[workshop] Exploring the Portable Executable format

Transcript

1. Exploring the Portable Executable format London, England Ange Albertini 2013/09/13

2. Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider

3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None
15. None

16. a handmade PE simple.exe a first real example working minimal

17. None
18. None
19. None

20. detailed walkthrough

21. None

22. DOS header unused in PE mode

23. None

24. PE header PE signature

25. None

26. Optional Header NOT optional in executables

27. None

28. DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each

    entry interpreted differently
29. None

30. Sections memory mapping

31. None
32. None

33. Imports standard loader mechanism NOT required load DLL, locate APIs

34. None

35. compiled PE compiled.exe closer to reality extra non-critical structure

36. None
37. None
38. None

39. DLL exports relocations

40. None
41. None

42. driver subsystem, checksum low alignments mapping different imports

43. None

44. resources structure version, manifest/icon, APIs

45. None
46. None

47. Thread Local Storage callback list before EntryPoint & after ExitProcess

48. None

49. .Net different and integrated binary 2nd loader

50. None

51. what about 64b? very few changes • 2 magic constants

    • a few elements become QWord ◦ ImageBase, Imports thunks, callbacks • Exceptions have their own DataDirectory ◦ no need for LoadConfig (SafeSEH)

52. and ARM • a different magic constant • still 16b

    DOS Stub ! • nothing special, PE wise ◦ the beauty of ‘Portability’

53. trivial

54. None
55. None
56. None
57. None
58. None