Pimp my PE: taming malicious and malformed executables

Casey Sheehan Sunbelt Software

A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable files. Many malicious PEs currently found in the wild are actually quite difficult to analyse, due to packing and purposely malformed header structures. As a result, many PEs can actually be quite difficult to analyse.

This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware. We also will cover specific problems and hurdles we faced along the way, and include a discussion of some interesting tools and techniques we've developed.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘This was my first VB - it will definitely not be the last!!’

Poll

Do you use the same password(s) across multiple websites?

Leave a comment
View 4 comments

VB2010

VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada. Early bird discount available until 15th June 2010.

Virus Bulletin currently has 190,965 registered users.

Fighting malware and spam