Tuts 4 You

Portable Executable Format (PE)

33 files

  1. PECOFF Revision 11.0

    This specification describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.

    83 downloads

    0 comments

    Submitted

  2. PE102 - A Windows Executable Format Overview

    This graphic is a Windows executable format overview that shows its dissected structure.

    110 downloads

    0 comments

    Submitted

  3. PE101 - A Windows Executable Walkthrough

    This graphic is a walkthrough of a simple Windows executable that shows its dissected structure and explains how it's loaded by the operating system.

    131 downloads

    0 comments

    Submitted

  4. PE File Structure

    Detailed information on the makeup of the PE file structure.

    100 downloads

    0 comments

    Submitted

  5. PE Brief Notes

    Brief notes and details on the layout and structure of the PE format.

    78 downloads

    0 comments

    Submitted

  6. PE File Formats Offsets

    There are many tuts about the PE file format with detailed explanations of the structure and of the meaning of each value in the PE. But sometimes you just want to know the offset of a special value in the file so I created this simple listing of the offsets of the data.

    93 downloads

    0 comments

    Submitted

  7. PE File Format Top To Bottom

    This document was edited and released by Microsoft Developer Support. It describes the binary portable executable format for NT. The information is provided at this point because we feel it will make the work of application development easier. Unfortunately, the information in this document may change before the final release of Windows NT. Microsoft is NOT committing to stay with these formats by releasing this document. Questions or follow-ups for any of the information presented here should be posted to CompuServe MSWIN32 forum, section 6.

    94 downloads

    0 comments

    Submitted

  8. PE File Format Compendium v11

    PE is the native Win32 file format. Every Win32 executable (except VxDs and 16-bit DLLs) uses PE file format. 32-bit DLLs, COM files, OCX controls, Control Panel Applets (.CPL files) and .NET executables are all PE format. Even NT's kernel mode drivers use PE file format.

    Why do we need to know about it? 2 main reasons. Adding code to executables (e.g. keygen injection or adding functionality) and manually unpacking executables. With respect to the latter, most shareware nowadays comes "packed" in order to reduce size and to provide an added layer of protection.

    In a packed executable, the import tables are usually destroyed and data is often encrypted. The packer inserts code to unpack the file in memory upon execution, and then jumps to the original entry point of the file (where the original program actually starts executing). If we manage to dump this memory region after the packer finished unpacking the executable, we still need to fix the sections and import tables before our app will run. How will we do that if we don't even know what the PE format is?

    The example executable I have used throughout this text is BASECALC.exe, a very useful app from fravia's site for calculating and converting decimal, hex, binary and octal. It is coded in Borland Delphi 2.0 which makes it ideal as an example to illustrate how Borland compilers leave the OriginalFirstThunks null (more of this later).

    291 downloads

    0 comments

    Submitted

