Professional Documents
Culture Documents
As Assignment 3
As Assignment 3
Introduction to the tools : CFF Explorer was designed to make PE editing as easy as possible,
but without losing sight on the portable executable’s internal structure. This application
includes a series of tools which might help not only reverse engineers but also programmers.
It offers a multi-file environment and a switchable interface.
Tool details : It’s the first PE editor with full support for the .NET file format. With this tool
you can easily edit metadata’s fields and flags. If you’re programming something that has to
do with .NET metadata, you will need this tool. The resource viewer supports .NET image
formats like icons, bitmaps, pngs. You’ll be able to analyze .NET files without having to install
the .NET framework, this tool has its own functions to access the .NET format.
Behaviour :
Features: -> Process Viewer -> Drivers Viewer -> Windows Viewer -> PE and Memory
Dumper -> Full support for PE32/64 -> Special fields description and modification (.NET
supported) -> PE Utilities -> PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong
Name Signature Remover, Image Base Changer) -> View and modification of .NET internal
structures -> Resource Editor (full support for Windows Vista icons) -> Support in the
Resource Editor for .NET resources (dumpable as well) -> Hex Editor -> Import Adder -> PE
integrity checks -> Extension support -> Visual Studio Extensions Wizard -> Powerful
scripting language -> Dependency Walker -> Quick Disassembler (x86, x64, MSIL) -> Name
Unmangler -> Extension support -> File Scanner -> Directory Scanner -> Deep Scan method -
> Recursive Scan method -> Multiple results -> Report generation -> Signatures Manager ->
Signatures Updater -> Signatures Collisions Checker -> Signatures Retriever
Malware details :
History : Created by Erik Pistelli, a freeware suite of tools including a PE editor called CFF
Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields
description and modification (.NET supported), utilities, rebuilder, hex editor, import adder,
signature scanner, signature manager, extension support, scripting, disassembler,
dependency walker etc. First PE editor with support for .NET internal structures. Resource
Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The
suite is available for x86 and x64.
Malware details : The .exe extension of a file name displays an executable file. In some
cases, executable files can damage your computer. But further reading needs to be done to
decide for yourself whether the cff explorer.exe file on your computer is a virus or malware
that you should delete, or if in fact it is a valid Windows operating system file or reliable
application.
The first thing that will help you determine if a particular file is a legitimate Windows process
or a virus, is the location of the executable itself. With cff explorer.exe for example, it's path
will probably be something like C:\Program Files\Daniel Pistelli\CFF Explorer\cff explorer.exe
To determine it's path, open Task Manager, go to View -> Select Columns and select "Image
Path Name" to add a location column to your Task Manager. If you find a suspicious
directory here, it may be a good idea to investigate this process further.
Another tool that can sometimes help you detect bad processes is Microsoft's Process
Explorer. Start the program (it does not require installation) and activate "Check Legends"
under Options. Now go to View -> Select Columns and add "Verified Signer" as one of the
columns.
If the "Verified Signer" status of a process is listed as "Unable to Verify", you should take a
moment look at the process. Not all good Windows processes have a Verified Signature
label, but neither do any of the bad ones.
SHA1: 8f76ad283a7485a17a3c6d14e9cbbb5917ffb820
SHA256: f716b1bbde9ca4603660c07feb695298020de59ac71def5ec152734e6597cd17
MD5: ffc218143d392023ed4a0a025e95e1d0
If you had any difficulties with this executable, you should determine if it's trustworthy
before deleting cff explorer.exe. To do this, find this process in Task Manager.
Find its location and compare the size etc with the above facts.
If you suspect that you may be infected with a virus, then you must attempt to fix it
immediately. To delete the cff explorer.exe virus, you must download and install a full
security application like this. Note that not all tools can detect every type of malware, so you
may need to try several options before you're successful.
In addition, the functionality of the virus may itself affect the deletion of cff explorer.exe. In
this case, you must enable Safe Mode with Networking - a secure environment that disables
most processes and loads only the most required services and drivers. When there, you can
run a security program and a complete system analysis.
You should not delete a safe executable file without a valid reason, as this may affect the
performance of any associated programs that use that file. Be sure to keep your software
and programs up to date to avoid future problems caused by corrupted files. With regard to
software functionality issues, check driver and software updates more often, so there is little
or no risk of such problems occurring.
The best diagnosis for these suspicious files is a complete system analysis with either ASR
Pro or this antivirus and malware remover. If the file is classified as malicious, these
applications will also delete cff explorer.exe and get rid of the associated malware.
However, if it is not a virus and you need to delete cff explorer.exe, then you can uninstall
CFF Explorer from your computer using its uninstaller. If you cannot find it's uninstaller, then
you may need to uninstall CFF Explorer to completely delete cff explorer.exe. You can use
the Add/Remove Program function in the Windows Control Panel.
Behaviour : The most common cff explorer.exe errors that can appear are:
• "cff explorer.exe has encountered a problem and needs to close. We are sorry for the
inconvenience."
These .exe error messages can occur during the installation of a program, during the
execution of it's associate software program, CFF Explorer, during the startup or shutdown
of Windows, or even during the installation of the Windows operating system. Keeping a
record of when and where your cff explorer.exe error occurs is important information when
it comes to troubleshooting.
A clean and tidy computer is one of the best ways to avoid problems with cff explorer.exe.
This means performing malware scans, cleaning your hard disk with cleanmgr and sfc
/scannow, uninstalling programs you no longer need, monitoring any auto-start programs
(with msconfig), and enabling automatic Windows updates. Don't forget to always make
regular backups or at least define recovery points.
If you have a bigger problem, try to remember the last thing you did or the last thing you
installed before the problem. Use the resmon command to identify the processes that are
causing your problem. Even in case of serious problems, instead of reinstalling Windows, you
should try to repair your installation or, in the case of Windows 8, by executing the
command DISM.exe /Online /Cleanup-image /Restorehealth. This allows you to repair the
operating system without data loss.
To help you analyze the cff explorer.exe process on your computer, you may find the
following programs useful: Security Task Manager displays all Windows tasks running,
including built-in hidden processes such as keyboard and browser monitoring or auto-start
entries. A single security risk rating indicates the probability that it is spyware, malware or a
potential Trojan horse. This anti-virus detects and removes spyware, adware, Trojans,
keyloggers, malware and trackers from your hard disk.
History : cff explorer.exe is an executable file that is part of CFF Explorer developed by
Daniel Pistelli. The Windows 7 version of the software: 7.9.0.0 is usually about 3493376
bytes in size, but the version you have may differ. The .exe extension of a file name displays
an executable file. In some cases, executable files can damage your computer. But further
reading needs to be done to decide for yourself whether the cff explorer.exe file on your
computer is a virus or malware that you should delete, or if in fact it is a valid Windows
operating system file or reliable application.
Introduction to the tools : The DOS MZ executable format is the executable file format used
for .EXE files in DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A)
at the beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski,
one of the leading developers of MS-DOS. The DOS executable header contains relocation
information, which allows multiple segments to be loaded at arbitrary memory addresses,
and it supports executables larger than 64k; however, the format still requires relatively low
memory limits. These limits were later bypassed using DOS extenders.
Tool details : DOS header starts with the first 64 bytes of every PE file. It’s there because
DOS can recognize it as a valid executable and can run it in the DOS stub mode. As we can
investigate on the winnt.h/Windows.inc we can see below details.
Same thing can be found on the cff-explorer which is very popular malware analysis tool for
PE file validation. We also have a same implementation as a picture (below).
As we can see we have a list of structure that came under DOS header such as magic and
ifanew structure.
Behaviour : The first field, e_magic, is the so-called magic number. This field is used to
identify an MS-DOS-compatible file type. All MS-DOS-compatible executable files set this
value to 0x54AD, which represents the ASCII characters MZ. MS-DOS headers are sometimes
referred to as MZ headers for this reason. It starts at offset 0 (this can be view with a hex
editor). This one is developed by Mark Zbikowski (MZ).
We can see above that we have list of structure for Image_DOS_Header and the important
header, as we already discussed
Here, using CFF, explorer we can verify the offset value of the structure and DOS MZ header
and we also see that the file has the data type WORD.
ifanew is the only required element (besides the signature) of the DOS HEADER to turn the
EXE into a PE. It is relative offset to the NT headers. The windows loader looks for this offset
so it can skip the DOS stub and go directly to the PE header.
Segment handling
The environment of an EXE program run by DOS is found in its Program Segment Prefix.
EXE files normally have separate segments for the code, data, and stack. Program execution
begins at address 0 of the code segment, and the stack pointer register is set to whatever
value is contained in the header information (thus if the header specifies a 512 byte stack,
the stack pointer is set to 200h). It is possible to not use a separate stack segment and
simply use the code segment for the stack if desired.
The DS (data segment) register normally contains the same value as the CS (code segment)
register and is not loaded with the actual segment address of the data segment when an EXE
file is initialized; it is necessary for the programmer to set it themselves, generally done via
the following instructions:
MOV DS, AX
Termination
In the original DOS 1.x API, it was also necessary to have the DS register pointing to the
segment with the PSP at program termination; this was done via the following instructions:
PUSH DS
XOR AX, AX
PUSH AX
Program termination would then be performed by a RETF instruction, which would retrieve
the original segment address with the PSP from the stack and then jump to address 0, which
contained an INT 20h instruction.
The DOS 2.x API introduced a new program termination function, INT 21h Function 4Ch
which does not require saving the PSP segment address at the start of the program, and
Microsoft advised against the use of the older DOS 1.x method.
Malware details :
What does it do: installs a backdoor into computers - hijack browsers to change the default
search engine, and track their web traffic - ability to remotely run any code on the victim's
machine, or download new malicious files.
History : The DOS MZ executable format is the executable file format used for .EXE files in
DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the
beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski, one of
the leading developers of MS-DOS. The MZ DOS executable file is newer than the COM
executable format and differs from it. The DOS executable header contains relocation
information, which allows multiple segments to be loaded at arbitrary memory addresses,
and it supports executables larger than 64k; however, the format still requires relatively low
memory limits.
Compatibility
MZ DOS executables can be run from DOS and Windows 9x-based operating systems. 32-bit
Windows NT-based operating systems can execute them using their built-in Virtual DOS
machine (although some graphics modes are unsupported). 64-bit versions of Windows
cannot execute them. Alternative ways to run these executables include DOSBox, DOSEMU,
Wine, and Cygwin.
MZ DOS executables can be created by linkers, like Digital Mars Optlink, MS linker, VALX or
Open Watcom's WLINK; additionally, FASM can create them directly.
The following code is in 16-bit MASM. This will be our MS-DOS stub program.
After assembling and linking we get the 16-bit DOS executable.
Introduction to the tools : VirusTotal was founded in 2004 as a free service that analyzes
files and URLs for viruses, worms, trojans and other kinds of malicious content. VirusTotal
inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in
addition to a myriad of tools to extract signals from the studied content. Any user can select
a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a
number of file submission methods, including the primary public web interface, desktop
uploaders, browser extensions and a programmatic API. The web interface has the highest
scanning priority among the publicly available submission methods. Submissions may be
scripted in any programming language using the HTTP-based public API.
Tool details :
Windows Uploader
VirusTotal's Windows Uploader was an application that integrates into the Explorer's (right-
click) contextual menu, listed under Send To > Virus Total. The application also launches
manually for submitting a URL or a program that is currently running in the OS.
VirusTotal stores the name and various hashes for each scanned file. Already scanned files
can be identified by their known (e.g., VT default) SHA256 hash without uploading complete
files. The SHA256 query URL has the form https://www.virustotal.com/latest-scan/SHA256.
File uploads are normally limited to 128 MB. In 2017 VirusTotal discontinued support of the
Windows Uploader.
There are several browser extensions available, such as VT4Browsers for Mozilla Firefox, and
Google Chrome and vtExplorer for Internet Explorer. They allow the user to download files
directly with VirusTotal's web application prior to storing them in the computer, as well as
scanning URLs.
The service also offers an Android App that employs the public API to search any installed
application for VirusTotal's previously scanned ones and show its status. Any application not
previously scanned can be submitted, but an API key must be provided and other restrictions
to public API usage may apply (see #Public API).
Public API
VirusTotal provides as a free service a public API that allows for automation of some of its
online features such as "upload and scan files, submit and scan URLs, access finished scan
reports and make automatic comments on URLs and samples". Some restrictions apply for
requests made through the public API, such as requiring an individual API key freely
obtained by online signing up, low priority scan queue, limited number of requests per time
frame, etc.
Malware details :
What does it do: installs a backdoor into computers - hijack browsers to change the default
search engine, and track their web traffic - ability to remotely run any code on the victim's
machine, or download new malicious files.
Behaviour : VirusTotal aggregates many antivirus products and online scan engines called
Contributors. In November, 2018, the Cyber National Mission Force, a unit subordinate to
the U.S. Cyber Command became a Contributor. The aggregated data from these
Contributors allows a user to check for viruses that the user's own antivirus software may
have missed, or to verify against any false positives. Files up to 650 MB can be uploaded to
the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies
of files that were flagged by other scans but passed by their own engine, to help improve
their software and, by extension, VirusTotal's own capability. Users can also scan suspect
URLs and search through the VirusTotal dataset. VirusTotal uses the Cuckoo sandbox for
dynamic analysis of malware. VirusTotal was selected by PC World as one of the best 100
products of 2007.
History : VirusTotal is a website created by the Spanish security company Hispasec Sistemas.
Launched in June 2004, it was acquired by Google in September 2012. The company's
ownership switched in January 2018 to Chronicle, a subsidiary of Google.
Introduction to the tools : Exports are functions that a DLL/EXE may “export” or share that
allow other programs to leverage. While any PE file may have an “export” table, this table is
more commonly found inside of DLLs, as they contain the code needed by many executables
to function.
Tool details : The first entry of IMAGE_DATA_DIRECTORY of the optional header field
contains information about the export table. The 4 bytes located at PE + 0x78 (i.e., offset 120
bytes) is the relative address (relative to DLL base address) of the export table, and the next
byte (at offset 0x7C) is the size of the export table.
Behaviour : We now start to analyze the code, starting at 0x40105C. Set a hardware
breakpoint at 0x40105C (in code pane, right click -> Go To Expression (0x40105c) and then
right click -> breakpoints -> hardware, on execution). Press F9 to run to the point. The first
instruction should be PUSH DS:[EAX+8]. If you see a bunch of BYTE DATA instructions, that's
caused by the byte scission of the code. Highlight all these BYTE DATA instructions, right click
-> Treat as Command during next analysis and we should have the correct disassembly
displayed in IMM.
Now let us analyze the first couple of instructions starting at 0x40105C (in Figure). After
reading the module information (one by one), the code jumps out of the loop when it
encounters the ntdll.dll. At this moment, EAX contains the address of offset 0x18 of
LDR_DATA_TABLE_ENTRY. In another word, EAX points to the attribute "DllBase". Thus, the
instruction at 0x40105C, i.e., PUSH DWORD DS:[EAX+8] is to push the DllBase into the stack.
Executing this command, you will find that 0x7C900000 appearing on top of the stack.
The control flow soon jumps to 0x401077 and 0x401078. It soon follows that at 0x401070,
ECX now has value 0x7C90000 (the DLL base). Now consider the instruction 0x40107D:
Recall that the beginning of a PE file is the DOS header (which is 64 bytes) and the last 4
bytes of the DOS header contains the location of the PE header (offset relative to the DLL
base). Hex value 0x3C is decimal value 60! So we now have EAX containing of PE offset.
Observing the registry pane, we have EAX = 0xE0. We then infer that PE header is located at
0x7C9000E0 (which is 0x7C900000 base + offset 0xE0).
Note the offset 0x78, its decimal value is 120. We can soon infer that offset 0x78 is the
address of the EXPORT table data entry in the IMAGE_DATA_DIRECTORY of the optional
header. Thus, ESI now contains the entry address of the export table (offset relative to DLL
base) ! After instruction at 0x40108c, Its value is now 0x7C903400 (starting address of
EXPORT TABLE).
Applications do not directly access physical memory, they only access virtual memory. In
other words, the Virtual Addresses (VAs) are the memory addresses that are referenced by
an application.
Relative Virtual Address or RVA (here afterward) is the difference between two Virtual
Addresses (VA) and represents the highest one.
File Offsets
When we talk about offsets, we usually either refer to physical memory, a physical file on
disk or in another general in cases where we treat data as raw data.
Details :
Virtual Address is the original address in the memory whereas Relative Virtual Address (RVA)
is the relative address with respect to the ImageBase. ImageBase here means the base
address where the executable file is first loaded into the memory.
RVA = VA – ImageBase
An application is loaded into the memory having a Base Address at 0x400000 and the VA is
at 0x401000. So the RVA is calculated as:
ImageBase = 0x00400000
RVA = 0x00001000
File Offsets
The file offset is actually a location within that particular file. To make it easier for you to
understand it is actually the distance from the starting point either the start of the file or the
start of a memory address. The offset value is added to the base value to determine the
actual value.
So, if we have to calculate the file offset of the entry point in a PE file, consider the below
table which shows the important fields within the PE optional header and section header for
a particular application.
Now, the steps with which we calculate the file execution start offset are followed as below:
First, determine the Address of entry point from the field under Optional Header.
Next, check in which section's virtual space the address of entry point lies.
Once the right section header is determined, make a note of its virtual address and
pointer to raw data fields.
Now, calculate the difference between the address of entry point and the virtual address
of the earlier identified section in which the entry point lies.
Finally, add the difference to the pointer to the raw data which will give the file-based
execution start offset of that file.
In short the formula for calculating execution start file offset would be:
In this case, the address of entry point lies in the .text section as the .text section starts at
0x00001000 and ends at 0x00007748 and the address of entry point is 0x0000739D.
Behaviour :
PE File Header
The PE header is located by looking at the e_lfanew field of the MS-DOS Header. The
e_lfanew field gives the offset of the PE header location. The field e_lfanew denotes the file
header of the new .exe header. The main PE Header is a structure of type
IMAGE_NT_HEADERS and mainly contains SIGNATURE, IMAGE_FILE_HEADER, and
IMAGE_OPTIONAL_HEADER.
IMAGE_OPTIONAL_HEADER: One should not assume from the name itself that this is an
optional header and is not a relevant one. This header contains some critical information
that is beyond the basic information contained in the IMAGE_FILE_HEADER data structure.
Some of the important fields that one should be aware of are listed below:-
Magic: The magic field tells whether an executable image is of 32-bit or 64-bit. The value set
in the Magic field is IMAGE_NT_OPTIONAL_HDR_MAGIC and the value is defined as
IMAGE_NT_OPTIONAL_HDR32_MAGIC (0x10b) in a 32-bit application and as
IMAGE_NT_OPTIONAL_HDR64_MAGIC (0x20b) in a 64-bit application.
AddressOfEntryPoint: It is the address where the Windows loader will begin execution. This
holds the RVA (Relative Virtual Address) of the Entry Point (EP) of the module and is usually
found in the .text section. For executable, this is the starting address. For device drivers, this
is the address of the initialized function. The entry point function is optional for DLLs and
when no entry point is present, this member is zero.
The BaseOfCode and BaseOfData members hold the RVAs of the beginning of the code and
data sections respectively.
SizeOfRawData: This specifies the real size of the section in the file. If this is the last
section and we sum this value with the PointerToRawData value, then the result will
be the size of the value itself.
VirtualSize: This section indicates the size of the section in memory.
PointerToRawData: This is the offset where the Raw Data section starts in the file.
So, by adding this to the value above and assuming that the file alignment property
is set to default, we can obtain the offset of where the next section starts in the file.
VirtualAddress: The RVA of the section in memory. Using VirtualAddress and
VirtualSize info. we can obtain the RVA of the next section, assuming that the
memory alignment property is set to default.
History : An RVA is simply an offset in memory, relative to where the PE file was loaded.
Tool 1: Using CFF Explorer, we can view and modify the resources of a PE file, view the functions
that the DLL file can call, and modify the function entry address to achieve the purpose of creating a
crash screen. We fed the explorer 2 files (.exe files) and saw what's inside an executable and what it
does, I.e. checked them for malware using CFF explorer which is a PE editor. CFF explorer is a very
efficient tool to see what's inside an executable and what it does, verify the publisher and the
integrity of the signed executable files etc.
Tool 2: DOS executable header contains relocation information, which allows multiple segments to
be loaded at arbitrary memory addresses. DOS MZ executable format is the executable file format
used for .EXE files in DOS. We analyzed the structure of DOS header and utilized it for malware
analysis.
Tool 3: Analyzes suspicious files and URLs to detect types of malware and malicious content using
antivirus engines and website scanners. The report contains the total number of VirusTotal partners
who consider this file harmful out of the total number of partners who reviewed the file, the
reputation of the given URL as determined by VirusTotal's Community etc.
Tool 4: Exports are functions that a DLL/EXE may “export” or share that allow other programs to
leverage. Export Address Table is an array of function pointers that contain the address of exported
functions.
Tool 5: Compared, contrasted and drew parallels between Offset, Rva and Va. Also converted Offset,
Rva and Va to one another in a step by step manner.