Lost in the Loader - The Many Faces of the Windows PE File Format

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Reverse Engineering Courses
Malware Analysis Courses

Course Description

Overview

Explore a 25-minute Black Hat conference talk on parser differentials for the Windows PE file format. Dive into custom language development for creating formal models of PE loaders across various Windows versions and reverse-engineering tools. Learn about a framework that leverages these models to perform analyses aiding reverse-engineering tasks. Discover the intricacies of PE headers, section tables, and the subtle challenges within the PE ecosystem. Examine the implications of PE discrepancies, constraints modelling, and the language used for modelling constraints. Gain insights into the analysis framework's validation and generation modes, differential test case generation, and differences enumeration. Investigate memory mapping discrepancies, notable test cases, and the results of a malware hunt campaign. Presented by Dario Nisi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti, this talk offers valuable takeaways for professionals working with Windows PE file formats and reverse engineering.

Syllabus

Intro
The PE File Format
PE Headers
Section Table
The Subtle Problem of the PE Ecosystem
Implications of PE discrepancies
The Big Picture
Constraints Modelling
Modelling Phase
Language for Modelling Constraints
INPUT statements
Symbol Definition
(Terminal) Predicates
Conditional Statements
Analysis Framework
Validation Mode
Generation Mode
Model SMT Equivalence
Differential Test Case Generation
Differences Enumeration
Corner Case Generation
Modelled Software
Windows vs Windows
Windows vs. ClamAV
Memory Mapping Discrepancies
Notable Test Case
Malware Hunt Campaign Results
Takeaways
Taught by

Black Hat

Related Courses

Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera
Palo Alto Networks Cybersecurity Essentials II
Palo Alto Networks via Coursera
Introducción al Análisis del Malware en Windows
National Technological University – Buenos Aires Regional Faculty via Miríadax
Android Malware Analysis - From Zero to Hero
Udemy
How to Create and Embed Malware (2-in-1 Course)
Udemy