PE 101 - Portable Executable
Ange Albertini, corkami.com

Columns of the dissected file: hexadecimal dump, ASCII dump, fields, values, explanation.
Dissected PE: simple.exe
SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb, download @ pe101.corkami.com
Numbers in brackets point to the steps of the loading process below.

DOS header (offset 0x0): shows it's a binary

0000  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00  MZ..............
0010  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
0020  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
0030  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00  ............@...

  e_magic   (offset 0x0)   'MZ'   constant signature
  e_lfanew  (offset 0x3c)  0x40   offset of the PE Header [1]

PE header (offset 0x40): shows it's a 'modern' binary

0040  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00  PE..L...........
0050  00 00 00 00-E0 00 02 01                          ....a...

  Signature             'PE', 0, 0         constant signature
  Machine               0x14c [intel 386]  processor: ARM/MIPS/Intel/...
  NumberOfSections      3                  number of sections [2]
  SizeOfOptionalHeader  0xe0               relative offset of the section table [2]
  Characteristics       0x102 [32b EXE]    EXE/DLL/...

Optional header (offset 0x58): executable information, technical details about the executable

0058                          0B 01 00 00-00 00 00 00  ........
0060  00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00  ................
0070  00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00  ......@.........
0080  00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00  ................
0090  00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00  .@..............
00A0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00B0  00 00 00 00-10 00 00 00                          ........

  Magic                  0x10b [32b]        32 bits/64 bits
  AddressOfEntryPoint    0x1000             where execution starts [5]
  ImageBase              0x400000           address where the file should be mapped in memory [3]
  SectionAlignment       0x1000             where sections should start in memory [2]
  FileAlignment          0x200              where sections should start on file [2]
  MajorSubsystemVersion  4 [NT 4 or later]  required version of Windows
  SizeOfImage            0x4000             total memory space required
  SizeOfHeaders          0x200              total size of the headers [3]
  Subsystem              2 [GUI]            driver/graphical/command line/...
  NumberOfRvaAndSizes    16                 number of data directories [4]

Data directories (at the end of the optional header, up to 0x137): pointers to extra structures (exports, imports, ...)

00B8                          00 00 00 00-00 00 00 00  ........
00C0  00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00D0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
      (all zero up to 0x137)

  ImportsVA  0x2000  RVA* of the imports [4]

Sections table (offset 0x138): defines how the file is loaded in memory

0130                          2E 74 65 78-74 00 00 00  .text...
0140  00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00  ................
0150  00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60  ...............`
0160  2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00  .rdata..........
0170  00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00  ................
0180  00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00  ....@..@.data...
0190  00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00  .....0..........
01A0  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0  ............@..+
01B0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
      (all zero up to 0x1ff)

  Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
  .text   0x1000       0x1000          0x200          0x200             CODE EXECUTE READ
  .rdata  0x1000       0x2000          0x200          0x400             INITIALIZED READ
  .data   0x1000       0x3000          0x200          0x600             DATA READ WRITE

For each section, a SizeOfRawData sized block is read from the file at PointerToRawData offset.
It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics.
Sections: contents of the executable

Code (offset 0x200 / RVA 0x401000): what is executed

0200  6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15  j.h.0@.h.0@.j. .
0210  70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00  p.@.j. .h.@.....
0220  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
      (all zero up to 0x3ff)

  x86 assembly       Equivalent C code
  push 0
  push 0x403000
  push 0x403017
  push 0
  call [0x402070]    MessageBox(0, "Hello world!", "a simple PE executable", 0);
  push 0
  call [0x402068]    ExitProcess(0);

Imports (offset 0x400 / RVA 0x402000): link between the executable and (Windows) libraries

0400  3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00  <...........x...
0410  68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00  h...D...........
0420  85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00  à...p...........
0430  00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00  ............L...
0440  00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78  ....Z.........Ex
0450  69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73  itProcess...Mess
0460  61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00  ageBoxA.L.......
0470  5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32  Z.......kernel32
0480  2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00  .dll.user32.dll.
0490  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
      (all zero up to 0x5ff)

  Imports structures                                  Consequences
  descriptors
    INT* 0x203c, IAT* 0x2068, name 0x2078 = kernel32.dll
    INT* 0x2044, IAT* 0x2070, name 0x2085 = user32.dll
    0, 0, 0, 0, 0 (end of the list)
  INT
    0x204c, 0  ->  Hint,Name  0,ExitProcess           after loading, 0x402068 will point to kernel32.dll's ExitProcess
    0x205a, 0  ->  Hint,Name  0,MessageBoxA           after loading, 0x402070 will point to user32.dll's MessageBoxA
  IAT
    0x204c, 0
    0x205a, 0

  * All addresses here are RVAs.

Strings (offset 0x600 / RVA 0x403000): data, information used by the code

0600  61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63  a.simple.PE.exec
0610  75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72  utable.Hello.wor
0620  6C 64 21 00                                      ld!.

  a simple PE executable\0
  Hello world!\0
This is the whole file; however, most PE files contain more elements. Explanations are simplified for conciseness. Version 1, 3rd May 2012.

Loading process

1 Headers
  the DOS Header is parsed
  the PE Header is parsed (its offset is DOS Header's e_lfanew)
  the Optional Header is parsed (it follows the PE Header)

2 Sections table
  the Sections table is parsed (it is located at: offset (OptionalHeader) + SizeOfOptionalHeader)
  it contains NumberOfSections elements
  it is checked for validity with alignments: FileAlignment and SectionAlignment

3 Mapping
  the file is mapped in memory according to: the ImageBase, the SizeOfHeaders, the Sections table

4 Imports
  DataDirectories are parsed: they follow the OptionalHeader, their number is NumberOfRvaAndSizes, imports are always #2
  Imports are parsed: each descriptor specifies a DLL name, and this DLL is loaded in memory
  IAT and INT are parsed simultaneously: for each API in INT, its address is written in the IAT entry

5 Execution
  Code is called at the EntryPoint
  the calls of the code go via the IAT to the APIs

Mapping of simple.exe (file offsets on the left, virtual addresses on the right)

  File (relative offset)                   Memory (virtual address)
  0x0    Headers   (SizeOfHeaders)         0x400000  ImageBase: headers
                                           0x400200  end of the headers (SizeOfHeaders)
  0x200  Section 1 (PointerToRawData,      0x401000  VirtualAddress of section 1 (VirtualSize)
                    SizeOfRawData)
  0x400  Section 2                         0x402000  section 2
  0x600  Section 3                         0x403000  section 3
  0x800  end of the file                   0x404000  end of the image (SizeOfImage)
  On file, blocks start on a multiple of FileAlignment; in memory, on a multiple of SectionAlignment.

Notes

MZ HEADER aka DOS_HEADER
  Starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)

PE HEADER aka IMAGE_FILE_HEADERS / COFF file header
  Starts with 'PE' (Portable Executable)

OPTIONAL HEADER aka IMAGE_OPTIONAL_HEADER
  Optional only for non-standard PEs, but required for executables

RVA: Relative Virtual Address
  Address relative to ImageBase (at ImageBase, RVA = 0)
  Almost all addresses of the headers are RVAs
  In code, addresses are not relative

INT: Import Name Table
  Null-terminated list of pointers to Hint, Name structures

IAT: Import Address Table
  Null-terminated list of pointers
  On file it is a copy of the INT
  After loading it points to the imported APIs (library.dll: Hint, "API name" -> API_Address)

HINT
  Index in the exports table of a DLL to be imported
  Not required, but provides a speed-up by reducing look-up
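The loading process above, carried out on simple.exe, as an added example that is not part of the poster. The bytes are rebuilt from the poster's hex dump (constructed input, zero-filled to the 0x800 bytes the mapping diagram shows), and the five steps are implemented with the Python standard library only: parse the DOS, PE and optional headers and the section table, check the alignments, map the sections to their RVAs, walk the import descriptors with INT and IAT together, and resolve the `call [...]` operands at the entry point through the IAT. No Windows loader runs here, so instead of real API addresses the resolved IAT slots are recorded as "dll!API" strings; the helper names (build_file, parse_headers, map_image, parse_imports, calls_from_entry) and the 0x20-byte window scanned at the entry point are this example's own choices, not part of the PE format.

```python
import struct

# simple.exe rebuilt from the poster's hex dump (constructed input for this added example).
# Rows are "offset bytes-in-file-order"; all-zero rows are omitted and every other byte of
# the 0x800-byte file is zero.
DUMP = """\
0000 4D5A
003C 40000000
0040 50450000-4C010300-00000000-00000000 00000000-E0000201-0B010000-00000000
0060 00000000-00000000-00100000-00000000 00000000-00004000-00100000-00020000
0080 00000000-00000000-04000000-00000000 00400000-00020000-00000000-02000000
00B0 00000000-10000000-00000000-00000000 00200000-00000000-00000000-00000000
0138 2E746578-74000000
0140 00100000-00100000-00020000-00020000 00000000-00000000-00000000-20000060
0160 2E726461-74610000-00100000-00200000 00020000-00040000-00000000-00000000
0180 00000000-40000040-2E646174-61000000 00100000-00300000-00020000-00060000
01A0 00000000-00000000-00000000-400000C0
0200 6A006800-30400068-17304000-6A00FF15 70204000-6A00FF15-68204000-00000000
0400 3C200000-00000000-00000000-78200000 68200000-44200000-00000000-00000000
0420 85200000-70200000-00000000-00000000 00000000-00000000-00000000-4C200000
0440 00000000-5A200000-00000000-00004578 69745072-6F636573-73000000-4D657373
0460 61676542-6F784100-4C200000-00000000 5A200000-00000000-6B65726E-656C3332
0480 2E646C6C-00757365-7233322E-646C6C00
0600 61207369-6D706C65-20504520-65786563 75746162-6C650048-656C6C6F-20776F72
0620 6C642100
"""

def build_file(dump=DUMP, size=0x800):
    buf = bytearray(size)
    for line in dump.splitlines():
        off, hexbytes = line.split(" ", 1)
        data = bytes.fromhex(hexbytes.replace("-", " "))
        buf[int(off, 16):int(off, 16) + len(data)] = data
    return bytes(buf)

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def parse_headers(f):
    """Steps 1 and 2: DOS header -> PE header -> optional header -> section table."""
    e_lfanew = u32(f, 0x3C)
    if f[:2] != b"MZ" or f[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ/PE signature")
    # Machine, NumberOfSections, 12 bytes skipped, SizeOfOptionalHeader, Characteristics
    machine, nsec, opt_size, flags = struct.unpack_from("<HH12xHH", f, e_lfanew + 4)
    opt = e_lfanew + 24                    # optional header follows the 20-byte PE header
    if struct.unpack_from("<H", f, opt)[0] != 0x10B:
        raise ValueError("only 32-bit (PE32) optional headers handled here")
    h = {"Machine": machine, "Characteristics": flags, "AddressOfEntryPoint": u32(f, opt + 16),
         "ImageBase": u32(f, opt + 28), "SectionAlignment": u32(f, opt + 32),
         "FileAlignment": u32(f, opt + 36), "SizeOfImage": u32(f, opt + 56),
         "SizeOfHeaders": u32(f, opt + 60), "NumberOfRvaAndSizes": u32(f, opt + 92),
         "ImportsVA": u32(f, opt + 96 + 8), "Sections": []}   # data directory #2 = imports
    table = opt + opt_size                 # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", f, table + 40 * i)
        if va % h["SectionAlignment"] or rawptr % h["FileAlignment"]:
            raise ValueError("section %r breaks the alignments" % name)
        h["Sections"].append({"Name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                              "VirtualAddress": va, "SizeOfRawData": rawsize,
                              "PointerToRawData": rawptr,
                              "Characteristics": u32(f, table + 40 * i + 36)})
    return h

def map_image(f, h):
    """Step 3: headers, then each section, land at ImageBase + RVA; RVAs now index the image."""
    image = bytearray(h["SizeOfImage"])
    image[:h["SizeOfHeaders"]] = f[:h["SizeOfHeaders"]]
    for s in h["Sections"]:
        raw = f[s["PointerToRawData"]:s["PointerToRawData"] + s["SizeOfRawData"]]
        image[s["VirtualAddress"]:s["VirtualAddress"] + len(raw)] = raw
    return bytes(image)

def parse_imports(image, h):
    """Step 4: descriptors, then INT and IAT walked together -> {IAT slot RVA: "dll!API"}."""
    resolved, desc = {}, h["ImportsVA"]
    while any(image[desc:desc + 20]):      # an all-zero descriptor ends the list
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", image, desc)
        dll, k = cstring(image, name_rva), 0
        while u32(image, int_rva + 4 * k):  # INT is null-terminated
            api = cstring(image, u32(image, int_rva + 4 * k) + 2)  # skip the 2-byte hint
            resolved[iat_rva + 4 * k] = dll + "!" + api   # the loader writes the API address here
            k += 1
        desc += 20
    return resolved

def calls_from_entry(image, h, resolved):
    """Step 5: each 'call [abs32]' (FF 15) near the entry point reads its target from an IAT slot."""
    ep, targets = h["AddressOfEntryPoint"], []
    i = image.find(b"\xff\x15", ep, ep + 0x20)          # 0x20-byte window: enough for simple.exe
    while i != -1:
        targets.append(resolved.get(u32(image, i + 2) - h["ImageBase"], "?"))  # operand is absolute
        i = image.find(b"\xff\x15", i + 6, ep + 0x20)
    return targets

if __name__ == "__main__":
    f = build_file()
    h = parse_headers(f)
    image = map_image(f, h)
    iat = parse_imports(image, h)
    print([s["Name"] for s in h["Sections"]], iat, calls_from_entry(image, h, iat))
```

Run stand-alone it prints the three section names, the two resolved IAT slots (0x2068 and 0x2070) and the two calls made from the entry point, in the order the code issues them. The alignment check in parse_headers is the validity test step 2 describes; a section whose VirtualAddress or PointerToRawData is not a multiple of the respective alignment is rejected before anything is mapped.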