Portable Executables - caitlinmallen/TechWiki GitHub Wiki

PE File Format

  • Executable/complied code file format used by Windows
    • Why an EXE complied on one version of Windows works on another
  • Typical extensions
    • EXE, DLL
    • OCX – ActiveX Control
    • CPL – Control Panel controls
    • MUI – Multilingual user interface
    • DRV – device driver
  • Consists of headers and sections

DOS & NT Headers

  • Start of the DOS Header, first two bytes are the signature -> Always MZ
    • 4D 5A – Always a PE
  • Start of the NT Header, first two bytes are always signature -> Always PE

  • DOS Header and stub are legacy, but required
    • DOS Stub contains the messages "This program cannot be run in DOS Mode"
    • Header – Header of section
    • Stub – Code to execute when program is run
      • If no code for DOS -> This program cannot run in DOS mode
    • NT Header info
      • Flags specify the 32/64 bit, EXE/DLL, and other options
      • Some threat actors strip the compilation data
      • Characteristics -> Tell you if it is 32 bit or 64 bit, tell you if executable or DLL,
  • Optional Header
    • Mandatory actually
    • Magic -> How the OS will understand the file
      • PE32 -> Portable executable for 32 bit
    • AddressofEntryPoint – When the program wants to start executing, it should start from where the address is stated
      • In the .text section -> The code section
      • Not the first thing executed
    • ImageBase -> Called an image when loaded into memory
      • When in memory it is an image
      • Tells the OS when its loaded into memory it needs to be put in the defined location (ex. Location 1000000)
      • OS might need to negotiate the location its loaded into if something is already allocated
  • DLLs can be downloaded independently
  • Install CFF Explorer or PEInsider
  • Look at exercise in slides

Data Directories

  • -Export Directory
    • Relative virtual address and size
  • Import Directory
    • Relative virtual address
    • Libraries being used by executable are in this directory

Sections

  • Sections are defined in the section table
  • Offset, size, and flag values are typically stored
  • Both real (in file) and virtual (in memory) offsets and sizes are provided
  • Packing is a form of compression, the sample on disk is compressed but it wont show up like that in memory

Terminology

  • VA – Virtual address
    • In-memory location
  • ImageBased – Virtual address where exe/dll will be loaded in memory
  • Offset – Actual offset in file
  • RVA – Relative virtual address = VA – ImageBase
    • Distance from the ImageBase
    • If VA =46000, ImageBase = 40000 then RVA = 6000

DLL

  • Dynamically Linked Library
  • Shared code can be statically or dynamically linked to an EXE
    • Statically linked code is added to an EXE
    • Dynamically linked code is kept within DLL files
  • DLLs help promote modularization of code, code reuse, efficient memory usage, and reduced disk space
  • DLLs vs EXEs
    • DLLs export functions (and import from other DLLs)
    • EXEs import or use functions

Common Windows DLLs (Usermode)

  • (Kernel31.dll)[https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#KERNEL32.DLL]
  • (User32.dll)[https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#USER32.DLL]
  • (System32.dll)[https://www.file.net/process/system32.dll.html]
  • (hal.dll)[https://www.file.net/process/hal.dll.html]
  • (NTDLL.dll)[https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#NTDLL.DLL]

These are present on every machine

PE File Analysis

Static Analysis

  • Analysis without executing the code
  • Calculate the hashes to compare
  • Examine PE structure
    • Compile/Link timestamps
    • Compiler/Linker type
    • DLL Exports/imports and functions
    • Section names and flags
    • Resources
  • String search
  • Entropy

Raw String Search

  • Strings are objects that represent sequences of characters
    • Formats – ASCII (1 byte), Unicode (2 byte)
  • Sysinternals strings tool
    • Retrieves all ASCII and Unicode strings by default

Packed EXE Files

  • Packing is the process of encrypting, obfuscating, and/or compressing content in a PE file
    • Usually to thwart static analysis
  • This all happens in memory

What about imports?

  • Original imports are also gone
    • DLLs and functions
  • However, a packed program always imports these functions
    • LoadLibraryA – Loads the specified DLL into memory
    • GetProcAddress – Retrieves the address for specific exported function from DLL
    • GetModuleHandleA – Gets a handle to loaded DLL
  • A packed program uses its own code to dynamically link DLLs instead of using the Windows Loader

Detecting a packed EXE

  • Look for unusual section names and characteristics flags
  • Deleting section names does absolutely nothing
  • Sections without names are weird
  • Resources section having an executable can be odd
    • Exception -> Installers might have the executables in the resource sections and that's where theyre unloaded from
  • All sections being readable, writeable, and executable are weird
  • Small sections without names are strange

Entropy

  • Measurement of data randomness
  • Calculated using the Shannon theorem
  • Expressed as a number between 0-8
    • 0 = Least random
    • 8 = Most random
  • Packed/Compressed data is more random than normal data
    • Not a perfect indicator of packing
  • Entropy calculation can be performed with tools like Entropy

DiE

  • (Detect it Easy)[https://github.com/horsicq/Detect-It-Easy]
    • File type identification tool

Cryptographic Algorithms

  • Many malware use encryption to write to disk/network
  • Standard encryption/compression/hash functions, routines, and constants can be identified using static analysis
    • DES
    • AES
    • CRC32
    • Blowfish