PE Format

In general modern Windows binaries are arranged like this diagram

PE32 is the 32-bit version of this file format

PE32+ is the 64-bit version, sometimes people write PE64

MS-DOS Header

We'll go over Windbg later in the semester

  • Mostly irrelevant to us
  • e_magic should be 0x4D5A
  • e_lfanew is the relative virtual address (RVA) of the NT Header

Why would we not care about most of this?

Virtual Address?

This is not related to the concept of virtual addressing in relation to memory mangement

When a PE is loaded into memory, all virtual addressing is based on that load address

Virtual Addressing will use this address as it's base for this specific loaded instance of chrome

NT Header

Which parts do you think are important?

NT Header

Click Me

Let's see what the official docs say about this one

When reversing Windows, in general, Microsoft has very good documentation

Image Data Directory

Lets look at the docs again

Not much to go off just looking at the struct

Official Docs are our friend again...

This won't always be the case, especially when you're trying to do unintended things or call undocumented API's

Finding Executable Sections

How do we find sections? We only know how many there are from looking at the Image File Header

The Image Section Header Struct is directly after the Image Optional Header

Docs

This tells us if it's executable (and other stuff aswell)

Guess where this link goes...

CFF Explorer

Allows us to browse through the PE file easily 

Can also edit header fields with this tool

Good for rapid triage of a windows file

PE

By Drake P

Made with Slides.com

PE

  • 145

More from Drake P