Reflective PE Unloading - Spencer McIntyre BSides Cleveland 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)
Reflective PE Unloading
Spencer McIntyre

@zeroSteiner

Many in-memory payloads and implants utilize the tried and true technique pioneered by Stephen Fewer for "reflectively" loading a PE file into memory. This technique is fantastic and allows tools to take a blob in memory and load it as if it were a PE file existing on disk. What will be outlined in this talk is a technique to reverse this process and go from having an image loaded in memory to having a PE blob in memory suitable for writing to disk. This creates an exact byte-for-byte copy of an image suitable for being loaded back into memory (either reflectively or through the Windows system loader) and repeating the process. This could be used, for example, to have a payload which is running in memory copy itself out and write itself to an arbitrary location for persistence without having to download a fresh copy from the network or keep an original in memory. The talk will focus on the technical challenges that were present while developing the technique, and provide a description of the differences between a PE file as it exists on disk and as it exists once loaded in memory. Proof of concept code for the x86 and x86-64 architectures will be released and demonstrated.
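The core of the disk-versus-memory difference the abstract refers to is layout: on disk each section sits at PointerToRawData (FileAlignment granularity), while a loader copies it to VirtualAddress (SectionAlignment granularity) inside a SizeOfImage-sized region, and the headers sit at offset 0 in both. The following Python is an added illustration written for this page, not the speaker's proof of concept: it builds a small synthetic PE32+ blob inline, simulates the section copying a reflective loader performs, then reverses it ("unloads" the image) and checks that the result is byte-for-byte identical to the original. It deliberately ignores what a real loader changes after mapping (base relocations, the resolved import address table, any loader-written data), so against a live process those bytes would still have to be reverted before the copy is exact. Field offsets are the fixed ones from the PE specification, so no Windows headers are required and the script runs anywhere.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = "<8sIIIIIIHHI"


def parse_headers(buf):
    """Pull out the fields needed for (un)mapping. The headers are the same
    bytes on disk and in memory, so this works on either layout."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header start
    # SizeOfImage (+56) and SizeOfHeaders (+60) sit at the same offsets in PE32 and PE32+.
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sec_table = opt + opt_size
    sections = [struct.unpack_from(SECTION_HDR, buf, sec_table + 40 * i)
                for i in range(nsec)]
    return size_of_image, size_of_headers, sections


def map_image(pe_file):
    """Simulate a reflective loader: headers to offset 0, then SizeOfRawData
    bytes of each section from PointerToRawData to VirtualAddress, inside a
    zero-filled SizeOfImage buffer (the gaps are the in-memory padding)."""
    size_of_image, size_of_headers, sections = parse_headers(pe_file)
    image = bytearray(size_of_image)
    image[:size_of_headers] = pe_file[:size_of_headers]
    for _name, _vsize, va, raw_size, raw_ptr, *_rest in sections:
        image[va:va + raw_size] = pe_file[raw_ptr:raw_ptr + raw_size]
    return bytes(image)


def unmap_image(image):
    """Reverse the mapping: headers first, then each section copied from
    VirtualAddress back to PointerToRawData. The file ends at the highest
    PointerToRawData + SizeOfRawData; any overlay that trailed the original
    file was never mapped and therefore cannot be recovered from memory."""
    _size_of_image, size_of_headers, sections = parse_headers(image)
    file_size = max([size_of_headers] + [s[4] + s[3] for s in sections])
    out = bytearray(file_size)
    out[:size_of_headers] = image[:size_of_headers]
    for _name, _vsize, va, raw_size, raw_ptr, *_rest in sections:
        out[raw_ptr:raw_ptr + raw_size] = image[va:va + raw_size]
    return bytes(out)


def build_sample_pe():
    """Constructed test input: a minimal, synthetic PE32+ with two sections
    (no imports, no relocations, no entry point). Not a runnable binary."""
    # name, VirtualAddress, PointerToRawData, SizeOfRawData, fill byte
    secs = [(b".text", 0x1000, 0x200, 0x200, b"\xcc"),
            (b".data", 0x2000, 0x400, 0x200, b"\x41")]
    hdr = bytearray(0x200)                                   # SizeOfHeaders == FileAlignment
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    # Signature, Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (PE32+ = 240), Characteristics (EXECUTABLE|LARGE_ADDRESS_AWARE)
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x8664, len(secs), 0, 0, 0, 240, 0x22)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)                  # Magic: PE32+
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 108, 16)               # NumberOfRvaAndSizes (PE32+ offset)
    body = b""
    for i, (name, va, raw_ptr, raw_size, fill) in enumerate(secs):
        struct.pack_into(SECTION_HDR, hdr, opt + 240 + 40 * i,
                         name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += fill * raw_size                              # raw_ptrs are contiguous after hdr
    return bytes(hdr) + body


if __name__ == "__main__":
    original = build_sample_pe()
    loaded = map_image(original)
    recovered = unmap_image(loaded)
    print("file %#x bytes, image %#x bytes, round trip identical: %s"
          % (len(original), len(loaded), recovered == original))
```

The round trip holds here because nothing touched the image between map and unmap. In a real process the walk is the same, but the unmapper must also subtract the load delta from every base-relocation target and restore the original import thunks (the names or ordinals the IAT held before the loader overwrote them with resolved addresses) to reach the exact copy the abstract describes.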

Spencer McIntyre works for SecureState consulting doing R&D. He is an avid open source contributor and Python enthusiast.






Copyright 2020, IronGeek