PE 101 v1

Portable Executable 101: a Windows executable walkthrough
Dissected PE, by Ange Albertini (corkami.com). Each part of the file is shown four ways: hexadecimal dump, ASCII dump, the fields with their values, and an explanation. The sample is simple.exe, a minimal 32-bit Windows executable that shows a message box and exits.
download @ pe101.corkami.com
SHA-1 of simple.exe: b7af4cb51ce38e43e030656eb2698fab408cf9cb

DOS header (offset 0x0): shows it's a binary

  0000  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00  MZ..............
  0010  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
  0020  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
  0030  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00  ............@...

  e_magic   MZ    constant signature
  e_lfanew  0x40  offset of the PE header (the field itself sits at offset 0x3c)

PE header (offset 0x40): shows it's a modern binary

  0040  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00  PE..L...........
  0050  00 00 00 00-E0 00 02 01                          ....a...

  Signature             PE, 0, 0  constant signature
  Machine               0x14c     processor: ARM/MIPS/Intel/... (0x14c = Intel 386)
  NumberOfSections      3         number of sections
  SizeOfOptionalHeader  0xe0      relative offset of the section table (from the start of the optional header)
  Characteristics       0x102     EXE/DLL/... (0x102 = 32-bit EXE)

Optional header (offset 0x58): information about the executable

  0058                           0B 01 00 00-00 00 00 00  ........
  0060  00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00  ................
  0070  00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00  ......@.........
  0080  00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00  ................
  0090  00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00  .@..............
  00A0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
  00B0  00 00 00 00-10 00 00 00                          ........

  Magic                  0x10b     32 bits/64 bits (0x10b = 32 bits)
  AddressOfEntryPoint    0x1000    where execution starts (an RVA)
  ImageBase              0x400000  address where the file should be mapped in memory
  SectionAlignment       0x1000    where sections should start in memory
  FileAlignment          0x200     where sections should start in the file
  MajorSubsystemVersion  4         required version of Windows (4 = NT 4 or later)
  SizeOfImage            0x4000    total memory space required
  SizeOfHeaders          0x200     total size of the headers
  Subsystem              2         driver/graphical/command line/... (2 = GUI)
  NumberOfRvaAndSizes    16        number of data directories

Data directories (offset 0xb8, the end of the optional header): pointers to extra structures (exports, imports, ...)

  00B8                          00 00 00 00-00 00 00 00  ........
  00C0  00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................

  ImportsVA  0x2000  RVA of the imports (directory #2; every other directory is empty in this file)

Sections table (offset 0x138 = 0x58 + SizeOfOptionalHeader 0xe0): technical details about the sections; defines how the file is loaded in memory

  0130  00 00 00 00-00 00 00 00-2E 74 65 78-74 00 00 00  .........text...
  0140  00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00  ................
  0150  00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60  ...............`
  0160  2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00  .rdata..........
  0170  00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00  ................
  0180  00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00  ....@..@.data...
  0190  00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00  .....0..........
  01A0  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0  ............@..+

  Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
  .text   0x1000       0x1000          0x200          0x200             0x60000020  CODE EXECUTE READ
  .rdata  0x1000       0x2000          0x200          0x400             0x40000040  INITIALIZED READ
  .data   0x1000       0x3000          0x200          0x600             0xc0000040  DATA READ WRITE

  For each section, a SizeOfRawData sized block is read from the file at offset PointerToRawData. It is loaded in memory at address ImageBase + VirtualAddress, in a VirtualSize sized block, with the given characteristics. For simple.exe:

    file offset 0x0    headers (SizeOfHeaders = 0x200 bytes)  ->  0x400000 (ImageBase)
    file offset 0x200  .text                                  ->  0x401000
    file offset 0x400  .rdata                                 ->  0x402000
    file offset 0x600  .data                                  ->  0x403000

Sections: the contents of the executable

Code (.text, offset 0x200, RVA 0x1000, i.e. 0x401000 in memory): what is executed. This is where AddressOfEntryPoint points.

  0200  6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15  j.h.0@.h.0@.j...
  0210  70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00  p.@.j...h.@.....

  x86 assembly          equivalent C code
  push 0
  push 0x403000
  push 0x403017
  push 0
  call [0x402070]       MessageBoxA(0, "Hello world!", "a simple PE executable", 0);
  push 0
  call [0x402068]       ExitProcess(0);

  In code, addresses are not relative: 0x403000 and 0x403017 are the two strings in .data, and 0x402070 and 0x402068 are IAT entries in .rdata, all expressed from ImageBase.

Imports (.rdata, offset 0x400, RVA 0x2000, i.e. 0x402000 in memory): the link between the executable and the (Windows) libraries

  0400  3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00  <...........x...
  0410  68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00  h...D...........
  0420  85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00  à...p...........
  0430  00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00  ............L...
  0440  00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78  ....Z.........Ex
  0450  69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73  itProcess...Mess
  0460  61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00  ageBoxA.L.......
  0470  5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32  Z.......kernel32
  0480  2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00  .dll.user32.dll.

  Import structures (all addresses here are RVAs):

  descriptors                 INT     Name                 IAT
                              0x203c  0x2078 kernel32.dll  0x2068
                              0x2044  0x2085 user32.dll    0x2070
                              0       0                    0       (terminator)

  INT (Import Name Table)     0x203c: 0x204c, 0   ->  Hint/Name 0x204c: 0, ExitProcess
                              0x2044: 0x205a, 0   ->  Hint/Name 0x205a: 0, MessageBoxA
  IAT (Import Address Table)  0x2068: 0x204c, 0
                              0x2070: 0x205a, 0

  Consequences: after loading, 0x402068 will point to kernel32.dll's ExitProcess and 0x402070 will point to user32.dll's MessageBoxA, which is how call [0x402070] and call [0x402068] in the code reach the APIs.

Data (.data, offset 0x600, RVA 0x3000, i.e. 0x403000 in memory): strings

  0600  61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63  a.simple.PE.exec
  0610  75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72  utable.Hello.wor
  0620  6C 64 21 00                                      ld!.

  0x403000  "a simple PE executable", 0
  0x403017  "Hello world!", 0

This is the whole file; however, most PE files contain more elements. Explanations are simplified, for conciseness. (version 1, 3rd May 2012)

Loading process

  1. Headers: the DOS header is parsed; the PE header is parsed (its offset is the DOS header's e_lfanew); the optional header is parsed (it follows the PE header).
  2. Sections table: the sections table is parsed (it is located at offset(OptionalHeader) + SizeOfOptionalHeader and contains NumberOfSections elements); it is checked for validity against the alignments.
  3. Mapping: the file is mapped in memory according to the ImageBase, the SizeOfHeaders and the sections table.
  4. Imports: the data directories are parsed (they follow the optional header, their number is NumberOfRvaAndSizes, and imports are always #2). Imports are parsed: each descriptor specifies a DLL name; this DLL is loaded in memory; IAT and INT are parsed simultaneously; for each API in the INT, its address is written in the IAT entry.
  5. Execution: code is called at the EntryPoint; the calls of the code go via the IAT to the APIs.

Notes

  MZ header, aka DOS_HEADER: starts with MZ (initials of Mark Zbikowski, MS-DOS developer).
  PE header, aka IMAGE_FILE_HEADER / COFF file header: starts with PE (Portable Executable).
  Optional header, aka IMAGE_OPTIONAL_HEADER: optional only for non-standard PEs, but required for executables.
  RVA, Relative Virtual Address: address relative to ImageBase (at ImageBase, RVA = 0). Almost all addresses in the headers are RVAs; in code, addresses are not relative.
  Alignment: SectionAlignment applies in memory, FileAlignment in the file.
  INT, Import Name Table: null-terminated list of pointers to Hint, Name structures.
  IAT, Import Address Table: holds the same pointers on disk; after loading, each entry holds the address of the API.
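As an added worked example (not part of the poster, and not Ange Albertini's or corkami's code), the Python below rebuilds simple.exe from the values in the dump and then walks it in the order the loader does: DOS header, PE header, optional header, data directories, section table, import descriptors with their INT/IAT, and finally the `call [imm32]` sites in .text resolved through the IAT. The reconstruction assumes every byte the dump does not show is zero padding and does not assert the poster's SHA-1; field offsets are the standard PE32 layout.

```python
import struct

# Constructed input: simple.exe from the PE 101 poster, rebuilt field by field from its hex dump.
# Bytes the dump does not show are assumed to be zero padding (the poster's SHA-1 is not asserted).
def build_simple_exe():
    f = bytearray(0x800)
    f[0:2] = b"MZ"                                           # DOS header: e_magic
    struct.pack_into("<I", f, 0x3C, 0x40)                    # e_lfanew: the PE header is at 0x40
    f[0x40:0x44] = b"PE\0\0"                                 # Signature
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (32-bit EXE)
    struct.pack_into("<HHIIIHH", f, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", f, 0x58, 0x10B)                   # IMAGE_OPTIONAL_HEADER32 at 0x58: Magic = PE32
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", f, 0x68, 0x1000, 0, 0, 0x400000, 0x1000, 0x200)
    struct.pack_into("<H", f, 0x88, 4)                       # MajorSubsystemVersion: NT 4 or later
    struct.pack_into("<IIIH", f, 0x90, 0x4000, 0x200, 0, 2)  # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem (GUI)
    struct.pack_into("<I", f, 0xB4, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", f, 0xC0, 0x2000, 0)              # DataDirectory[1] (imports): RVA, size
    # Section table at 0x58 + 0xE0 = 0x138, one 40-byte IMAGE_SECTION_HEADER per section: Name, VirtualSize,
    # VirtualAddress, SizeOfRawData, PointerToRawData, relocation/linenumber fields (0), Characteristics
    for i, (name, va, ptr, ch) in enumerate([(b".text", 0x1000, 0x200, 0x60000020),
                                              (b".rdata", 0x2000, 0x400, 0x40000040),
                                              (b".data", 0x3000, 0x600, 0xC0000040)]):
        struct.pack_into("<8sIIIIIIHHI", f, 0x138 + 40 * i, name, 0x1000, va, 0x200, ptr, 0, 0, 0, 0, ch)
    # .text: push 0; push 0x403000; push 0x403017; push 0; call [0x402070]; push 0; call [0x402068]
    f[0x200:0x21C] = bytes.fromhex("6A00 6800304000 6817304000 6A00 FF1570204000 6A00 FF1568204000")
    # .rdata: IMAGE_IMPORT_DESCRIPTORs (INT, TimeDateStamp, ForwarderChain, Name, IAT); zeros at 0x428 end the list
    struct.pack_into("<IIIII", f, 0x400, 0x203C, 0, 0, 0x2078, 0x2068)   # kernel32.dll
    struct.pack_into("<IIIII", f, 0x414, 0x2044, 0, 0, 0x2085, 0x2070)   # user32.dll
    struct.pack_into("<IIII", f, 0x43C, 0x204C, 0, 0x205A, 0)   # INT kernel32, INT user32 (each null-terminated)
    f[0x44C:0x468] = b"\0\0ExitProcess\0\0\0MessageBoxA\0"      # Hint/Name entries: 2-byte hint 0, then the name
    struct.pack_into("<IIII", f, 0x468, 0x204C, 0, 0x205A, 0)   # IAT kernel32, IAT user32 (same as the INT on disk)
    f[0x478:0x490] = b"kernel32.dll\0user32.dll\0"              # DLL names
    f[0x600:0x624] = b"a simple PE executable\0Hello world!\0"  # .data: the two strings
    return bytes(f)

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):                            # RVA -> file offset, via the section table
    for s in sections:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    return rva                                               # in no section: the headers, mapped 1:1

def parse_pe(buf):
    """DOS header -> PE header -> optional header -> data directories -> section table -> imports."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                                      # the optional header follows the PE header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled here")
    entry, _, _, image_base, sec_align, file_align = struct.unpack_from("<IIIIII", buf, opt + 0x10)
    ndirs, = struct.unpack_from("<I", buf, opt + 0x5C)
    dirs = [struct.unpack_from("<II", buf, opt + 0x60 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                    # section table: at opt + SizeOfOptionalHeader
        h = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        s = {"Name": h[0].rstrip(b"\0").decode(), "VirtualSize": h[1], "VirtualAddress": h[2],
             "SizeOfRawData": h[3], "PointerToRawData": h[4], "Characteristics": h[9]}
        if s["VirtualAddress"] % sec_align or s["PointerToRawData"] % file_align:
            raise ValueError("misaligned section " + s["Name"])   # crude version of the loader's check
        sections.append(s)
    imports = parse_imports(buf, sections, dirs[1][0]) if ndirs > 1 and dirs[1][0] else {}
    return {"machine": machine, "entry": entry, "image_base": image_base, "sections": sections, "imports": imports}

def parse_imports(buf, sections, dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list -> {IAT slot RVA: (dll, name)}; ordinal imports become "#n"."""
    slots, desc = {}, rva_to_offset(sections, dir_rva)
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", buf, desc)
        if not (int_rva or name_rva or iat_rva):
            break                                            # an all-zero descriptor ends the list
        dll = cstr(buf, rva_to_offset(sections, name_rva))
        thunk, slot = rva_to_offset(sections, int_rva or iat_rva), iat_rva   # names from the INT, else the IAT
        while (entry := struct.unpack_from("<I", buf, thunk)[0]) != 0:   # null-terminated Hint/Name list
            name = "#%d" % (entry & 0xFFFF) if entry & 0x80000000 else cstr(buf, rva_to_offset(sections, entry) + 2)
            slots[slot] = (dll, name)                        # +2 above skips the 2-byte hint
            thunk, slot = thunk + 4, slot + 4
        desc += 20
    return slots

def resolve_iat_calls(buf, pe):
    """Name every 'call dword ptr [imm32]' (FF 15) in .text through the IAT (a byte scan, not a disassembler)."""
    text = next(s for s in pe["sections"] if s["Name"] == ".text")
    code = buf[text["PointerToRawData"]:text["PointerToRawData"] + text["SizeOfRawData"]]
    calls = []
    for i in range(len(code) - 5):
        if code[i:i + 2] == b"\xff\x15":
            target, = struct.unpack_from("<I", code, i + 2)  # an absolute VA: code addresses are not RVAs
            dll, func = pe["imports"].get(target - pe["image_base"], ("?", "?"))
            calls.append((text["VirtualAddress"] + i, dll + "!" + func))
    return calls
```

`parse_pe(build_simple_exe())["imports"]` gives {0x2068: ('kernel32.dll', 'ExitProcess'), 0x2070: ('user32.dll', 'MessageBoxA')}, and `resolve_iat_calls` maps the two FF 15 sites at RVAs 0x100e and 0x1016 to MessageBoxA and ExitProcess, matching the poster's annotations. `rva_to_offset` is the step that fails first on a malformed file: an import directory that points outside every section, or a section whose VirtualAddress or PointerToRawData breaks the alignments, is what the alignment check in `parse_pe` (a crude stand-in for the loader's validation) rejects.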
