PE102 - a Windows executable format overview (booklet V1)
Ange Albertini
1. Cover

Ange Albertini, 2009-2013, Corkami
Portable Executable 102

Contents: MZ DOS header; PE header (NT headers: file header, optional header, data directory); sections; export, import, address table; resources, exceptions, relocations, debug, TLS, SafeSEH, .NET
2. Headers & Sections

Figure (file vs. memory layout, reconstructed from the diagram): in the file, the headers occupy SizeOfHeaders bytes from offset 0x0, followed by Section 1 (ex: code), Section 2 (ex: data) and Section 3 (ex: uninit. data), each starting at its PointerToRawData and spanning SizeOfRawData, aligned to FileAlignment. In memory the image is loaded at ImageBase (ex: 0x400000); the headers come first, then each section at ImageBase + VirtualAddress (BaseOfCode for section 1, BaseOfData for section 2) spanning VirtualSize (SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData), aligned to SectionAlignment, up to SizeOfImage. NumberOfSections gives the count. Legend: VirtualAddress = section start in memory, PointerToRawData = section start in file, AddressOfEntryPoint = where execution starts.

IMAGE_DOS_HEADER (file offset 0)
  00+2  e_magic      MZ
  02+2  e_cblp
  04+2  e_cp         exe size
  06+2  e_crlc
  08+2  e_cparhdr    exe start
  0a+2  e_minalloc
  0c+2  e_maxalloc
  0e+2  e_ss         initial ss
  10+2  e_sp         initial sp
  12+2  e_csum
  14+2  e_ip
  16+2  e_cs
  18+2  e_lfarlc
  1a+2  e_ovno
  1c+2  e_res[4]
  24+2  e_oemid
  26+2  e_oeminfo
  28+2  e_res2[10]
  3c+4  e_lfanew     offset of the PE header

IMAGE_NT_HEADERS(32/64), at e_lfanew
  00+04      Signature       PE00
  04+14      FileHeader      IMAGE_FILE_HEADER
  18+60/+70  OptionalHeader  IMAGE_OPTIONAL_HEADER(32/64), SizeOfOptionalHeader bytes

IMAGE_FILE_HEADER
  00+2  Machine               CPU architecture
  02+2  NumberOfSections
  04+4  TimeDateStamp
  08+4  PointerToSymbolTable
  0c+4  NumberOfSymbols
  10+2  SizeOfOptionalHeader
  12+2  Characteristics       exe/dll, relocs

IMAGE_OPTIONAL_HEADER(32/64)
  64b    32b
  00+2   00+2   Magic                        32b or 64b
  02+1   02+1   MajorLinkerVersion           required with signatures
  03+1   03+1   MinorLinkerVersion
  04+4   04+4   SizeOfCode
  08+4   08+4   SizeOfInitializedData
  0c+4   0c+4   SizeOfUninitializedData
  10+4   10+4   AddressOfEntryPoint
  14+4   14+4   BaseOfCode
  ----   18+4   BaseOfData
  18+8   1c+4   ImageBase                    suggested address to load the file
  20+4   20+4   SectionAlignment             = 2^y, with y ≥ x
  24+4   24+4   FileAlignment                = 2^x
  28+2   28+2   MajorOperatingSystemVersion
  2a+2   2a+2   MinorOperatingSystemVersion
  2c+2   2c+2   MajorImageVersion
  2e+2   2e+2   MinorImageVersion
  30+2   30+2   MajorSubsystemVersion        4: ≥W95, 5: ≥W2000, 6: ≥Vista
  32+2   32+2   MinorSubsystemVersion
  34+4   34+4   Win32VersionValue            overrides OS values in the Thread Environment Block
  38+4   38+4   SizeOfImage
  3c+4   3c+4   SizeOfHeaders                not always sizeof(Headers)
  40+4   40+4   CheckSum                     only used for drivers
  44+2   44+2   Subsystem                    executable/driver...
  46+2   46+2   DllCharacteristics
  48+8   48+4   SizeOfStackReserve
  50+8   4c+4   SizeOfStackCommit
  58+8   50+4   SizeOfHeapReserve
  60+8   54+4   SizeOfHeapCommit
  68+4   58+4   LoaderFlags
  6c+4   5c+4   NumberOfRvaAndSizes          ≤ 16
  70+8   60+8   DataDirectory[]              IMAGE_DATA_DIRECTORY (VirtualAddress, Size), NumberOfRvaAndSizes entries

Data Directories (IMAGE_DATA_DIRECTORY[])
  0  EXPORT
  1  IMPORT
  2  RESOURCE              icons, manifest, version...
  3  EXCEPTION             64bits exceptions
  4  SECURITY              Authenticode signature
  5  BASERELOC             relocations
  6  DEBUG                 symbols
  7  COPYRIGHT/Architecture  useless
  8  GLOBALPTR             only on Itanium systems
  9  TLS                   Thread Local Storage
  A  LOAD_CONFIG           SafeSEH
  B  BOUND_IMPORT          speeds up imports loading
  C  IAT                   Import Address Table
  D  DELAY_IMPORT
  E  COM_DESCRIPTOR        .NET header
  F  reserved              unused
  further entries are ignored

IMAGE_SECTION_HEADER (Section Table, NumberOfSections entries)
  00+1  Name[8]
  08+4  VirtualSize
  0c+4  VirtualAddress
  10+4  SizeOfRawData
  14+4  PointerToRawData
  18+4  PointerToRelocations
  1c+4  PointerToLinenumbers
  20+2  NumberOfRelocations
  22+2  NumberOfLinenumbers
  24+4  Characteristics       RWX

Constants
  File header, IMAGE_FILE_MACHINE_* (Machine): I386 014c, ARMV7 01c4, AMD64 8664
  File header, IMAGE_FILE_* (Characteristics): RELOCS_STRIPPED 0001, EXECUTABLE_IMAGE 0002, LINE_NUMS_STRIPPED 0004, LOCAL_SYMS_STRIPPED 0008, LARGE_ADDRESS_AWARE 0020, 32BIT_MACHINE 0100, DEBUG_STRIPPED 0200, DLL 2000
  Optional header, IMAGE_NT_OPTIONAL_HDR*_MAGIC (Magic): 32 010b, 64 020b
  Optional header, IMAGE_SUBSYSTEM_* (Subsystem): NATIVE (driver) 0001, WINDOWS_GUI 0002, WINDOWS_CUI (console) 0003
  Optional header, IMAGE_DLLCHARACTERISTICS_* (DllCharacteristics): DYNAMIC_BASE (aslr) 0040, NX_COMPAT (dep) 0100, NO_SEH 0400, TERMINAL_SERVER_AWARE 8000
  Section, IMAGE_SCN_* (Characteristics): CNT_CODE 00000020, CNT_INITIALIZED_DATA 00000040, CNT_UNINITIALIZED_DATA 00000080, MEM_DISCARDABLE 02000000, MEM_SHARED (risky!) 10000000, MEM_EXECUTE 20000000, MEM_READ 40000000, MEM_WRITE 80000000
  Relocations, IMAGE_REL_BASED_* (TypeOffset): ABSOLUTE 0, HIGHLOW 3
  Resources, RT_* (NameID): BITMAP 02, ICON 03, MENU 04, DIALOG 05, STRING 06, GROUP_ICON 0d, VERSION 10, MANIFEST 18
  Legend: Relative Virtual Address = relative offset (in memory); offset = position in the file; Virtual Address (requires relocation)
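To make the header walk above concrete, here is an added Python example (written for this page; it is not code from the booklet or from Corkami): it follows MZ → e_lfanew → PE00 → IMAGE_FILE_HEADER → IMAGE_OPTIONAL_HEADER (both the 64b and 32b columns) → data directories → section table, applies the sanity rules the poster states (FileAlignment = 2^x, SectionAlignment = 2^y with y ≥ x, NumberOfRvaAndSizes ≤ 16, no writable-and-executable sections), and converts an RVA to a file offset through the section table. The input is a hand-constructed two-section PE32 blob, not a real binary; field values in it are illustrative.

```python
import struct

# Constants copied from the poster's tables (hex values as printed there)
MACHINES = {0x014C: "I386", 0x01C4: "ARMV7", 0x8664: "AMD64"}
FILE_CHARS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x00000080: "CNT_UNINITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
             0x10000000: "MEM_SHARED", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE00 -> FILE_HEADER -> OPTIONAL_HEADER -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)               # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE00 signature at e_lfanew")
    fh = e_lfanew + 4                                                # IMAGE_FILE_HEADER, 0x14 bytes
    machine, nsect, _, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 0x14                                                   # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, oh)
    if magic == 0x10B:                                               # 32b: BaseOfData at 18, ImageBase 1c+4
        image_base, = struct.unpack_from("<I", data, oh + 0x1C)
        dirs = oh + 0x60
    elif magic == 0x20B:                                             # 64b: no BaseOfData, ImageBase 18+8
        image_base, = struct.unpack_from("<Q", data, oh + 0x18)
        dirs = oh + 0x70
    else:
        raise ValueError("unknown optional header Magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, oh + 0x10)               # offsets below are equal in both columns
    sect_align, file_align = struct.unpack_from("<II", data, oh + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, oh + 0x38)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 0x44)
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)               # NumberOfRvaAndSizes
    warnings = []
    if file_align == 0 or file_align & (file_align - 1):
        warnings.append("FileAlignment is not 2^x")
    if sect_align & (sect_align - 1) or sect_align < file_align:
        warnings.append("SectionAlignment is not 2^y with y >= x")
    if n_dirs > 16:
        warnings.append("NumberOfRvaAndSizes > 16: extra entries are ignored")
    directories = [struct.unpack_from("<II", data, dirs + 8 * i) for i in range(min(n_dirs, 16))]
    sect_tab = oh + opt_size                                         # SizeOfOptionalHeader places the section table
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, raw, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, sect_tab + 0x28 * i)
        sec = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "VirtualSize": vsize, "VirtualAddress": va,
               "SizeOfRawData": rsize, "PointerToRawData": raw, "Characteristics": flag_names(chars, SCN_FLAGS)}
        if chars & MEM_WRITE and chars & MEM_EXECUTE:
            warnings.append("section %s is writable and executable" % sec["name"])
        sections.append(sec)
    return {"machine": MACHINES.get(machine, "0x%04x" % machine), "file_characteristics": flag_names(fchars, FILE_CHARS),
            "magic": magic, "image_base": image_base, "entry_point": entry, "subsystem": subsystem,
            "section_alignment": sect_align, "file_alignment": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "headers_end": sect_tab + 0x28 * nsect,  # real end of the headers
            "dll_characteristics": flag_names(dll_chars, DLL_CHARS), "directories": directories,
            "sections": sections, "warnings": warnings}

def rva_to_offset(pe, rva):
    """Map a Relative Virtual Address to a file offset through the section table; None if unmapped."""
    if rva < pe["size_of_headers"]:
        return rva                                                   # headers are mapped 1:1 at ImageBase
    for s in pe["sections"]:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    return None

def build_sample():
    """Constructed 32-bit PE with two sections; every value is illustrative, not from a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)  # I386, 2 sections, EXECUTABLE|32BIT
    opt = bytearray(0xE0)                                            # SizeOfOptionalHeader for PE32 with 16 dirs
    struct.pack_into("<H", opt, 0x00, 0x10B)
    struct.pack_into("<I", opt, 0x10, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 0x44, 0x0003, 0x0140)               # WINDOWS_CUI, DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 0x5C, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * 1, 0x2010, 0x28)         # directory 1 = IMPORT: VirtualAddress, Size
    def sec(name, vsize, va, rsize, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)     # CNT_CODE|MEM_EXECUTE|MEM_READ
    rdata = sec(b".rdata", 0x40, 0x2000, 0x200, 0x400, 0x40000040)   # CNT_INITIALIZED_DATA|MEM_READ
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + rdata).ljust(0x200, b"\0")
    text_raw = b"\xC3".ljust(0x200, b"\0")                            # a lone RET is the whole program
    rdata_raw = (b"\0" * 0x10 + b"import-dir").ljust(0x200, b"\0")    # marker the IMPORT directory points at
    return headers + text_raw + rdata_raw
```

Running `parse_pe(build_sample())` reports SizeOfHeaders 0x200 against an actual header end of 0x188, illustrating the poster's note that SizeOfHeaders is not always sizeof(Headers); `rva_to_offset` then turns the IMPORT directory RVA 0x2010 into file offset 0x410.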
3. Data directories: exports, imports, exceptions, signature, relocations, debug, copyright, TLS, SafeSEH, bound and delay imports

0 Exports: IMAGE_EXPORT_DIRECTORY ("Export Table")
  00+4  Characteristics
  04+4  TimeDateStamp
  08+2  MajorVersion
  0a+2  MinorVersion
  0c+4  Name                   -> "<dll>"
  10+4  Base
  14+4  NumberOfFunctions
  18+4  NumberOfNames
  1c+4  AddressOfFunctions     -> Function[]: <address> of the <api>, or "<dll>.<name>" for imports forwarding
  20+4  AddressOfNames         -> Name[]: "<api>"
  24+4  AddressOfNameOrdinals  -> NameOrdinal[]: <ordinal>

1 Imports: IMAGE_IMPORT_DESCRIPTOR (one per library, ex: Kernel32.dll)
  00+4  OriginalFirstThunk/Characteristics  -> IMAGE_THUNK_DATA[]
  04+4  TimeDateStamp
  08+4  ForwarderChain
  0c+4  Name                                -> "<library>"
  10+4  FirstThunk                          -> IMAGE_THUNK_DATA[] (C IAT, Import Address Table: <address>)
  IMAGE_THUNK_DATA(32/64): +8/+4  AddressOfData / Ordinal / ForwarderString / Function
  IMAGE_IMPORT_BY_NAME: 00+2 Hint (<hint>), 02+1 Name[*] ("<api>")

Exceptions (EXCEPTION directory, 64-bit): RUNTIME_FUNCTION[]  (DIRECTORY.SIZE required)
  00+4  FunctionStart
  04+4  FunctionEnd
  08+4  UnwindInfo  -> UNWIND_INFO
  UNWIND_INFO: 00+1 Version:3 / Flags:5; 01+1 SizeOfProlog; 02+1 CountOfCodes; 03+1 FrameRegister:4 / FrameOffset:4; UNWIND_CODE[]; ??+4 ExceptionHandler/FunctionEntry; +4 ExceptionData[]
  UNWIND_CODE: 00+1 CodeOffset; 01+1 UnwindOp:4 / OpInfo:4; 02+2 FrameOffset

Signature (SECURITY directory): WIN_CERTIFICATE
  00+4  dwLength
  04+2  wRevision
  06+2  wCertificateType
  08+?  bCertificate[]

5 Relocations: IMAGE_BASE_RELOCATION (one per relocation block)
  00+4  VirtualAddress
  04+4  SizeOfBlock
  +2    TypeOffset[]   Type:4 (ex: IMAGE_REL_BASED_HIGHLOW = 3), Offset:12
  Example: PUSH EBP / PUSH offset szMyString: the absolute operand of the second PUSH is the value being relocated.

6 Debug symbols: IMAGE_DEBUG_DIRECTORY
  00+4  Characteristics
  04+4  TimeDateStamp
  08+2  MajorVersion
  0a+2  MinorVersion
  0c+4  Type              1: Coff / 2: CV-PDB / 9: Borland
  10+4  SizeOfData
  14+4  AddressOfRawData
  18+4  PointerToRawData

7 Copyright: <copyright string>

9 Thread Local Storage: IMAGE_TLS_DIRECTORY(32/64)
  64b    32b
  00+8   00+4   StartAddressOfRawData
  08+8   04+4   EndAddressOfRawData
  10+8   08+4   AddressOfIndex         pointer to TLS index
  18+8   0c+4   AddressOfCallBacks     -> IMAGE_TLS_CALLBACK(32/64): +8/+4 Callback -> <callback code>, list ends with 00000000
  20+4   10+4   SizeOfZeroFill
  24+4   14+4   Characteristics

A SafeSEH: IMAGE_LOAD_CONFIG_DIRECTORY(32/64)  (DIRECTORY.SIZE)
  64b    32b
  00+4   00+4   Size
  04+4   04+4   TimeDateStamp
  08+2   08+2   MajorVersion
  0A+2   0A+2   MinorVersion
  0C+4   0C+4   GlobalFlagsClear
  10+4   10+4   GlobalFlagsSet
  14+4   14+4   CriticalSectionDefaultTimeout
  18+8   18+4   DeCommitFreeBlockThreshold
  20+8   1C+4   DeCommitTotalFreeThreshold
  28+8   20+4   LockPrefixTable
  30+8   24+4   MaximumAllocationSize
  38+8   28+4   VirtualMemoryThreshold
  40+8   2C+4   ProcessAffinityMask
  48+4   30+4   ProcessHeapFlags
  4C+2   34+2   CSDVersion
  4E+2   36+2   Reserved1
  50+8   38+4   EditList
  58+8   3C+4   SecurityCookie
  60+8   40+4   SEHandlerTable   -> HandlerTable: 00+4 Handler -> <exception handler code>
  68+8   44+4   SEHandlerCount

B Bound imports: IMAGE_BOUND_IMPORT_DESCRIPTOR
  00+4  TimeDateStamp
  04+2  OffsetModuleName
  06+2  NumberOfModuleForwarderRefs

D Delay imports: IMAGE_DELAY_IMPORT_DESCRIPTOR
  00+4  grAttrs
  04+4  szName
  08+4  phmod
  0c+4  pIAT
  10+4  pINT
  14+4  pBoundIAT
  18+4  pUnloadIAT
  1c+4  dwTimeStamp
4. Resources

2 Resources (Data Directory): a three-level tree, type (RT_*) -> name/ID -> language, then the data entry
IMAGE_RESOURCE_DIRECTORY (ROOT, and each sub-directory)
  00+4  Characteristics
  04+4  TimeDateStamp
  08+2  MajorVersion
  0a+2  MinorVersion
  0c+2  NumberOfNamedEntries
  0e+2  NumberOfIdEntries
  followed by IMAGE_RESOURCE_DIRECTORY_ENTRY[] (named entries, then ID entries)
IMAGE_RESOURCE_DIRECTORY_ENTRY
  00+4  Name/ID        level 1: type (RT_*); level 2: name/ID; level 3: language
  04+4  OffsetToData   -> next-level IMAGE_RESOURCE_DIRECTORY, or IMAGE_RESOURCE_DATA_ENTRY at the last level
IMAGE_RESOURCE_DATA_ENTRY
  00+4  OffsetToData   -> <Resource data>
  04+4  Size
  08+4  CodePage
  0c+4  Reserved

Resources (data itself)

Icons, RT_ICON (3): <header-less .ICO data>

Group icons, RT_GROUP_ICON (14): GRPICONDIR
  00+2  idReserved   always 0 - enforced
  02+2  idType       always 1 for icons
  04+2  idCount
  GRPICONDIRENTRY[]
  00+1  bWidth
  01+1  bHeight
  02+1  bColorCount
  03+1  bReserved
  04+2  wPlanes
  06+2  wBitCount
  08+4  dwBytesInRes
  0C+2  nId          Icon Id

Strings, RT_STRING (6): 16 strings (always), each: 00+2 length (null = no string), 02+? string

Manifest, RT_MANIFEST (24): <XML file>, example: <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0' />

Version information, RT_VERSION (16): VS_VERSION_INFO
  00+02     wLength
  02+02     wValueLength
  04+02     wType         0: bin / 1: text
  06+2*?    szKey[]       "VS_VERSION_INFO"
  +[0-3]    Padding1
  ??+34     Value         VS_FIXEDFILEINFO
  ??+[0-3]  Padding2
  ??+?      Children      StringFileInfo, VarFileInfo
  VS_FIXEDFILEINFO
  00+4  dwSignature        0xFEEF04BD
  04+4  dwStrucVersion
  08+4  dwFileVersionMS
  0c+4  dwFileVersionLS
  10+4  dwProductVersionMS
  14+4  dwProductVersionLS
  18+4  dwFileFlagsMask
  1c+4  dwFileFlags
  20+4  dwFileOS
  24+4  dwFileType
  28+4  dwFileSubtype
  2c+4  dwFileDateMS
  30+4  dwFileDateLS
  StringFileInfo
  00+2    wLength
  02+2    wValueLength   0: no value
  04+2    wType          0: children are binary
  08+2*?  szKey          "StringFileInfo"
  +[0-3]  Padding
  ??+?    Children       StringTable[]
  StringTable
  00+2    wLength
  02+2    wValueLength   0 = no value
  04+2    wType          1
  08+2*?  szKey          "<language ID>"
  +[0-3]  Padding
  ??+?    Children       String[]
  String
  00+2    wLength
  02+2    wValueLength
  04+2    wType          1: text
  08+2*?  szKey          ex: "ProductName"
  +[0-3]  Padding
  +2*?    Value[]        ex: "Notepad"
  VarFileInfo
  00+2    wLength
  02+2    wValueLength   0 = no value
  04+2    wType
  08+2*?  szKey          "VarFileInfo"
  +[0-3]  Padding
  ??+?    Children       Var[]
  Var
  00+2    wLength
  02+2    wValueLength
  04+2    wType
  08+2*?  szKey          "Translation"
  +[0-3]  Padding
  +4*?    Value[]        ex: 04b00h << 16 + 409h
  (each wLength covers its own block including its children; wValueLength is the length of Value)
5. .NET

E .NET: IMAGE_COR20_HEADER (COM_DESCRIPTOR directory)
  00+4  cb
  04+2  MajorRuntimeVersion
  06+2  MinorRuntimeVersion
  08+8  MetaData                  -> METADATAHDR
  10+4  Flags
  14+4  EntryPointToken/RVA
  18+8  Resources
  30+8  StrongNameSignature
  38+8  CodeManagerTable
  40+8  VTableFixups
  48+8  ExportAddressTableJumps
  50+8  ManagedNativeHeader

METADATAHDR
  00+4  Signature      BSJB
  04+2  MajorVersion
  06+2  MinorVersion
  08+4  Reserved
  0C+4  VersionLength
  10+?  Version
  +2    Flags          = 0
  +2    Streams        count, followed by METADATASTREAMHDR[]

METADATASTREAMHDR
  00+4  offset
  04+4  size
  08+?  string         stream name
  +?    padding

Streams (<Stream content>):
  MetaStream (#~), always 1st  -> METADATATABLESHDR
  String (#Strings): null-terminated "mscorlib", "System", "Object", ...
  User String (#US): "Hello World!", ...
  Blob (#Blob): publickeytoken, signature, ...

METADATATABLESHDR
  00+4  Reserved1
  04+1  MajorVersion
  05+1  MinorVersion
  06+2  HeapOffsetSizes
  07+1  Reserved2
  08+8  MaskValid       which tables are present
  10+8  MaskSorted      which tables are sorted
  +4    NumRows[≤64]    how many rows in each table

Tables (mdtModule, mdtTypeRef, mdtTypeDef, ..., mdtMethodDef, ..., mdtMemberRef, mdtCustomAttribute, ..., mdtAssembly, mdtAssemblyRef, ...)
  MODULETABLE (mdtModule): 00+2 Generation, 02+2 Name, 04+2 Mvid, 06+2 EncId, 08+2 EncBaseId
  TYPEREFTABLE (mdtTypeRef): 00+2 ResolutionScope, 02+2 Name, 04+2 Namespace
  TYPEDEFTABLE (mdtTypeDef): 00+4 Flags, 04+2 Name, 06+2 Namespace, 08+2 Extends, 0A+2 FieldList, 0C+2 MethodList
  METHODDEFTABLE (mdtMethodDef): 00+4 RVA, 04+2 ImplFlags, 06+2 Flags, 08+2 Name, 0A+2 Signature, 0C+2 ParamList
  MEMBERREFTABLE (mdtMemberRef): 00+2 Class, 02+2 Name, 04+2 Signature
  CUSTOMATTRIBUTETABLE (mdtCustomAttribute): 00+2 Parent, 02+2 Type, 04+2 Value
  ASSEMBLYTABLE (mdtAssembly): 00+4 HashAlgId, 04+2 MajorVersion, 06+2 MinorVersion, 08+2 BuildNumber, 0A+2 RevisionNumber, 0C+4 Flags, 10+2 PublicKey, 12+2 Name, 14+2 Culture
  ASSEMBLYREFTABLE (mdtAssemblyRef): 00+2 MajorVersion, 02+2 MinorVersion, 04+2 BuildNumber, 06+2 RevisionNumber, 08+4 Flags, 0c+2 PublicKeyOrToken, 0e+2 Name, 10+2 Culture, 12+2 HashValue

Disclaimer: this is only a subset of .NET structures - the required ones to make a working executable.