PErfidious: Make PE backdooring great again!

Presented at BSidesDC 2019, Oct. 26, 2019, 3:30 p.m. (50 minutes).

Until now, the techniques used for backdooring and code injection in PE files have been restricted mainly to the following: - Finding code-caves, injecting the malicious code in those code-caves, changing the entry-point of the program to point to these code caves. - Adding a new section to the PE file, adding malicious code to the section, making the section executable. These approaches impose restrictions on the size of code that can be injected and they’re extremely prone to identification by endpoint detection systems. The endpoint detection systems can: - verify whether the sizes of various sections mentioned in the section table match with their actual sizes in the PE file. - check for unusual section names in the PE file to identify sections that have been appended to the end of the PE file. - check the section table for permissions granted to various sections of the PE file to identify sections other than .text or other standard section that have been granted suspicious permissions. This is where PErfidious comes into play. PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode, transform the malicious shellcode and inject the transformed shellcode into various parts of the executable’s .text section, thus completely avoiding the need to look for code-caves or creating additional sections. After injection, PErfidious recalculates the size of the .text section and all the virtual address changes caused by the increase in the size of the .text section and modifies respective fields in the PE header, thus making sure that the PE file doesn’t look injected.

Presenters:

  • Shreyans Doshi - Malware Research Intern at Cybrary Inc.
    My name is Shreyans Devendra Doshi. I am a Cybersecurity Graduate Student at the University of Maryland, College Park. I have previously worked as a Malware Research Intern at Cybrary Inc., where I created PErfidious and researched on other techniques that can be used to bypass modern endpoint detection systems. I have also worked as a teaching assistant for a graduate course on Big Data Analytics and as a research intern with the Department of Science and Technology, Government of India. My main areas of interests are reverse-engineering, malware analysis, exploit development and intersection between software security and machine learning. I am also an avid anime and movie fan.

Links:

Similar Presentations: