Casey Sheehan Sunbelt Software
A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable (PE) files. Many malicious PEs currently found in the wild are quite difficult to analyse because they are packed and carry purposely malformed header structures.
This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing of this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware. We will also cover specific problems we faced along the way, and include a discussion of some interesting tools and techniques we have developed.
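The kind of defensive header handling the abstract alludes to can be illustrated with a small parser that never trusts a size or offset taken from the file itself. The following is an added example written for this page, not code from the talk or from Sunbelt Software: it walks the DOS, NT and section headers, rejects only the damage that makes further parsing impossible (a bad `e_lfanew`, a missing `PE\0\0` signature) and records everything else as a tolerated inconsistency, mirroring the loader's permissiveness. The `build_sample_pe` helper constructs a 1 KiB PE32 image with deliberately inconsistent fields for testing; the sample bytes and layout are constructed, not taken from any real binary.

```python
"""Defensive PE header parser: bounds-checks every field it follows
instead of trusting the sizes and offsets the file declares (added example)."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20          # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40       # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class PEFormatError(ValueError):
    """Raised only when a header is too damaged to locate anything further."""


def parse_pe(data: bytes) -> dict:
    """Parse DOS/NT/section headers and return the fields plus a list of
    malformations that were tolerated (as the Windows loader often does)."""
    issues = []
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing or truncated IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is attacker-controlled: it must leave room for the NT signature
    # and IMAGE_FILE_HEADER inside the file before we dereference it.
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise PEFormatError(f"e_lfanew 0x{e_lfanew:X} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE signature at e_lfanew")

    fh_off = e_lfanew + 4
    (machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh_off)
    opt_off = fh_off + FILE_HEADER_SIZE
    if opt_off + 2 > len(data):
        raise PEFormatError("optional header magic lies outside the file")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise PEFormatError(f"unknown optional header magic 0x{magic:X}")

    # These fields sit at the same offsets in PE32 and PE32+; read them only
    # when the file actually contains them rather than trusting SizeOfOptionalHeader.
    opt = {}
    if opt_off + 64 <= len(data):
        opt["entry_point"] = struct.unpack_from("<I", data, opt_off + 16)[0]
        opt["section_alignment"], opt["file_alignment"] = struct.unpack_from("<II", data, opt_off + 32)
        opt["size_of_image"], opt["size_of_headers"] = struct.unpack_from("<II", data, opt_off + 56)
    else:
        issues.append("optional header truncated by end of file")

    # The loader finds the section table via SizeOfOptionalHeader, so honour it,
    # but clamp NumberOfSections to what physically fits in the file.
    sec_off = opt_off + opt_size
    fit = max(0, (len(data) - sec_off) // SECTION_HEADER_SIZE)
    if num_sections > fit:
        issues.append(f"section table truncated: NumberOfSections={num_sections}, "
                      f"only {fit} headers fit in the file")
    sections = []
    for i in range(min(num_sections, fit)):
        (name, vsize, vaddr, rsize, rptr, _reloc, _lines, _nreloc, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + i * SECTION_HEADER_SIZE)
        if rptr >= len(data):
            available = 0
            issues.append(f"section {i} raw data at 0x{rptr:X} lies outside the file")
        elif rptr + rsize > len(data):
            available = len(data) - rptr   # read what exists; do not trust SizeOfRawData
            issues.append(f"section {i} SizeOfRawData 0x{rsize:X} overruns the file")
        else:
            available = rsize
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rsize, "raw_pointer": rptr,
                         "raw_available": available, "characteristics": flags})

    ep = opt.get("entry_point")
    if ep is not None and not any(
            s["virtual_address"] <= ep < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
            for s in sections):
        issues.append(f"AddressOfEntryPoint 0x{ep:X} is not inside any section")
    return {"machine": machine, "characteristics": characteristics,
            "pe32_plus": magic == PE32PLUS_MAGIC, "optional": opt,
            "sections": sections, "issues": issues}


def rejects(data: bytes) -> bool:
    """True when parse_pe refuses the image outright."""
    try:
        parse_pe(data)
    except PEFormatError:
        return True
    return False


def build_sample_pe(e_lfanew=0x40, num_sections=None, raw_size=0x200) -> bytes:
    """Constructed 1 KiB PE32 test image (not a real binary): NT headers at
    0x40, one .text section with raw data at 0x200. The e_lfanew and
    NumberOfSections values are written exactly as given so that callers
    can fabricate the kind of inconsistent headers seen in the wild."""
    image = bytearray(0x400)
    image[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[0x40:0x44] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C,          # IMAGE_FILE_MACHINE_I386
                     1 if num_sections is None else num_sections, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    image[0x58:0x138] = opt
    struct.pack_into("<8sIIIIIIHHI", image, 0x138, b".text", 0x1000, 0x1000,
                     raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    image[0x200:0x400] = b"\xC3" * 0x200                      # constructed code body
    return bytes(image)
```

The split between `PEFormatError` and the `issues` list is the design point: a parser meant for malware triage should fail only where there is genuinely nothing left to read, and otherwise report what the loader would silently tolerate (an oversized `NumberOfSections`, a `SizeOfRawData` that runs past end of file) so the analyst sees the malformation instead of losing the sample.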