Posted December 9, 201410 yr hi guys!can anybody say in detail WHAT IS OVERLAY? i just know the overlay in somewhere outside of PE. but what is this meaning indeed.thanks in advance!
December 9, 201410 yr If you looked for "overlay pe" in Google you could get the following results: Tutorial: https://tuts4you.com/download.php?view.1249 Image about overlays (from http://reverseengineering.stackexchange.com/questions/2014/how-can-one-extract-the-appended-data-of-a-portable-executable): To end with a famous quote: An overlay (aka extra-data) is simply data appended to the physical image of a Portable Executable. Take a PE, append stuff to the end without adjusting the header, and it has an overlay. This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE. Greetings, Mr. eXoDia Edited December 9, 201410 yr by Mr. eXoDia
December 9, 201410 yr Some packers hide data in overlay in order to create a invalid file if you try to unpack. Edited December 10, 201410 yr by GIV
December 9, 201410 yr Some packers hide date in overlay in order to create a invalid file if you try to unpack. that is no answer to the question
December 10, 201410 yr Some packers hide date in overlay in order to create a invalid file if you try to unpack. Question: What about then packers that use said data, but also pack executables that use overlays?
December 14, 201410 yr Author i understand whay is overlay in depth. so suppose that a PE file contain with packed overlay. how can i get overlay in physical memo? another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay? thanks. mart
December 14, 201410 yr i understand whay is overlay in depth. so suppose that a PE file contain with packed overlay. how can i get overlay in physical memo? another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay? thanks. mart You can obtain the overlay from your own app by calculating the size of the file based on its size seen by the operating system and the size of the file in the header. The overlay will be the difference of the two. And yes, the executable can store code inside of the overlay and reuse it later on during execution as a form of protection. The main executable could even be a loader/unpacker for the overlay itself which is a whole other executable to run from memory etc. Overlay files have no restriction to what they can be. You can use anything as an overlay.
Create an account or sign in to comment