windows PE reversing

reverse engineering/windows/portable-executable.md

@@ -0,0 +1,33 @@
+# Portable Executable
+
+* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
+* An executable binary in the windows world
+The file format consists of
+    * PE Header
+    * Data Sections
+
+## Data Section
+
+The data section consists of
+* __.text__, program code
+* __.data__, initialized variables
+* __.bss__, unanitialized variables
+* __.edata__, exportable objects and related table info
+* __.idata__, imported objects and related table info
+* __.reloc__, image relocation info
+* __.rsrc__, links external resources, e.g. icons, images, manifests
+
+## Starting a PE
+
+If a process starts, the PE is read in the following order
+1. Header sections
+    * File signatue is __MZ__, and magic number are read
+    * Architecture of the platform
+    * timestamp
+2. Section table details is parsed
+3. Content is mapped into memory based on
+    * Entry point address and offset of ImageBase
+    * Relative Virtual Address (RVA), addresses related to Imagebase    
+4. Libraries and imports are loaded
+5. Entrypoint address of the main function is run
+