Malware Theory – Portable Executable Resources

June 27, 2019



Welcome to another Malware Theory video. Today we look into PE resources: how they are located in a PE file, for instance by a parser, and how the meta information about the resources is structured. We start with the PE file itself. If you haven't watched the previous video about the basic PE structure, please watch that before this one; I will put a link in the description below. Check that out first, because I assume you know what I covered there.

The starting point for finding the actual resources is the optional header. The optional header has a so-called data directory. The data directory is simply a list of entries which point to certain data structures: each entry holds the virtual address and the size of one such data structure. That is also where the resource table is located. So the parser reads the data directory entry for the resource table, and then it knows where to find the resources themselves.

In our example we have two sections, and I will mark the resources green. I got used to green meaning resources because that is the default colour for resources in the PE analyzer visualization I use, so that is just how I associate it. In our case the resource entry points into section 1, to the start of the data structure. The data structure for the resource information is a tree, so in our example we will have a tree with two resources: every leaf of the tree is one resource, basically, and the path to it contains the meta information that is nice to know. We will do a close-up of the resource tree itself soon. We also know that section 1 contains the resource tree, so in our PE example this section is a so-called resource section. There is a convention for section names: if it is a resource section, it is usually called .rsrc or .rdata. But you can always violate conventions; these names are for humans, and Windows usually doesn't care.

Now let's look closer into our resource tree. I actually tried to draw it as a tree; as you know, trees in computer science grow from the top to the bottom, so the root of the tree is at the top. Then we have our basic structure. On Windows there is the convention that every resource tree has three levels, and there is a meaning to every level. Level one is the type of the resource, level two is the name of the resource, and level three is the language of the resource. You might have different languages: if you have a text resource, you might have different versions of it depending on the language. The type says whether it is an icon, an image, version information or something else; there is a fixed number of types.

The name directory has either a name identifier or a name pointer. If it is a pointer, it points to the address of a Unicode string. The string can be anywhere in the file, and the parser needs to know how long that string is, so it starts with the length of the string, followed by the actual Unicode string, which is the name of the resource.

The language directory has a language identifier; every ID stands for a certain language. There are tables out there where you can look them up, but usually if you have a parser it will interpret this for you, so most of the time you don't need the tables. More importantly, the language directory has a data entry pointer, and that pointer points to a small data structure, the so-called data entry, which determines the size and the location of the actual raw data for the resource. Let's quickly complete this for the other resource as well.

Now to the actual raw data, that's the green part here. The data entry says how large it is and where it starts in the file; it can be anywhere in the file, and I've indicated it by ones and zeros here. What the raw data is depends on the resource: if it's an image it's an image, if it's text it's some text. It can be anything; it could also be another portable executable, because some malware has another executable in there. The same holds for the other resource, so we have our two resources here.

As I said, the type directory has one entry for every type that exists across all the resources. In our case we have two entries, so there are two different types, one for each of the two resources. Let's fill this out by example: on the right side we have an icon, so we say the resource type is RT_ICON (again, there are tables with the IDs and the corresponding types). Let's say that's a hedgehog icon, so we'll say our name is "Hedgehog", which has 8 characters, and here is the actual icon. That's it already. I hope you understood now how this works; see you next time, thanks for watching.
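The walk described above, from the root directory through the type, name and language levels down to the data entry and the raw bytes, as an added example (this is my own code, not code from the video or from any PE library). The byte layout follows the IMAGE_RESOURCE_DIRECTORY, IMAGE_RESOURCE_DIRECTORY_ENTRY, IMAGE_RESOURCE_DIR_STRING_U and IMAGE_RESOURCE_DATA_ENTRY structures from winnt.h; the sample resource section is constructed inline and reproduces the video's example, an RT_ICON named "Hedgehog" plus a second resource (here an RT_RCDATA with ID 101, which is my choice, not the video's). The section RVA 0x3000 is likewise an assumed value. The parser bounds-checks every offset and refuses a tree deeper than three levels, which is the check you want when a crafted sample points directory entries back at themselves:

```python
import struct

# Resource type IDs from winnt.h (RT_* values); only a handful listed here.
RESOURCE_TYPES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU",
                  5: "RT_DIALOG", 6: "RT_STRING", 10: "RT_RCDATA",
                  14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}

DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY (16 bytes)
HIGH_BIT = 0x80000000                # set: field is an offset to string/subdirectory
MAX_DEPTH = 3                        # type / name / language; deeper trees are malformed


class ResourceError(ValueError):
    pass


def _read_name(section, off):
    """IMAGE_RESOURCE_DIR_STRING_U: WORD length followed by that many UTF-16LE chars."""
    if off + 2 > len(section):
        raise ResourceError("name string offset outside resource section")
    (length,) = struct.unpack_from("<H", section, off)
    raw = section[off + 2: off + 2 + 2 * length]
    if len(raw) != 2 * length:
        raise ResourceError("name string truncated")
    return raw.decode("utf-16-le")


def _entry_name(section, name_field):
    # High bit set: offset (within the section) to a length-prefixed Unicode string.
    if name_field & HIGH_BIT:
        return _read_name(section, name_field & ~HIGH_BIT)
    return name_field  # plain numeric ID (type ID, name ID or language ID)


def walk_resources(section, section_rva, dir_off=0, path=(), depth=0):
    """Walk the three-level resource tree; yield (type, name, language, data) per leaf."""
    if depth >= MAX_DEPTH:
        raise ResourceError("resource tree deeper than type/name/language (cycle?)")
    if dir_off + DIR_HDR.size > len(section):
        raise ResourceError("directory offset outside resource section")
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(section, dir_off)
    entries_off = dir_off + DIR_HDR.size
    for i in range(n_named + n_id):
        ent_off = entries_off + i * DIR_ENTRY.size
        if ent_off + DIR_ENTRY.size > len(section):
            raise ResourceError("directory entry outside resource section")
        name_field, data_field = DIR_ENTRY.unpack_from(section, ent_off)
        ident = _entry_name(section, name_field)
        if data_field & HIGH_BIT:
            # Points to a subdirectory: the next level of the tree.
            yield from walk_resources(section, section_rva, data_field & ~HIGH_BIT,
                                      path + (ident,), depth + 1)
        else:
            # Leaf: IMAGE_RESOURCE_DATA_ENTRY giving the RVA and size of the raw bytes.
            if data_field + DATA_ENTRY.size > len(section):
                raise ResourceError("data entry outside resource section")
            rva, size, _codepage, _reserved = DATA_ENTRY.unpack_from(section, data_field)
            start = rva - section_rva
            if start < 0 or start + size > len(section):
                # In a real file the raw data may live outside .rsrc; this example only
                # carries the resource section, so anything else is unresolvable here.
                raise ResourceError(f"raw data RVA {rva:#x} outside resource section")
            full = path + (ident,)
            if len(full) != 3:
                raise ResourceError("leaf is not at the language level")
            rtype, rname, lang = full
            yield (RESOURCE_TYPES.get(rtype, rtype), rname, lang, section[start:start + size])


def list_resources(section, section_rva):
    return list(walk_resources(section, section_rva))


def build_sample_section(section_rva):
    """Constructed .rsrc-like blob: RT_ICON named "Hedgehog" and RT_RCDATA with ID 101."""
    def directory(named, ids):  # characteristics/timestamp/version zeroed
        return DIR_HDR.pack(0, 0, 0, 0, named, ids)
    LANG_EN_US = 0x0409
    # Fixed layout (offsets within the section); a directory is 16 + 8 * entries bytes.
    t_icon, t_rc, n_icon, n_rc, de_icon, de_rc, name_str = 32, 56, 80, 104, 128, 144, 160
    icon_bytes = b"\x00\x00\x01\x00\x01\x00"  # constructed stand-in for an .ico payload
    rc_bytes = b"config=1\n"                  # constructed stand-in for RCDATA
    raw_icon = name_str + 2 + 2 * len("Hedgehog")  # 178
    raw_rc = raw_icon + len(icon_bytes)            # 184
    blob = bytearray()
    blob += directory(0, 2)                                         # root (level 1: type)
    blob += DIR_ENTRY.pack(3, HIGH_BIT | t_icon)                    # RT_ICON -> subdir
    blob += DIR_ENTRY.pack(10, HIGH_BIT | t_rc)                     # RT_RCDATA -> subdir
    blob += directory(1, 0)                                         # level 2: name
    blob += DIR_ENTRY.pack(HIGH_BIT | name_str, HIGH_BIT | n_icon)  # name is a string
    blob += directory(0, 1)
    blob += DIR_ENTRY.pack(101, HIGH_BIT | n_rc)                    # name is ID 101
    blob += directory(0, 1)                                         # level 3: language
    blob += DIR_ENTRY.pack(LANG_EN_US, de_icon)                     # -> data entry
    blob += directory(0, 1)
    blob += DIR_ENTRY.pack(LANG_EN_US, de_rc)
    blob += DATA_ENTRY.pack(section_rva + raw_icon, len(icon_bytes), 0, 0)
    blob += DATA_ENTRY.pack(section_rva + raw_rc, len(rc_bytes), 0, 0)
    blob += struct.pack("<H", 8) + "Hedgehog".encode("utf-16-le")   # length-prefixed name
    blob += icon_bytes + rc_bytes                                   # the raw resource data
    return bytes(blob)


if __name__ == "__main__":
    rva = 0x3000
    for rtype, name, lang, data in list_resources(build_sample_section(rva), rva):
        print(f"{rtype:12} name={name!r:12} lang={lang:#06x} size={len(data)}")
```

Run it as is and it prints the two leaves with their type, name, language and data size. Note that a real parser must also translate the data entry's RVA through the section table, since the raw data may sit in a different section from the directory tree; the example keeps everything inside one section so it runs without a full PE.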

6 Comments

  • nop 0x90 June 27, 2019 at 12:42 pm

    You are awesome! Thank you for doing these videos! You're really good at explaining concepts used in MA/RE and making them easier to understand. Love your vids

  • Michael Texa June 27, 2019 at 12:42 pm

    Thanks for those quality videos! I just have moldy ears, as the sound is ringing I encounter some problems understanding what you are saying sometimes, but anyway, continue to produce quality content; we are not so many here, but those who are, are really interested I guess 🙂

  • Andy Andes June 27, 2019 at 12:42 pm

    Btw, I really find these videos about the PE format very interesting, please keep doing them since there are not so many videos about it!

  • Andy Andes June 27, 2019 at 12:42 pm

    I appreciate the effort you put into these videos 🙂
    I have a doubt about ransomware viruses. Do they use symmetric encryption? If so, how do they get the key to decrypt the data? Can't it be obtained through RE, or even simpler, just by looking into the strings (after de-obfuscating/unpacking)?
    Thanks!

  • zproxy June 27, 2019 at 12:42 pm

    Ya hand drawing?

  • Rohan Sahu June 27, 2019 at 12:42 pm

    awesome video as always