• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
the PE format 2011/01/17
 

the PE format 2011/01/17

on

  • 15,067 views

 

Statistics

Views

Total Views
15,067
Views on SlideShare
4,085
Embed Views
10,982

Actions

Likes
2
Downloads
22
Comments
0

3 Embeds 10,982

http://code-opensocial.googleusercontent.com 10970
http://translate.googleusercontent.com 11
https://code-opensocial.googleusercontent.com 1

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    the PE format 2011/01/17 the PE format 2011/01/17 Document Transcript

    • the PE format (17th January 2011) Ange Albertini http://corkami.blogspot.comCreative Commons Attribution 3.0
    • Table of contents3 Standard File & Memory layouts4 the PE Headers5 Data Directories 1/2: Exports, Imports, Import table6 Data Directories 2/2: Resources, Relocations, Debug, TLS, Delay imports Changelog2011/01/17 minor changes, fixed data directories, better resource directories layout2010/04/07 +data directories2010/04/03 +layouts2010/01/28 +headers
    • Virtual Physical Address Virtual file memory Stack Offset Environment 0 ImageBase MZ Header SizeOfHeaders Header SizeOfHeaders FileAlignment rounded Section[0].Offset SectionAlignment rounded push ebp BaseOfCode Section[0].Address Section .text EntryPoint Section[0].PSize code Section .text Section[0].VSize code FileAlignment rounded SizeOfCode Section[1].Offset i dd 0 SectionAlignment rounded Section .data Section[1].PSize BaseOfData Section[1].Address data FileAlignment rounded Section .data Section[1].VSize data Section[2].Offset __imp__MessageBox_: dd aMessageBox SizeOfData PE Section .idata Section[2].PSize SectionAlignment rounded imports Section[2].Address Import table FileAlignment rounded Section .idata Section[2].VSize Imports imports File Appended data filesize SectionAlignment rounded SizeOfImage offset PointerToRawData librariesthe PE Format PSize SizeOfRawDataStandard File & Memory layouts address VirtualAddress system libraries VSize VirtualSizeAnge Albertini 2010Creative Commons Attributionhttp://corkami.blogspot.com
    • offset 0 IMAGE_DOS_HEADER 0x00 dw e_magic MZ 0x02 dw e_cblp 0x04 dw e_cp exe size 0x06 dw e_crlc 0x08 dw e_cparhdr exe start 0x0a dw e_minalloc 0x0c dw e_maxalloc 0x0e dw e_ss 0x10 dw e_sp 0x12 dw e_csum 0x14 dw e_ip 0x16 dw e_cs 0x18 dw e_lfarlc 0x1a dw e_ovno 0x1c dw e_res[4] 0x24 dw e_oemid 0x26 dw e_oeminfo 0x28 dw e_res2[10] 0x3c dd e_lfanew 0x00 dd Signature PE00 IMAGE_NT_HEADERS[32/64] 0x04 FileHeader 0x00 dw Machine 0x014c [32b]/0x8664 [64b] IMAGE_FILE_HEADER 0x02 dw NumberOfSections 0x04 dd TimeDateStamp 0x08 dd PointerToSymbolTable 0x0c dd NumberOfSymbols 0x10 dw SizeOfOptionalHeader 0x12 dw Characteristics exe/dll,relocs 0x18 OptionalHeader 0x00 dw Magic 0x10b [32b]/0x20b [64b] IMAGE_OPTIONAL_HEADER[32/64] 0x02 db MajorLinkerVersion 0x03 db MinorLinkerVersion 0x04 dd SizeOfCode 0x08 dd SizeOfInitializedData 0x0c dd SizeOfUninitializedData 0x10 dd AddressOfEntryPoint 0x14 dd BaseOfCode dq in 64b 0x18 dd BaseOfData only in 32b SizeofOptionalHeader 0x1c dd ImageBase dq in 64b 0x20 dd SectionAlignment =2^y, with y≥x 0x24 dd FileAlignment =2^x 0x28 dw MajorOperatingSystemVersion the PE Format (1/2) 4/5 0x2a dw MinorOperatingSystemVersion 0x2c dw MajorImageVersion 0x2e dw MinorImageVersion the PE Headers 0x30 0x32 dw dw MajorSubsystemVersion MinorSubsystemVersion 0x34 dd Win32VersionValue 0x38 dd SizeOfImage relative offset 0x3c dd SizeOfHeaders 0x40 dd CheckSum [drivers] offset 0x44 dw Subsystem 1 driver/2 gui/3 cli RVA 0x46 dw DllCharacteristics 0x48 dd SizeOfStackReserve dq in 64b 0x4c dd SizeOfStackCommit dq in 64b 0x50 dd SizeOfHeapReserve dq in 64b 0x54 dd SizeOfHeapCommit dq in 64b Critical 0x58 dd LoaderFlags standard 0x5c dd NumberOfRvaAndSizes ≤16 minor/ignored 0x60 DataDirectory NumberOfRvaAndSizes list 0x00 dd VirtualAddress 0x04 dd Size IMAGE_DATA_DIRECTORY Data Directories 0x00 db Name[8] IMAGE_SECTION_HEADER NumberOfSections 0x08 dd PhysicalAddress | VirtualSize 0x0c dd VirtualAddress 0x10 dd SizeOfRawData 0x14 dd PointerToRawData 0x18 dd PointerToRelocations 0x1c dd PointerToLinenumbers 0x20 dw NumberOfRelocations 0x22 dw NumberOfLinenumbers 0x24 dd Characteristics RWX Section TableAnge Albertini 2009-2011Creative Commons Attributionhttp://corkami.blogspot.com
    • DATA DIRECTORIES 0 IMAGE_DIRECTORY_ENTRY_EXPORT 1 IMAGE_DIRECTORY_ENTRY_IMPORT 00 dd IMAGE_EXPORT_DIRECTORY Characteristics 2 IMAGE_DIRECTORY_ENTRY_RESOURCE 04 dd TimeDateStamp 3 IMAGE_DIRECTORY_ENTRY_SECURITY 08 dw MajorVersion 4 IMAGE_DIRECTORY_ENTRY_EXCEPTION 0a dw MinorVersion 5 IMAGE_DIRECTORY_ENTRY_BASERELOC 0c dd Name MyLib.dll 00 dd Function 6 IMAGE_DIRECTORY_ENTRY_DEBUG 10 dd Base “Export Table” 7 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 8 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 14 dd NumberOfFunctions 401020: MyFunction (ord:01) 9 IMAGE_DIRECTORY_ENTRY_TLS 18 dd NumberOfNames A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 1c dd AddressOfFunctions C IMAGE_DIRECTORY_ENTRY_IAT D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 20 dd AddressOfNames 00 dd Name E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 24 dd AddressOfNameOrdinals F reserved 00 dd NameOrdinal IMAGE_IMPORT_DESCRIPTOR 00 OriginalFirstThunk/Characteristics 04 dd TimeDateStamp 08 dd ForwarderChain 0c dd Name Kernel32.dll 10 FirstThunk the PE Format dd 0,0,0,0,0 Data Directories 1/2 IMAGE_THUNK_DATA IMAGE_THUNK_DATA 00 dd AddressOfData 00 dd AddressOfData relative offset /Ordinal/ForwarderString/Function /Ordinal/ForwarderString/Function offset dd 0 dd 0 RVA VA (on file) IMAGE_IMPORT_BY_NAME (after loading) 00 dw Hint 02 db Name[*] IAT 7C81127A Kernel32.dll!GetVersion (hint:4)Ange Albertini 2010-2011Creative Commons Attribution - cc byhttp://corkami.blogspot.com
    • ROOT resource directory DATA DIRECTORIES IMAGE_RESOURCE_DIRECTORY 0 IMAGE_DIRECTORY_ENTRY_EXPORT 00 04 dd dd Characteristics TimeDateStamp TYPE 08 dw MajorVersion 1 IMAGE_DIRECTORY_ENTRY_IMPORT 0a dw MinorVersion LANGUAGE 2 IMAGE_DIRECTORY_ENTRY_RESOURCE 0c dw NumberOfNamedEntries IMAGE_RESOURCE_DIRECTORY 3 IMAGE_DIRECTORY_ENTRY_SECURITY 4 IMAGE_DIRECTORY_ENTRY_EXCEPTION 0e dw NumberOfIdEntries 00 dd Characteristics 5 IMAGE_DIRECTORY_ENTRY_BASERELOC 04 08 dd dw TimeDateStamp MajorVersion IMAGE_RESOURCE_DIRECTORY IMAGE_RESOURCE_DIRECTORY_ENTRY 0a dw MinorVersion 00 dd Characteristics Named 6 IMAGE_DIRECTORY_ENTRY_DEBUG 04 dd TimeDateStamp 7 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 8 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 00 dd Name/ID type: RT_* 0c dw NumberOfNamedEntries 08 dw MajorVersion 0a dw MinorVersion 9 IMAGE_DIRECTORY_ENTRY_TLS 04 dd OffsetToData 0e dw NumberOfIdEntries 0c dw NumberOfNamedEntries A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG Id B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT IMAGE_RESOURCE_DIRECTORY_ENTRY 0e dw NumberOfIdEntries Named C IMAGE_DIRECTORY_ENTRY_IAT D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 00 dd Name/ID name IMAGE_RESOURCE_DIRECTORY_ENTRY Named E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR F reserved 04 dd OffsetToData 00 dd Name/ID language Id 04 dd OffsetToData Id IMAGE_BASE_RELOCATION relocation block IMAGE_RESOURCE_DATA_ENTRY 00 dd VirtualAddress 00 dd OffsetToData DIRECTORY.SIZE PUSH EBP 04 dd SizeOfBlock 04 dd Size1 08 dd CodePage SizeOfBlock 0c dd Reserved dw TypeOffset PUSH offset szMyString the PE Format Data Directories 2/2 IMAGE_DEBUG_DIRECTORY 00 dd Characteristics 04 dd TimeDateStamp 08 dw MajorVersion relative offset 0a 0c dw dd MinorVersion Type 1 Coff/2 CV-PDB/9 Borland offset IMAGE_TLS_DIRECTORY 10 dd SizeOfData 00 dd StartAddressOfRawData 14 dd AddressOfRawData RVA 04 dd EndAddressOfRawData 18 dd PointerToRawData 08 LPDWORD AddressOfIndex VA 00 dd Callback 0c AddressOfCallBacks 10 dd SizeOfZeroFill 14 dd Characteristics dd 0 IMAGE_DELAY_IMPORT_DESCRIPTOR 00 dd grAttrs 04 dd szName 08 dd phmod 0c dd pIAT 10 dd pINT 14 dd pBoundIAT 18 dd pUnloadIAT 1c dd dwTimeStampAnge Albertini 2010 - 2011Creative Commons Attribution - cc byhttp://corkami.blogspot.com