SecureArtisan

My Road to Digital Forensics Excellence

PE Extraction

Posted by Paul Bobby on November 4, 2008

In a recent case I am working I had the need to extract executable files from captured physical memory and from unallocated space. The Volatility framework is capable of extracting from Physical Memory (yep even captured memory from Encase with a couple of steps thrown in), but accurate executable carving from UA is not accurate.

Whether using the File Carving enscript or Scalpel, or whatever, the process of extraction does not attempt to validate the PE prior to extraction, and to extract only the correct filesize. I didn’t have time to mess with this system, I wanted actual executables I could hash, analyze and compare against known malware sets.

The only problem with extraction from UA is that the executable could be fragmented across UA – and there’s nothing I can do about that unfortunately.

Here’s my algorithm; it’s somewhat simplistic I know, so please, offer suggestions for improvement.

1. Search for the signature ‘MZ’ (Case sensitive) or ‘\x4d\x5a’ (GREP)

2. For each search hit, perform the following two tests to determine if we have an executable

2a. Does the word ‘Program’ exist in the 64bytes Offset 64 from the search hit

image

I’ve seen two possibilities for this section, either

  • This program cannot be run in DOS mode, or
  • This program must be run under Win32

2b. Verify that the PE signature is in the right place

  • The Address of the EXE header is found 60 bytes from the start of the file

image

  • Determine if the PE signature is at this location

image

  • These are just two simple tests, that if the search hit passes, we proceed to the next step.

3. Exporting a validated Executable is a matter of calculating the number of Code Sections present in the Executable, the size of each section, and then exporting enough bytes to cover it (plus 1024bytes for the PE header structure).

3a. How many sections?

image

We have three sections to enumerate. Here’s what I mean by sections:

image

8 bytes for each section name, 40 bytes per section name.

The section length is found 16bytes from the start of any given section:

image

This section is 00007800bytes (hex) in length or 30,720bytes.

4. Once the final count is known, it is a simple matter of creating a LocalFileClass object in Enscript, and writing out each byte to a local file.

The complete source code is tracked in this thread. The enscript is more of a demonstration; I plan on expanding the usefulness to carving out specific Executable files, such as Packed files etc.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: