hasherezade / libpeconv

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
https://hasherezade.github.io/libpeconv
BSD 2-Clause "Simplified" License

Invalid detection of PE mode (raw vs virtual) #3

Closed hasherezade closed 5 years ago

hasherezade commented 5 years ago

Currently the function is_pe_raw checks where the first section starts. If it starts at the raw address, the PE is recognized as raw format. However, this way of format detection is inaccurate.

Example - UPX packed sample (raw): [image: upx_hdrs]

And the same sample loaded in the memory: [image: upx_example]

The area between the headers and the first section contains an artefact of the first section.

In such cases, a PE in virtual format is mistakenly recognized as raw.
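
Added example (not libpeconv's own code): a Python reconstruction of the misdetection described above. It builds a constructed PE32 with a UPX-like section table, once in raw (file) layout and once as it would be mapped in memory, and runs a naive check modelled on my reading of the heuristic the issue describes (non-zero bytes at the first section's PointerToRawData mean "raw"). The section values, offsets and the check itself are assumptions for illustration, not the library's function.

```python
import struct

# Constructed PE32 layout (assumption, not a real sample): UPX0 has no raw
# data, so the first section's PointerToRawData points just past the headers.
NT_OFF = 0x40                        # e_lfanew
SEC_TABLE = NT_OFF + 4 + 20 + 0xE0   # "PE\0\0" + FileHeader + PE32 optional header
SECTIONS = [  # (Name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, content)
    (b"UPX0", 0x1000, 0x1000, 0x400, 0x000, b""),
    (b"UPX1", 0x2000, 0x1000, 0x400, 0x200, b"\xE8\x00\x00\x00\x00" + b"\x90" * 0x1FB),
]

def build_pe(virtual, gap_artefact=b""):
    """Lay the constructed image out as a raw file (virtual=False) or as it looks
    once mapped (virtual=True). gap_artefact models leftover bytes sitting between
    the headers and the first section's VA in the mapped image."""
    img = bytearray(0x3000 if virtual else 0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, NT_OFF)
    img[NT_OFF:NT_OFF + 4] = b"PE\0\0"
    # FileHeader: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", img, NT_OFF + 4, 0x14C, len(SECTIONS), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, NT_OFF + 24, 0x10B)   # optional header Magic = PE32
    for i, (name, va, vsize, raw, rsize, data) in enumerate(SECTIONS):
        struct.pack_into("<8sIIIIIIHHI", img, SEC_TABLE + 40 * i,
                         name, vsize, va, rsize, raw, 0, 0, 0, 0, 0x60000020)
        dst = va if virtual else raw          # where the section's bytes live in this layout
        img[dst:dst + len(data)] = data
    if virtual:
        img[0x400:0x400 + len(gap_artefact)] = gap_artefact
    return bytes(img)

def first_section(buf):
    """Walk the headers and return (VirtualAddress, PointerToRawData, SizeOfRawData) of section 0."""
    nt = struct.unpack_from("<I", buf, 0x3C)[0]
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]       # FileHeader.SizeOfOptionalHeader
    vsize, va, rsize, raw = struct.unpack_from("<IIII", buf, nt + 24 + opt_size + 8)
    return va, raw, rsize

def is_pe_raw_naive(buf, probe=0x40):
    """Assumed reading of the original heuristic: if the bytes at the first section's
    raw pointer are not all zero, call the buffer 'raw'. A mapped image is expected to
    have only zero padding there, which the UPX artefact case violates."""
    va, raw, rsize = first_section(buf)
    return raw < len(buf) and any(buf[raw:raw + probe])

if __name__ == "__main__":
    cases = [("raw file", build_pe(False)), ("mapped, clean gap", build_pe(True)),
             ("mapped, gap artefact", build_pe(True, SECTIONS[1][5][:0x40]))]
    for label, buf in cases:
        print(f"{label:22s} -> is_pe_raw_naive = {is_pe_raw_naive(buf)}")
```

The third case is the misdetection from the issue: a mapped image whose gap after the headers still holds section bytes is reported as raw.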

hasherezade commented 5 years ago

Test cases:

  1. Banker Mekotio: full package: 1131624ba8d17448c628bc89a8e650c7, the malicious DLL: 106e9deece0f1298bb2559fe29f38ef7f2f67c7974478c845435b4d4ca4f7980
  2. Shade ransomware (with UPX packed payload): c1d656f523274f8af119e05658173aa49c52d3bba63e083ca8adc7c7346f2147
  3. Ramnit (with UPX packed payload): b36dc51cd0a519033ce77c8cb2cfa3ad98f87594ec74ed21057a2df9a8101f01
  4. Reflective Loader (the original PoC) - 32- and 64-bit builds

hasherezade commented 5 years ago

The current version of is_pe_raw works for 4 out of 4 test cases.