Exploring the Portable Executable format

Posted on 15-Jan-2015


a 44CON 2013 workshop

Transcript:

Exploring the Portable Executable format

London, England. Ange Albertini, 2013/09/13

Workshop package (PoCs+docs)

http://www.xchg.info/corkami/workshop.zip

Recommended PE viewer: http://icerbero.com/peinsider

a handmade PE: simple.exe

a first real example: working, minimal

detailed walkthrough

DOS header: unused in PE mode

PE header: PE signature

Optional Header: NOT optional in executables

DataDirectories: end of Optional Header; 16 (max) * [RVA, Size]

each entry interpreted differently

Sections: memory mapping

Imports: standard loader mechanism

NOT required; load DLL, locate APIs

compiled PE: compiled.exe, closer to reality

extra non-critical structure

DLL: exports

relocations

driver: subsystem, checksum

low alignments: mapping, different imports

resources: structure

version, manifest/icon, APIs

Thread Local Storage: callback list

before EntryPoint & after ExitProcess

.Net: different and integrated binary

2nd loader

what about 64b?

very few changes

● 2 magic constants

● a few elements become QWord

  ○ ImageBase, Imports thunks, callbacks

● Exceptions have their own DataDirectory

  ○ no need for LoadConfig (SafeSEH)

and ARM

● a different magic constant

● still 16b DOS Stub !

● nothing special, PE wise

  ○ the beauty of ‘Portability’
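To make the walkthrough slides concrete (DOS header, PE signature, Optional Header, DataDirectories, sections, imports) together with the 64-bit and ARM slides (the two magic constants, ImageBase and import thunks widening to QWord, the machine field), here is an added Python example that is not part of the workshop package or of Ange Albertini's slides. It parses a PE in the walkthrough's order and, so that it runs offline, constructs its own minimal sample in both PE32 and PE32+ flavours importing kernel32!ExitProcess. The machine and magic constants come from the PE/COFF specification; everything about the sample (section layout, RVAs, image bases, flags) is a constructed assumption and is not the workshop's simple.exe.

```python
import struct

# Constants from the PE/COFF specification: the "magic" values the slides refer to.
MACHINE_NAMES = {0x14c: "I386", 0x1c4: "ARMNT", 0x8664: "AMD64", 0xaa64: "ARM64"}
PE32, PE32PLUS = 0x10b, 0x20b
DIR_NAMES = ["export", "import", "resource", "exception", "security", "basereloc", "debug", "architecture",
             "globalptr", "tls", "loadconfig", "boundimport", "iat", "delayimport", "clr", "reserved"]

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (the memory mapping the slides describe)."""
    for _, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_imports(data, sections, import_rva, thunk_fmt):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list; thunks are DWORDs in PE32 and QWORDs in PE32+."""
    width, imports = struct.calcsize(thunk_fmt), {}
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, rva_to_offset(sections, import_rva))
        if not (oft or name_rva or ft):  # an all-zero descriptor terminates the list
            break
        names, thunk_rva = [], oft or ft  # minimal PEs omit the lookup table; the loader then walks FirstThunk
        while (thunk := struct.unpack_from(thunk_fmt, data, rva_to_offset(sections, thunk_rva))[0]) != 0:
            # top bit set: import by ordinal; otherwise an RVA to Hint (2 bytes) followed by the API name
            names.append("#%d" % (thunk & 0xffff) if thunk >> (8 * width - 1) else
                         cstring(data, rva_to_offset(sections, thunk) + 2))
            thunk_rva += width
        imports[cstring(data, rva_to_offset(sections, name_rva))] = names
        import_rva += 20
    return imports

def parse_pe(data):
    """Walkthrough order: DOS header -> PE signature -> File/Optional Header -> DataDirectories -> sections -> imports."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3c)  # the only DOS-header field used in PE mode
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    magic, = struct.unpack_from("<H", data, oh)
    if magic == PE32:  # ImageBase is a DWORD that follows BaseOfData
        image_base, = struct.unpack_from("<I", data, oh + 28)
        ndirs_off, thunk_fmt = oh + 92, "<I"
    elif magic == PE32PLUS:  # no BaseOfData; ImageBase and the stack/heap sizes are QWORDs, shifting later fields by 16
        image_base, = struct.unpack_from("<Q", data, oh + 24)
        ndirs_off, thunk_fmt = oh + 108, "<Q"
    else:
        raise ValueError("unknown Optional Header magic %#x" % magic)
    entry, = struct.unpack_from("<I", data, oh + 16)
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    directories = {}
    for i in range(min(ndirs, 16)):  # each [RVA, Size] pair is interpreted by its index; never more than 16
        rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i)
        if rva or size:
            directories[DIR_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsec):  # the section table starts right after the Optional Header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, oh + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, va, rawsize, rawptr))
    imports = parse_imports(data, sections, directories["import"][0], thunk_fmt) if "import" in directories else {}
    return {"machine": MACHINE_NAMES.get(machine, "%#x" % machine), "magic": "PE32+" if magic == PE32PLUS else "PE32",
            "image_base": image_base, "entry_point": entry, "directories": directories, "sections": sections, "imports": imports}

def build_minimal_pe(pe32plus):
    """Constructed sample (not the workshop's simple.exe): one .text section importing kernel32!ExitProcess."""
    w, opt_size = (8, 240) if pe32plus else (4, 224)
    sec = bytearray(0x200)  # mapped at RVA 0x1000, stored at file offset 0x200; entry-point bytes left as zero padding
    struct.pack_into("<IIIII", sec, 0x10, 0, 0, 0, 0x1070, 0x1040)  # descriptor: OFT=0, stamp, chain, Name, FirstThunk
    struct.pack_into("<Q" if pe32plus else "<I", sec, 0x40, 0x1060)  # one thunk -> hint/name entry, then a zero thunk
    sec[0x60:0x6e] = b"\0\0ExitProcess\0"  # Hint + API name
    sec[0x70:0x7d] = b"kernel32.dll\0"
    hdr = bytearray(0x200)  # DOS header + PE headers, padded to SizeOfHeaders
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3c, 0x40)  # e_lfanew points at the PE signature
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664 if pe32plus else 0x14c, 1, 0, 0, 0, opt_size, 0x22 if pe32plus else 0x102)
    oh = 0x58
    struct.pack_into("<HBBIII", hdr, oh, PE32PLUS if pe32plus else PE32, 0, 0, 0x200, 0, 0)  # Magic, linker version, code sizes
    struct.pack_into("<II", hdr, oh + 16, 0x1000, 0x1000)  # AddressOfEntryPoint, BaseOfCode
    if pe32plus:
        struct.pack_into("<Q", hdr, oh + 24, 0x140000000)  # ImageBase as a QWORD (BaseOfData is gone)
    else:
        struct.pack_into("<II", hdr, oh + 24, 0x1000, 0x400000)  # BaseOfData, ImageBase
    struct.pack_into("<II", hdr, oh + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<III", hdr, oh + 56, 0x2000, 0x200, 0)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<HH", hdr, oh + 68, 3, 0)  # Subsystem=CONSOLE, DllCharacteristics
    ndirs_off = oh + (108 if pe32plus else 92)  # the QWORD stack/heap fields push NumberOfRvaAndSizes down by 16
    struct.pack_into("<I", hdr, ndirs_off, 16)
    struct.pack_into("<II", hdr, ndirs_off + 4 + 8 * 1, 0x1010, 40)  # DataDirectory[1]: IMPORT
    struct.pack_into("<II", hdr, ndirs_off + 4 + 8 * 12, 0x1040, 2 * w)  # DataDirectory[12]: IAT
    struct.pack_into("<8sIIIIIIHHI", hdr, oh + opt_size, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr + sec)
```

Calling `parse_pe(build_minimal_pe(False))` and `parse_pe(build_minimal_pe(True))` shows the point of the 64-bit slide: the same parser handles both files, and the only branches are on the Optional Header magic, which decides where ImageBase and NumberOfRvaAndSizes sit and whether import thunks are read as DWORDs or QWORDs. Point `parse_pe` at the bytes of a real file to compare against a PE viewer; the sample deliberately uses FirstThunk alone, the shortcut minimal handmade PEs take, to show that the parser has to tolerate a zero OriginalFirstThunk.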

trivial