Pimp my PE: taming malicious and malformed executables

Casey Sheehan Sunbelt Software

  download slides (PDF)

A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable files. Many malicious PEs currently found in the wild are actually quite difficult to analyse, due to packing and purposely malformed header structures. As a result, many PEs can actually be quite difficult to analyse.

This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware. We also will cover specific problems and hurdles we faced along the way, and include a discussion of some interesting tools and techniques we've developed.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.