1 of 24

Reverse Engineering Portable Executable files

Understanding basics of RE

Beginning to analyze PE files

N Ananthakrishnan Potti

InfoSec Enthusiast

2 of 24

About Me

  • N Ananthakrishnan Potti
  • Working as Security Operations Engineer in Ola
  • Interested in Incident Response, Threat hunting, Malware analysis, sci-fi movies and travelling.
  • If you are interested in any of the above, let’s have a chat!
  • Connect with me: https://www.linkedin.com/in/ananthakrishnanpotti/

3 of 24

What is Reverse Engineering

Why should you learn it?

4 of 24

What is Reverse Engineering?

Reverse Engineering is the process of extracting the knowledge or design blue-prints from anything man-made.

To take some product and break it down in order to understand how it was produced

In Restaurant: tasting a delicious dish and trying to recreate it at home

5 of 24

Reverse Engineering is challenging

Real life software might be

  1. Obfuscated
  2. Packed
  3. Probably huge to analyze

6 of 24

ASM overview

Now begins the fun!

7 of 24

What is assembly?

  • When you compile a program, the compiler does various things. The end goal of a compiler is to translate high-level code into a language the CPU can understand. This language is Assembly.
  • The CPU supports various instructions that all work together doing things such as moving data, performing comparisons, doing things based on comparisons, modifying values, and really anything else that you can think of.
  • While we may not have the high-level source code for any program we do have the Assembly code. An executable is simply a list of Assembly instructions that can be executed.

8 of 24

Basically,

if(x == 4){

func1();

}else{

return;

}

mov RAX, x

cmp RAX, 4

jne 5 ; Line 5 (ret)

call func1

ret

9 of 24

Compilation and Disassembly

A malware author writes code in any high-level language, say C.

The C code is compiled into machine code – a series of bytes that the computer understands.

The researcher usually has no access to the C code file, only to the bytes of the machine code.

To make life easier, a disassembler translates those bytes into an easier to read and textual representaion

10 of 24

Registers

Let's talk about General Purpose Registers (GPR).

You can think of these as variables because that's essentially what they are.

Your CPU has it's own data storage that is extremely fast. This is helpful, however, space in the CPU is extremely limited.

Any data the CPU can't store on its own is stored in memory. Memory (RAM) is much slower for the CPU to use.

Because of the slow speed, the CPU tries to put data in registers instead of memory if it can.

11 of 24

General Purpose register

  • RAX - Known as the accumulator register. Often used to store the return value of a function.
  • RBX - Sometimes known as the base register. Sometimes used as a base pointer for memory access.
  • RDX - Sometimes known as the data register.
  • RCX - Sometimes known as the counter register. Used as a loop counter.
  • RSI - Known as the source index. Used as the source pointer in string operations.
  • RDI - Known as the destination index. Used as the destination pointer in string operations.
  • RSP - The stack pointer. Holds the address of the top of the stack.
  • RBP - The base pointer. Holds the address of the base (bottom) of the stack.

12 of 24

Instructions

The ability to read and comprehend Assembly code is vital to reverse engineering. There are roughly 1,500 instructions, however, a majority of the instructions are not commonly used or they're just variations (such as MOV and MOVS).

There are three different terms you should know:

  • An immediate value (or just immediate, sometimes IM) is something like the number 12. An immediate value is not a memory address or register, instead, it's some sort of constant data.
  • A register is referring to something like RAX, RBX, R12, AL, etc.
  • Memory or a memory address refers to a location in memory (a memory address) such as 0x7FFF842B.

13 of 24

What do you think these assembly code do?

  1. Mov eax, ebx
  2. Mov eax, 0x42
  3. Mov eax, [0x3423c5]
  4. lea RAX, num1
  5. push RAX

14 of 24

They do these…

  1. Mov eax, ebx 🡪 move whats in ebx to eax
  2. Mov eax, 0x42 🡪 move 0x42 to eax
  3. Mov eax, [0x3423c5] 🡪 move whats in address [0x3423c5] to eax
  4. lea RAX, num1 🡪 RAX will contain the memory address/location of num1.
  5. push RAX 🡪 RAX is pushed onto the stack

15 of 24

Memory

There are different segments/sections in which data or code is stored. They are laid out in the following order:

Stack - Holds non-static local variables.

Heap - Contains dynamically allocated data that can be uninitialized at first.

.data - Contains global and static data initialized to a non-zero value.

.bss - Contains global and static data that is uninitialized or initialized to zero.

.text - Contains the code of the program (don't blame me for the name, I didn't make it).

16 of 24

Let us take a look at some tools

17 of 24

Portable Executable format

What is inside a PE file?

18 of 24

PE?

PE stands for Portable Executable, it’s a file format for executables used in Windows operating systems, it’s based on the COFF file format (Common Object File Format).

Not only .exe files are PE files, dynamic link libraries (.dll), Kernel modules (.srv), Control panel applications (.cpl) and many others are also PE files.

A PE file is a data structure that holds information necessary for the OS loader to be able to load that executable into memory and execute it.

19 of 24

Contents of PE file

1. DOS Header: Every PE file starts with a 64-bytes-long structure called the DOS header, it’s what makes the PE file an MS-DOS executable.

2. DOS stub: small MS-DOS 2.0 compatible executable that just prints an error message saying “This program cannot be run in DOS mode” when the program is run in DOS mode.

20 of 24

Contents of PE file contd.

3. NT Headers: contains 3 parts

- PE signature: A 4-byte signature that identifies the file as a PE file.

- File Header: A standard COFF File Header. It holds some information about the PE file.

- Optional Header: The most important header of the NT Headers, its name is the Optional Header because some files like object files don’t have it, however it’s required for image files (files like .exe files). This header provides important information to the OS loader.

4. Section table: The section table follows the Optional Header immediately, it is an array of Image Section Headers, there’s a section header for every section in the PE file.

Each header contains information about the section it refers to.

21 of 24

Contents of PE file contd..

5. Sections: it is where the actual contents of the file are stored, these include things like data and resources that the program uses, and also the actual code of the program, there are several sections each one with its own purpose.

22 of 24

Let’s see how it is done!

23 of 24

THANK YOU

24 of 24

References

  1. https://archive.org/details/LoB2013D1P1
  2. https://p.ost2.fyi/
  3. Practical Malware analysis by Michael Siroski and Andrew Honig
  4. https://github.com/0xZ0F/Z0FCourse_ReverseEngineering/
  5. https://0xrick.github.io/win-internals/pe2/
  6. https://medium.com/ax1al/a-brief-introduction-to-pe-format-6052914cc8dd
  7. https://intezer.com/blog/malware-analysis/malware-reverse-engineering-beginners/
  8. https://medium.com/@securewithsalah/lockbit-unpacked-p-1-fundamentals-of-basic-static-analysis-aa915f4a2723
  9. And more…