Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[workshop] Exploring the Portable Executable fo...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Ange Albertini Ange Albertini
September 13, 2013
Technology
540
0

[workshop] Exploring the Portable Executable format

44Con 2013
London, England

Avatar for Ange Albertini

Ange Albertini

September 13, 2013

More Decks by Ange Albertini

See All by Ange Albertini
Fearsome File Formats
Avatar for Ange Albertini ange
0
1.1k
Overview of file type identifiers
Avatar for Ange Albertini ange
0
1.5k
A question of time
Avatar for Ange Albertini ange
0
1.2k
SBuD: InfoVis in InfoSec
Avatar for Ange Albertini ange
1
980
Generating Weird Files
Avatar for Ange Albertini ange
0
500
Technical challenges with file formats
Avatar for Ange Albertini ange
1
2.4k
Inside out - abusing archive file formats
Avatar for Ange Albertini ange
3
2k
Relations between archive formats
Avatar for Ange Albertini ange
0
2.4k
Beyond your studies v2
Avatar for Ange Albertini ange
2
1.1k

Other Decks in Technology

See All in Technology
AIガバナンス実践 - 生成AIコネクタのデータ漏洩リスクと実務対策
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
0
160
「コーディング」しない人のための Claude Code 入門 ChatGPT の次の一歩 — 業務に組み込む 育成・共有・自動化
Avatar for ふくだ(fukuda ryu) rfdnxbro
2
1.1k
関西に縁あるMicrosoft MVPsが語るCopilotの未来
Avatar for Kaz Asada | しがない情シス kasada
0
990
個人最適 から 全体最適 へ AI情報共有会・AIギルド・AI-DLC で進める カンリーの組織展開
Avatar for ふくだ(fukuda ryu) rfdnxbro
0
590
AIを「創る」と「使う」の循環 — HRテックが実践するリアルなAI組織実装
Avatar for Taketo Sasaki taketo957
0
620
新規ゲーム開発におけるAI駆動開発のリアル
Avatar for ENSAPIA Engineering株式会社 202409e2
0
1.6k
AI駆動開発が変える、大規模開発の前提 ーHuman in the Loop から Human on the Loop へ / AIE2026
Avatar for Visional Engineering & Design visional_engineering_and_design
2
1.5k
OpenID Connectによるサービス間連携
Avatar for Shigeki Shoji takesection
0
150
oracle-to-databricks-migration-with-llm-and-dbt
Avatar for case-k-git casek
1
410
Generative UI × A2UI で AI エージェントを作った話 AI-DLC も使ってみた!
Avatar for たけのこ kmiya84377
1
310
はじめてのDatadog
Avatar for KairiM kairim0
0
260
Diagnosing performance problems without the guesswork
Avatar for Elena Tanasoiu elenatanasoiu
0
150

Featured

See All Featured
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
3.5k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.9k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
28
3.5k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
390
Visualization
Avatar for Eitan Lees eitanlees
152
17k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
52k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
560
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9.1k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
150
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
410
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
11k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
470

Transcript

  1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

  2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None

  16. a handmade PE simple.exe a first real example working minimal

  17. None
  18. None
  19. None

  20. detailed walkthrough

  21. None

  22. DOS header unused in PE mode

  23. None

  24. PE header PE signature

  25. None

  26. Optional Header NOT optional in executables

  27. None

  28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
  29. None

  30. Sections memory mapping

  31. None
  32. None

  33. Imports standard loader mechanism NOT required load DLL, locate APIs

  34. None

  35. compiled PE compiled.exe closer to reality extra non-critical structure

  36. None
  37. None
  38. None

  39. DLL exports relocations

  40. None
  41. None

  42. driver subsystem, checksum low alignments mapping different imports

  43. None

  44. resources structure version, manifest/icon, APIs

  45. None
  46. None

  47. Thread Local Storage callback list before EntryPoint & after ExitProcess

  48. None

  49. .Net different and integrated binary 2nd loader

  50. None

  51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

  52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

  53. trivial

  54. None
  55. None
  56. None
  57. None
  58. None