Xavier's diary entry "A 'Zip Bomb' to Bypass Security Controls & Sandboxes" reminded me of something. I've seen huge PE files like Xavier saw, but I've also seen a couple of huge PE files that are signed. I will explain here how you can reduce their size.

The PE file that Xavier talked about, can be represented as follows (picture not to scale):

To recover the original PE file, and make it much smaller, suitable for analysis, one removes the NULL block. As Xavier explained.

I've seen PE files like this. What I've also seen a couple of times, is a huge PE file like this (again, picture not to scale):

So right after the huge block of NULLs, comes a digital signature (Authenticode). It's a very small block, but not NULL. The examples I've seen were fake signatures, but this can be done with valid signatures to.

To recover the original PE file, one needs to remove the NULL block and the signature, and also update the reference to the signature inside the PE file (directory entry with offset & size of signature).

This can be done as follows.

As I'm not at liberty to share the samples I have, I took Xavier's sample and added a fake signature with my disitool.py.

Taking a look at that PE file with pecheck.py, you get a warning from the pefile module that the PE file contains a huge amount of NULL bytes.

The file is huge: 400 MB. But when you look at the sections, they are in total less than 2 MB:

The file contains a digital signature:

It is fake:

We remove the digital signature with my disitool.py like this:

We verify that the signature is removed:

And then we run pecheck.py again:

We have a huge overlay of 398MB that consists of NULL bytes only (MAGIC 00000000, entropy 0.0, only 1 unique byte).

We can strip that overlay with pecheck.py using option -o s (s = stripped PE file) and writing the result to disk -D + file redirection:

The result is a PE file less than 2 MB:

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com