killchain-compendium/Reverse Engineering/Portable Executable.md

# Portable Executable

* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
* An executable binary in the windows world
The file format consists of
    * PE Header
    * Data Sections

## Headers

1. IMAGE_DOS_HEADER, 0x00 to 0x63 of the binary
    * `e_magic` as the Magic Bytes: 'MZ' -> 0x4D5A (0x5A4D in little endian)
    * `e_lfanew` contains the starting offset of `IMAGE_NT_HEADERS` 
2. DOS_STUB
    * Contains `!This program cannot be run in DOS mode`
3. .ntdata
3. FILE_HEADER
4. OPTIONAL_HEADER
5. IMAGE_SECTION_HEADER
6. IMAGE_NT_HEADERS
    * NT_HEADERS
        * Signature
        * FILE_HEADER
        * OPTIONAL_HEADER
    
## Data Section

The data section consists of
* __.text__, program code
* __.data__, initialized variables
* __.bss__, unanitialized variables
* __.edata__, exportable objects and related table info
* __.idata__, imported objects and related table info
* __.reloc__, image relocation info
* __.rsrc__, links external resources, e.g. icons, images, manifests

## Starting a PE

If a process starts, the PE is read in the following order
1. Header sections
    * File signatue is __MZ__, and magic number are read
    * Architecture of the platform
    * timestamp
2. Section table details is parsed
3. Content is mapped into memory based on
    * Entry point address and offset of ImageBase
    * Relative Virtual Address (RVA), addresses related to Imagebase    
4. Libraries and imports are loaded
5. Entrypoint address of the main function is run

## Tools

[pe-tree](https://github.com/blackberry/pe_tree)
further restructuring 2022-11-12 23:18:06 +01:00			`# Portable Executable`

			`* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)`
			`* An executable binary in the windows world`
			`The file format consists of`
			`* PE Header`
			`* Data Sections`

added IOT to Exploit 2022-12-22 17:30:06 +01:00			`## Headers`

			`1. IMAGE_DOS_HEADER, 0x00 to 0x63 of the binary`
			* `e_magic` as the Magic Bytes: 'MZ' -> 0x4D5A (0x5A4D in little endian)
			* `e_lfanew` contains the starting offset of `IMAGE_NT_HEADERS`
			`2. DOS_STUB`
			* Contains `!This program cannot be run in DOS mode`
			`3. .ntdata`
			`3. FILE_HEADER`
			`4. OPTIONAL_HEADER`
			`5. IMAGE_SECTION_HEADER`
			`6. IMAGE_NT_HEADERS`
			`* NT_HEADERS`
			`* Signature`
			`* FILE_HEADER`
			`* OPTIONAL_HEADER`

further restructuring 2022-11-12 23:18:06 +01:00			`## Data Section`

			`The data section consists of`
			`* __.text__, program code`
			`* __.data__, initialized variables`
			`* __.bss__, unanitialized variables`
			`* __.edata__, exportable objects and related table info`
			`* __.idata__, imported objects and related table info`
			`* __.reloc__, image relocation info`
			`* __.rsrc__, links external resources, e.g. icons, images, manifests`

			`## Starting a PE`

			`If a process starts, the PE is read in the following order`
			`1. Header sections`
			`* File signatue is __MZ__, and magic number are read`
			`* Architecture of the platform`
			`* timestamp`
			`2. Section table details is parsed`
			`3. Content is mapped into memory based on`
			`* Entry point address and offset of ImageBase`
			`* Relative Virtual Address (RVA), addresses related to Imagebase`
			`4. Libraries and imports are loaded`
			`5. Entrypoint address of the main function is run`

added IOT to Exploit 2022-12-22 17:30:06 +01:00			`## Tools`

			`[pe-tree](https://github.com/blackberry/pe_tree)`