Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[workshop] Exploring the Portable Executable fo...

Ange Albertini
September 13, 2013
Technology
0
470

[workshop] Exploring the Portable Executable format

44Con 2013
London, England

Ange Albertini

September 13, 2013
Tweet

More Decks by Ange Albertini

See All by Ange Albertini
Fearsome File Formats
ange
0
730
Overview of file type identifiers
ange
0
1k
A question of time
ange
0
1k
SBuD: InfoVis in InfoSec
ange
1
830
Generating Weird Files
ange
0
360
Technical challenges with file formats
ange
1
2.2k
Inside out - abusing archive file formats
ange
3
1.8k
Relations between archive formats
ange
0
2k
Beyond your studies v2
ange
2
960

Other Decks in Technology

See All in Technology
[OpsJAWS Meetup33 AIOps] Amazon Bedrockガードレールで守る安全なAI運用
akiratameto
1
140
AIエージェント元年@日本生成AIユーザ会
shukob
1
260
どちらかだけじゃもったいないかも? ECSとEKSを適材適所で併用するメリット、運用課題とそれらの対応について
tk3fftk
2
280
プロダクト開発者目線での Entra ID 活用
sansantech
PRO
0
140
スクラムというコンフォートゾーンから抜け出そう!プロジェクト全体に目を向けるインセプションデッキ / Inception Deck for seeing the whole project
takaking22
3
170
データベースの負荷を紐解く/untangle-the-database-load
emiki
2
550
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
540
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
220
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
2
1.6k
クラウド関連のインシデントケースを収集して見えてきたもの
lhazy
9
2k
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
390
OPENLOGI Company Profile
hr01
0
60k

Featured

See All Featured
Navigating Team Friction
lara
183
15k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
The Cost Of JavaScript in 2023
addyosmani
47
7.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
Music & Morning Musume
bryan
46
6.4k
How GitHub (no longer) Works
holman
314
140k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
4 Signs Your Business is Dying
shpigford
183
22k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k

Transcript

  1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

  2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None

  16. a handmade PE simple.exe a first real example working minimal

  17. None
  18. None
  19. None

  20. detailed walkthrough

  21. None

  22. DOS header unused in PE mode

  23. None

  24. PE header PE signature

  25. None

  26. Optional Header NOT optional in executables

  27. None

  28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
  29. None

  30. Sections memory mapping

  31. None
  32. None

  33. Imports standard loader mechanism NOT required load DLL, locate APIs

  34. None

  35. compiled PE compiled.exe closer to reality extra non-critical structure

  36. None
  37. None
  38. None

  39. DLL exports relocations

  40. None
  41. None

  42. driver subsystem, checksum low alignments mapping different imports

  43. None

  44. resources structure version, manifest/icon, APIs

  45. None
  46. None

  47. Thread Local Storage callback list before EntryPoint & after ExitProcess

  48. None

  49. .Net different and integrated binary 2nd loader

  50. None

  51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

  52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

  53. trivial

  54. None
  55. None
  56. None
  57. None
  58. None