From e7a5a3d9e334e6bc1f0847b62dfc56df392d1001 Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 4 Sep 2022 23:50:45 +0200 Subject: [PATCH] windows PE reversing --- .../windows/portable-executable.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 reverse engineering/windows/portable-executable.md diff --git a/reverse engineering/windows/portable-executable.md b/reverse engineering/windows/portable-executable.md new file mode 100644 index 0000000..7f3d3a7 --- /dev/null +++ b/reverse engineering/windows/portable-executable.md @@ -0,0 +1,33 @@ +# Portable Executable + +* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format) +* An executable binary in the windows world +The file format consists of + * PE Header + * Data Sections + +## Data Section + +The data section consists of +* __.text__, program code +* __.data__, initialized variables +* __.bss__, unanitialized variables +* __.edata__, exportable objects and related table info +* __.idata__, imported objects and related table info +* __.reloc__, image relocation info +* __.rsrc__, links external resources, e.g. icons, images, manifests + +## Starting a PE + +If a process starts, the PE is read in the following order +1. Header sections + * File signatue is __MZ__, and magic number are read + * Architecture of the platform + * timestamp +2. Section table details is parsed +3. Content is mapped into memory based on + * Entry point address and offset of ImageBase + * Relative Virtual Address (RVA), addresses related to Imagebase +4. Libraries and imports are loaded +5. Entrypoint address of the main function is run +
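Review bot: several typos in the added file should be fixed before merge: the `.bss` bullet says "unanitialized variables" (uninitialized), step 1 under "Starting a PE" reads "File signatue is __MZ__" (signature), and "Section table details is parsed" should be "Section table details are parsed". Step 1 also lumps the __MZ__ signature and "magic number" into one bullet without saying which header each belongs to or what the magic number identifies, so the stated read order is ambiguous; spell out each value and the header it lives in. Minor: step 3 spells "ImageBase" and "Imagebase" two ways, and "addresses related to Imagebase" should read "addresses relative to ImageBase".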