Windows PE Files Infections and Heuristic Detection. Nicolas BRULEZ / Digital River, PACSEC '04.

Introduction

Evolution of Computer Viruses:
- Not Encrypted
- Encrypted
- Oligomorphic
- Polymorphic
- Metamorphic

PE File Format:
- MZ Header
- PE Header: PE File Header, PE Optional Header, Data Directory
- Section Headers

Position Independent Code. The virus needs to be executable at any memory address, since it lands at a different address in every host it infects. Calculation of a Delta Offset.

Windows PE File Infection Techniques

Virus Position:
- Last Section: New Section (BEFORE / AFTER diagrams)
- Last Section: Last Section Expansion (BEFORE / AFTER diagrams)
- Header Infection
- Cavity (BEFORE / AFTER diagrams)

Entry Point Position:
- In the Last Section
- In the First Section
- Before the First Section

e_lfanew Infection. e_lfanew is the file offset of the PE header; it is stored at MZ+3Ch in the MZ (DOS) header. Infection by modification of e_lfanew is straightforward: the virus is copied to the end of the file, and it does not need position-independent code, because Windows loads it as a PE image of its own at its own image base.

e_lfanew Infection. The program is modified so that its e_lfanew points to the virus' PE header. Windows therefore loads the virus rather than the infected program. The virus then makes a temporary copy of the infected program, patches the original e_lfanew back into that copy, runs the temporary file (with CreateProcessA, for example) and deletes it once it has finished.

Heuristic Detections on Windows PE Files

PE Structure Analysis. Heuristic detections are mainly based on analysis of the PE file structure of Windows executables:
- Entry Point
- Section Characteristics
- Section names (with specific Characteristics)
- Values not updated in the PE header
- Position of the PE header in the file
- etc.

PE Structure Analysis:
- Entry Point in the Last Section
- Entry Point before the First Section
- Section Characteristics: Last Section "Executable", First Section "Writeable"
- Section names AND their Characteristics
- "SizeOfImage" incorrect in the PE Header
- PE Header near the end of the File
- "SizeOfCode" incorrect
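The Python example below ties together the PE layout, the infection positions and the structural heuristics described above. It is an added example, not the engine from the talk or any vendor's code. With `struct` it builds constructed toy PE32 files (a clean one; one with the shape a "new last section" infection leaves behind, with the entry point moved into the added section and SizeOfCode left stale; and one whose e_lfanew has been repointed at a header appended at the end of the file), parses them back, and runs the structural checks listed on the slides over each. Section names, the "PE header in the second half of the file" threshold and all sample bytes are choices made for this example; the files parse correctly but are not loadable programs.

```python
"""Toy PE32 builder, parser and the structural heuristics from the slides. The sample
files built below are constructed: they parse correctly but are not loadable programs."""
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
DATA_NAMES = {b".data", b".rdata", b".rsrc", b".reloc", b".idata"}  # never expected to be executable

def align(n, a):
    return (n + a - 1) // a * a

def build_pe(sections, entry_rva, size_of_code=None, size_of_image=None):
    """sections = [(name, body, characteristics)]. The overrides let a sample carry a
    stale SizeOfCode / SizeOfImage, the way a careless infector leaves them."""
    e_lfanew = 0x40
    hdr_size = align(e_lfanew + 24 + 0xE0 + 40 * len(sections), FILE_ALIGN)
    table, raw, va, ptr, code_size = b"", b"", SECT_ALIGN, hdr_size, 0
    for name, body, chars in sections:
        rawsz = align(len(body), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(body), va, rawsz, ptr, 0, 0, 0, 0, chars)
        raw += body.ljust(rawsz, b"\0")
        code_size += rawsz if chars & IMAGE_SCN_CNT_CODE else 0
        va, ptr = align(va + len(body), SECT_ALIGN), ptr + rawsz
    size_of_code = code_size if size_of_code is None else size_of_code
    size_of_image = va if size_of_image is None else size_of_image
    mz = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)          # e_lfanew lives at MZ+3Ch
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)  # i386, 0xE0-byte optional header
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIII", 0x10B, 0, 0, size_of_code, 0, 0, entry_rva,
                      SECT_ALIGN, 0, 0x400000, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
                      0, size_of_image, hdr_size, 0)                    # PE32 Magic .. CheckSum
    opt += struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (mz + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + raw

def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    pe = {"e_lfanew": e_lfanew, "sections": [],
          "size_of_code": struct.unpack_from("<I", data, opt + 4)[0],
          "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
          "sect_align": struct.unpack_from("<I", data, opt + 32)[0],
          "size_of_image": struct.unpack_from("<I", data, opt + 56)[0]}
    for i in range(nsect):
        name, vsize, va, rawsz, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                               "rawsize": rawsz, "chars": chars})
    return pe

def structural_heuristics(data):
    """Return the structural anomalies the slides list, as human-readable strings."""
    pe, hits = parse_pe(data), []
    secs, ep = pe["sections"], pe["entry_point"]
    idx = next((i for i, s in enumerate(secs)
                if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if idx is None:
        hits.append("entry point outside every section (before the first section)")
    elif idx == len(secs) - 1 and len(secs) > 1:
        hits.append("entry point in the last section")
    if len(secs) > 1 and secs[-1]["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append("last section is executable")
    if secs and secs[0]["chars"] & IMAGE_SCN_MEM_WRITE:
        hits.append("first section is writable")
    hits += [f"data-named section {s['name'].decode()} is executable"
             for s in secs if s["name"] in DATA_NAMES and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if secs and pe["size_of_image"] != align(secs[-1]["va"] + secs[-1]["vsize"], pe["sect_align"]):
        hits.append("SizeOfImage does not match the section table")
    if pe["size_of_code"] != sum(s["rawsize"] for s in secs if s["chars"] & IMAGE_SCN_CNT_CODE):
        hits.append("SizeOfCode does not match the code sections")
    if pe["e_lfanew"] > len(data) // 2:  # threshold chosen here; linkers keep it near 0x40-0x200
        hits.append("PE header in the second half of the file")
    return hits

def move_pe_header_to_end(data):
    """Layout left by an e_lfanew infection: a PE header appended at the end and e_lfanew
    repointed at it. Here the appended header is a copy of the host's own, not a virus."""
    old = struct.unpack_from("<I", data, 0x3C)[0]
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, old + 4)
    out = bytearray(data + data[old:old + 24 + opt_size + 40 * nsect])
    struct.pack_into("<I", out, 0x3C, len(data))
    return bytes(out)

# Constructed samples; section bodies are placeholder bytes, not real programs.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
TEXT = b"\x55\x8b\xec" + b"\x90" * 13 + b"\xc3"  # push ebp / mov ebp,esp / nops / ret
CLEAN = build_pe([(b".text", TEXT, CODE), (b".data", b"hello\0", RW)], entry_rva=0x1000)
# "New last section" shape: body in a third section, entry point moved there, SizeOfCode stale.
APPENDED = build_pe([(b".text", TEXT, CODE), (b".data", b"hello\0", RW),
                     (b".vir", b"\xe8\0\0\0\0\x5d" + b"\x90" * 10, CODE | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x3000, size_of_code=0x200)
```

Running `structural_heuristics` over `CLEAN` yields nothing, over `APPENDED` it reports the entry point in the last section, an executable last section and a stale SizeOfCode, and over `move_pe_header_to_end(CLEAN)` only the misplaced PE header. Each check is cheap and each alone is weak (a legitimate single-section file has an executable last section); a real engine scores several of them together, which is exactly why the anti-heuristic slides later list them one by one.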

Code Analysis:
- Non-standard instruction at the Entry Point
- Calculation of a Delta Offset
- Suspicious code redirection: JUMP FAR, PUSH / RET, etc.
- Code looking for PE files
- Use of the PEB to obtain the image base of system DLLs
- Hardcoded values of important system data (PEB address, ...)
- Suspicious strings inside code sections: "*.exe", names of Win32 functions (FindFirstFileA, MapViewOfFile, etc.), registry keys (Run / RunOnce, etc.)

Emulation:
- JMP FAR, PUSH / RET and various other ways to redirect code flow
- Decryptor emulation (identification of loops)
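An added Python example (not from the talk) of the code-analysis side: static byte-pattern checks on the bytes at the entry point for a non-standard first instruction, the `call $+5 / pop reg` delta-offset idiom, PUSH imm32 / RET and JMP FAR redirections, a short backward loop whose body XORs memory (a decryptor candidate, found here statically rather than by the emulation the slides use), and suspicious strings in a code section. The prologue whitelist, the string list and the hand-assembled samples are constructed for this example; it matches byte patterns without decoding instruction boundaries, so it approximates what a disassembler or emulator would establish exactly.

```python
"""Static code-analysis heuristics for the bytes at a PE entry point. Byte-pattern
matching, not disassembly: instruction boundaries are approximated, so expect some noise."""
import re

# Illustrative prologue whitelist (chosen here): "push ebp / mov ebp,esp" and the
# "call ... / jmp ..." start emitted by some compiler runtimes.
KNOWN_PROLOGUES = [re.compile(rb"^\x55\x8b\xec"), re.compile(rb"^\xe8....\xe9", re.S)]
SUSPICIOUS_STRINGS = [b"*.exe", b"FindFirstFileA", b"FindNextFileA", b"MapViewOfFile",
                      b"CreateFileMappingA", b"\\CurrentVersion\\Run"]

def delta_offset_idiom(code):
    """'call $+5 ; pop reg' (E8 00000000 followed by 58..5F): the classic way a virus learns
    where it was loaded. Returns the offset of the call, or None."""
    i = code.find(b"\xe8\x00\x00\x00\x00")
    while i != -1:
        if i + 5 < len(code) and 0x58 <= code[i + 5] <= 0x5F:
            return i
        i = code.find(b"\xe8\x00\x00\x00\x00", i + 1)
    return None

def redirections(code):
    """PUSH imm32 / RET (68 xx xx xx xx C3) and JMP FAR ptr16:32 (EA + 6 bytes)."""
    found = [("push/ret", m.start()) for m in re.finditer(rb"\x68....\xc3", code, re.S)]
    found += [("jmp far", m.start()) for m in re.finditer(rb"\xea......", code, re.S)]
    return found

def _has_mem_xor(body):
    """XOR with a memory operand: 30-33 /r, or 80/81/83 with modrm reg field 6, mod != 11."""
    for j in range(len(body) - 1):
        op, modrm = body[j], body[j + 1]
        if 0x30 <= op <= 0x33 and modrm >> 6 != 3:
            return True
        if op in (0x80, 0x81, 0x83) and (modrm >> 3) & 7 == 6 and modrm >> 6 != 3:
            return True
    return False

def xor_loops(code, max_body=64):
    """Short backward jumps (Jcc rel8 70-7F, LOOP E2, JMP rel8 EB) whose body XORs memory.
    Returns (body_start, loop_end) offsets; a decryptor candidate for emulation."""
    loops = []
    for i in range(len(code) - 1):
        op, rel = code[i], code[i + 1]
        if (0x70 <= op <= 0x7F or op in (0xE2, 0xEB)) and rel >= 0x80:
            start = i + 2 + rel - 256                 # signed rel8, relative to the next IP
            body = code[max(start, 0):i]
            if 0 < len(body) <= max_body and _has_mem_xor(body):
                loops.append((start, i + 2))
    return loops

def suspicious_strings(section):
    return [s.decode() for s in SUSPICIOUS_STRINGS if s in section]

def code_heuristics(ep_code, code_section=b""):
    hits = []
    if not any(p.match(ep_code) for p in KNOWN_PROLOGUES):
        hits.append("non-standard instruction at the entry point")
    if delta_offset_idiom(ep_code) is not None:
        hits.append("delta offset calculation (call $+5 / pop)")
    hits += [f"{kind} at +{off:#x}" for kind, off in redirections(ep_code)]
    hits += [f"decryptor-like loop at +{a:#x}..+{b:#x}" for a, b in xor_loops(ep_code)]
    hits += [f"suspicious string {s!r} in code section" for s in suspicious_strings(code_section)]
    return hits

# Constructed samples (hand-assembled x86), not taken from any real virus.
DECRYPTOR = bytes.fromhex(
    "E800000000"      # call $+5
    "5D"              # pop ebp                 ; ebp = runtime address of this instruction
    "81ED05104000"    # sub ebp, 401005h        ; delta offset = runtime - assembled address
    "8DB500104000"    # lea esi, [ebp+401000h]  ; start of the encrypted body
    "B910000000"      # mov ecx, 10h
    "8036AA"          # xor byte ptr [esi], 0AAh
    "46"              # inc esi
    "E2FA"            # loop back to the xor
) + bytes(b ^ 0xAA for b in b"\x90" * 16)    # the "encrypted" body (16 NOPs xored with AAh)
VC_PROLOGUE = bytes.fromhex("558BEC6AFF6800104000")  # push ebp / mov ebp,esp / push -1 / push imm32
EPO_STUB = bytes.fromhex("6800304000C3")            # push 403000h / ret
```

`code_heuristics(DECRYPTOR)` flags the non-standard entry, the delta-offset idiom and the XOR loop; `VC_PROLOGUE` passes clean and `EPO_STUB` is caught by the PUSH/RET check. The loop finder only says where a decryptor probably sits; what the slides call emulation is the next step, executing that loop in a sandboxed CPU model until the body is decrypted and can be scanned.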

Anti Heuristic Techniques

PE Structure:
- No modification of section characteristics
- More than one section added (fake .reloc / import sections)
- Overwriting part of the code section to avoid suspicion
- Packing the code section and placing the virus in the freed space
- EPO: Entry Point Obscuring
- FF15 / FF25 patches (call / jmp through IAT slots)
- Stack frame patches
- Updated checksums
- Existing sections are renamed (when possible)
- "SizeOfCode" fixed up

Anti-Emulation:
- SEH (Structured Exception Handling)
- Co-processor (FPU) instructions
- MMX / SSE instructions
- Undocumented instructions
- Anti virtual machine code
- Decryption layers with brute forcing of keys
- Threads

Anti-Heuristic Code:
- Delta offset calculated differently
- Obfuscation to hide suspicious actions (PE file checks, etc.)
- No more strings in the virus loader: CRC / hash of the names instead

Presentation of a Basic Heuristic Engine
- Standard binaries: notepad, regedit, calc, MS Paint, WordPad, etc. (screenshots)
- Analysis of infected binaries: polymorphic, encrypted, standard, EPO, etc. (screenshots)
- Notes: although this is a basic engine, it heuristically detected every virus generated with a very recent Win32 virus generator (VCL32).
- Analysis of packed files: PE protect, PEShield, etc. (screenshots)

Live Disassembly Demo

Live Demo: a new worm infected by a new virus and PE packed. Live disassembly of a real virus. This virus is very recent, and is not detected by most anti-virus vendors as I'm writing these slides.

Conclusion

Any Questions? Nicolas BRULEZ / Digital River, PACSEC '04