PPEE (puppy) new features, 1.09-1.12

Since my last blog post, PPEE (puppy) has changed a lot and lots of new features have been added. In this post I’ll review some of the prominent features.

  • Rich Header supported (Experimental):

Rich Header is not documented by Microsoft and as stated by Kaspersky and McAfee, contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different environment. Lots of work has been done to understand structure and specifications of Rich Header. The article written by Daniel Pistelli is one of the excellent attempts to unveil this structure in detail. I also came across the great article in Bytepointer and the research done by Webster G.D. et al. which explain the structure comprehensively.

Rich Header contains an array of blocks which represent information related to the tools that were used as part of building the final executable. Interpreting these blocks is something experimental and such a work is done by dishather.

PPEE (puppy) in version 1.12 can parse Rich Headers.The MD5 of this header is also calculated to make it easier for finding identical Rich headers. The checksum validation would be added soon.

  • Resolve ordinal to name in imported APIs

Modules can import functions by ordinals rather than by names. In such cases, there is no name for imported function. This method can be employed by malware authors to remain less clues for static analysis. PPEE (puppy) 1.12, can resolve ordinal numbers to their equivalent names. These names are shown in Ordinal column, in parentheses.Resolve rdinal to name

  • File description of imported modules is shown

To make it easier during inspecting imported modules (Imported, Delayloaded and Bound), a new column named Description is added which shows the file description of the imported module. This description is read from imported module itself and can be faked by malware authors.Imported module file description

  • PE type icon added in statusbar

There are many times that the investigator wants to know the PE type without further analysis. Now it’s possible to find that at a glance. Using three different icons in statusbar, PPEE (puppy) will show you the type of PE dealing with.

  • Authentihash (PE256), ImpHash and SHA256 added in FileInfo plugin

Three new hash values added to PPEE (puppy). Authentihash is introduced by Microsoft and its documentation is available here. Authentihash can be used to verify that the relevant sections of a PE image file have not been altered. FileInfo plugin shows Authentihash as Authentihash (PE256).Import Hash - Authentihash (PE256) - SHA256ImpHash which stands for Import Hash, is derived from PE Imports. ImpHash is useful for identifying malwares of the same family or related malware samples. Calculating ImpHash is a little tricky and using PPEE (puppy) you can get the ImpHash of PE files easily.

  • Set string length in ini file

Since PPEE (puppy) 1.11, a configuration file has been added to store settings like window position, recent files, maximum length of strings, color of the listview an so on. Some of these options are already implemented and the others would be implemented in the coming releases. Below is the content of a sample config file:

[NewVersionDlg]
ShowDialog=1
[MainWindow]
Botton=703
Right=1281
Top=58
Left=173
[Splitter]
Vertical=239
Horizontal=229
[StringLength]
MinLength=4

It’s possible to limit the length of the string shown in ASCII/UNICODE items to a specific value. For example to limit it to 4 characters you can add the following option in .ini file.

[StringLength]
MinLength=4

PPEE (puppy) at its start-up, checks for a new version. If a new one is released then it will prompt you. You may also disable this check via .ini file. To do so, add the following option in .ini file.

[NewVersionDlg]
ShowDialog=0

It’s also possible to check the related checkbox in new version dialog to get the same result.

  • Yara rules supported (New plugin)

Yara is a powerful pattern matching tool that aims malware researchers and threat hunters to find the files that meet their defined rules or signatures. Yara is becoming increasingly used in digital forensics, incident response and reverse engineering. You can write your own rules or use the rulesets in repository of Yara. A new plugin named YaraPlugin is written for PPEE (puppy) which enables you check opened file against a given rule.YaraRules support

  • Resource type detection added

Resource section is one of the favorite places for malware authors to hide their components. PPEE (puppy) can detect some of the common resource types used by malwares. However this feature is limited, the number of detected resource types will be increased in the future releases.Embedded resource type detection

  • Filter/Search box added

Now it is feasible to filter items in listview based on the text you desire. For example, show only sections with 0x42000040 characteristics or show only items that contain “.exe”.Filter or Search boxAt the time, filtering is limited to the first listview.

One of the features of PPEE (puppy), I’d like to emphasize, is the edit capability. You can easily edit almost every data structure of a PE file. Simply double-click on the item and enter new value.Edit PE structure

I always preferred to release a new version of PPEE (puppy) only when a remarkable feature is added but for the ever-evolving arena of the malwares it’s better to reduce the time between releases. This will be considered for the next releases.

Any feature request or bug report is warmly appreciated 😉