rever_ser Posted December 9, 2014 Posted December 9, 2014 hi guys!can anybody say in detail WHAT IS OVERLAY? i just know the overlay in somewhere outside of PE. but what is this meaning indeed.thanks in advance!
mrexodia Posted December 9, 2014 Posted December 9, 2014 (edited) If you looked for "overlay pe" in Google you could get the following results: Tutorial: https://tuts4you.com/download.php?view.1249 Image about overlays (from http://reverseengineering.stackexchange.com/questions/2014/how-can-one-extract-the-appended-data-of-a-portable-executable): To end with a famous quote: Teddy Rogers said: An overlay (aka extra-data) is simply data appended to the physical image of a Portable Executable. Take a PE, append stuff to the end without adjusting the header, and it has an overlay. This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE. Greetings, Mr. eXoDia Edited December 9, 2014 by Mr. eXoDia 6
GIV Posted December 9, 2014 Posted December 9, 2014 (edited) Some packers hide data in overlay in order to create a invalid file if you try to unpack. Edited December 10, 2014 by GIV 2
FastLife Posted December 9, 2014 Posted December 9, 2014 On 12/9/2014 at 1:43 PM, GIV said: Some packers hide date in overlay in order to create a invalid file if you try to unpack. that is no answer to the question
mudlord Posted December 10, 2014 Posted December 10, 2014 On 12/9/2014 at 1:43 PM, GIV said: Some packers hide date in overlay in order to create a invalid file if you try to unpack. Question: What about then packers that use said data, but also pack executables that use overlays?
GIV Posted December 10, 2014 Posted December 10, 2014 On 12/9/2014 at 9:25 PM, FastLife said: that is no answer to the question That is no manner to respond. 2
rever_ser Posted December 14, 2014 Author Posted December 14, 2014 i understand whay is overlay in depth. so suppose that a PE file contain with packed overlay. how can i get overlay in physical memo? another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay? thanks. mart
atom0s Posted December 14, 2014 Posted December 14, 2014 On 12/14/2014 at 10:15 AM, rever_ser said: i understand whay is overlay in depth. so suppose that a PE file contain with packed overlay. how can i get overlay in physical memo? another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay? thanks. mart You can obtain the overlay from your own app by calculating the size of the file based on its size seen by the operating system and the size of the file in the header. The overlay will be the difference of the two. And yes, the executable can store code inside of the overlay and reuse it later on during execution as a form of protection. The main executable could even be a loader/unpacker for the overlay itself which is a whole other executable to run from memory etc. Overlay files have no restriction to what they can be. You can use anything as an overlay.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now