Name 3 major file extensions that commonly use the PE File Format?
EXE, SYS, DLL
PE Sections have a virtual size, and a size on disk – and the two may be different. In what common malware situation may be size on disk be quite a bit lower than size in memory?
Packed code – more space allocated for the unpacked version
Describe briefly (3-4 lines) why PE Files need to use Relative Virtual Addresses (RVA)
Mentioned ImageBase, having to relocate, and having things relative to that.
What is a handle?
It’s simply a pointer to the first memory address of that dll or exe. You can essentially find any part of the file in memory simply from the handle.
Name a few tools to analyse PE files?
PE Browse, Winitor, Hiew, DependencyWalker
How many sections does a PE file usually has?
Usually at least 2 sections - one for code, one for data, exist within a file. There might be one code section, but a couple of different data sections – one for Read only data, one for R/W etc.
- .text - Programs Code
- .rdata - Read-Only Data
- .data - Other Data
What is File Alignment / Section Alignment?
Sections in the file line up with a multiple of the File Alignment value - usually 512 bytes (0x200)
Sections loaded in memory line up with a multiple of the size of page of memory (Section Alignment):
- Usually 4Kb on 32-bit machines (0x1000)
- Usually 8Kb on 64-bit machines (0x2000)
What is RVA?
Relative Virtual Addresses (RVA) - Offset in memory relative to where PE file is loaded.
E.g. Exe loaded at 0x400000, code section at 0x4010000
=> RVA = Target address(0x4010000) - Load address (0x400000) = RVA (0x1000)
What’s the Image Base Address?
All files have a field in the header called “Image Base Address” which is the location in the memory the PE File would prefer to load. Sometime this area is taken and the file is loaded at a different memory address. To solve that we use Relative addresses (RVA).
What is the IAT?
The Windows Loader builds a Import Address Table (IAT) for each DLL loaded by the process containing those functions.
If you look at this table in file on disk it will simply list the functions used by the program. However when the PE File is loaded into memory this table is updated to point to the actual DLL code in memory.
What are the main sections of the PE File?
- MZ Header
- PE Header
- Code Section
- Data Section
- Imports
- Resources
What is important in the MZ header?
- E_magic: file signature (0x4D5A)
- E_Ifanew: Offset to the PE header
What is important in the PE header?
- IMAGE_FILE_HEADER
- IMAGE_OPTIONAL_HEADER (mandatory, big)
- IMAGE_SECTION_HEADER
What is important in the PE header/Image_File_Header?
- Machine: ox014C
- Number of section
- Timestamp
- Size (of optional header)
- Characteristics (16 flags; two bits indicates DLL vs EXE)
What is important in the PE header/Image_Optional_Header?
- Magic Number (01 = PE file; 02 = x64 PE file)
- Address of EntryPoint (RVA)
- ImageBase (offset in Virtual Memory; 0x400000)
- SectionAlignment
- FileAlignment
- EXPORTS
- IMPORTS
- Import Address Table
What is important in the PE header/Image_Section_Header (Sections Table)?
Section Header contains one data structure for each section in the file:
- Name
- Virtual Address (to the start of the section)
- Virtual Size (let’s you calc the end of the section)
- PointerToRawData
- SizeOfRawData
- Characteristics (16 flags; code vs. data)
Name a few tools to analyse PE files?
- PEFrame
- ExeInfo PE
- DIE (Detect It Easy)
What is the OEP?
The Original Entry Point is the field in the Optional Header that shows the RVA of the memory address for the first piece of code to be executed.
