# Portable Executables: Going Deep

If you've read our [[PE File Format Foundations]] post, you're already familiar with the foundations of PE files. Ready to dive a bit deeper? Grab your favourite beverage, because we're about to explore some of the more fascinating (and sometimes sneaky) aspects of PE files that malware analysts deal with daily.

## The PE Header Family Tree

Remember how we talked about headers in our basics post? Well, there's a lot more to these than meets the eye. Think of PE headers like Russian nesting dolls - open one up, and you'll find another one inside!

### NT Headers: Where the Magic Happens

The NT headers are where Windows really starts to understand what it's dealing with. The DOS header's `e_lfanew` field (at file offset 0x3C) says where they begin, and they kick off with a signature that literally spells out "`PE\0\0`" (those zeros at the end are important - they're like the full stop at the end of a sentence). Inside these headers, we find two crucial bits:

1. **IMAGE_FILE_HEADER**: This is like the file's ID card. It tells us:
   - What type of machine it's meant to run on (`Machine`)
   - When it was linked (`TimeDateStamp` - treat it as a hint, not evidence: it's trivial to edit, and newer toolchains can write a reproducible-build hash there instead of a date)
   - How many sections follow (`NumberOfSections`) and how long the optional header is (`SizeOfOptionalHeader`)
   - Special `Characteristics` flags, such as whether it's a normal program or a DLL (`IMAGE_FILE_DLL`), and whether its relocations were stripped, which means it can't be moved around in memory and must load at its preferred base (`IMAGE_FILE_RELOCS_STRIPPED`)
2. **IMAGE_OPTIONAL_HEADER**: Despite the name, this isn't actually optional for anything Windows can load - it's only optional in object files! It's more like those "optional extras" that come standard with your car. It contains:
   - A `Magic` value that tells you whether you're looking at a 32-bit image (PE32, `0x10B`) or a 64-bit one (PE32+, `0x20B`) - the layout of the rest of the header depends on it, so check this first
   - Where the program wants to be loaded in memory (`ImageBase`)
   - Where to start executing code (`AddressOfEntryPoint`, given as an RVA)
   - How much space it needs (`SizeOfImage`), and how sections are aligned in the file and in memory (`FileAlignment`, `SectionAlignment`)
   - And loads more goodies we'll dig into

### Data Directories: The Grand Tour

Here's where things get really interesting. The optional header ends with an array of up to 16 data directories (`NumberOfRvaAndSizes` says how many are present), each one just an RVA plus a size pointing at a different part of the image. Think of them as a detailed map of where everything important lives.
Some of the most interesting ones for malware analysis are:

- **Export Directory**: Like a phone book of functions this program shares with others
- **Import Directory**: The shopping list of functions it needs from other files
- **Resource Directory**: Where all the program's assets live (and sometimes where malware hides nasty surprises!)
- **TLS Directory**: A sneaky little directory that can run code before the main program starts
- **Security Directory**: Points at the Authenticode signature, if there is one. It's the odd one out: its "RVA" is really a file offset, because the signature lives outside every section

## Sneaky Tricks and Where to Find Them

Now for the fun part - let's look at some tricks that malware authors love to use!

### The Rich Header: A Hidden Gem

>[!hint] Fun fact: Two malware samples with identical Rich Headers were probably built by the same tools, possibly by the same author!

There's a secret header that Microsoft doesn't document - the Rich Header. It sits between the DOS stub and the NT headers, and it only shows up in files produced by Microsoft's linker. It's like a fingerprint left by the development environment used to create the file: a list of which compiler, assembler and linker versions contributed to the build, and how many objects each one produced. On disk it's XOR-encoded with a key that is stored in the clear right after the `Rich` marker, so decoding it is trivial. Malware analysts love this because it can help identify malware families based on how they were built. One caveat: because it's just bytes in the DOS stub, it is equally trivial to copy a Rich Header from another binary. A header whose key doesn't check out, or whose linker version contradicts the one in the optional header, is a finding in its own right rather than a fingerprint to trust.

### Overlay Data: The Hidden Compartment

Ever noticed how some files are bigger than they should be? Any bytes after the end of the last section - past the highest `PointerToRawData + SizeOfRawData` in the section table - are called overlay data. The loader never maps them, so a program that wants them has to open itself from disk and read them out. Legitimate programs use this for things like installer payloads and Authenticode signatures, but malware authors often use it to hide additional payloads. It's like having a secret compartment in your car - totally fine if you're using it to store your emergency roadside kit, a bit suspicious if you're using it for... other things.

### TLS Callbacks: The Early Birds

Here's a clever trick: Thread Local Storage (TLS) callbacks are functions that the Windows loader calls before the program's main entry point (and again whenever a thread starts or exits). They're reached through the TLS Directory's `AddressOfCallBacks` field, which holds a virtual address (not an RVA) of a null-terminated array of function pointers. Legitimate programs use them for initialisation, but malware authors? They use them to try to outsmart debuggers: a callback can check for a debugger or unpack the real code before a debugger that only breaks on the entry point has had a chance to stop. Think of it like this: if you're watching the front door of a house (the main entry point), TLS callbacks are like someone sneaking in through the back door before you even started watching! Most modern debuggers can be told to break on TLS callbacks too, so turn that option on before you start.
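Back to the Rich Header for a moment. Here's an added example (our own script, not something from the tools or from Microsoft) that finds the `Rich` marker, takes the key that follows it, XORs backwards until it hits `DanS`, and then recomputes the key from the file. Microsoft never published the key algorithm; what's implemented here is the community's reverse-engineered reconstruction (offset of `DanS`, plus each DOS-stub byte rotated by its index with the `e_lfanew` bytes skipped, plus each compid rotated by its count), so treat it as an assumption. The sample it builds is constructed in the script, and its compids are made up rather than real tool ids. The "fingerprint" is simply an MD5 over the decoded dwords; real tools each define their own bounds for that hash.

```python
import hashlib
import struct

DANS, RICH = 0x536E6144, 0x68636952      # "DanS" and "Rich" as little-endian dwords

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(dos_stub, entries):
    """Community reconstruction of the (undocumented) key: offset of 'DanS' + each DOS-stub
    byte rotated by its index (e_lfanew bytes skipped) + each compid rotated by its count."""
    c = len(dos_stub)
    for i, b in enumerate(dos_stub):
        if not 0x3C <= i < 0x40:
            c = (c + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        c = (c + rol32(compid, count)) & 0xFFFFFFFF
    return c

def build_rich(dos_stub, entries):
    """Lay out a Rich header the way the linker does: DanS, three padding dwords and the
    (compid, count) pairs all XORed with the key, then 'Rich' and the key in the clear."""
    key = rich_checksum(dos_stub, entries)
    words = [DANS, 0, 0, 0] + [w for pair in entries for w in pair]
    return b"".join(struct.pack("<I", w ^ key) for w in words) + struct.pack("<II", RICH, key)

def parse_rich(blob):
    """Find 'Rich' before e_lfanew, read the key after it, XOR backwards until 'DanS'."""
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    rich_at = blob.rfind(b"Rich", 0, e_lfanew)
    if rich_at < 0:
        return None                                   # not linked by MSVC, or header stripped
    key, = struct.unpack_from("<I", blob, rich_at + 4)
    words, pos = [], rich_at
    while pos >= 4:
        pos -= 4
        words.insert(0, struct.unpack_from("<I", blob, pos)[0] ^ key)
        if words[0] == DANS:
            break
    else:
        return None                                   # 'Rich' with no matching 'DanS'
    entries = list(zip(words[4::2], words[5::2]))     # pairs follow DanS + 3 padding dwords
    return {
        "offset": pos,
        "key": key,
        # prodid names the tool (compiler, linker, masm...) and build its version; decode with a compid table
        "entries": [{"prodid": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries],
        # recomputing the key from this file catches a header copied in from another binary
        "key_valid": rich_checksum(blob[:pos], entries) == key,
        # one simple clustering fingerprint: MD5 of the decoded dwords (tools differ on exact bounds)
        "fingerprint": hashlib.md5(b"".join(struct.pack("<I", w) for w in words)).hexdigest(),
    }

def build_sample():
    """Constructed DOS header + stub + Rich header + 'PE\\0\\0'; the compids are made up."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)          # e_lfanew: NT headers land after the Rich header
    entries = [((0x0104 << 16) | 27508, 12), ((0x0105 << 16) | 27508, 1)]
    return (bytes(dos) + build_rich(bytes(dos), entries)).ljust(0x100, b"\0") + b"PE\0\0"

if __name__ == "__main__":
    info = parse_rich(build_sample())
    print(f"Rich header at {info['offset']:#x}, key {info['key']:#010x}, key valid: {info['key_valid']}")
    for e in info["entries"]:
        print(f"  prodid {e['prodid']:#06x} build {e['build']:5d} x{e['count']}")
```

Point it at a real file with `parse_rich(open(path, "rb").read())`. A `key_valid` of `False` on a file that otherwise looks untouched is exactly the "copied from another binary" case described above.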
## Tools of the Trade

When you're diving into PE analysis, you'll want some reliable tools in your kit:

- **PE Bear**: Brilliant for quick analysis and visualising PE structure
- **DIE (Detect It Easy)**: Great at spotting packers and compilers
- **PEView**: Old but gold for viewing PE structures
- **PEstudio**: Your go-to for malware analysis

## Looking for Trouble: Common Red Flags

When analysing PE files, here are some things that should make you raise an eyebrow:

1. **Suspicious Section Names**: Normal sections are named things like .text, .data, .rdata. If you see sections named like .xyz or .whatever, that's worth investigating. Some names are a giveaway on their own - UPX0 and UPX1, for instance, are what the UPX packer leaves behind.
2. **High Entropy in Sections**: If a section looks really random (high entropy - say above 7 bits per byte on the 0 to 8 scale), it might be packed or encrypted. Ordinary compiled code lands well below that.
3. **Size Mismatches**: When the size on disk doesn't match what's in the headers, something fishy might be going on. The classic case is a section, often .text, whose `Virtual Size` is far larger than its `Size of Raw Data`: the file only ships a small stub but asks for a big empty region in memory, which the stub then fills at runtime - exactly what a packer does. Don't over-react to small differences, though: raw sizes are always padded up to `File Alignment`, so a few hundred bytes of slack is normal. A raw size or raw pointer that reaches past the end of the file is another one to look for.
4. **Weird Imports**: If a simple program is importing functions for process injection or network communication, you might want to take a closer look! The flip side is just as telling: a real program with almost no imports at all is most likely resolving them itself at runtime, another packer hallmark.

## Wrapping Up

We've covered a lot of ground here, from the nitty-gritty of PE headers to the tricks malware authors use to hide their code. Remember, understanding these concepts isn't just about spotting malware - it's about understanding how Windows executables work at a fundamental level.

Want to practice what we've covered? Grab a copy of PEBear and start looking at some legitimate executables on your system. Nothing beats hands-on experience!

Coming up next, we'll dive into how malware authors manipulate these structures and how we can detect their modifications. Stay tuned!

> [!tip] Always analyse suspicious files in a secure environment like the one we built in our [[Azure Malware Lab Design]] series. Better safe than sorry!
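To put the header walk, the overlay and TLS callback checks, and the red flags above into practice in one place, here's an added example: a small Python script of our own (not code from PE Bear, PEstudio or any other tool) that parses the DOS header, `PE\0\0` signature, file header, optional header, data directories and section table with nothing but `struct`, then runs the heuristics from the list. It builds its own tiny PE32 in memory rather than reading a real file - the sample is constructed here and will not run as a program - with a `.text` whose `VirtualSize` dwarfs its `SizeOfRawData`, a `.data` that holds a TLS directory with two callbacks, and 64 bytes of overlay. The field offsets come from the public `winnt.h` layouts; the 7.0 entropy threshold and the "slack up to one `FileAlignment` is fine" rule are our assumptions, so tune them to taste.

```python
import math
import struct
from collections import Counter

DIR_SECURITY, DIR_TLS = 4, 9  # IMAGE_DIRECTORY_ENTRY_SECURITY / _TLS indices (winnt.h)
COMMON_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                ".rsrc", ".reloc", ".pdata", ".tls", ".CRT"}

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for perfectly uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def rva_to_offset(sections, rva):                     # RVA -> file offset via the section table
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    return None                                       # RVA not backed by any section

def parse_pe(blob):
    """DOS header -> PE\\0\\0 -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER -> data dirs -> sections."""
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[:2] != b"MZ" or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ or PE\\0\\0 signature")
    fh = e_lfanew + 4                                                  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, fh)
    oh = fh + 20                                                       # IMAGE_OPTIONAL_HEADER
    plus = struct.unpack_from("<H", blob, oh)[0] == 0x20B              # Magic: 0x10B PE32, 0x20B PE32+
    entry, = struct.unpack_from("<I", blob, oh + 16)                   # AddressOfEntryPoint (an RVA)
    base, = struct.unpack_from("<Q", blob, oh + 24) if plus else struct.unpack_from("<I", blob, oh + 28)
    file_align, = struct.unpack_from("<I", blob, oh + 36)
    ndirs_at = oh + (108 if plus else 92)                              # NumberOfRvaAndSizes, then the array
    ndirs, = struct.unpack_from("<I", blob, ndirs_at)
    dirs = [struct.unpack_from("<II", blob, ndirs_at + 4 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):                                             # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, oh + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "timestamp": stamp, "is_dll": bool(chars & 0x2000), "entry": entry,
            "image_base": base, "pe32plus": plus, "file_align": file_align, "dirs": dirs, "sections": sections}

def tls_callbacks(blob, pe):
    """RVAs in IMAGE_TLS_DIRECTORY.AddressOfCallBacks; the loader calls them before the entry point."""
    dirs = pe["dirs"]
    if len(dirs) <= DIR_TLS or dirs[DIR_TLS][0] == 0:
        return []
    psz, fmt = (8, "<Q") if pe["pe32plus"] else (4, "<I")
    tls_off = rva_to_offset(pe["sections"], dirs[DIR_TLS][0])
    cb_va, = struct.unpack_from(fmt, blob, tls_off + 3 * psz)          # 4th field; a VA, not an RVA
    arr, out = rva_to_offset(pe["sections"], cb_va - pe["image_base"]), []
    while (cb := struct.unpack_from(fmt, blob, arr + psz * len(out))[0]) != 0:  # NULL-terminated
        out.append(cb - pe["image_base"])
    return out

def red_flags(blob, pe):
    """The post's heuristics: odd names, high entropy, VirtualSize >> SizeOfRawData, overlay, TLS."""
    flags, end_of_sections = [], 0
    for s in pe["sections"]:
        raw = blob[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        end_of_sections = max(end_of_sections, s["rawptr"] + s["rawsize"])
        if s["name"] not in COMMON_NAMES:
            flags.append(f"unusual section name {s['name']!r}")
        if (h := entropy(raw)) > 7.0:
            flags.append(f"high entropy in {s['name']} ({h:.2f} bits/byte)")
        if s["vsize"] > s["rawsize"] + pe["file_align"]:               # slack up to FileAlignment is normal
            flags.append(f"{s['name']}: VirtualSize {s['vsize']:#x} far exceeds SizeOfRawData {s['rawsize']:#x}")
    if (overlay := len(blob) - end_of_sections) > 0:
        signed = len(pe["dirs"]) > DIR_SECURITY and pe["dirs"][DIR_SECURITY][0] != 0
        flags.append(f"{overlay} bytes of overlay" + (" (Security directory set: may be a signature)" if signed else ""))
    if cbs := tls_callbacks(blob, pe):
        flags.append("TLS callbacks at RVA " + ", ".join(f"{c:#x}" for c in cbs))
    return flags

def build_sample_pe():
    """Constructed PE32 for the demo (not a real program): packed-looking .text, TLS callbacks, overlay."""
    base, hdr = 0x400000, 0x200
    text = bytes((i * 167) & 0xFF for i in range(0x200))               # every byte value twice: entropy 8.0
    data = bytearray(0x200)                                            # mapped at RVA 0x6000
    struct.pack_into("<IIIIII", data, 0, base + 0x6100, base + 0x6110, base + 0x6118, base + 0x6020, 0, 0)
    struct.pack_into("<III", data, 0x20, base + 0x1040, base + 0x1080, 0)   # AddressOfCallBacks array
    secs = [(b".text", 0x5000, 0x1000, 0x200, hdr, 0x60000020),         # VirtualSize 0x5000, 0x200 on disk
            (b".data", 0x200, 0x6000, 0x200, hdr + 0x200, 0xC0000040)]
    dirs = [(0, 0)] * DIR_TLS + [(0x6000, 24)] + [(0, 0)] * 6            # 16 entries, only TLS populated
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x6000, base, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x7000, hdr, 0, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x5F000000, 0, 0, len(opt), 0x0102)
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl) for n, vs, va, rs, rp, fl in secs)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    headers = (dos + nt + opt + tbl).ljust(hdr, b"\0")
    return headers + text + bytes(data) + b"constructed overlay payload".ljust(0x40, b"\0")

if __name__ == "__main__":
    sample = build_sample_pe()
    print("\n".join(red_flags(sample, parse_pe(sample))))
```

Swap `build_sample_pe()` for `open(path, "rb").read()` to run it over something on disk. Every flag it raises on the sample is one the text above describes: a `.text` that is both too random and far larger in memory than on disk, trailing overlay with no Security directory to explain it, and two callbacks that will run before `AddressOfEntryPoint`.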