PE File Format
By Saurabh & Chinmaya
Definition
• The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems.
• The term "portable" refers to the format's versatility in numerous environments of operating system software architecture.
Basic Structure
• Executable Code Section, named .text (Microsoft) or CODE (Borland)
• Data Sections, named .data, .rdata, or .bss (Microsoft) or DATA (Borland)
• Resources Section, named .rsrc
• Export Data Section, named .edata
• Import Data Section, named .idata
• Debug Information Section, named .debug
Mapping Into Memory
Tools Of Trade
• LordPE
• PEiD
• PEView
• OllyDbg
DOS ‘MZ’ Header
• 64-byte header.
• The first two bytes of the DOS header contain the values 4Dh, 5Ah (the letters "MZ", for Mark Zbikowski, one of the original architects of MS-DOS), which signify a valid DOS header.
• The last 4 bytes of the header hold the file offset of the PE header.
DOS Stub
• If the program is run from DOS, DOS recognizes it as a valid executable and runs the DOS stub, which is stored immediately after the DOS header.
• The DOS stub usually just prints a string such as "This program must be run under Microsoft Windows", but it can be a full-blown DOS program.
• When building an application for Windows, the linker links a default stub program called WINSTUB.EXE into the executable. You can override the default linker behavior by substituting your own valid MS-DOS-based program in place of WINSTUB and using the -STUB: linker option when linking the executable file.
PE File Header
• Also called Image_NT_Header
• Consists of:
  • Signature
  • Image_File_Header
  • Image_Optional_Header
Signature
• 4-byte (DWORD) signature.
• Value is ‘00004550’, i.e. the bytes ‘P’, ‘E’, 0, 0 in file order.
Image File Header
• 20-byte header, laid out as follows (starting byte counted from 1):

Starting Byte   Type    Information
1               WORD    Machine
3               WORD    Number of sections
5               DWORD   Time Date stamp
9               DWORD   Pointer to symbol table
13              DWORD   Number of symbols
17              WORD    Size of optional header
19              WORD    Characteristics
Optional Header
• It contains the following important fields:
  • Address Of Entry Point
  • Image Base
  • Section Alignment
  • File Alignment
  • Subsystem
  • Data directory
    ○ An array of 16 IMAGE_DATA_DIRECTORY structures, each relating to an important data structure in the PE file, such as the import address table.
Image_Section_Header
• It contains information about the various sections.
• It contains the following important fields:
  • Name of section
  • Relative Virtual Address (RVA)
  • Virtual Size
  • Characteristics of Section
Sections
.text
• Contains the executable code
• Also known as .code
.data
• Contains initialized data
.reloc
• Contains relocation information
.rsrc
• Contains resource information of a module
.debug
• Contains debug information
.edata, .idata
• Contains export and import data
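As an added example, not taken from the slides, the Python script below builds a minimal PE32 image in memory and walks the structures the slides describe in order: the MZ header and its final 4-byte pointer (the field Microsoft calls e_lfanew), the PE signature, Image_File_Header, the optional header with its 16 data directories, and the section table. It then maps an RVA to a file offset through the section table and reports which section holds the entry point and whether that section is marked executable, a basic sanity check an analyst performs before trusting a sample's headers. The sample image, the helper names (build_sample_pe, parse_pe, rva_to_offset, entry_section) and every field value in it are constructed for illustration; the structure layouts and struct format strings follow the standard PE32 definitions.

```python
import struct
from dataclasses import dataclass

# Little-endian format strings for the fixed-size PE structures walked below.
FILE_HEADER_FMT = "<HHIIIHH"                      # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"      # PE32 optional header through NumberOfRvaAndSizes, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000                # section characteristics flag

# ---- Constructed sample: a hand-built, minimal PE32 image (not a real program) ----
PE_OFFSET = 0x80                                  # stored in e_lfanew; the DOS stub occupies 0x40..0x7F
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000

def build_sample_pe() -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                                    # e_magic: 4Dh 5Ah
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)        # e_lfanew: last 4 bytes of the DOS header
    stub = b"This program must be run under Microsoft Windows\r\n$".ljust(PE_OFFSET - 0x40, b"\0")
    # Machine i386, 2 sections, no symbols, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x014C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x00400000, SECTION_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)                            # 16 IMAGE_DATA_DIRECTORY entries (rva, size)
    struct.pack_into("<II", dirs, 1 * 8, 0x2000, 0x14)  # entry 1 = import directory, placed in .data
    text = struct.pack(SECTION_FMT, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + stub + b"PE\0\0" + file_hdr + opt + bytes(dirs) + text + data).ljust(0x200, b"\0")
    # .text raw data: xor eax,eax / ret ; .data raw data: a constructed marker string
    return headers + b"\x33\xC0\xC3".ljust(0x200, b"\0") + b"sample-data".ljust(0x200, b"\0")

@dataclass
class Section:
    name: str
    virtual_size: int
    rva: int
    raw_size: int
    raw_offset: int
    characteristics: int

@dataclass
class PEInfo:
    pe_offset: int
    machine: int
    entry_point_rva: int
    image_base: int
    section_alignment: int
    file_alignment: int
    subsystem: int
    data_directories: list   # (rva, size) pairs
    sections: list

def parse_pe(data: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":          # DWORD 00004550h
        raise ValueError("missing PE signature at e_lfanew")
    fh = pe_offset + 4
    machine, nsec, _ts, _symptr, _nsym, opt_size, _flags = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + struct.calcsize(FILE_HEADER_FMT)
    f = struct.unpack_from(OPT32_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("this example only handles PE32 (magic 10Bh)")
    dirs_off = opt + struct.calcsize(OPT32_FMT)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(f[29])]
    sec_off = opt + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, rva, rsize, roff, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), vsize, rva, rsize, roff, flags))
    # f[6]=AddressOfEntryPoint f[9]=ImageBase f[10]=SectionAlignment f[11]=FileAlignment f[22]=Subsystem
    return PEInfo(pe_offset, machine, f[6], f[9], f[10], f[11], f[22], dirs, sections)

def rva_to_offset(info: PEInfo, rva: int):
    """Translate a relative virtual address to a file offset via the section table."""
    for s in info.sections:
        if s.rva <= rva < s.rva + max(s.virtual_size, s.raw_size):
            return s.raw_offset + (rva - s.rva)
    return None                                              # RVA not backed by any section

def entry_section(info: PEInfo):
    """Which section holds AddressOfEntryPoint, and whether that section is marked executable."""
    for s in info.sections:
        if s.rva <= info.entry_point_rva < s.rva + max(s.virtual_size, s.raw_size):
            return s.name, bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)
    return None                                              # entry point outside every section

if __name__ == "__main__":
    img = build_sample_pe()
    info = parse_pe(img)
    print(f"PE header at 0x{info.pe_offset:x}, machine 0x{info.machine:x}, entry RVA 0x{info.entry_point_rva:x}")
    for s in info.sections:
        print(f"{s.name:8} RVA 0x{s.rva:05x} raw 0x{s.raw_offset:04x} flags 0x{s.characteristics:08x}")
    print("entry point lives in", entry_section(info))
```

The RVA-to-offset step is the mapping between the file layout and the in-memory layout: section headers give both an RVA (memory view, aligned to SectionAlignment) and a PointerToRawData (file view, aligned to FileAlignment), so any data directory address, including the import table at RVA 2000h in this sample, has to pass through the section table before it can be read from disk. An entry point that resolves to no section, or to one without the execute flag, is worth a closer look before any of the other header fields are trusted.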
Thank You
