The exe file from the inside

PE 101: Portable Executable
a Windows executable walkthrough

Ange Albertini
corkami.com

Dissected PE

SHA-1 b7nf4cOS1cc38e43o030656c&2696fab4Ci8cf9cb  download @ pe101.corkami.com


Columns: hexadecimal dump, ASCII dump, fields, values, explanation

Offset 0x00: DOS header
4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00   MZ..............
(offset 0x30)
00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00   ............@...

  e_magic    'MZ'   constant signature
  e_lfanew   0x40   offset of the PE Header (1)

Offset 0x40: PE header
50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00   PE..L...........
00 00 00 00-E0 00 02 01 ...

  Signature             'PE', 0, 0          constant signature
  Machine               0x14c [Intel 386]   processor: ARM/MIPS/Intel/...
  NumberOfSections      3                   number of sections (2)
  SizeOfOptionalHeader  0xe0                relative offset of the section table (2)
  Characteristics       0x102 [32b EXE]     EXE/DLL/...



Overview of simple.exe

  header:   technical details about the executable
  sections: contents of the executable
  imports:  link between the executable and (Windows) libraries
  data:     information used by the code

  DOS header:      shows it's a binary
  PE header:       shows it's a 'modern' binary
  optional header: executable information


Offset 0x58: optional header
0B 01 00 00-00 00 00 00 ...

  Magic                  0x10b [32b]         32 bits/64 bits
  AddressOfEntryPoint    0x1000              where execution starts
  ImageBase              0x400000            address where the file should be mapped in memory
  SectionAlignment       0x1000              where sections should start in memory (3)
  FileAlignment          0x200               where sections should start on file (3)
  MajorSubsystemVersion  4 [NT 4 or later]   required version of Windows
  SizeOfImage            0x4000              total memory space required
  SizeOfHeaders          0x200               total size of the headers (3)
  Subsystem              2 [GUI]             driver/graphical/command line/...
  NumberOfRvaAndSizes    16                  number of data directories (5)

  data directories: pointers to extra structures (exports, imports, ...)


Sections table: defines how the file is loaded in memory
Code: what is executed


...00 00 00 00-00 00 00 00 00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00

  ImportsVA   0x2000   RVA of the imports (5)

Offset 0x138: sections table
(0x138)                 2E 74 65 78-74 00 00 00   .text...
00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00   ................
00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60   ...............`
2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00   .rdata..........
00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00   ................
00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00   ....@..@.data...
00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00   .....0..........
00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0   ............@...

Sections table

  Name     VirtualSize  VirtualAddress  SizeOfRawData    PointerToRawData   Characteristics
           (RVA*)       (RVA*)          (physical size)  (physical offset)
  .text    0x1000       0x1000          0x200            0x200              CODE EXECUTE READ
  .rdata   0x1000       0x2000          0x200            0x400              INITIALIZED DATA READ
  .data    0x1000       0x3000          0x200            0x600              INITIALIZED DATA READ WRITE

For each section, a SizeOfRawData sized block is read from the file at PointerToRawData offset.
It will be loaded in memory at address ImageBase + VirtualAddress in a VirtualSize sized block, with specific characteristics.


Offset 0x200 / RVA 0x1000 (.text)
6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15   j.h.0@.h.0@.j...
70 20 40 00-6A 00 FF 15-68 20 40 00               p.@.j...h.@.


Loading process

(1) Headers
    the DOS Header is parsed
    the PE Header is parsed (its offset is the DOS Header's e_lfanew)
    the Optional Header is parsed (it follows the PE Header)

(2) Sections table
    the Sections table is parsed (it is located at: offset(OptionalHeader) + SizeOfOptionalHeader)
    it contains NumberOfSections elements
    it is checked for validity with the alignments: FileAlignment and SectionAlignment

(3) Mapping
    the file is mapped in memory according to: the ImageBase, the SizeOfHeaders, the Sections table

(4) Execution
    Code is called at the EntryPoint
    the calls of the code go via the IAT to the APIs
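Steps (1) to (3) above, carried out in Python as an added example that is not part of the poster: the header block of simple.exe is rebuilt from the field values listed on the page (only the fields the parser reads; every other byte is zero, as in the dump), parsed back, and an RVA is translated to a file offset with the PointerToRawData / VirtualAddress rule stated under the sections table. The function names, the dict keys and the zero size of the import data directory are my assumptions.

```python
import struct

# Constructed input: the 0x200-byte header block of the poster's simple.exe, rebuilt from the
# field values on the page; bytes not set here are zero, as in the dump (assumption).
def build_headers():
    h = bytearray(0x200)                                    # SizeOfHeaders = 0x200
    h[0:2] = b"MZ"                                          # e_magic
    struct.pack_into("<I", h, 0x3C, 0x40)                   # e_lfanew -> PE header at 0x40
    struct.pack_into("<4sHHIIIHH", h, 0x40, b"PE\0\0", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                              # optional header follows the PE header
    struct.pack_into("<I", h, opt + 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<III", h, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", h, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", h, opt + 96 + 8, 0x2000, 0)     # DataDirectory[1] (imports): RVA, size
    rows = [(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),
            (b".rdata", 0x1000, 0x2000, 0x200, 0x400, 0x40000040),
            (b".data", 0x1000, 0x3000, 0x200, 0x600, 0xC0000040)]
    for i, (name, vsize, va, rawsize, rawptr, flags) in enumerate(rows):
        struct.pack_into("<8sIIIIIIHHI", h, opt + 0xE0 + 40 * i,   # sections table at 0x138
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    return bytes(h)

def parse_pe(data):
    """Steps (1)-(2): DOS header -> PE header -> optional header -> sections table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    sig, machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<4sHHIIIHH", data, e_lfanew)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                     # optional header right after the 24-byte PE header
    entry, base, sec_align, file_align = struct.unpack_from("<I8xIII", data, opt + 16)
    nrva, = struct.unpack_from("<I", data, opt + 92)
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0] if nrva > 1 else 0
    sections = []
    for i in range(nsec):                                   # table starts right after the optional header
        name, vsize, va, rawsize, rawptr, flags = struct.unpack_from("<8sIIII12xI", data, opt + opt_size + 40 * i)
        if va % sec_align or rawptr % file_align:           # the alignment validity check of step (2)
            raise ValueError(f"section {name!r} violates the alignments")
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr, flags))
    return {"machine": machine, "characteristics": chars, "entry": entry,
            "image_base": base, "import_rva": import_rva, "sections": sections}

def rva_to_offset(sections, rva):
    for _, vsize, va, rawsize, rawptr, _ in sections:      # step (3) in reverse: which section holds the RVA?
        if va <= rva < va + vsize:
            if rva - va >= rawsize:                         # mapped but zero-filled: no bytes on file
                return None
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")
```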


[Figure: file-to-memory mapping. File offsets 0x0, 0x200, 0x400, 0x600, 0x800 (PointerToRawData of Section 1, Section 2, Section 3) are mapped to ImageBase + 0x0, 0x200 (SizeOfHeaders), 0x1000, 0x2000, 0x3000 (VirtualAddress of Section 1, Section 2, Section 3).]


x86 assembly

  push 0
  push 0x403000
  push 0x403017
  push 0
  call [0x402070]
  push 0
  call [0x402068]

Equivalent C code

  MessageBox(0, "Hello world!", "a simple PE executable", 0);
  ExitProcess(0);


Offset 0x400 / RVA 0x2000 (.rdata)
3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00   <...........x...
68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00   h...D...........
85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00   ..p.............
00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00   ............L...
00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78   ....Z.........Ex
69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73   itProcess...Mess
61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00   ageBoxA.L.......
5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32   Z.......kernel32
2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00   .dll.user32.dll.


Imports structures

  descriptors
    INT:  0x203c  -> INT 0x204c, 0  -> Hint, Name: 0, ExitProcess
    Name: 0x2078  -> kernel32.dll
    IAT:  0x2068  -> IAT 0x204c, 0
    INT:  0x2044  -> INT 0x205a, 0  -> Hint, Name: 0, MessageBoxA
    Name: 0x2085  -> user32.dll
    IAT:  0x2070  -> IAT 0x205a, 0

Consequences

  after loading,
    0x2068 will point to kernel32.dll's ExitProcess
    0x2070 will point to user32.dll's MessageBoxA


All addresses here are RVAs*

Offset 0x600 / RVA 0x3000 (.data)
61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63   a.simple.PE.exec
75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72   utable.Hello.wor
6C 64 21 00                                       ld!.

Strings
  a simple PE executable\0
  Hello world!\0

This is the whole file; however, most PE files contain more elements. Explanations are simplified for conciseness.

version 1, 3rd May 2012


(5) Imports
    DataDirectories are parsed
    they follow the OptionalHeader
    their number is NumberOfRvaAndSizes
    imports are always #2
    Imports are parsed
    each descriptor specifies a DLL name
    this DLL is loaded in memory
    IAT and INT are parsed simultaneously
    for each API in INT, its address is written in the IAT entry
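Step (5) as an added Python example that is not part of the poster: the .rdata bytes are retyped from the hex dump of offset 0x400 / RVA 0x2000, then the descriptors, INT and IAT are walked the way the loader does, checking that each IAT entry on file is still a copy of its INT entry. The ordinal branch (high bit of a thunk set) goes beyond this sample, which imports by name only; the function names and the tuple layout are mine.

```python
import struct

# Constructed input: the .rdata section of the poster's simple.exe, retyped from the page's
# hex dump (file offset 0x400, RVA 0x2000); bytes past 0x90 are zero padding (assumption).
RDATA_RVA = 0x2000
RDATA = bytes.fromhex(
    "3C200000 00000000 00000000 78200000"   # descriptor 1: INT 0x203c, Name 0x2078,
    "68200000 44200000 00000000 00000000"   #   IAT 0x2068; descriptor 2: INT 0x2044,
    "85200000 70200000 00000000 00000000"   #   Name 0x2085, IAT 0x2070; null descriptor
    "00000000 00000000 00000000 4C200000"   # INT 1 at 0x203c: 0x204c, 0
    "00000000 5A200000 00000000 00004578"   # INT 2 at 0x2044: 0x205a, 0; Hint,Name at 0x204c
    "6974 50726F63657373 000000 4D657373"   # "ExitProcess"; Hint,Name at 0x205a: "Mess..."
    "61676542 6F784100 4C200000 00000000"   # "...ageBoxA"; IAT 1 at 0x2068: 0x204c, 0
    "5A200000 00000000 6B65726E 656C3332"   # IAT 2 at 0x2070: 0x205a, 0; "kernel32"
    "2E646C6C 00 7573657233322E646C6C 00"   # ".dll", "user32.dll"
).ljust(0x200, b"\0")

def cstr(rva):
    """Null-terminated string at an RVA inside .rdata (RVA - section RVA = offset in the blob)."""
    off = rva - RDATA_RVA
    return RDATA[off:RDATA.index(b"\0", off)].decode("ascii")

def parse_imports(rdata_rva=RDATA_RVA, import_rva=0x2000):
    """Step (5): walk the descriptors, then INT and IAT side by side, until the null descriptor."""
    imports = {}
    desc = import_rva - rdata_rva
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", RDATA, desc)
        if int_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                                           # all-zero descriptor terminates the list
        dll = cstr(name_rva)
        entries = []
        for k in range(0, 0x1000, 4):                       # INT and IAT are parallel, null-terminated
            thunk, = struct.unpack_from("<I", RDATA, int_rva - rdata_rva + k)
            iat_copy, = struct.unpack_from("<I", RDATA, iat_rva - rdata_rva + k)
            if thunk == 0:
                break
            if thunk & 0x80000000:                          # import by ordinal: no Hint,Name structure
                entries.append((f"#{thunk & 0xFFFF}", None, iat_rva + k, iat_copy == thunk))
                continue
            hint, = struct.unpack_from("<H", RDATA, thunk - rdata_rva)
            # (API name, hint, RVA of the IAT slot the loader fills, IAT still a copy of INT?)
            entries.append((cstr(thunk + 2), hint, iat_rva + k, iat_copy == thunk))
        imports[dll] = entries
        desc += 20                                          # next IMAGE_IMPORT_DESCRIPTOR
    return imports
```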


[Figure: import resolution. IAT entry -> INT entry -> Hint, Name -> library.dll -> API address.]




Notes

MZ HEADER aka DOS_HEADER
  Starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)

PE HEADER aka IMAGE_FILE_HEADER / COFF file header
  Starts with 'PE' (Portable Executable)

OPTIONAL HEADER aka IMAGE_OPTIONAL_HEADER
  Optional only for non-standard PEs but required for executables

RVA  Relative Virtual Address
  Address relative to ImageBase (at ImageBase, RVA = 0)
  Almost all addresses of the headers are RVAs
  In code, addresses are not relative.

INT  Import Name Table
  Null-terminated list of pointers to Hint, Name structures

IAT  Import Address Table
  Null-terminated list of pointers
  On file it is a copy of the INT
  After loading it points to the imported APIs

HINT
  Index in the exports table of a DLL to be imported
  Not required but provides a speed-up by reducing look-up

