Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 106
Ú-----------------------------¿
| Xine - issue #5 - Phile 106 |
À-----------------------------Ù
A short re-view of the PE format
---------------------------------
Intro
-------
As the 1st documents I had was a bit old and out dated, the second text was
too unreadable and unusable for the little assembler programmer like me. I
decided to rebuild the last file in a text, who should be much easy in
structure and usable for our little infectors. Hope you enjoy it!
Starzero-
PE format
-----------
MZ header... etc etc, we begin at address pointed by [03Ch]
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 Magic Word, should be 'P','E',0,0
4 2 Machine type: 014Ch - I386
014Dh - I486
014Eh - I586 or better
0160h - R3000 (big endian)
0162h - R3000 (little endian)
0166h - R4000 (little endian)
0168h - R10000 (little)
0184h - Dec Alpha AXP
01F0h - IBM Power PC
6 2 Number of section
8 4 Time/Date Stamp (seconds since 1 january 1970 0:0:0)
12 4 Pointer to symbol table
16 4 Number of symbol
20 2 Size of optional header
22 2 Flags: bit 0: Reloc Stripped
1: Executable
2: Line number info Stripped
3: Symbol Stripped
4: Agresive WS_TRIM
7: little endianess
8: Machine excepted 32 bit
9: Debug stripped
10: Loaded from removable disk
11: Should not run from network
12: Set if the file is a driver
13: Set if the file is a DLL
14: Not designed for multiprocessor
15: Big endianess(estonishing no?)
Here begin the optional header...
24 2 Magic, 010bh
26 2 Major/Minor version of the linker
28 4 Size of code
32 4 Size of Initialized data
36 4 Size of Uninitialized data
40 4 Entrypoint RVA
44 4 Code Offset
48 4 Data Offset
52 4 Image Base (the preffered load address)
56 4 Section Alignment (Usually 1000h)
60 4 File Alignment (Usually 200h)
64 2 Major Operating System Version
66 2 Minor Operating System Version
68 2 Major Image Version
70 2 Minor Image Version
72 2 Major Sub-system Version
74 2 Minor Sub-system Version
76 4 Win32 Version Value (Usually 0)
80 4 Image size
84 4 Header size
88 4 File CheckSum
92 2 Sub-system: 1 = Image Subsystem native
2 = Image Subsystem Windows GUI
3 = Image Subsystem Windows CUI
4 = Image Subsystem OS2 CUI
5 = Image POSIX CUI
94 2 DLL Flags: bit 0: DLL notified about process attachments
bit 1: DLL notified about thread detachments
bit 2: DLL notified about thread attachments
bit 3: DLL notified about thread detachment
96 4 Initial reserved stack size
100 4 Initial committed stack size
104 4 Initial reserved heap size
108 4 Initial committed heap size
112 4 Loader Flags (no description aivable)
116 4 Number of RVA and Size that follow this header
120 4 Export Table RVA
124 4 Export Table Size
128 4 Import Table RVA
132 4 Import Table Size
136 4 Ressource Table RVA
140 4 Ressource Table Size
144 4 Exception Table RVA - Structure unknown
148 4 Exception Table Size
152 4 Security Table RVA - Structure unknown
156 4 Security Table Size
160 4 Relocation Table RVA
164 4 Relocation Table Size
168 4 Debug Table RVA (Compiler dependent)
172 4 Debug Table Size
184 4 Copyright string RVA
188 4 Copyright string size
192 4 Global Machine Pointer RVA - Structure Unkown
196 4 Global Machine Pointer size
200 4 Image Directory Entry of Thread local Storage RVA
204 4 Image Directory Entry of Thread local Storage Size
208 4 Load configuration directory RVA
212 4 Load configuration directory Size
216 4 Bound import directory RVA
220 4 Bound import directory Size
224 4 Import Address Table directory RVA
228 4 Import Address Table directory Size
Section header
Offset Size Description
------- ------- ---------------------------------------------------------
0 8 String - Name of the section
8 4 Section Virtual Size
12 4 Section RVA
16 4 Section Physical Size
20 4 Section Offset
24 4 Section Relocation Pointer
28 4 Pointer to Line numbers
32 4 Number of Relocations
36 4 Flags: bit 5 : Section contains code
bit 6 : Section contains initialized data
bit 7 : Section contains unitialized data
bit 9 : Section contain link info(libraries etc...)
bit 11: Section is supposed to left out when compiled
bit 12: Section contains "common block data"
bit 15: Section is far data ?
bit 17: Section data is purgeable
bit 18: Section memory locked (not movable)
bit 19: Section memory preloaded
bit 20 21 22 23: Alignment - Unknown
bit 24: Section contains extended relocations
bit 25: Section is discardable (not loaded)
bit 26: Section is not cachable
bit 27: Section is not paged
bit 28: Section memory is shared
bit 29: Section memory is executable
bit 30: Section memory is readable
bit 31: Section memory is writable
Export structure
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 Flags (normally 0)
4 4 Time Stamp
8 2 Major Version
10 2 Minor Version
12 4 RVA to DLL name
16 4 Ordinal base
20 4 Number of exported function
24 4 Number of exported names
28 4 RVA of exported function address
if the address = 0, function unused
if the address point to export section, it's forwarded
32 4 RVA of exported function names
36 2 RVA of Name Ordinals, wich is 16 bit
Import structure
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 Imported function table RVA
this table is composed of RVA of:
Ordinal (2 bytes) + String (terminated by zero)
note, ordinal are usually zero
4 4 Time Date Stamp (Usually 0)
8 4 Forwarder chain address
12 4 32 bit RVA to name of the DLL
16 4 Lookup Table RVA (RVA of the received address table)
Ressource structure
A ressource directory in fact a tree, it begin with a short header
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 Flags (unused)
4 4 Time/Data stamp
8 2 Major version
10 2 Minor version
12 2 Number of Named Entries
14 2 Number of ID Entries
it's directly followed by the root directory, wich have the Number of
ID_Entries
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 ID of the ressource directory it describes, in root, you
have defined number of ressource type:
1: cursor
2: bitmap
3: icon
4: menu
5: dialog
6: string table
7: font directory
8: font
9: accelerators
10: unformatted ressource data
11: message table
12: group cursor
14: group icon
16: version information
if you are not in the root directory, and the 31 bit is set
the lower 31 bits point to the name of the ressource from
the beginning of ressource section
4 4 32 bit offset to the data or offset to next subdirectory
if the 31 bit is set, you have a directory, and this directory
the lower 31 bit is an offset from the beginning of ressource
section
it's not very clear, but I think there's everything, hope you enjoy it :)
Relocation structure
The relocation section is a suite of fix up sequences
Offset Size Description
------- ------- ---------------------------------------------------------
0 4 RVA Base for these relocation
4 4 Size of block (including this header I think)
followed by entries
0 4 bits Flags: 0 = no operation
1 = apply the high 16 bit of the relocation
2 = apply the low 16 bit of the relocation
3 = apply the 32 bit of the relocation
4 = highadjust (?)
5 = MIPS_JMPADDR (unknown)
6 = SECTION (unknown)
7 = REL32 (unknown)
4 bits 12 bits Offset from RVA base to apply the relocation
it's all...
Ah yes, don't forget the source of these data:
Portable Executable Format by Michael J. O'Leary, good but a bit old
The PE file format by Bernd Luevelsmeyer, complete but unreadable :\
