PE Section names – re-visited, again

July 26, 2019 in Batch Analysis, Malware Analysis

In my old post I listed lots of different, unique, characteristic PE Section names. I have updated that post (and its predecessor) a number of times over the years.

For a long time I sat in a comfort zone, thinking that this data had to be a superset of most, if not all, PE section names one would expect to find in the wild…

Wrong. A classic availability bias.

The thing is that the list was sourced from a large malicious sample set and only a small set of well-known clean files. There are, it seems, a lot of files that I missed.

In an effort to address this bias (in my defense, I suspected it existed; this is why this post is here), I started mass-downloading clean samples ~5 years ago. By now I have tons of them. After running various statistical analyses on them I am confident to say that my original PE section set is not complete. Far from it. The point is supported by the superficial metadata analysis that follows.

Surprisingly, I have never listed these sections:

  • RT_CODE
  • RT_DATA
  • RT_CONST
  • RT_BSS

I am shocked, because they are actually very common in clean files!

The same goes for the IPP* sections (Intel Integrated Performance Primitives, as used by OpenCV):

  • IPPCODE
  • IPPDATA

a Hewlett-Packard section:

  • TulipLog – HP test/verification tools

and an NVidia section:

  • _NVTEXT3 – unknown purpose; code?

A few ‘obvious ones’ whose purpose we can guess by looking at the names alone:

  • .SHAREDS
  • _LTEXT
  • _LDATA
  • COMPRESS
  • FlashPix
  • NONPAGED
  • INITCONS
  • COMMONDA
  • PRIVATE
  • ApiHooks

And then the whole collection of PAGE* sections. These come from kernel-mode drivers: the Windows memory manager treats a driver section whose name begins with PAGE as pageable, so vendors carve their pageable code and data into as many PAGE-prefixed sections as they like (note how many of them are exactly 8 characters long, the full width of the section name field):

  • PAGECONS, PAGEDATA, PAGE_COM, PAGE_INI, PAGEDC11, PAGE_DDC, PAGEDC80, PAGEDFER, PAGECFER, PAGE_CAI, PAGE_ISR, PAGEDC60, PAGEDC10, PAGESER, PAGEDC50, PAGEDC40, PAGEcKPL, PAGEcFRM, PAGE_DAL, PAGEcRMA, PAGEcRM, PAGE_MCM, PAGEdMXL, PAGEdKPL, PAGEdFRM, PAGEcMXL, PAGE_RW, PAGE_RO, PAGE_CPR, PAGE_CPC, PAGE_PPL, PAGEDTES, PAGEDNLG, PAGECTES, PAGECNLG, NON_PAGE, PAGESRP0, PAGEdreg, PAGEdjaw, PAGEcsrv, PAGEcjaw, PAGEcsec, PAGEcTSL, PAGEdctw, PAGEcctw, PAGEcwfd, PAGEcpsm, PAGEcnlo, PAGEcast, PAGELK, PAGEdsv_, PAGEdcln, PAGEcsv_, PAGEccln, PAGE_DEV, PAGEdStn, PAGE_IVI, PAGE_ISI, PAGE_IKV, PAGE_IIL, PAGE_ICZ, PAGE_ICI, PAGEdscn, PAGEdimg, PAGEdSnF, PAGEcimg, PAGEDC12, PAGE_ITN, PAGE_ILN, PAGE_IEG, PAGE_IBT, PAGEdoid, PAGEDC41, PAGE_WSV, PAGEdwi2, PAGEdwi1, PAGE_CRM, PAGEdPSL, PAGEcPSL, PAGEdPsr, PAGErPSL, PAGErMXL, PAGErKPL, PAGErFRM, PAGEdTSL, PAGE_PWR, PAGE_TOP, PAGE_PMC, PAGE_MEM, PAGE_DBG, PAGED, PAGE_OSS, PAGECODE, PAGEDLEG, PAGECLEG, PAGEcwkp, PAGEcptw, PAGE_LK, PAGE_IGN, PAGEdSnd, PAGE_DAT, PAGEdWsP, PAGEdrlg, PAGEKD, PAGE_IRV, PAGEipp, PAGEABLE, PAGEdtyl, PAGEdpma, PAGEdkmr, PAGEdcpk, PAGEctyl, PAGEcpma, PAGEckmr, PAGEccpk, PAGED_DA, PAGEcLGC, PAGEI028, PAGEI027, PAGEI026, PAGEI025, PAGEI024, PAGEI023, PAGEI022, PAGEI021, PAGEI020, PAGEI019, PAGEI018, PAGEI017, PAGEI016, PAGEI015, PAGEI014, PAGEI013, PAGEI012, PAGEI011, PAGEI010, PAGEI009, PAGEI008, PAGEI007, PAGEI006, PAGEI005, PAGEI004, PAGEI003, PAGEI002, PAGEI001, PAGEI000, PAGE_BIO, PAGEVRFY, PAGED_CO, PAGEPARW, PAGEVRFD, PAGEVRFC, PAGEHDLS, PAGEWMI, PAGESPEC, PAGE_VCN, PAGE_SMU, PAGE_PSP, PAGE_ISP, PAGE_GVM, PAGE_GC_, PAGE_BGM, PAGE0003, PAGE0002, PAGE0001, PAGEdQua, PAGESRP, PAGESENM, PAGE_NO_, PageIVUE, PAGErVLT, PAGEdVLT, PAGEccpt, PAGEcVLT, PAGELKCO, PAGE_DF_, PAGEdThP, PAGE_VCE, PAGE_UVD, PAGEI029, PAGECNST, PAGELKD, PAGEtext, PAGErdat, PAGEdata, PAGE_IOM, PAGEnPSL, PAGEnMXL, PAGEnKPL, PAGEnFRM, PAGE_DYN, PAGEUSBS, PAGEPOWR, PAGEWdfV, PAGEiVAC, PAGESPR0, PAGE_M, PAGE_IOC, PAGE_DIS, PAGE_CX, PAGEWCE1, PAGEWCE0, PAGEUBS0, PAGEcrea, PAGEDNLD, PAGErGEN, PAGEfull, PAGESCAN, PAGER32R, PAGER32C, PAGELK16, PAGEBTTS, NOPAGED, .no_page, nonpage, PAGEopen, PAGE_INV, PAGE_ATA, PAGE_AFP, PAGEVRFB, PAGEUSB, PAGEUMDM, PAGESAN, PAGENDSW, PAGENDST, PAGENDSM, PAGENDSI, PAGENDSF, PAGENDSE, PAGENDSA, PAGEMOUC, PAGELOCK, PAGEIPMc, PAGEI042, PAGEI041, PAGEI040, PAGEI039, PAGEI038, PAGEI037, PAGEI036, PAGEI035, PAGEI034, PAGEI033, PAGEI032, PAGEI031, PAGEI030, PAGEEAWR, PAGEEADS, PAGEC, PAGEBGFX, PAGEAFD

Finally, sections named in a somewhat intriguing way:

  • .secure
  • .DllShar
  • .DllDebu
  • HookShar
  • DebugDat
  • DebugCod
  • DeathAnd
  • .ELIOT
  • EWTPHOOK
  • FINDSHAR
  • .Process
  • .PwrMoni
  • .remotep
  • .remoteF
  • .HOOKVAR
  • .DLLShar

There are also tons of randomly named sections, indicating that vendors do not shy away from using crypters/virtualizers. While that makes a lot of sense (code/IP protection), it also makes it harder to incorporate these ‘anomalies’ into a proper Machine Learning/AI model: a random-looking section name in a legitimately protected clean file is indistinguishable, by name alone, from one in a packed malicious file.

I actually suspect that a careful sample set analyst will be in a position to fool any ‘AI-driven’ or ‘Next-gen’ antivirus by manipulating PE file properties alone. We have already seen a good example of such work, e.g. by Skylight Cyber, but it’s the tip of the iceberg.
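The kind of metadata pass described at the top of the post (walk a corpus, pull every section name, tally them) and the closing remark about random-looking names and packers both come down to reading IMAGE_SECTION_HEADER entries correctly. The following is an added example, not code from the original post: it parses the section table straight from the raw headers without pefile, so it also shows the one detail that explains the shape of the lists above, namely that the 8-byte Name field has no NUL terminator when the name is exactly 8 characters long. The KNOWN allow-list here is a constructed handful of names taken from this post (the real list is the author's full collection), and the corpus is three constructed PE skeletons built by build_pe, a test-fixture helper of my own; the W+X check and the "unknown-name" label are my own heuristics, not anything the post defines.

```python
"""Enumerate PE section names from the raw headers and tally them over a corpus.
Added example; not code from the original post.  Pure stdlib, runs offline."""
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Constructed allow-list drawn from the names in this post (assumption: a real
# deployment would load the author's complete list instead).
KNOWN = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc",
         "RT_CODE", "RT_DATA", "RT_CONST", "RT_BSS", "IPPCODE", "IPPDATA",
         "PAGE", "PAGELK", "INIT", "PAGEDATA", "PAGECONS", "NONPAGED"}


def section_headers(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns a list of (name, virtual_size, virtual_address, raw_size, raw_ptr, flags)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    headers = []
    for i in range(nsect):
        off = table + i * 40               # sizeof(IMAGE_SECTION_HEADER) == 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")   # NumberOfSections lies
        raw_name, vsize, va, rsize, rptr, _rel, _lin, _nrel, _nlin, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        # Name is 8 bytes and is NOT NUL-terminated when all 8 are used, which is
        # why so many names in the wild (TulipLog, PAGEcKPL, ...) are exactly 8 long.
        name = raw_name.rstrip(b"\0").decode("latin-1")
        headers.append((name, vsize, va, rsize, rptr, flags))
    return headers


def section_names(data):
    return [h[0] for h in section_headers(data)]


def odd_sections(data, known=KNOWN):
    """Names outside the allow-list, plus any section that is both writable and
    executable (a common packer / self-modifying-code indicator), whatever its name."""
    findings = []
    for name, _vs, _va, _rs, _rp, flags in section_headers(data):
        wx = bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE)
        if wx or name not in known:
            findings.append((name, "W+X" if wx else "unknown-name"))
    return findings


def tally(corpus):
    """Frequency of every section name across a list of PE blobs."""
    counts = Counter()
    for blob in corpus:
        counts.update(section_names(blob))
    return counts


def build_pe(sections):
    """Constructed test fixture: a minimal PE32 skeleton carrying only the given
    (name, flags) section table.  It has no code and is not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after DOS header
    opt = bytes(0xE0)                                # empty PE32 optional header (never read here)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("latin-1")[:8].ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, f)
        for i, (n, f) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed corpus: two "clean" layouts and one packed-looking one.
CORPUS = [
    build_pe([(".text", RX), (".data", RW), ("RT_CODE", RX), ("RT_DATA", RW)]),
    build_pe([(".text", RX), ("PAGEDATA", RW), ("TulipLog", RW)]),
    build_pe([("A7kQ2z9b", RX | IMAGE_SCN_MEM_WRITE), (".text", RX)]),
]

if __name__ == "__main__":
    for name, n in tally(CORPUS).most_common():
        print(f"{n:3d}  {name}")
    for blob in CORPUS:
        print(odd_sections(blob))
```

Swap CORPUS for the bytes of real files and the tally is the frequency table behind a list like the one in this post; a name that is rare across a large clean set but common in a malicious one is the useful signal, while a single unknown name on its own (TulipLog above) is exactly the kind of benign outlier the post is about.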

