killchain-compendium/reverse engineering/windows/portable-executable.md

2022-09-04 23:50:45 +02:00
# Portable Executable
* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
* An executable binary in the Windows world

The file format consists of

* PE Header
* Data Sections

## Data Section

The data section consists of

* __.text__, program code
* __.data__, initialized variables
* __.bss__, uninitialized variables
* __.edata__, exportable objects and related table info
* __.idata__, imported objects and related table info
* __.reloc__, image relocation info
* __.rsrc__, external resources, e.g. icons, images, manifests

## Starting a PE

If a process starts, the PE is read in the following order

1. Header sections
    * File signature __MZ__ and magic number are read
    * Architecture of the platform
    * Timestamp
2. Section table details are parsed
3. Content is mapped into memory based on
    * Entry point address and offset from ImageBase
    * Relative Virtual Address (RVA), addresses relative to ImageBase
4. Libraries and imports are loaded
5. Entry point address of the main function is run