PE 101: Portable Executable 101
Ange Albertini, corkami.com
download @ pe101.corkami.com (SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb)

Dissected PE

The poster shows, side by side, the hexadecimal dump, the ASCII dump, the fields, their values and an explanation. Only the rows the poster displays are reproduced here (offsets 0x10-0x2f are not shown on the poster); the structure offsets (0x30, 0x40, 0x58, 0x138) are the poster's own labels.

Hexadecimal dump                                         ASCII dump
0000  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00    MZ..............
0030  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00    ............@...
0040  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00    PE..L...........
0050  00 00 00 00-E0 00 02 01-0B 01 00 00-00 00 00 00    ....a...........
0060  00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00    ................
0070  00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00    ......@.........
0080  00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00    ................
0090  00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00    .@..............
00A0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00    ................
00B0  00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00    ................
00C0  00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00    ................

Fields, values and explanation

DOS header (Offset: 0x0; e_lfanew at 0x30 row): shows it's a binary
  e_magic                 'MZ'                  constant signature
  e_lfanew                0x40                  offset of the PE header (1)

PE header (Offset: 0x40): shows it's a 'modern' binary
  Signature               'PE', 0, 0            constant signature
  Machine                 0x14c [intel 386]     processor: ARM/MIPS/Intel/...
  NumberOfSections        3                     number of sections (2)
  SizeOfOptionalHeader    0xe0                  relative offset of the section table (2)
  Characteristics         0x102 [32b EXE]       EXE/DLL/...

Optional header (Offset: 0x58): executable information
  Magic                   0x10b [32b]           32 bits/64 bits
  AddressOfEntryPoint     0x1000                where execution starts (5)
  ImageBase               0x400000              address where the file should be mapped in memory (3)
  SectionAlignment        0x1000                where sections should start in memory (2)
  FileAlignment           0x200                 where sections should start on file (2)
  MajorSubsystemVersion   4 [NT 4 or later]     required version of Windows
  SizeOfImage             0x4000                total memory space required
  SizeOfHeaders           0x200                 total size of the headers (3)
  Subsystem               2 [GUI]               driver/graphical/command line/...
  NumberOfRvaAndSizes     16                    number of data directories (4)

Data directories: pointers to extra structures (exports, imports,...)
  ImportsVA               0x2000                RVA* of the imports (4)

Offset: 0x138 (the extract ends here; the numbered notes and the RVA* footnote referenced above are on the part of the poster not captured on this page)
                                         00-00
                                                 00
                                                 00
                                                      00
                                                      00
                                                           00-00
                                                           00-02
                                                                   00
                                                                   00
                                                                        00
                                                                        00
                                                                             00
                                                                             00
                                                                                  ................
                                                                                  .@..............
                                                                                                     00   40   00   00-00   02   00   00-00   00   00   00-02   00   00                 00   .@..............                                                                                                                                                                                                                       2E        74      65    78-74        00     00     00               .text...                                                                 Sections table
                                                                                                     00   00   00   00-00   00   00   00-00   00   00   00-00   00   00                 00   ................
        00   00   00   00-00   00   00   00-00   00   00   00-00   00   00   00   ................
                                                                                                     00   00   00   00-10   00   00   00-00   00   00   00-00   00   00                 00   ................                                                                         2E 74 65 78-74 00 00 00        .text...                                                     00     10    00     00-00        10     00     00-00        02      00    00-00        02     00     00       ................                                 *RVA         RVA*       physical size      physical offset
        00   00   00   00-10   00   00   00-00   00   00   00-00   00   00   00   ................
        00   20   00   00-00   00   00   00-00   00   00   00-00   00   00   00   ................
                                                                                                     00
                                                                                                     00
                                                                                                          20
                                                                                                          00
                                                                                                               00
                                                                                                               00
                                                                                                                    00-00
                                                                                                                    00-00
                                                                                                                            00
                                                                                                                            00
                                                                                                                                 00
                                                                                                                                 00
                                                                                                                                      00-00
                                                                                                                                      00-00
                                                                                                                                              00
                                                                                                                                              00
                                                                                                                                                   00
                                                                                                                                                   00
                                                                                                                                                        00-00
                                                                                                                                                        00-00
                                                                                                                                                                00
                                                                                                                                                                00
                                                                                                                                                                     00
                                                                                                                                                                     00
                                                                                                                                                                                        00
                                                                                                                                                                                        00
                                                                                                                                                                                             ................
                                                                                                                                                                                             ................
                                                                                                                                                                                                                                                       00   10   00   00-00 10 00 00-00 02 00 00-00 02 00 00 ................                                                     00     00    00     00-00        00     00     00-00        00      00    00-20        00     00     60       ...............`          Name         VirtualSize VirtualAddress SizeOfRawData PointerToRawData Characteristics
        00   00   00   00-00   00   00   00-00   00   00   00-00   00   00   00   ................                                                                                                                                                     00   00   00   00-00 00 00 00-00 00 00 00-20 00 00 60 ...............`
                                                                                                      technical details about 00 00 00 .........text...
                                                                                                       00 00 00-00 00 00 00-2E 74 65 78-74 the executable
                                                                                                                                                                                                                                                                                                                                                                                  2E     72    64     61-74        61     00     00-00        10      00    00-00        20     00     00       .rdata..........         .text           0x1000        0x1000         0x200            0x200                CODE EXECUTE READ
    0130
        00
        00
             00
             10
                  00
                  00
                       00-00
                       00-00
                               00
                               10
                                    00
                                    00
                                         00-2E
                                         00-00
                                                 74
                                                 02
                                                      65
                                                      00
                                                           78-74
                                                           00-00
                                                                   00
                                                                   02
                                                                        00
                                                                        00
                                                                             00
                                                                             00
                                                                                  .........text...
                                                                                  ................
                                                                                                     00
                                                                                                     00
                                                                                                     00
                                                                                                          10
                                                                                                          00
                                                                                                               00
                                                                                                               00
                                                                                                                    00-00
                                                                                                                    00-00
                                                                                                                            10
                                                                                                                            00
                                                                                                                                 00
                                                                                                                                 00
                                                                                                                                      00-00
                                                                                                                                      00-00
                                                                                                                                              02
                                                                                                                                              00
                                                                                                                                                   00
                                                                                                                                                   00
                                                                                                                                                        00-00
                                                                                                                                                        00-20
                                                                                                                                                                02
                                                                                                                                                                00
                                                                                                                                                                     00
                                                                                                                                                                     00
                                                                                                                                                                                        00
                                                                                                                                                                                        60
                                                                                                                                                                                             ................
                                                                                                                                                                                             ...............`
                                                                                                                                                                                                                                                       2E
                                                                                                                                                                                                                                                       00
                                                                                                                                                                                                                                                            72
                                                                                                                                                                                                                                                            02
                                                                                                                                                                                                                                                                 64
                                                                                                                                                                                                                                                                 00                               sections table
                                                                                                                                                                                                                                                                      61-74 61 00 00-00 10 00 00-00 20 00 00 .rdata..........
                                                                                                                                                                                                                                                                      00-00 04 00 00-00 00 00 00-00 00 00 00 ................                                                     00     02    00     00-00        04     00     00-00        00      00    00-00        00     00     00       ................         .rdata          0x1000        0x2000         0x200            0x400                INITIALIZED READ
        00   00   00   00-00   00   00   00-00   00   00   00-20   00   00   60   ...............`
                                                                                                     2E   72   64   61-74   61   00   00-00   10   00   00-00   20   00                 00   .rdata..........                                          00   00   00   00-40 defines40-2Ethe file is loaded in memory
                                                                                                                                                                                                                                                                            00 00 how 64 61 74-61 00 00 00 ....@..@.data...                                                       00     00    00     00-40        00     00     40-2E        64      61    74-61        00     00     00       ....@..@.data...         .data           0x1000        0x3000         0x200            0x600                DATA READ WRITE
        2E   72   64   61-74   61   00   00-00   10   00   00-00   20   00   00   .rdata..........
                                                                                                     00   02   00   00-00   04   00   00-00   00   00   00-00   00   00                 00   ................                                          00   10   00   00-00 30 00 00-00 02 00 00-00 06 00 00 .....0..........
        00   02   00   00-00   04   00   00-00   00   00   00-00   00   00   00   ................                                                                                                                                                                                                                                                                                00     10    00     00-00        30     00     00-00        02      00    00-00        06     00     00       .....0..........        For each section, a SizeofRawData sized block is read from the file at PointerToRawData offset.

      simple.exe
                                                                                                     00   00   00   00-40   00   00   40-2E   64   61   74-61   00   00                 00   ....@..@.data...                                          00   00   00   00-00 00 00 00-00 00 00 00-40 00 00 C0 ............@..+
        00   00   00   00-40   00   00   40-2E   64   61   74-61   00   00   00   ....@..@.data...
                                                                                                     00   10   00   00-00   30   00   00-00   02   00   00-00   06   00                 00   .....0..........
        00   10   00   00-00   30   00   00-00   02   00   00-00   06   00   00   .....0..........
                                                                                                     00   00   00   00-00   00   00   00-00   00   00   00-40   00   00                 C0   ............@..+                                          00   00   00   00-00 00 00 00-00 00 00 00-00 00 00 00 ................                                                     00     00    00     00-00        00     00     00-00        00      00    00-40        00     00     C0       ............@..+        It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics.
        00   00   00   00-00   00   00   00-00   00   00   00-40   00   00   C0   ............@..+
                                                                                                     00   00   00   00-00   00   00   00-00   00   00   00-00   00   00                 00   ................
        00   00   00   00-00   00   00   00-00   00   00   00-00   00   00   00   ................
    0200                                                                                             6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15                                         j.h.0@.h.0@.j. .
        6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15                           j.h.0@.h.0@.j. .
                                                                                                     70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00                                         p.@.j. .h.@.....                                                                                                                                                                                                                                                                                                                                     x86 assembly                                                     Equivalent C code
                                                                                                                                                                                                                                                                                                                   code
        70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00                           p.@.j. .h.@.....
                                                                                                     00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00                                         ................                                          6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15                                         j.h.0@.h.0@.j. .
        00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00                           ................
                                                                                                                                                                                                                                                       70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00                                         p.@.j. .h.@.....                                                                                                                                                          push    0
    0400                                                                                             3C   20   00   00-00   00   00   00-00   00   00   00-78   20   00                 00   <...........x...
        3C   20   00   00-00   00   00   00-00   00   00   00-78   20   00   00   <...........x...                                                                                                                                                     00 00 00 00-00 00 00 00-00 00 is executed 00 00
                                                                                                                                                                                                                                                                                what 00 00-00 00                                               ................                                                                                                                                                          push    0x403000


                                                                                                                sections
                                                                                                     68   20   00   00-44   20   00   00-00   00   00   00-00   00   00                 00   h...D...........
        68   20   00   00-44   20   00   00-00   00   00   00-00   00   00   00   h...D...........
                                                                                                     85   20   00   00-70   20   00   00-00   00   00   00-00   00   00                 00   à...p...........                                                                                                                                                                     Offset:0x200/RVA:0x401000
        85   20   00   00-70   20   00   00-00   00   00   00-00   00   00   00   à...p...........                                                                                                                                                                                                                                                                                                                                                                                                                       push    0x403017
        00   00   00   00-00   00   00   00-00   00   00   00-4C   20   00   00   ............L...
                                                                                                     00
                                                                                                     00
                                                                                                          00
                                                                                                          00
                                                                                                               00
                                                                                                               00
                                                                                                                    00-00
                                                                                                                    00-5A
                                                                                                                            00
                                                                                                                            20
                                                                                                                                 00
                                                                                                                                 00
                                                                                                                                      00-00
                                                                                                                                      00-00
                                                                                                                                              00
                                                                                                                                              00
                                                                                                                                                   00
                                                                                                                                                   00
                                                                                                                                                        00-4C
                                                                                                                                                        00-00
                                                                                                                                                                20
Code: the executable's instructions, with the poster's annotations

    6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15   j.h.0@.h.0@.j. .   push    0
    70 20 40 00-6A 00 FF 15-68 20 40 00               p.@.j. .h.@.       call    [0x402070]   MessageBox(0, "Hello World!", "a simple PE executable", 0);
                                                                         push    0
                                                                         call    [0x402068]   ExitProcess(0);

Imports: link between the executable and (Windows) libraries
Offset:0x400/RVA:0x402000

    3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00   <...........x...
    68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00   h...D...........
    85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00   à...p...........
    00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00   ............L...
    00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78   ....Z.........Ex
    69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73   itProcess...Mess
    61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00   ageBoxA.L.......
    5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32   Z.......kernel32
    2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00   .dll.user32.dll.
    00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00   ................

Imports structures (all addresses here are RVAs)

    descriptor 1
        INT*    0x203c  -> 0x204c, 0        Hint,Name: 0, ExitProcess
        Name    0x2078  -> kernel32.dll
        IAT*    0x2068  -> 0x204c, 0
    descriptor 2
        INT*    0x2044  -> 0x205a, 0        Hint,Name: 0, MessageBoxA
        Name    0x2085  -> user32.dll
        IAT*    0x2070  -> 0x205a, 0
    terminator      0 0 0 0 0

Consequences: after loading,
    0x402068 will point to kernel32.dll's ExitProcess
    0x402070 will point to user32.dll's MessageBoxA

Data: information used by the code
Offset:0x600/RVA:0x403000

    61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63   a.simple.PE.exec   Strings: "a simple PE executable" 0
    75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72   utable.Hello.wor            "Hello world!" 0
    6C 64 21 00                                       ld!.
This is the whole file; however, most PE files contain more elements. Explanations are simplified, for conciseness.
version 1, 3rd May 2012

Loading process

    1 Headers
        the DOS Header is parsed
        the PE Header is parsed (its offset is DOS Header's e_lfanew)
        the Optional Header is parsed (it follows the PE Header)

    2 Sections table
        Sections table is parsed

    3 Mapping
        the file is mapped in memory according to:
            the ImageBase
            the SizeOfHeaders
            the Sections table
        (diagram: file offsets on one side, virtual addresses on the other; the headers start at offset 0x0 / ImageBase 0x400000 and occupy SizeOfHeaders bytes; sections are placed according to File Alignment and Section Alignment)

    4 Imports
        DataDirectories are parsed
            they follow the OptionalHeader
            their number is NumOfRVAAndSizes
            imports are always #2
        Imports are parsed
            each descriptor specifies a DLLname
            this DLL is loaded in memory
            IAT and INT are parsed simultaneously
            for each API in INT, its address is written in the IAT entry

    5 Execution
        Code is called at the EntryPoint
        the calls of the code go via the IAT to the APIs

Notes

    MZ HEADER aka DOS_HEADER
        Starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)
    PE HEADER aka IMAGE_FILE_HEADERS / COFF file header
        Starts with 'PE' (Portable Executable)
    OPTIONAL HEADER aka IMAGE_OPTIONAL_HEADER
        Optional only for non-standard PEs but required for executables
    RVA Relative Virtual Address
        Address relative to ImageBase (at ImageBase, RVA = 0)
        Almost all addresses of the headers are RVAs
        In code, addresses are not relative




                                                           (it is located at: offset (OptionalHeader) + SizeOfOptionalHeader)
                                                                                                                                                                                                       PointertoRawData                        0x200             0x400200                         SizeOfHeaders
                                                      it contains NumberOfSections elements
                                                                                                                                                                                                                                RawData




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    INT Import Name Table
                                                                                                                                                                                                                                 SizeOf




                                                                                                                                                                                         Section 1
                                                      it is checked for validity with alignments:
                                                                                                                                                                     NumberOfSections




                                                                                                                                                                                                       PointertoRawData                        0x400             0x401000                         VirtualAddress
                                                                                                                                                                                                                                                                                                                                          IAT                 IAT                                                                                                                                                   Null-terminated list of pointers to Hint, Name structures
                                                                                                                                                                                                                                RawData




                                                           FileAlignments and SectionAlignments
                                                                                                                                                                                                                                 SizeOf




                                                                                                                                                                                         Section 2

PE 101 v1

  • 1. PE ortable 101 xecutable Hexadecimal dump ASCII dump Fields Values Ange Albertini Explanation corkami.com Dissected PE 4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00 Offset:0x30 MZ.............. e_magic e_lfanew 'MZ' 0x40 constant signature offset of the PE Header 1 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00 ............@... Signature 'PE', 0, 0 constant signature Offset:0x40 Machine 0x14c [intel 386] processor: ARM/MIPS/Intel/... 50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00 PE..L........... NumberOfSections 3 number of sections 2 SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb 00 00 00 00-E0 00 02 01... ....a... download @ pe101.corkami.com SizeOfOptionalHeader 0xe0 relative offset of the section table 2 Characteristics 0x102 [32b EXE] EXE/DLL/... Magic 0x10b [32b] 32 bits/64 bits Offset:0x58 AddressOfEntryPoint 0x1000 where execution starts 5 ...0B 01 00 00-00 00 00 00 ........ ImageBase 0x400000 address where the file should be mapped in memory 3 DOS header 4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00 MZ.............. 00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00 ................ SectionAlignment 0x1000 where sections should start in memory 2 shows it's a binary 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00 ............@... 00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00 ......@......... FileAlignment 0x200 where sections should start on file 2 00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00 ................ MajorSubsystemVersion 4 [NT 4 or later] required version of Windows 50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00 00 00 00 00-E0 00 02 shows it's a 'modern' binary PE header PE..L........... ....a.. 00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00 .@.............. SizeOfImage 0x4000 total memory space required 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ SizeOfHeaders 0x200 total size of the headers 3 01-0B 01 00 00-00 00 00 00 ......... 00 00 00 00-10 00 00 00... ........ 
Subsystem 2 [GUI] driver/graphical/command line/... 00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00 ................ NumberOfRvaAndSizes 16 number of data directories 4 00 00 00 00 00 00 00-00 00-00 optional header 00 00 40 00 00-00 10 00 00-00 02 00 00-04 00 00 00-00 00 00 00 00 ......@......... ................ 00 40 00 00-00 02 00 00-00 00 00 information executable 00-02 00 00 00 .@.............. 0000 4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00 MZ.............. 4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00 MZ.............. 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ ...00 00 00 00-00 00 00 00 ........ 0030 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00 ............@... 00 00 00 00-10 00 00 00 ................ 00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ ImportsVA 0x2000 RVA*of the imports 4 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00 ............@... 50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00 PE..L........... 50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00 PE..L........... 00 00 00 00-E0 00 02 01-0B 01 00 00-00 00 00 00 ....a........... 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ data directories 00 00 00 00-E0 00 02 01-0B 01 00 00-00 00 00 00 ....a........... 00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00 ................ 00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00 ......@......... 00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ Offset:0x138 00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00 ......@......... 00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 structures (exports, imports,...) pointers to extra 00 00 00-00 00 00 00 ................ header 00 00 00 40 00 00 00-00 00-00 00 02 00 00 00-04 00-00 00 00 00 00 00-00 00-02 00 00 00 00 00 00 ................ .@.............. 
00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00 .@.............. 2E 74 65 78-74 00 00 00 .text... Sections table 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00 ................ 2E 74 65 78-74 00 00 00 .text... 00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00 ................ *RVA RVA* physical size physical offset 00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00 ................ 00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 20 00 00 00 00-00 00-00 00 00 00 00 00-00 00-00 00 00 00 00 00-00 00-00 00 00 00 00 00 00 ................ ................ 00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00 ................ 00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60 ...............` Name VirtualSize VirtualAddress SizeOfRawData PointerToRawData Characteristics 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60 ...............` technical details about 00 00 00 .........text... 00 00 00-00 00 00 00-2E 74 65 78-74 the executable 2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00 .rdata.......... .text 0x1000 0x1000 0x200 0x200 CODE EXECUTE READ 0130 00 00 00 10 00 00 00-00 00-00 00 10 00 00 00-2E 00-00 74 02 65 00 78-74 00-00 00 02 00 00 00 00 .........text... ................ 00 00 00 10 00 00 00 00-00 00-00 10 00 00 00 00-00 00-00 02 00 00 00 00-00 00-20 02 00 00 00 00 60 ................ ...............` 2E 00 72 02 64 00 sections table 61-74 61 00 00-00 10 00 00-00 20 00 00 .rdata.......... 00-00 04 00 00-00 00 00 00-00 00 00 00 ................ 00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00 ................ .rdata 0x1000 0x2000 0x200 0x400 INITIALIZED READ 00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60 ...............` 2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00 .rdata.......... 
00 00 00 00-40 defines40-2Ethe file is loaded in memory 00 00 how 64 61 74-61 00 00 00 ....@..@.data... 00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00 ....@..@.data... .data 0x1000 0x3000 0x200 0x600 DATA READ WRITE 2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00 .rdata.......... 00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00 ................ 00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00 .....0.......... 00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00 ................ 00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00 .....0.......... For each section, a SizeofRawData sized block is read from the file at PointerToRawData offset. simple.exe 00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00 ....@..@.data... 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0 ............@..+ 00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00 ....@..@.data... 00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00 .....0.......... 00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00 .....0.......... 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0 ............@..+ 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0 ............@..+ It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics. 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0 ............@..+ 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 0200 6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15 j.h.0@.h.0@.j. . 6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15 j.h.0@.h.0@.j. . 70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00 p.@.j. .h.@..... x86 assembly Equivalent C code code 70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00 p.@.j. .h.@..... 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15 j.h.0@.h.0@.j. . 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................ 
Sections (contents of the executable)

Code section, Offset:0x200/RVA:0x401000 (what is executed)

  6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15  j.h.0@.h.0@.j. .
  70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00  p.@.j. .h.@.....

  push 0 ; push 0x403000 ; push 0x403017 ; push 0 ; call [0x402070]
      MessageBox(0, "Hello World!", "a simple PE executable", 0);
  push 0 ; call [0x402068]
      ExitProcess(0);

Imports section, Offset:0x400/RVA:0x402000 (link between the executable and (Windows) libraries)

  3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00  <...........x...   descriptor 1: INT* 0x203c, 0, 0, Name 0x2078
  68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00  h...D...........   IAT* 0x2068 ; descriptor 2: INT* 0x2044, 0, 0
  85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00  à...p...........   Name 0x2085, IAT* 0x2070 ; null descriptor (0 0 0 0 0)
  00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00  ............L...   INT at 0x203c: 0x204c
  00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78  ....Z.........Ex   0 ; INT at 0x2044: 0x205a, 0 ; Hint,Name at 0x204c: 0, Ex
  69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73  itProcess...Mess   itProcess ; Hint,Name at 0x205a: 0, Mess
  61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00  ageBoxA.L.......   ageBoxA ; IAT at 0x2068: 0x204c, 0
  5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32  Z.......kernel32   IAT at 0x2070: 0x205a, 0 ; 0x2078: kernel32
  2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00  .dll.user32.dll.   .dll ; 0x2085: user32.dll
  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................

Imports structures (all addresses here are RVAs)
  descriptor 1: INT* 0x203c, Hint,Name 0x2078 = kernel32.dll, IAT* 0x2068
      INT 0x203c -> 0x204c, 0 ; IAT 0x2068 -> 0x204c, 0 ; Hint,Name 0x204c = 0, ExitProcess
  descriptor 2: INT* 0x2044, Hint,Name 0x2085 = user32.dll, IAT* 0x2070
      INT 0x2044 -> 0x205a, 0 ; IAT 0x2070 -> 0x205a, 0 ; Hint,Name 0x205a = 0, MessageBoxA
  last descriptor: 0 0 0 0 0

Consequences
  after loading, 0x402068 will point to kernel32.dll's ExitProcess
  0x402070 will point to user32.dll's MessageBoxA

Data section, Offset:0x600/RVA:0x403000 (the information used by the code)

  61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63  a.simple.PE.exec
  75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72  utable.Hello.wor
  6C 64 21 00                                      ld!.

Strings
  0x403000: "a simple PE executable", 0
  0x403017: "Hello world!", 0

This is the whole file; however, most PE files contain more elements. Explanations are simplified, for conciseness. version 1, 3rd May 2012

Loading process
  1 Headers: the DOS Header is parsed; the PE Header is parsed; the Optional Header is parsed.
  2 Sections table: the Sections table is parsed; it contains NumberOfSections elements; it is checked for validity with the alignments: FileAlignment and SectionAlignment.
  3 Mapping: the file is mapped in memory according to the ImageBase, the SizeOfHeaders and the Sections table.
  4 Imports: the DataDirectories are parsed (they follow the OptionalHeader; their number is NumOfRVAAndSizes; imports are always #2). Imports are parsed: each descriptor specifies a DLL name; this DLL is loaded in memory; IAT and INT are parsed simultaneously; for each API in the INT, its address is written in the IAT entry.
  5 Execution: code is called at the EntryPoint; the calls of the code go via the IAT to the APIs.

Mapping (file offset -> virtual address, ImageBase 0x400000)
  Headers: offset 0x0, SizeOfHeaders -> 0x400000 (headers end at 0x400200)
  Section 1: PointerToRawData 0x200, SizeOfRawData -> VirtualAddress 0x401000
  Section 2: PointerToRawData 0x400, SizeOfRawData -> VirtualAddress 0x402000
  Alignment: FileAlignment governs the file offsets, SectionAlignment the virtual addresses.

Notes
  MZ HEADER aka DOS_HEADER: starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer).
  PE HEADER aka IMAGE_FILE_HEADERS / COFF file header: starts with 'PE' (Portable Executable); its offset is the DOS Header's e_lfanew.
  OPTIONAL HEADER aka IMAGE_OPTIONAL_HEADER: optional only for non-standard PEs but required for executables (it follows the PE Header).
  RVA, Relative Virtual Address: address relative to ImageBase (at ImageBase, RVA = 0). Almost all addresses of the headers are RVAs. In code, addresses are not relative.
  Sections table: located at offset(OptionalHeader) + SizeOfOptionalHeader.
  INT, Import Name Table: null-terminated list of pointers to Hint, Name structures.
  IAT, Import Address Table
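The import walk described under "Imports" (descriptors until the null one, INT entries until 0, Hint,Name lookup, IAT slot per entry), as an added example that is not part of the poster: it parses the 0x90 bytes of the imports section reproduced from the hex dump above (constructed input, embedded as hex) and reports what each IAT slot will hold after loading. Only that section is embedded, so every RVA it dereferences is assumed to fall inside RVA 0x2000..0x208f.

```python
import struct

IMAGE_BASE = 0x400000   # ImageBase from the poster's headers
IMPORTS_RVA = 0x2000    # section 2: file offset 0x400, RVA 0x2000
# Constructed input: the imports section exactly as shown in the hex dump
# (descriptors, INT, Hint/Name structures, IAT and DLL names).
IMPORTS_BYTES = bytes.fromhex(
    "3C200000 00000000 00000000 78200000"
    "68200000 44200000 00000000 00000000"
    "85200000 70200000 00000000 00000000"
    "00000000 00000000 00000000 4C200000"
    "00000000 5A200000 00000000 00004578"
    "69745072 6F636573 73000000 4D657373"
    "61676542 6F784100 4C200000 00000000"
    "5A200000 00000000 6B65726E 656C3332"
    "2E646C6C 00757365 7233322E 646C6C00"
)

def u32(data, rva):
    """Little-endian DWORD at an RVA inside the embedded imports section."""
    return struct.unpack_from("<I", data, rva - IMPORTS_RVA)[0]

def cstring(data, rva):
    """NUL-terminated ASCII string at an RVA inside the embedded section."""
    off = rva - IMPORTS_RVA
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Walk the 20-byte IMAGE_IMPORT_DESCRIPTORs until the all-zero one.
    Returns [(dll_name, [(iat_rva, hint, api_name), ...]), ...]."""
    dlls, desc_rva = [], IMPORTS_RVA
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from(
            "<5I", data, desc_rva - IMPORTS_RVA)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                          # null descriptor ends the table
        apis, i = [], 0
        while u32(data, oft + 4 * i):      # INT is NULL-terminated too
            hn_rva = u32(data, oft + 4 * i)   # -> Hint,Name structure
            hint = struct.unpack_from("<H", data, hn_rva - IMPORTS_RVA)[0]
            apis.append((ft + 4 * i, hint, cstring(data, hn_rva + 2)))
            i += 1
        dlls.append((cstring(data, name_rva), apis))
        desc_rva += 20
    return dlls

def iat_map(data):
    """What each IAT slot will point to after loading: {VA: 'dll!api'}."""
    return {IMAGE_BASE + iat: f"{dll}!{api}"
            for dll, apis in parse_imports(data) for iat, _h, api in apis}

if __name__ == "__main__":
    for va, target in iat_map(IMPORTS_BYTES).items():
        print(f"call [0x{va:06x}] -> {target}")
```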
