PE 101 - a windows executable walkthrough
Ange Albertini
http://corkami.com
portable executable, windows, walkthrough
2012

Panels: Dissected PE / Loading process / Notes
PE header:
Signature 'PE', 0, 0
Machine 0x14c [intel 386]
NumberOfSections 3
SizeOfOptionalHeader 0xe0
Characteristics 0x102 [32b EXE]
Import descriptor for user32.dll: INT 0x2044 -> [0x205a, 0]; Name 0x2085 -> "user32.dll"; Hint,Name at 0x205a -> 0, "MessageBoxA"; IAT 0x2070 -> [0x205a, 0]
Code (offset 0x200):
6A 00 68 00 30 40 00 68 17 30 40 00 6A 00 FF 15  j.h.0@.h.0@.j...
70 20 40 00 6A 00 FF 15 68 20 40 00              p.@.j...h.@.
Hexadecimal dump / ASCII dump of simple.exe (runs of identical zero rows are abbreviated, as on the poster):
4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00  ............@...
50 45 00 00 4C 01 03 00 00 00 00 00 00 00 00 00  PE..L...........
00 00 00 00 E0 00 02 01 0B 01 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00  ................
00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
00 40 00 00 00 02 00 00 00 00 00 00 02 00 00 00  .@..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00  .........text...
00 10 00 00 00 10 00 00 00 02 00 00 00 02 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60  ...............`
2E 72 64 61 74 61 00 00 00 10 00 00 00 20 00 00  .rdata..........
00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00  ....@..@.data...
00 10 00 00 00 30 00 00 00 02 00 00 00 06 00 00  .....0..........
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0  ............@...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
6A 00 68 00 30 40 00 68 17 30 40 00 6A 00 FF 15  j.h.0@.h.0@.j...
70 20 40 00 6A 00 FF 15 68 20 40 00 00 00 00 00  p.@.j...h.@.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
3C 20 00 00 00 00 00 00 00 00 00 00 78 20 00 00  <...........x...
68 20 00 00 44 20 00 00 00 00 00 00 00 00 00 00  h...D...........
85 20 00 00 70 20 00 00 00 00 00 00 00 00 00 00  ....p...........
00 00 00 00 00 00 00 00 00 00 00 00 4C 20 00 00  ............L...
00 00 00 00 5A 20 00 00 00 00 00 00 00 00 45 78  ....Z.........Ex
69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73  itProcess...Mess
61 67 65 42 6F 78 41 00 4C 20 00 00 00 00 00 00  ageBoxA.L.......
5A 20 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32  Z.......kernel32
2E 64 6C 6C 00 75 73 65 72 33 32 2E 64 6C 6C 00  .dll.user32.dll.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
61 20 73 69 6D 70 6C 65 20 50 45 20 65 78 65 63  a.simple.PE.exec
75 74 61 62 6C 65 00 48 65 6C 6C 6F 20 77 6F 72  utable.Hello.wor
6C 64 21 00 00 00 00 00 00 00 00 00 00 00 00 00  ld!.............
x86 assembly:
push 0
push 0x403000
push 0x403017
push 0
call [0x402070]
push 0
call [0x402068]

Equivalent C code:
ExitProcess(0);
DOS header:
e_magic 'MZ'
e_lfanew 0x40

Data directory:
Imports VA 0x2000

Optional header:
Magic 0x10b [32b]
AddressOfEntryPoint 0x1000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
MajorSubsystemVersion 4 [NT 4 or later]
SizeOfImage 0x4000
SizeOfHeaders 0x200
Subsystem 2 [GUI]
NumberOfRvaAndSizes 16
Explanation of the DOS header fields:
e_magic: constant signature
e_lfanew: offset of the PE Header

Explanation of the PE header fields:
Signature: constant signature
Machine: processor (ARM/MIPS/Intel/...)
NumberOfSections: number of sections
SizeOfOptionalHeader: relative offset of the section table
Characteristics: EXE/DLL/...

Explanation of the optional header fields:
Magic: 32 bits/64 bits
AddressOfEntryPoint: where execution starts
ImageBase: address where the file should be mapped in memory
SectionAlignment: where sections should start in memory
FileAlignment: where sections should start on file
MajorSubsystemVersion: required version of Windows
SizeOfImage: total memory space required
SizeOfHeaders: total size of the headers
Subsystem: driver/graphical/command line/...
NumberOfRvaAndSizes: number of data directories

Explanation of the data directory entry:
Imports VA: RVA of the imports
Data (offset 0x600): a simple PE executable\0Hello world!\0

Sections table:
Name    VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
.text   0x1000       0x1000          0x200          0x200             CODE EXECUTE READ
.rdata  0x1000       0x2000          0x200          0x400             INITIALIZED READ
.data   0x1000       0x3000          0x200          0x600             DATA READ WRITE
[Figure: loading process. On file: the headers run from offset 0x0 up to SizeOfHeaders (0x200); Section 1, Section 2 and Section 3 follow at PointerToRawData 0x200, 0x400 and 0x600, each SizeOfRawData (0x200, a multiple of FileAlignment) long, up to the end of the file at 0x800. In memory: the image starts at ImageBase (0x400000); the headers are mapped up to 0x400200; Section 1, Section 2 and Section 3 are mapped at ImageBase + VirtualAddress, i.e. 0x401000, 0x402000 and 0x403000 (strings), each VirtualSize (0x1000, a multiple of SectionAlignment) long, up to ImageBase + SizeOfImage = 0x404000. Addresses in the headers are Relative Virtual Addresses (RVAs), relative to ImageBase. After loading, each IAT entry points to the address of the imported API inside the loaded library DLL.]

Equivalent C code:
MessageBox(0, "Hello World!", "a simple PE executable", 0);

For each section, a SizeOfRawData-sized block is read from the file at offset PointerToRawData. It is loaded in memory at address ImageBase + VirtualAddress, in a VirtualSize-sized block, with the section's specific Characteristics.
Import descriptor for kernel32.dll: INT 0x203c -> [0x204c, 0]; Name 0x2078 -> "kernel32.dll"; Hint,Name at 0x204c -> 0, "ExitProcess"; IAT 0x2068 -> [0x204c, 0]
Last import descriptor: 0, 0, 0, 0, 0 (terminates the descriptor list)
After loading, 0x402068 will point to kernel32.dll's ExitProcess and 0x402070 will point to user32.dll's MessageBoxA.
simple.exe, dissected (legend):
DOS header: shows it's a binary
PE header: shows it's a 'modern' binary
optional header: executable information
data directories: pointers to extra structures (exports, imports, ...)
sections table: defines how the file is loaded in memory
header: technical details about the executable
sections: contents of the executable
code: what is executed
imports: link between the executable and (Windows) libraries
data: information used by the code
Loading process:
1. Headers: the DOS Header is parsed; the PE Header is parsed (its offset is the DOS Header's e_lfanew); the Optional Header is parsed (it follows the PE Header).

This is the whole file; however, most PE files contain more elements. Explanations are simplified for conciseness.
SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb
IAT (Import Address Table): null-terminated list of pointers. On file it is a copy of the INT; after loading it points to the imported APIs.
Offsets of the structures in simple.exe:
PE header: offset 0x40
Optional header: offset 0x58
Sections table: offset 0x138
Code: offset 0x200 (0x401000 in memory)
Imports structures: offset 0x400 (0x402000 in memory)
Data: offset 0x600 (0x403000 in memory)
download @ pe101.corkami.com
2. Sections table: the sections table is parsed (it is located at offset(OptionalHeader) + SizeOfOptionalHeader); it contains NumberOfSections elements; it is checked for validity against the alignments (FileAlignment and SectionAlignment).
3. Mapping: the file is mapped in memory according to the ImageBase, the SizeOfHeaders and the sections table.
4. Imports: the DataDirectories are parsed (they follow the OptionalHeader; their number is NumberOfRvaAndSizes; imports are always #2). The imports are parsed: each descriptor specifies a DLL name; this DLL is loaded in memory; the IAT and INT are parsed simultaneously; for each API in the INT, its address is written in the IAT entry.
5. Execution: the code is called at the EntryPoint; the calls in the code go via the IAT to the APIs.
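The loading steps above, carried out in Python against the poster's simple.exe. This is an added example, not Ange Albertini's code: the file bytes are rebuilt with struct.pack from the field values visible in the hex dump (so no download is needed), and the loader's mapping step is modelled only as an RVA-to-file-offset lookup through the sections table; no DLL is actually loaded.

```python
"""Walk simple.exe as the poster's loading process describes: DOS header -> PE header -> optional
header -> sections table -> imports.  Added example; the file is rebuilt from the dump's field values."""
import struct

def build_simple_exe() -> bytes:
    """Constructed copy of the poster's 0x800-byte simple.exe (non-zero fields only)."""
    f = bytearray(0x800)
    f[0:2], f[0x3C] = b"MZ", 0x40                                        # e_magic, e_lfanew
    struct.pack_into("<4sHH12xHH", f, 0x40, b"PE\0\0", 0x14C, 3, 0xE0, 0x102)  # PE header
    struct.pack_into("<I", f, 0x68, 0x1000)                              # AddressOfEntryPoint (opt. header at 0x58)
    struct.pack_into("<III", f, 0x74, 0x400000, 0x1000, 0x200)           # ImageBase, Section/FileAlignment
    struct.pack_into("<II", f, 0xC0, 0x2000, 0)                          # DataDirectory[1] = imports RVA
    for i, (name, va, raw, ch) in enumerate([(b".text", 0x1000, 0x200, 0x60000020),
            (b".rdata", 0x2000, 0x400, 0x40000040), (b".data", 0x3000, 0x600, 0xC0000040)]):
        struct.pack_into("<8sIIII12xI", f, 0x138 + 40 * i, name, 0x1000, va, 0x200, raw, ch)
    f[0x200:0x21C] = bytes.fromhex("6A00 6800304000 6817304000 6A00 FF1570204000 6A00 FF1568204000")
    struct.pack_into("<10I", f, 0x400, 0x203C, 0, 0, 0x2078, 0x2068,     # descriptor: INT, 0, 0, Name, IAT
                     0x2044, 0, 0, 0x2085, 0x2070)                       # (an all-zero one ends the list)
    struct.pack_into("<4I", f, 0x43C, 0x204C, 0, 0x205A, 0)              # INTs, each null-terminated
    f[0x44C:0x468] = b"\0\0ExitProcess\0\0\0MessageBoxA\0"              # Hint,Name entries
    struct.pack_into("<4I", f, 0x468, 0x204C, 0, 0x205A, 0)              # IATs: on disk a copy of the INTs
    f[0x478:0x490] = b"kernel32.dll\0user32.dll\0"
    f[0x600:0x624] = b"a simple PE executable\0Hello world!\0"
    return bytes(f)

def parse_pe(f: bytes) -> dict:
    """Follow the headers as the loader does; return ImageBase, entry VA and each API's IAT slot."""
    cstr = lambda o: f[o:f.index(b"\0", o)].decode()                     # NUL-terminated ASCII
    assert f[:2] == b"MZ", "not an MZ file"
    pe = struct.unpack_from("<I", f, 0x3C)[0]                            # e_lfanew
    assert f[pe:pe + 4] == b"PE\0\0", "no PE signature at e_lfanew"
    nsec, opt_size = struct.unpack_from("<H12xH", f, pe + 6)             # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                                        # optional header follows the PE header
    entry, base = struct.unpack_from("<I8xI", f, opt + 0x10)             # AddressOfEntryPoint, ImageBase
    secs = [struct.unpack_from("<8sIIII", f, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(rva: int) -> int:  # mapping step in reverse: RVA -> file offset via the section mapped there
        for _, vsize, va, _, raw in secs:
            if va <= rva < va + vsize:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    imports, d = {}, off(struct.unpack_from("<I", f, opt + 0x68)[0])     # DataDirectory[1]: imports
    while any(desc := struct.unpack_from("<5I", f, d)):                  # all-zero descriptor ends the list
        int_rva, _, _, name_rva, iat_rva = desc
        apis, p = [], off(int_rva)
        while thunk := struct.unpack_from("<I", f, p)[0]:                # INT is null-terminated
            apis.append((cstr(off(thunk) + 2), iat_rva + p - off(int_rva)))  # skip the 2-byte Hint
            p += 4
        imports[cstr(off(name_rva))] = apis                              # DLL -> [(API, IAT slot RVA)]
        d += 20
    return {"ImageBase": base, "EntryPoint": base + entry, "imports": imports}
```

Adding ImageBase to each IAT slot RVA gives the 0x402068 and 0x402070 that the code calls through.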
RVA (Relative Virtual Address): address relative to ImageBase (at ImageBase, RVA = 0). Almost all addresses in the headers are RVAs; in code, addresses are not relative.
INT (Import Name Table): null-terminated list of pointers to Hint,Name structures.
MZ header, aka DOS_HEADER: starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer).
Optional header, aka IMAGE_OPTIONAL_HEADER: optional only for non-standard PEs, but required for executables.
PE header, aka IMAGE_FILE_HEADER / COFF file header: starts with 'PE' (Portable Executable).
Hint: index in the exports table of the DLL to be imported; not required, but provides a speed-up by reducing look-up.
All addresses here are RVAs.
version 1, 3rd May 2012