Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Exploring the Portable Executable format

3,200 views

Published on

a 44CON 2013 workshop

Published in: Business, Technology
  • Be the first to comment

Exploring the Portable Executable format

  1. 1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13
  2. 2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider
  3. 3. a handmade PE simple.exe a first real example working minimal
  4. 4. detailed walkthrough
  5. 5. DOS header unused in PE mode
  6. 6. PE header PE signature
  7. 7. Optional Header NOT optional in executables
  8. 8. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each entry interpreted differently
  9. 9. Sections memory mapping
  10. 10. Imports standard loader mechanism NOT required load DLL, locate APIs
  11. 11. compiled PE compiled.exe closer to reality extra non-critical structure
  12. 12. DLL exports relocations
  13. 13. driver subsystem, checksum low alignments mapping different imports
  14. 14. resources structure version, manifest/icon, APIs
  15. 15. Thread Local Storage callback list before EntryPoint & after ExitProcess
  16. 16. .Net different and integrated binary 2nd loader
  17. 17. what about 64b? very few changes ● 2 magic constants ● a few elements become QWord ○ ImageBase, Imports thunks, callbacks ● Exceptions have their own DataDirectory ○ no need for LoadConfig (SafeSEH)
  18. 18. and ARM ● a different magic constant ● still 16b DOS Stub ! ● nothing special, PE wise ○ the beauty of ‘Portability’
  19. 19. trivial

×