Exploring the Portable Executable format
a 44CON 2013 workshop
Transcript

  • 1. Exploring the Portable Executable format. London, England. Ange Albertini, 2013/09/13
  • 2. Workshop package (PoCs+docs): http://www.xchg.info/corkami/workshop.zip
    Recommended PE viewer: http://icerbero.com/peinsider
  • 3. a handmade PE: simple.exe, a first real example; working, minimal
  • 4. detailed walkthrough
  • 5. DOS header: unused in PE mode
  • 6. PE header: PE signature
  • 7. Optional Header: NOT optional in executables
  • 8. DataDirectories: end of OptionalHeader; 16 (max) * [RVA, Size]; each entry interpreted differently
  • 9. Sections: memory mapping
  • 10. Imports: standard loader mechanism, NOT required; load DLL, locate APIs
  • 11. compiled PE: compiled.exe, closer to reality; extra non-critical structure
  • 12. DLL: exports, relocations
  • 13. driver: subsystem, checksum; low alignments, mapping different; imports
  • 14. resources: structure; version, manifest/icon, APIs
  • 15. Thread Local Storage: callback list; before EntryPoint & after ExitProcess
  • 16. .Net: different and integrated binary; 2nd loader
  • 17. what about 64b? very few changes
      ● 2 magic constants
      ● a few elements become QWord
        ○ ImageBase, Imports thunks, callbacks
      ● Exceptions have their own DataDirectory
        ○ no need for LoadConfig (SafeSEH)
  • 18. and ARM
      ● a different magic constant
      ● still 16b DOS Stub !
      ● nothing special, PE wise
        ○ the beauty of ‘Portability’
  • 19. trivial
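A header walk over the structures named on slides 5 to 9 and 17 (DOS header, PE signature, FileHeader, OptionalHeader magic, DataDirectories, section table), as an added example that is not part of the workshop package. Instead of the workshop's simple.exe it parses a constructed header-only image built in the same block, in both PE32 and PE32+ flavours, so the QWord ImageBase and the shifted DataDirectory array of 64-bit files are visible side by side.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B
# Slide 17: in PE32+ ImageBase and the stack/heap sizes widen to QWORD, which shifts
# NumberOfRvaAndSizes (and the DataDirectory array behind it) further into the OptionalHeader.
NUM_RVA_OFFSET = {PE32: 92, PE32PLUS: 108}
IMAGEBASE = {PE32: ("<I", 28), PE32PLUS: ("<Q", 24)}

def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> FileHeader -> OptionalHeader -> DataDirectories -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # only DOS field the PE loader uses
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                           # FileHeader is a fixed 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in NUM_RVA_OFFSET:
        raise ValueError(f"unknown OptionalHeader magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    fmt, off = IMAGEBASE[magic]
    image_base = struct.unpack_from(fmt, data, opt + off)[0]
    nrva = struct.unpack_from("<I", data, opt + NUM_RVA_OFFSET[magic])[0]
    dd = opt + NUM_RVA_OFFSET[magic] + 4
    # the loader honours at most 16 entries (slide 8); clamp rather than trust the file
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(min(nrva, 16))]
    sections = []
    for i in range(nsect):                                 # section table follows the OptionalHeader
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw, rsize))
    return {"machine": machine, "magic": magic, "entry": entry, "image_base": image_base,
            "dirs": dirs, "sections": sections}

def build_minimal_pe(magic: int = PE32PLUS) -> bytes:
    """Constructed sample (not the workshop's simple.exe): a header-only image with one section."""
    opt_size = 240 if magic == PE32PLUS else 224
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> PE header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if magic == PE32PLUS else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    fmt, off = IMAGEBASE[magic]
    struct.pack_into(fmt, opt, off, 0x140000000 if magic == PE32PLUS else 0x400000)
    struct.pack_into("<I", opt, NUM_RVA_OFFSET[magic], 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, NUM_RVA_OFFSET[magic] + 4 + 8, 0x1000, 0x28)  # Import directory (index 1)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
```

Pointing `parse_pe` at a real file (`parse_pe(open(path, "rb").read())`) gives the same header summary, and a NumberOfRvaAndSizes above 16 or an e_lfanew beyond the file end are the kinds of hand-crafted oddities the workshop's PoCs exercise.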