In this post, I will be talking about The Portable Executable File Format. For reversing our next target we must be familiar with PE file format.
PE File Format :
The PE file format is a data structure, a file format for executable files for Windows OS(32 bits and 64 bits). It contains all the necessary information required by the OS loader to manage the wrapped exe file.
Basic Structure of PE :
The PE file structure is organized as linear stream of data. The table below explains it in a better way.
The table above is the basic structure of a PE file, every file starts with a DOS header followed by DOS Stub, then by PE Header, and then the rest. Each section needs a little explanation so that we can understand the need of this topic in RE. So let us start.
DOS Header(MZ Header) :
- In any PE file, the initial 64 bits are occupied by the DOS Header. This is also known as the MZ header after the name of Mark Zibolosky( one of the developers of DOS ). Also the first two bytes in each file are 4D and 5A respectively( which when converted to ASCII converts to MZ ).
- The function of the DOS Header is to check if the environment is suitable for the application or not(that is if the application can run on the OS or not) and run the DOS Stub.
- The last four bytes of the DOS Header is a PE Header pointer which points to the PE Header.For example, let us say the last four bytes are "00 00 01 00" then the address at which the PE header must start is "00 00 10 00 + the base address". The address is inverted here because it is going to be stored in reverse order in the stack.
- Followed by these four bytes is the DOS Stub.
DOS Stub :
- When we are developing an application in windows the linker(windows linker) automatically adds a default stub program to the application, this stub program is the DOS Stub and the Stub can also be overridden by substituting it with a different but valid DOS program.
- The Stub is placed just after the DOS Header.
- This default stub program is known as "winstub.exe".
- The stub contains the statement like "This application is not supported on this version of Windows" which are displayed depending upon the DOS Header.
The PE Header :
- The PE Header contains important information(like physical and logical structures of the code) which is used by the loader.
- This header is a general name for IMAGE_NT_HEADERS structure.
- The header has three members and these are Signature, File Header, and Optional Header.
- All of the three members store different information. As the name suggests the signature is the signature of PE File, is of 4 Bytes( DWORD ), and has values 50 45 00 00 stored in the respective 4 bytes.
- The File Header stores the information about the physical layout of the PE file, like the number of sections present in the file.
- The Optional Header contains the information about the logical layout of the PE file. For example address of entry point( AddOfEntryPoint ).
We need to learn more about he Optional header for understanding the relation of PE files with RE.
So let us first see these
Address Of Entry Point : It stores the RVA of the first instruction that sis going to be executed when the file is run. From a Reverser's point of view, if changes are to made in the flow of the execution, this is the place where changes have to made.
Data Directory : This is the final section of Optional Header, it occupies 128 Bytes of space. This is because this is an array which relates to the important data structures in PE file.
Section Table :
- It is an array, this array also contains information about each PE File Section present in hte PE file.
- For each section in PE file, there will be an entry in the Section Table.
PE File Section :
- These are those areas of the PE file where all the data is present.
- This contains the codes, data, resources and other stuff.
- Each section has a header and a body, the body though does not have a fixed structure.
An application typically has 9 sections, the table below explains the 9 sections.
It is not necessary that every application will have 9 section but it is compulsory to have at least two section.
This is all for this post, In the next post we will be focusing on the PE header and the use of Olly to reverse our target app.
2 comments
Very informational and eye-opening. Thanks
ReplyAs we know there are many companies which are converting into Google Cloud Big Data Services with the right direction we can definitely predict the future.
ReplyPost a Comment