COMMSEC: PErfidious: Make PE Backdooring Great Again!


PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.

Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.

Location: BALLROOM 2 Date: August 30, 2019 Time: 11:00 am - 11:30 am Shreyans Doshi