Lost in the Loader - The Many Faces of the Windows PE File Format

Offered By: Black Hat via YouTube

Tags: Black Hat, Reverse Engineering, Malware Analysis

Course Description

Overview

Explore a 25-minute Black Hat conference talk on parser differentials in the Windows PE file format: cases where different loaders and tools interpret the same PE file differently. Learn how a custom language was developed to build formal models of the PE loaders in several Windows versions and in reverse-engineering tools, and how a framework uses these models to run analyses that support reverse-engineering work. Review the structure of PE headers and the section table, and the subtle problems these discrepancies cause across the PE ecosystem. Examine the implications of PE discrepancies, how loader constraints are modelled, and the language used to express those constraints (input statements, symbol definitions, terminal predicates, and conditional statements). See the analysis framework's validation and generation modes, differential test-case generation, differences enumeration, and corner-case generation. Investigate memory-mapping discrepancies, a notable test case, and the results of a malware hunt campaign that searched for samples exploiting such discrepancies. Presented by Dario Nisi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti, this talk offers practical takeaways for professionals working with the Windows PE file format and reverse engineering.

Syllabus

Intro
The PE File Format
PE Headers
Section Table
The Subtle Problem of the PE Ecosystem
Implications of PE discrepancies
The Big Picture
Constraints Modelling
Modelling Phase
Language for Modelling Constraints
INPUT statements
Symbol Definition
(Terminal) Predicates
Conditional Statements
Analysis Framework
Validation Mode
Generation Mode
Model SMT Equivalence
Differential Test Case Generation
Differences Enumeration
Corner Case Generation
Modelled Software
Windows vs Windows
Windows vs. ClamAV
Memory Mapping Discrepancies
Notable Test Case
Malware Hunt Campaign Results
Takeaways
Taught by

Black Hat
