killchain-compendium/Reverse Engineering/Portable Executable.md

54 lines
1.5 KiB
Markdown

# Portable Executable
* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
* An executable binary in the windows world
The file format consists of
* PE Header
* Data Sections
## Headers
1. IMAGE_DOS_HEADER, 0x00 to 0x63 of the binary
* `e_magic` as the Magic Bytes: 'MZ' -> 0x4D5A (0x5A4D in little endian)
* `e_lfanew` contains the starting offset of `IMAGE_NT_HEADERS`
2. DOS_STUB
* Contains `!This program cannot be run in DOS mode`
3. .ntdata
3. FILE_HEADER
4. OPTIONAL_HEADER
5. IMAGE_SECTION_HEADER
6. IMAGE_NT_HEADERS
* NT_HEADERS
* Signature
* FILE_HEADER
* OPTIONAL_HEADER
## Data Section
The data section consists of
* __.text__, program code
* __.data__, initialized variables
* __.bss__, unanitialized variables
* __.edata__, exportable objects and related table info
* __.idata__, imported objects and related table info
* __.reloc__, image relocation info
* __.rsrc__, links external resources, e.g. icons, images, manifests
## Starting a PE
If a process starts, the PE is read in the following order
1. Header sections
* File signatue is __MZ__, and magic number are read
* Architecture of the platform
* timestamp
2. Section table details is parsed
3. Content is mapped into memory based on
* Entry point address and offset of ImageBase
* Relative Virtual Address (RVA), addresses related to Imagebase
4. Libraries and imports are loaded
5. Entrypoint address of the main function is run
## Tools
[pe-tree](https://github.com/blackberry/pe_tree)