Binary art - Byte-ing the PE that fails you (live version)

Binary art: Byte-ing the PE that fails you. 3rd November 2012, Lucerne, Switzerland. Ange Albertini, http://corkami.com

description

This is the live version of an overview of the Portable Executable format and its malformations, presented at Hashdays in Lucerne on the 3rd November 2012. Direct download link: http://corkami.googlecode.com/files/ange_albertini_hashdays_2012.zip

Transcript of Binary art - Byte-ing the PE that fails you (live version)

Page 1: Binary art - Byte-ing the PE that fails you (live version)

Binary art
Byte-ing the PE that fails you

3rd November 2012
Lucerne, Switzerland

Ange Albertini
http://corkami.com

Page 2

agenda

what's a PE?
the problem, and my approach

overview of the PE format
classic tricks
new tricks

© ID software

Page 3

Portable Executable

based on Common Object File Format

Pages 4-5
Page 6

PE: universal Windows binary since 1993

Page 7

pe101.corkami.com

Page 8

the problem...

Page 9

aka “the gentle guide to standard PEs”

Page 10

CVE-2012-2273

version_mini

ibkernel

Page 11

normal

Pages 12-14
Page 15

...and my approach

Page 16
Page 17

block by block

Page 18

a complete executable

Page 19

pe.corkami.com

Pages 20-27
Page 28

PE (Imports): ... call [API] ...

DLL (Exports): API: ... ret

Pages 29-34
Page 35

65535sects

maxsecXP

Page 36
Page 37

nosection*

1 ≤ FileAlignment == SectionAlignment ≤ 800

Page 38

tiny*

Page 39
Page 40

foldedhdr

Page 41

ctxt*

Page 42

★ New ★ tricks

Page 43

mininormal64

Page 44

dllnomain*

Page 45

imports_virtdesc

dd OriginalFirstThunk
dd TimeDateStamp
dd ForwarderChain
----------------------------
dd Name
dd FirstThunk

Page 46

corkamix

Page 47

seh_change64

Page 48

ibreloc

fakerelocs

Page 49
Page 50

reloccrypt

Page 51

reloccrypt

Page 52

reloccrypt

Page 53

maxvals

Page 54

hdrcode

Page 55

traceless

Page 56

tinynet

PE
...imports
.NET
...relocs
...CLR

Page 57

quine

Page 58

corkamix

Page 59

Conclusion

Page 60

Conclusion
● the Windows executable format is complex
● mostly covered, but many little traps
● new discoveries every day :(

http://pe101.corkami.com
http://pe.corkami.com

Page 61

Questions?

Thanks to

Fabian Sauter, Peter Ferrie, وليد عصر, Bernhard Treutwein, Costin Ionescu, Deroko, Ivanlef0u, Kris Kaspersky, Moritz Kroll, Thomas Siebert, Tomislav Peričin, Kris McConkey, Lyr1k, Gunther, Sergey Bratus, frank2, Ero Carrera, Jindřich Kubec, Lord Noteworthy, Mohab Ali, Ashutosh Mehra, Gynvael Coldwind, Nicolas Ruff, Aurélien Lebrun, Daniel Plohmann, Gorka Ramírez, 최진영, Adam Błaszczyk, 板橋一正, Gil Dabah, Juriaan Bremer, Bruce Dang, Mateusz Jurczyk, Markus Hinderhofer, Sebastian Biallas, Igor Skochinsky, Ильфак Гильфанов, Alex Ionescu, Alexander Sotirov, Cathal Mullaney

Page 62

Thank YOU!

@ange4771
Ange Albertini @gmail.com

http://corkami.com

Page 63

exe2pe, dosZMXP

Page 64

aa86drop.com

Pages 65-66