Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[workshop] Exploring the Portable Executable fo...

Ange Albertini
September 13, 2013
Technology
0
470

[workshop] Exploring the Portable Executable format

44Con 2013
London, England

Ange Albertini

September 13, 2013
Tweet

More Decks by Ange Albertini

See All by Ange Albertini
Fearsome File Formats
ange
0
730
Overview of file type identifiers
ange
0
1k
A question of time
ange
0
1k
SBuD: InfoVis in InfoSec
ange
1
830
Generating Weird Files
ange
0
360
Technical challenges with file formats
ange
1
2.2k
Inside out - abusing archive file formats
ange
3
1.8k
Relations between archive formats
ange
0
2k
Beyond your studies v2
ange
2
960

Other Decks in Technology

See All in Technology
わたしがEMとして入社した「最初の100日」の過ごし方 / EMConfJp2025
daiksy
14
5.3k
データベースの負荷を紐解く/untangle-the-database-load
emiki
2
540
Ruby on Railsで持続可能な開発を行うために取り組んでいること
am1157154
3
160
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
9
750
ABWG2024採択者が語るエンジニアとしての自分自身の見つけ方〜発信して、つながって、世界を広げていく〜
maimyyym
1
190
OPENLOGI Company Profile for engineer
hr01
1
20k
2025/3/1 公共交通オープンデータデイ2025
morohoshi
0
100
Two Blades, One Journey: Engineering While Managing
ohbarye
4
2.3k
手を動かしてレベルアップしよう!
maruto
0
240
30→150人のエンジニア組織拡大に伴うアジャイル文化を醸成する役割と取り組みの変化
nagata03
0
200
自分だけの仮想クラスタを高速かつ効率的に作る kubefork
donkomura
0
110
JAWS DAYS 2025 アーキテクチャ道場 事前説明会 / JAWS DAYS 2025 briefing document
naospon
0
2.6k

Featured

See All Featured
How GitHub (no longer) Works
holman
314
140k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
11
1.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
Thoughts on Productivity
jonyablonski
69
4.5k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
How to Think Like a Performance Engineer
csswizardry
22
1.4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Rails Girls Zürich Keynote
gr2m
94
13k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k

Transcript

  1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

  2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None

  16. a handmade PE simple.exe a first real example working minimal

  17. None
  18. None
  19. None

  20. detailed walkthrough

  21. None

  22. DOS header unused in PE mode

  23. None

  24. PE header PE signature

  25. None

  26. Optional Header NOT optional in executables

  27. None

  28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
  29. None

  30. Sections memory mapping

  31. None
  32. None

  33. Imports standard loader mechanism NOT required load DLL, locate APIs

  34. None

  35. compiled PE compiled.exe closer to reality extra non-critical structure

  36. None
  37. None
  38. None

  39. DLL exports relocations

  40. None
  41. None

  42. driver subsystem, checksum low alignments mapping different imports

  43. None

  44. resources structure version, manifest/icon, APIs

  45. None
  46. None

  47. Thread Local Storage callback list before EntryPoint & after ExitProcess

  48. None

  49. .Net different and integrated binary 2nd loader

  50. None

  51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

  52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

  53. trivial

  54. None
  55. None
  56. None
  57. None
  58. None