SANS ISC: SANS.edu Internet Storm Center

Huge Signed PE File

Published: 2022-05-26
Last Updated: 2022-05-26 08:32:23 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Xavier's diary entry "A 'Zip Bomb' to Bypass Security Controls & Sandboxes" reminded me of something. I've seen huge PE files like Xavier saw, but I've also seen a couple of huge PE files that are signed. I will explain here how you can reduce their size.

The PE file that Xavier talked about can be represented as follows (picture not to scale):

To recover the original PE file and make it much smaller and suitable for analysis, one removes the NULL block, as Xavier explained.

I've seen PE files like this. What I've also seen a couple of times is a huge PE file like this (again, picture not to scale):

So right after the huge block of NULLs comes a digital signature (Authenticode). It's a very small block, but not NULL. The examples I've seen were fake signatures, but this can be done with valid signatures too.

To recover the original PE file, one needs to remove the NULL block and the signature, and also update the reference to the signature inside the PE file (the data directory entry holding the offset and size of the signature).

This can be done as follows.

As I'm not at liberty to share the samples I have, I took Xavier's sample and added a fake signature with my disitool.py.

Taking a look at that PE file with pecheck.py, you get a warning from the pefile module that the PE file contains a huge amount of NULL bytes.

The file is huge: 400 MB. But when you look at the sections, they are in total less than 2 MB:

The file contains a digital signature:

It is fake:

We remove the digital signature with my disitool.py like this:

We verify that the signature is removed:

And then we run pecheck.py again:

We have a huge overlay of 398 MB that consists of NULL bytes only (MAGIC 00000000, entropy 0.0, only 1 unique byte).

We can strip that overlay with pecheck.py using option -o s (s = stripped PE file) and writing the result to disk with option -D and file redirection:


The result is a PE file less than 2 MB:
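To show what the two steps above (removing the signature and fixing up its directory entry, then dropping the NULL-only overlay) actually do to the bytes, here is an added example in plain Python. It is not disitool.py or pecheck.py, and it does not use the pefile module: it parses just enough of the PE headers itself, so it runs offline. The sample PE it builds (build_sample) is constructed for the demonstration, with a single section, a NULL block and a fake WIN_CERTIFICATE blob; it is not a real binary. The function strip_signature_and_overlay only removes a signature that sits at the very end of the file and only strips an overlay made entirely of NULL bytes, so a non-NULL overlay is left alone rather than silently discarded.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode entry in the data directory


def _headers(data: bytes):
    """Return (pe_off, num_sections, opt_off, opt_size, is_pe32plus) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return pe_off, num_sections, opt_off, opt_size, magic == 0x20B


def security_directory(data: bytes):
    """Return (field_offset, cert_offset, cert_size) of the security data directory entry.

    This entry holds a raw file offset rather than an RVA, because the
    certificate table is never mapped into memory.
    """
    _, _, opt_off, _, pe32plus = _headers(data)
    dd_off = opt_off + (112 if pe32plus else 96)     # start of the data directory
    nrva_off = opt_off + (108 if pe32plus else 92)   # NumberOfRvaAndSizes
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    field = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, field)
    return field, off, size


def end_of_sections(data: bytes) -> int:
    """File offset just past the headers and the raw data of every section."""
    _, n, opt_off, opt_size, _ = _headers(data)
    sec = opt_off + opt_size                 # first section header
    end = sec + 40 * n
    for i in range(n):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def strip_signature_and_overlay(data: bytes) -> bytes:
    """Drop a trailing Authenticode block, clear its directory entry, then drop a NULL-only overlay."""
    buf = bytearray(data)
    entry = security_directory(buf)
    if entry is not None:
        field, off, size = entry
        if size and off + size == len(buf):            # only cut a signature that is the file's tail
            del buf[off:off + size]
            struct.pack_into("<II", buf, field, 0, 0)  # tools must not chase a stale offset
    end = end_of_sections(buf)
    overlay = bytes(buf[end:])
    if overlay and overlay.count(0) == len(overlay):   # refuse to strip anything but NULLs
        del buf[end:]
    return bytes(buf)


def build_sample(null_len: int = 4096, pe32plus: bool = True) -> bytes:
    """Constructed sample, not a real binary: one section, NULL block, fake WIN_CERTIFICATE."""
    opt_size = (112 if pe32plus else 96) + 16 * 8
    raw_ptr = 0x200
    section = b"section payload".ljust(0x200, b"\xcc")
    blob = b"FAKE-AUTHENTICODE-BLOB"                   # constructed placeholder, not PKCS#7
    body = blob + b"\0" * (-(8 + len(blob)) % 8)       # pad WIN_CERTIFICATE to 8-byte alignment
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    cert_off = raw_ptr + len(section) + null_len
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, (112 if pe32plus else 96) + 32, cert_off, len(cert))
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section),
                                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + coff + bytes(opt) + sec)
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + section + b"\0" * null_len + cert)


if __name__ == "__main__":
    sample = build_sample()
    print("sample:", len(sample), "bytes; stripped:", len(strip_signature_and_overlay(sample)), "bytes")
```

The order matters: the signature is cut first, because once it is gone the NULL block is the true tail of the file and the overlay check can see it; doing it the other way round would leave a non-NULL tail and the overlay would never be stripped. Clearing the directory entry after the cut keeps pecheck-style tooling from reporting a signature at an offset that now points past the end of the file.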


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: huge pefile signature