The PE - Header


8/6/2019 The PE - Header

The PE - Header
^^^^^^^^^^^^^^^

by Renegade

    The portable executable file format begins with the DOS header:

 ------------
| DOS Header |
 ------------
|dw e_magic:    the magic number; 0x05A4 = MZ        |
|----------------------------------------------------|
|dw e_cblp:     bytes of last page                   |
|----------------------------------------------------|
|dw e_cp:       number of pages                      |
|----------------------------------------------------|
|dw e_crlc:     reloc.                               |
|----------------------------------------------------|
|dw e_cparhdr:  header-size                          |
|----------------------------------------------------|
|dw e_minalloc: min. of alloc. paragraphs            |
|----------------------------------------------------|
|dw e_maxalloc: max. of alloc. paragraphs            |
|----------------------------------------------------|
|dw e_ss:       SS value                             |
|----------------------------------------------------|
|dw e_sp:       SP value                             |
|----------------------------------------------------|
|dw e_csum:     checksum                             |
|----------------------------------------------------|
|dw e_ip:       IP value                             |
|----------------------------------------------------|
|dw e_cs:       CS value                             |
|----------------------------------------------------|
|dw e_lfarlc:   address of reloc. table              |
|----------------------------------------------------|
|dw e_ovno:     overlays                             |
|----------------------------------------------------|
|dw e_oemid:    OEM - Identifier                     |
|----------------------------------------------------|
|dw e_oeminfo:  OEM Info                             |
|----------------------------------------------------|
|dd e_lfanew:   address of NE                        |
|----------------------------------------------------|

dd e_lfanew: this RVA also points to the PE header.

 ----------
| DOS Stub |
 ----------

The stub contains information about the OS on which the program must be run, e.g. "This program must be run under Microsoft Windows" or something like that.

The actual PE-Header
^^^^^^^^^^^^^^^^^^^^

|--------------------------|-----------------------|--------------------|
| Signature                | CPU                   | Sections           |
|--------------------------|-----------------------|--------------------|
| Time / Date Stamp        | Pointer to symbol table                    |
|--------------------------|-----------------------|--------------------|
| Symbols                  | NT Header size        | Flags              |
|---------|----------------|-----------------------|--------------------|
| LMAJOR  | LMINOR         | Size of code                               |
|---------|----------------|--------------------------------------------|
| Initialized data         | Uninitialized data                         |
|--------------------------|--------------------------------------------|
| Entrypoint RVA           | Base of code                               |
|--------------------------|--------------------------------------------|
| Base of data             | Image base                                 |
|--------------------------|--------------------------------------------|
| Section alignment        | File alignment                             |
|-----------|--------------|-----------------------|--------------------|
| OS MAJOR  | OS MINOR     | User MAJOR            | User MINOR         |
|-----------|--------------|-----------------------|--------------------|
| Subsys MAJ. | Subsys MIN.| Version                                    |
|-------------|------------|--------------------------------------------|
| Image size               | Header size                                |
|--------------------------|---------------------|----------------------|
| Checksum                 | Subsystem           | DLL Flags            |
|--------------------------|---------------------|----------------------|
| Stack reserve size       | Stack commit size                          |
|--------------------------|--------------------------------------------|
| Heap reserve size        | Heap commit size                           |
|--------------------------|--------------------------------------------|
| Loader Flags             | # interesting RVA / Sizes                  |
|--------------------------|--------------------------------------------|
| Export table RVA         | Total export data size                     |
|--------------------------|--------------------------------------------|
| Import table RVA         | Total import data size                     |
|--------------------------|--------------------------------------------|
| Resource table RVA       | Total resource data size                   |
|--------------------------|--------------------------------------------|
| Exception table RVA      | Total exception data size                  |
|--------------------------|--------------------------------------------|
| Security table RVA       | Total security data size                   |
|--------------------------|--------------------------------------------|
| Fixup table RVA          | Total fixup data size                      |
|--------------------------|--------------------------------------------|
| Debug table RVA          | Total debug directories                    |
|--------------------------|--------------------------------------------|
| Image description RVA    | Total description size                     |
|--------------------------|--------------------------------------------|
| Machine specific RVA     | Machine specific size                      |
|--------------------------|--------------------------------------------|
| Thread local storage RVA | Total TLS size                             |
|--------------------------|--------------------------------------------|
| Loader configuration RVA | Loader data size                           |
|--------------------------|--------------------------------------------|
| Bounded imports table    | Bounded imports data size                  |
|--------------------------|--------------------------------------------|
| Import addresses table   | Total IAT size                             |
|-----------------------------------------------------------------------|

Signature:            0454E = NE
                      04550 = PE

CPU:                  0000 = unknown
                      014c = 386
                      014d = 486
                      014e = 586

Sections:             number of sections in the section table

Time / Date stamp:    all info about creation/modification of the file

NT Header size:       bytes remaining in the NT header

Flags:                0000 = image of program
                      0002 = image is executable
                      0200 = fixed image
                      2000 = lib. image

LMAJOR/LMINOR:        LinkerMajor/LinkerMinor version

Entrypoint RVA:       starting address for program images

Image base:           virtual address of the first byte of a file

Section alignment:    default is 64K

File alignment:       value between 515 and 64K

OS MAJOR/OS MINOR:    required version of the OS to run the program

User MAJOR/User MINOR: values for images / DLLs set by the user

Image size:           virtual size of the image

Header size:          total header size

Checksum:             complete file checksum

Subsystem:            required NT subsystem to run the program
                      0000 = unknown
                      0001 = native
                      0002 = Win GUI
                      0003 = Win Char.
                      0005 = OS/2
                      0007 = Posix

DLL Flags:            loader requirements
                      0001 = process lib. init.
                      0002 = process lib. term.
                      0004 = thread lib. init.
                      0008 = thread lib. term.

Stack reserve size:   stack needed for the program

Stack commit size:    committed size of the stack

Heap reserve size:    size of heap to reserve

Heap commit size:     size to commit in the heap

Interesting RVA/Size: size of the RVA array

Export table RVA:     RVA of the export table

Import table RVA:     RVA of the import table

 ---------
| etc...  |
 ---------

After that we have the section header with all the sections like .text, .data and so on.

short summary:

 -----------------
| PhysicalAddress |
| VirtualSize     |
| SizeofRawData   |
| PointertoR.Data |
| Pointertoreloc. |
| Pointertolinenum|
| Numberofrelocs  |
| Numberoflinenum |
| Characteristics |
 -----------------

 -------------------------------------------------------------------------
| NB: Between the last section header, the sections themselves and the    |
| beginning of data there is some unused space because of the alignment.  |
| This space can be used for saving code and data, things we use for our  |
| virii.                                                                  |
 -------------------------------------------------------------------------

Image base and RVA
^^^^^^^^^^^^^^^^^^

The image base is the linear address at which the loader will map the exe image or load a DLL, and it changes from exe to exe. Nevertheless the absolute address of the image base of an exe is 0x400000, because the loader is not always able to load the image at the preferred image base. That's why relative virtual addresses (addresses relative to the image base) were introduced. So if you want to get a dword at an RVA, let's say 4444, you have to add the image base and you'll get the virtual address:

    VA = RVA + IB
    0x404444 = 4444 + 400000

    RAW OFS = (VA - Image base - Section VirtualAddress) + PointerToRawData
    0834 = 404444 - 400000 - 01000 + 0600
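Added here as an example, not part of Renegade's article: a Python walker that follows the headers in the order the article describes (DOS header, e_lfanew, signature, COFF and optional header, section table), applies the RAW OFS formula above, reports which section holds the entrypoint, and measures the alignment gap described in the NB box. The sample image it parses is constructed inline, not a real binary; on the inputs used above (RVA 0x4444, section VirtualAddress 0x1000, PointerToRawData 0x600) the formula gives 0x3A44.

```python
import struct
def parse_pe(data):
    # DOS header: e_magic at offset 0 ('MZ' read as a little-endian word is 0x5A4D), e_lfanew at 0x3C
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: CPU, sections, time/date stamp, symbol table ptr, symbols, optional header size, flags
    machine, nsec, _, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B: raise ValueError("only PE32 handled here")
    # Entrypoint RVA, base of code, base of data, image base, section alignment, file alignment
    entry, _, _, image_base, sec_align, file_align = struct.unpack_from("<6I", data, opt + 16)
    sections = []
    for i in range(nsec):  # 40-byte section headers follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": chars})
    return {"machine": machine, "flags": flags, "entry": entry, "image_base": image_base,
            "sec_align": sec_align, "file_align": file_align, "sections": sections,
            "table_end": opt + opt_size + 40 * nsec}

def rva_to_raw(hdr, rva):
    """RAW OFS = (VA - ImageBase - VirtualAddress) + PointerToRawData; None if no raw bytes back the RVA."""
    for s in hdr["sections"]:
        off = rva - s["va"]
        if 0 <= off < s["vsize"]:
            return s["raw"] + off if off < s["rawsize"] else None
    return None  # RVA lies in the headers or in a gap between sections

def entry_section(hdr):
    """Section containing the entrypoint, or None: an entrypoint outside every section is a red flag."""
    return next((s["name"] for s in hdr["sections"] if 0 <= hdr["entry"] - s["va"] < s["vsize"]), None)

def header_slack(hdr):
    """Alignment gap between the end of the section table and the first section's raw data (the NB box)."""
    return min(s["raw"] for s in hdr["sections"]) - hdr["table_end"]

def build_sample():
    # Constructed test image, not a real binary: one .text section at RVA 0x1000, raw offset 0x600
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # 386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<6I", opt, 16, 0x1100, 0x1000, 0x6000, 0x400000, 0x1000, 0x200)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x5000, 0x1000, 0x5000, 0x600, 0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + sec
```

A non-zero slack region that is not all zero bytes, or an entrypoint that resolves to no section, is exactly what a triage tool should flag on a real file.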
