Pimp my PE: taming malicious and malformed executables

Casey Sheehan Sunbelt Software

  Technical stream: Wednesday 19 September 2007, 14:40 - 15:20.

  download slides (PDF)

A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable (PE) files. Many malicious PEs currently found in the wild are quite difficult to analyse, because they are packed and carry purposely malformed header structures.

This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing of this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware. We will also cover specific problems and hurdles we faced along the way, and include a discussion of some interesting tools and techniques we've developed.
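As an added illustration (not code from the talk or from Sunbelt's parsing framework), the parser below shows the defensive style the abstract argues for: every offset taken from the file is bounds-checked before it is used, so an out-of-range e_lfanew, an oversized section count or a truncated section body is reported rather than trusted. The sample builder and its name (`build_sample`) are assumptions of this example and produce constructed test images, not real binaries.

```python
import struct

# IMAGE_SIZEOF_SECTION_HEADER is 40 bytes; the Windows loader refuses images with more than 96 sections.
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96


class PEError(ValueError):
    """Raised for any header field that cannot be trusted."""


def parse_pe_headers(data: bytes) -> dict:
    """Parse DOS, COFF and section headers, refusing any offset that points outside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEError("missing or truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must leave room for the 4-byte PE signature plus the 20-byte COFF header.
    if e_lfanew > len(data) - 24:
        raise PEError(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise PEError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    if nsections > MAX_SECTIONS or sect_table + nsections * SECTION_HEADER_SIZE > len(data):
        raise PEError(f"section table ({nsections} entries) does not fit in the file")
    sections = []
    for i in range(nsections):
        off = sect_table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\x00").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        # Truncated raw data is a common malformation: record how many bytes really exist on disk.
        available = min(rawsize, len(data) - rawptr) if rawptr < len(data) else 0
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "available": available})
    return {"machine": machine, "nsections": nsections, "opt_size": opt_size, "sections": sections}


def build_sample(e_lfanew: int = 0x40, nsections: int = 1, truncate: bool = False) -> bytes:
    """Construct a minimal PE32 image for testing (constructed data, not a real executable)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)          # 64-byte DOS header
    opt = b"\x0b\x01" + b"\x00" * 94                                     # PE32 magic, zeroed optional header
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, len(opt), 0x102)
    sect = b".text\x00\x00\x00" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\x00" * 16
    image = dos + b"PE\x00\x00" + coff + opt + sect * nsections
    image += b"\x00" * (0x200 - len(image)) + b"\xC3" * 0x200            # raw .text bytes at file offset 0x200
    return image[:0x300] if truncate else image                          # truncate cuts .text to 0x100 bytes
```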
