PE 101 v1
Ange Albertini
a windows executable walkthrough
PE 101 - Portable Executable 101: a windows executable walkthrough
Ange Albertini, corkami.com - version 1, 3rd May 2012

Dissected file: simple.exe (download at pe101.corkami.com)
SHA-1: b7af4cb51ce38e43e030656eb2698fab408cf9cb

The poster shows, side by side, the hexadecimal dump, the ASCII dump, the field names, their values and an explanation. This is the whole file; most PE files, however, contain more elements. Explanations are simplified for conciseness.


HEADERS (file offset 0x0 to 0x200)

DOS header (offset 0x0) - shows it's a binary

  0000  4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00   MZ..............
  0030  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00   ............@...

  e_magic    'MZ'    constant signature
  e_lfanew   0x40    offset of the PE header

PE header (offset 0x40) - shows it's a 'modern' binary

  0040  50 45 00 00 4C 01 03 00 00 00 00 00 00 00 00 00   PE..L...........
  0050  00 00 00 00 E0 00 02 01 ...                       ....a...

  Signature             'PE', 0, 0          constant signature
  Machine               0x14c [intel 386]   processor: ARM/MIPS/Intel/...
  NumberOfSections      3                   number of sections
  SizeOfOptionalHeader  0xe0                relative offset of the section table
  Characteristics       0x102 [32b EXE]     EXE/DLL/...

Optional header (offset 0x58) - information about the executable

  0058  0B 01 00 00 00 00 00 00
  0060  00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00   ................
  0070  00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00   ......@.........
  0080  00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00   ................
  0090  00 40 00 00 00 02 00 00 00 00 00 00 02 00 00 00   .@..............
  00B0  00 00 00 00 10 00 00 00 ...

  Magic                  0x10b [32b]          32 bits/64 bits
  AddressOfEntryPoint    0x1000               where execution starts
  ImageBase              0x400000             address where the file should be mapped in memory
  SectionAlignment       0x1000               where sections should start in memory
  FileAlignment          0x200                where sections should start on file
  MajorSubsystemVersion  4 [NT 4 or later]    required version of Windows
  SizeOfImage            0x4000               total memory space required
  SizeOfHeaders          0x200                total size of the headers
  Subsystem              2 [GUI]              driver/graphical/command line/...
  NumberOfRvaAndSizes    16                   number of data directories

Data directories (offset 0xb8, the last part of the optional header) - pointers to extra structures (exports, imports, ...)

  00C0  00 20 00 00 00 00 00 00 ...

  ImportsVA   0x2000   RVA* of the imports (data directory #2)

Sections table (offset 0x138) - defines how the file is loaded in memory

  0138  2E 74 65 78 74 00 00 00 00 10 00 00 00 10 00 00 00 02 00 00 00 02 00 00 ... 20 00 00 60   .text...
  0160  2E 72 64 61 74 61 00 00 00 10 00 00 00 20 00 00 00 02 00 00 00 04 00 00 ... 40 00 00 40   .rdata..
  0188  2E 64 61 74 61 00 00 00 00 10 00 00 00 30 00 00 00 02 00 00 00 06 00 00 ... 40 00 00 C0   .data...

  Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
  .text   0x1000       0x1000          0x200          0x200             0x60000020  CODE EXECUTE READ
  .rdata  0x1000       0x2000          0x200          0x400             0x40000040  INITIALIZED DATA READ
  .data   0x1000       0x3000          0x200          0x600             0xC0000040  INITIALIZED DATA READ WRITE

  For each section, a SizeOfRawData sized block is read from the file at PointerToRawData offset. It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics.


SECTIONS (contents of the executable)

.text - what is executed (offset 0x200, VA 0x401000)

  0200  6A 00 68 00 30 40 00 68 17 30 40 00 6A 00 FF 15   j.h.0@.h.0@.j...
  0210  70 20 40 00 6A 00 FF 15 68 20 40 00 00 00 00 00   p.@.j...h.@.....

  bytes              x86 assembly       equivalent C code
  6A 00              push 0
  68 00 30 40 00     push 0x403000      ; "a simple PE executable" (in .data)
  68 17 30 40 00     push 0x403017      ; "Hello world!" (in .data)
  6A 00              push 0
  FF 15 70 20 40 00  call [0x402070]    ; MessageBox(0, "Hello world!", "a simple PE executable", 0);
  6A 00              push 0
  FF 15 68 20 40 00  call [0x402068]    ; ExitProcess(0);

.rdata - imports (offset 0x400, RVA 0x2000): the link between the executable and the (Windows) libraries

  0400  3C 20 00 00 00 00 00 00 00 00 00 00 78 20 00 00   <...........x...
  0410  68 20 00 00 44 20 00 00 00 00 00 00 00 00 00 00   h...D...........
  0420  85 20 00 00 70 20 00 00 00 00 00 00 00 00 00 00   ....p...........
  0430  00 00 00 00 00 00 00 00 00 00 00 00 4C 20 00 00   ............L...
  0440  00 00 00 00 5A 20 00 00 00 00 00 00 00 00 45 78   ....Z.........Ex
  0450  69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73   itProcess...Mess
  0460  61 67 65 42 6F 78 41 00 4C 20 00 00 00 00 00 00   ageBoxA.L.......
  0470  5A 20 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32   Z.......kernel32
  0480  2E 64 6C 6C 00 75 73 65 72 33 32 2E 64 6C 6C 00   .dll.user32.dll.

  Import structures (all addresses here are RVAs*):

  descriptors (at 0x2000)   INT*    Name                  IAT*
                            0x203c  0x2078 kernel32.dll   0x2068
                            0x2044  0x2085 user32.dll     0x2070
                            0       0                     0        (empty descriptor: end of the list)

  INT 0x203c: 0x204c, 0   -> Hint, Name at 0x204c: 0, ExitProcess
  INT 0x2044: 0x205a, 0   -> Hint, Name at 0x205a: 0, MessageBoxA
  IAT 0x2068: 0x204c, 0   (on file, the IAT holds the same pointers as the INT)
  IAT 0x2070: 0x205a, 0

  Consequences: after loading, 0x402068 will point to kernel32.dll's ExitProcess and 0x402070 will point to user32.dll's MessageBoxA.

.data - strings (offset 0x600, VA 0x403000)

  0600  61 20 73 69 6D 70 6C 65 20 50 45 20 65 78 65 63   a.simple.PE.exec
  0610  75 74 61 62 6C 65 00 48 65 6C 6C 6F 20 77 6F 72   utable.Hello.wor
  0620  6C 64 21 00                                       ld!.

  0x403000   "a simple PE executable", 0
  0x403017   "Hello world!", 0


LOADING PROCESS

  1 Headers
    the DOS header is parsed
    the PE header is parsed
    the Optional header is parsed

  2 Sections table
    the sections table is parsed (it is located at offset(OptionalHeader) + SizeOfOptionalHeader)
    it contains NumberOfSections elements
    it is checked for validity against the alignments: FileAlignment and SectionAlignment

  3 Mapping
    the file is mapped in memory according to the ImageBase, the SizeOfHeaders and the sections table:

      file offset                         memory address
      0x0    headers (SizeOfHeaders)      0x400000  ImageBase (the headers end at 0x400200)
      0x200  .text  raw data              0x401000  ImageBase + VirtualAddress
      0x400  .rdata raw data              0x402000
      0x600  .data  raw data              0x403000

  4 Imports
    the data directories are parsed: they follow the Optional header, their number is NumberOfRvaAndSizes, and imports are always #2
    the imports are parsed: each descriptor specifies a DLL name, and this DLL is loaded in memory
    IAT and INT are parsed simultaneously: for each API in the INT, its address is written in the IAT entry

  5 Execution
    code is called at the EntryPoint
    the calls of the code go via the IAT to the APIs


NOTES

  MZ header, aka DOS_HEADER: starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)
  PE header, aka IMAGE_FILE_HEADER / COFF file header: starts with 'PE' (Portable Executable); its offset is the DOS header's e_lfanew
  Optional header, aka IMAGE_OPTIONAL_HEADER: optional only for non-standard PEs, but required for executables; it follows the PE header
  RVA, Relative Virtual Address: address relative to ImageBase (at ImageBase, RVA = 0); almost all addresses of the headers are RVAs
  Virtual Address: in code, addresses are not relative (VA = ImageBase + RVA)
  Alignment: SectionAlignment in memory, FileAlignment on file
  INT, Import Name Table: null-terminated list of pointers to Hint, Name structures
  IAT, Import Address Table: same layout as the INT on file; after loading, each entry holds the address of the imported API
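The loading process above, as an added example that is not part of the poster and not corkami's code: a Python script that rebuilds simple.exe from the bytes shown on the poster and then walks it the way the loader does. It parses the headers and the section table (with the alignment check), maps the file into a SizeOfImage-sized image at each section's VirtualAddress, walks the import descriptors with their INT and Hint/Name entries, and finally resolves the `call [imm32]` instructions of the entry point through the IAT. The byte listing is constructed from the dump above (every non-zero run, zero everywhere else); the function names and the dict layout are this example's own choices, not structures from the poster. The field offsets are the PE32 (32-bit) layout, so a PE32+ file is rejected. If the reconstruction is byte-exact, hashlib.sha1(build_simple_exe()).hexdigest() equals the SHA-1 printed on the poster.

```python
import struct

# simple.exe (2048 bytes) rebuilt from the poster's hex dump. Constructed input: the non-zero
# byte runs keyed by file offset; every byte not listed is zero padding, as in the dump.
DUMP = {
    0x000: "4D 5A",                                       # e_magic 'MZ'
    0x03C: "40 00 00 00",                                 # e_lfanew: the PE header is at 0x40
    0x040: "50 45 00 00 4C 01 03 00",                     # 'PE\0\0', Machine 0x14c, NumberOfSections 3
    0x054: "E0 00 02 01 0B 01",                           # SizeOfOptionalHeader, Characteristics, Magic
    0x068: "00 10 00 00",                                 # AddressOfEntryPoint 0x1000
    0x074: "00 00 40 00 00 10 00 00 00 02 00 00",         # ImageBase, SectionAlignment, FileAlignment
    0x088: "04 00",                                       # MajorSubsystemVersion 4
    0x090: "00 40 00 00 00 02 00 00 00 00 00 00 02 00",   # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    0x0B4: "10 00 00 00",                                 # NumberOfRvaAndSizes 16
    0x0C0: "00 20 00 00",                                 # DataDirectory[1] (imports): RVA 0x2000
    0x138: "2E 74 65 78 74 00 00 00 00 10 00 00 00 10 00 00 00 02 00 00 00 02 00 00" + " 00" * 12 + " 20 00 00 60",
    0x160: "2E 72 64 61 74 61 00 00 00 10 00 00 00 20 00 00 00 02 00 00 00 04 00 00" + " 00" * 12 + " 40 00 00 40",
    0x188: "2E 64 61 74 61 00 00 00 00 10 00 00 00 30 00 00 00 02 00 00 00 06 00 00" + " 00" * 12 + " 40 00 00 C0",
    0x200: "6A 00 68 00 30 40 00 68 17 30 40 00 6A 00 FF 15 70 20 40 00 6A 00 FF 15 68 20 40 00",   # .text
    0x400: "3C 20 00 00 00 00 00 00 00 00 00 00 78 20 00 00 68 20 00 00 "                          # descriptors
           "44 20 00 00 00 00 00 00 00 00 00 00 85 20 00 00 70 20 00 00",
    0x43C: "4C 20 00 00 00 00 00 00 5A 20 00 00 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 "  # INTs, names
           "00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 4C 20 00 00 00 00 00 00 5A 20 00 00 00 00 00 00 "  # IATs
           "6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 72 33 32 2E 64 6C 6C 00",                    # DLL names
    0x600: "61 20 73 69 6D 70 6C 65 20 50 45 20 65 78 65 63 75 74 61 62 6C 65 00 "                      # .data strings
           "48 65 6C 6C 6F 20 77 6F 72 6C 64 21 00",
}

def build_simple_exe() -> bytes:
    data = bytearray(0x800)              # SizeOfHeaders 0x200 + three sections of 0x200 raw bytes
    for off, run in DUMP.items():
        data[off:off + len(run.split())] = bytes.fromhex(run)
    return bytes(data)

def parse_pe(data: bytes) -> dict:
    """Steps 1-2 of the poster: DOS header -> PE header -> optional header -> section table (PE32)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                    # IMAGE_FILE_HEADER (20 bytes) follows the signature
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                        # IMAGE_OPTIONAL_HEADER follows the file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled here; 0x20b is PE32+ with other offsets")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, sec_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    import_rva, = struct.unpack_from("<I", data, opt + 96 + 8)   # data directory #2 = imports
    sections = []
    for i in range(nsec):                # section table: OptionalHeader + SizeOfOptionalHeader
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        if va % sec_align or rawptr % file_align:   # the loader's validity check on the alignments
            raise ValueError(f"section {name!r} breaks the alignments")
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr, flags=flags))
    return dict(machine=machine, entry=entry, image_base=image_base, size_of_image=size_of_image,
                size_of_headers=size_of_headers, import_rva=import_rva, sections=sections)

def map_image(data: bytes, pe: dict) -> bytes:
    """Step 3: headers at RVA 0, then SizeOfRawData bytes of each section at its VirtualAddress."""
    mem = bytearray(pe["size_of_image"])
    mem[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for s in pe["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]][:s["vsize"]]
        mem[s["va"]:s["va"] + len(raw)] = raw       # the rest of the VirtualSize block stays zero
    return bytes(mem)

def cstr(mem: bytes, rva: int) -> str:
    return mem[rva:mem.index(b"\0", rva)].decode()  # NUL-terminated string at an RVA of the image

def parse_imports(mem: bytes, pe: dict) -> dict:
    """Step 4: walk the descriptors and INTs; return {dll: [(IAT slot VA, hint, api name), ...]}."""
    result, desc = {}, pe["import_rva"]
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", mem, desc)
        if name_rva == 0 and iat_rva == 0:          # the all-zero descriptor terminates the list
            return result
        entries, i = [], 0
        while (thunk := struct.unpack_from("<I", mem, int_rva + 4 * i)[0]) != 0:
            hint, api = struct.unpack_from("<H", mem, thunk)[0], cstr(mem, thunk + 2)  # by-name thunks only
            entries.append((pe["image_base"] + iat_rva + 4 * i, hint, api))
            i += 1
        result[cstr(mem, name_rva)] = entries
        desc += 20

def resolve_iat_calls(mem: bytes, pe: dict, imports: dict) -> list:
    """Step 5: name the API behind each 'call dword ptr [imm32]' (FF 15) in the entry-point section."""
    slots = {va: f"{dll}!{api}" for dll, ents in imports.items() for va, _, api in ents}
    sec = next(s for s in pe["sections"] if s["va"] <= pe["entry"] < s["va"] + s["vsize"])
    if not sec["flags"] & 0x20000000:               # IMAGE_SCN_MEM_EXECUTE
        raise ValueError("entry point is not in an executable section")
    code, calls, i = mem[sec["va"]:sec["va"] + sec["vsize"]], [], 0
    while (i := code.find(b"\xff\x15", i)) != -1 and i + 6 <= len(code):   # byte scan, not a disassembler
        target, = struct.unpack_from("<I", code, i + 2)
        calls.append((pe["image_base"] + sec["va"] + i, slots.get(target, f"unknown {target:#x}")))
        i += 6
    return calls
```

Running `resolve_iat_calls(mem, pe, parse_imports(mem, pe))` on the mapped image yields the two calls at 0x40100e (user32.dll!MessageBoxA, via the IAT slot 0x402070) and 0x401016 (kernel32.dll!ExitProcess, via 0x402068), which is exactly the "Consequences" box of the poster. Two caveats: the FF 15 search is a byte-pattern scan, so on arbitrary code it can match inside another instruction, and a real loader does more than this (relocations when ImageBase is unavailable, bound imports, imports by ordinal, which this parser does not handle).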