content/posts/insideapefile.md
Lines changed: 7 additions & 7 deletions
@@ -40,7 +40,7 @@ Based on the forementioned information, we can state the following computation e
40
40
## PE structure
41
41
The structure which presents the fields and parts that a PE file contains can be seen in the following simplified picture:
42
42
43
-

43
+

44
44
45
45
Every one of these parts is called header, and each header is defined by a structure which holds relevant information about the PE file.
46
46
Let's start breaking down each of these headers to get an idea of what they contain and what relation they have to each other.
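Review bot: the `-`/`+` pair at line 43 renders as two empty lines here, so the replaced image reference (the "simplified picture" that line 41 points the reader to) cannot be checked; please confirm that the new asset path resolves and that the old asset is deleted if nothing else references it. Minor wording in the unchanged context at line 45: "Every one of these parts is called header" should read "Each of these parts is called a header".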
@@ -76,12 +76,12 @@ A few examples of how the DOS Header can be utilized is:
76
76
77
77
We can view the DOS header struct of mspaint.exe by opening it in CFF Explorer:
78
78
79
-

79
+

80
80
81
81
We can verify our claims about the e_magic being 0x5A4D and e_lfanew being at offset 0x3C.
82
82
Also, we can see that the e_lfanew is a raw address to NT Header, as the PE[e_lfanew] = PE[0x3C] = 0xFB. If we view the offset of the NT Header at CFF explorer, we will evaluate this claim:
83
83
84
-

84
+

85
85
86
86
### DOS Stub
87
87
Before proceeding to the NT Header, let's first talk about DOS Stub. This stub is next to the DOS header and is not really relevant. It contains the popular message "This program cannot be run in DOS mode" which has remained over the years. The string can of course be modified at compile time. To clarify, this is not a header, but just a part of a PE file containing the prementioned string.
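Review bot: the notation at line 82, `PE[e_lfanew] = PE[0x3C] = 0xFB`, conflates the field with its value: e_lfanew is the DWORD stored at file offset 0x3C, and the value read there is the file offset of IMAGE_NT_HEADERS, so `PE[0x3C]` is the read of e_lfanew itself, not a lookup indexed by it. Suggest "the DWORD at offset 0x3C (e_lfanew) is 0xFB, the file offset of the NT headers". In the same sentence, "raw address" is better stated as a file offset (as opposed to an RVA), and "we will evaluate this claim" should be "we can verify this". In the DOS stub paragraph at line 87, the stub is supplied at link time, not compile time (the MSVC linker takes it via /STUB). The swapped image at line 84 again renders empty in this view and cannot be verified.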
@@ -137,7 +137,7 @@ The most important members of this struct are:
137
137
- SizeOfOptionalHeader: This contains the size of the OptionalHeader.
138
138
139
139
We can view the Characteristics of our PE by clicking on the corresponding field inside CFF Explorer:
140
-

140
+

141
141
142
142
### OptionalHeader
143
143
This header is very important for the execution of a PE file. The word 'Optional' might be misleading. It is named that way because some files (specifically, object files) do not have it.
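Review bot: the SizeOfOptionalHeader bullet at line 137 should say what the field is for: a parser finds the first IMAGE_SECTION_HEADER at the start of the optional header plus SizeOfOptionalHeader (this is what winnt.h's IMAGE_FIRST_SECTION macro computes), and it must use this field rather than sizeof(IMAGE_OPTIONAL_HEADER), since the two need not agree. Suggest: "- SizeOfOptionalHeader: the size of the OptionalHeader in bytes; the section headers begin this many bytes after its start." The image replaced at line 140 renders empty here, so the new path cannot be checked.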
@@ -191,7 +191,7 @@ The optional header contains a ton of information that can be used. Below are so
191
191
192
192
We can again view the mentioned fields with the help of CFF Explorer:
193
193
194
-

194
+

195
195
196
196
Having loaded the NT Header, we can parse the Optional Header and get some information regarding the PE. Some examples are:
197
197
```c
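Review bot: the hunk ends at the opening ```c fence on line 197, so the C that "parses the Optional Header" is outside this view and cannot be reviewed together with the prose that introduces it; if that block is touched, it should select IMAGE_OPTIONAL_HEADER32 versus IMAGE_OPTIONAL_HEADER64 from OptionalHeader.Magic (0x10b or 0x20b) rather than assume one layout, since fields such as ImageBase and SizeOfStackReserve differ in width between the two. The replaced image at line 194 renders empty here as in the other hunks.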
@@ -232,7 +232,7 @@ A specific data directory can be accessed using its index in the array:
232
232
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
233
233
```
234
234
And through CFF Explorer:
235
-

235
+

236
236
237
237
We could also view this inside the winnt.h header file inside a visual studio project.
238
238
The following two sections will mention two of the most important data directories, the Export Directory and Import Address Table.
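Review bot: line 238 names the "Import Address Table" as one of the two data directories to be covered, but the define list that ends at line 232 contains both IMAGE_DIRECTORY_ENTRY_IMPORT (index 1, the directory of IMAGE_IMPORT_DESCRIPTOR entries) and IMAGE_DIRECTORY_ENTRY_IAT (index 12, the table the loader patches with resolved addresses); say which one the next section walks, e.g. "the Export Directory and the Import Directory". Line 237 should read "in the winnt.h header file, inside a Visual Studio project". The image at line 235 is not verifiable in this view.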
@@ -256,7 +256,7 @@ The following are the most important PE sections and are present in nearly every
256
256
257
257
Each PE section has an associated IMAGE_SECTION_HEADER data structure that provides essential information about that section. These structures are stored beneath the NT headers in a PE file and are arranged sequentially, with each structure representing a different section:
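Review bot: only the leading context lines of the @@ -256,7 +256,7 @@ hunk are shown here, so the changed line is missing from this view and the hunk cannot be reviewed as rendered; please check it in the full diff. On the visible line 257, "stored beneath the NT headers" should be "stored immediately after the NT headers" (at the optional header's start plus FileHeader.SizeOfOptionalHeader), and the sentence should state that the number of entries is FileHeader.NumberOfSections, since that is the bound a parser iterates over.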