The Portable Executable File Format

Posted by Technic (Super Moderator, joined Aug 2019)



- Portable Executables were introduced by Microsoft, and the format encompasses both executables and dynamic-link libraries (DLLs).

- It is the most common type of executable.

- They matter for static analysis because the static information in the file tells you about the executable.

- One of the Windows libraries that works with PE files is the `WINNT.h` header.

- The contents of a Portable Executable are organized as a linear stream of data that follows a certain format, as shown in the table below.





Code:
```
+----------------+
| MS-DOS Header  |
|  (MZ Header)   |
+----------------+
|MS-DOS Real-Mode|
|  Stub Program  |
+----------------+
|    PE File     |
|   Signature    |
+----------------+
| PE File Header |
+----------------+                       |Export Table
|File's Optional | <--------------------+|Import Table
|     Header     |                       |Resource Table
+----------------+                       |Exception handling table
| .text Section  |                       |Other...
|     Header     |
+----------------+
| .bss Section   |
|     Header     |
+----------------+
|       +        | <----- Section Table
|       +        |
|       +        |
+----------------+
| .debug Section |
|     Header     |
+----------------+
| .text Section  |
+----------------+
| .bss Section   |
+----------------+
|       +        | <----- Other sections
|       +        |
|       +        |
+----------------+
| .debug Section |
+----------------+
```

[THIS IS AN OVERSIMPLIFIED EXAMPLE; THE REAL TABLE HAS MANY MORE ADDRESSES AND COLUMNS]





MS-DOS Header

+ This is used to declare our file as an executable binary.

+ It is always the first 64 bits of the executable.

e_magic

- This is the so-called magic number: if our file is MS-DOS compatible it will always equal 0x54AD.

e_lfanew

- This is what lets the PE be loaded as an executable at runtime.

- It is a relative offset to the NT header, so the header's location can be calculated from it.







DOS STUB

+ Exists in the majority of PE files for compatibility reasons. It is where you can see the string "This program cannot be run in DOS mode", which is printed if the file is run in DOS mode.



Import Table

+ Shows the imports of the executable (which DLLs it is importing).

+ An executable cannot know what it should import at runtime unless it has an import table.



PE File Header

+ Contains images, data, imports and code: it says what the executable requires to run.

+ The e_lfanew field is located here, and we can use it to get the offset of our PE signature, because it acts as a pointer to the PE signature.



File's Optional Header

+ Contains most of the meaningful information about our program, for example:

+ The program's initial stack size

+ The program's entry point



The Section Table

+ You can find the section table by locating the first byte after the header.

+ The Section Table acts as an array of directories (you can have a total of 16 entries).
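As an added example that is not part of the original post, the following C code follows the chain described above (e_magic, e_lfanew, PE signature, file header, section table) over a constructed minimal PE32 image built in memory. The function names pe_list_sections, build_sample_pe, sample_parse and g_names are my own; the offsets and constants are the ones defined in WINNT.h (the MZ check compares against IMAGE_DOS_SIGNATURE, 0x5A4D, which is the bytes 'M','Z' read as a little-endian word).

```c
/* Added example, not from the original post: MZ header -> e_lfanew -> "PE\0\0" ->
 * IMAGE_FILE_HEADER -> section table, over a constructed PE32 image (WINNT.h offsets). */
#include <stdint.h>
#include <string.h>
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Copies up to max section names out of img; returns the count or a negative code.
 * Every offset is bounds-checked so a bogus e_lfanew or NumberOfSections cannot
 * push reads past the end of the buffer. */
int pe_list_sections(const uint8_t *img, size_t len, char names[][9], int max)
{
    if (len < 64 || rd16(img) != 0x5A4D) return -1;      /* e_magic != "MZ" (IMAGE_DOS_SIGNATURE) */
    uint32_t e_lfanew = rd32(img + 0x3C);                /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len - 24 || rd32(img + e_lfanew) != 0x4550) return -2; /* no "PE\0\0" */
    const uint8_t *fh = img + e_lfanew + 4;              /* IMAGE_FILE_HEADER, 20 bytes */
    int nsec = rd16(fh + 2);                             /* NumberOfSections */
    size_t sect = e_lfanew + 24 + rd16(fh + 16);         /* skip SizeOfOptionalHeader */
    if (nsec > max || sect + (size_t)nsec * 40 > len) return -3; /* 40-byte section headers */
    for (int i = 0; i < nsec; i++) {                     /* Name = first 8 bytes of each header */
        memcpy(names[i], img + sect + i * 40, 8); names[i][8] = '\0';
    }
    return nsec;
}

/* Constructed sample: DOS header, no stub, PE32 optional header (224 bytes), two sections. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    size_t need = 64 + 4 + 20 + 224 + 2 * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;   /* e_magic; e_lfanew -> NT headers at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);                /* PE signature */
    buf[0x44] = 0x4C; buf[0x45] = 0x01;             /* Machine = IMAGE_FILE_MACHINE_I386 */
    buf[0x46] = 2;                                  /* NumberOfSections */
    buf[0x54] = 0xE0;                               /* SizeOfOptionalHeader = 224 */
    buf[0x58] = 0x0B; buf[0x59] = 0x01;             /* optional header Magic = 0x10B (PE32) */
    memcpy(buf + 0x138, ".text", 5);                /* section table starts at 0x58 + 0xE0 */
    memcpy(buf + 0x160, ".data", 5);
    return need;
}

char g_names[4][9];                                 /* filled by sample_parse */
int sample_parse(int corrupt)                       /* parses the constructed sample */
{
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img);
    if (corrupt) img[0x3D] = 0x10;                  /* e_lfanew becomes 0x1040, past the 392-byte image */
    return pe_list_sections(img, n, g_names, 4);
}
```

Forcing e_lfanew out of range (sample_parse(1)) exercises the bounds check, which is the part a parser of untrusted files must not skip.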



Section Headers

- Contains all the headers for the sections.

- .idata

- .data

- .rsc

- .text

- .src



IN ALL PE FILES



.idata Section

- Contains information about our imported functions, including the import directory and the import address table.



.data Section

- Section where you have all your runtime data.



.text Section

- Where general purpose code is stored to be used.



.rdata Section

- rdata is short for read-only data, so this section is for reading only.



.src Section

- Where all your raw assembly is stored.



.rsc Section

- This is the resource section of our portable executable; it contains things like images, strings, and constants.



SOMETIMES IN PE FILES



.bss Section

- Unused information by the PE.



.edata Section (only for DLLs)

- Contains information for the export directory of our DLL.



Conclusion

- An executable is incredibly complex; it's not as straightforward as one might think, and the overview I gave is an incredibly simplified version. When trying to create something like a crypter, your goal is to change its signature, which can be done in a variety of ways, such as a self-unpacking executable which loads its decryption code into the PE File header.





Sources

- [800px-Portable_Executable_32_bit_Structure_in_SVG_fixed.svg.png](https://upload.wikimedia.org/wikipedia/c...ed.svg.png)

- [Malware Researcher’s Handbook (Demystifying PE File)](https://resources.infosecinstitute.com/2...g-pe-file/)

- [JagSkap: Portable Executable File](https://jagskap.blogspot.com/2019/09/por...-file.html)

Look forward to part 2, when I discuss packers, crypters, and stubs.