacking

TLS AddressOfIndex
● pointer to dword
●
overwritten with 0, 1... on nth TLS loading
● easy dynamic trick
call <garbage> on file → call $+5 in memory
● handled before imports under XP, not in W7

same working PE, different loading process

Manifest
● XML resource
● can fail loading
● can crash the OS ! (KB921337)
● Tricky to classify
● ignored if wrong type
Minimum Manifest
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'/>

DllMain/TLS corruption
● DllMain and TLS only requires ESI to be correct
● Even ESP can be bogus
● easy anti-emulator
● TLS can terminate with exception
● no error reported
● EntryPoint executed normally

a Quine PE
● prints its source
● totally useless – absolutely fun :D

● fills DOS header with ASCII chars
● ASM source between DOS and PE headers

● type-able manually
● types itself in new window when executed

a binary polyglot
● add %PDF within 400h bytes
→ your PE is also a PDF (→ Acrobat)
● add PK0304 anywhere
→ your PE is also a ZIP (→ PKZip)
● throw a Java .CLASS in the ZIP
→ your PE is also a JAR (→ Java)
● add <HTML> somewhere
→ your PE is also an HTML page (→ Mosaic)
● Bonus: Python, JavaScript

Conclusion
● the Windows executable format is complex
● mostly covered, but many little traps
● new discoveries every day :(

http://pe101.corkami.com
http://pe.corkami.com

Questions?
Thanks to
Fabian Sauter, Peter Ferrie, ‫وليد عصر‬
Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert,
Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, Lord
Noteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel
Plohmann, Gorka Ramírez, 최진영 , Adam Błaszczyk, 板橋一正 , Gil Dabah, Juriaan Bremer, Bruce Dang,
Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex
Ionescu, Alexander Sotirov, Cathal Mullaney

Thank YOU!
Ange Albertini @gmail.com
@ange4771
http://corkami.com

older formats
● 32b Windows still support old EXE and COM
● lower profile formats, evade detection
● an EXE can patch itself back to PE
● can use 'ZM' signature
● only works on disk :(
● a symbols-only COM file can drop a PE
● using Yosuke Hasegawa's http://utf-8.jp/public/sas/

file archeology
● bitmap fonts (.FON) are stored in NE format
● created in 1985 for Windows 1.0
● vgasys.fon still present in Windows 8
● file unchanged since 1991 (Windows 3.11)
● font copyrighted in 1984
● Properties show copyright name

→ Windows 8 still (partially) parses
a 16b executable format from 1985

Drunk opcode
● Lock:Prefetch
● can't be executed
● bogus behavior under W7 x64
● does not trigger an exception either
● modified by the OS (wrongly 'repaired')
● yet still wrong after patching!

infinite loop of silent errors

this is the end...
my only friend, the end...

Binary art - Byte-ing the PE that fails you (extended offline version)

More Related Content

What's hot (20)

Viewers also liked (7)

Similar to Binary art - Byte-ing the PE that fails you (extended offline version) (20)

More from Ange Albertini (20)

Binary art - Byte-ing the PE that fails you (extended offline version)