Hackers of India

COMMSEC: PErfidious: Make PE Backdooring Great Again!

By  Shreyans Doshi  on 30 Aug 2019 @ Hitb Sec Conf


Presentation Material

Abstract

PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.

Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.

AI Generated Summarymay contain errors

Here is a summarized version of the conversation:

The topic of discussion revolves around executable files, specifically PE (Portable Executable) files, which are used in Windows operating systems. The conversation starts with a question about how an app compatibility shim modifies the header of an executable file to make it backward compatible with older Windows versions.

The speaker explains that when an app is made to run on an older version of Windows, the shim makes registry entries and modifies the header of the PE file structure. However, the Windows loader ignores newer fields in the PE file structure and only uses the fields relevant to the specific version of Windows it’s running on.

Another question is asked about rebuilding and recalculating addresses of calls when injecting code into a PE file with a relocation section. The speaker responds that they are working on parsing data directories and expects to be able to calculate relocations as well, aiming for compatibility with both 32-bit and 64-bit Windows.

The conversation then shifts to the topic of behavioral-based detection systems, such as Windows Defender, which can detect malicious behavior in shell code. The speaker notes that their approach may not work in environments with these types of detection systems.

Finally, a question is asked about whether there’s a good reason to fall back on PE executable-based injection payloads again, given the increasing use of PowerShell-based attacks. The speaker suggests that PowerShell-based malware can be easily detected by endpoint detection systems, making PE executable-based injection payloads a potentially more viable option in certain scenarios.

Throughout the conversation, the speaker references their work on building a Python library that emulates the Windows loader’s functionality for parsing and implementing PE file structures.