PErfidious: Make PE backdooring great again!

Presented at ShellCon 2019, Oct. 11, 2019, 3 p.m. (50 minutes)

PErfidious is a Python3 tool that takes a benign PE executable and malicious shellcode, transforms the shellcode, and injects the transformed shellcode directly into various parts of the executable's .text section, avoiding the need to look for code caves or to create additional sections. After injection, PErfidious recalculates the size of the .text section and the virtual addresses shifted by that growth, and updates the corresponding fields in the PE header so that the file does not look injected.


Presenters:

  • Shreyans Doshi
    Shreyans is a Cybersecurity Graduate Student at the University of Maryland and has previously worked as a Malware Research Intern at Cybrary Inc. There he created PErfidious and researched other techniques that can be used to bypass modern endpoint detection systems. His main areas of interest are reverse engineering, malware analysis, exploit development and the intersection between software security and machine learning.
