PE (Portable Executable format)

Table of Contents

PE (Portable Executable format)
- tags: Security PWN ReverseEngineering
Reference
Softwares
knowledge

tags: `Security` `PWN` `ReverseEngineering`

Reference

NTU-Computer-Security-2019-Fall

Softwares

PEview

讀 32-bit PE / COFF file 的結構和內容

PE-bear
CFF Explorer

knowledge

Special Sections

.text: Code
.data: Initialized data
.bss: Uninitialized data
.rdata: Const/read-only (and initialized) data
.edata: Export descriptors
.idata: Import descriptors
.reloc: Relocation table (for code instructions with absolute addressing when the module could not be loaded at its preferred base address)
.rsrc: Resources (icon, bitmap, dialog, …)
.tls: __declspec(thread) data (Fails with dynamically loaded DLLs -> hard to find bugs)

COFF file

IMAGE_FILE_HEADER 後會接著一連串的 IMAGE_SECTION_HEADER

IMAGE_FILE_HEADER

IMAGE_FILE_HEADER 會標明 section 的數量

IMAGE_SECTION_HEADER

PE file

Optional Header

Win32 Process

PEB/TEB(TIB)

最大的用處在於儲存關於 process 本身的資訊，讓 process 可以不呼叫 Win32 API

Structured Exception Handling

SEH is a feature to support try{} catch (...) {}
Vectored exception handling is an extension to structured exception handling
需要在 visual studio 啟用設定