Portable Executable Format (PE)
33 files
-
PE Runtime Data Structures 1.0
By Teddy Rogers
This is a diagram of PE runtime data structures. I used OmniGraffle. I will post the OmniGraffle files when I get ahold of them again. They are on another computer.
I was inspired by Ero Carrera's [1] diagrams and Corkami [2]. I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from "Windows Internals 6" by Russinovich, Solomon, and Ionescu [3].
It is not finished, but I figured I should just upload it now instead of whenever I get around to finishing it. Hopefully I haven't made any mistakes. It will probably go through many iterations, maybe end up being interactive.
14 downloads
0 comments
Updated
-
Inserting A Splash Screen Into An Exe File
By Teddy Rogers
Welcome back! A lot of people asked me after they've read my article about inserting a message box at program start of an exe file if it's possible/how to add a splash screen to a PE. Well, yes it is possible! You can inject (theoretically) everything you want to an exe file, it just depends of your reverse engineering skills! (of your time and of your perseverance. Actually I thought about doing this, so my first step was to think about what is necessary. So let's just think about all the steps.
18 downloads
0 comments
Submitted
-
Overview of PE File Format
By Teddy Rogers
This is the complete rewrite of the old PE tutorial no1 which I considered the worst tutorial I have ever written. So I decided to replace it with this new one.
PE stands for Portable Executable. It's the native file format of Win32. Its specification is derived somewhat from the Unix Coff (common object file format). The meaning of "portable executable" is that the file format is universal across win32 platform: the PE loader of every win32 platform recognizes and uses this file format even when Windows is running on CPU platforms other than Intel. It doesn't mean your PE executables would be able to port to other CPU platforms without change. Every win32 executable (except VxDs and 16-bit Dlls) uses PE file format. Even NT's kernel mode drivers use PE file format. Thus studying the PE file format gives you valuable insights into the structure of Windows.
12 downloads
0 comments
Submitted
-
Parsing Malicious and Malformed Executables
By Teddy Rogers
A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PE's found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we've developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we've developed.
7 downloads
0 comments
Submitted
-
Overlays and Extra Data
By Teddy Rogers
An overlay (aka extra-data) is simply data appended to the physical image of a Portable Executable. Take a PE, append stuff to the end without adjusting the header, and it has an overlay. This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE.
12 downloads
0 comments
Submitted
-
Manually Adding A Section
By Teddy Rogers
Sometimes a new section is useful if there is not enough place to insert your code somewhere else in the PE. I know a lot of editors etc. are able to make this for you. But doing this by hand has one advantage: you learn very much about the PE file format, especially about sections.
15 downloads
0 comments
Submitted
-
New Approach of Hidden Data in the Portable Executable File
By Teddy Rogers
The rapid development of multimedia and internet allows for wide distribution of digital media data. It becomes much easier to edit, modify and duplicate digital information. In additional, digital document is also easy to copy and distribute, therefore it may face many threats. It became necessary to find an appropriate protection due to the significance, accuracy and sensitivity of the information. The strength of the hiding science is due to the non-existence of standard algorithms to be used in hiding secret messages. Also there is randomness in hiding methods such as combining several media (covers) with different methods to pass a secret message. Furthermore, there is no formal method to be followed to discover a hidden data. In this paper, a new information hiding system is presented. The aim of the proposed system is to hide information (data file) in an execution file (EXE) without change the size of execution file. The new proposed system is able to embed information in an execution file without change the size of execution file. Meanwhile, since the cover file might be used to identify hiding information, the proposed system considers overcoming this dilemma by using the execution file as a cover file.
2 downloads
0 comments
Submitted
-
Fixing DLL Relocations Using ReloX
By Teddy Rogers
Lately DMichael asked me how to resolve relocations. On the internet I found a tool called ReloX from the same author as ImpREC and I decided to make a brief paper with screenshots on how to do it
Tutorial archive contains:
2-paged PDF file with some screens A packed DLL for testing Small tool that loads a DLL with two different image bases5 downloads
0 comments
Submitted
-
How To Add Your Own Relocations
By Teddy Rogers
Today I show you an example of how to add own relocations into your file. Lets imagine you have any none protected file like a DLL / OCX / DRV or ASLR exe file which gets loaded dynamic (ASLR) and you want to patch this file with direct VA addresses to prevent creating much patch code + creating a dynamic patch. We want to create our own code part who looks same as usually and want working with VA addresses. So to get this also working with ALSR you need to add relocations for all your new VA addresses you have added in your patch code and now I show you how you can handle this manually. So I also have never seen any relocation tool where you can do this.
3 downloads
0 comments
Submitted
-
In-Depth Look into the Win32 Portable Executable File Format
By Teddy Rogers
A good understanding of the Portable Executable (PE) file format leads to a good understanding of the operating system. If you know what's in your DLLs and EXEs, you'll be a more knowledgeable programmer. This article, the first of a two-part series, looks at the changes to the PE format that have occurred over the last few years, along with an overview of the format itself.
After this update, the author discusses how the PE format fits into applications written for .NET, PE file sections, RVAs, the DataDirectory, and the importing of functions. An appendix includes lists of the relevant image header structures and their descriptions.
Note: I have updated the archive to include the second part of this paper and have included the PE32 file used for reference.
5 downloads
0 comments
Submitted
-
Crafting a Valid PE File
By Teddy Rogers
The PE file format described at its most basic is a wrapper with information for the windows loader, which envelops an executable image. This information allows the windows loader to place the executable image and its associated resources into memory so that execution can begin and resources can be correctly accessed. Using a description of the PE file layout it is possible to produce a valid PE file, which is accepted by the windows loader even wothout an executable image present. The best description of the PE layout available is the ARTeam PE Tutorial authored by Goppit. Using the information from this tutorial I decided to build a PE file from scratch in a Hex editor in order to better understand the structure of the file. It is definately best to follow this tutorial with a hex editor open and filled in as you go as well as a PE tutorial for full explanation of the sections.
7 downloads
0 comments
Submitted
-
ELF101 - A Linux Executable Walkthrough
By Teddy Rogers
This graphic is a walk through of a simple Linux executable that shows its dissected structure and explains how it's loaded by the operating system.
2 downloads
0 comments
Submitted
-
Code Injection - Inserting A MessageBox
By Teddy Rogers
Ok, here comes the tut about injecting code. We will insert a MessageBox at program start like a little "nagbox". We will use my little example program in the zip file so I can better explain what we do. Note: it's important that our target program import the MessageBoxA function! That makes sense cause without it we can't use it. In this case we have to import it by hand which I will discuss in another tutorial. So check with Wdasm, PEditor, my Import Table Viewer or any other tool that MessageBoxA function is imported.
5 downloads
0 comments
Submitted
-
Add Section and Import Function Manually
By Teddy Rogers
I will discuss how you add a section to your files and also how to import function from DLL and this process useful for us in unpacking process and put unpacking information in a new section and now we will add 100h (256 bytes) to the program and the information of section occupy 40 bytes.
4 downloads
0 comments
Submitted
-
Advanced PE Image Rebuilding
By Teddy Rogers
This article is targeted at programmer’s who have some knowledge of the PE File format (Microsoft’s Portable Executable format “EXE”) and want to become experts. Chances are you found this article through a search engine while trying to make your own PE builder.
7 downloads
0 comments
Submitted
-
Undocumented PECOFF 1.1
By Teddy Rogers
The Portable Executable (PE) format is a file format for executables, object code and DLLs. It is used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to format's versatility within numerous environments of operating system software architecture. The PE format is a data structure that encapsulates necessary information so that Windows OS loader can manage wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. The Extensible Firmware Interface (EFI) specification states that PE is the standard executable format in EFI environments.
PE is a modified version of the Unix COFF file format. PE/COFF is an alternative term in Windows development.
On Windows NT operating systems, PE currently supports the IA-32, IA-64, and x86-64 (AMD64/Intel64) instruction set architectures (ISAs). Prior to Windows 2000, Windows NT (and thus PE) supported the MIPS, Alpha, and PowerPC ISAs. Because PE is used on Windows CE, it continues to support several variants of the MIPS, ARM (including Thumb), and SuperH ISAs.
One constant challenge of modern security will always be the difference between published and implemented specifications. Evolving projects, by their very nature, open up a host of exploit areas and implementation ambiguities that cannot be fixed. As such, complex documentation such as that for PECOFF opens up a window of opportunity for misinterpretation and mistakes in parsing implementation.
This document will focus on all aspects of PE file format parsing that leads to undesired behaviour or prevents security and reverse engineering tools from inspecting malformed files due to incorrect parsing. Special attention will be given to differences between PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences it will describe the existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems.
Due to the nature of this document it is recommended that it's read in parallel with the official Microsoft PECOFF documentation.
7 downloads
0 comments
Submitted
-
Visualizations of the Portable Executable File Format
By Teddy Rogers
I finally found some time to find and share the full PDF versions of the PE format diagrams. I learned a lot about the PE format back when I made them. I really have to thank Ange Albertini for motivating me to share them!
These visualizations were originally intended as posters that I put up in Cafepress, thanks to everybody that bought them!! Slightly older versions were hosted in OpenRCE.
For those who might be interested, I used the great OmniGraffle to create these diagrams.
4 downloads
0 comments
Submitted
-
Win32 Resource File
By Teddy Rogers
This document details the structure of the resource binary file (.RES) format for Win32 platforms (W95 and WNT). The structure is very similar to the existing Win16 (W3/W3.1/3.11) structure, but it supports some new data types and data structures. One important enhancement is the DWORD/WORD alignment of structures/fields which increases performance of new 32 bit microprocessors but makes resource reading/writing a bit more complex (structures are of dynamic size). The order of the fields of resource data structures is not changed due to alignment, but some padding is required between fields.
The Win32 resource file contains one or more binary resources merged in a single file and aligned on DWORD boundaries. Each resource has its own header structure followed by resource data. Immediately after the resource data comes the header for the next resource followed by resource data, and so on.
1 download
0 comments
Submitted
-
The Portable Executable File Format
By Teddy Rogers
This chapter gives you a comprehensive picture of the Portable Executable file format for Windows NT. The PE format is portable across all Microsoft 32-bit operating systems.
MICROSOFT INTRODUCED A NEW executable file format with Windows NT. This format is called the Portable Executable (PE) format because it is supposed to be portable across all 32-bit operating systems by Microsoft. The same PE format executable can be executed on any version of Windows NT, Windows 95, and Win32s. Also, the same format is used for executables for Windows NT running on processors other than Intel x86, such as MIPS, Alpha, and Power PC. The 32-bit DLLs and Windows NT device drivers also follow the same PE format.
It is helpful to understand the PE file format because PE files are almost identical on disk and in RAM. Learning about the PE format is also helpful for understanding many operating system concepts. For example, how operating system loader works to support dynamic linking of DLL functions, the data structures involved in dynamic linking such as import table, export table, and so on.
The PE format is not really undocumented. The WINNT.H file has several structure definitions representing the PE format. The Microsoft Developer's Network (MSDN) CD-ROMs contain several descriptions of the PE format. However, these descriptions are in bits and pieces, and are by no means complete. In this chapter, we try to give you a comprehensive picture of the PE format.
Microsoft also provides a DLL with the SDK that has utility functions for interpreting PE files. We also discuss these functions and correlate them with other information about the PE format.
5 downloads
0 comments
Submitted
-
Tiny PE
By Teddy Rogers
Creating the smallest possible PE executable.
This work was inspired by the Tiny PE challenge by Gil Dabah. The object of the challenge was to write the smallest PE file that downloads a file from the Internet and executes it.
In the process of writing increasingly smaller PE files for the challenge I learned a lot of interesting details about the PE file format and the Windows loader. The goal of this document is to preserve this knowledge for future reference. In this, I have followed the example of the famous Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux.
1 download
0 comments
Submitted
-
The .NET File Format
By Teddy Rogers
The standards of the .NET format are public, you can find them on Microsoft and in your .NET SDK (look after "Partition II Metadata.doc"), but they are intended to be more like a reference, not really a guide. So, the truth is that a description of the format can be useful. I mean, there's a huge difference between having the WinNT.h and having the full explanation of its structures and stuff. The documentation given by Microsoft has some explanations, but a lot of passages aren't very clear at all. Of course, it's required that you know quite well the PE File Format. If that's not the case, you should start with that first, otherwise you won't be able to make heads or tails of this article. A little warning: I'm not going to explain how to use the libraries given by Microsoft to access the .NET format, I'm going to explain the format itself. This article is based on the Framework 2.0.
6 downloads
0 comments
Submitted
-
Submitted
-
The PE Format
By Teddy Rogers
A visual representation of the Portable Executable format.
4 downloads
0 comments
Submitted
-
Portable Executable Poster
By Teddy Rogers
A PDF poster showing the structure of the Portable Executable format.
2 downloads
0 comments
Submitted
-
Rebasing Win32 DLL
By Teddy Rogers
In this article, I discuss why rebasing a DLL is desirable and what it involves. Then I present a post-link utility, called Libase (for library base) to automate the procedure. Libase differs from the Platform SDK utility Rebase in that it chooses the new base address for the DLL based on a hash of the filename, instead of asking you to provide a base address explicitly.
3 downloads
0 comments
Submitted