What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2013-05-24

Notes for the PE File Headers and Sections


From: Basic Static Techniques - Practical Malware Analysis

The PE file format contains a header followed by a series of sections. The header contains metadata about the file itself. Following the header are the actual sections of the file, each of which contains useful information.


Article:

Image:

Description:
  • The following are the most common and interesting sections in a PE file:
  • .text    The  .text section contains the instructions that the CPU executes. All other sections store data and supporting information. Generally, this is the only section that can execute, and it should be the only section that includes code.
     .rdata    The .rdata section typically contains the import and export information, which is the same information available  from both Dependency Walker and PEview. This section can also store other read-only data used by the program. Sometime a file will contain an .idata and .edata section, which store the import and export information.
    .data    The .data section contains the program's global data, which is accessible from anywhere in the program. Local data is not stored in this section, or anywhere else in the PE file. 
     .rsrc    The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. Strings can be  stored either in the .rsrc section or in the main program, but they are often stored in the .rsrc section for multilanguage support.
  • Sections of a PE file for a Windows Executable
    ExecutableDescription
    .textContains the executable code
    .rdataHolds read-only data that is globally accessible within the program
    .dataStores global data accessed throughout the program
    .idataSometimes present and stores the import function information; if this section is not present, the import function information is stored in the .rdata section
    .edataSometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
    .pdataPresent only in 64-bit executables and store exception-handling information
    .rsrcStores resources needed by the executable
    .relocContains information for relocation of library files

PE Header Summary:
  • The PE header contains useful information for the malware analyst. Below is the key information that can be obtained from a PE header.
    FieldInformation revealed
    ImportsFunctions from other libraries that are used by the malware
    ExportsFunctions in the malware that are meant to be called by other programs of libraries
    Time Date StampTime when the program was compiled
    SectionsNames of sections in the field and their sizes on disk and in memory
    SubsystemIndicates whether the program is a command-line or GUI application
    ResourcesStrings, icons, menus, and other information included in the file


No comments:

Post a Comment