PE Structure

CodeEngn Co-Administrator and Team Sur3x5F Member
Nick : Deok9
E-mail : DDeok9@gmail.com
HomePage : http://deok9.sur3x5f.org
Twitter : @DDeok9

<< Contents >>
1. PE
  1) PE?
  2) PE
  3) PE Utility
2. PE Header
  1) IMAGE_DOS_HEADER DOS Stub
  2) IMAGE_NT_HEADERS
  3) IMAGE_SECTION_HEADER
3. Code & Data Section
  1) Basic
  2) Code Section
  3) Data Section

Copyright 2011 Deok9 All rights Reserved
1. PE

1) PE?
Portable Executable: the executable file format of the Win32 platform / OS. When a PE File is loaded, the VMM ( Virtual Memory Manager ) maps the PE File into memory the way it maps a Page File, rather than copying it. The PE Image structures are defined in the WinNT.H Header File.
[ 1-1 - 1 ] PE File Format
2) PE
(i) RVA ( Relative Virtual Address )
An Offset relative to the address at which the PE Image is loaded in Memory:
  ( virtual address ) = Image Load address + Offset
The preferred Image Load address is the ImageBase Field of IMAGE_OPTIONAL_HEADER.

(ii) Section
  Code        .text      Program Code Section
  Data        .data      Data Section
              .rdata     Read-only Data Section ( C++ )
  Import API  .idata     Import DLL API, IAT Section
              .didat     Delay-Loading Import Data Section
  Export API  .edata     Export API Section ( DLL )
  Resource    .rsrc      Window APP Resource Data Section
  Relocation  .reloc     Base Relocation Section ( DLL )
  TLS         .tls       Thread Local Storage Section
  Debugging   .debug$P   Compile Header OBJ Section

(iii) VAS ( Virtual Address Space )
Each Process has its own VAS, managed by the VMM ( Virtual Memory Manager ). Physical RAM is backed by a Paging File on Disk; by Default this is the Hard-disk File PageFile.sys in the Root of the Windows System drive. Memory is handled in Pages: a Page mapped from the Paging File is a COMMIT Page, and a File used in place of the Paging File as the backing store is a memory-mapped file ( MMF ).
3) PE Utility
(i) DumpBin.exe
[ 1-3 - 1 ] DumpBin.exe
Command-line tool that dumps COFF / PE Format files and shows the PE Format structures.
(ii) PEBrowse Professional Interactive
[ 1-3 - 2 ] PEBrowse Professional Interactive
GUI Debugging Tool.
2. PE Header

1) IMAGE_DOS_HEADER DOS Stub
The DOS Stub is the Program Code that follows the 40 Byte IMAGE_DOS_HEADER; it is a 16 bit DOS Program that prints "This program cannot be run in DOS mode."
[ 2-1 - 1 ] IMAGE_DOS_HEADER DOS Stub
[ 2-1 - 2 ] IMAGE_DOS_HEADER
  e_magic : ASCII "MZ" ( the initials of DOS developer Mark Zbikowski )
  e_lfanew : Offset of IMAGE_NT_HEADERS within the PE File
To locate the PE header in a PE File: check that IMAGE_DOS_HEADER e_magic is "MZ", then move the File Pointer to e_lfanew, where the PE signature begins.
2) IMAGE_NT_HEADERS
(i) DWORD Signature
[ 2-2 - 1 ] IMAGE_NT_HEADERS
[ 2-2 - 2 ] DWORD Signature
The PE File magic number: the 4 Byte "PE\x00\x00", located at the Offset given by the IMAGE_DOS_HEADER e_lfanew field.

(ii) IMAGE_FILE_HEADER
[ 2-2 - 3 ] IMAGE_FILE_HEADER
[ 2-2 - 4 ] IMAGE_FILE_HEADER
  WORD Machine : CPU ID of the File ( Intel 386 = 0x014c, Intel 64 = 0x0200 )
  WORD NumberOfSections : number of Sections in the File
  DWORD TimeDateStamp : time the File was created, counted from 1970 1 1
  DWORD PointerToSymbolTable, NumberOfSymbols : File Offset of the COFF Symbol Table and the number of Symbols
  WORD SizeOfOptionalHeader : size of IMAGE_OPTIONAL_HEADER in Byte; 32 bit 0xE0 ( 224 Byte ), 64 bit 0xF0 ( 240 Byte )
  WORD Characteristics : PE File Flag, MACRO ( IMAGE_FILE ~ )
    _RELOCS_STRIPPED          0x0001  relocation information stripped
    _EXECUTABLE_IMAGE         0x0002  File is an executable Image
    _LINE_NUMS_STRIPPED       0x0004  Line numbers stripped
    _LOCAL_SYMS_STRIPPED      0x0008  Local Symbols stripped
    _AGGRESIVE_WS_TRIM        0x0010  OS trims the WorkingSet aggressively
    _LARGE_ADDRESS_AWARE      0x0020  Application can handle addresses above 2G
    _32BIT_MACHINE            0x0100  32 bit Word Machine
    _DEBUG_STRIPPED           0x0200  Debug information stripped into a .DBG File
    _REMOVABLE_RUN_FROM_SWAP  0x0400  on removable media: Copy to the SWAP File on Disk and run from there
    _NET_RUN_FROM_SWAP        0x0800  on the Network: Copy to the SWAP File on Disk and run from there
    _DLL                      0x2000  DLL File
    _UP_SYSTEM_ONLY           0x4000  run only on a uniprocessor ( single Processor ) system
[ 2-2 - 1 ] PE File Flag ( Characteristics )

(iii) IMAGE_OPTIONAL_HEADER
[ 2-2 - 5 ] IMAGE_OPTIONAL_HEADER ( with IMAGE_DATA_DIRECTORY )
[ 2-2 - 6 ] IMAGE_OPTIONAL_HEADER
IMAGE_OPTIONAL_HEADER is 224 Byte: 96 Byte of 36 Field, followed by 16 IMAGE_DATA_DIRECTORY Entry of 8 Byte each ( 128 Byte ).

  Field                                        Description
  WORD  Magic                                  IMAGE_OPTIONAL_HEADER Signature: 32 bit 0x010B, 64 bit 0x020B
  BYTE  Major & Minor LinkerVersion            Version of the Linker that built the File
  DWORD SizeOfCode                             total size of the IMAGE_SCN_CNT_CODE Section
  DWORD SizeOfInitializedData                  total size of the IMAGE_SCN_CNT_INITIALIZED_DATA Section ( present in the File )
  DWORD SizeOfUninitializedData                total size of the IMAGE_SCN_CNT_UNINITIALIZED_DATA Section; not stored in the File, the Loader zero-fills ( 0 Set ) this Data Section in Memory
  DWORD AddressOfEntryPoint                    RVA of the first Code executed once the .text Section is loaded into Memory
  DWORD BaseOfCode                             RVA of the Code Section ( follows the PE Header )
  DWORD BaseOfData                             RVA of the Data Section when loaded into Memory
  DWORD ImageBase                              preferred address at which the PE is mapped in Memory
  DWORD SectionAlignment                       Section alignment in Memory; on Intel Windows one Memory Page, 4K = 0x1000
  DWORD FileAlignment                          Section alignment inside the PE File on Disk ( Sector size )
  WORD  Major & Minor OperatingSystemVersion   required OS Version of the File
  WORD  Major & Minor ImageVersion             User-defined Version of the File
  WORD  Major & Minor SubsystemVersion         Subsystem Version of the File
  DWORD Win32VersionValue                      0
  DWORD SizeOfImage                            size of the PE when loaded into Memory, a multiple of the SectionAlignment Field
  DWORD SizeOfHeaders                          size in Byte of the Header and the Section Table, rounded to FileAlignment
  DWORD CheckSum                               CheckSum of the IMAGE
  WORD  Subsystem                              Subsystem of the File ( CUI : 3, GUI : 2 )
  Field                                                            Description
  WORD  DllCharacteristics                                         DLL Flag
  DWORD SizeOfStackReserve / Commit & SizeOfHeapReserve / Commit   Default Stack and Heap sizes: Reserve 0x00100000, Commit 0x00001000
  DWORD LoaderFlags                                                Debugging flags, 0 Set
  DWORD NumberOfRvaAndSizes                                        number of IMAGE_DATA_DIRECTORY Entry: 16 ( 0x00000010 )
[ 2-2 - 2 ] IMAGE_OPTIONAL_HEADER Field

IMAGE_DATA_DIRECTORY is 128 Byte ( 8 * 16 ); the count of 16 is given by IMAGE_OPTIONAL_HEADER NumberOfRvaAndSizes. The last Entry ( Index 15 ) is always 0, so 15 are actually used.
[ 2-2 - 7 ] IMAGE_DATA_DIRECTORY
[ 2-2 - 8 ] IMAGE_DATA_DIRECTORY
  VirtualAddress : RVA of the Block inside its Section
  Size : size of the Block
Each Index refers to a fixed kind of Block.

  Entry ( IMAGE_DIRECTORY_ENTRY ~ )  Index  Description
  _EXPORT                              0    IMAGE_EXPORT_DIRECTORY
  _IMPORT                              1    IMAGE_IMPORT_DIRECTORY
  Entry ( IMAGE_DIRECTORY_ENTRY ~ )  Index  Description
  _RESOURCE                            2    IMAGE_RESOURCE_DIRECTORY
  _EXCEPTION                           3    IMAGE_RUNTIME_FUNCTION_ENTRY
  _SECURITY                            4    WIN_CERTIFICATE
  _BASERELOC                           5    Base Relocation
  _DEBUG                               6    IMAGE_DEBUG_DIRECTORY
  _ARCHITECTURE                        7    IMAGE_ARCHITECTURE_HEADER
  _GLOBALPTR                           8    GP ( global pointer ) RVA, IA-64 only
  _TLS                                 9    Thread Local Storage Section
  _LOAD_CONFIG                        10    IMAGE_LOAD_CONFIG_DIRECTORY
  _BOUND_IMPORT                       11    DLL Binding
  _IAT                                12    IAT
  _DELAY_IMPORT                       13    ImgDelayDescr
  _COM_DESCRIPTOR                     14    .NET DLL
[ 2-2 - 3 ] IMAGE_DATA_DIRECTORY Index
3) IMAGE_SECTION_HEADER
[ 2-3 - 1 ] IMAGE_SECTION_HEADER
[ 2-3 - 2 ] IMAGE_SECTION_HEADER
The number of IMAGE_SECTION_HEADER entries is given by the IMAGE_FILE_HEADER NumberOfSections Field.

  Field                                       Description
  BYTE  Name [IMAGE_SIZEOF_SHORT_NAME]        Section name, ASCII, 8 Byte
  DWORD PhysicalAddress or VirtualSize        size in Byte of the Section's Code or Data in the PE ( union Misc )
  DWORD VirtualAddress            RVA of the Section in Memory
  DWORD SizeOfRawData             Misc.VirtualSize Field rounded up to FileAlignment
  DWORD PointerToRawData          File Offset of the Section in the PE File, a multiple of FileAlignment
  DWORD PointerToRelocations      File Offset of the COFF Style relocations
  DWORD PointerToLinenumbers      File Offset of the Line number table
  WORD  NumberOfRelocations       number of IMAGE_RELOCATION entries
  WORD  NumberOfLinenumbers       number of IMAGE_LINENUMBER entries
  DWORD Characteristics           Section Flag ( IMAGE_SCN ~ Flag )
[ 2-3 - 1 ] IMAGE_SECTION_HEADER Field

In the PE File a Section occupies SizeOfRawData Byte starting at File Offset PointerToRawData. When mapped, its RVA is VirtualAddress, so the Mapping Pointer is VirtualAddress plus the IMAGE_OPTIONAL_HEADER ImageBase Field, and the mapped Section occupies VirtualSize Byte of Memory.
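The header walk of sections 2-1 to 2-3, as an added Python example that is not from the slides: it builds a constructed PE32 header in which the dump offsets quoted later ( 0xF8, 0x204, 0x22C, 0x254 ) hold the same fields, then parses it from e_magic to the section table. The .textbss entry, the .text VirtualAddress and the section flags are assumed values.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C         # Machine value for Intel 386 (from the slides)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B   # IMAGE_OPTIONAL_HEADER Magic, 32 bit

def build_sample_pe():
    """Constructed PE32 header bytes, not a real executable. e_lfanew = 0xD0 puts
    AddressOfEntryPoint at file offset 0xF8 and the PointerToRawData fields of
    .text/.rdata/.data at 0x204/0x22C/0x254, the offsets the slides quote."""
    e_lfanew = 0xD0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"\0" * (e_lfanew - 0x40)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 4, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                  # SizeOfOptionalHeader for 32 bit
    struct.pack_into("<H", opt, 0x00, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x00011181)          # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 0x1C, 0x00400000)          # ImageBase, EXE default
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    def sec(name, vsize, va, rawsize, rawptr, flags):      # one 40 byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    sections = (sec(b".textbss", 0x10000, 0x01000, 0x0000, 0x0000, 0xE00000A0)   # assumed
                + sec(b".text", 0x03A00, 0x11000, 0x3C00, 0x0400, 0x60000020)    # VA assumed
                + sec(b".rdata", 0x01D00, 0x15000, 0x1E00, 0x4000, 0x40000040)
                + sec(b".data", 0x00200, 0x17000, 0x0200, 0x5E00, 0xC0000040))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sections

def parse_pe(data):
    """e_magic -> e_lfanew -> Signature -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("IMAGE_DOS_HEADER.e_magic is not MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]    # file pointer to IMAGE_NT_HEADERS
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("IMAGE_NT_HEADERS.Signature is not PE\\0\\0")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                           # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, oh)[0]
    entry = struct.unpack_from("<I", data, oh + 0x10)[0]
    base = struct.unpack_from("<I", data, oh + 0x1C)[0]
    sections = []
    for i in range(nsec):                                  # NumberOfSections headers follow
        off = oh + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                         "VirtualAddress": va, "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
                         "Characteristics": struct.unpack_from("<I", data, off + 36)[0],
                         "PointerToRawData_offset": off + 20})  # where this field sits in the file
    return {"Machine": machine, "Magic": magic, "Characteristics": chars,
            "AddressOfEntryPoint": entry, "AddressOfEntryPoint_offset": oh + 0x10,
            "ImageBase": base, "sections": sections}
```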
3. Code & Data Section

1) Basic
A Program Instance in Memory consists of 4 parts: Code, Data, Stack and Heap. The Program Code is mapped from the PE .text Section, and the Data from the .data Section and .rdata Section. So the PE .text Section and the .data & .rdata Section are the parts mapped into Memory as the Code and Data of the Process.
[ 3-1 - 1 ] Win32 Process PE Load
In the 4G VAS of the Process, the PE Mapping is Reserved at the IMAGE_SECTION_HEADER VirtualAddress Field ( ImageBase + RVA ) and Committed for VirtualSize Field Byte per Section; the sizes of the Process Heap and Thread Stack come from the IMAGE_OPTIONAL_HEADER Fields.
2) Code Section
(i) .text Section
The .text Section is the IMAGE_SECTION_HEADER Entry Block that holds the PE Code. When a Thread runs, EIP points into this Code. The Code in the PE File's .text Section is what is mapped as the .text Section in Memory.
[ 3-2 - 1 ] .text Section IMAGE_SECTION_HEADER
[ 3-2 - 2 ] .text Section
The 4 Byte at File Offset 0x204 ( 0x00000400 ) are the PointerToRawData Field: the .text Section starts there in the PE File. The .text Section contains the Code, shown as Assembly.

(ii) ( WinMain )
[ 3-2 - 3 ] WinMain
hinstance is the Program Instance Handle, through which the Process accesses its Resources. It equals the IMAGE_OPTIONAL_HEADER ImageBase Field: Default 0x00400000 for an EXE, 0x00100000 for a DLL. The IMAGE_OPTIONAL_HEADER AddressOfEntryPoint Field is where the Loader starts execution once the PE is mapped into Memory ( the Entry point ).
[ 3-2 - 4 ] IMAGE_OPTIONAL_HEADER
[ 3-2 - 5 ] AddressOfEntryPoint
In the PE Dump the 4 Byte at 0xF8 ( 0x00011181 ) are the AddressOfEntryPoint Field; after Memory Mapping this becomes 0x00411181. The bytes there are E9 4A 0B 00 00, which assemble to 0xE9 : JMP 0x0B4A, a relative JMP; in Memory the JMP goes to 00411CD0.
Memory Mapping
[ 3-2 - 6 ] 0x00411181
[ 3-2 - 7 ] 0x00411CD0
The Main Thread starts at 0x00411181 and JMPs to 0x00411CD0, which is WinMainCRTStartup; that in turn calls WinMain.
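The arithmetic behind the dump above, as an added Python example that is not from the slides: ImageBase + AddressOfEntryPoint gives the first instruction's address, and the E9 rel32 JMP found there is decoded relative to the next instruction. The five sample bytes are the ones the slide shows; the decoder also handles a negative ( backward ) displacement, which goes beyond the slide's single case.

```python
import struct

IMAGE_BASE = 0x00400000               # ImageBase from the slides (EXE default)
ADDRESS_OF_ENTRY_POINT = 0x00011181   # AddressOfEntryPoint RVA read from the PE Dump

# Constructed sample input: the 5 bytes the slide shows at the entry point, E9 4A 0B 00 00.
ENTRY_BYTES = bytes.fromhex("E94A0B0000")

def entry_point_va(image_base, address_of_entry_point):
    """Address the Loader jumps to once the PE is mapped: ImageBase + AddressOfEntryPoint (an RVA)."""
    return image_base + address_of_entry_point

def jmp_rel32_target(va, code):
    """Decode a near JMP (opcode E9 followed by a signed 32 bit displacement) located at
    virtual address va. The displacement is relative to the address of the NEXT
    instruction, so the target is va + 5 + rel32; EIP wraps at 32 bits."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    rel32 = struct.unpack_from("<i", code, 1)[0]    # little-endian, sign-extended
    return (va + 5 + rel32) & 0xFFFFFFFF
```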
3) Data Section
The Data Sections are the .data Section and the .rdata Section; the .bss Section becomes the .textbss Section, which appears in Debugging mode.

(i) .data Section
The .data Section holds the initialized data of the PE ( global / static variables ), which does not live on the Process Stack.
[ 3-3 - 1 ] .data Section IMAGE_SECTION_HEADER
[ 3-3 - 2 ] .data Section
The 4 Byte at 0x254 ( 0x00005E00 ) are the PointerToRawData Field: the start of the .data Section in the PE File. The 4 Byte at 0x250 ( 0x00000200 ) are the SizeOfRawData Field: the size of the Section in the PE File.
In the VAS the Section maps as follows:
  0x00400000 ( Base Address ) + 0x00005E00 ( Data Section Offset ) + 0x00017000 ( VirtualAddress ) - 0x00005E00 ( PointerToRawData ) = 0x00417000
  0x00400000 ( Base Address ) + 0x00005E18 ( Data Section Offset ) + 0x00017000 ( VirtualAddress ) - 0x00005E00 ( PointerToRawData ) = 0x00417018
Memory Mapping
[ 3-3 - 3 ] 0x00417000
(ii) .rdata Section
The .rdata Section holds read-only data: constants, Pointers, and the Runtime Library Error Messages.
[ 3-3 - 4 ] .rdata Section IMAGE_SECTION_HEADER
[ 3-3 - 5 ] .rdata Section
The 4 Byte at 0x22C ( 0x00004000 ) are the PointerToRawData Field: the start of the .rdata Section in the PE File. The 4 Byte at 0x228 ( 0x00001E00 ) are the SizeOfRawData Field: the size of the Section in the PE File. The Characteristics Field is 0x40000040 ( read-only ), whereas the .data Section has 0xC0000040 ( read / write ).
In the VAS the Section maps as follows:
  0x00400000 ( Base Address ) + 0x00004730 ( Data Section Offset ) + 0x00015000 ( VirtualAddress ) - 0x00004000 ( PointerToRawData ) = 0x00415730
Memory Mapping
[ 3-3 - 6 ] 0x00415730
The Debug Section and, for a DLL, the Export Section are merged into the .rdata Section, so they appear inside .rdata rather than as Sections of their own.
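The mapping formula used for .data and .rdata above, implemented in both directions as an added Python example that is not from the slides. The .rdata and .data values are the ones quoted here; the .textbss entry and the .rdata VirtualSize are assumed values, included to show a Section whose Memory range is larger than its File data, where a VA has no File Offset at all.

```python
# Section table values from the slides for .rdata and .data (ImageBase 0x00400000).
# .textbss and the .rdata VirtualSize are constructed assumptions; .textbss has no
# raw data in the file (SizeOfRawData 0) and is zero-filled by the Loader.
IMAGE_BASE = 0x00400000
SECTIONS = [
    {"name": ".textbss", "VirtualAddress": 0x01000, "VirtualSize": 0x10000, "PointerToRawData": 0x0000, "SizeOfRawData": 0x0000},
    {"name": ".rdata", "VirtualAddress": 0x15000, "VirtualSize": 0x1D00, "PointerToRawData": 0x4000, "SizeOfRawData": 0x1E00},
    {"name": ".data", "VirtualAddress": 0x17000, "VirtualSize": 0x0200, "PointerToRawData": 0x5E00, "SizeOfRawData": 0x0200},
]

def section_for_offset(offset, sections=SECTIONS):
    """Section whose raw data [PointerToRawData, PointerToRawData + SizeOfRawData) contains offset."""
    for s in sections:
        if s["SizeOfRawData"] and s["PointerToRawData"] <= offset < s["PointerToRawData"] + s["SizeOfRawData"]:
            return s
    return None

def section_for_rva(rva, sections=SECTIONS):
    """Section whose Memory range [VirtualAddress, VirtualAddress + VirtualSize) contains rva."""
    for s in sections:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + s["VirtualSize"]:
            return s
    return None

def file_offset_to_va(offset, image_base=IMAGE_BASE, sections=SECTIONS):
    """Slide formula: Base Address + offset + VirtualAddress - PointerToRawData of the owning Section."""
    s = section_for_offset(offset, sections)
    if s is None:
        raise ValueError("file offset 0x%X is not inside any section's raw data" % offset)
    return image_base + offset + s["VirtualAddress"] - s["PointerToRawData"]

def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Inverse: VA -> RVA -> file offset. Returns None when the RVA is backed only by
    zero-filled Memory (beyond SizeOfRawData), e.g. .textbss, which is not in the file."""
    rva = va - image_base
    s = section_for_rva(rva, sections)
    if s is None:
        raise ValueError("RVA 0x%X is not inside any section" % rva)
    delta = rva - s["VirtualAddress"]
    if delta >= s["SizeOfRawData"]:
        return None
    return s["PointerToRawData"] + delta
```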