Portable Executable file: PE file
Windows' executable file format is called the Portable Executable (PE) format. The PE file
format applies not only to executable (.exe) files but also to DLLs and kernel-mode
drivers.
A PE file is also called a module, where a module means a single executable file
that is part of a program.
A PE file consists of five main parts:
MS-DOS Header
MS-DOS Stub
PE Header
DATA Directory
Section Table
MS-DOS Header:
Every PE file starts with the MS-DOS header, which contains a pointer to the PE
header.
MS-DOS Stub: this section is provided for legacy reasons. It informs the user that the
file cannot be run in DOS mode when the user attempts to run it from a DOS command prompt.
PE Header: contains the information needed to run the executable, such as the base address of
the PE file, the address of the entry point, and the number of sections in the section table.
PE File Sections: the sections mapped by the Windows loader.
.text (also named .code): stores the main code of the PE file
.rdata: contains read-only data such as string literals, the debug directory, etc.
.data: stores all static data and initialized global variables
.reloc: stores the details for relocating the image while loading
.bss: contains all uninitialized global variables
Entry point:
The entry point is the address of the first instruction to be executed when the module is
loaded. The PE header stores it as the RVA of the entry point within the executable.
OEP: Original Entry Point
When a program is protected, the EP is hidden and replaced by the protector's entry point. The
program's own entry point is called the original entry point.
A JMP or CALL to EAX may indicate the OEP, possibly preceded by POPA or POPAD; this is
where the original program actually starts executing.
Tricky jumps: SEH, RET, CALL
To get to the correct OEP, try breaking on the unpacker's calls to LoadLibraryA() or
GetProcAddress().
Import Table:
When the system loads the executable file, it uses the information in the import table
to load all DLL files needed by the current executable and to resolve their functions.
It locates the address of each exported function through the IAT.
The import table contains a list of all functions the current executable imports, grouped under
each module (DLL) name.
IAT: Import Address Table
Every PE file has a list of functions that are not originally part of that PE. These functions
are called imports and are located in OS DLLs (Dynamic Link Libraries); since the PE
does not know where they are located, every Win32 executable has an IAT inside the PE.
Export table:
The Export Table contains the name and RVA of every exported function.
Run-time linking: the executable loads the DLL files and then imports the required functions manually
at run time.
No import table is provided.
The executable imports the right function by loading the DLL file first,
using the Win32 API LoadLibrary() / LoadLibraryEx(), followed by the Win32 API
GetProcAddress().
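The import-table walk described above (import table, IAT, and the run-time-linking case), as an added example that is not part of the original notes. It parses the IMAGE_IMPORT_DESCRIPTOR list, follows the INT/IAT thunks to IMAGE_IMPORT_BY_NAME entries, and then applies the check a defender draws from the run-time-linking notes: when the only static imports are LoadLibraryA and GetProcAddress, the binary resolves everything else itself at run time, which is also the shape an unpacker stub leaves behind. The import directory is constructed by hand in a fake section at RVA 0x3000 (constructed data, not a real binary); the DLL names, the helper names, and the ordinal value 120 are arbitrary choices for the demo.

```python
"""Walk a PE32 import directory: IMAGE_IMPORT_DESCRIPTOR -> INT/IAT thunks ->
IMAGE_IMPORT_BY_NAME, the way the loader resolves imports, then apply the
check that follows from run-time linking: a binary whose static imports are
only LoadLibraryA/GetProcAddress resolves everything else itself at run time.

Added example, not code from the original notes. The import directory is
constructed by hand inside one fake section mapped at RVA 0x3000 (constructed
data, not a real binary); the DLL names and the ordinal value are arbitrary."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit of a PE32 thunk: import by ordinal, not by name


def rva_to_offset(sections, rva):
    """sections: (virtual_address, size, pointer_to_raw_data) triples, assumed already parsed."""
    for vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def read_cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data, sections, import_dir_rva):
    """Return {dll_name: [function name or 'ordinal#N', ...]} from the import directory."""
    imports = {}
    off = rva_to_offset(sections, import_dir_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if int_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                                   # all-zero descriptor ends the list
        dll = read_cstr(data, rva_to_offset(sections, name_rva))
        # Read names from the INT (OriginalFirstThunk); fall back to the IAT when a linker left it out.
        thunk_off = rva_to_offset(sections, int_rva or iat_rva)
        funcs = []
        while True:
            thunk = struct.unpack_from("<I", data, thunk_off)[0]
            if thunk == 0:
                break                               # null thunk ends this DLL's list
            if thunk & IMAGE_ORDINAL_FLAG32:
                funcs.append(f"ordinal#{thunk & 0xFFFF}")
            else:                                   # IMAGE_IMPORT_BY_NAME: WORD hint, then the name
                funcs.append(read_cstr(data, rva_to_offset(sections, thunk) + 2))
            thunk_off += 4
        imports[dll] = funcs
        off += 20
    return imports


def looks_runtime_linked(imports):
    """True when the only static imports are the two APIs needed to resolve the rest at run time."""
    names = {f.lower() for funcs in imports.values() for f in funcs}
    return bool(names) and names <= {"loadlibrarya", "getprocaddress"}


def build_sample_idata():
    """Constructed import directory in a 256-byte section at RVA 0x3000 (demo data)."""
    base = 0x3000
    blob = bytearray(0x100)

    def put(off, b):
        blob[off:off + len(b)] = b

    put(0x40, b"KERNEL32.dll\0")
    put(0x50, b"USER32.dll\0")
    put(0x60, struct.pack("<H", 0) + b"LoadLibraryA\0")      # hint + name entries
    put(0x70, struct.pack("<H", 0) + b"GetProcAddress\0")
    put(0x90, struct.pack("<H", 0) + b"MessageBoxA\0")
    k32 = struct.pack("<III", base + 0x60, base + 0x70, 0)
    u32 = struct.pack("<III", base + 0x90, IMAGE_ORDINAL_FLAG32 | 120, 0)   # one by name, one by ordinal
    put(0xA0, k32)   # INT for KERNEL32.dll
    put(0xB0, k32)   # IAT for KERNEL32.dll: identical on disk, the loader patches it with addresses
    put(0xC0, u32)   # INT for USER32.dll
    put(0xD0, u32)   # IAT for USER32.dll
    put(0x00, struct.pack("<IIIII", base + 0xA0, 0, 0, base + 0x40, base + 0xB0)
            + struct.pack("<IIIII", base + 0xC0, 0, 0, base + 0x50, base + 0xD0)
            + bytes(20))                     # terminating null descriptor
    return bytes(blob), [(base, len(blob), 0)], base


if __name__ == "__main__":
    data, sections, import_dir_rva = build_sample_idata()
    imports = parse_imports(data, sections, import_dir_rva)
    for dll, funcs in imports.items():
        print(f"{dll}: {', '.join(funcs)}")
    print("runtime-linked shape:", looks_runtime_linked(imports))
    print("kernel32-only shape:", looks_runtime_linked({"KERNEL32.dll": imports["KERNEL32.dll"]}))
```

The INT and IAT hold the same name RVAs on disk; after loading, the IAT holds the resolved function addresses while the INT still names them, which is why the walker prefers the INT. On a real file the section triples would come from the section table and the import directory RVA from the data directory in the optional header.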
In the PE file, the magic field of the DOS header contains the values 4Dh, 5Ah (the letters
"MZ"), which signify a valid DOS header.
A PE header begins with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by
two terminating zeroes), i.e. the PE signature sits at the start of the PE header.
Terminology:
Pointer to Raw Data: offset of the section data within the executable file.
Size of Raw Data: amount of section data within the executable file.
RVA (Relative Virtual Address): memory offset from the beginning of the executable.
Virtual Address (VA): absolute memory address (RVA + Base). The PE header fields named Virtual Address actually contain RVAs.
Virtual Size: amount of section data in memory.
Base Address: offset in memory at which the executable module is loaded.
Image Base: base address requested in the PE header of a module.
Module: a PE-formatted file loaded into memory, typically an EXE or DLL.
Pointer: a memory address.
Import table: DLL functions required for use by an executable module.
Export table: functions provided by a DLL which may be imported by another module.
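The header walk these notes describe (MZ magic and e_lfanew in the DOS header, the PE signature, the PE header's entry point and image base, the section table) together with the terms just listed (RVA, VA = RVA + base, Pointer to Raw Data, Size of Raw Data, Virtual Size), as an added example that is not part of the original notes. The PE32 image it parses is constructed inline as a non-runnable stand-in (constructed data, not a real binary); every field value in build_sample_pe(), the section layout and the helper names are assumptions made for the demo.

```python
"""Walk the PE headers the notes describe: DOS header -> PE signature -> COFF and
optional header -> section table, then map an RVA to a file offset.

Added example, not code from the original notes. The PE32 image it parses is
constructed inline (a non-runnable stand-in, not a real binary) so the script
runs offline; all field values in build_sample_pe() are made up for the demo."""
import struct

DOS_MAGIC = b"MZ"          # 4Dh 5Ah at file offset 0
PE_SIGNATURE = b"PE\0\0"   # 50h 45h 00h 00h at the offset held in e_lfanew
PE32_MAGIC = 0x10B         # optional-header Magic of a 32-bit image


def parse_pe(data: bytes) -> dict:
    """Return the header fields the notes care about, or raise ValueError if the
    MZ / PE signatures are missing."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("no MZ signature: not a DOS/PE file")
    # e_lfanew (DWORD at 0x3C of the DOS header) is the file offset of the PE header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE\\0\\0 signature at e_lfanew")

    # COFF file header (20 bytes) directly follows the signature
    coff_off = e_lfanew + 4
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)

    # Optional header: Magic at +0, AddressOfEntryPoint at +16, ImageBase at +28 (PE32 layout)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (Magic 0x10B) is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]

    # Section table: NumberOfSections IMAGE_SECTION_HEADERs (40 bytes each) after the optional header
    sections = []
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,          # amount of section data in memory
            "virtual_address": vaddr,       # RVA at which the section is mapped
            "size_of_raw_data": rawsize,    # amount of section data in the file
            "pointer_to_raw_data": rawptr,  # file offset of that data
        })
    return {"e_lfanew": e_lfanew, "machine": machine, "number_of_sections": num_sections,
            "entry_point_rva": entry_rva, "image_base": image_base,
            "entry_point_va": image_base + entry_rva,   # VA = RVA + base
            "sections": sections}


def rva_to_file_offset(pe: dict, rva: int) -> int:
    """Translate an RVA to a file offset through the section that contains it."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["size_of_raw_data"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["pointer_to_raw_data"]
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def build_sample_pe() -> bytes:
    """Construct a tiny PE32 image with a .text and a .data section (constructed demo data)."""
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(e_lfanew - 64, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    # Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<HBBIIIIIII", opt, 0, PE32_MAGIC, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000)

    def section(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + stub + PE_SIGNATURE + coff + bytes(opt)
               + section(b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)    # code: execute | read
               + section(b".data", 0x10, 0x2000, 0x200, 0x400, 0xC0000040))   # initialized data: read | write
    text = (b"\xcc" * 0x10).ljust(0x200, b"\0")      # int3 filler stands in for code
    data = b"hello\0".ljust(0x200, b"\0")
    return headers.ljust(0x200, b"\0") + text + data


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"e_lfanew={pe['e_lfanew']:#x} sections={pe['number_of_sections']} "
          f"EP RVA={pe['entry_point_rva']:#x} EP VA={pe['entry_point_va']:#x}")
    for s in pe["sections"]:
        print(f"  {s['name']:<6} VA={s['virtual_address']:#x} VSize={s['virtual_size']:#x} "
              f"raw {s['pointer_to_raw_data']:#x}+{s['size_of_raw_data']:#x}")
    print(f"entry point is at file offset {rva_to_file_offset(pe, pe['entry_point_rva']):#x}")
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the RVA-to-offset step is the one that lets an analyst find on disk the bytes the loader will place at the entry point, which is where a protected binary's packer stub, rather than the OEP, will be found.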