Exploring the Portable Executable format

a 44CON 2013 workshop

Published in: Business, Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,671
On SlideShare
0
From Embeds
0
Number of Embeds
23
Actions
Shares
0
Downloads
40
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

  1. Exploring the Portable Executable format. London, England. Ange Albertini, 2013/09/13
  2. Workshop package (PoCs+docs): http://www.xchg.info/corkami/workshop.zip
     ● Recommended PE viewer: http://icerbero.com/peinsider
  3. a handmade PE: simple.exe, a first real example, working minimal
  4. detailed walkthrough
  5. DOS header: unused in PE mode
  6. PE header: PE signature
  7. Optional Header: NOT optional in executables
  8. DataDirectories: end of OptionalHeader; 16 (max) * [RVA, Size]; each entry interpreted differently
  9. Sections: memory mapping
  10. Imports: standard loader mechanism, NOT required; load DLL, locate APIs
  11. compiled PE: compiled.exe, closer to reality, extra non-critical structure
  12. DLL: exports, relocations
  13. driver: subsystem, checksum, low alignments, mapping, different imports
  14. resources: structure, version, manifest/icon, APIs
  15. Thread Local Storage: callback list, before EntryPoint & after ExitProcess
  16. .Net: different and integrated binary, 2nd loader
  17. what about 64b? very few changes
     ● 2 magic constants
     ● a few elements become QWord
       ○ ImageBase, Imports thunks, callbacks
     ● Exceptions have their own DataDirectory
       ○ no need for LoadConfig (SafeSEH)
  18. and ARM
     ● a different magic constant
     ● still 16b DOS Stub!
     ● nothing special, PE wise
       ○ the beauty of ‘Portability’
  19. trivial
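As an added example (not part of the workshop package or the author's PoCs), this Python parser walks the headers in the order slides 5 to 9 and 17 describe: the DOS header (only e_lfanew matters in PE mode), the PE signature, the FileHeader, an OptionalHeader whose field offsets depend on which of the two magic constants it carries (ImageBase widens to a QWord in PE32+), the up-to-16-entry [RVA, Size] DataDirectory table, and the section table. The headers it parses are constructed in build_sample() rather than taken from simple.exe; the field offsets and the 0x14C/0x8664 machine values follow the published PE/COFF layout.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # the "2 magic constants" of slide 17
DIR_NAMES = {0: "Export", 1: "Import", 2: "Resource", 3: "Exception", 9: "TLS"}

def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> PE signature -> FileHeader -> OptionalHeader -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)       # only DOS field PE mode uses
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:           # 32-bit: ImageBase is a DWORD
        image_base, = struct.unpack_from("<I", data, opt + 28)
        ndirs, = struct.unpack_from("<I", data, opt + 92)
        dir_off = opt + 96
    elif magic == PE32PLUS_MAGIC:     # 64-bit: ImageBase grows to a QWORD, later fields shift
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        ndirs, = struct.unpack_from("<I", data, opt + 108)
        dir_off = opt + 112
    else:
        raise ValueError(f"unknown OptionalHeader magic {magic:#x}")
    ndirs = min(ndirs, 16)            # the loader caps the count at 16 entries
    dirs = {DIR_NAMES.get(i, i): struct.unpack_from("<II", data, dir_off + 8 * i)
            for i in range(ndirs)}    # each entry is [RVA, Size]
    sections = []
    for i in range(nsect):            # section table follows the OptionalHeader, 40 bytes each
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return {"machine": machine, "magic": magic, "image_base": image_base,
            "directories": dirs, "sections": sections}

def build_sample(magic: int) -> bytes:
    """Constructed header-only sample (not a runnable binary) for either magic."""
    plus = magic == PE32PLUS_MAGIC
    opt_size = 240 if plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    base_off, base_fmt, cnt_off = (24, "<Q", 108) if plus else (28, "<I", 92)
    struct.pack_into(base_fmt, opt, base_off, 0x140000000 if plus else 0x400000)
    struct.pack_into("<I", opt, cnt_off, 16)
    struct.pack_into("<II", opt, cnt_off + 4 + 8 * 1, 0x2000, 0x28)  # Import directory entry
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + text
```

Running parse_pe_headers(build_sample(PE32PLUS_MAGIC)) shows the same Import entry and .text section as the PE32 sample, with only the magic, machine and ImageBase width differing.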