research-article

Lost in the Loader:The Many Faces of the Windows PE File Format

Authors:

Dario Nisi,

Mariano Graziano,

Yanick Fratantonio,

Davide BalzarottiAuthors Info & Claims

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses

Pages 177 - 192

https://doi.org/10.1145/3471621.3471848

Published: 07 October 2021 Publication History

Get Access

Abstract

A known problem in the security industry is that programs that deal with executable file formats, such as OS loaders, reverse-engineering tools, and antivirus software, often have little discrepancies in the way they interpret an input file. These differences can be abused by attackers to evade detection or complicate reverse engineering, and are often found by researchers through a manual, trial-and-error process.

In this paper, we present the first systematic analysis and exploration of PE parsers. To this end, we developed a framework to easily capture the details on how different software parses, checks, and validates whether a file is compliant with a set of specifications. We then used this framework to create models for the loaders of three versions of Windows (XP, 7, and 10) and for several reverse-engineering and antivirus tools. Finally, we used this framework to automatically compare different models, generate new samples from a model, or validate an executable according to a chosen model. Our system also supports more complex tasks, such as “generating samples that would load on Windows 10 but not on Windows 7.”

The results of our analysis have consequences on several aspects of system security. We show that popular analysis tools can be completely bypassed, that the information extracted by these analysis tools can be easily manipulated, and that it is trivial for malware authors to fingerprint and “target” only specific versions of an operating system in ways that are not obvious to someone analyzing the executable. But, more importantly, we show that there is not one correct way to parse PE files, and therefore that it is not sufficient for security tools to fix the many inconsistencies we found in our experiments. Instead, to tackle the problem at its roots, tools should allow the analyst to select which of the several loader models they should emulate.

References

[1]

A. Albertini. [n.d.]. Corkami PE files corpus. https://github.com/corkami/pocs/tree/master/PE.

Abstract

References

Cited By

Recommendations

The Detection of 8 Type Malware botnet using Hybrid Malware Analysis in Executable File Windows Operating Systems

MalGene: Automatic Extraction of Malware Analysis Evasion Signature

MGeT: Malware Gene-Based Malware Dynamic Analyses

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

HTML Format

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations