Portable Executable (PE)
Headers in PE file
PE headers contain the information Windows needs to execute the binary file.
How to read PE headers?
PE headers can be read in a hex editor, but they are only binary data and that is hard to read. We can use a program called pe-tree to analyze PE headers.
PE headers are STRUCT datatypes. They are user-defined, meaning we need to read the documentation to understand the type of each STRUCT field.
4D 5A
Each PE file has 4D 5A at the beginning, meaning MZ, named after Mark Zbikowski, the Microsoft architect who created the MS-DOS file format.
When 4D 5A is present at the start of a file, Windows considers it a Portable Executable format file.
IMAGE_DOS_HEADER - backwards compatibility stuff
This header is not very useful and is there mostly for backwards compatibility reasons. There is not much of interest in this header for a reverse engineer, except perhaps the first and last fields, see below.
The first entry of IMAGE_DOS_HEADER is e_magic. This so-called e_magic could be either 0x5a4d or 0x4d5a depending on whether the computer is running x86 or ARM. Refer to endianness.
The last entry is e_lfanew and it tells us the file offset where the next header, IMAGE_NT_HEADERS, begins. For example, it could have the value 0x000000d8.
DOS_STUB - wrong system stuff
The DOS stub only runs if the PE file is incompatible with the system it is being run on.
- size - size of the section in bytes. Not the size of the program or the PE file.
- entropy - amount of randomness found in the data.
- hashes - TODO
IMAGE_NT_HEADERS - the important stuff
This header contains most of the vital information of the PE file. Also take a look at the Microsoft documentation.
NT_HEADERS
signature
The first 4 bytes of NT_HEADERS are reserved for the signature. For example, the signature might be 50 45 00 00, PE in ASCII. TODO: what is the purpose of the signature?
FILE_HEADER
Fields:
- Machine - the architecture the PE file was written for
- NumberOfSections - number of sections in the PE file. Sections could be code, variables or other stored resources.
- TimeDateStamp - when this binary file was compiled.
- PointerToSymbolTable and NumberOfSymbols - not relevant here; present because of the COFF file header.
- SizeOfOptionalHeader - size in bytes.
- Characteristics - critical field that tells us different characteristics of the PE file. TODO: understand this
OPTIONAL_HEADER
!IMPORTANT information
- magic = 32-bit (0x010B) or 64-bit (0x020B)
- AddressOfEntryPoint = the first instruction to be executed is at this address.
- ImageBase = preferred loading address of the PE file in memory.
- Subsystem = subsystem required to run the image, e.g. GUI, CUI. Refer to the Microsoft documentation.
- DataDirectory = import and export information. "What might the PE file be trying to do?"
- Refer to the MS documentation
IMAGE_SECTION_HEADER
Code, images, elements etc. are stored in different sections, such as:
- .text = executable code - can be read and executed
- .data = initialized data - can be read and written
- .rdata / .idata = import information of the PE file
- .ndata = uninitialized data
- .reloc = relocation information
- .rsrc = icons, images and other resources for the app UI
Each section header includes:
- VirtualAddress = the section's relative virtual address (RVA)
- VirtualSize = size once loaded into memory
- SizeOfRawData = size on disk
- Characteristics = permissions of the section such as READ, WRITE, EXECUTE
IMAGE_IMPORT_DESCRIPTOR
Contains information about the different Windows APIs that the PE file loads when executed.
Identify packed executables
Malware authors and software developers pack their PE files to avoid piracy or detection.
Packed PE headers can be analyzed from:
- import functions
- section headers and their permissions, size and randomness
Detection:
- high entropy (randomness)
- execute permissions on multiple sections
- empty or random section names
- big difference between SizeOfRawData and Misc_VirtualSize of PE sections
- few import functions
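As an added example (not from the notes above, and not pe-tree's code), the following Python walks the headers in the order the notes describe (e_magic, e_lfanew, the PE signature, FILE_HEADER, the OPTIONAL_HEADER magic, then the section table) and applies the section-level packing heuristics from this section. The PE image it parses is a constructed minimal PE32 built inline with struct, not a real program; the import-count heuristic is not implemented.

```python
import math
import struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data):
    """Walk IMAGE_DOS_HEADER -> e_lfanew -> PE signature -> FILE_HEADER -> OPTIONAL_HEADER magic -> sections."""
    if data[:2] != b"MZ":                                   # 4D 5A: e_magic, first field of IMAGE_DOS_HEADER
        raise ValueError("no MZ at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # last field of IMAGE_DOS_HEADER
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":            # 50 45 00 00 signature of IMAGE_NT_HEADERS
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                       # IMAGE_FILE_HEADER follows the signature
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    magic = struct.unpack_from("<H", data, fh + 20)[0]      # OPTIONAL_HEADER.Magic: 0x10B PE32, 0x20B PE32+
    off, sections = fh + 20 + opt_size, []                  # section table follows the optional header
    for _ in range(nsections):
        name, vsize, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "rawsize": rawsize, "exec": bool(chars & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})
        off += 40
    return {"machine": machine, "magic": magic, "sections": sections}

def packing_indicators(info):
    """The section-level heuristics from the notes (the import-count check is not done here)."""
    secs = info["sections"]
    checks = [
        (any(s["entropy"] > 7.0 for s in secs), "high-entropy section"),
        (sum(s["exec"] for s in secs) > 1, "execute permission on multiple sections"),
        (any(not s["name"].startswith(".") for s in secs), "empty or unusual section name"),
        (any(s["vsize"] > 4 * max(s["rawsize"], 1) for s in secs), "VirtualSize far above SizeOfRawData"),
    ]
    return [msg for hit, msg in checks if hit]

def build_sample():
    """Constructed minimal PE32 image (headers plus two sections, not a runnable program)."""
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)    # PE32 Magic, rest of the optional header zeroed
    raw0 = 0x40 + 4 + 20 + len(opt) + 2 * 40               # file offset of the first section's data
    text, blob = b"\x90" * 256, bytes(range(256)) * 4      # NOP sled (entropy 0.0) vs uniform bytes (8.0)
    sec = "<8sIIIIIIHHI"
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
            + struct.pack(sec, b".text", 256, 0x1000, 256, raw0, 0, 0, 0, 0, 0x60000020)
            + struct.pack(sec, b"XyZ", 0x20000, 0x2000, len(blob), raw0 + 256, 0, 0, 0, 0, 0xE0000020)
            + text + blob)
```

Running `packing_indicators(parse_pe(build_sample()))` flags all four section heuristics, because the second section is executable and writable, has a non-dotted name, is uniformly random, and declares a VirtualSize far larger than its data on disk.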