In this talk we will disclose our recent findings about never before seen PE or Portable executable format malformations. These findings have serious consequences on security and reverse engineering tools and lead to multiple exploit vectors.

PE is the main executable image file format on Windows operating system since its introduction in Windows NT 18 years ago. PE file format itself can be found on numerous Windows-based devices including PCs, mobile and gaming devices, BIOS environments and others. Its proper understanding is the key for securing these platforms. The talk will focus on all aspects of PE file format parsing that leads to undesired behavior or prevents security and reverse engineering tools from inspecting malformated files due to incorrect parsing. Special attention will be given to differences between PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences we will demonstrate existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems. Special attention will be given to following PE file format aspects and their malformation consequences:

• General PE header layout in respect to data positioning and consequences of different memory model implementations as specified by PECOFF documentation. Use of multiple PE headers in a single file along with self-destructing headers.
• Alignment fields with their impact on disk and memory layout with the section layout issues that can occur due to disk or memory data overlapping or splicing. In addition to this, section table content will be inspected for issues of data hiding and its limits will be tested for upper and lower content boundaries. We will demonstrate how such issues affect existing static and dynamic PE unpacking systems.
• Data tables, including imports and exports, will be discussed in detail to show how their malformated content can break analysis tools but is still considered valid from the operating system loader standpoint. We will demonstrate existence of files that can miss use existing PE features in order to cloak important file information and omit reverse engineering process. Furthermore based upon these methods a unique undetectable method of API hooking that requires no code for hooks insertion will be presented.
• PE file format will be inspected for integer overflows and we will show how their presence can lead to arbitrary code execution in otherwise safe analysis environments. We will show how PE fields themselves could be used to deliver code payload resulting in a completely new field of programming; via the file format itself.
• In addition to single field and table malformations more complex ones involving multiple fields and tables will also be discussed. As a demonstration of such use case scenario a unique malformation requiring multiple fields working together to establish custom file encryption will be presented. This simple, yet effective, encryption that is reversed during runtime by the operating system loader itself requires no code in the malformated binary itself to be executed. Its effectiveness is in a unique approach to encryption trough file format features themselves in order to prevent static and dynamic file analysis tools from processing such files.

This talk will be a Black Hat exclusive; Whitepaper accompanying the presentation materials will contain detailed description of all malformations discussed during the talk. This whitepaper aims to be a mandatory reading material for security analysts. It will continue to be maintained as new information on PE format malformations are discovered.

More information here.

Instructors: Tomislav Pericin and Nicolas Brulez
Dates: 6-7 July 2011
Availability: 20 Seats

Day 1: Inside the PECOFF file format

During the first day of the training we will focus on reviewing the PECOFF file format and examining its aspects to determine the structures and tables most commonly compressed and protected by PE modifiers. General memory models used by all known PE format modifiers will be described based upon which software compressions will be classified into groups. Key features of crypters, packers and protectors will be analyzed on real world samples and the most representative formats will be manually unpacked.

PE file format properties obscured by the format modifier will be discussed. These properties include import, export, resource, relocation and tls tables and the ways that PE modifiers transform them from standard PECOFF to packer specific formats. By applying reverse engineering techniques we will decipher these internal packer specific formats and restore them to their original state. In addition to this attendees will learn how to reverse engineer custom compression and encryption algorithms and implement them in their code in order to produce fully functional format unpackers. Special attention will be given to static unpacker coding layout and the benefits of using TitanEngine to minimize the time it takes to create an unpacker.

Attendees will learn how to identify and reverse engineer key PE file format modifier sections. Single PE packer format that supports x86/x64/.net packing will be inspected in detail for which static unpacker will be coded.

Day 2: Inside the nightmares of file analysis

During the second day of the training we will focus on analyzing and unpacking complex software protections. Special attention will be given to methods used to harden against format reverse engineering and prevent unpacking. We will describe common protection techniques utilized by both legitimate software protectors and those specifically designed for use in malware. We will then use information to show coding techniques needed for such complex static unpackers and ways to counter all the tricks used to harden detection, analysis and unpacking.

Single PE protection format will be inspected in detail for which dynamic and/or static unpackers will be coded.

Class Requirements

Very basic knowledge of C/C++ or any other programming language.
Very basic understanding of assembly, debugging and Windows internals.
OllyDBG 1.10 and IDA Pro 5 (free version will be sufficient).
Microsoft Visual Studio 2008 (express will be sufficient).
Additional tools and scripts will be provided by the instrutor.

More information here.

Reverse engineering is the only weapon of choice when it comes to malware unpacking and analysis. It gives us an inside look into the malware creations and enables us to understand their ins and outs. One such malicious sample was sent to us today for analysis. The file in question is an update for a rogue anti-virus solution and it uses an interesting encryption and packing options to hide its presence from legitimate security software solutions. For our today's blog we demonstrate the actions needed to remove the protections utilized by malicious software in order to get to the core malware functionality. Until next week...

TitanMist, the newest project from ReversingLabs, was presented at this year's BlackHat USA. Being our youngest product, it got the most attention. As a sign of our high hopes for this project, we've dedicated ourselves to creating a detailed roadmap for it, a roadmap based on your desires, your expectations, and best of all: your contributions. Below are the milestones for the project's future:

• Deploying an easy to use installer for the project (done)
• Deploying a QA system and integrating it with our wiki format knowledge base
• Extending the TitanMist database with more signatures and unpackers
• Extending the TitanMist database with quality tested PeID signatures
• Extending the TitanMist database with quality tested OllyDBG scripts
• Extending the TitanScript capabilities by enabling the DLL unpacking
• Introducing more TitanMist plugins along with the Nexus plugin
• Graphical user interface

That is our TODO list, our focus. We've received many suggestions from people who have tried TitanMist in the brief time since its release - some of which immediately found their way onto on our roadmap list. We encourage you to contribute to our little project, making it a true "go-to" tool when it comes to file analysis. Until the next update on the TitanMist...

TitanMist ReversingLabs Corporation

TitanMist installer (package contains the installer for the tool)

BlackHat, one of the world's biggest security conferences, was held in Las Vegas two weeks ago. Among the BlackHat conferences this year, Las Vegas was by far the biggest event  - bringing thousands of security researchers to the heart of the Sin City. Bigger then ever before, BlackHat featured eleven tracks with an impressive number of high quality talks and trainings. We were there, and we were more than proud to present our newest file analysis tool, TitanMist, to the World.

In a fairly full room, for a reversing track that is, we presented the TitanMist project we have been working on for the past couple of months. Best described as  an automated PE32 file format identification and unpacking tool, TitanMist aims to improve collaboration among reverse engineers across the globe. That is an ambitious goal, but we have high hopes for this project and believe that we can grow it into something of great value in the coming months. Our detailed project roadmap will be unveiled on our blog next week.

The TitanMist presentation was accompanied by the Arsenal presentation that featured all of our tools: TitanEngine, NyxEngine and TitanMist. This kind of tool demo was introduced at this year's BlackHat USA and we must admit that we like the idea of tool presentations, during which authors receive direct feedback from the community. This feedback enables us to add new features and improve our tools even further. We got  many great ideas from talking to attendees with an interest in our tools and what we do. Ones attendees with particularly intriguing questions or ideas questions were rewarded with one of our TitanEngine T-Shirts. But t-shirt winner or not, we thank you all for your continuing support of ReversingLabs and the TitanEngine project!

In the picture on the left you can see our Arsenal booth and one of our senior software engineers, Mario Suvajac. Mario is one of the guys behind the TitanMist project, in charge of the byte pattern matching and overall tool design.

That is it for this report, until next week...

Security is notoriously disunited. Every year multiple tools and projects are released and never maintained. TitanMist is its inverse opposite. Built on top of TitanEngine, it provides automation and manages all known and good PEID signatures, unpacking scripts and other tools in one unified tool. TitanMist is the nicely packaged and open source catch all tool that will become your first line of defense. The project also goes beyond pure tool development. It builds a forum to share information and reverse engineering experience built around the biggest online and collaborative knowledge base about software packers.

With the increase in packed and protected malicious payloads, collaboration and quick response between researchers has become critical. As new sample numbers are quickly closing to 40M samples per year, solution to this problem has to come from reverse engineers themselves, integrating the work that they have done in the past and they continue to do. Huge databases of format identification data and unpacking scripts can be reused in a way to maximize automation. Yet, where do we find a definite collection of functional tools, identification signatures and unpacking tools? And how do we integrate them in a meaningful and accurate way?

TitanMist approaches these problems in a manner recognizable to every reverse engineer. It aims to mimic, but automate, the reversing process enabling everyone to easily create unpackers and integrate them in an extensible system. This builds a powerful and fast growing community analysis tool. Overcoming the most basic problems of reverse engineering problems was the top priority for the TitanMist project. Hoping to bridge the programming knowledge barrier which troubles many reverse engineers TitanMist introduces a variety of programming languages in which unpackers can be written in.

TitanMist goes beyond languages that compile to native code relying heavily on popular and easy to learn script languages. Backed up by LUA and Python this project makes coding unpackers a much simpler task. However the challenge of making TitanMist as easy to adopt and extend as possible meant that the project has to go further than extending support for more programming languages. Knowing that most of reverse engineers are familiar with debugger level script language OllyScript we added the support for it as well. Combined with the full TitanEngine functionality these scripts become powerful automated unpackers which combined with the layer of file format identification create a unique database of file analysis tools.

Download

• TitanMist / TitanMist Source
• BlackHat Vegas 2010 whitepaper
• BlackHat Vegas 2010 presentation

TitanMist ReversingLabs Corporation

TitanMist 1.0 released!

Looks cool? Want one? All you have to do is solve this challenge and tell us what is the password we seek. Sounds easy? Its not... Mail us with your solution at: blog(at)reversinglabs(dot)com; Challenge is now closed! Thanks to everyone who participated. Click read more for the solution...

We didn't even dream about getting so many people to participate in our little challenge. The sheer number of emails simply flooded our mailbox with possible solutions and compliments about  our challenge! One of those compliments expresses just what we want to do in the not-so-distant future, we quote: "Fun challenge, do more of these!" We definitely will!

Now to the solution, and discussion of the parts that proved troublesome for many...

We start by downloading the file and doing our initial analysis. Since the file is a ZIP archive we open it with any program that works with this archive format to find a folder named "r" with the file named "r.zip" in it. This part of the challenge is just a decoy to keep you busy and distracted from the real content which is appended to the archive as an archive comment. That real content is another archive in 7Zip file format, which once extracted produces a single CAB file, and that is where the things get interesting. The CAB file has a single PNG file in it, but to solve this challenge we must observe the image and the archive as two separate objects.

First the image part of the puzzle. The image, once opened, shows a normal picture with the logo of our company. However the picture itself has embedded steganography data. Since we didn't want to do any hard stego which can be solved by inspecting image pixels we embedded our hidden information between valid records inside the PNG file header. Something very similar to what we demonstrated on BlackHat Barcelona earlier this year. With the obvious difference that the file format is an image not an archive. Nonetheless the principle is the same. So, what's hidden? If you open the image file with any hex editor you will see a string "pSWD" near the start of the file. That string is followed by a 16 number sequence: 538B327278BBAB654747288999FBCDA1 which isn't the password we need. Nope, its not - even though many of you thought that that was the end solution. Why isn't it?

Because of the fact that the CAB file that compressed that PNG image holds the last piece of the puzzle. If we scan that CAB file with our NyxEngine we get the following output:

Steganography ID: 0x00000b
Possible steganography due to suspicious CAB extra data present between entries!
Data start: 0x5a; Data size: 0x0000f6

And in that data there is the following text block:

UmFyIRoHAM6Zc4AADQAAAAAAAAA8MSAOyRZcWCVhcEFcUfp
P4JdbtU2derwgjSYp+BpxVYkWJPDtQ/TITifo4qO7qyYz+yLpd9+6
nkwwxmomWHbHK0Bt6UPHOwL/pEKm6IGXo/5dioeP66Fq5brTldgi
Z7do5bbFjykQIsx6PMCBre4iUJ7jcwrwD2MDs69XwuuHL+fMKy9hD
UJQPDEgDskWXFjp6jPWFXoWVSNb4H1zjQpW

Which is, in fact, a base64 encoded password protected RAR file. But, what's the password? The password is the PNG image number sequence converted to lower case text. So, its: 538b327278bbab654747288999fbcda1 which isn't an MD5 and needs not to be bruteforced. Once its entered and the RAR file is decrypted we can see the file named "file" containing the following text: "Password is: 9ec4c12949a4f31474f299058ce2b22a". And that's it, the challenge is successfully completed at that point. No more stego or hidden files.

There are six accepted solutions to this challenge, but the one that simply astonished us is the following python script which solves our challenge:

#! /usr/bin/env python
URL="http://blog.reversinglabs.com/wp-content/uploads/2010/07/r.zip"

import os
import urllib2
import struct

os.chdir("/tmp")
rzip=urllib2.urlopen("http://blog.reversinglabs.com/wp-content/uploads/2010/07/r.zip").read()
r7z = rzip[rzip.find("7z"):]
open("r.7z","w").write(r7z)
os.system("7z e r.7z")
cab = open("puzzle.cab").read()
os.system("cabextract puzzle.cab")
open("r.rar","w").write(cab[0x5a:0x5a+250].decode("base64"))
png = open("ReversingLabs.png").read()
ppos = png.find("pSWD")
sz, = struct.unpack(">I", png[ppos-4:ppos])
pwd = png[ppos+4:ppos+4+sz]
os.system("unrar e -P%s r.rar" % pwd.encode("hex"))
print open("file").read()

Thanks to everyone who participated in our little competition. Winners, your T-shirts are in the mail. Until our next challenge...

NyxEngine ReversingLabs Corporation

Our challenge got beaten by our own NyxEngine! Oh, Nyx...

We had a great time during this year's REcon Conference last week.  Now it is the time to sort out our impressions. First of all, thanks to all that attended our TitanEngine training and during the course of 3 days learned how to make unpackers with our engine. We covered coding of both static and dynamic unpackers and showed how to deal with the complex protection options that reverse engineers come across on a daily basis. In addition to training attendees, we also want to thank everyone who grabbed one of our TitanEngine T-shirts to show support for the project. You want one too? Click here...

We can, without any false flattering, call REcon our favorite small conference and promise to be back next year too! But that doesn't mean that everything went smoothly, as there were some problems with the air conditioning that flooded the conference twitter feed with AC related rants. The heat was so bad that the conference opening talk dedicated a good amount of time to it. Being slightly older than the average REcon attendee, Richard Thieme, made a parallel between Woodstock and the problems we had. He argued that Woodstock wasn't that great either but that over time it became a myth due to people, rain and mud and that the same can be said about the heat in Montreal which will probably make us say on some later REcon "remember the one when the AC was broken? That one was great!" Because indeed it was, and as the AC problems went away, everyone's will to commune ignited. And the people who  attend the conference on a regular basis are probably the best thing about the conference. Don't get us wrong, the trainings were great, the talks were awesome but it was the people who impressed us the most. And it is these great people that we will meet again in two weeks at BlackHat US. Until then...