Windows PE Binary: Structure, Sections, and Stealth Techniques

Yua Mikanana
Sep 17, 2023


The Windows Portable Executable (PE) format is the cornerstone of Windows executables, whether they be applications or system binaries. In this article, we’ll dive deep into the architecture of the PE format, its various sections, and explore how certain manipulations, such as embedding custom resources in the .rsrc section, can be leveraged in the world of cybersecurity, potentially for evasive techniques.

Looking for a practical demonstration? The video linked below, posted on the Gemini Cyber Security YouTube channel, shows step by step how this can be achieved.

By embedding AES-encrypted, MSFVenom-generated reverse shell shellcode into an EXE binary’s resource section, it was possible to bypass the latest Windows Defender running on a Windows 11 machine and successfully obtain a reverse shell connection to a remote Kali machine.

https://youtu.be/36O2qDrHQnk

What is a Windows PE Binary?

Windows PE stands for Portable Executable. It’s the native file format for executables, DLLs, and others in Windows. PE is pivotal in telling the Windows loader how the code should be loaded and how it should start executing, making it crucial for anyone diving into Windows internals or cybersecurity.

Key Sections of a PE File

The PE format comes with several sections, each designed to hold specific types of information:

  1. .text: This is the section containing the executable code.
  2. .data: Contains initialized global and static data.
  3. .rdata: Contains read-only, initialized data such as constants.
  4. .bss: Holds uninitialized global and static data.
  5. .idata: Stores import data, i.e., functions and data imported from DLLs.
  6. .edata: Contains export data: functions and data made available to other programs.
  7. .rsrc: The resource section; it holds resources such as icons, menus, and other elements.
  8. .reloc: Contains relocation information. Necessary if the binary can’t be loaded at its preferred base address.

These are the most common sections, but PE files can contain other sections, depending on the compiler and linker settings.

Embedding in the .rsrc Section

The .rsrc or resource section is intriguing. Typically, it contains elements like icons, images, or strings. But its generic structure allows embedding virtually any kind of data, including other binaries or custom payloads.

By embedding data into the .rsrc section, malicious actors can potentially evade some security solutions, especially those that only scan typical sections like .text for malicious code. When a PE loader reads the binary, it treats the embedded data in the .rsrc section as resources, and unless the security solution is explicitly checking for anomalies in the resource section, this embedded data might go unnoticed.

How Does Embedding Work?

  1. Preparation: First, a malicious actor prepares their payload, which could be another binary or custom data.
  2. Embedding: Tools or custom scripts are used to inject this payload into the .rsrc section of a benign PE file.
  3. Execution: Once the payload is embedded, the main PE file contains code that extracts and executes it from the resource section at runtime.

Countermeasures & Detection

Advanced cybersecurity solutions are aware of such evasive techniques. Here are a few countermeasures:

  1. Anomaly Detection: Check for unusually large .rsrc sections or those containing non-standard data.
  2. Behavioral Analysis: Rather than just statically scanning the file, monitor its behavior when executed.
  3. Heuristics: Use heuristics to identify patterns typical of embedded payloads.
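One way to implement the first countermeasure, as an added example that is not code from the article or the linked video: a stand-alone Python parser that walks the PE headers by hand (DOS header, PE signature, COFF header, section table), measures each section's raw size and Shannon entropy, and flags an .rsrc section that dominates the file or looks encrypted. The two sample images, the 50% size ratio and the 7.0 bits/byte entropy threshold are constructed for the demo and are assumptions, not values from the article.

```python
import math
import struct
from collections import Counter
from random import Random
SEC = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte; values near 8.0 mean encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (bad MZ/PE signature)")
    coff = e_lfanew + 4
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # section table follows the optional header
    out = []
    for i in range(count):
        name, _vs, _va, rsize, rptr, *_ = SEC.unpack_from(pe, table + i * SEC.size)
        out.append({"name": name.rstrip(b"\0").decode(), "size": rsize,
                    "entropy": round(entropy(pe[rptr:rptr + rsize]), 2)})
    return out

def rsrc_findings(pe: bytes, max_ratio=0.5, max_entropy=7.0) -> list:
    """Countermeasure 1 above: flag an .rsrc that dominates the file or looks encrypted (thresholds are illustrative)."""
    secs = sections(pe)
    total = sum(s["size"] for s in secs) or 1
    hits = []
    for s in (x for x in secs if x["name"] == ".rsrc"):
        if s["size"] / total > max_ratio:
            hits.append(f".rsrc holds {s['size'] / total:.0%} of all section data")
        if s["entropy"] > max_entropy:
            hits.append(f".rsrc entropy {s['entropy']} bits/byte (icons and strings sit far lower)")
    return hits

def build_sample_pe(rsrc: bytes) -> bytes:  # constructed two-section PE layout for this demo; not a runnable program
    text, opt = b"\xc3" * 512, b"\0" * 0xF0               # tiny .text; zeroed PE32+ optional header
    data_start = 0x40 + 4 + 20 + len(opt) + 2 * SEC.size   # first byte after the section table
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    t_hdr = SEC.pack(b".text", len(text), 0x1000, len(text), data_start, 0, 0, 0, 0, 0x60000020)
    r_hdr = SEC.pack(b".rsrc", len(rsrc), 0x2000, len(rsrc), data_start + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + opt + t_hdr + r_hdr + text + rsrc

# Constructed inputs: a repetitive .rsrc (like a tiny bitmap) and a random-looking 16 KiB one.
BENIGN = build_sample_pe(b"\x00\xff\x00\xff" * 64)
SUSPECT = build_sample_pe(Random(1).randbytes(16 * 1024))
```

Real resource sections are often large when they carry icons or bitmaps, so in practice the size ratio is a triage signal and the entropy of the individual resource entries is the stronger indicator.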

Conclusion

The Windows PE format, while serving as the foundation for Windows executables, can be leveraged in crafty ways by those with ill intent. While embedding custom binaries in the .rsrc section is a known technique, it's a constant cat-and-mouse game between attackers finding new evasive techniques and defenders catching up. Always ensure your security solutions are updated and employ multiple layers of defenses to catch such stealth techniques.

Check out a practical demonstration on embedding payloads into the .rsrc section of an EXE binary, bypassing Windows Defender!

https://youtu.be/36O2qDrHQnk
