{"id":6620,"date":"2019-07-26T23:43:50","date_gmt":"2019-07-26T23:43:50","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6620"},"modified":"2019-07-27T21:52:57","modified_gmt":"2019-07-27T21:52:57","slug":"pe-section-names-re-visited-again","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/07\/26\/pe-section-names-re-visited-again\/","title":{"rendered":"PE Section names \u2013 re-visited, again"},"content":{"rendered":"\n<p>In my <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/pe-section-names-re-visited\/\">old post<\/a> I listed lots of different, unique, characteristic PE Section names. I have updated that post (and its <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/14\/random-stats-from-1-2m-samples-pe-section-names\/\">predecessor<\/a>) a number of times over the years.<\/p>\n\n\n\n<p>For a long time I was sitting in a comfort zone, thinking that <em>this data<\/em> had to be a <em>superset<\/em> of most, if not all, PE Sections one would expect to find in the wild&#8230;<\/p>\n\n\n\n<p>Wrong. A classic <a href=\"https:\/\/psychology.wikia.org\/wiki\/Availability_error\">availability error<\/a>.<\/p>\n\n\n\n<p>The thing is that the list was sourced from a large malicious sampleset and a small set of well-known clean files. There are, though, it seems, a lot of files that I missed.<\/p>\n\n\n\n<p>In an effort to address this bias (in my defense, I suspected it existed, which is why this post is here), I started a process of mass-downloading clean samples ~5 years ago. Now I have tons of them. After running various statistical analyses on them I am confident in saying that my original PE Section set is not complete. Far from it. 
My point is supported by the superficial metadata analysis that follows.<\/p>\n\n\n\n<p>Surprisingly, I have never listed these sections:<\/p>\n\n\n\n<ul><li>RT_CODE<\/li><li>RT_DATA<\/li><li>RT_CONST<\/li><li>RT_BSS<\/li><\/ul>\n\n\n\n<p>I am shocked, because they are actually very common inside the clean files!<\/p>\n\n\n\n<p>Same goes for IPP* sections (used by <a href=\"https:\/\/en.wikipedia.org\/wiki\/OpenCV\">OpenCV<\/a>):<\/p>\n\n\n\n<ul><li>IPPCODE<\/li><li>IPPDATA<\/li><\/ul>\n\n\n\n<p>and Hewlett-Packard sections:<\/p>\n\n\n\n<ul><li>TulipLog &#8211; HP test\/verification tools<\/li><\/ul>\n\n\n\n<p>and an NVidia section:<\/p>\n\n\n\n<ul><li>_NVTEXT3 &#8211; unknown purpose; code?<\/li><\/ul>\n\n\n\n<p>A couple of &#8216;obvious ones&#8217; whose purpose we can guess from the names alone:<\/p>\n\n\n\n<ul><li>.SHAREDS<\/li><li>_LTEXT<\/li><li>_LDATA<\/li><li>COMPRESS<\/li><li>FlashPix<\/li><li>NONPAGED<\/li><li>INITCONS<\/li><li>COMMONDA<\/li><li>PRIVATE<\/li><li>ApiHooks<\/li><\/ul>\n\n\n\n<p>And then the whole collection of PAGE* sections:<\/p>\n\n\n\n<ul><li>PAGECONS, PAGEDATA, PAGE_COM, PAGE_INI, PAGEDC11, PAGE_DDC, PAGEDC80, PAGEDFER, PAGECFER, PAGE_CAI, PAGE_ISR, PAGEDC60, PAGEDC10, PAGESER, PAGEDC50, PAGEDC40, PAGEcKPL, PAGEcFRM, PAGE_DAL, PAGEcRMA, PAGEcRM, PAGE_MCM, PAGEdMXL, PAGEdKPL, PAGEdFRM, PAGEcMXL, PAGE_RW, PAGE_RO, PAGE_CPR, PAGE_CPC, PAGE_PPL, PAGEDTES, PAGEDNLG, PAGECTES, PAGECNLG, NON_PAGE, PAGESRP0, PAGEdreg, PAGEdjaw, PAGEcsrv, PAGEcjaw, PAGEcsec, PAGEcTSL, PAGEdctw, PAGEcctw, PAGEcwfd, PAGEcpsm, PAGEcnlo, PAGEcast, PAGELK, PAGEdsv_, PAGEdcln, PAGEcsv_, PAGEccln, PAGE_DEV, PAGEdStn, PAGE_IVI, PAGE_ISI, PAGE_IKV, PAGE_IIL, PAGE_ICZ, PAGE_ICI, PAGEdscn, PAGEdimg, PAGEdSnF, PAGEcimg, PAGEDC12, PAGE_ITN, PAGE_ILN, PAGE_IEG, PAGE_IBT, PAGEdoid, PAGEDC41, PAGE_WSV, PAGEdwi2, PAGEdwi1, PAGE_CRM, PAGEdPSL, PAGEcPSL, PAGEdPsr, PAGErPSL, PAGErMXL, PAGErKPL, PAGErFRM, PAGEdTSL, PAGE_PWR, PAGE_TOP, PAGE_PMC, PAGE_MEM, PAGE_DBG, PAGED, 
PAGE_OSS, PAGECODE, PAGEDLEG, PAGECLEG, PAGEcwkp, PAGEcptw, PAGE_LK, PAGE_IGN, PAGEdSnd, PAGE_DAT, PAGEdWsP, PAGEdrlg, PAGEKD, PAGE_IRV, PAGEipp, PAGEABLE, PAGEdtyl, PAGEdpma, PAGEdkmr, PAGEdcpk, PAGEctyl, PAGEcpma, PAGEckmr, PAGEccpk, PAGED_DA, PAGEcLGC, PAGEI028, PAGEI027, PAGEI026, PAGEI025, PAGEI024, PAGEI023, PAGEI022, PAGEI021, PAGEI020, PAGEI019, PAGEI018, PAGEI017, PAGEI016, PAGEI015, PAGEI014, PAGEI013, PAGEI012, PAGEI011, PAGEI010, PAGEI009, PAGEI008, PAGEI007, PAGEI006, PAGEI005, PAGEI004, PAGEI003, PAGEI002, PAGEI001, PAGEI000, PAGE_BIO, PAGEVRFY, PAGED_CO, PAGEPARW, PAGEVRFD, PAGEVRFC, PAGEHDLS, PAGEWMI, PAGESPEC, PAGE_VCN, PAGE_SMU, PAGE_PSP, PAGE_ISP, PAGE_GVM, PAGE_GC_, PAGE_BGM, PAGE0003, PAGE0002, PAGE0001, PAGEdQua, PAGESRP, PAGESENM, PAGE_NO_, PageIVUE, PAGErVLT, PAGEdVLT, PAGEccpt, PAGEcVLT, PAGELKCO, PAGE_DF_, PAGEdThP, PAGE_VCE, PAGE_UVD, PAGEI029, PAGECNST, PAGELKD, PAGEtext, PAGErdat, PAGEdata, PAGE_IOM, PAGEnPSL, PAGEnMXL, PAGEnKPL, PAGEnFRM, PAGE_DYN, PAGEUSBS, PAGEPOWR, PAGEWdfV, PAGEiVAC, PAGESPR0, PAGE_M, PAGE_IOC, PAGE_DIS, PAGE_CX, PAGEWCE1, PAGEWCE0, PAGEUBS0, PAGEcrea, PAGEDNLD, PAGErGEN, PAGEfull, PAGESCAN, PAGER32R, PAGER32C, PAGELK16, PAGEBTTS, NOPAGED, .no_page, nonpage, PAGEopen, PAGE_INV, PAGE_ATA, PAGE_AFP, PAGEVRFB, PAGEUSB, PAGEUMDM, PAGESAN, PAGENDSW, PAGENDST, PAGENDSM, PAGENDSI, PAGENDSF, PAGENDSE, PAGENDSA, PAGEMOUC, PAGELOCK, PAGEIPMc, PAGEI042, PAGEI041, PAGEI040, PAGEI039, PAGEI038, PAGEI037, PAGEI036, PAGEI035, PAGEI034, PAGEI033, PAGEI032, PAGEI031, PAGEI030, PAGEEAWR, PAGEEADS, PAGEC, PAGEBGFX, PAGEAFD<\/li><\/ul>\n\n\n\n<p>Finally, sections named in a somewhat intriguing way:<\/p>\n\n\n\n<ul><li>.secure<\/li><li>.DllShar<\/li><li>.DllDebu<\/li><li>HookShar<\/li><li>DebugDat<\/li><li>DebugCod<\/li><li>DeathAnd<\/li><li>.ELIOT<\/li><li>EWTPHOOK<\/li><li>FINDSHAR<\/li><li>.Process<\/li><li>.PwrMoni<\/li><li>.remotep<\/li><li>.remoteF<\/li><li>.HOOKVAR<\/li><li>.DLLShar<\/li><\/ul>\n\n\n\n<p>There are also tons of 
randomly named sections &#8211; indicating that vendors do not shy away from using crypters\/virtualizers. While it makes a lot of sense (code\/IP protection), it also makes it harder to incorporate these &#8216;anomalies&#8217; into a proper Machine Learning\/AI model.<\/p>\n\n\n\n<p>I actually suspect that a careful sampleset analyst will be in a position to fool any &#8216;AI-driven&#8217; or &#8216;Next-gen&#8217; antivirus by manipulating PE file properties alone. We have already seen a good example of such work, e.g. by <a href=\"https:\/\/skylightcyber.com\/2019\/07\/18\/cylance-i-kill-you\/\">Skylight Cyber<\/a>, but it&#8217;s the tip of the iceberg.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my old post I listed lots of different, unique, characteristic PE Section names. I have updated that post (and its predecessor) a number of times over the years. For a long time I was sitting in a comfort zone &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/07\/26\/pe-section-names-re-visited-again\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6620"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6620"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6620\/revisions"}],"predecessor-version":[{"id":6624,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6620\/revisions\/6624"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}