PE File Format
!!WORK IN PROGRESS!!
Hey people, we are going to take a look at the PE file. You might have downloaded a file off the internet that ends in .exe.
This file contains instructions that Windows reads to run the code that the creator of the software wrote.
DOS_Header:
This header can be skipped entirely by reading just e_lfanew from position 60 (0x3C).
Code:
signature (short/int16) (MZ)  
lastsize (short/int16)
nblocks (short/int16)
nreloc (short/int16)
hdrsize (short/int16)
minalloc (short/int16)
maxalloc (short/int16)
ss (short/int16)
sp (short/int16)
checksum (short/int16)
ip (short/int16)
cs (short/int16)
relocpos (short/int16)
noverlay (short/int16)
reserved1_1 (short/int16)
reserved1_2 (short/int16)
reserved1_3 (short/int16)
reserved1_4 (short/int16)
oem_id (short/int16)
oem_info (short/int16)
reserved2_1 (short/int16)
reserved2_2 (short/int16)
reserved2_3 (short/int16)
reserved2_4 (short/int16)
reserved2_5 (short/int16)
reserved2_6 (short/int16)
reserved2_7 (short/int16)
reserved2_8 (short/int16)
reserved2_9 (short/int16)
reserved2_10 (short/int16)
e_lfanew (long/int32) (Offset to 'PE\0\0' signature)
After the DOS header comes the DOS stub program. We don't need to know anything about it since it is kept for compatibility reasons;
we only need e_lfanew, as it tells us the position of the PE header.
PE_Header

Code:
signature (long/int32) (PE\0\0)
COFF_Header:

Code:
Machine (short/int16)
NumberOfSections (short/int16)
TimeDateStamp (long/int32)
PointerToSymbolTable (long/int32)
NumberOfSymbols (long/int32)
SizeOfOptionalHeader (short/int16)
Characteristics (short/int16)
PE Optional Header:
Immediately after the COFF header we find the PE Optional Header.
This header isn't optional like its name suggests. There are two different versions depending on the signature (Magic) value: 267 (0x10B) for 32-bit, 523 (0x20B) for 64-bit.

IMAGE_OPTIONAL_HEADER32

Code:
signature (short/int16)
MajorLinkerVersion (char/byte)
MinorLinkerVersion (char/byte)
SizeOfCode (long/int32)  
SizeOfInitializedData (long/int32)
SizeOfUninitializedData (long/int32)
AddressOfEntryPoint (long/int32)
BaseOfCode (long/int32)
BaseOfData (long/int32) 
ImageBase (long/int32)
SectionAlignment (long/int32)
FileAlignment (long/int32)
MajorOSVersion (short/int16)
MinorOSVersion (short/int16)
MajorImageVersion (short/int16)
MinorImageVersion (short/int16)
MajorSubsystemVersion (short/int16)
MinorSubsystemVersion (short/int16)
Win32VersionValue (long/int32)
SizeOfImage (long/int32)
SizeOfHeaders (long/int32)
Checksum (long/int32)
Subsystem (short/int16)
DLLCharacteristics (short/int16)
SizeOfStackReserve (long/int32)
SizeOfStackCommit (long/int32)
SizeOfHeapReserve (long/int32)
SizeOfHeapCommit (long/int32)
LoaderFlags (long/int32)
NumberOfRvaAndSizes (long/int32) (always 16 in PE files)

IMAGE_OPTIONAL_HEADER64

Code:
signature (short/int16)
MajorLinkerVersion (char/byte)
MinorLinkerVersion (char/byte)
SizeOfCode (long/int32) 
SizeOfInitializedData (long/int32) 
SizeOfUninitializedData (long/int32) 
AddressOfEntryPoint (long/int32) 
BaseOfCode (long/int32) 
ImageBase (longlong/int64) 
SectionAlignment (long/int32) 
FileAlignment (long/int32) 
MajorOSVersion (short/int16)
MinorOSVersion (short/int16)
MajorImageVersion (short/int16)
MinorImageVersion (short/int16)
MajorSubsystemVersion (short/int16)
MinorSubsystemVersion (short/int16)
Win32VersionValue (long/int32) 
SizeOfImage (long/int32) 
SizeOfHeaders (long/int32) 
Checksum (long/int32) 
Subsystem (short/int16)
DLLCharacteristics (short/int16)
SizeOfStackReserve (longlong/int64)
SizeOfStackCommit (longlong/int64)
SizeOfHeapReserve (longlong/int64)
SizeOfHeapCommit (longlong/int64)
LoaderFlags (long/int32) 
NumberOfRvaAndSizes (long/int32) (always 16 in PE files)

SECTION TABLE:
Immediately after the PE Optional Header we find the section table (16 entries).
The commonly named sections are:
  • .text/.code/CODE/TEXT - Contains executable code (machine instructions)
  • .textbss/TEXTBSS - Present if Incremental Linking is enabled
  • .data/.idata/DATA/IDATA - Contains initialised data
  • .bss/BSS - Contains uninitialised data
  • .rsrc - Contains resource data
need to check this

Code:
Name (8 bytes)
Misc (long/int32) (VirtualSize / PhysicalAddress union)
VirtualAddress (long/int32)
SizeOfRawData (long/int32)
PointerToRawData (long/int32)
PointerToRelocations (long/int32)
PointerToLinenumbers (long/int32)
NumberOfRelocations (short/int16)
NumberOfLinenumbers (short/int16)
Characteristics (long/int32)
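As an added example (not code from this post), here is the walk through the headers described above, written in Python with the struct module against a constructed image: it reads e_lfanew at 0x3C, verifies the MZ and PE\0\0 signatures, selects the 32- or 64-bit optional header by its Magic value, takes the data-directory count from NumberOfRvaAndSizes (capped at the 16 slots the loader knows) and the number of section headers from NumberOfSections in the COFF header, and bounds-checks every offset before using it, because e_lfanew, SizeOfOptionalHeader and NumberOfSections are all attacker-controlled input to any parser. The sample images built by build_sample_pe() and the hostile BAD_LFANEW bytes are constructed here and are not real binaries.

```python
import struct

# Signatures and magic values from the PE specification.
IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC = 0x10B                # 267: IMAGE_OPTIONAL_HEADER32
PE32PLUS_MAGIC = 0x20B            # 523: IMAGE_OPTIONAL_HEADER64

COFF_FMT = "<HHIIIHH"
COFF_FIELDS = ["Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics"]
OPT_COMMON = ["Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode"]
OPT_TAIL = ["ImageBase", "SectionAlignment", "FileAlignment", "MajorOSVersion",
            "MinorOSVersion", "MajorImageVersion", "MinorImageVersion",
            "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue",
            "SizeOfImage", "SizeOfHeaders", "Checksum", "Subsystem", "DLLCharacteristics",
            "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve",
            "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes"]
# PE32 has BaseOfData and 32-bit ImageBase/stack/heap fields; PE32+ drops BaseOfData
# and widens those fields to 64 bits.
OPT32_FMT, OPT32_FIELDS = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", OPT_COMMON + ["BaseOfData"] + OPT_TAIL
OPT64_FMT, OPT64_FIELDS = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", OPT_COMMON + OPT_TAIL
OPT32_SIZE, OPT64_SIZE = struct.calcsize(OPT32_FMT), struct.calcsize(OPT64_FMT)  # 96, 112
SECTION_FMT = "<8sIIIIIIHHI"   # 40 bytes per IMAGE_SECTION_HEADER
SECTION_FIELDS = ["Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
                  "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations",
                  "NumberOfLinenumbers", "Characteristics"]

def _unpack(fmt, fields, data, off):
    """Unpack a fixed-size header at off into a dict, refusing to read past end of file."""
    if off + struct.calcsize(fmt) > len(data):
        raise ValueError("header at 0x%X runs past end of file" % off)
    return dict(zip(fields, struct.unpack_from(fmt, data, off)))

def parse_pe(data):
    """DOS header -> e_lfanew -> PE signature -> COFF -> optional header -> sections."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # The DOS header and stub are skipped entirely: only e_lfanew at 0x3C matters.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE\\0\\0 signature")
    coff = _unpack(COFF_FMT, COFF_FIELDS, data, e_lfanew + 4)
    opt_off = e_lfanew + 24                       # 4-byte signature + 20-byte COFF header
    magic = _unpack("<H", ["Magic"], data, opt_off)["Magic"]
    if magic == PE32_MAGIC:
        fmt, fields = OPT32_FMT, OPT32_FIELDS
    elif magic == PE32PLUS_MAGIC:
        fmt, fields = OPT64_FMT, OPT64_FIELDS
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    opt = _unpack(fmt, fields, data, opt_off)
    # Data directories follow the fixed fields; take the count from the header,
    # capped at the 16 slots the loader understands, instead of assuming 16.
    ndirs = min(opt["NumberOfRvaAndSizes"], 16)
    dir_off = opt_off + struct.calcsize(fmt)
    dirs = [_unpack("<II", ["VirtualAddress", "Size"], data, dir_off + 8 * i) for i in range(ndirs)]
    # The section table starts SizeOfOptionalHeader bytes after the optional header
    # and has NumberOfSections entries; both counts come from the file, so check bounds.
    sec_off = opt_off + coff["SizeOfOptionalHeader"]
    sections = []
    for i in range(coff["NumberOfSections"]):
        s = _unpack(SECTION_FMT, SECTION_FIELDS, data, sec_off + 40 * i)
        s["Name"] = s["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(s)
    return {"e_lfanew": e_lfanew, "coff": coff, "optional": opt,
            "directories": dirs, "sections": sections}

def is_well_formed(data):
    """True when the headers parse without any out-of-bounds or bad-signature error."""
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False

def build_sample_pe(pe32plus=False):
    """Constructed image with two sections: enough headers to parse, not a real binary."""
    e_lfanew = 0x80
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    common = [14, 0, 0x200, 0x200, 0, 0x1000, 0x1000]          # linker version .. BaseOfCode
    tail = [0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 3, 0x8140,
            0x100000, 0x1000, 0x100000, 0x1000, 0, 16]            # ImageBase .. NumberOfRvaAndSizes
    if pe32plus:
        opt = struct.pack(OPT64_FMT, PE32PLUS_MAGIC, *common, *tail)
    else:
        opt = struct.pack(OPT32_FMT, PE32_MAGIC, *common, 0x2000, *tail)  # 0x2000 = BaseOfData
    dirs = bytes(16 * 8)                                          # 16 empty data directories
    coff = struct.pack(COFF_FMT, 0x8664 if pe32plus else 0x14C, 2, 0x5C000000, 0, 0,
                       len(opt) + len(dirs), 0x0102)
    text = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack(SECTION_FMT, b".data", 0x40, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image = (dos.ljust(e_lfanew, b"\0") + struct.pack("<I", IMAGE_NT_SIGNATURE)
             + coff + opt + dirs + text + rdata)
    return image.ljust(0x800, b"\0")

# Constructed hostile input: a valid MZ header whose e_lfanew points far outside the file.
BAD_LFANEW = b"MZ" + bytes(58) + b"\xff\xff\xff\x00"

if __name__ == "__main__":
    for name, s in [(sec["Name"], sec) for sec in parse_pe(build_sample_pe())["sections"]]:
        print("%-8s RVA=0x%X raw@0x%X" % (name, s["VirtualAddress"], s["PointerToRawData"]))
    print("hostile sample accepted:", is_well_formed(BAD_LFANEW))
```

The same parse_pe() serves both flavours because the only decision point is the Magic value; everything after it (data directories, section table) is located from SizeOfOptionalHeader and NumberOfSections rather than from fixed offsets.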

IMAGE_EXPORT_DIRECTORY:

Code:
Characteristics  (long/int32)
TimeDateStamp  (long/int32)
MajorVersion  (short/int16)
MinorVersion  (short/int16)
Name  (long/int32)
Base  (long/int32)
NumberOfFunctions  (long/int32)
NumberOfNames  (long/int32)
AddressOfFunctions  (long/int32)  (pointer)
AddressOfNames  (long/int32)  (pointer)
AddressOfNameOrdinals  (long/int32) (pointer)
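An added example (not the post's code) that resolves the export directory listed above on a constructed file fragment. It assumes the section table has already been parsed into dicts carrying VirtualAddress, VirtualSize, PointerToRawData and SizeOfRawData (the constructed SECTIONS list here) and that the export directory's RVA and size came from the first data directory entry. Every pointer field in IMAGE_EXPORT_DIRECTORY is an RVA, so each one is translated to a file offset through the section table before it is read; the ordinal table gives, for each name, an index into the function table (the exported ordinal is Base plus that index); and a function RVA that falls inside the export directory range is an ASCII forwarder string rather than code. The section layout, sample strings and RVAs are all constructed for this example.

```python
import struct

# Constructed sample layout (not from the page): one section '.edata' at RVA 0x3000,
# backed by 0x200 bytes at file offset 0x600; the export data directory entry says
# RVA 0x3000, size 0x100.
SECTIONS = [{"Name": ".edata", "VirtualAddress": 0x3000, "VirtualSize": 0x200,
             "PointerToRawData": 0x600, "SizeOfRawData": 0x200}]
EXPORT_DIR_RVA, EXPORT_DIR_SIZE = 0x3000, 0x100
EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; None if no section backs it."""
    for s in sections:
        start = s["VirtualAddress"]
        if start <= rva < start + max(s["VirtualSize"], s["SizeOfRawData"]):
            delta = rva - start
            # bytes beyond SizeOfRawData are zero-filled by the loader, not stored in the file
            return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None
    return None

def read_at(data, rva, sections, size):
    """Return size bytes at rva, refusing unmapped or truncated reads."""
    off = rva_to_offset(rva, sections)
    if off is None or off + size > len(data):
        raise ValueError("RVA 0x%X is not backed by file data" % rva)
    return data[off:off + size]

def read_cstring(data, rva, sections, limit=256):
    """Read a NUL-terminated ASCII string at rva, bounded so a missing NUL cannot run away."""
    off = rva_to_offset(rva, sections)
    if off is None:
        raise ValueError("string RVA 0x%X unmapped" % rva)
    end = data.find(b"\0", off, off + limit)
    if end < 0:
        raise ValueError("unterminated string at RVA 0x%X" % rva)
    return data[off:end].decode("ascii", "replace")

def parse_exports(data, sections, dir_rva, dir_size):
    (_chars, _stamp, _major, _minor, name_rva, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack(EXPORT_DIR_FMT, read_at(data, dir_rva, sections, 40))
    # hostile files set absurd counts to push parsers out of bounds; cap them first
    if nfuncs > 0x10000 or nnames > 0x10000:
        raise ValueError("implausible export counts")
    funcs = struct.unpack("<%dI" % nfuncs, read_at(data, funcs_rva, sections, 4 * nfuncs))
    name_rvas = struct.unpack("<%dI" % nnames, read_at(data, names_rva, sections, 4 * nnames))
    ords = struct.unpack("<%dH" % nnames, read_at(data, ords_rva, sections, 2 * nnames))
    # AddressOfNameOrdinals holds, per name, an index into AddressOfFunctions
    names_by_index = {}
    for n_rva, idx in zip(name_rvas, ords):
        if idx >= nfuncs:
            raise ValueError("name ordinal %d out of range" % idx)
        names_by_index[idx] = read_cstring(data, n_rva, sections)
    exports = []
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue   # unused slot
        entry = {"ordinal": base + idx, "name": names_by_index.get(idx), "rva": rva, "forwarder": None}
        # an RVA inside the export directory itself is a forwarder string ("DLL.func"), not code
        if dir_rva <= rva < dir_rva + dir_size:
            entry["forwarder"] = read_cstring(data, rva, sections)
        exports.append(entry)
    return {"dll_name": read_cstring(data, name_rva, sections), "exports": exports}

def build_sample_file():
    """Constructed 0x800-byte file: empty headers, then the .edata section at 0x600."""
    base = EXPORT_DIR_RVA
    sec = bytearray(0x200)
    struct.pack_into(EXPORT_DIR_FMT, sec, 0, 0, 0, 0, 0, base + 0x60, 1, 3, 2,
                     base + 0x28, base + 0x34, base + 0x3C)
    struct.pack_into("<III", sec, 0x28, 0x1010, base + 0x80, 0x1030)   # function RVAs
    struct.pack_into("<II", sec, 0x34, base + 0x70, base + 0x76)       # name RVAs (sorted)
    struct.pack_into("<HH", sec, 0x3C, 0, 2)                           # name -> function index
    sec[0x60:0x6B] = b"sample.dll\0"
    sec[0x70:0x76] = b"Alpha\0"
    sec[0x76:0x7B] = b"Beta\0"
    sec[0x80:0x8B] = b"OTHER.func\0"                                   # forwarder target
    return bytes(0x600) + bytes(sec)

def sample_exports():
    return parse_exports(build_sample_file(), SECTIONS, EXPORT_DIR_RVA, EXPORT_DIR_SIZE)

if __name__ == "__main__":
    result = sample_exports()
    print(result["dll_name"])
    for e in result["exports"]:
        print("#%d %-6s rva=0x%X forwarder=%s" % (e["ordinal"], e["name"], e["rva"], e["forwarder"]))
```

In the sample, ordinal 2 has no entry in the name tables and so is exported by ordinal only, and its RVA lands inside the export directory, which marks it as a forwarder to OTHER.func; a tool that followed that RVA as code would disassemble a string.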



IMAGE_IMPORT_DIRECTORY:

IMAGE_RESOURCE_DIRECTORY:
Messages In This Thread
PE File Format - by jamie - 12/07/2018, 12:12 AM
