the PE format 2011/01/17
Ange Albertini
1.
the PE format
(17th January 2011) Ange Albertini http://corkami.blogspot.com Creative Commons Attribution 3.0
2.
Table of contents
  3  Standard File & Memory layouts
  4  the PE Headers
  5  Data Directories 1/2: Exports, Imports, Import table
  6  Data Directories 2/2: Resources, Relocations, Debug, TLS, Delay imports

Changelog
  2011/01/17  minor changes, fixed data directories, better resource directories layout
  2010/04/07  +data directories
  2010/04/03  +layouts
  2010/01/28  +headers
3.
Standard File & Memory layouts

Section table fields, as labelled on the poster:
  offset  = PointerToRawData   PSize = SizeOfRawData
  address = VirtualAddress     VSize = VirtualSize

On file (physical view, by offset from 0):
  0                  MZ header; the headers end at SizeOfHeaders, rounded up to FileAlignment
  Section[0].Offset  .text: code, Section[0].PSize long, rounded up to FileAlignment
  Section[1].Offset  .data: data, Section[1].PSize long, rounded up to FileAlignment
  Section[2].Offset  .idata: the Import table, Section[2].PSize long
  ...                appended data, up to filesize; it is not loaded

In memory (virtual view, by address):
  ImageBase                MZ header; the headers end at SizeOfHeaders, rounded up to SectionAlignment
  Section[0].Address       .text (BaseOfCode, SizeOfCode), Section[0].VSize long, rounded up to
                           SectionAlignment; the EntryPoint lies inside it (e.g. "push ebp")
  Section[1].Address       .data (BaseOfData; "SizeOfData" on the poster, i.e. SizeOfInitializedData),
                           Section[1].VSize long (e.g. "i dd 0")
  Section[2].Address       .idata: the imports, Section[2].VSize long; after loading
                           "__imp__MessageBox_: dd aMessageBox" points into the loaded library
  ImageBase + SizeOfImage  end of the image; the stack, the environment, the libraries and the
                           system libraries are mapped elsewhere in the address space

Ange Albertini 2010, Creative Commons Attribution, http://corkami.blogspot.com
4.
the PE Headers

Legend: the poster marks each field as critical, standard, or minor/ignored by the loader, and each
value column as relative offset, offset, or RVA.

offset 0: IMAGE_DOS_HEADER
  0x00 dw e_magic        MZ
  0x02 dw e_cblp         exe size (with e_cp)
  0x04 dw e_cp
  0x06 dw e_crlc
  0x08 dw e_cparhdr      exe start
  0x0a dw e_minalloc
  0x0c dw e_maxalloc
  0x0e dw e_ss
  0x10 dw e_sp
  0x12 dw e_csum
  0x14 dw e_ip
  0x16 dw e_cs
  0x18 dw e_lfarlc
  0x1a dw e_ovno
  0x1c dw e_res[4]
  0x24 dw e_oemid
  0x26 dw e_oeminfo
  0x28 dw e_res2[10]
  0x3c dd e_lfanew       offset of IMAGE_NT_HEADERS

IMAGE_NT_HEADERS[32/64] (at e_lfanew)
  0x00 dd Signature      PE00
  0x04 FileHeader        IMAGE_FILE_HEADER
  0x18 OptionalHeader    IMAGE_OPTIONAL_HEADER[32/64], SizeOfOptionalHeader bytes long

IMAGE_FILE_HEADER
  0x00 dw Machine               0x014c [32b] / 0x8664 [64b]
  0x02 dw NumberOfSections
  0x04 dd TimeDateStamp
  0x08 dd PointerToSymbolTable
  0x0c dd NumberOfSymbols
  0x10 dw SizeOfOptionalHeader
  0x12 dw Characteristics       exe/dll, relocs

IMAGE_OPTIONAL_HEADER[32/64]
  0x00 dw Magic                 0x10b [32b] / 0x20b [64b]
  0x02 db MajorLinkerVersion
  0x03 db MinorLinkerVersion
  0x04 dd SizeOfCode
  0x08 dd SizeOfInitializedData
  0x0c dd SizeOfUninitializedData
  0x10 dd AddressOfEntryPoint   RVA
  0x14 dd BaseOfCode            RVA
  0x18 dd BaseOfData            RVA, only in 32b
  0x1c dd ImageBase             dq at 0x18 in 64b (it takes the place of BaseOfData, so the
                                offsets from 0x20 to 0x44 are the same in both)
  0x20 dd SectionAlignment      = 2^y, with y >= x
  0x24 dd FileAlignment         = 2^x
  0x28 dw MajorOperatingSystemVersion
  0x2a dw MinorOperatingSystemVersion
  0x2c dw MajorImageVersion
  0x2e dw MinorImageVersion
  0x30 dw MajorSubsystemVersion
  0x32 dw MinorSubsystemVersion
  0x34 dd Win32VersionValue
  0x38 dd SizeOfImage
  0x3c dd SizeOfHeaders
  0x40 dd CheckSum              [checked for drivers]
  0x44 dw Subsystem             1 driver / 2 gui / 3 cli
  0x46 dw DllCharacteristics
  0x48 dd SizeOfStackReserve    dq in 64b
  0x4c dd SizeOfStackCommit     dq in 64b
  0x50 dd SizeOfHeapReserve     dq in 64b
  0x54 dd SizeOfHeapCommit      dq in 64b
  0x58 dd LoaderFlags           (0x68 in 64b)
  0x5c dd NumberOfRvaAndSizes   <= 16 (0x6c in 64b)
  0x60 DataDirectory            NumberOfRvaAndSizes entries of IMAGE_DATA_DIRECTORY (0x70 in 64b)

IMAGE_DATA_DIRECTORY
  0x00 dd VirtualAddress        RVA
  0x04 dd Size

Section Table: NumberOfSections entries of IMAGE_SECTION_HEADER, right after the optional header
  0x00 db Name[8]
  0x08 dd PhysicalAddress | VirtualSize   (union)
  0x0c dd VirtualAddress        RVA
  0x10 dd SizeOfRawData
  0x14 dd PointerToRawData      offset
  0x18 dd PointerToRelocations
  0x1c dd PointerToLinenumbers
  0x20 dw NumberOfRelocations
  0x22 dw NumberOfLinenumbers
  0x24 dd Characteristics       RWX

Ange Albertini 2009-2011, Creative Commons Attribution, http://corkami.blogspot.com
5.
Data Directories 1/2: Exports, Imports, Import table

DATA DIRECTORIES (index into IMAGE_OPTIONAL_HEADER.DataDirectory)
  0 IMAGE_DIRECTORY_ENTRY_EXPORT
  1 IMAGE_DIRECTORY_ENTRY_IMPORT
  2 IMAGE_DIRECTORY_ENTRY_RESOURCE
  3 IMAGE_DIRECTORY_ENTRY_SECURITY
  4 IMAGE_DIRECTORY_ENTRY_EXCEPTION
  5 IMAGE_DIRECTORY_ENTRY_BASERELOC
  6 IMAGE_DIRECTORY_ENTRY_DEBUG
  7 IMAGE_DIRECTORY_ENTRY_COPYRIGHT
  8 IMAGE_DIRECTORY_ENTRY_GLOBALPTR
  9 IMAGE_DIRECTORY_ENTRY_TLS
  A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
  C IMAGE_DIRECTORY_ENTRY_IAT
  D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
  E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
  F reserved

IMAGE_EXPORT_DIRECTORY (entry 0)
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dd Name                    RVA of the DLL name, e.g. "MyLib.dll"
  10 dd Base                    first ordinal
  14 dd NumberOfFunctions
  18 dd NumberOfNames
  1c dd AddressOfFunctions      RVA of dd Function[NumberOfFunctions]
  20 dd AddressOfNames          RVA of dd Name[NumberOfNames]
  24 dd AddressOfNameOrdinals   RVA of dw NameOrdinal[NumberOfNames] (word-sized, not dword)
"Export Table", as a tool shows it: 401020: MyFunction (ord:01)

IMAGE_IMPORT_DESCRIPTOR (entry 1): one per library, ended by an all-zero descriptor (dd 0,0,0,0,0)
  00 dd OriginalFirstThunk / Characteristics   RVA of the Import Name Table (INT)
  04 dd TimeDateStamp
  08 dd ForwarderChain
  0c dd Name                    RVA of the DLL name, e.g. "Kernel32.dll"
  10 dd FirstThunk              RVA of the Import Address Table (IAT)

IMAGE_THUNK_DATA: both INT and IAT are arrays of these, each ended by dd 0
  00 dd AddressOfData / Ordinal / ForwarderString / Function
  On file both tables hold the same RVAs (AddressOfData -> IMAGE_IMPORT_BY_NAME); after loading the
  IAT holds VAs (Function), e.g. 7C81127A = Kernel32.dll!GetVersion (hint:4)

IMAGE_IMPORT_BY_NAME
  00 dw Hint
  02 db Name[*]                 NUL-terminated

Ange Albertini 2010-2011, Creative Commons Attribution (cc by), http://corkami.blogspot.com
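The walk drawn on slides 3, 4 and 5 (DOS header, NT headers, section table, address-to-offset translation, import descriptors and thunks), as an added example in Python. This is not code from the poster or from corkami: the function names (parse_pe, rva_to_offset, parse_imports, build_sample_pe) are mine, and the PE32 that build_sample_pe() returns is constructed in the block (one .text section holding an import table for kernel32.dll!ExitProcess and a "push 0; call [IAT]" stub). The parser also covers the PE32+ offsets noted on slide 4 (ImageBase as a dq at 0x18, NumberOfRvaAndSizes at 0x6c) and treats anything beyond 16 data directories as absent.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index into DataDirectory (slide 5)


def cstring(data, off):
    """NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def rva_to_offset(pe, rva):
    """address -> offset through the section table, as drawn on slide 3."""
    if rva < pe["SizeOfHeaders"]:              # headers are mapped 1:1 at ImageBase
        return rva
    for s in pe["Sections"]:                   # bytes past SizeOfRawData exist only in memory (zero-filled)
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + s["SizeOfRawData"]:
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_pe(data):
    """DOS header, IMAGE_NT_HEADERS32/64, data directories and section table (slide 4)."""
    if data[:2] != b"MZ":
        raise ValueError("bad e_magic")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad Signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 0x18                       # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("bad optional header Magic 0x%x" % magic)
    pe64 = magic == 0x20B
    entry, = struct.unpack_from("<I", data, opt + 0x10)
    # ImageBase is a dd at 0x1c in PE32 but a dq at 0x18 in PE32+ (BaseOfData is gone)
    image_base, = struct.unpack_from("<Q" if pe64 else "<I", data, opt + (0x18 if pe64 else 0x1C))
    sect_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 0x38)
    # The four stack/heap sizes are dq in PE32+, moving NumberOfRvaAndSizes from 0x5c to 0x6c
    nd_off = opt + (0x6C if pe64 else 0x5C)
    ndirs = min(struct.unpack_from("<I", data, nd_off)[0], 16)   # only 16 entries are defined
    dirs = [struct.unpack_from("<II", data, nd_off + 4 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - ndirs)
    bad_align = sect_align & (sect_align - 1) or file_align & (file_align - 1) or sect_align < file_align
    warnings = ["alignments are not powers of two with SectionAlignment >= FileAlignment"] if bad_align else []
    keys, sections = ("VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData"), []
    for i in range(nsect):                      # section table starts right after the optional header
        s = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(dict(zip(keys, s[1:5]), Name=s[0].rstrip(b"\0").decode(), Characteristics=s[9]))
    return {"Machine": machine, "Characteristics": chars, "PE64": pe64, "ImageBase": image_base,
            "EntryPoint": entry, "SizeOfImage": size_of_image, "SizeOfHeaders": size_of_headers,
            "DataDirectory": dirs, "Sections": sections, "Warnings": warnings}


def parse_imports(data, pe):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list and its thunks (slide 5): {dll: [name or #ordinal]}."""
    rva, _size = pe["DataDirectory"][IMAGE_DIRECTORY_ENTRY_IMPORT]
    if not rva:
        return {}
    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe["PE64"] else ("<I", 1 << 31)
    imports, off = {}, rva_to_offset(pe, rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if not (oft or name_rva or ft):         # the all-zero descriptor ends the list
            break
        dll = cstring(data, rva_to_offset(pe, name_rva))
        # Prefer the INT: on disk the IAT holds the same RVAs, but bound or loaded images overwrite it with VAs
        toff, names = rva_to_offset(pe, oft or ft), []
        while True:
            thunk, = struct.unpack_from(thunk_fmt, data, toff)
            if not thunk:
                break
            if thunk & ord_flag:                # import by ordinal: ordinal in the low 16 bits
                names.append("#%d" % (thunk & 0xFFFF))
            else:                               # import by name: IMAGE_IMPORT_BY_NAME = dw Hint, db Name[]
                names.append(cstring(data, rva_to_offset(pe, thunk) + 2))
            toff += struct.calcsize(thunk_fmt)
        imports[dll] = names
        off += 20
    return imports


def build_sample_pe():
    """Constructed PE32 for this example (not a file from the poster): one .text section holding
    an import table for kernel32.dll!ExitProcess and a 'push 0; call [IAT]' stub."""
    base, rva0, off0 = 0x400000, 0x1000, 0x200
    body = (struct.pack("<5I", rva0 + 0x28, 0, 0, rva0 + 0x38, rva0 + 0x30) + bytes(20)  # descriptor, terminator
            + struct.pack("<II", rva0 + 0x46, 0)                                        # INT at +0x28
            + struct.pack("<II", rva0 + 0x46, 0)                                        # IAT at +0x30
            + b"kernel32.dll\0\0"                                                       # Name at +0x38
            + struct.pack("<H", 0) + b"ExitProcess\0"                                   # Hint + Name at +0x46
            + b"\x6a\x00\xff\x15" + struct.pack("<I", base + rva0 + 0x30))              # code at +0x54
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (rva0, 40)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 8, 0, 0, rva0 + 0x54, rva0, rva0, base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = (struct.pack("<2s58xI", b"MZ", 0x40) + b"PE\0\0"                              # e_lfanew = 0x40
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102) + opt
           + struct.pack("<8sIIIIIIHHI", b".text", len(body), rva0, 0x200, off0, 0, 0, 0, 0, 0x60000020))
    return hdr.ljust(off0, b"\0") + body.ljust(0x200, b"\0")
```

To try it on a real file, call parse_pe(open(path, "rb").read()) and then parse_imports(data, pe); on the constructed sample, parse_imports returns {"kernel32.dll": ["ExitProcess"]} and rva_to_offset maps the entry point 0x1054 to file offset 0x254. The parser deliberately reports odd alignments as warnings rather than refusing the file, since hand-made and packed executables break that rule on purpose and an analysis tool still needs to read them.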
6.
Data Directories 2/2: Resources, Relocations, Debug, TLS, Delay imports

Resource directory (entry 2): a tree, ROOT -> TYPE -> NAME -> LANGUAGE -> data. Each level is an
IMAGE_RESOURCE_DIRECTORY immediately followed by its entries, named entries first, then ID entries.

IMAGE_RESOURCE_DIRECTORY
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dw NumberOfNamedEntries
  0e dw NumberOfIdEntries

IMAGE_RESOURCE_DIRECTORY_ENTRY (NumberOfNamedEntries + NumberOfIdEntries of them)
  00 dd Name/ID                 type (RT_*) at the first level, name at the second, language at the third
  04 dd OffsetToData            relative offset from the start of the resource directory; high bit set
                                means another IMAGE_RESOURCE_DIRECTORY, clear means an IMAGE_RESOURCE_DATA_ENTRY

IMAGE_RESOURCE_DATA_ENTRY
  00 dd OffsetToData            RVA
  04 dd Size
  08 dd CodePage
  0c dd Reserved

IMAGE_BASE_RELOCATION (entry 5): relocation blocks, one per page, back to back for DIRECTORY.Size bytes
  00 dd VirtualAddress          RVA of the page (e.g. the one that starts with PUSH EBP)
  04 dd SizeOfBlock             size of the whole block, this 8-byte header included
  08 dw TypeOffset[]            type in the top 4 bits, offset within the page in the low 12 bits,
                                e.g. pointing at the operand of PUSH offset szMyString

IMAGE_DEBUG_DIRECTORY (entry 6)
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dd Type                    1 Coff / 2 CV-PDB / 9 Borland
  10 dd SizeOfData
  14 dd AddressOfRawData        RVA
  18 dd PointerToRawData        offset

IMAGE_TLS_DIRECTORY (entry 9), 32b layout
  00 dd StartAddressOfRawData   VA
  04 dd EndAddressOfRawData     VA
  08 dd AddressOfIndex          VA (LPDWORD)
  0c dd AddressOfCallBacks      VA of dd Callback[], ended by dd 0
  10 dd SizeOfZeroFill
  14 dd Characteristics

IMAGE_DELAY_IMPORT_DESCRIPTOR (entry D)
  00 dd grAttrs
  04 dd szName
  08 dd phmod
  0c dd pIAT
  10 dd pINT
  14 dd pBoundIAT
  18 dd pUnloadIAT
  1c dd dwTimeStamp

Ange Albertini 2010-2011, Creative Commons Attribution (cc by), http://corkami.blogspot.com