Exploring the Portable Executable format
Uploaded by ange-albertini
Transcript of Exploring the Portable Executable format

Exploring the Portable Executable format
Ange Albertini, London, England, 2013/09/13

Workshop package (PoCs + docs): http://www.xchg.info/corkami/workshop.zip
Recommended PE viewer: http://icerbero.com/peinsider

a handmade PE: simple.exe
a first real example, working minimal

detailed walkthrough

DOS header: unused in PE mode

PE header: PE signature

Optional Header: NOT optional in executables

DataDirectories: end of Optional Header, 16 (max) * [RVA, Size]
each entry interpreted differently

Sections: memory mapping

Imports: standard loader mechanism
NOT required: load DLL, locate APIs

compiled PE: compiled.exe, closer to reality
extra non-critical structure

DLL: exports, relocations

driver: subsystem, checksum
low alignments mapping, different imports

resources: structure
version, manifest/icon, APIs

Thread Local Storage: callback list
before EntryPoint & after ExitProcess

.Net: different and integrated binary
2nd loader

what about 64-bit?

very few changes:

- 2 magic constants
- a few elements become QWord
  - ImageBase, Imports thunks, callbacks
- Exceptions have their own DataDirectory
  - no need for LoadConfig (SafeSEH)

and ARM

- a different magic constant
- still a 16-bit DOS Stub!
- nothing special, PE-wise
  - the beauty of 'Portability'

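As an added example (not part of the workshop package or the author's PoCs), the Python below parses the structures walked through above, DOS header, PE signature, File Header, Optional Header, DataDirectories and section table, with the checks a parser needs before trusting a file: the Optional Header Magic selects the PE32 or PE32+ layout (where ImageBase becomes a QWord), an unknown Magic is rejected, and NumberOfRvaAndSizes is capped at 16 as the loader does. Field offsets come from the PE/COFF specification; the header bytes, the Machine values used in the checks (0x14c i386, 0x8664 AMD64, 0x1c4 ARMNT) and the sample Import directory entry are constructed for the demonstration.

```python
import struct
# Offsets follow the PE/COFF spec; Magic selects the PE32 (0x10b) or PE32+ (0x20b) layout.
PE32, PE32PLUS, MAX_DIRS = 0x10B, 0x20B, 16
# Per Magic: (ImageBase struct format, ImageBase offset, NumberOfRvaAndSizes offset) in the Optional Header
LAYOUT = {PE32: ("<I", 28, 92), PE32PLUS: ("<Q", 24, 108)}

def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # the only DOS header field PE mode uses
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                          # 20-byte File Header
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                              # Optional Header (not optional here)
    magic, entry = struct.unpack_from("<H14xI", data, opt)     # Magic, AddressOfEntryPoint
    if magic not in LAYOUT:
        raise ValueError("unknown Optional Header magic 0x%x" % magic)
    base_fmt, base_off, nd_off = LAYOUT[magic]
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    ndirs = min(struct.unpack_from("<I", data, opt + nd_off)[0], MAX_DIRS)  # loader honours at most 16
    dirs = [struct.unpack_from("<II", data, opt + nd_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                      # section table follows the Optional Header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"machine": machine, "magic": magic, "entry": entry,
            "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    # Sections define the memory mapping: translate an RVA to the file offset backing it
    for _, va, vsize, rawptr, _ in pe["sections"]:
        if va <= rva < va + vsize:
            return rawptr + (rva - va)
    return None

def build_sample(magic, machine, image_base, entry, ndirs):
    # Constructed header bytes (no code, one ".text" section) to exercise the parser offline
    base_fmt, base_off, nd_off = LAYOUT[magic]
    opt_size = nd_off + 4 + 8 * ndirs
    hdr = bytearray(0x58 + opt_size + 40)
    struct.pack_into("<2s58xI", hdr, 0, b"MZ", 0x40)                          # e_magic, e_lfanew
    struct.pack_into("<4sHH12xH", hdr, 0x40, b"PE\0\0", machine, 1, opt_size)  # signature, File Header
    struct.pack_into("<H14xI", hdr, 0x58, magic, entry)
    struct.pack_into(base_fmt, hdr, 0x58 + base_off, image_base)
    struct.pack_into("<I", hdr, 0x58 + nd_off, ndirs)
    struct.pack_into("<II", hdr, 0x58 + nd_off + 12, 0x1000, 0x28)           # Import directory [RVA, Size]
    struct.pack_into("<8sIIII", hdr, 0x58 + opt_size, b".text", 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr)
```

Feeding the same parser a PE32+ sample that claims 20 directories shows the cap at 16 in action, and a corrupted Magic is rejected instead of being read with the wrong layout.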
trivial