PPEE (puppy) new features, 1.09-1.12

Since my last blog post, PPEE (puppy) has changed a lot and lots of new features have been added. In this post I’ll review some of the prominent features.

  • Rich Header supported (Experimental):

The Rich Header is not documented by Microsoft and, as stated by Kaspersky and McAfee, its contents can be used to identify similar malware, different versions of the same malware, and cases where malware has been built in a different environment. Lots of work has been done to understand the structure and specification of the Rich Header. The article written by Daniel Pistelli is one of the excellent attempts to unveil this structure in detail. I also came across the great article on Bytepointer and the research done by Webster G.D. et al., which explain the structure comprehensively.

The Rich Header contains an array of blocks that represent information about the tools used while building the final executable. Interpreting these blocks is still experimental; such work has been done by dishather.

PPEE (puppy) 1.12 can parse Rich Headers. The MD5 of this header is also calculated to make it easier to find identical Rich Headers. Checksum validation will be added soon.
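To make the layout concrete, here is an added example (my own code, not PPEE's) that walks a Rich Header: it locates the "Rich" signature and XOR key, decodes the DanS block and its (comp_id, count) entries, hashes the decoded entries with MD5, and recomputes the checksum with the rotate-and-add scheme from Pistelli's article. The PE prefix it parses is a constructed sample, and because the post does not say which bytes PPEE feeds into its MD5, the hash here is taken over the decoded entries.

```python
import hashlib
import struct
DANS = 0x536E6144  # "DanS" as a little-endian DWORD

def rol32(value, count):
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

def rich_checksum(data, dans_offset, entries):
    """Rotate-add the DOS header bytes (e_lfanew skipped), then each comp_id by its
    use count; per Pistelli's description the result is the header's XOR key."""
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:  # e_lfanew changes whenever the header grows, so it is skipped
            continue
        csum = (csum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & 0xFFFFFFFF
    return csum

def parse_rich_header(data):
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0, e_lfanew)
    if rich_pos < 0:
        return None  # no Rich Header between the DOS stub and the PE header
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    dans_pos = data.rfind(struct.pack("<I", DANS ^ key), 0, rich_pos)
    if dans_pos < 0:
        return None
    entries = []
    for off in range(dans_pos + 16, rich_pos, 8):  # skip "DanS" and three padding DWORDs
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    decoded = b"".join(struct.pack("<II", c, n) for c, n in entries)
    return {"entries": entries, "key": key,
            "checksum_ok": rich_checksum(data, dans_pos, entries) == key,
            "md5": hashlib.md5(decoded).hexdigest()}

def build_sample(entries):
    """Constructed input: 0x40-byte DOS header, Rich Header, then the PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + 16 + 8 * len(entries) + 8)  # e_lfanew
    key = rich_checksum(dos, 0x40, entries)
    body = struct.pack("<4I", DANS ^ key, key, key, key)  # "DanS" and three zero DWORDs, XORed
    for comp_id, count in entries:
        body += struct.pack("<II", comp_id ^ key, count ^ key)
    return bytes(dos) + body + b"Rich" + struct.pack("<I", key) + b"PE\0\0"
```

A header whose recomputed checksum differs from its key has been edited after linking, which is exactly the kind of tampering the planned validation is meant to surface.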

  • Resolve ordinal to name in imported APIs

Modules can import functions by ordinal rather than by name. In such cases there is no name for the imported function. Malware authors can use this method to leave fewer clues for static analysis. PPEE (puppy) 1.12 can resolve ordinal numbers to their equivalent names. These names are shown in the Ordinal column, in parentheses.
(Screenshot: Resolve ordinal to name)

  • File description of imported modules is shown

To make it easier to inspect imported modules (Imported, Delay-loaded and Bound), a new column named Description has been added that shows the file description of the imported module. This description is read from the imported module itself and can be faked by malware authors.
(Screenshot: Imported module file description)

  • PE type icon added in statusbar

Investigators often want to know the PE type without further analysis. Now it is possible to see it at a glance: using three different icons in the statusbar, PPEE (puppy) shows the type of the PE you are dealing with.

  • Authentihash (PE256), ImpHash and SHA256 added in FileInfo plugin

Three new hash values have been added to PPEE (puppy). Authentihash was introduced by Microsoft and its documentation is available here. Authentihash can be used to verify that the relevant sections of a PE image file have not been altered. The FileInfo plugin shows Authentihash as Authentihash (PE256).
(Screenshot: Import Hash - Authentihash (PE256) - SHA256)
ImpHash, which stands for Import Hash, is derived from the PE imports. ImpHash is useful for identifying malware of the same family or related malware samples. Calculating ImpHash is a little tricky, and with PPEE (puppy) you can get the ImpHash of PE files easily.
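As an added example covering both the ordinal resolution described above and the ImpHash calculation (my own code, not PPEE's): module names are lower-cased with their .dll/.ocx/.sys extension stripped, ordinals are replaced by names when a lookup table knows them and by ordN otherwise, and the MD5 is taken over the comma-joined module.function list in import-table order. The ordinal table is a small constructed subset of ws2_32.dll's exports.

```python
import hashlib

# Ordinal-to-name table: a constructed subset of ws2_32.dll's export ordinals,
# standing in for the full tables a tool like PPEE (puppy) would ship with.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               23: "socket", 115: "WSAStartup", 116: "WSACleanup"},
}

def normalize_module(dll_name):
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = dll_name.lower()
    base, _, ext = name.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") and base else name

def resolve_import(dll_name, func):
    """func is either a name (str) or an ordinal (int); known ordinals become names,
    unknown ones are written as ordN so they still contribute to the hash."""
    module = normalize_module(dll_name)
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(module, {}).get(func, "ord%d" % func)
    return module, func

def imphash_string(imports):
    """imports: list of (dll_name, func) in import-table order. Order is part of the hash."""
    parts = []
    for dll_name, func in imports:
        module, name = resolve_import(dll_name, func)
        parts.append("%s.%s" % (module, name.lower()))
    return ",".join(parts)

def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()
```

Importing socket by ordinal 23 and by name yields the same ImpHash only because the ordinal is resolved first, which is why the lookup table matters for matching related samples.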

  • Set string length in ini file

Since PPEE (puppy) 1.11, a configuration file has been added to store settings like window position, recent files, maximum length of strings, color of the listview and so on. Some of these options are already implemented and the others will be implemented in the coming releases. Below is the content of a sample config file:

[NewVersionDlg]
ShowDialog=1
[MainWindow]
Botton=703
Right=1281
Top=58
Left=173
[Splitter]
Vertical=239
Horizontal=229
[StringLength]
MinLength=4

It is possible to limit the length of the strings shown in the ASCII/UNICODE items to a specific value. For example, to limit it to 4 characters you can add the following option to the .ini file.

[StringLength]
MinLength=4

At start-up, PPEE (puppy) checks for a new version. If a new one has been released, it will prompt you. You may also disable this check via the .ini file by adding the following option:

[NewVersionDlg]
ShowDialog=0

It is also possible to check the corresponding checkbox in the new version dialog to get the same result.

  • Yara rules supported (New plugin)

Yara is a powerful pattern matching tool that helps malware researchers and threat hunters find files that match their rules or signatures. Yara is increasingly used in digital forensics, incident response and reverse engineering. You can write your own rules or use the rulesets in Yara's repository. A new plugin named YaraPlugin has been written for PPEE (puppy), which lets you check the opened file against a given rule.
(Screenshot: Yara rules support)

  • Resource type detection added

The resource section is one of the favorite places for malware authors to hide their components. PPEE (puppy) can detect some of the common resource types used by malware. This feature is limited at the moment; the number of detected resource types will be increased in future releases.
(Screenshot: Embedded resource type detection)

  • Filter/Search box added

Now it is possible to filter the items in the listview based on the text you want. For example, show only sections with the 0x42000040 characteristics, or show only items that contain “.exe”.
(Screenshot: Filter or Search box)
At the moment, filtering is limited to the first listview.

One feature of PPEE (puppy) I would like to emphasize is the edit capability. You can easily edit almost every data structure of a PE file: simply double-click on the item and enter the new value.
(Screenshot: Edit PE structure)

I have always preferred to release a new version of PPEE (puppy) only when a remarkable feature is added, but given the ever-evolving arena of malware it is better to reduce the time between releases. This will be considered for the next releases.

Any feature request or bug report is warmly appreciated 😉

Professional PE Explorer – PPEE

The Portable Executable file structure is still evolving and being extended, especially for PE64 images. On the other side, malware creators are constantly changing their techniques and writing malicious code to evade AVs and other security tools. It's an ongoing challenge…

To deal with it, I've added some new features and changed some of the existing ones to keep PPEE compatible and make it easier to use.

Professional PE Explorer
Some of the most important changes are as follows:
• Toolbar and Statusbar have been added. The Toolbar includes some of the frequently used menu items. The Statusbar does nothing at the moment; it will be used in the next versions.

• Check update has been added to check whether a new version of PPEE has been released. The check could also be done at startup, but I think it would be a little annoying to show a dialog every time the program runs. Maybe an option to enable/disable the update dialog at startup will be added in the next versions.

• Looking for a string, for example a URL, in the file is a tedious task. I've added four child nodes to the tree to separate ASCII, UNICODE, URL and Registry strings. If you need something else, please let me know.

• As said before, anomaly detection has been added. There are two colors for this: orange for Warning and red for Error. Most of the anomalies and thresholds are taken from documents and specifications. Anomaly rules, for example for strange section names, are embedded in PPEE. This is not suitable for long rules; maybe the next versions will add a blacklist file beside the main executable to store strange or blacklisted items.

• A right-click context menu has been added with Copy, Search, Whois and Dump. Copy Item copies the selected field and Copy Row copies the entire selected rows. In the Search menu you can search for the selected field on Google and MSDN. Whois is only shown for strings; it's really useful for URLs. If you know any other site that can be added to this list, please let me know. A Dump menu item has also been added. It's only shown for “Section Headers”, resources, the COM (.NET) directory and MetaData. Clicking Dump shows a Save As dialog. At the moment “Follow in Hex editor” is not functioning.

• The Load config structure has changed again! It now looks like this:

typedef struct __NEW_IMAGE_LOAD_CONFIG_DIRECTORY32 {
    DWORD Size;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD GlobalFlagsClear;
    DWORD GlobalFlagsSet;
    DWORD CriticalSectionDefaultTimeout;
    DWORD DeCommitFreeBlockThreshold;
    DWORD DeCommitTotalFreeThreshold;
    DWORD LockPrefixTable; // VA
    DWORD MaximumAllocationSize;
    DWORD VirtualMemoryThreshold;
    DWORD ProcessHeapFlags;
    DWORD ProcessAffinityMask;
    WORD CSDVersion;
    WORD Reserved1;
    DWORD EditList; // VA
    DWORD SecurityCookie; // VA
    DWORD SEHandlerTable; // VA
    DWORD SEHandlerCount;
    DWORD GuardCFCheckFunctionPointer; // VA
    DWORD GuardCFDispatchFunctionPointer; // VA
    DWORD GuardCFFunctionTable; // VA
    DWORD GuardCFFunctionCount;
    DWORD GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    DWORD GuardAddressTakenIatEntryTable; // VA
    DWORD GuardAddressTakenIatEntryCount;
    DWORD GuardLongJumpTargetTable; // VA
    DWORD GuardLongJumpTargetCount;

    DWORD DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY32, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY32;

typedef struct _NEW_IMAGE_LOAD_CONFIG_DIRECTORY64 {
    DWORD Size;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD GlobalFlagsClear;
    DWORD GlobalFlagsSet;
    DWORD CriticalSectionDefaultTimeout;
    ULONGLONG DeCommitFreeBlockThreshold;
    ULONGLONG DeCommitTotalFreeThreshold;
    ULONGLONG LockPrefixTable; // VA
    ULONGLONG MaximumAllocationSize;
    ULONGLONG VirtualMemoryThreshold;
    ULONGLONG ProcessAffinityMask;
    DWORD ProcessHeapFlags;
    WORD CSDVersion;
    WORD Reserved1;
    ULONGLONG EditList; // VA
    ULONGLONG SecurityCookie; // VA
    ULONGLONG SEHandlerTable; // VA
    ULONGLONG SEHandlerCount;
    ULONGLONG GuardCFCheckFunctionPointer; // VA
    ULONGLONG GuardCFDispatchFunctionPointer; // VA
    ULONGLONG GuardCFFunctionTable; // VA
    ULONGLONG GuardCFFunctionCount;
    DWORD GuardFlags;
    IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;

    // Added
    ULONGLONG GuardAddressTakenIatEntryTable; // VA
    ULONGLONG GuardAddressTakenIatEntryCount;
    ULONGLONG GuardLongJumpTargetTable; // VA
    ULONGLONG GuardLongJumpTargetCount;

    ULONGLONG DynamicValueRelocTable; // VA
} NEW_IMAGE_LOAD_CONFIG_DIRECTORY64, *PNEW_IMAGE_LOAD_CONFIG_DIRECTORY64;

Professional PE Explorer supports the latest load config structure.

• Editing every structure that is shown was one of the features I wanted PPEE to support. Now just double-click on a field you want to edit, write the new value and press Enter or click somewhere else. When you press Enter, the next row is selected; press Enter again to edit that field. If the value didn't change, it means it is not editable. Press Esc to cancel editing.

For the plugin, I decided to add the VirusTotal query result and some descriptive information about the file, which would be useful for novices. If you know any other online scanning engine that is up to date and reliable, please let me know.
Finally, any idea is welcome 😉