PPEE (puppy) new features, 1.09-1.12

Since my last blog post, PPEE (puppy) has changed a lot and lots of new features have been added. In this post I’ll review some of the prominent features.

  • Rich Header supported (Experimental):

Rich Header is not documented by Microsoft and, as stated by Kaspersky and McAfee, the contents of the Rich Header can be used to identify similar malware, different versions of the same malware, and malware built under different environments. A lot of work has been done to understand the structure and specification of the Rich Header. The article written by Daniel Pistelli is one of the excellent attempts to unveil this structure in detail. I also came across the great article on Bytepointer and the research done by Webster G.D. et al., which explain the structure comprehensively.

Rich Header contains an array of blocks which represent information about the tools that were used to build the final executable. Interpreting these blocks is still experimental; dishather has done such work.

PPEE (puppy) version 1.12 can parse Rich Headers. The MD5 of this header is also calculated to make it easier to find identical Rich headers. Checksum validation will be added soon.
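As an added illustration (this is not PPEE's own code), the following Python parses a Rich header the way the articles above describe it: it walks back from the "Rich" marker, XOR-decodes the blocks, checks the stored key against the recomputed checksum (the validation PPEE plans to add) and takes an MD5 over the decoded bytes. Which bytes PPEE feeds to its MD5 is not stated on this page, so hashing the decoded DanS..Rich region is this example's own choice; the sample image and the product ids and build numbers in it are constructed test data, not real compiler identifiers.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian DWORD
RICH = b"Rich"


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count is taken mod 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(image, rich_offset, entries):
    """Recompute the Rich header checksum, which doubles as its XOR key.

    The published algorithm (Pistelli / Bytepointer) sums:
      - the file offset of the header itself,
      - every DOS header/stub byte before it, rotated left by its position,
        skipping the four e_lfanew bytes at 0x3C..0x3F,
      - every (comp_id, count) block, with comp_id rotated left by count.
    """
    csum = rich_offset
    for i in range(rich_offset):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(image[i], i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        comp_id = ((prod_id << 16) | build) & 0xFFFFFFFF
        csum = (csum + rol32(comp_id, count)) & 0xFFFFFFFF
    return csum


def parse_rich_header(image):
    """Locate, decode and validate the Rich header of a PE image.

    Returns None when no header is present; otherwise a dict with the header
    offset, XOR key, decoded (prod_id, build, count) entries, whether the
    stored key equals the recomputed checksum, and an MD5 of the decoded
    header bytes (hashing the decoded bytes is this example's convention).
    """
    if len(image) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    region = image[:e_lfanew]          # the Rich header lives before the PE signature
    rich_pos = region.rfind(RICH)
    if rich_pos < 0 or rich_pos + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, rich_pos + 4)[0]

    # Walk backwards from "Rich", XOR-decoding DWORDs until "DanS" appears.
    decoded = []
    pos = rich_pos - 4
    while pos >= 0:
        value = struct.unpack_from("<I", region, pos)[0] ^ key
        if value == DANS:
            break
        decoded.append(value)
        pos -= 4
    else:
        return None  # ran off the start of the file without finding DanS
    decoded.reverse()

    # "DanS" is followed by three padding DWORDs that decode to zero,
    # then (comp_id, count) pairs.
    if len(decoded) < 3 or decoded[:3] != [0, 0, 0] or len(decoded[3:]) % 2:
        return None
    entries = [(comp_id >> 16, comp_id & 0xFFFF, count)
               for comp_id, count in zip(decoded[3::2], decoded[4::2])]

    clear = struct.pack("<I", DANS) + b"\0" * 12
    for prod_id, build, count in entries:
        clear += struct.pack("<II", (prod_id << 16) | build, count)
    clear += RICH
    return {
        "offset": pos,
        "key": key,
        "entries": entries,
        "checksum_valid": rich_checksum(image, pos, entries) == key,
        "md5": hashlib.md5(clear).hexdigest(),
    }


def build_sample_image(entries, rich_offset=0x80):
    """Construct a minimal MZ stub carrying a valid Rich header (test data only)."""
    image = bytearray(rich_offset)
    image[0:2] = b"MZ"
    key = rich_checksum(image, rich_offset, entries)   # e_lfanew bytes are skipped, so set later
    header = struct.pack("<I", DANS ^ key) + struct.pack("<I", key) * 3
    for prod_id, build, count in entries:
        header += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    header += RICH + struct.pack("<I", key)
    image += header
    while len(image) % 8:
        image.append(0)
    struct.pack_into("<I", image, 0x3C, len(image))    # e_lfanew points at the PE signature
    image += b"PE\0\0"
    return bytes(image)
```

A checksum mismatch is worth surfacing rather than silently parsing: the key is derived from the DOS stub and the blocks, so any edit to either (including a copied-in Rich header from another binary) breaks it.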

  • Resolve ordinal to name in imported APIs

Modules can import functions by ordinal rather than by name. In such cases there is no name for the imported function. Malware authors can use this method to leave fewer clues for static analysis. PPEE (puppy) 1.12 can resolve ordinal numbers to their equivalent names. These names are shown in the Ordinal column, in parentheses.

Resolve ordinal to name

  • File description of imported modules is shown

To make it easier to inspect imported modules (Imported, Delayloaded and Bound), a new column named Description has been added which shows the file description of the imported module. This description is read from the imported module itself and can be faked by malware authors.

Imported module file description

  • PE type icon added in statusbar

There are many times when the investigator wants to know the PE type without further analysis. Now it's possible to find that out at a glance: using three different icons in the statusbar, PPEE (puppy) shows you the type of PE you are dealing with.

  • Authentihash (PE256), ImpHash and SHA256 added in FileInfo plugin

Three new hash values have been added to PPEE (puppy). Authentihash was introduced by Microsoft and its documentation is available here. Authentihash can be used to verify that the relevant sections of a PE image file have not been altered. The FileInfo plugin shows Authentihash as Authentihash (PE256).

Import Hash - Authentihash (PE256) - SHA256

ImpHash, which stands for Import Hash, is derived from the PE imports. ImpHash is useful for identifying malware of the same family or related malware samples. Calculating ImpHash is a little tricky, and using PPEE (puppy) you can get the ImpHash of PE files easily.
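Added example, not PPEE's code, tying the ordinal resolution above to the ImpHash: the algorithm follows the Mandiant/pefile convention (module name lowercased with .dll/.ocx/.sys stripped, function names lowercased, an ordinal replaced by its known name or written as ordN, entries joined with commas and MD5-hashed). The ordinal table is a four-entry subset of the well-known ws2_32.dll exports, and the import list is constructed.

```python
import hashlib

# Ordinal-to-name table for ws2_32.dll, the module most often imported by
# ordinal. Four well-known entries only; a real tool ships the full table
# (pefile keeps one for ws2_32 and oleaut32).
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 23: "socket", 52: "gethostbyname", 115: "WSAStartup"},
}

# Constructed import table: (module, [function name or ordinal, ...]).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile"]),
    ("WS2_32.dll", [23, 52, 115, 9999]),
    ("USER32.DLL", ["MessageBoxA"]),
]


def normalize_module(name):
    """Lowercase the module and drop the extensions ImpHash ignores."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def resolve_import(module, imp):
    """Turn an ordinal into a name where the table knows it, else 'ordN'."""
    if isinstance(imp, int):
        name = ORDINAL_NAMES.get(module, {}).get(imp)
        return name if name is not None else "ord%d" % imp
    return imp


def imphash_string(imports):
    """The comma-joined 'module.function' list that gets hashed."""
    parts = []
    for module, funcs in imports:
        mod = normalize_module(module)
        for imp in funcs:
            parts.append("%s.%s" % (mod, resolve_import(mod, imp).lower()))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()
```

Because resolution happens before hashing, a sample that imports `socket` by name and one that imports ws2_32 ordinal 23 produce the same ImpHash, which is what makes the hash useful for family clustering; an ordinal the table does not know falls back to `ordN` and breaks that equivalence, so the table's coverage directly limits the hash's usefulness.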

  • Set string length in ini file

Since PPEE (puppy) 1.11, a configuration file has been added to store settings like window position, recent files, maximum length of strings, color of the listview and so on. Some of these options are already implemented and the others will be implemented in the coming releases. Below is the content of a sample config file:

[NewVersionDlg]
ShowDialog=1
[MainWindow]
Botton=703
Right=1281
Top=58
Left=173
[Splitter]
Vertical=239
Horizontal=229
[StringLength]
MinLength=4

It's possible to limit the length of the strings shown in the ASCII/UNICODE items to a specific value. For example, to set it to 4 characters, add the following option to the .ini file:

[StringLength]
MinLength=4

At start-up, PPEE (puppy) checks for a new version and prompts you if one has been released. You can also disable this check via the .ini file by adding the following option:

[NewVersionDlg]
ShowDialog=0

Checking the related checkbox in the new version dialog has the same effect.

  • Yara rules supported (New plugin)

Yara is a powerful pattern matching tool that helps malware researchers and threat hunters find files that match their rules or signatures. Yara is increasingly used in digital forensics, incident response and reverse engineering. You can write your own rules or use the rulesets in the Yara rules repository. A new plugin named YaraPlugin has been written for PPEE (puppy), which enables you to check the opened file against a given rule.

YaraRules support

  • Resource type detection added

The resource section is one of the favorite places for malware authors to hide their components. PPEE (puppy) can detect some of the common resource types used by malware. This feature is currently limited; the number of detected resource types will be increased in future releases.

Embedded resource type detection

  • Filter/Search box added

Now it is possible to filter the items in the listview by the text you want, for example to show only sections with 0x42000040 characteristics or only items that contain “.exe”.

Filter or Search box

At the moment, filtering is limited to the first listview.

One feature of PPEE (puppy) I'd like to emphasize is the edit capability. You can easily edit almost every data structure of a PE file: simply double-click on the item and enter the new value.

Edit PE structure

I have always preferred to release a new version of PPEE (puppy) only when a remarkable feature is added, but given the ever-evolving malware landscape it's better to reduce the time between releases. This will be considered for the next releases.

Any feature request or bug report is warmly appreciated 😉

Professional PE Explorer compatibility

PE analysis tools are common everywhere, but one of the important features of such malware analysis tools is the ability to run in different environments and operating systems. Nowadays, due to the complexity and cross-platform nature of malware, in addition to the variety of tools used in malware analysis labs, researchers prefer to have labs on different operating systems. For example, some investigators may prefer to use GNU/Linux, macOS or older versions of Microsoft Windows under some circumstances. It sometimes depends on the malware being analyzed and sometimes on the tools, services and ….

I'm glad to tell you that PPEE (puppy) is compatible with most operating systems used in the malware analysis process. On Windows, users can successfully launch it on Windows XP, 7 and 10.

PE analysis using PPEE in Windows 10
PE analysis using PPEE in Windows XP

The only dependency on Microsoft environments is the Visual C++ 2010 Redistributable Package (https://www.microsoft.com/en-us/download/confirmation.aspx?id=5555), which is also required by lots of other tools, so in most cases it's pre-installed.

Thanks to the Wine project, PPEE can also be launched in GNU/Linux and macOS environments. If Wine is not installed on your machine yet, you can download and install it from here (https://www.winehq.org/download).

Now everything is ready. Just drop the binary onto PPEE or choose Open from the File menu.

PE analysis using PPEE in macOS Sierra
PE analysis using PPEE in Xubuntu

I’ll try to keep the compatibility 😉

I always welcome the ideas and suggestions. Feel free to drop me an email.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

Professional PE Explorer – PPEE

The Portable Executable file format is still evolving, especially for PE64 images. On the other side, malware creators and developers are constantly changing their techniques and writing malicious code to evade AVs and other security tools. It's an ongoing challenge…

To deal with it, I've added some new features and changed some of the existing ones to make PPEE compatible and easier to use.

Some of the most important changes are as follows:
• Toolbar and Statusbar have been added. The toolbar includes some of the frequently used menu items. The statusbar does nothing at the moment; it will be used in the next versions.

• Check update has been added to check whether a new version of PPEE has been released. The check could also be done at startup, but I think it would be a little annoying to show a dialog every time the program runs. Maybe in the next versions an option to enable/disable the update dialog at startup will be added.

• Looking for a string, for example a URL, in the file is a tedious task. I've added four child nodes to the tree to separate ASCII, UNICODE, URL and Registry strings. If you need something else, please let me know.

• As said before, anomaly detection has been added. There are two colors for this: orange for Warning and red for Error. Most of the anomalies and thresholds are taken from documents and specifications. Anomaly rules, for example strange section names, are embedded in PPEE. This is not suitable for long rules; maybe the next versions will add a blacklist file beside the main executable to store strange or blacklisted items.

• A right-click context menu has been added with Copy, Search, Whois and Dump. Copy Item copies the selected field and Copy Row copies the entire selected rows. In the Search menu you can search for the selected field on Google and MSDN. Whois is only shown for strings; it's really useful for URLs. If you know any other site that can be added to this list, please let me know. A Dump menu item has also been added. It's only shown for “Section Headers”, resources, the COM (.Net) directory and MetaData. Clicking Dump shows a Save As dialog. At the moment “Follow in Hex editor” is not functioning.

• The load config structure has changed again! It now looks like this:
typedef struct __NEW_IMAGE_LOAD_CONFIG_DIRECTORY32 {
DWORD Size;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD GlobalFlagsClear;
DWORD GlobalFlagsSet;
DWORD CriticalSectionDefaultTimeout;
DWORD DeCommitFreeBlockThreshold;
DWORD DeCommitTotalFreeThreshold;
DWORD LockPrefixTable; // VA
DWORD MaximumAllocationSize;
DWORD VirtualMemoryThreshold;
DWORD ProcessHeapFlags;
DWORD ProcessAffinityMask;
WORD CSDVersion;
WORD Reserved1;
DWORD EditList; // VA
DWORD SecurityCookie; // VA
DWORD SEHandlerTable; // VA
DWORD SEHandlerCount;
DWORD GuardCFCheckFunctionPointer; // VA
DWORD GuardCFDispatchFunctionPointer; // VA
DWORD GuardCFFunctionTable; // VA
DWORD GuardCFFunctionCount;
DWORD GuardFlags;
IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

// Added
DWORD GuardAddressTakenIatEntryTable; // VA
DWORD GuardAddressTakenIatEntryCount;
DWORD GuardLongJumpTargetTable; // VA
DWORD GuardLongJumpTargetCount;

DWORD DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY32, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY32;

typedef struct _NEW_IMAGE_LOAD_CONFIG_DIRECTORY64 {
DWORD Size;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD GlobalFlagsClear;
DWORD GlobalFlagsSet;
DWORD CriticalSectionDefaultTimeout;
ULONGLONG DeCommitFreeBlockThreshold;
ULONGLONG DeCommitTotalFreeThreshold;
ULONGLONG LockPrefixTable; // VA
ULONGLONG MaximumAllocationSize;
ULONGLONG VirtualMemoryThreshold;
ULONGLONG ProcessAffinityMask;
DWORD ProcessHeapFlags;
WORD CSDVersion;
WORD Reserved1;
ULONGLONG EditList; // VA
ULONGLONG SecurityCookie; // VA
ULONGLONG SEHandlerTable; // VA
ULONGLONG SEHandlerCount;
ULONGLONG GuardCFCheckFunctionPointer; // VA
ULONGLONG GuardCFDispatchFunctionPointer; // VA
ULONGLONG GuardCFFunctionTable; // VA
ULONGLONG GuardCFFunctionCount;
DWORD GuardFlags;
IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

// Added
ULONGLONG GuardAddressTakenIatEntryTable; // VA
ULONGLONG GuardAddressTakenIatEntryCount;
ULONGLONG GuardLongJumpTargetTable; // VA
ULONGLONG GuardLongJumpTargetCount;

ULONGLONG DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY64, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY64;

Professional PE Explorer supports the latest load config structure.
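Added example (not PPEE's parser) showing the point a parser has to respect when this structure keeps growing: only the fields covered by the leading Size field are valid, so an image with Size 0x48 stops at SEHandlerCount even when more bytes follow it, and the CFG fields must be treated as absent. The field list mirrors the 32-bit structure above (the 64-bit variant widens most fields to ULONGLONG and swaps ProcessAffinityMask ahead of ProcessHeapFlags, as shown); the sample buffers and their addresses are constructed.

```python
import struct

# Field layout of IMAGE_LOAD_CONFIG_DIRECTORY32 as listed above, in order.
# The CodeIntegrity sub-structure is flattened into its four members.
LOAD_CONFIG32_FIELDS = [
    ("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"), ("MinorVersion", "H"),
    ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"), ("CriticalSectionDefaultTimeout", "I"),
    ("DeCommitFreeBlockThreshold", "I"), ("DeCommitTotalFreeThreshold", "I"),
    ("LockPrefixTable", "I"), ("MaximumAllocationSize", "I"), ("VirtualMemoryThreshold", "I"),
    ("ProcessHeapFlags", "I"), ("ProcessAffinityMask", "I"),
    ("CSDVersion", "H"), ("Reserved1", "H"),
    ("EditList", "I"), ("SecurityCookie", "I"), ("SEHandlerTable", "I"), ("SEHandlerCount", "I"),
    ("GuardCFCheckFunctionPointer", "I"), ("GuardCFDispatchFunctionPointer", "I"),
    ("GuardCFFunctionTable", "I"), ("GuardCFFunctionCount", "I"), ("GuardFlags", "I"),
    ("CodeIntegrity.Flags", "H"), ("CodeIntegrity.Catalog", "H"),
    ("CodeIntegrity.CatalogOffset", "I"), ("CodeIntegrity.Reserved", "I"),
    ("GuardAddressTakenIatEntryTable", "I"), ("GuardAddressTakenIatEntryCount", "I"),
    ("GuardLongJumpTargetTable", "I"), ("GuardLongJumpTargetCount", "I"),
    ("DynamicValueRelocTable", "I"),
]

IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400


def parse_load_config32(data):
    """Unpack fields in order, stopping at the first one that does not fit in Size."""
    if len(data) < 4:
        raise ValueError("load config directory too short")
    size = struct.unpack_from("<I", data, 0)[0]
    fields, offset = {}, 0
    for name, fmt in LOAD_CONFIG32_FIELDS:
        width = struct.calcsize("<" + fmt)
        if offset + width > size or offset + width > len(data):
            break
        fields[name] = struct.unpack_from("<" + fmt, data, offset)[0]
        offset += width
    return fields


def cfg_summary(fields):
    """Mitigation summary; missing fields (older Size) mean the feature is absent."""
    flags = fields.get("GuardFlags", 0)
    table_present = bool(flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
    return {
        "cfg_instrumented": bool(flags & IMAGE_GUARD_CF_INSTRUMENTED),
        "function_table": fields.get("GuardCFFunctionTable", 0) if table_present else 0,
        "function_count": fields.get("GuardCFFunctionCount", 0) if table_present else 0,
        "security_cookie": fields.get("SecurityCookie", 0),
        "safeseh": fields.get("SEHandlerTable", 0) != 0,
    }


def build_sample_load_config32(size, values):
    """Constructed test buffer: always the full 0x7C bytes, with Size set to `size`."""
    values = dict(values, Size=size)
    return b"".join(struct.pack("<" + fmt, values.get(name, 0))
                    for name, fmt in LOAD_CONFIG32_FIELDS)
```

Reading GuardFlags from a directory whose Size predates the CFG fields would report mitigations that the loader never applies; stopping at Size avoids that.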

• Editing every structure that is shown was one of the features I wanted PPEE to support. Now just double-click on the field you want to edit, write the new value and press Enter or click somewhere else. When you press Enter, the next row is selected; press Enter again to edit that field. If the value doesn't change, it means that it's not editable. Press Esc to cancel editing.

For the plugin, I decided to add the VirusTotal query result and some descriptive information about the file, which should be useful for novices. If you know any other online scanning engine that is up to date and reliable, please let me know.
Finally, any idea is welcome 😉


PE64 and PPEE puppy 1.05

The PE64 file structure is changing in many ways. I've made some changes to the GUI and improved the parsing and understanding of PE files, both PE64 images and .Net assemblies.

I'll release the new version of Professional PE Explorer (PPEE) puppy (1.05) in the next few days.

What’s new in version 1.05:

  • Listview rows are neater than before.

NeaterListview

  • Some entries that have a zero value are grayed out. For example, in Data Directories:

pe64 - GrayedOut

Anomaly detection is one of the features I'd like to add to PPEE (puppy). I'll use color highlighting as an anomaly sign for this purpose.

  • Each treeview node has an icon. I hope icons are self-explanatory.

TreeviewIcon

In addition to those mentioned above, there are some other minor changes in the GUI.

In PE parsing, there are some improvements:

  • PEs with the “IMAGE_DLLCHARACTERISTICS_GUARD_CF” flag set store the CFG table handlers in the DIRECTORY_ENTRY_LOAD_CONFIG directory. Now puppy can show them. Just scroll the second listview to the row labelled “Guarded Function:”.

pe64 - Loadconfig

  • VtableFixup in .Net assemblies is now supported.

Vtable

  • Also, puppy can now properly handle confused .Net assemblies that have one mischievous dword!

These are the main items that have been added or updated since the previous version. The companion plugin, built-in hex editor and save function remain untouched.

Malware creators and some packer/protector developers are always trying to find new techniques and methods to make it harder for security researchers to analyze and dissect PE files. Using obfuscation tools and creating specially crafted files that break the documented rules but are still accepted and launched by the loader is an ongoing challenge.

Crafted and malformed files are always welcome.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

Have fun 😉

Does PPEE puppy 1.04 have a Trojan inside?

Two days ago I noticed that a zip file named PPEE puppy had been submitted to VirusTotal and was identified as a variant of a Trojan by five AVs. The file name had the form of files downloaded from the woodmann.org tool library.

Based on the VirusTotal report, it was the main exe (PPEE.exe) that was infected.

So I compared the SHA256 hashes of the zip file submitted to VirusTotal and the zip file I had uploaded to the woodmann library. Amazingly, they had the same hash! It really scared me!

I guessed that my computer had probably been infected by a trojan before I compiled the code, so I installed Avira free AV on a fresh system and compiled the code from scratch. But while building the project, Avira prevented the creation of PPEE.exe in release mode. I concluded that it's a false positive. After reviewing the code several times I found the line that caused those AVs to mark PPEE.exe as a trojan:

#pragma comment(linker, "/merge:.rdata=.text")

Yes, merging sections and silly AVs! Such AVs could misdirect people who trust them.

Obviously, to keep the binary files as small as possible, I've packed them using UPX, which is very prevalent among developers, but it seems some AVs have never heard of it! That's why TheHacker falsely marks PPEE.exe as Posible_Worm32.
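Added example, not from PPEE: a section-table check in the spirit of the anomaly detection described earlier, run on a constructed section table. A /merge:.rdata=.text build produces one section carrying both IMAGE_SCN_CNT_CODE and IMAGE_SCN_CNT_INITIALIZED_DATA, and a UPX-style layout has an executable, writable section with no raw data; these are exactly the heuristics behind the false positives above, so seeing them listed explains the verdict rather than leaving it a mystery. The .reloc entry uses the 0x42000040 characteristics mentioned in the filter example; section names, sizes and addresses are made up for the test.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COMMON_NAMES = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}


def parse_section_headers(table, count):
    """Unpack `count` IMAGE_SECTION_HEADER entries from a raw section table."""
    sections = []
    for i in range(count):
        raw = struct.unpack_from(SECTION_HEADER_FMT, table, i * 40)
        sections.append({
            "name": raw[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": raw[1], "virtual_address": raw[2],
            "raw_size": raw[3], "raw_pointer": raw[4],
            "characteristics": raw[9],
        })
    return sections


def section_anomalies(sections):
    """Return (section, severity, message) triples, in the page's orange/red spirit."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "error", "section is both writable and executable"))
        if c & IMAGE_SCN_CNT_CODE and c & IMAGE_SCN_CNT_INITIALIZED_DATA:
            findings.append((s["name"], "warning", "code and initialized data merged into one section"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "warning", "executable section has no raw data (typical packer layout)"))
        if s["name"] not in COMMON_NAMES:
            findings.append((s["name"], "warning", "uncommon section name"))
    return findings


def build_section_header(name, vsize, vaddr, rawsize, rawptr, characteristics):
    """Constructed IMAGE_SECTION_HEADER for test input (relocation/line fields zero)."""
    return struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, characteristics)


# Constructed table: a merged .text, a normal .data, a UPX-style first section,
# and a .reloc with the 0x42000040 characteristics from the filter example.
SAMPLE_TABLE = b"".join([
    build_section_header(".text", 0x1A000, 0x1000, 0x1A000, 0x400,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
                         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    build_section_header(".data", 0x3000, 0x1C000, 0x1000, 0x1A400,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    build_section_header("UPX0", 0x10000, 0x1F000, 0, 0x1B400,
                         IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                         | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    build_section_header(".reloc", 0x800, 0x2F000, 0x800, 0x1B400, 0x42000040),
])
```

None of these findings proves malice on its own (the merged section here came from a legitimate linker option, and UPX is used by plenty of benign software), which is why they belong in an analyst's anomaly list rather than in an automatic verdict.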

After all, I repackaged PPEE(puppy) 1.04.zip with a new build of PPEE.exe, which is now downloadable from mzrst.com. Feel free to use it and report bugs 😉