Professional PE Explorer compatibility

PE analysis tools are common everywhere, but one of the important features of a malware analysis tool is the ability to run in different environments and operating systems. Nowadays, because of the complexity and cross-platform nature of malware, and because of the variety of tools used in malware analysis labs, researchers prefer to have labs on different operating systems. For example, some investigators may prefer to use GNU/Linux, macOS or older versions of Microsoft Windows in some circumstances. It sometimes depends on the malware being analyzed and sometimes on the tools, services and …

I’m glad to tell you that PPEE (puppy) is compatible with most operating systems used in the malware analysis process. On Windows, users can successfully launch it on Windows XP, Seven and 10.

Screenshots: PE analysis using PPEE in Windows 10 and Windows XP

The only dependency in Microsoft environments is the Visual C++ 2010 Redistributable Package (https://www.microsoft.com/en-us/download/confirmation.aspx?id=5555), which is also required by many other tools, so in most cases it is already installed.

Thanks to the Wine project, PPEE can also be launched in GNU/Linux and macOS environments. If Wine is not installed on your machine yet, you can download and install it from here (https://www.winehq.org/download).

Now everything is ready. Just drop the binary onto PPEE or choose Open from the File menu.

Screenshots: PE analysis using PPEE in macOS Sierra and Xubuntu

I’ll try to keep this compatibility 😉

I always welcome ideas and suggestions. Feel free to drop me an email.

Puppy is free and tries to be small, fast, nimble and friendly, like your puppy!

Professional PE Explorer – PPEE

The Portable Executable file structure is still evolving and being extended, especially for PE64 images. On the other side, malware creators and developers are constantly changing their techniques and writing malicious code to evade AVs and other security tools. It’s an ongoing challenge…

To deal with this, I’ve added some new features and changed some existing ones to make PPEE compatible and easier to use.

Screenshot: Professional PE Explorer
Some of the most important changes are as follows:
• A toolbar and a status bar have been added. The toolbar includes some of the frequently used menu items. The status bar does nothing at the moment; it will be used in the next versions.

• Check update has been added to check whether a new version of PPEE has been released. The check could also be done at startup, but I think it would be a little annoying to show a dialog every time the program runs. Maybe in a future version an option to enable/disable the update dialog at startup will be added.

• Looking for a string, for example a URL, in a file is a tedious task. I’ve added four child nodes to the tree to separate ASCII, UNICODE, URL and Registry strings. If you need something else, please let me know.

• As said before, anomaly detection has been added. Two colors are used for it: orange for Warning and red for Error. Most of the anomalies and thresholds are taken from documents and specifications. The anomaly rules, for example the list of strange section names, are embedded in PPEE. This is not suitable for long rules, so maybe in the next versions a blacklist file beside the main executable will store strange or blacklisted items.

• A right-click context menu has been added with Copy, Search, Whois and Dump. Copy copies the selected field and Copy Row copies the entire selected rows. In the Search menu you can search the selected field in Google and MSDN. Whois is only shown for strings; it’s really useful for URLs. If you know any other site that could be added to this list, please let me know. Dump is only shown for “Section Headers”, resources, the COM (.Net) directory and MetaData; clicking on Dump shows a Save As dialog. At the moment “Follow in Hex editor” is not functioning.

• The load config structure has been changed again! It now looks like this (DWORD, WORD, ULONGLONG and IMAGE_LOAD_CONFIG_CODE_INTEGRITY are the types from windows.h; the Size field tells the loader, and any parser, how many of the fields below are actually present):

#include <windows.h>

typedef struct _NEW_IMAGE_LOAD_CONFIG_DIRECTORY32 {
    DWORD Size;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD GlobalFlagsClear;
    DWORD GlobalFlagsSet;
    DWORD CriticalSectionDefaultTimeout;
    DWORD DeCommitFreeBlockThreshold;
    DWORD DeCommitTotalFreeThreshold;
    DWORD LockPrefixTable; // VA
    DWORD MaximumAllocationSize;
    DWORD VirtualMemoryThreshold;
    DWORD ProcessHeapFlags;
    DWORD ProcessAffinityMask;
    WORD CSDVersion;
    WORD Reserved1;
    DWORD EditList; // VA
    DWORD SecurityCookie; // VA
    DWORD SEHandlerTable; // VA
    DWORD SEHandlerCount;
    DWORD GuardCFCheckFunctionPointer; // VA
    DWORD GuardCFDispatchFunctionPointer; // VA
    DWORD GuardCFFunctionTable; // VA
    DWORD GuardCFFunctionCount;
    DWORD GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    DWORD GuardAddressTakenIatEntryTable; // VA
    DWORD GuardAddressTakenIatEntryCount;
    DWORD GuardLongJumpTargetTable; // VA
    DWORD GuardLongJumpTargetCount;

    DWORD DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY32, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY32;

typedef struct _NEW_IMAGE_LOAD_CONFIG_DIRECTORY64 {
    DWORD Size;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD GlobalFlagsClear;
    DWORD GlobalFlagsSet;
    DWORD CriticalSectionDefaultTimeout;
    ULONGLONG DeCommitFreeBlockThreshold;
    ULONGLONG DeCommitTotalFreeThreshold;
    ULONGLONG LockPrefixTable; // VA
    ULONGLONG MaximumAllocationSize;
    ULONGLONG VirtualMemoryThreshold;
    ULONGLONG ProcessAffinityMask; // note: precedes ProcessHeapFlags in the 64-bit layout
    DWORD ProcessHeapFlags;
    WORD CSDVersion;
    WORD Reserved1;
    ULONGLONG EditList; // VA
    ULONGLONG SecurityCookie; // VA
    ULONGLONG SEHandlerTable; // VA
    ULONGLONG SEHandlerCount;
    ULONGLONG GuardCFCheckFunctionPointer; // VA
    ULONGLONG GuardCFDispatchFunctionPointer; // VA
    ULONGLONG GuardCFFunctionTable; // VA
    ULONGLONG GuardCFFunctionCount;
    DWORD GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    ULONGLONG GuardAddressTakenIatEntryTable; // VA
    ULONGLONG GuardAddressTakenIatEntryCount;
    ULONGLONG GuardLongJumpTargetTable; // VA
    ULONGLONG GuardLongJumpTargetCount;

    ULONGLONG DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY64, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY64;

Professional PE Explorer supports the latest load config structure.
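As an added example (my own Python, not PPEE’s code), here is a parser for the 32-bit structure above that honours the Size field, which is what lets a tool survive images built against older or newer SDKs than the one its struct definition came from: fields beyond the declared Size are reported as absent instead of being read from whatever bytes happen to follow. The sample directories are constructed inside the block; the two GuardFlags constants are the winnt.h values.

```python
import struct

# Field order and widths of IMAGE_LOAD_CONFIG_DIRECTORY32 as listed above.
# I = DWORD, H = WORD, 12s = IMAGE_LOAD_CONFIG_CODE_INTEGRITY (WORD, WORD, DWORD, DWORD).
LOAD_CONFIG32 = [
    ("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"), ("MinorVersion", "H"),
    ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"), ("CriticalSectionDefaultTimeout", "I"),
    ("DeCommitFreeBlockThreshold", "I"), ("DeCommitTotalFreeThreshold", "I"),
    ("LockPrefixTable", "I"), ("MaximumAllocationSize", "I"), ("VirtualMemoryThreshold", "I"),
    ("ProcessHeapFlags", "I"), ("ProcessAffinityMask", "I"), ("CSDVersion", "H"),
    ("Reserved1", "H"), ("EditList", "I"), ("SecurityCookie", "I"), ("SEHandlerTable", "I"),
    ("SEHandlerCount", "I"), ("GuardCFCheckFunctionPointer", "I"),
    ("GuardCFDispatchFunctionPointer", "I"), ("GuardCFFunctionTable", "I"),
    ("GuardCFFunctionCount", "I"), ("GuardFlags", "I"), ("CodeIntegrity", "12s"),
    ("GuardAddressTakenIatEntryTable", "I"), ("GuardAddressTakenIatEntryCount", "I"),
    ("GuardLongJumpTargetTable", "I"), ("GuardLongJumpTargetCount", "I"),
    ("DynamicValueRelocTable", "I"),
]
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100            # winnt.h GuardFlags bits
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400

def parse_load_config32(blob: bytes) -> dict:
    """Read only the bytes covered by the directory's own Size (and never past the image).
    Fields beyond that limit come back as None instead of stale bytes after the struct."""
    if len(blob) < 4:
        raise ValueError("load config blob too short to hold Size")
    limit = min(struct.unpack_from("<I", blob, 0)[0], len(blob))
    fields, offset = {}, 0
    for name, code in LOAD_CONFIG32:
        width = struct.calcsize("<" + code)
        fields[name] = struct.unpack_from("<" + code, blob, offset)[0] if offset + width <= limit else None
        offset += width
    return fields

def has_cfg_function_table(fields: dict) -> bool:
    """True when GuardFlags exists in this version of the struct and announces a CFG table."""
    flags = fields["GuardFlags"]
    return flags is not None and bool(flags & IMAGE_GUARD_CF_INSTRUMENTED) \
        and bool(flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) and bool(fields["GuardCFFunctionCount"])

def build_sample(size: int, guard_flags: int = 0, guard_count: int = 0) -> bytes:
    """Constructed test input (not from a real binary): a directory of the declared Size
    plus 8 filler bytes standing in for unrelated data that follows it in the image."""
    full = bytearray(0x7C)                           # largest layout in the table above
    struct.pack_into("<I", full, 0, size)
    struct.pack_into("<I", full, 60, 0x0040A004)     # SecurityCookie VA
    struct.pack_into("<I", full, 84, guard_count)    # GuardCFFunctionCount
    struct.pack_into("<I", full, 88, guard_flags)    # GuardFlags
    return bytes(full[:size]) + b"\xAA" * 8
```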

• Editing every structure that is shown was one of the features I wanted PPEE to support. Now just double-click a field you want to edit, write the new value and press Enter or click somewhere else. When you press Enter, the next row is selected; press Enter again to edit that field. If the value didn’t change, it means the field is not editable. Press Esc to cancel editing.
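The anomaly detection described earlier, as an added illustration (not PPEE’s own code or rules): a small Python pass over IMAGE_SECTION_HEADER records that uses the same two-level warning/error scheme. The known-name list, the rules and the sample section table are this example’s assumptions.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # winnt.h section characteristics
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names the common Microsoft/GCC toolchains emit.  Anything else is merely unusual, so it
# rates a warning (orange) rather than an error (red).  The list is an assumption here.
KNOWN_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".pdata",
               ".bss", ".tls", ".CRT", ".debug", ".xdata", ".gfids", ".didat"}
SECTION_HEADER = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes, little-endian

def parse_section_headers(table: bytes, count: int) -> list:
    """Split the section table into dicts holding the fields the anomaly rules need."""
    headers = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, table, i * 40)
        headers.append({"Name": name.rstrip(b"\0"), "VirtualSize": vsize, "VirtualAddress": va,
                        "SizeOfRawData": rawsize, "PointerToRawData": rawptr, "Characteristics": chars})
    return headers

def section_anomalies(headers: list, file_size: int) -> list:
    """Return (severity, name, message) tuples.  Rules and severities are this example's own."""
    findings = []
    for h in headers:
        name, flags = h["Name"], h["Characteristics"]
        if not name or any(c < 0x20 or c > 0x7E for c in name):
            findings.append(("error", name, "empty or non-printable section name"))
        elif name.decode("ascii") not in KNOWN_NAMES:
            findings.append(("warning", name, "uncommon section name"))
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(("warning", name, "section is both writable and executable"))
        if h["PointerToRawData"] + h["SizeOfRawData"] > file_size:
            findings.append(("error", name, "raw data extends past the end of the file"))
    return findings

def make_header(name: bytes, vsize: int, va: int, rawsize: int, rawptr: int, chars: int) -> bytes:
    """Pack one constructed IMAGE_SECTION_HEADER (relocation/line-number fields left zero)."""
    return struct.pack(SECTION_HEADER, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

# Constructed sample table (not from a real file): an ordinary .text, a packer-style RWX
# section with an uncommon name, and a section whose raw data overruns a 0x3000-byte file.
SAMPLE_TABLE = (make_header(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)
                + make_header(b"UPX0", 0x5000, 0x2000, 0, 0x1400, 0xE0000080)
                + make_header(b"\x01\x02\x03", 0x100, 0x7000, 0x2000, 0x1400, 0x40000040))
```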

For the plugin, I decided to add the VirusTotal query result and some descriptive information about the file, which would be useful for novices. If you know any other online scanning engine that is up to date and reliable, please let me know.

Finally, any idea is welcome 😉

PE64 and PPEE puppy 1.05

The PE64 file structure is changing in many ways. I’ve made some changes to the GUI and improved the parsing and understanding of PE files, both PE64 images and .Net assemblies.

I’ll release the new version of Professional PE Explorer (PPEE) puppy (1.05) in the next few days.

What’s new in version 1.05:

  • Listview rows are neater than before.

Screenshot: neater listview

  • Some entries that have a zero value are grayed out, for example in Data Directories:

Screenshot: grayed-out zero entries in Data Directories (PE64)

Anomaly detection is one of the features I’d like to add to PPEE (puppy). I’ll use color highlighting as the anomaly sign for this purpose.

  • Each treeview node has an icon. I hope the icons are self-explanatory.

Screenshot: treeview icons

In addition to those mentioned above, there are some other minor changes in the GUI.

In PE parsing, there are some improvements:

  • PEs with the “IMAGE_DLLCHARACTERISTICS_GUARD_CF” flag set store their CFG table in the DIRECTORY_ENTRY_LOAD_CONFIG directory. Now puppy can show it; just scroll the second listview to the row labeled “Guarded Function:”.

Screenshot: load config directory (PE64)

  • VtableFixup in .Net assemblies is now supported.

Screenshot: VtableFixup

  • Also, puppy can now properly handle confused .Net assemblies that have one mischievous dword!

These are the main items added or updated since the previous version. The companion plugin, the built-in hex editor and the save function remain untouched.

Malware creators and some packer/protector developers are always trying to find new techniques and methods to make it harder for security researchers to analyze and dissect PE files. Using obfuscation tools and creating specially crafted files that break the documented rules but are still accepted and launched by the loader is an ongoing challenge.

Crafted and malformed files are always welcome.

Puppy is free and tries to be small, fast, nimble and friendly, like your puppy!

Have fun 😉

Does PPEE puppy 1.04 have a Trojan inside?

Two days ago I noticed that a zip file named PPEE puppy had been submitted to VirusTotal and was identified as a variant of a Trojan by five AVs. The file name was in the form of files downloaded from the woodmann.org tool library.

Screenshot 1

Based on the VirusTotal report, it was the main exe (PPEE.exe) that was infected.

Screenshot 2

So I compared the SHA256 hashes of the zip file submitted to VirusTotal and the zip file I had uploaded to the woodmann library. Amazingly, they had the same hash! It really scared me!

I guessed that my computer had probably been infected by a trojan before I compiled the code. So I installed Avira Free AV on a fresh system and compiled the code from scratch. But while building the project, Avira prevented the creation of PPEE.exe in release mode. I concluded that it’s a false positive. After reviewing the code several times I found the line that caused those AVs to mark PPEE.exe as a trojan:

#pragma comment(linker, "/merge:.rdata=.text")

Yes, merging sections and silly AVs! Such AVs could misdirect people who trust them.

Obviously, to keep the binary files as small as possible, I’ve packed them using UPX, which is very prevalent among developers, but it seems that some AVs have never heard of it! That’s why TheHacker falsely marks PPEE.exe as Posible_Worm32.

After all this, I repackaged PPEE (puppy) 1.04.zip with a new build of PPEE.exe, which is now downloadable from mzrst.com. Feel free to use it and report bugs 😉