PE Alchemy with PEEL

Presented at ToorCon San Diego 14 (2012), Oct. 20, 2012, 11 a.m. (50 minutes).

You know what irritates me? Converting offsets to RVAs and VAs and back to offsets to be converted to VAs and oh my god kill me. That's what the PEEL project started out as: a wrapper that sat on top of Ero Carrera's pefile that eventually evolved into some sort of magical manipulation of Windows executables. Anyone who's dealt with PE files can tell you it's a sort of rite of passage once you actually get to the point where you think you understand what the hell is actually going on in that clusterfuck of a structure. As a result, PEEL lowers the bar-- or, at the very least, makes that clusterfuck more like spaghetti. (The kind with plenty of sauce, mind you.)

PEEL-- whose redundant definition stands for "PE Executable Library"-- is a Python-based library for manipulating PE files. From rewriting DWORDs to import rebuilding to reconstructing a destroyed PE header to even creating your very own PE executable, PEEL is a highly flexible library. This presentation will introduce the audience to PEEL and offer examples of what it can accomplish.


Presenters:

  • frank^2 as frank2
    After becoming addicted to fine imported thunks, frank2 has been known to lurk in relocations for IATs. Caught up in the chaos of TLS, they soon found themselves bound by the delays of forwarding chains as the addiction to table configurations grew strong. With a reserved directory of resources-- and a little magic from Mark Zbikowski-- frank2 eventually found solace and security in metadata. Currently, frank2 is exporting hints and names on the open market-- with the exception of architecture, of course.
