2011
07.02
One constant challenge of modern security will always be the difference between published and implemented specifications. Evolving projects, by their very nature, open up a host of exploit areas and implementation ambiguities that cannot be fixed. As such, complex documentation such as that for PECOFF or PDF are goldmines of possibilities.
In this talk we will disclose our recent findings about never before seen PE or Portable executable format malformations. These findings have serious consequences on security and reverse engineering tools and lead to multiple exploit vectors.
PE is the main executable image file format on Windows operating system since its introduction in Windows NT 18 years ago. PE file format itself can be found on numerous Windows-based devices including PCs, mobile and gaming devices, BIOS environments and others. Its proper understanding is the key for securing these platforms. The talk will focus on all aspects of PE file format parsing that leads to undesired behavior or prevents security and reverse engineering tools from inspecting malformated files due to incorrect parsing. Special attention will be given to differences between PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences we will demonstrate existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems. Special attention will be given to following PE file format aspects and their malformation consequences:
- General PE header layout in respect to data positioning and consequences of different memory model implementations as specified by PECOFF documentation. Use of multiple PE headers in a single file along with self-destructing headers.
- Alignment fields with their impact on disk and memory layout with the section layout issues that can occur due to disk or memory data overlapping or splicing. In addition to this, section table content will be inspected for issues of data hiding and its limits will be tested for upper and lower content boundaries. We will demonstrate how such issues affect existing static and dynamic PE unpacking systems.
- Data tables, including imports and exports, will be discussed in detail to show how their malformated content can break analysis tools but is still considered valid from the operating system loader standpoint. We will demonstrate existence of files that can miss use existing PE features in order to cloak important file information and omit reverse engineering process. Furthermore based upon these methods a unique undetectable method of API hooking that requires no code for hooks insertion will be presented.
- PE file format will be inspected for integer overflows and we will show how their presence can lead to arbitrary code execution in otherwise safe analysis environments. We will show how PE fields themselves could be used to deliver code payload resulting in a completely new field of programming; via the file format itself.
- In addition to single field and table malformations more complex ones involving multiple fields and tables will also be discussed. As a demonstration of such use case scenario a unique malformation requiring multiple fields working together to establish custom file encryption will be presented. This simple, yet effective, encryption that is reversed during runtime by the operating system loader itself requires no code in the malformated binary itself to be executed. Its effectiveness is in a unique approach to encryption trough file format features themselves in order to prevent static and dynamic file analysis tools from processing such files.
This talk will be a Black Hat exclusive; Whitepaper accompanying the presentation materials will contain detailed description of all malformations discussed during the talk. This whitepaper aims to be a mandatory reading material for security analysts. It will continue to be maintained as new information on PE format malformations are discovered.
More information here.
VN:F [1.9.17_1161]
Rating: +6 (from 6 votes)
2011
07.02
Reverse engineering compressed binaries has been a necessity for more than a two decades now, and we as reverse engineers are always on a lookout for newest and fastest ways of accomplishing our goal. In that spirit numerous presentations, during the last few years, have been held involving the great abundance of ways one can make a single generic solution that unpacks it all. This presentation is its exact opposite as it will focus on reverse engineering specifics for numerous commonly used software compressions.
When building a system for automated file analysis our goal is to make an optimal system that accurately identifies files and unpacks them in the blink of an eye. Such system must be able to be deployed in any environment without the risk of anything going even remotely wrong. That kind of requirements eliminate most generic unpacking solutions making us focus on what is without a doubt hardest unpacking scenario; static unpacking. Writing static unpackers is a hard task which is why it is more than often avoided by reverse engineers. However it is necessary as their performance far overtakes the difficulty of implementation.
We will focus on reverse engineering of all known and possible implementations of various transformations performed by the compression solution in an aim to show that the best way to observe the software compression is as subset of its parts. Detailed descriptions of reverse engineering procedures needed to analyze internal data structures along with ways to restore them to original PECOFF format will be provided. These techniques will be applied to both custom and traditional compression & encryption algorithms with examples that shows how to reverse engineer vital functions from assembly back to source code. In addition to this first step in reversing we will tackle the problems of data layout and import, resource, relocation and TLS table transformation and analysis. Differences between x86, x64 and .net packers and the ways to unpack them will also be covered. Solution to all of these problems will be presented from a standpoint of writing a high load static unpacker that operates in a multi-threaded environment. As an implementation platform upcoming TitanEngine3 unique design will be presented along with approach it uses to solve the problems that come with writing static unpackers.
More information here.
VN:F [1.9.17_1161]
Rating: +3 (from 3 votes)
2011
07.02
Learn how to do in depth analysis of compressed and encrypted binary files. Attendees will receive hands-on experience working with the tools designed to do static and dynamic analysis of the PECOFF file format and formats derived from it covering both x86 and x64 platforms.
Instructors: Tomislav Pericin and Nicolas Brulez
Dates: 6-7 July 2011
Availability: 20 Seats
Day 1: Inside the PECOFF file format
During the first day of the training we will focus on reviewing the PECOFF file format and examining its aspects to determine the structures and tables most commonly compressed and protected by PE modifiers. General memory models used by all known PE format modifiers will be described based upon which software compressions will be classified into groups. Key features of crypters, packers and protectors will be analyzed on real world samples and the most representative formats will be manually unpacked.
PE file format properties obscured by the format modifier will be discussed. These properties include import, export, resource, relocation and tls tables and the ways that PE modifiers transform them from standard PECOFF to packer specific formats. By applying reverse engineering techniques we will decipher these internal packer specific formats and restore them to their original state. In addition to this attendees will learn how to reverse engineer custom compression and encryption algorithms and implement them in their code in order to produce fully functional format unpackers. Special attention will be given to static unpacker coding layout and the benefits of using TitanEngine to minimize the time it takes to create an unpacker.
Attendees will learn how to identify and reverse engineer key PE file format modifier sections. Single PE packer format that supports x86/x64/.net packing will be inspected in detail for which static unpacker will be coded.
Day 2: Inside the nightmares of file analysis
During the second day of the training we will focus on analyzing and unpacking complex software protections. Special attention will be given to methods used to harden against format reverse engineering and prevent unpacking. We will describe common protection techniques utilized by both legitimate software protectors and those specifically designed for use in malware. We will then use information to show coding techniques needed for such complex static unpackers and ways to counter all the tricks used to harden detection, analysis and unpacking.
Single PE protection format will be inspected in detail for which dynamic and/or static unpackers will be coded.
Class Requirements
Very basic knowledge of C/C++ or any other programming language.
Very basic understanding of assembly, debugging and Windows internals.
OllyDBG 1.10 and IDA Pro 5 (free version will be sufficient).
Microsoft Visual Studio 2008 (express will be sufficient).
Additional tools and scripts will be provided by the instrutor.
More information here.
VN:F [1.9.17_1161]
Rating: +2 (from 2 votes)
