34 lines
1.0 KiB
Markdown
34 lines
1.0 KiB
Markdown
|
# Portable Executable
|
||
|
|
|
||
|
|
* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
|
||
|
|
* An executable binary in the windows world
|
||
|
|
The file format consists of
|
||
|
|
* PE Header
|
||
|
|
* Data Sections
|
||
|
|
|
||
|
|
## Data Section
|
||
|
|
|
||
|
|
The data section consists of
|
||
|
|
* __.text__, program code
|
||
|
|
* __.data__, initialized variables
|
||
|
|
* __.bss__, unanitialized variables
|
||
|
|
* __.edata__, exportable objects and related table info
|
||
|
|
* __.idata__, imported objects and related table info
|
||
|
|
* __.reloc__, image relocation info
|
||
|
|
* __.rsrc__, links external resources, e.g. icons, images, manifests
|
||
|
|
|
||
|
|
## Starting a PE
|
||
|
|
|
||
|
|
If a process starts, the PE is read in the following order
|
||
|
|
1. Header sections
|
||
|
|
* File signatue is __MZ__, and magic number are read
|
||
|
|
* Architecture of the platform
|
||
|
|
* timestamp
|
||
|
|
2. Section table details is parsed
|
||
|
|
3. Content is mapped into memory based on
|
||
|
|
* Entry point address and offset of ImageBase
|
||
|
|
* Relative Virtual Address (RVA), addresses related to Imagebase
|
||
|
|
4. Libraries and imports are loaded
|
||
|
|
5. Entrypoint address of the main function is run
|
||
|
|
|