Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[workshop] Exploring the Portable Executable fo...

Avatar for Ange Albertini Ange Albertini
September 13, 2013
Technology
0
510

[workshop] Exploring the Portable Executable format

44Con 2013
London, England

Avatar for Ange Albertini

Ange Albertini

September 13, 2013
Tweet

More Decks by Ange Albertini

See All by Ange Albertini
Fearsome File Formats
Avatar for Ange Albertini ange
0
900
Overview of file type identifiers
Avatar for Ange Albertini ange
0
1.2k
A question of time
Avatar for Ange Albertini ange
0
1.1k
SBuD: InfoVis in InfoSec
Avatar for Ange Albertini ange
1
900
Generating Weird Files
Avatar for Ange Albertini ange
0
420
Technical challenges with file formats
Avatar for Ange Albertini ange
1
2.3k
Inside out - abusing archive file formats
Avatar for Ange Albertini ange
3
1.9k
Relations between archive formats
Avatar for Ange Albertini ange
0
2.2k
Beyond your studies v2
Avatar for Ange Albertini ange
2
1k

Other Decks in Technology

See All in Technology
社内報はAIにやらせよう / Let AI handle the company newsletter
Avatar for Jumpei Sakatsu saka2jp
8
1.3k
OCI Network Firewall 概要
Avatar for oracle4engineer oracle4engineer
PRO
1
7.8k
AI時代だからこそ考える、僕らが本当につくりたいスクラムチーム / A Scrum Team we really want to create in this AI era
Avatar for TAKAKING22 takaking22
7
4k
オープンソースでどこまでできる?フォーマル検証チャレンジ
Avatar for msyksphinz msyksphinz
0
120
そのWAFのブロック、どう活かす? サービスを守るための実践的多層防御と思考法 / WAF blocks defense decision
Avatar for 株式会社カミナシ kaminashi
0
120
ガバメントクラウド(AWS)へのデータ移行戦略の立て方【虎の巻】 / 20251011 Mitsutosi Matsuo
Avatar for SHIFT EVOLVE shift_evolve
PRO
2
180
Why Governance Matters: The Key to Reducing Risk Without Slowing Down
Avatar for Sarah Wells sarahjwells
0
120
ガバメントクラウドの概要と自治体事例(名古屋市)
Avatar for 高橋広和 techniczna
2
210
Wasmのエコシステムを使った ツール作成方法
Avatar for asuka askua
0
100
大規模サーバーレスAPIの堅牢性・信頼性設計 〜AWSのベストプラクティスから始まる現実的制約との向き合い方〜
Avatar for maimyyym maimyyym
5
3.6k
Modern_Data_Stack最新動向クイズ_買収_AI_激動の2025年_.pdf
Avatar for Sagara sagara
0
230
「AI駆動PO」を考えてみる - 作る速さから価値のスループットへ:検査・適応で未来を開発 / AI-driven product owner. scrummat2025
Avatar for yosuke nagai yosuke_nagai
3
800

Featured

See All Featured
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
303
21k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
79
6k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
20k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
232
18k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
45
2.5k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
71
11k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
246
12k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
9.9k

Transcript

  1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

  2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None

  16. a handmade PE simple.exe a first real example working minimal

  17. None
  18. None
  19. None

  20. detailed walkthrough

  21. None

  22. DOS header unused in PE mode

  23. None

  24. PE header PE signature

  25. None

  26. Optional Header NOT optional in executables

  27. None

  28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
  29. None

  30. Sections memory mapping

  31. None
  32. None

  33. Imports standard loader mechanism NOT required load DLL, locate APIs

  34. None

  35. compiled PE compiled.exe closer to reality extra non-critical structure

  36. None
  37. None
  38. None

  39. DLL exports relocations

  40. None
  41. None

  42. driver subsystem, checksum low alignments mapping different imports

  43. None

  44. resources structure version, manifest/icon, APIs

  45. None
  46. None

  47. Thread Local Storage callback list before EntryPoint & after ExitProcess

  48. None

  49. .Net different and integrated binary 2nd loader

  50. None

  51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

  52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

  53. trivial

  54. None
  55. None
  56. None
  57. None
  58. None