binary art - byte-ing the pe that fails you (live version)
DESCRIPTION
This is the live version of an overview of the Portable Executable format and its malformations, presented at Hashdays in Lucerne on the 3rd November 2012.
direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip
TRANSCRIPT
![Page 1: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/1.jpg)
Binary art: Byte-ing the PE that fails you
3rd November 2012, Lucerne, Switzerland
Ange Albertini
http://corkami.com
![Page 2: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/2.jpg)
agenda
● what's a PE?
● the problem, and my approach
● overview of the PE format
● classic tricks
● new tricks
© ID software
![Page 3: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/3.jpg)
Portable Executable
based on Common Object File Format
![Page 4: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/4.jpg)
![Page 5: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/5.jpg)
![Page 6: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/6.jpg)
PE: universal Windows binary since 1993
![Page 7: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/7.jpg)
pe101.corkami.com
![Page 8: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/8.jpg)
the problem...
![Page 9: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/9.jpg)
aka “the gentle guide to standard PEs”
![Page 10: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/10.jpg)
CVE-2012-2273
version_mini
ibkernel
![Page 11: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/11.jpg)
normal
![Page 12: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/12.jpg)
![Page 13: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/13.jpg)
![Page 14: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/14.jpg)
![Page 15: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/15.jpg)
...and my approach
![Page 16: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/16.jpg)
![Page 17: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/17.jpg)
block by block
![Page 18: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/18.jpg)
a complete executable
![Page 19: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/19.jpg)
pe.corkami.com
![Page 20: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/20.jpg)
![Page 21: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/21.jpg)
![Page 22: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/22.jpg)
![Page 23: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/23.jpg)
![Page 24: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/24.jpg)
![Page 25: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/25.jpg)
![Page 26: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/26.jpg)
![Page 27: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/27.jpg)
![Page 28: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/28.jpg)
PE (Imports): ... call [API] ...
DLL (Exports): API: ... ret
![Page 29: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/29.jpg)
![Page 30: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/30.jpg)
![Page 31: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/31.jpg)
![Page 32: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/32.jpg)
![Page 33: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/33.jpg)
![Page 34: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/34.jpg)
![Page 35: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/35.jpg)
65535sects
maxsecXP
![Page 36: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/36.jpg)
![Page 37: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/37.jpg)
nosection*
1 ≤ FileAlignment == SectionAlignment ≤ 800
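As an added example (not code from the talk or from corkami), a small PE32 header check for the nosection case: it reads NumberOfSections, FileAlignment and SectionAlignment from a constructed header and applies the slide's alignment rule, assuming the slide's 800 is hexadecimal 0x800 (PE alignments are conventionally written in hex).

```python
import struct

# Constructed minimal PE32 header (DOS header + PE signature + COFF header +
# optional header); it is a test buffer, not a loadable binary.
def build_header(file_align, section_align, num_sections):
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<II", opt, 32, section_align, file_align)  # offsets 32 / 36
    return dos + coff + bytes(opt)

def parse_alignment(data):
    """Return (NumberOfSections, FileAlignment, SectionAlignment) of a PE32 buffer."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    return num_sections, file_align, section_align

def is_low_alignment(file_align, section_align):
    # The slide's rule: 1 <= FileAlignment == SectionAlignment <= 0x800
    return file_align == section_align and 1 <= section_align <= 0x800

def triage(data):
    """Classify a header: a sectionless PE is only consistent with the slide's rule
    when it is in low-alignment mode; anything else sectionless is malformed."""
    n, fa, sa = parse_alignment(data)
    low = is_low_alignment(fa, sa)
    if n == 0:
        return "nosection (alignment rule satisfied)" if low else "nosection (rule violated)"
    return "low-alignment" if low else "normal"
```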
![Page 38: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/38.jpg)
tiny*
![Page 39: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/39.jpg)
![Page 40: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/40.jpg)
foldedhdr
![Page 41: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/41.jpg)
ctxt*
![Page 42: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/42.jpg)
★ New ★ tricks
![Page 43: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/43.jpg)
mininormal64
![Page 44: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/44.jpg)
dllnomain*
![Page 45: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/45.jpg)
imports_virtdesc
```asm
dd OriginalFirstThunk
dd TimeDateStamp
dd ForwarderChain
----------------------------
dd Name
dd FirstThunk
```
![Page 46: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/46.jpg)
corkamix
![Page 47: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/47.jpg)
seh_change64
![Page 48: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/48.jpg)
ibreloc
fakerelocs
![Page 49: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/49.jpg)
![Page 50: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/50.jpg)
reloccrypt
![Page 51: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/51.jpg)
reloccrypt
![Page 52: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/52.jpg)
reloccrypt
![Page 53: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/53.jpg)
maxvals
![Page 54: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/54.jpg)
hdrcode
![Page 55: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/55.jpg)
traceless
![Page 56: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/56.jpg)
tinynet
(layout diagram of the tinynet PE: PE header, imports, .NET, relocs, CLR)
![Page 57: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/57.jpg)
quine
![Page 58: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/58.jpg)
corkamix
![Page 59: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/59.jpg)
Conclusion
![Page 60: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/60.jpg)
Conclusion
● the Windows executable format is complex
● mostly covered, but many little traps
● new discoveries every day :(
http://pe101.corkami.com
http://pe.corkami.com
![Page 61: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/61.jpg)
Questions?
Thanks to
Fabian Sauter, Peter Ferrie, وليد عصر, Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert, Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, Lord Noteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel Plohmann, Gorka Ramírez, 최진영, Adam Błaszczyk, 板橋一正, Gil Dabah, Juriaan Bremer, Bruce Dang, Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex Ionescu, Alexander Sotirov, Cathal Mullaney
![Page 62: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/62.jpg)
Thank YOU!
@ange4771
Ange Albertini @gmail.com
http://corkami.com
![Page 63: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/63.jpg)
exe2pe, dosZMXP
![Page 64: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/64.jpg)
aa86drop.com
![Page 65: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/65.jpg)
![Page 66: Binary art - Byte-ing the PE that fails you (live version)](https://reader033.vdocument.in/reader033/viewer/2022051110/54b701984a795930278b4742/html5/thumbnails/66.jpg)