Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 497/583 Advanced Topics in Computer Security

Published byNela Hájková Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 497/583 Advanced Topics in Computer Security"— Presentation transcript:

1 CSC 497/583 Advanced Topics in Computer Security
Class5 CSC 497/583 Advanced Topics in Computer Security Modern Malware Analysis PE Format (2): NT Header, IAT, EAT Si Chen

2 Portable Executable (PE) file
A Portable Executable (PE) file is the standard binary file format for an Executable (.exe) or DLL under Windows NT, Windows 95, and Win32. Derived from COFF (Common Object File Format) in UNIX platform, and it is not really “portable”.  Now here is the kicker. Even though this specification is spelled out by Microsoft, compilers/linkers chose to ignore some parts of it. To make things even worse, the Microsoft loader doesn't enforce a good portion of this specification and instead makes assumptions if things start getting weird. So even though the spec outlined here says a particular field is supposed to hold a certain value, the compiler/linker or even a malicious actor could put whatever they want in there and the program will likely still run...

3 Portable Executable (PE) file
PE formatted files include: .exe, .scr (executable) .dll, .ocx, .cpl, drv (library) .sys, .vxd (driver files) .obj (objective file) All PE formatted files can be executed, except obj file. .exe, .scr can be directly executed inside Shell (explorer.exe) others can be executed by other program/service PE refers to 32 bit executable file, or PE bit executable file is named as PE+ or PE32+. (Note that it is not PE64).

4 PE Example – Notepad.exe

5 Load PE file (Notepad.exe) into Memory

6 DOS Header The first 2 letters are always the letters "MZ", the initials of Mark Zbikowski, who created the first linker for DOS. To some people, the first few bytes in a file that determine the type of file are called the "magic number,"

7 DOS Header e_lfanew  E0

8 DOS stub

9 NT Header

10 NT Header

11 Non-Executable, read/write
Section Header Name Privilege .text/.code Executable, read .data Non-Executable, read/write .resource/.rsrc Non-Executable, read

12 Section Header

13 Section Header Members Meaning VirtualSize The total size of the section when loaded into memory, in bytes.  VirtualAddress The address of the first byte of the section when loaded into memory (RVA) SizeOfRaw Data The size of the section data on disk, in bytes. PointerToRawData The address of the first byte of the section on disk. Characteristics The characteristics of the image.

14 Section Header

15 Inspecting PE Header Information in Linux

16 Inspecting PE Header Information

17 Examining PE Section Table and Sections

18 IAT (Import Address Table)

19 IAT (Import Address Table)
Let’s review the concept of DLL (Dynamic Link Library) again…

20 Dynamic Linking

21 16-Bit DOS System import Library  Put binary code of stdio library into the executable file

22 Static Linking Waste space Hard to maintain Memory Program2
Program2.obj Lib.obj Program1 Program1.obj Lib.obj Program2 Program2.obj Lib.obj Program1 Program1.obj Lib.obj

23 Dynamic Linking Memory Lib.dll Program2 Lib.obj Program2.obj Program1
Dynamic linking has the following advantages: Saves memory Saves disk space. Upgrades to the DLL are easier. Provides after-market support. Supports multi language programs. Eases the creation of international versions  Memory Lib.dll Lib.obj Program2 Program2.obj Program1 Program1.obj Program2 Program2.obj Lib.dll Lib.obj Program1 Program1.obj

24 Two ways to Load DLL

25 Two ways to Load DLL An executable file links to (or loads) a DLL in one of two ways: Explicit Linking (run-time dynamic linking) the executable using the DLL must make function calls to explicitly load and unload the DLL, and to access the DLL's exported functions.  Implicit Linking (load-time dynamic linking) The operating system loads the DLL when the executable using it is loaded.

26 Two ways to Load DLL Explicit Linking (run-time dynamic linking)
Implicit Linking (load-time dynamic linking)

27 DLL Injection IAT Table Two ways to Load DLL
An executable file links to (or loads) a DLL in one of two ways: DLL Injection Explicit Linking (run-time dynamic linking) the executable using the DLL must make function calls to explicitly load and unload the DLL, and to access the DLL's exported functions.  Implicit Linking (load-time dynamic linking) The operating system loads the DLL when the executable using it is loaded. IAT Table

28 Implicit Linking and IAT (Import Address Table)
Notepad.exe Call CreateFileW()  Call 0x  Call 0x7C810CD9

29 Implicit Linking and IAT (Import Address Table)
Notepad.exe Call CreateFileW()  Call 0x  Call 0x7C810CD9 Call 0x Look up IAT Table Function Name IAT Address Real Address CreateFileW() 0x 0x7C810CD9 When the application was first compiled, it was designed so that all API calls will NOT use direct hardcoded addresses but rather work through a function pointer. This was accomplished through the use of an import address table. This is a table of function pointers filled in by the windows loader as the dlls are loaded. 

30 IAT (Import Address Table)
Why IAT?

31 IAT (Import Address Table)
Support different Windows Version (9X, 2K, XP, Vista, 7, 8, 10) Call CreateFileW() --> Call 0x Look up XP IAT Table Function Name IAT Address Real Address CreateFileW() 0x 0x7C810CD9 Windows 7 Function Name IAT Address Real Address CreateFileW() 0x 0x7C81FFFF

32 IAT (Import Address Table)
Support DLL Relocation

33 Look up IAT Table with PEview

34 Import Directory Table
The Import Directory Table contains entries for every DLL which is loaded by the executable. Each entry contains, among other, Import Lookup Table (ILT) and Import Address Table (IAT)

35 Inspecting file imports with pefile library

36

37 EAT (Export Address Table)
Similar to IAT, EAT data is stored in IMAGE_EXPORT_DIRECTORY EAT contains an RVA that points to an array of pointers to (RVAs of) the functions in the module. 

38 Inspecting file export with pefile library

39 Exploring Dynamically Linked Functions with Dependency Walker

40 Common DLLs

41 Exploring Dynamically Linked Functions with Dependency Walker

42 Packed and Obfuscated Malware
Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze. Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed. Both techniques will severely limit your attempts to statically analyze the malware.

43 Packers and Cryptos

44 Packed and Obfuscated Malware

45 DLL Injection

46 Q & A

Download ppt "CSC 497/583 Advanced Topics in Computer Security"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Linking & Loading CS-502 Operating Systems

Linking & Loading CS-502 Operating Systems
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
CS 31003: Compilers ANIRUDDHA GUPTA 11CS10004 G2 CLASS DATE : 24/07/2013.

CS 31003: Compilers ANIRUDDHA GUPTA 11CS10004 G2 CLASS DATE : 24/07/2013.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Memory Management (II)

Memory Management (II)
1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.

1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.
Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved. 0-13-148521-0 The Assembly Language Level.

Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved The Assembly Language Level.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.

OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
MIPS coding. SPIM Some links can be found such as:

MIPS coding. SPIM Some links can be found such as:
Rootkits in Windows XP  What they are and how they work.

Rootkits in Windows XP  What they are and how they work.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.

Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
File System Interface. File Concept Access Methods Directory Structure File-System Mounting File Sharing (skip)‏ File Protection.

File System Interface. File Concept Access Methods Directory Structure File-System Mounting File Sharing (skip)‏ File Protection.
File Systems (1). Readings r Reading: Disks, disk scheduling (3.7 of textbook; “How Stuff Works”) r Reading: File System Implementation (5.1- 5.3 of textbook)

File Systems (1). Readings r Reading: Disks, disk scheduling (3.7 of textbook; “How Stuff Works”) r Reading: File System Implementation ( of textbook)
CSE451 Linking and Loading Autumn 2002 Gary Kimura Lecture #21 December 9, 2002.

CSE451 Linking and Loading Autumn 2002 Gary Kimura Lecture #21 December 9, 2002.
© Janice Regan, CMPT 300, May 2007 0 CMPT 300 Introduction to Operating Systems Memory: Relocation.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.

Similar presentations

Ads by Google