One constant challenge of modern security will always be the difference between published and implemented specifications. Evolving projects, by their very nature, open up a host of exploit areas and implementation ambiguities that cannot be fixed. As such, complex documentation such as that for PECOFF or PDF are goldmines of possibilities.
In this talk we will disclose our recent findings about never before seen PE or Portable executable format malformations. These findings have serious consequences on security and reverse engineering tools and lead to multiple exploit vectors.
PE is the main executable image file format on Windows operating system since its introduction in Windows NT 18 years ago. PE file format itself can be found on numerous Windows-based devices including PCs, mobile and gaming devices, BIOS environments and others. Its proper understanding is the key for securing these platforms. The talk will focus on all aspects of PE file format parsing that leads to undesired behavior or prevents security and reverse engineering tools from inspecting malformated files due to incorrect parsing. Special attention will be given to differences between PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences we will demonstrate existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems. Special attention will be given to following PE file format aspects and their malformation consequences:
This talk will be a Black Hat exclusive; Whitepaper accompanying the presentation materials will contain detailed description of all malformations discussed during the talk. This whitepaper aims to be a mandatory reading material for security analysts. It will continue to be maintained as new information on PE format malformations are discovered.
Mario Vuksan was the Director of Research at a leading provider of application and device control solutions, where he has founded and built the world's largest collection of actionable intelligence about software. He spoke at CEIC, Black Hat, RSA, Defcon, Caro Workshop, Virus Bulletin and AVAR Conferences. He is author of numerous blogs on security and has most recently authored "Protection in Untrusted Environments" chapter for the "Virtualization for Security" book. Tomislav Pericin, Founder, ReversingLabs Tomislav Pericin has been analyzing and developing packing and protection methods for the last 7 years. He is the chief architect for TitanEngine, 400+ function open source platform for file analysis. In addition, he is author of "the Art of Unpacking" and founder of the commercial software protection project RLPack.
Tomislav Pericin, Founder, ReversingLabs Tomislav Pericin has been analyzing and developing packing and protection methods for the last 7 years. He is the chief architect for TitanEngine, 400+ function open source platform for file analysis. In addition, he is author of "the Art of Unpacking" and founder of the commercial software protection project RLPack.