
Exploring the Portable Executable format


  1. Exploring the Portable Executable format (London, England; Ange Albertini; 2013/09/13)
  2. Workshop package (PoCs+docs): http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider
  3. a handmade PE: simple.exe a first real example working minimal
  4. detailed walkthrough
  5. DOS header: unused in PE mode
  6. PE header: PE signature
  7. Optional Header: NOT optional in executables
  8. DataDirectories: end of OptionalHeader 16 (max) * [RVA, Size] each entry interpreted differently
  9. Sections: memory mapping
  10. Imports: standard loader mechanism NOT required load DLL, locate APIs
  11. compiled PE: compiled.exe closer to reality extra non-critical structure
  12. DLL: exports relocations
  13. driver: subsystem, checksum low alignments mapping different imports
  14. resources: structure version, manifest/icon, APIs
  15. Thread Local Storage: callback list before EntryPoint & after ExitProcess
  16. .Net: different and integrated binary 2nd loader
  17. what about 64b? very few changes
      ● 2 magic constants
      ● a few elements become QWord
        ○ ImageBase, Imports thunks, callbacks
      ● Exceptions have their own DataDirectory
        ○ no need for LoadConfig (SafeSEH)
  18. and ARM
      ● a different magic constant
      ● still 16b DOS Stub !
      ● nothing special, PE wise
        ○ the beauty of ‘Portability’
  19. trivial
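
The header chain from slides 5 to 9 (DOS header, PE signature, Optional Header, DataDirectories, sections) together with the 32/64-bit differences from slide 17, as an added example that is not taken from the slides or the workshop package. `parse_pe`, `build_sample` and every sample value are assumptions made for illustration; the parsed image is a constructed, header-only byte string.

```python
import struct

MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}  # the two OptionalHeader magic constants

def parse_pe(data):
    """Walk DOS header -> PE signature -> Optional Header -> DataDirectories -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # pointer to the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in MAGICS:
        raise ValueError("unknown OptionalHeader magic 0x%X" % magic)
    is64 = magic == 0x20B
    # ImageBase is a DWord at +28 in PE32 and a QWord at +24 in PE32+
    (image_base,) = struct.unpack_from("<Q" if is64 else "<I", data, opt + (24 if is64 else 28))
    dd = opt + (112 if is64 else 96)  # DataDirectories close the Optional Header
    (count,) = struct.unpack_from("<I", data, dd - 4)
    # Do not trust the declared count: cap at 16 and at what SizeOfOptionalHeader covers
    count = max(0, min(count, 16, (opt + opt_size - dd) // 8))
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(count)]
    sections = []
    for i in range(nsec):  # section table starts right after the Optional Header
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return {"format": MAGICS[magic], "machine": machine, "image_base": image_base,
            "directories": dirs, "sections": sections}

def build_sample(is64, declared_dirs=16):
    """Constructed header-only image for the parser above (all values are made up)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_len = 240 if is64 else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 1, 0, 0, 0, opt_len, 0x2)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)
    if is64:
        struct.pack_into("<Q", opt, 24, 0x140000000)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)
    dd = 112 if is64 else 96
    struct.pack_into("<I", opt, dd - 4, declared_dirs)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 8, 0x2000, 0x28)  # entry 1 = Imports [RVA, Size]
    sec = struct.pack("<8sII", b".text", 0x1000, 0x1000) + b"\0" * 24
    return dos + b"PE\0\0" + coff + bytes(opt) + sec
```

Calling `parse_pe(build_sample(False))` and `parse_pe(build_sample(True))` returns the same directory and section data for both layouts; only the magic, the machine value and the width of `image_base` differ.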
