Tom Bonner has over 18 years' experience in the cybersecurity/anti-malware industry, focusing on reverse engineering, developing detection technologies, threat intelligence, incident response, and digital forensics.
About the talk
Tom Bonner, Distinguished Threat Researcher, BlackBerry

Reverse engineering of malware is an extremely time- and labor-intensive process which can involve hours of disassembling and sometimes deconstructing a software program. PE Tree lowers the bar for dumping and reconstructing malware from memory and provides an open-source PE viewer code base that the cybersecurity community can leverage in the fight against constantly evolving cyberthreats.
Good day, and welcome to the Malware Reverse Engineering with PE Tree presentation. My name is Tom Bonner, Distinguished Threat Researcher at BlackBerry, and I'd like to show you the PE Tree toolkit we've been developing. The bulk of the presentation will dive into demos; I'm going to do a walkthrough of how it can assist in easing the reverse engineering process for malware. PE Tree is something we released maybe about a year ago now, developed in Python on top of Ero Carrera's pefile library, which you may be using quite a bit, as a plugin for the IDA Pro disassembler. Originally there was no rainbow view, as you can see on the left-hand side; it was just the tree view, to make it easy to navigate portable executables. Then on top of that it blossomed and grew. About a year ago now, during the very first lockdown, my children were drawing rainbows to hang in the window as a show of support for the healthcare workers and key workers in this country, and that's where the rainbow view came from. It's a very nice way of visualising the structure and composition of a PE file; for my money, it's a very nice visual indication of the structure of the file at a high level, so it's interesting just for being able to see the composition.

PE Tree comes in a few flavours. There's a standalone application, much like any regular PE viewer you've probably played with, PEStudio, PEview, things like that, so you can browse the structures and certificates, but also dump to disk or send to CyberChef for further manipulation and processing, which is pretty handy, and just about everything else you could want, such as searching VirusTotal on compilation timestamps; we have it. But mainly it's for navigating the structures of the PE file. With memory dumps, the aim was to be able to find and pull out the executables, reconstruct them, rebuild them and dump them with a new import table, as well as the labelling and comments. So a lot of the structures and details from the PE file end up back in the IDA database, which is pretty handy, and the Ghidra support is pretty soon on its way. So it's a pretty powerful way to operate against memory dumps, and in fact Rekall would allow for live systems as well. Much the same for Volatility: it can scan the entire address space for executables, which the forensic platforms haven't really done until now, so we can fully reconstruct them, dump them back to disk, and it makes the reverse engineering easier. And finally, the latest release is focusing on Ghidra from the NSA. It's not quite as feature complete as the IDA Pro plugin yet; there's no dumping from memory, but it is coming. It's only possible in the latest release of Ghidra, but it has been able to navigate the structures of PE files and do reconstruction. To grab PE Tree and install it, it's up there on GitHub; we'll reveal that at the end, as well as plenty of places in and around. Without further ado, let's jump into the fun stuff.

We're just going to do a quick tour of the PE file. I'm sure a lot of people are quite familiar with it, but for those who aren't, we can do a little tour and have a look around. So here's PE Tree in its standalone form. We've just loaded this view from the PE on the left-hand side, so we can see approximately 50% of the file is the .text section, beyond that the sections containing read-only data and some resources as well, and it's really nice for the summary at the top with the VirusTotal pivots, so we can go to VirusTotal and have a little look around.

On the MZ header: the DOS header is the first part of any portable executable file, at the top. This is where the DOS stub message comes from. This is basically a 16-bit stub, so if you accidentally ran a 32-bit PE file on a 16-bit DOS operating system, this stub would print the message; it's a legacy thing. However, embedded in there as well is a very interesting bit, the Rich header. This has come along since Visual Studio 6, back in the day, and from it you can glean a lot of information about the tools used to build the binary. It's undocumented, and it took a little while to figure out back in the day, but we know enough about it now that we can also see, alongside the other information in the Rich header, things like which linker versions were used. At least we can see we had a Visual Studio 2008 linker version here.

So, yeah, we've got the rest of the MZ header knocked out here. Immediately following on from the DOS stub are the NT headers, containing the signature, PE, surprise surprise. Then from that is the file header, where we find interesting things like the machine type, as well as the timestamp and the characteristics. So we can see things like the compile-time options, the section alignment, bits and pieces. Beyond this, we end up with the data directories. This is a nice way for the PE file to at least point to where the interesting things are, things like what was imported from which DLLs, the pointer in memory and the size, and the resources as well. Then the load config, where we've got things like stack cookies, and the IAT, which is resolved by the loader when it's loaded.

The first section here is the .text section. You might think this contains strings, text of some sort, but it's actually where the code is, as we can see from the characteristics on this one: code, execute and read. We show the size, ratio and entropy of the section as well. Entropy is a measure of, how would you describe it, the average number of bits per byte across the section; the higher it is, the more likely it is that the section is packed, compressed or encrypted. Moving on from that, the next section, .rdata, holds read-only data, as the name would suggest; that's the data section. So in here you'll find any strings or constants, anything you'd #define as constants, and it's going to wind up in .rdata. Then anything that can be written will end up in the .data section. Beyond that, we've got the .rsrc section, the resources; pretty much all resources in the file should reside within it. Moving on, then we have the import descriptors. This is a big long list of all of the DLLs and libraries that are imported, and I'll skip over that. Coming out from the directory entries: the debug information doesn't have to be set; it can be stripped out. One interesting thing to say is that there's a timestamp in there. And again, for the exports as well, there's a timestamp in the export descriptor. Now, not very well known is that when malware authors try to disguise the timestamp, they will replace the timestamp field with one taken from cmd.exe to make it look more legitimate. So just know that there are other places in the PE file that hold a timestamp, the debug directory being one and the export directory being another. And if we search on VirusTotal's paid edition and put a little bit of a time range in there, a few seconds either side, it can quite often be sufficient to find similar or related samples.

Then again, like I said earlier, we've got the handlers listed in here. We can dump it, and we can see quite easily that it's another executable that comes with it as well. Then we've moved on from the relocations to the version information in the resources. And finally the security directory, which is the certificate, which is quite nice. You can dump a little more info out of that, and pretty much anything, be it sections or resources, can be exported to CyberChef, and we can search VirusTotal on the certificate. That's pretty much it, top down, through the PE file. You can see, just based off this certificate search, we were able to find 1.4 million samples, and very clearly that was a Microsoft certificate we were looking at.

Moving on to the next one, a bit more of a real-world use case for PE Tree: we're going to be looking at injected DLLs with IDA Pro. In this example, what we have is an APT32 sample. It's a DLL that's been side-loaded. Now, there seem to be a bunch of different programs with DLL side-loading issues, so I'm not singling anyone out here; in fact, I think back in the day I have been responsible for writing software that was susceptible to DLL side-loading attacks, many, many years ago. So it's a signed McAfee executable on the box, and dropped alongside it is a DLL which it would actually pick up. The DLL loads shellcode; that unpacks some more shellcode into memory, decrypted with a little mechanism, and then finally a DLL would be used to perform the C2 communications, after unpacking the final stage.
There was a point in time where we were encountering quite a few of these side-loaded executables with this multi-layered shellcode, and, you know, following the entire chain of execution, tracing through, was slow and painful. It took time to track and verify everything, to pull the executables out of memory, to reconstruct them, to look at them, to grab the data that we were interested in. It took quite a bit of effort. So what I've done in this particular instance is set it up so it loads the shellcode, then I've attached IDA to it as the debugger, and then taken a memory snapshot and saved one of the segments, the memory regions, back to the IDA database so we can disassemble it. After having a little look around, what we can do is go off and scan the IDA database looking for any DLLs I can find. As you can see, it's found quite a few; you'll probably recognise the names, there are a lot from Windows 64-bit.

Immediately one stands out, and that's this one. Looking into this a little bit more, we can see the structure of it. A lot of the bulk of it just seems to be a resource, and if we click on that resource we can right-click on it and at least browse it in the database, and see the code if we dig down as well. Looking at the export descriptor, it's got a timestamp in there and it gives us the name of the DLL at compile time, and the DLL entry point, so we can quite easily find the entry point in IDA, which wasn't easy to do before. So we can look at this and find the resources. At the end is where I know the final stage payload comes from too, so being able to navigate to that quickly and easily, I can just grab the payload and the decryption key. One other thing: this was one of the points of interest which wasn't so clear and visible during the debugging process. At this point we could just right-click, save as a PE file back to disk, and move on from it.

Next, let's look at unpacking. UPX: it works well with UPX and other similar packers that ultimately reconstruct the original executable in memory. So again, if you started to debug this one, I actually used Bochs, which is sufficient to emulate enough for the UPX unpacking to work. Most of the data has been stuffed into the UPX1 and UPX2 sections, with the resources left. We located the last jump, as we can see, where the stub jumps back to the original entry point, and we set a breakpoint after it's run, then dump it back to the IDA database, which is a segment in memory, and rebuild the imports. So I can go ahead and scrape the segment and rebuild imports in PE Tree. It's now going to try and rebuild the import table, and what this does is basically scan the code section looking for any calls, jumps or references to any of the loaded DLLs; we can resolve the module name and the API name and use that to rebuild the import table. Then I looked again and ran it, and everything's as it should be. That's pretty much the UPX case.

After that, let's look a little bit now at the integration support for Rekall and Volatility. So we load a memory image in Rekall and then, from within it, we can use the run plugin command to run PE Tree, and once that's done it will be able to connect to Rekall to enumerate the loaded modules. We can see right now, from the memory image, the drivers loaded; just pick a few outliers. Then we can scroll over the modules and dump them out to disk. Now, with a rebuild of the exports, we can clearly see such a driver and its composition. However, it may be missing imports, so, much like we did for UPX, we rebuild imports in PE Tree and we should now have a driver with a full import table, and we can do the same thing for ntoskrnl, which should have some resources and bits in it that we can get to quite quickly and easily.

So yeah, that's dumping from memory. It's a much more comprehensive approach than Rekall or Volatility offer right now; we fix up a lot more, for example removing the certificate directory, and I think it's definitely better at resetting the section sizes. What you find is that some sections may be modified: .text gets modified for relocations when it's loaded, .data is written to, things can change. We saw sections like that even from a file that's been mapped into memory. The checksums can be very good for pivoting on VirusTotal, so we'd like to try and locate sections that haven't changed, such as .rsrc, MD5 them and search on that. Finally, the latest feature release is Ghidra support, and here we've left the IDA disassembler behind, but it's very much the same at this point. We can click on anything in the tree and it will take you to that section, so you can see it.
It's pretty powerful to be able to navigate PE resources, and it works quite nicely in your disassembler as well. Any of these we can pull out and save to disk, send to CyberChef, etcetera. As I said a bit earlier, what we're working on for the next release is dumping. The code is in place and it does work, so as soon as the Ghidra debugger is there, live with an address space, then we should be able to do exactly the same dumping and rebuilding of the imports, IAT and INT, that we do with the other executables.

So yeah, that's pretty much it. github.com/blackberry/pe_tree: you can download it and fork it from there, and pretty much anyone can go and grab it now. As for PE viewers, I know there are a lot of good ones out there and I never aimed to replace them; the others I used to love don't sit inside the disassembler, as far as I know. If people are interested and willing and happy, that would be great. So this slide has a summary of everything we've just gone through: PE Tree is open-source reverse engineering tooling with handy plugins for Ghidra, Rekall and Volatility, with minidump support coming fairly soon, so you can explore them and reconstruct them, for everyone to enjoy and contribute to. And that's it. Thank you very much from me, and thanks for joining, and I hope you have a great rest of the conference. Cheers.
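As an added example (not code from the talk or from the PE Tree project), the following pure-Python walker follows the same top-down path the talk takes, DOS header to NT headers to section table, and reports the file-header timestamp plus each section's characteristics and entropy, the values the tree and rainbow views summarise. The PE bytes it parses are constructed inline (no optional header, not loadable) so it runs offline; PE Tree itself uses pefile for this.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    # Average bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table and summarise what PE Tree's views show."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]       # offset of the NT headers
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Chars
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size                 # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_table + 40 * i)        # IMAGE_SECTION_HEADER is 40 bytes
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "raw_size": raw_size,
                         "executable": bool(chars & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": stamp,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE for offline use (no optional header, not loadable); not a real binary."""
    text = bytes(range(256))                    # every byte value once: entropy 8.0, packed-looking
    rdata = b"A" * 128 + b"B" * 128             # two symbols only: entropy 1.0, plain data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C points to 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F5E1000, 0, 0, 0, 0x0022)  # constructed stamp
    def sec(name, va, ptr, data, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
    headers = (dos + b"PE\0\0" + file_hdr
               + sec(b".text", 0x1000, 0x100, text, 0x60000020)     # code | execute | read
               + sec(b".rdata", 0x2000, 0x200, rdata, 0x40000040))  # initialized data | read
    return headers.ljust(0x100, b"\0") + text + rdata

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:x} compiled={info['compiled']}")
    for s in info["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:x} exec={s['executable']} entropy={s['entropy']}")
```

On a real sample, the file-header timestamp reported here is the one the talk says malware authors overwrite, so compare it against the debug and export directory timestamps before pivoting on it.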