
Windows PE files Infections and Heuristic Detection



Presentation Transcript


  1. Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04

  2. Introduction

  3. Evolution of Computer Viruses • Not Encrypted • Encrypted • Oligomorphic • Polymorphic • Metamorphic

  4. PE File Format • MZ Header • PE Header • PE File Header • PE Optional Header • Data Directory • Section Headers

  5. Position Independent Code • The virus needs to be executable at any memory address. • Calculation of a Delta Offset

  6. Windows PE Files Infections Techniques

  7. Virus Position • Last Section: - New Section (diagram: BEFORE / AFTER)

  8. Virus Position • Last Section: - New Section

  9. Virus Position • Last Section: - Last Section Expansion (diagram: BEFORE / AFTER)

  10. Virus Position • Last Section: - Last Section Expansion

  11. Virus Position • Header Infection

  12. Virus Position • Cavity (diagram: BEFORE / AFTER)

  13. Entry Point Position • In the Last Section

  14. Entry Point Position • In the First Section

  15. Entry Point Position • Before the First Section

  16. e_lfanew Infection • e_lfanew is a pointer to the PE header offset. • It is found at MZ+3Ch in the MZ header. • Infection by modification of e_lfanew is really straightforward. • The virus is copied to the end of the file, but it doesn't need position-independent code.

  17. e_lfanew Infection • The program is modified so that its e_lfanew points to the virus' PE header. • Windows will therefore load the virus rather than the infected file. • The virus then makes a temporary copy of the infected program and patches back the original pointer to the PE header. • The virus finally runs the temp file, using CreateProcessA for example, and deletes the temp file when it exits.

  18. Heuristic Detections on Windows PE Files

  19. PE Structure Analysis Heuristic detections are mainly based on analysis of the PE file structure of Windows executables. • Entry Point • Section Characteristics • Section names (with specific Characteristics) • Values not updated in the PE HEADER • Position of the PE HEADER in the file etc.

  20. PE Structure Analysis • Entry Point in the Last Section • Entry Point before the First Section

  21. PE Structure Analysis • Sections Characteristics : - Last Section « Executable » - First Section « Writeable » • Section names AND their Characteristics

  22. PE Structure Analysis • « SizeOfImage » incorrect in the PE Header • PE Header near the end of the File • « Size of Code » incorrect
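The structural checks of slides 19-22, plus the e_lfanew case of slides 16-17, as an added Python example (mine, not the talk's engine): a minimal PE32 header parser, the heuristics over it, and constructed toy headers for a clean file, a last-section infection and an e_lfanew infection. Field offsets follow the PE32 layout; the "near end of file" threshold (header placed past the first section's raw data) and the SizeOfCode rule (sum of executable sections' raw sizes) are my choices.

```python
import struct
EXEC, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """Read the PE32 header fields the structural heuristics below need."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # MZ+3Ch -> PE header offset
    assert data[:2] == b"MZ" and data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # file header
    opt = e_lfanew + 24                                            # optional header
    size_of_code, _, _, entry = struct.unpack_from("<IIII", data, opt + 4)
    align, size_of_image = struct.unpack_from("<I", data, opt + 32)[0], struct.unpack_from("<I", data, opt + 56)[0]
    secs = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):   # 40-byte section headers
        name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append(dict(name=name.rstrip(b"\0"), vsize=vsize, va=va, rsize=rsize, rptr=rptr, chars=chars))
    return dict(e_lfanew=e_lfanew, entry=entry, size_of_code=size_of_code, size_of_image=size_of_image, align=align, secs=secs)

def structure_heuristics(data):
    """Names of the slide 19-22 anomalies this file triggers (thresholds are my choices)."""
    pe = parse_pe(data)
    secs, ep, first, last = pe["secs"], pe["entry"], pe["secs"][0], pe["secs"][-1]
    last_end = last["va"] + max(last["vsize"], last["rsize"])
    checks = [
        ("entry point in last section", len(secs) > 1 and last["va"] <= ep < last_end),
        ("entry point before first section", ep < first["va"]),
        ("last section executable", bool(last["chars"] & EXEC)),
        ("first section writeable", bool(first["chars"] & WRITE)),
        ("SizeOfImage incorrect", pe["size_of_image"] != -(-last_end // pe["align"]) * pe["align"]),
        ("SizeOfCode incorrect", pe["size_of_code"] != sum(s["rsize"] for s in secs if s["chars"] & EXEC)),
        ("PE header near end of file", pe["e_lfanew"] >= min(s["rptr"] for s in secs)),
    ]
    return [name for name, hit in checks if hit]

def build_pe(entry, sections, size_of_image, size_of_code, e_lfanew=0x40):  # constructed toy PE32, not a real program
    hdr = bytearray(e_lfanew); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    for off, val in ((4, size_of_code), (16, entry), (32, 0x1000), (36, 0x200), (56, size_of_image)):
        struct.pack_into("<I", opt, off, val)                      # SizeOfCode, EP, SectionAlignment, FileAlignment, SizeOfImage
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102) + opt
    hdr += b"".join(struct.pack("<8sIIIIIIHHI", *s[:5], 0, 0, 0, 0, s[5]) for s in sections)
    return bytes(hdr).ljust(max(s[3] + s[4] for s in sections), b"\0")   # pad to end of raw data

TEXT = (b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)   # name, vsize, va, rsize, rptr, chars
DATA = (b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040)
CLEAN = build_pe(0x1010, [TEXT, DATA], 0x3000, 0x200)
# Appended-section infection (slides 7-8): EP moved into the new executable section, SizeOfImage/SizeOfCode stale.
VIRUS = (b".virus", 0x300, 0x3000, 0x400, 0x800, 0xE0000020)
INFECTED = build_pe(0x3000, [TEXT, DATA, VIRUS], 0x3000, 0x200)
# e_lfanew infection (slides 16-17): the PE header pointer moved past the section data.
ELFANEW = build_pe(0x1010, [TEXT, DATA], 0x3000, 0x200, e_lfanew=0x700)
```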

  23. Code Analysis • Non-standard instruction at the Entry Point • Calculation of a Delta Offset • Suspicious code redirection: - JUMP FAR - PUSH RET etc.

  24. Code Analysis • Code looking for PE files • Usage of the PEB to obtain the image base of system DLLs • Hardcoded values of important system data (PEB ...)

  25. Code Analysis • Suspicious strings inside code sections: - "*.exe" - Names of Win functions: FindFirstFileA, MapViewOfFile etc. - Registry keys: Run / RunOnce etc.

  26. Emulation • JMP FAR • PUSH / RET • + Various ways to redirect code flow • Decryptor emulation (identification of loops)
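The code-level checks of slides 23-26 as an added Python example (mine, not the talk's engine): byte patterns for the delta-offset, push/ret and jmp far idioms near the entry point, the slide 25 strings inside a code section, and a static approximation of decryptor-loop identification (a backward short jump whose body contains an XOR on memory). The allow-list of usual entry-point opcodes and the sample byte sequences are constructed by me.

```python
import re

# x86 opcode patterns for the code-flow idioms of slides 23 and 26 (my byte encodings):
PATTERNS = {
    "delta offset (call $+5 / pop reg)": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]", re.DOTALL),
    "push imm32 / ret": re.compile(rb"\x68.{4}\xC3", re.DOTALL),
    "jmp far ptr16:32": re.compile(rb"\xEA.{6}", re.DOTALL),
}
# Strings slide 25 treats as suspicious when found inside a *code* section.
SUSPICIOUS_STRINGS = [b"*.exe", b"FindFirstFileA", b"MapViewOfFile", b"CurrentVersion\\Run"]
# First opcode byte a compiler-generated entry point normally starts with (my allow-list).
USUAL_EP_OPCODES = {0x55, 0x68, 0x6A, 0xE8, 0xE9, 0x8B, 0x83, 0x33, 0x53}
# XOR on a memory operand (mod != 11): 30/31 xor [mem],reg  or  80/81 /6 xor [mem],imm.
XOR_MEM = re.compile(rb"[\x30\x31][\x00-\xBF]|[\x80\x81][\x30-\x37\x70-\x77\xB0-\xB7]", re.DOTALL)

def code_heuristics(code, ep_off=0, window=64):
    """Slide 23-25 flags for one code section; ep_off is the entry point offset inside it."""
    flags = []
    if code[ep_off] not in USUAL_EP_OPCODES:
        flags.append("non-standard instruction at entry point")
    head = code[ep_off:ep_off + window]
    flags += [label + " near entry point" for label, pat in PATTERNS.items() if pat.search(head)]
    flags += ["suspicious string in code section: " + s.decode() for s in SUSPICIOUS_STRINGS if s in code]
    return flags

def find_decrypt_loops(code):
    """Static stand-in for slide 26's loop identification: a short backward Jcc/LOOP/JMP whose body
    contains an XOR on memory. Pattern-based (no disassembly or emulation), so data bytes can misfire."""
    loops = []
    for i in range(len(code) - 1):
        op, rel8 = code[i], code[i + 1]
        if (0x70 <= op <= 0x7F or op in (0xE2, 0xEB)) and rel8 >= 0x80:   # negative rel8 = backward
            start = i + 2 + rel8 - 0x100
            if start >= 0 and XOR_MEM.search(code[start:i]):
                loops.append((start, i + 2))                            # (loop_start, loop_end)
    return loops

# Constructed code-section bytes (not from any real sample):
CLEAN_CODE = bytes.fromhex("558BEC83EC10535657E8123400005F5E5B8BE55DC3")   # push ebp / mov ebp,esp ...
VIRUS_CODE = bytes.fromhex(
    "60"               # pushad
    "E8000000005D"     # call $+5 ; pop ebp            -> delta offset
    "81ED06104000"     # sub ebp, 401006h
    "8DB520000000"     # lea esi, [ebp+20h]            -> encrypted body
    "B910000000"       # mov ecx, 10h
    "8036AA"           # xor byte ptr [esi], 0AAh      -> decryptor loop body
    "46"               # inc esi
    "E2FA"             # loop back to the xor
    "6800104000C3"     # push 401000h ; ret            -> code redirection
) + b"*.exe\0"
```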

  27. Anti Heuristic Techniques

  28. PE Structure • Section characteristics left unmodified • More than one section added (fake reloc / imports) • Part of the code section overwritten to avoid suspicion. • Packing of the code section to place the virus in the freed space • EPO: Entry Point Obscuring

  29. PE Structure • FF15/FF25 (call IAT slots) patches • Stack frame patches • Updated checksums • Existing sections are renamed (when possible) • « Size of Code » fixed

  30. Anti Emulation • SEH - Structured Exception Handling. • Co-Processor Instructions • MMX / SSE Technology • Undocumented Instructions • Anti Virtual Machine Code • Decryption Layers with Brute Forcing of Keys • Threads

  31. Anti Heuristic Code • Delta offset is calculated differently • Usage of obfuscation to hide suspect actions (PE file checking etc.) • No more strings in the virus loader: CRC / HASH

  32. Presentation of a Basic Heuristic Engine

  33. Presentation of a Basic Engine • Standard binaries: notepad, regedit, calc, MS Paint, WordPad etc.

  34-36. Presentation of a Basic Engine (slides without transcript text)

  37. Presentation of a Basic Engine • Analysis of infected binaries: Polymorphic, Encrypted, Standard, EPO etc.

  38-45. Presentation of a Basic Engine (slides without transcript text)

  46. Presentation of a Basic Engine Notes: Although this is a basic engine, it heuristically detected every virus generated with a very recent Win32 virus generator (VCL32).

  47. Presentation of a Basic Engine • Analysis of packed files: PE protect, PEShield etc.

  48-50. Presentation of a Basic Engine (slides without transcript text)
