Portable Executable format, TitaniumCore report and packers. Katja Pericin

Transcription

1 Portable Executable format, TitaniumCore report and packers Katja Pericin

2 Portable Executable format 3/21/2018 2

3 Introduction file? operating system abstraction for a data container segment(s) of physical space containing bytes file format? layout of data inside a data container we give it meaning endianness file/memory alignment 3/21/2018 Introduction 3

4 Introduction common file format fields format magic ( GIF89, PACK, ) reserved fields ( should be something = ignored) checksum fields (CRC) file table offset/address file size file names and/or paths timestamp program specific details (compression, image width, palette, ) 3/21/2018 Introduction 4

5 Introduction executable files - loaded into memory by OS OS s loader parses the file format arrange data in memory as needed load all additional dependencies execution starts from a specific point OS cleans up afterwards 3/21/2018 Introduction 5

6 Portable Executable format native Win32 / Win64 format PE32 / PE32+ Official documentation MZ Header PE Header Optional Header Section Headers Section 1 Section N Overlay 3/21/2018 PE Format 6

7 MZ Header magic bytes: 0x4D 0x5A ( MZ ) size of header = 0x40 bytes at offset 0x3C e_lfanew offset to PE header in file 3/21/2018 PE Format 7

8 PE Header magic bytes 0x50 0x45 0x00 0x00 ( PE ) size of header = 0x14 bytes target machine (i386, AMD64, MIPS, PowerPC, ) number of sections characteristics file attributes executable image DLL reversed endianness large address aware (x64) size of optional header 3/21/2018 PE Format 8

9 Optional Header magic = 0x010B\0x020B (32/64-bit) not optional for executables provides info to the loader size not fixed determined by SizeOfOptionalHeader in PE header field sizes differ for 32- and 64-bit executables usually 0xE0 for 32-bit if everything is included 3/21/2018 PE Format 9

10 Section Header header size = 0x28 bytes section name can be whatever (8 bytes) usually.text,.code,.data,.data,.rdata, section name DOES NOT define section content pointer to raw data file offset size of raw data relative virtual address address in memory virtual size size in memory characteristics: attributes (readable, writeable, executable, ) 3/21/2018 PE Format 10

11 Data Directories (address, size) pairs list of tables used by Windows loaded into memory usually 0x10 data directories index in the table determines functionality 3/21/2018 PE Format 11

12 Data Directories common directories export import resource relocation TLS Export Table Import Table Resource Table Exception Table Certificate Table Base Relocation Table Debug Architecture Global Ptr TLS Table Load Config Table Bound Import IAT Delay Import Descriptor CLR Runtime Header Reserved, must be zero 3/21/2018 PE Format 12

13 Export Directory usually present in DLLs, rarely in executables functions exported by ordinal and name we import other s exports 3/21/2018 PE Format 13

14 Import Directory describes additional dependencies which executable needs libraries and their APIs each entry size = 0x14 describes a single library points to a list of all APIs imported from the library points to locations where VAs of APIs should be stored empty entry = directory end 3/21/2018 PE Format 14

15 Resource Table multiple-level binary-sorted tree structure three levels (directories) type name language pointers to another directory table (lower level) data description (leafs) 3/21/2018 PE Format 15

16 Overlay found at the end of a file appended data not loaded into memory must be read from file commonly used to store configuration data store additional program binaries or raw data change hash of an executable 3/21/2018 PE Format 16

17 TitaniumCore report 3/21/

18 TitaniumCore report JSON Static analysis of files PE Format analysis is the most interesting for us Parsing of all headers Parsing of all data directories Example used in following slides is a part of the dataset, file fbe39061e9a75eb8da1d28d8c191f9c ff.json 3/21/2018 TC Report 18

19 3/21/2018 TC Report 19

20 3/21/2018 TC Report 20

21 3/21/2018 TC Report 21

22 3/21/2018 TC Report 22

23 3/21/2018 TC Report 23

24 3/21/2018 TC Report 24

25 3/21/2018 TC Report 25

26 3/21/2018 TC Report 26

27 3/21/2018 TC Report 27

28 3/21/2018 TC Report 28

29 3/21/2018 TC Report 29

30 Reverse Engineering 3/21/

31 RE tools Debuggers/Decompilers OllyDbg, x64dbg, IDAPro PE parsing TitaniumCore report LordPE PEView Format identification PEID (often wrong, not reliable) 3/21/2018 Reverse Engineering 31

32 Packers Single or multiple code layers Multiple compression algorithms in use aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, Custom PECOFF table processing (if present and selected by the user) Imports are usually compressed Resources are usually compressed Relocations are usually compressed TLS can be emulated Can pack x86/x64/.net files No anti-reversing protection 3/21/2018 Reverse Engineering 32

33 Crypters Multiple protection layers Polymorphic decryptors / entry Custom encryption algorithms Numerous anti-reversing protections Anti-debugging Import protection (redirections) Original entry point protection 3/21/2018 Reverse Engineering 33

34 Protectors Multiple encrypted code layers Multiple compression algorithms in use aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, Custom PECOFF table processing (if present and selected by the user) Imports are usually protected Resources are usually protected Relocations are usually protected TLS can be emulated Can protect x86/x64/.net files Usually come with integrated licensing Numerous anti-reversing protection 3/21/2018 Reverse Engineering 34

35 Original file layout DOS PE Sections (code, data, imports) (compression) Packed file layout DOS PE Sections Resources Resources Overlay STUB Overlay 3/21/2018 Reverse Engineering 35

36 Resource and Overlay If categorized by functionality can be in any of previous categories Protected data is stored in resources or overlay Packers/Crypters/Protectors usually store data in sections Can use any of previously described methods Encryptions Compressions Anti-reversing protections 3/21/2018 Reverse Engineering 36

37 Questions? All rights reserved ReversingLabs 2018