Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.

Published byElmer Gilmore Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04."— Presentation transcript:

1

2 Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04

3 Introduction

4 Evolution of Computer Viruses Not Encrypted Encrypted Oligomorphic Polymorphic Metamorphic

5 PE File Format MZ Header Le PE Header Le PE File Header Le PE optional Header Le Data Directory Les Sections Headers

6 Position Independant Code Virus needs to be executable at any memory addresses. Calcul of a Delta Offset

7 Windows PE Files Infections Techniques

8 Virus Position Last Section: - New Section BEFORE : AFTER :

9 Virus Position Last Section: - New Section

10 Virus Position Last Section: - Last Section Expansion BEFORE: AFTER:

11 Virus Position Last Section: - Last Section Expansion

12 Virus Position Header Infection

13 Virus Position Cavity BEFORE:AFTER:

14 Entry Point Position In the Last Section

15 Entry Point Position In the First Section

16 Entry Point Position Before the First Section

17 e_lfanew Infection e_lfanew is a pointer to the PE Header Offset. You can find it at MZ+3Ch in the MZ HEADER. Infection by modification of e_lfanew is really straightforward. The virus is copied to the end of the file, but it doesn't need to have independant position code.

18 e_lfanew Infection Program is modified so its e_lfanew points to the Virus' PE header. Windows will therefore load the virus rather than the infected file. The virus will then make a temporary copy of the infected program and patch back the original pointer to PE header. The virus will finally run the temp file using CreateProcessA for example and will delete the temp file when this one ends.

19 Heuristic Detections on Windows PE Files

20 PE Structure Analysis Heuristic Detections are mainly based on the PE File Structure Analysis of Windows Executables. Entry Point Sections Characteristiques Sections names (with specific Characteristics) Values not Updated in the PE HEADER. Position of the PE HEADER in the file etc

21 PE Structure Analysis Entry Point in the Last Section Entry Point before the First Section

22 PE Structure Analysis Sections Characteristics : -Last Section « Executable » -First Section « Writeable » Section names AND their Characteristics

23 PE Structure Analysis « SizeOfImage » incorrect in the PE Header PE Header near the end of the File « Size of Code » incorrect

24 Code Analysis Non Standard Instruction at the Entry Point Calcul of a Delta Offset Suspicious Code Redirection: -JUMP FAR -PUSH RET etc..

25 Code Analysis Code Looking for PE Files Usage of PEB to gain system dlls Image Base Hardcoded value of systems important datas (PEB...)

26 Code Analysis Suspicious Strings Inside Code Sections. - "*.exe" - Name of Win Functions: FindFirstFileA, MapViewOfFile etc.. - Registry Keys : Run / RunOnce etc.

27 Emulation JMP FAR PUSH / RET + Various ways to redirect code flow Decryptors Emulation ( Identification of loops)

28 Anti Heuristic Techniques

29 PE Structure Non Modification of Sections Characteristics More than one section added (fake reloc / imports) Part of code section overwriting to avoid suspicion. Packing of code section to place the virus is freed place EPO: Entry Point Obscuring

30 Structure PE FF15/FF25 (call IAT slots) Patches Stack Frame Patches Updated Checksums Existing Sections are renamed (when possible) « Size of Code » Fixed

31 Anti Emulation SEH - Structured Exception Handling. Co-Processor Instructions MMX / SSE Technology Undocumented Instructions Anti Virtual Machine Code Decryption Layers with Brute Forcing of Keys Threads

32 Anti Heuristic Code Delta Offset is calculated differently Usage of Obfuscation to hide suspect actions. (PE files checking etc) No more strings in the virus loader: CRC / HASH

33 Presentation of a Basic Heuristic Engine

34 Presentation of a Basic Engine Standard Binaries : notepad, regedit, calc, MS Pain, WordPad etc…

35 Presentation of a Basic Engine

36

37

38 Analysis of infected Binaries : Polymorphic, Crypted, Standard, EPO etc

39 Presentation of a Basic Engine

40

41

42

43

44

45

46

47 Notes: Although, this is a basic engine, it detected heuristically every viruses generated with a very recent Win32 Virus Generator. (VCL32).

48 Presentation of a Basic Engine Analyse of Packed Files : PE protect, PEShield etc…

49 Presentation of a Basic Engine

50

51

52 Live Disassembly Demo

53 Live Demo New Worm infected by a new Virus and PE packed. Live Disassembly of a real virus. This virus is very recent, and is not detected by most Anti Virus vendors as im writing those slides.

54 Conclusion

55 Any Questions ? Nicolas BRULEZ / Digital River PACSEC '04

Download ppt "Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04."

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?

Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
Node-level Representation and System Support for Network Programming Jaein Jeong.

Node-level Representation and System Support for Network Programming Jaein Jeong.
Chapter 3.2 : Virtual Memory

Chapter 3.2 : Virtual Memory
Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.

Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.
Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.

Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.
Metamorphic Viruses Pat Walpole. Introduction What are metamorphic viruses Why they are dangerous Defenses against them.

Metamorphic Viruses Pat Walpole. Introduction What are metamorphic viruses Why they are dangerous Defenses against them.
Structure of DOS application programs. Contents: 1. PSP 2..COM and.EXE 3. TSR: Terminate and Stay Resident Programs.

Structure of DOS application programs. Contents: 1. PSP 2..COM and.EXE 3. TSR: Terminate and Stay Resident Programs.
Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.

Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.

Similar presentations

Ads by Google