Transcribed

Portable Executable 101

PE101, a Windows executable walkthrough, by Ange Albertini, corkami.com
version 1, 3rd May 2012
Sample: simple.exe, download at pe101.corkami.com (its SHA-1 hash did not survive transcription)
This is the whole file; however, most PE files contain more elements. Explanations are simplified, for conciseness.

(The poster's hexadecimal and ASCII dumps are not legible in this transcription; the field tables, code and notes are kept below.)

DOS HEADER (shows it's a binary)
  e_magic     'MZ'    constant signature
  e_lfanew    0x40    offset of the PE header

PE HEADER (shows it's a "modern" binary)
  Signature             'PE', 0, 0          constant signature
  Machine               0x14c [Intel 386]   processor: ARM/MIPS/Intel/...
  NumberOfSections      3                   number of sections
  SizeOfOptionalHeader  0xe0
  Characteristics       0x102 [32b EXE]     EXE/DLL/...

OPTIONAL HEADER (executable information)
  Magic                  0x10b [32b]          32 bits/64 bits
  AddressOfEntryPoint    0x1000               where execution starts
  ImageBase              0x400000             address where the file should be mapped in memory
  SectionAlignment       0x1000               where sections should start in memory
  FileAlignment          0x200                where sections should start on file
  MajorSubsystemVersion  4 [NT 4 or later]    required version of Windows
  SizeOfImage            0x4000               total memory space required
  SizeOfHeaders          0x200                total size of the headers
  Subsystem              2 [GUI]              driver/graphical/command line/...
  NumberOfRvaAndSizes    16                   number of data directories

DATA DIRECTORIES (pointers to extra structures: exports, imports, ...)
  Imports VA             0x2000               RVA of the imports

SECTIONS TABLE (technical details about the executable; defines how the file is loaded in memory)
  Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
  .text   0x1000       0x1000          0x200          0x200             CODE, EXECUTE, READ
  .rdata  0x1000       0x2000          0x200          0x400             INITIALIZED DATA, READ
  .data   0x1000       0x3000          0x200          0x600             INITIALIZED DATA, READ, WRITE
  For each section, a SizeOfRawData-sized block is read from the file at offset PointerToRawData. It will be loaded in memory at address ImageBase + VirtualAddress, in a VirtualSize-sized block, with the section's characteristics.

SECTIONS (contents of the executable)
  .text: code, what is executed
    x86 assembly          Equivalent C code
      push 0
      push 0x403000
      push 0x403017
      push 0
      call [0x402070]     MessageBox(0, "Hello world!", "a simple PE executable", 0);
      push 0
      call [0x402068]     ExitProcess(0);

  .rdata: imports, the link between the executable and the Windows libraries
    Imports structures (all addresses here are RVAs)
      descriptors:
        kernel32.dll   INT 0x203c, Name 0x2078, IAT 0x2068
        user32.dll     INT 0x2044, Name 0x2085, IAT 0x2070
      INT at 0x203c: 0x204c, 0          IAT at 0x2068: 0x204c, 0
      INT at 0x2044: 0x205a, 0          IAT at 0x2070: 0x205a, 0
      Hint, Name at 0x204c: 0, "ExitProcess"
      Hint, Name at 0x205a: 0, "MessageBoxA"
    Consequences: after loading, 0x402068 will point to kernel32.dll's ExitProcess, and 0x402070 will point to user32.dll's MessageBoxA.

  .data: information used by the code
    Strings at 0x3000: "a simple PE executable\0", "Hello world!\0"

LOADING PROCESS
  1 Headers
    the DOS Header is parsed
    the PE Header is parsed (its offset is the DOS Header's e_lfanew)
    the Optional Header is parsed (it follows the PE Header)
    the DataDirectories are parsed (they follow the Optional Header; their number is NumberOfRvaAndSizes; imports are always #2)
  2 Sections table
    the Sections table is parsed (it is located at offset(OptionalHeader) + SizeOfOptionalHeader)
    it contains NumberOfSections elements
    it is checked for validity with the alignments: FileAlignment and SectionAlignment
  3 Mapping
    the file is mapped in memory according to: the ImageBase, the SizeOfHeaders, the Sections table
  4 Imports
    imports are parsed:
      each descriptor specifies a DLL name
      this DLL is loaded in memory
      IAT and INT are parsed simultaneously
      for each API in the INT, its address is written in the IAT entry
  5 Execution
    code is called at the EntryPoint
    the calls of the code go via the IAT to the APIs

NOTES
  MZ HEADER, aka DOS_HEADER: starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)
  PE HEADER, aka IMAGE_FILE_HEADER / COFF file header: starts with 'PE' (Portable Executable)
  OPTIONAL HEADER, aka IMAGE_OPTIONAL_HEADER: optional only for non-standard PEs, but required for executables
  RVA, Relative Virtual Address: address relative to ImageBase (at ImageBase, RVA = 0); almost all addresses of the headers are RVAs; in code, addresses are not relative
  INT, Import Name Table: null-terminated list of pointers to Hint, Name structures
  IAT, Import Address Table: null-terminated list of pointers; on file it is a copy of the INT; after loading it points to the imported APIs
  HINT: index in the exports table of a DLL to be imported; not required, but provides a speed-up by reducing look-up
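The loading process described on the poster, carried out in code: the following is an added example, not part of the PE101 poster or any corkami tool. It rebuilds simple.exe in memory from the field values printed on the page (the byte layout is the standard PE32 one; linker version, stack/heap sizes and the import directory size are filler values assumed here), then walks it exactly in the loader's order: DOS header, PE header, optional header, data directories, section table with the alignment check, RVA-to-file-offset mapping, and finally the import descriptors and INT, reporting which IAT slot would receive which API. Function names (build_sample_exe, parse_headers, rva_to_offset, resolve_imports, cstr) are this example's own.

```python
import struct

IMAGE_BASE, SECT_ALIGN, FILE_ALIGN = 0x400000, 0x1000, 0x200   # values from the poster


def build_sample_exe() -> bytes:
    """Constructed sample: simple.exe rebuilt from the poster's field values.
    Filler fields (linker version, stack/heap sizes, import directory size) are assumed."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                 # e_magic, e_lfanew
    pe = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", IMAGE_BASE, SECT_ALIGN, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 0x3C)                      # imports are always directory #2
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sects = [(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),   # CODE|EXECUTE|READ
             (b".rdata", 0x1000, 0x2000, 0x200, 0x400, 0x40000040),  # INITIALIZED_DATA|READ
             (b".data", 0x1000, 0x3000, 0x200, 0x600, 0xC0000040)]   # ...|READ|WRITE
    tab = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, ch)
                   for n, vs, va, rs, ro, ch in sects)
    headers = (dos + pe + opt + tab).ljust(0x200, b"\0")             # SizeOfHeaders = 0x200
    # .text: push 0 / push 403000 / push 403017 / push 0 / call [402070] / push 0 / call [402068]
    code = bytes.fromhex("6A00 6800304000 6817304000 6A00 FF1570204000 6A00 FF1568204000")
    # .rdata at RVA 0x2000: descriptors, INTs, Hint/Name pairs, IATs (a copy of the INTs), DLL names
    rdata = struct.pack("<IIIII", 0x203C, 0, 0, 0x2078, 0x2068)    # kernel32.dll descriptor
    rdata += struct.pack("<IIIII", 0x2044, 0, 0, 0x2085, 0x2070)   # user32.dll descriptor
    rdata += bytes(20)                                              # null descriptor
    rdata += struct.pack("<IIII", 0x204C, 0, 0x205A, 0)             # INTs at 0x203c, 0x2044
    rdata += b"\0\0ExitProcess\0" + b"\0\0MessageBoxA\0"            # Hint,Name at 0x204c, 0x205a
    rdata += struct.pack("<IIII", 0x204C, 0, 0x205A, 0)             # IATs at 0x2068, 0x2070
    rdata += b"kernel32.dll\0user32.dll\0"                           # names at 0x2078, 0x2085
    data = b"a simple PE executable\0Hello world!\0"                 # strings at 0x3000, 0x3017
    return headers + b"".join(s.ljust(0x200, b"\0") for s in (code, rdata, data))


def cstr(image: bytes, off: int) -> str:
    """Read a null-terminated ASCII string at a file offset."""
    return image[off:image.index(b"\0", off)].decode()


def parse_headers(image: bytes) -> dict:
    """Walk DOS header -> PE header -> optional header -> data directories -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: e_magic != 'MZ'")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    machine, nsects, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the PE header
    pe = {"machine": machine, "num_sections": nsects, "characteristics": chars,
          "magic": struct.unpack_from("<H", image, opt)[0],
          "entry_point": struct.unpack_from("<I", image, opt + 16)[0]}
    pe["image_base"], pe["section_alignment"], pe["file_alignment"] = struct.unpack_from("<III", image, opt + 28)
    pe["size_of_image"], pe["size_of_headers"] = struct.unpack_from("<II", image, opt + 56)
    pe["subsystem"] = struct.unpack_from("<H", image, opt + 68)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    pe["dirs"] = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    tab = opt + opt_size                                  # section table follows the optional header
    pe["sections"] = []
    for i in range(nsects):
        n, vs, va, rs, ro, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", image, tab + 40 * i)
        if ro % pe["file_alignment"] or va % pe["section_alignment"]:  # the loader's alignment check
            raise ValueError(f"section {n!r} violates FileAlignment/SectionAlignment")
        pe["sections"].append({"name": n.rstrip(b"\0").decode(), "vsize": vs, "va": va,
                               "rawsize": rs, "rawptr": ro, "chars": ch})
    return pe


def rva_to_offset(pe: dict, rva: int) -> int:
    """Mapping step: RVA -> file offset via the section that covers it (headers map 1:1)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return rva - s["va"] + s["rawptr"]
    if rva < pe["size_of_headers"]:
        return rva
    raise ValueError(f"RVA {rva:#x} is not mapped")


def resolve_imports(image: bytes, pe: dict) -> dict:
    """Imports step: walk descriptors and INTs; return {dll: [(IAT slot VA, hint, API)]},
    i.e. which IAT entry the loader overwrites with which API's address."""
    off = rva_to_offset(pe, pe["dirs"][1][0])
    result = {}
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, off)
        if int_rva == 0 and iat_rva == 0:                 # null descriptor ends the list
            break
        entries, i = [], 0
        while (thunk := struct.unpack_from("<I", image, rva_to_offset(pe, int_rva) + 4 * i)[0]):
            hn = rva_to_offset(pe, thunk)                 # Hint (2 bytes) then Name
            entries.append((pe["image_base"] + iat_rva + 4 * i,
                            struct.unpack_from("<H", image, hn)[0], cstr(image, hn + 2)))
            i += 1
        result[cstr(image, rva_to_offset(pe, name_rva))] = entries
        off += 20
    return result


if __name__ == "__main__":
    img = build_sample_exe()
    hdr = parse_headers(img)
    print(f"entry point VA {hdr['image_base'] + hdr['entry_point']:#x}, "
          f"{hdr['num_sections']} sections, subsystem {hdr['subsystem']}")
    for dll, apis in resolve_imports(img, hdr).items():
        for va, hint, api in apis:
            print(f"  [{va:#x}] -> {dll}!{api} (hint {hint})")
    print(repr(cstr(img, rva_to_offset(pe := hdr, 0x3017))))
```

Running it reproduces the poster's "Consequences": the IAT slot at 0x402068 resolves to kernel32.dll's ExitProcess and the slot at 0x402070 to user32.dll's MessageBoxA, which is why the code's `call [0x402070]` reaches MessageBoxA after loading. The RVA-to-offset step is the one real parsers get wrong most often (sections whose raw and virtual sizes differ, or RVAs that fall inside the headers), so it is kept as a separate function with both cases handled.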

Portable Executable 101

shared by Anonymous (not verified) on Jul 24
This graphic is a walkthrough of a simple Windows executable that shows its dissected structure and explains how it is loaded by the operating system.

Tags: windows
Category: Computers