Pimp my PE: taming malicious and malformed executables presented at Virus Bulletin 2007

by Casey Sheehan (Sunbelt software),

Tags: Security

URL : http://www.virusbtn.com/conference/vb2007/abstracts/Sheehan.xml

Summary : "A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable
Executable files. Many malicious PEs currently found in the wild are actually quite difficult to analyse, due to
packing and purposely malformed header structures. As a result, many PEs can actually be quite difficult to analyse.
This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting
malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and
demonstrate how tolerant the Windows loader is to fuzzing this data. We will discuss the PE specification and
highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing
reliably with modern malware. We also will cover specific problems and hurdles we faced along the way, and
include a discussion of some interesting tools and techniques we've developed."