Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[workshop] Exploring the Portable Executable fo...

Ange Albertini
September 13, 2013
Technology
0
440

[workshop] Exploring the Portable Executable format

44Con 2013
London, England

Ange Albertini

September 13, 2013
Tweet

More Decks by Ange Albertini

See All by Ange Albertini
Overview of file type identifiers
ange
0
870
A question of time
ange
0
990
SBuD: InfoVis in InfoSec
ange
1
800
Generating Weird Files
ange
0
260
Technical challenges with file formats
ange
1
2.1k
Inside out - abusing archive file formats
ange
3
1.8k
Relations between archive formats
ange
0
1.9k
Beyond your studies v2
ange
2
920
Generating weird files
ange
0
3.5k

Other Decks in Technology

See All in Technology
社内イベント管理システムを1週間でAKSからACAに移行した話し
shingo_kawahara
0
200
能動的ドメイン名ライフサイクル管理のすゝめ / Practice on Active Domain Name Lifecycle Management
nttcom
0
250
podman_update_2024-12
orimanabu
1
290
なぜCodeceptJSを選んだか
goataka
0
180
生成AIのガバナンスの全体像と現実解
fnifni
1
210
開発生産性向上! 育成を「改善」と捉えるエンジニア育成戦略
shoota
2
470
組み込みアプリパフォーマンス格闘記 検索画面編
wataruhigasi
1
150
Google Cloud で始める Cloud Run 〜AWSとの比較と実例デモで解説〜
risatube
PRO
0
120
オプトインカメラ:UWB測位を応用したオプトイン型のカメラ計測
matthewlujp
0
210
WACATE2024冬セッション資料(ユーザビリティ)
scarletplover
0
330
AWS re:Invent 2024 ふりかえり勉強会
yhana
0
480
[Oracle TechNight#85] Oracle Autonomous Databaseを使ったAI活用入門
oracle4engineer
PRO
1
140

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
427
64k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k
Become a Pro
speakerdeck
PRO
26
5k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
How to Ace a Technical Interview
jacobian
276
23k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
It's Worth the Effort
3n
183
28k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.3k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
GraphQLとの向き合い方2022年版
quramy
44
13k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k

Transcript

  1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

  2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None

  16. a handmade PE simple.exe a first real example working minimal

  17. None
  18. None
  19. None

  20. detailed walkthrough

  21. None

  22. DOS header unused in PE mode

  23. None

  24. PE header PE signature

  25. None

  26. Optional Header NOT optional in executables

  27. None

  28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
  29. None

  30. Sections memory mapping

  31. None
  32. None

  33. Imports standard loader mechanism NOT required load DLL, locate APIs

  34. None

  35. compiled PE compiled.exe closer to reality extra non-critical structure

  36. None
  37. None
  38. None

  39. DLL exports relocations

  40. None
  41. None

  42. driver subsystem, checksum low alignments mapping different imports

  43. None

  44. resources structure version, manifest/icon, APIs

  45. None
  46. None

  47. Thread Local Storage callback list before EntryPoint & after ExitProcess

  48. None

  49. .Net different and integrated binary 2nd loader

  50. None

  51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

  52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

  53. trivial

  54. None
  55. None
  56. None
  57. None
  58. None