Portable Executable

  • Windows PE doc
  • An executable binary in the Windows world. The file format consists of
    • PE Header
    • Data Sections

Data Sections

The data sections consist of

  • .text, program code
  • .data, initialized variables
  • .bss, uninitialized variables
  • .edata, exportable objects and related table info
  • .idata, imported objects and related table info
  • .reloc, image relocation info
  • .rsrc, embedded resources, e.g. icons, images, manifests

Starting a PE

When a process starts, the PE is read in the following order

  1. Header sections
    • File signature (MZ) and magic number are read
    • Architecture of the target platform
    • Timestamp
  2. Section table details are parsed
  3. Content is mapped into memory based on
    • Entry point address and the offset from ImageBase
    • Relative Virtual Addresses (RVAs), addresses relative to ImageBase
  4. Libraries and imports are loaded
  5. Execution starts at the entry point address
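Steps 1 to 3 and 5 of that sequence, as an added Python example that is not part of the compendium: it builds a constructed, headers-only PE32+ image as sample input, checks the MZ and PE signatures, reads the COFF and optional header fields, walks the section table and resolves the entry point RVA to a virtual address and a file offset (import loading, step 4, is not modelled).

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32+ image: DOS header, PE headers and two sections, no real code."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                                   # DOS signature
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header follows the DOS header
    # COFF header: Machine=AMD64, 2 sections, TimeDateStamp (constructed), SizeOfOptionalHeader=112
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 112, 0x22)
    opt = bytearray(112)                               # PE32+ optional header, no data directories
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1020)            # AddressOfEntryPoint, an RVA inside .text
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    # Section headers: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

def parse_pe(data):
    """Read signatures, architecture, timestamp, ImageBase, entry point and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                 # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                               # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, pos = [], opt + opt_size                 # section table starts right after the optional header
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "raw": rawptr})
        pos += 40                                      # each IMAGE_SECTION_HEADER is 40 bytes
    return {"machine": machine, "timestamp": timestamp, "magic": magic, "image_base": image_base,
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva, "sections": sections}

def rva_to_offset(sections, rva):
    """Map an RVA to its file offset via the section that contains it; None if no section maps it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    return None
```

`parse_pe(open(path, "rb").read())` works the same way on a real image, since only the documented header offsets are used.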