Lost in the Loader: The Many Faces of the Windows PE File Format

Presented at Black Hat Europe 2021, Nov. 11, 2021, 2:30 p.m. (30 minutes).

This Briefing presents our research on parser differentials for the PE format. We defined a custom language to write "formal models" of various PE loaders, for different versions of Windows and reverse-engineering tools. We then built a framework that, using these models, can perform a number of analyses that aid reverse-engineering tasks.

First, given a PE executable, it can determine whether a PE loader would consider it valid. This feature provides a filtering stage for dynamic malware analysis, as it can identify broken samples before running them in sandboxes. Our framework is also able to automatically generate SMT models of the various PE loaders, and it can automatically perform several powerful tasks: given a PE loader, generate a valid executable that can be loaded by it; or, it can perform "differential analysis" and automatically generate PE files that are valid for one PE loader but not for another one. This makes our framework powerful enough to perform complex tasks like "creating valid executables that reverse-engineering tools/AVs cannot correctly parse/consider invalid", thus bypassing them. Our framework can also *systematically* explore differences among various PE loaders, and it can perform "differences enumeration" and "corner-cases generation".

We wrote models for the loaders of Windows XP, 7, and 10, radare2, ClamAV, and yara (which we'll publicly release, alongside the framework). Surprisingly, we discovered that they all handle the PE format differently. We also performed a live hunt on VirusTotal, and we identified malware samples that actively employ these discrepancies, likely to bypass AV products.

Finally, we conclude by pointing out that there is no one "correct way to parse an executable," and that analysis tools should start allowing users to select "which loader to simulate" when loading a binary.
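As an added illustration (not the talk's framework or its released models), the following Python shows what a validity check against a declarative loader model and a differential between two such models look like. The two models, their rules, the 96-section bound and the sample PE headers are all constructed for this example and do not describe any real loader's behaviour.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE_SIGNATURE = b"PE\0\0"

def build_pe(e_lfanew=0x80, num_sections=1, mz=b"MZ"):
    """Constructed minimal PE image: DOS header, padding, PE signature,
    COFF file header and a zeroed PE32 optional header (no sections, no data)."""
    dos = mz + b"\0" * 58 + struct.pack("<I", e_lfanew)        # e_lfanew sits at offset 0x3C
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, num_sections, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)        # PE32 magic, rest zeroed
    return dos + b"\0" * (e_lfanew - len(dos)) + PE_SIGNATURE + coff + opt

def parse_headers(pe):
    """Extract the header fields the models reason about; None if they are unreadable."""
    if len(pe) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe):                                # need signature + COFF header
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    return {"mz": pe[:2], "e_lfanew": e_lfanew, "sig": pe[e_lfanew:e_lfanew + 4],
            "machine": machine, "num_sections": nsec, "opt_size": opt_size}

# Hypothetical loader models (constructed here, not the talk's models): a list of
# (rule name, predicate) pairs; a file is valid for a model iff every rule holds.
MODELS = {
    "loader_strict": [
        ("MZ magic", lambda h: h["mz"] == b"MZ"),
        ("PE signature", lambda h: h["sig"] == PE_SIGNATURE),
        ("e_lfanew aligned", lambda h: h["e_lfanew"] % 4 == 0),
        ("1..96 sections", lambda h: 1 <= h["num_sections"] <= 96),
    ],
    "loader_lenient": [
        ("PE signature", lambda h: h["sig"] == PE_SIGNATURE),
        ("has sections", lambda h: h["num_sections"] >= 1),
    ],
}

def validate(model_name, pe):
    """Return the rules of `model_name` that `pe` violates (an empty list means valid)."""
    h = parse_headers(pe)
    if h is None:
        return ["unreadable headers"]
    return [rule for rule, ok in MODELS[model_name] if not ok(h)]

def differential(pe):
    """Map each model to its verdict; a mixed result is a parser differential."""
    return {name: not validate(name, pe) for name in MODELS}

if __name__ == "__main__":
    for label, sample in {"clean": build_pe(), "no MZ": build_pe(mz=b"ZM"),
                          "200 sections": build_pe(num_sections=200)}.items():
        print(f"{label:>12}: {differential(sample)}")
```

A file for which the two verdicts disagree is exactly the kind of sample the abstract's "differential analysis" produces, here found by checking rather than by solving for it.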

Presenters:

  • Dario Nisi - PhD Student, EURECOM
    Dario Nisi is a PhD student in the Software and System Security group at EURECOM, France. His research focuses on discovering design flaws in anti-malware techniques and solutions that malware can exploit for evading detection. Besides this, he is also interested in mobile and embedded security.
  • Mariano Graziano / emdel - Technical Leader, Cisco Talos
    Mariano Graziano (@emd3l) is a technical leader for Cisco Talos. His interests are in the area of binary and malware analysis. Specifically, he focuses on automated analysis of malicious code, large-scale analysis of emerging threats, and memory forensics/analysis.
  • Yanick Fratantonio - Senior Security Researcher, Cisco Talos
    Yanick Fratantonio is a Senior Security Researcher at Cisco Talos. His research focus is systems security, and his work has covered a wide range of aspects, including mobile security, reverse engineering, malware analysis, vulnerability detection, and web security. Yanick's research has highlighted systemic flaws in many aspects of mobile devices and developed program analysis techniques to analyze Android, Windows, and Linux malware. Prior to his current position, Yanick was an Assistant Professor at EURECOM, and he earned a PhD from UC Santa Barbara. He has published 30+ peer-reviewed academic papers, and he has been a speaker at top industry and academic conferences, such as Black Hat USA and IEEE S&P. Yanick has recently released his mobile security course to the public; its material, recordings, and homework are available at https://mobisec.reyammer.io. He is also involved in the CTF community, and he is a member of OOO, the current DEF CON CTF organizers. He is @reyammer on social media.
  • Davide Balzarotti - Professor, EURECOM
    Davide Balzarotti is a Professor and head of the Digital Security department at Eurecom. He received his PhD from Politecnico di Milano in 2006 and his research interests include most aspects of system security and in particular the areas of binary and malware analysis, reverse engineering, embedded security, computer forensics, and web security. Davide authored more than 80 publications in leading conferences and journals. He has been the Program Chair of ACSAC 2017, RAID 2012, and Eurosec 2014 and he is a member of the editorial board of the IEEE Security & Privacy Magazine. In 2017, Davide received an ERC Consolidator Grant for his research in the analysis of compromised systems. Davide is also a member of the "Order of the Overflow" team that organizes the DEF CON CTF competition.