Usually, spyware or adware consists of two kinds of files: program file and data file. How to hide program file is very crucial for any spyware or adware because detectors who uncover spyware and adware always get clues from program file for the following reasons.
Any spyware or adware must have more than one program file, even if it might have not a data file.
A program file cannot be compressed or encrypted in disk when running, whereas it is possible that a data file is always compressed or encrypted in disk.
When a program is running, it is easy to find its image in memory and its location in disk. Because spyware usually need to run as long as the computer is turned on, detectors have enough time to analyses it.
In Windows, program files in spyware have two types: EXE file and DLL file. Both of them are PE format file. PE stands for Portable Executable. It is the native file format of Win32. The meaning of “portable executable” is that the file format is universal across win32 platform: the PE loader of every win32 platform recognizes and uses this file format even when Windows is running on CPU platforms other than Intel. Thus studying the PE file format gives you valuable insights into the structure of Windows and helps very much to uncover spyware.
A general layout of PE file is shown as following.
DOS MZ header: All PE files must start with a simple DOS MZ header. You need not to care it seriously. Provided that the program run from DOS, the DOS can recognize it as a valid executable and can thus run the DOS stub which is stored next to the MZ header.
DOS stub: The DOS stub is actually a valid EXE that is executed in case the operating system, for example DOS, does not know about PE file format. It can simply display a string like “This program requires Windows” or it can be a full-blown DOS program depending on the intent of the programmer. In Win32 development environment, it is usually produced by the assembler or by compiler. In most case, it simply uses int 21h, service 9 to print a string saying “This program cannot run in DOS mode”.
PE header: The PE header is a general term for the PE-related structure named IMAGE_NT_HEADERS. This structure contains many essential fields that are used by the PE loader. It includes all secrets of PE file format. In the case the program is executed in the operating system that knows about PE file format, the PE loader can find the starting offset of the PE header from the DOS MZ header. Thus it can skip the DOS stub and go directly to the PE header that is the real file header.
Section table: The real content of the PE file is divided into blocks called sections. A section is nothing more than a block of data with common attributes such as code/data, read/write etc. The section table is an array of structures. Each structure contains the information about each section in the PE file such as its attribute and offset. If there are 5 sections in the PE file, there will be exactly 5 members in this structure array.
Section 1 to n: These sections contain the executable codes or data of this PE file indexed by section table.
The layout of PE file is very important to both spyware developers and the people who detect spyware, especially to the latter. Because, they know that regardless of a large number of files in disk, the number of running files in memory is far small. Only if a spyware runs in memory, in fact a spyware have to enter into memory to work, it will be discovered probably. Then they can get the actual file in disk. By analyzing or tracking it, the related files and settings will expose totally. As you see, spyware is so vulnerable to defeat.
To overcome this shortcoming, some spyware, especially adware, creates temporary PE files instead of permanent PE files. It means that a spyware or adware divides its execution into two phases. The first is to produce the temporary PE files that take real spy functionalities. The first step is very short so that it is hard to be detected or observed. Then, the temporary PE files begin to do regular job of spyware. After these temporary files are found out and deleted by computer owners, they might be produced again only if the spyware can execute its first phase.
If designers want to create temporary PE files in spyware, they usually integrate all PE files in a single one that can release them when they are needed. Moreover, they might compress or encrypt the data of PE files when they are integrated if necessary. So the file to release other temporary PE file, namely to implement the first phase discussed previously, is the core of spyware. Basically, this PE file includes multiple files actually. We call it questionable PE file. Many spyware use this way to distribute and hide.
To identify questionable PE file is relatively difficult. You need special tool to check PE format of file and some of them maybe fit for specification exactly.