Pe Format

Portable executable format

    Pe Format Presentation Transcript

    • PE File structure
      Layout: MZ header, PE header, Section 1, Section …, Section N
      Structures: IMAGE_DOS_HEADER (MZ header), IMAGE_NT_HEADERS32 (PE header), IMAGE_OPTIONAL_HEADER32 (Image Information), IMAGE_SECTION_HEADER (Section Information), Directory Information
    • Image Information
      typedef struct _IMAGE_OPTIONAL_HEADER {
          // Standard fields.
          WORD  Magic;
          // …
          DWORD AddressOfEntryPoint;
          DWORD BaseOfCode;
          DWORD BaseOfData;
          DWORD ImageBase;
          // …
          DWORD SizeOfImage;
          DWORD SizeOfHeaders;
          // …
          DWORD LoaderFlags;
          // …
          IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
      } IMAGE_OPTIONAL_HEADER32;
    • Section Information
      typedef struct _IMAGE_SECTION_HEADER {
          BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
          union {
              DWORD PhysicalAddress;
              DWORD VirtualSize;
          } Misc;
          DWORD VirtualAddress;
          DWORD SizeOfRawData;
          DWORD PointerToRawData;
          DWORD PointerToRelocations;
          DWORD PointerToLinenumbers;
          WORD  NumberOfRelocations;
          WORD  NumberOfLinenumbers;
          DWORD Characteristics;
      } IMAGE_SECTION_HEADER;
    • Directory: Import, Export, Relocation, Debug info, Resources, TLS
    • Import
    • Import
      Import Descriptors Table: Kernel32.dll, Ws2_32.dll
      Import Names Table for kernel32.dll: “LoadLibraryA”, “GetProcAddress”
      Import Address Table for kernel32.dll: RVA for LoadLibraryA() pointer, RVA for GetProcAddress() pointer
      Import Names Table for ws2_32.dll: “socket”, “WSAStartup”
      Import Address Table for ws2_32.dll: RVA for socket() pointer, RVA for WSAStartup() pointer
    • Import
      typedef struct _IMAGE_IMPORT_DESCRIPTOR {
          union {
              DWORD Characteristics;     // 0 for terminating null import descriptor
              DWORD OriginalFirstThunk;  // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
          };
          DWORD TimeDateStamp;
          DWORD ForwarderChain;          // -1 if no forwarders
          DWORD Name;
          DWORD FirstThunk;              // RVA to IAT
      } IMAGE_IMPORT_DESCRIPTOR;

      typedef struct _IMAGE_THUNK_DATA32 {
          union {
              DWORD ForwarderString;     // PBYTE
              DWORD Function;            // PDWORD
              DWORD Ordinal;
              DWORD AddressOfData;       // PIMAGE_IMPORT_BY_NAME
          } u1;
      } IMAGE_THUNK_DATA32;
    • Export
    • Export (diagram): Names Table, Function Pointers Table, Ordinals Table; sample values shown: “StubData”, 17138, 0x00000001
    • Export
      typedef struct _IMAGE_EXPORT_DIRECTORY {
          DWORD Characteristics;
          DWORD TimeDateStamp;
          WORD  MajorVersion;
          WORD  MinorVersion;
          DWORD Name;
          DWORD Base;
          DWORD NumberOfFunctions;
          DWORD NumberOfNames;
          DWORD AddressOfFunctions;     // RVA from base of image
          DWORD AddressOfNames;         // RVA from base of image
          DWORD AddressOfNameOrdinals;  // RVA from base of image
      } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
    • Relocations
    • Relocation (diagram): blocks of the form Header, offs1 … offsN, repeated; Section addresses 0x401000, 0x402000
    • Relocation
      typedef struct _IMAGE_BASE_RELOCATION {
          DWORD VirtualAddress;
          DWORD SizeOfBlock;
          // WORD TypeOffset[1];
      } IMAGE_BASE_RELOCATION;

      // Layout of one 16-bit TypeOffset entry: low 12 bits offset, high 4 bits type.
      struct TypeOffset {
          WORD Offset : 12;
          WORD Type   : 4;   // WORD, not CHAR, so both bit-fields share one 16-bit entry
      };

      #define IMAGE_REL_BASED_HIGHLOW 3
    • Loader
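
The relocation block layout from the slides above, worked through as a loader-style fixup pass with the bounds checks a parser of untrusted PE files needs. This is an added example, not code from the presentation; `apply_relocs`, `rd16`, `rd32` and `wr32` are hypothetical names, `IMAGE_REL_BASED_ABSOLUTE` (type 0, padding) comes from winnt.h rather than the slides, and the sample table in `main` is constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, skipped */
#define IMAGE_REL_BASED_HIGHLOW  3

/* Little-endian accessors that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk IMAGE_BASE_RELOCATION blocks in reloc[0..reloc_len) and add delta
 * (actual load base - ImageBase) to every HIGHLOW target in image[0..image_len).
 * Returns the number of fixups applied, or -1 on a malformed table. */
int apply_relocs(uint8_t *image, size_t image_len,
                 const uint8_t *reloc, size_t reloc_len, uint32_t delta)
{
    size_t pos = 0;
    int applied = 0;
    while (reloc_len - pos >= 8) {
        uint32_t page = rd32(reloc + pos);      /* VirtualAddress */
        uint32_t size = rd32(reloc + pos + 4);  /* SizeOfBlock, header included */
        /* Zero/short sizes would loop forever; large ones overrun the table. */
        if (size < 8 || (size & 1) || size > reloc_len - pos) return -1;
        for (size_t i = 8; i < size; i += 2) {
            uint16_t e = rd16(reloc + pos + i);
            unsigned type = e >> 12, off = e & 0x0FFF;
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) return -1;
            uint64_t rva = (uint64_t)page + off;
            if (rva + 4 > image_len) return -1;  /* fixup target outside the image */
            wr32(image + rva, rd32(image + rva) + delta);
            applied++;
        }
        pos += size;
    }
    return applied;
}

int main(void) {  /* constructed sample: one block for page 0x1000, HIGHLOW at +0x010 */
    uint8_t image[0x2000] = {0};
    const uint8_t reloc[] = { 0x00,0x10,0,0, 12,0,0,0, 0x10,0x30, 0x00,0x00 };
    wr32(image + 0x1010, 0x00401234);
    int n = apply_relocs(image, sizeof image, reloc, sizeof reloc, 0x00100000);
    return (n == 1 && rd32(image + 0x1010) == 0x00501234) ? 0 : 1;
}
```

On a `-1` return the image may already be partially patched, so a loader or analysis tool should discard it rather than continue.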