Jump to content
Tuts 4 You

what is overlay meaning in detail?


rever_ser

Recommended Posts

Posted

hi guys!


can anybody say in detail WHAT IS OVERLAY? i just know the overlay in somewhere outside of PE. but what is this meaning indeed.


thanks in advance!


Posted (edited)

If you looked for "overlay pe" in Google you could get the following results:

Tutorial:

https://tuts4you.com/download.php?view.1249

Image about overlays (from http://reverseengineering.stackexchange.com/questions/2014/how-can-one-extract-the-appended-data-of-a-portable-executable):

p1tXR.png

To end with a famous quote:

An overlay (aka extra-data) is simply data appended to the physical image of a Portable Executable. Take a PE, append stuff to the end without adjusting the header, and it has an overlay. This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE.

Greetings,

Mr. eXoDia

Edited by Mr. eXoDia
  • Like 6
Posted

perfect!!!


 


thanks Mr. eXoDia

Posted (edited)

Some packers hide data in overlay in order to create a invalid file if you try to unpack.


:)


Edited by GIV
  • Like 2
Posted

Some packers hide date in overlay in order to create a invalid file if you try to unpack.

:)

 

that is no answer to the question

Posted

Some packers hide date in overlay in order to create a invalid file if you try to unpack.

:)

Question: What about then packers that use said data, but also pack executables that use overlays?

Posted

that is no answer to the question

That is no manner to respond.

:)

  • Like 2
Posted

i understand whay is overlay in depth.


 


so suppose that a PE file contain  with packed overlay. how can i get overlay in physical memo?


 


another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay?


 


thanks. mart

Posted

i understand whay is overlay in depth.

 

so suppose that a PE file contain  with packed overlay. how can i get overlay in physical memo?

 

another question is that Is it possible overlay including the original executable code? in other word the mail purpose of the exe included i the overlay?

 

thanks. mart

 

You can obtain the overlay from your own app by calculating the size of the file based on its size seen by the operating system and the size of the file in the header. The overlay will be the difference of the two. 

 

And yes, the executable can store code inside of the overlay and reuse it later on during execution as a form of protection. The main executable could even be a loader/unpacker for the overlay itself which is a whole other executable to run from memory etc. Overlay files have no restriction to what they can be. You can use anything as an overlay.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...