PE 101: Portable Executable
Ange Albertini, corkami.com
version 1, 3rd May 2012
SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb
download @ pe101.corkami.com

Map of simple.exe (what each part of the file is for)

  DOS header        shows it's a binary
  PE header         shows it's a 'modern' binary
  optional header   technical details about the executable
  data directories  pointers to extra structures (exports, imports, ...)
  sections table    defines how the file is loaded in memory
  sections          contents of the executable:
    code            what is executed
    imports         link between the executable and (Windows) libraries
    data            information used by the code

Dissected PE

The step numbers in brackets refer to the numbered steps of the loading process at the end of this page.

DOS header (offset 0x0)
  Hexadecimal dump:  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00
                     00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00   (offset 0x30)
  ASCII dump:        MZ..............
                     ............@...
  Field      Value   Explanation
  e_magic    'MZ'    constant signature
  e_lfanew   0x40    offset of the PE Header

PE header (offset 0x40)
  Hexadecimal dump:  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00
                     00 00 00 00-E0 00 02 01
  ASCII dump:        PE..L...........
                     ....a...
  Field                 Value              Explanation
  Signature             'PE', 0, 0         constant signature
  Machine               0x14c [intel 386]  processor: ARM/MIPS/Intel/...
  NumberOfSections      3                  number of sections (step 2)
  SizeOfOptionalHeader  0xe0               relative offset of the section table (step 2)
  Characteristics       0x102 [32b EXE]    EXE/DLL/...

Optional header (offset 0x58)
  Field                  Value              Explanation
  Magic                  0x10b [32b]        32 bits/64 bits
  AddressOfEntryPoint    0x1000             where execution starts (step 5)
  ImageBase              0x400000           address where the file should be mapped in memory (step 3)
  SectionAlignment       0x1000             where sections should start in memory (step 2)
  FileAlignment          0x200              where sections should start on file (step 2)
  MajorSubsystemVersion  4 [NT 4 or later]  required version of Windows
  SizeOfImage            0x4000             total memory space required
  SizeOfHeaders          0x200              total size of the headers (step 3)
  Subsystem              2 [GUI]            driver/graphical/command line/...
  NumberOfRvaAndSizes    16                 number of data directories (step 4)

Data directories (they follow the optional header)
  Field      Value   Explanation
  ImportsVA  0x2000  RVA of the imports (step 4)

Sections table (offset 0x138)
  Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
  .text   0x1000       0x1000          0x200          0x200             CODE EXECUTE READ
  .rdata  0x1000       0x2000          0x200          0x400             INITIALIZED READ
  .data   0x1000       0x3000          0x200          0x600             DATA READ WRITE
  VirtualAddress is an RVA; SizeOfRawData is the physical size and PointerToRawData the physical offset.
  For each section, a SizeOfRawData sized block is read from the file at offset PointerToRawData.
  It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics.

Hexadecimal dump of the whole file (rows that are entirely zero are collapsed into '*')

  offset  hexadecimal                                       ASCII
  0000    4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00   MZ..............
  0010    *
  0030    00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00   ............@...
  0040    50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00   PE..L...........
  0050    00 00 00 00-E0 00 02 01-0B 01 00 00-00 00 00 00   ....a...........
  0060    00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00   ................
  0070    00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00   ......@.........
  0080    00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00   ................
  0090    00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00   .@..............
  00A0    00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00   ................
  00B0    00 00 00 00-00 00 00 00-10 00 00 00-00 00 00 00   ................
  00C0    00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00   ................
  00D0    *
  0130    00 00 00 00-00 00 00 00-2E 74 65 78-74 00 00 00   .........text...
  0140    00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00   ................
  0150    00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60   ...............`
  0160    2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00   .rdata..........
  0170    00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00   ................
  0180    00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00   ....@..@.data...
  0190    00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00   .....0..........
  01A0    00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0   ............@..+
  01B0    *
  0200    6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15   j.h.0@.h.0@.j. .
  0210    70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00   p.@.j. .h.@.....
  0220    *
  0400    3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00   <...........x...
  0410    68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00   h...D...........
  0420    85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00   ....p...........
  0430    00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00   ............L...
  0440    00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78   ....Z.........Ex
  0450    69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73   itProcess...Mess
  0460    61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00   ageBoxA.L.......
  0470    5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32   Z.......kernel32
  0480    2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00   .dll.user32.dll.
  0490    *
  0600    61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63   a.simple.PE.exec
  0610    75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72   utable.Hello.wor
  0620    6C 64 21 00-00 00 00 00-00 00 00 00-00 00 00 00   ld!.............
  0630    *

Code (offset 0x200 / RVA 0x401000)
  x86 assembly       Equivalent C code
  push 0
  push 0x403000
  push 0x403017
  push 0
  call [0x402070]    MessageBox(0, "Hello world!", "a simple PE executable", 0);
  push 0
  call [0x402068]    ExitProcess(0);

Imports structures (offset 0x400 / RVA 0x402000)
All addresses here are RVAs.
  descriptors
    INT 0x203c, Name 0x2078 (kernel32.dll), IAT 0x2068
    INT 0x2044, Name 0x2085 (user32.dll), IAT 0x2070
    0 0 0 0 0   (null descriptor that ends the list)
  INT
    0x203c  0x204c, 0   (kernel32.dll)
    0x2044  0x205a, 0   (user32.dll)
  Hint, Name
    0x204c  0, ExitProcess
    0x205a  0, MessageBoxA
  IAT
    0x2068  0x204c, 0   (kernel32.dll)
    0x2070  0x205a, 0   (user32.dll)
  DLL names
    0x2078  kernel32.dll
    0x2085  user32.dll
  Consequences: after loading, 0x402068 will point to kernel32.dll's ExitProcess and 0x402070 will point to user32.dll's MessageBoxA.

Strings (offset 0x600 / RVA 0x403000)
  0x403000  a simple PE executable\0
  0x403017  Hello world!\0

This is the whole file; however, most PE files contain more elements. Explanations are simplified for conciseness.

Notes

  MZ HEADER aka DOS_HEADER
    Starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer).
  PE HEADER aka IMAGE_FILE_HEADER / COFF file header
    Starts with 'PE' (Portable Executable).
  OPTIONAL HEADER aka IMAGE_OPTIONAL_HEADER
    Optional only for non-standard PEs, but required for executables.
  RVA: Relative Virtual Address
    Address relative to ImageBase (at ImageBase, RVA = 0).
    Almost all addresses of the headers are RVAs.
    In code, addresses are not relative.
  INT: Import Name Table
    Null-terminated list of pointers to Hint, Name structures.
  IAT: Import Address Table
    Null-terminated list of pointers.
    On file it is a copy of the INT.
    After loading it points to the imported APIs.
  HINT
    Index in the exports table of a DLL to be imported.
    Not required, but provides a speed-up by reducing look-up.

Loading process

1 Headers
  the DOS Header is parsed
  the PE Header is parsed (its offset is the DOS Header's e_lfanew)
  the Optional Header is parsed (it follows the PE Header)
  DataDirectories are parsed:
    they follow the OptionalHeader
    their number is NumberOfRvaAndSizes
    imports are always #2

2 Sections table
  the Sections table is parsed (it is located at: offset(OptionalHeader) + SizeOfOptionalHeader)
  it contains NumberOfSections elements
  it is checked for validity with the alignments (FileAlignment and SectionAlignment)

3 Mapping
  the file is mapped in memory according to:
    the ImageBase
    the SizeOfHeaders
    the Sections table
  file offset (PointerToRawData)     memory address (ImageBase + VirtualAddress)
  0x0    headers                     0x400000  ImageBase
  0x200  Section 1 (SizeOfHeaders)   0x400200  ImageBase + SizeOfHeaders
  0x400  Section 2                   0x401000  Section 1 (VirtualSize 0x1000)
  0x600  Section 3                   0x402000  Section 2
  0x800  end of file                 0x403000  Section 3
                                     0x404000  ImageBase + SizeOfImage
  on file, sections are placed with SizeOfRawData on FileAlignment boundaries;
  in memory, with VirtualSize on SectionAlignment boundaries.

4 Imports
  Imports are parsed:
    each descriptor specifies a DLL name
    this DLL (library.dll) is loaded in memory
    IAT and INT are parsed simultaneously
    for each API in the INT (Hint, "API name"), its address (API_Address) is written in the IAT entry

5 Execution
  Code is called at the EntryPoint
  the calls of the code go via the IAT to the APIs
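The loading steps 1 to 3 above, as an added example that is not part of the poster or of corkami's own tools: a small Python parser that walks the headers the way a loader does. The input is a constructed replica of the first 0x200 bytes of simple.exe, built from the field values the poster lists (fields the poster does not show are left at zero); `parse_pe`, `rva_to_offset` and the field-name keys are this example's own names.

```python
import struct
# Little-endian layouts of IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 (without its data
# directories) and IMAGE_SECTION_HEADER, matching the fields dissected on the poster.
FILE_HDR = "<HHIIIHH"
OPT_HDR = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
SECT_HDR = "<8sIIIIIIHHI"

def build_headers() -> bytes:
    """Constructed replica of the first 0x200 bytes of simple.exe from the poster's values."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    pe = b"PE\0\0" + struct.pack(FILE_HDR, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack(OPT_HDR, 0x10B, 0, 0, 0, 0, 0, 0x1000, 0, 0, 0x400000, 0x1000,
                      0x200, 0, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0, 0, 0, 0, 0, 0, 16)
    dirs = bytes(8) + struct.pack("<II", 0x2000, 0) + bytes(8 * 14)  # directory #2 = imports
    secs = b"".join(struct.pack(SECT_HDR, n, 0x1000, va, 0x200, raw, 0, 0, 0, 0, ch)
                    for n, va, raw, ch in ((b".text", 0x1000, 0x200, 0x60000020),
                                           (b".rdata", 0x2000, 0x400, 0x40000040),
                                           (b".data", 0x3000, 0x600, 0xC0000040)))
    hdr = dos + pe + opt + dirs + secs
    return hdr + bytes(0x200 - len(hdr))                              # pad to SizeOfHeaders

def parse_pe(data: bytes) -> dict:
    """Steps 1 and 2 of the loading process: DOS -> PE -> optional header -> sections table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ or PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    opt = e_lfanew + 24                             # the optional header follows the PE header
    o = struct.unpack_from(OPT_HDR, data, opt)
    if o[0] != 0x10B:
        raise ValueError("only 32-bit PE (Magic 0x10b) is handled here")
    import_rva = struct.unpack_from("<I", data, opt + 0x60 + 8)[0]   # directories follow; #2 is imports
    sections = []
    for i in range(nsec):                           # table sits at opt + SizeOfOptionalHeader
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(
            SECT_HDR, data, opt + opt_size + 40 * i)
        if va % o[10] or rawptr % o[11]:            # SectionAlignment / FileAlignment checks
            raise ValueError("section %r breaks the alignments" % name)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr, chars))
    return {"machine": machine, "entry": o[6], "image_base": o[9], "size_of_headers": o[20],
            "subsystem": o[22], "import_rva": import_rva, "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:
    """Step 3 in reverse: headers map 1:1, a section maps VirtualAddress to PointerToRawData."""
    if rva < pe["size_of_headers"]:
        return rva
    for _, vsize, va, rawsize, rawptr, _ in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by the file" % rva)
```

Feeding it the replica yields the same values the poster dissects: the import directory RVA 0x2000 lands at file offset 0x400 and the "Hello world!" string at RVA 0x3017 lands at 0x617, while a PointerToRawData that is not a multiple of FileAlignment is rejected at step 2.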
