Intentional PE Corruption

Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year.

If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware has been downloaded 100 million times, is one of the most popular and effective anti-malware cleanup tools out there, and is a threat to the malware industry’s bottom line (what, you didn’t know there was a malware industry?). As such, it’s no surprise that malware is constantly trying to thwart our software.

One of the malware writers’ favorite tricks is to try to get our scanner to crash when scanning their malware files. Not only does this make us unable to detect and remove the malware, but it also makes us look bad. We have to play (somewhat) by the rules; the bad guys don’t. They are free to write as buggy, as corrupt, as unstable code as they want, and half the time, we take the blame for it! (You can imagine how challenging and frustrating this can be for us.)

I saw a cute new trick just the other day when I was analyzing a buggy malware binary that caused our scanner to crash.

The Windows PE executable binary format is divided into so-called “sections”, which contain different kinds of information about the binary. One section usually contains the actual executable code, another section contains read-only data, a third contains writeable global variables, another contains API import and export tables. One section, commonly called “.rsrc”, contains arbitrary “resource” data that the executable can reference. This often includes graphics, like icons or bitmaps, but it can be anything, even other binaries.

The .rsrc section is organized hierarchically into a tree data structure, where branches of the tree represent different resource “types” or classifications (like icons, or string resources), and individual leaves represent individual resource elements.

This cunning piece of malware created a tree with circular references: a tree whose leaves pointed back to its branches. In computer science terms, it created a directed cyclic graph of resources.

According to the Windows PE specification, this is illegal. As a result, not only did Windows’ own PE loader fail to parse the resources in the file (Explorer crashed spectacularly), but various security products went into an infinite loop trying to parse the resource tree.
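To make the failure mode concrete, here is an added example (not Malwarebytes code, and not taken from the malware described above) of a bounded walk over a PE resource directory. It reads the on-disk IMAGE_RESOURCE_DIRECTORY / IMAGE_RESOURCE_DIRECTORY_ENTRY / IMAGE_RESOURCE_DATA_ENTRY layouts from the PE/COFF specification, keeps the current descent path on a stack so that an entry pointing back at an ancestor directory is reported as a cycle instead of being followed forever, and also enforces a depth limit, a node budget and bounds checks as second-line defences. The two sample blobs are constructed in the code: a well-formed icon tree, and the same tree with its leaf entry redirected to the root directory, which is the shape of corruption the post describes. The `NODE_BUDGET` value and the sample RVA/size figures are assumptions chosen for the example.

```python
"""Bounded walk of a PE .rsrc directory tree that survives cyclic references."""
import struct
from dataclasses import dataclass, field

# On-disk layouts from the PE/COFF spec (little-endian).
DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY (16 bytes)
SUBDIR_FLAG = 0x80000000             # high bit set: offset points at a subdirectory
MAX_DEPTH = 3                        # well-formed trees are type -> name -> language
NODE_BUDGET = 10_000                 # hard cap on directories visited (assumed limit)


@dataclass
class WalkResult:
    leaves: list = field(default_factory=list)     # (path, data RVA, size)
    cycles: list = field(default_factory=list)     # paths where an entry pointed back up the tree
    malformed: list = field(default_factory=list)  # paths with out-of-bounds or over-deep nodes
    visited: int = 0                               # directories actually parsed


def walk_resources(rsrc: bytes) -> WalkResult:
    """Walk the resource tree rooted at offset 0 of the section's raw bytes."""
    result = WalkResult()
    _walk_dir(rsrc, 0, (), [], result)
    return result


def _walk_dir(rsrc, off, path, stack, result):
    # Cycle check: a directory already on the current descent path is a back edge.
    if off in stack:
        result.cycles.append(path)
        return
    # Depth and budget checks stop DAG-shaped blowups that are not strict cycles.
    if len(path) > MAX_DEPTH or result.visited >= NODE_BUDGET:
        result.malformed.append(path)
        return
    if off + DIR_HDR.size > len(rsrc):
        result.malformed.append(path)
        return
    result.visited += 1
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(rsrc, off)
    stack.append(off)
    for i in range(n_named + n_id):
        eoff = off + DIR_HDR.size + i * DIR_ENTRY.size
        if eoff + DIR_ENTRY.size > len(rsrc):
            result.malformed.append(path)
            break
        # name_or_id is an integer ID, or (high bit set) an offset to a name string;
        # the raw value is recorded as-is here.
        name_or_id, target = DIR_ENTRY.unpack_from(rsrc, eoff)
        child_path = path + (name_or_id,)
        if target & SUBDIR_FLAG:
            _walk_dir(rsrc, target & 0x7FFFFFFF, child_path, stack, result)
        elif target + DATA_ENTRY.size <= len(rsrc):
            rva, size, _, _ = DATA_ENTRY.unpack_from(rsrc, target)
            result.leaves.append((child_path, rva, size))
        else:
            result.malformed.append(child_path)
    stack.pop()


def _directory(entries):
    """Constructed IMAGE_RESOURCE_DIRECTORY holding ID entries only."""
    header = DIR_HDR.pack(0, 0, 0, 0, 0, len(entries))
    return header + b"".join(DIR_ENTRY.pack(i, o) for i, o in entries)


def build_sample(language_target: int) -> bytes:
    """Constructed .rsrc blob: root @0x00, type dir @0x18, name dir @0x30, data entry @0x48."""
    root = _directory([(3, SUBDIR_FLAG | 0x18)])        # RT_ICON
    by_name = _directory([(1, SUBDIR_FLAG | 0x30)])     # icon #1
    by_lang = _directory([(0x409, language_target)])    # en-US
    data = DATA_ENTRY.pack(0x3000, 0x2E8, 0, 0)         # assumed RVA and size
    return root + by_name + by_lang + data


GOOD_SAMPLE = build_sample(0x48)                  # leaf -> data entry
CYCLIC_SAMPLE = build_sample(SUBDIR_FLAG | 0x00)  # leaf -> back to the root directory


if __name__ == "__main__":
    for label, blob in (("well-formed", GOOD_SAMPLE), ("cyclic", CYCLIC_SAMPLE)):
        r = walk_resources(blob)
        print(f"{label}: leaves={r.leaves} cycles={r.cycles} malformed={r.malformed}")
```

The stack-based check catches the exact trick in the post (a leaf pointing back to a branch). The depth cap and node budget matter too: a file can contain many directories that legitimately share children, which is not a cycle but can still make a naive recursive walk do far more work than the section size suggests, so a scanner should bound the walk by something it controls rather than by the structure the file claims.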

But you can’t fool us, malware: Malwarebytes Anti-Malware now handles this correctly, along with a slew of other intentional PE corruptions we’ve seen before. One more malware writer’s trick dispatched. Do your worst, malware! Bring it on.


Doug Swanson

I’m the Chief Technology Officer and I like to write code on Notepad.