Windows PE
Detect Packers
- Open the sample in PEStudio and look at sections, imports, entropy and indicators
- Look for packer signatures (odd section names, a tiny import table, high-entropy executable sections, entry point outside .text)
- Check DIE (Detect-It-Easy) and PEEasy
- Run CAPA to get a list of the capabilities it can identify statically
PEiD
Detect-It-Easy
Online Unpacker
A curated list of awesome resources related to executable packing
Resolve Imports
Run the executable, break on main, and use the ret-sync IDA plugin to step through the running process alongside the decompiled IDA code.
Then use the Scylla plugin (in x64dbg) to reconstruct the IAT from the running process and dump that import information so it can be loaded into IDA.
Format
https://0xrick.github.io/win-internals/pe1/
DOS Header (IMAGE_DOS_HEADER): 64 bytes
- Magic number (e_magic): the bytes "MZ" (4D 5A), read as the little-endian WORD 0x5A4D
- Bytes on last page of file (e_cblp): number of bytes used in the last 512-byte page
- Pages in file (e_cp): number of 512-byte pages in the file
- Relocations (e_crlc): number of entries in the relocation pointer table
- Size of header in paragraphs (e_cparhdr): size of the DOS header in 16-byte paragraphs. Usually 4 (4 * 16 = 64)
- Minimum extra paragraphs needed (e_minalloc):
- Maximum extra paragraphs needed (e_maxalloc):
- Initial (relative) SS value (e_ss):
- Initial SP value (e_sp):
- Checksum (e_csum): https://www.tavi.co.uk/phobos/exeformat.html#checksum
- Initial IP value (e_ip):
- Initial (relative) CS value (e_cs):
- File address of relocation table (e_lfarlc): offset from the start of the file to the relocation table
- Overlay number (e_ovno):
- Reserved words (e_res):
- OEM identifier (e_oemid, for e_oeminfo):
- OEM information (e_oeminfo, e_oemid specific):
- Reserved words (e_res2):
- File address of new exe header (e_lfanew): offset from the start of the file to the NT headers (the "PE\0\0" signature). Apart from e_magic this is the only DOS header field the Windows loader uses; everything else only matters to the DOS stub.
DOS Stub:
- A small real-mode DOS program placed after the DOS header. If the file is run under MS-DOS it prints "This program cannot be run in DOS mode." and exits. Windows ignores it entirely.
Rich Header:
- An undocumented block between the DOS stub and the NT headers, emitted by the Microsoft linker, that records which Visual Studio toolset components (compiler and linker build numbers, and how many objects each produced) went into the executable. It is XOR-obfuscated with a key stored right after the "Rich" marker, and is useful for attribution and for spotting binaries that fake their compiler.
NT Headers (IMAGE_NT_HEADERS):
- Signature: always the bytes "PE\0\0" (50 45 00 00), i.e. the little-endian DWORD 0x00004550
- File Header (IMAGE_FILE_HEADER, 20 bytes):
- Machine: 0x8664 for AMD64, 0x014c for i386 (0xAA64 for ARM64)
- NumberOfSections: number of entries in the section table
- TimeDateStamp: Unix timestamp written by the linker at link time. Trivially forged, so do not treat it as evidence on its own
- PointerToSymbolTable: file offset of the COFF symbol table. Deprecated for images and should be 0
- NumberOfSymbols: number of entries in the COFF symbol table. Deprecated for images and should be 0
- SizeOfOptionalHeader: size of the optional header that follows (0xE0 for PE32, 0xF0 for PE32+ when all 16 data directories are present). Needed to locate the section table, which starts right after the optional header
- Characteristics flags:
- 0x0001 IMAGE_FILE_RELOCS_STRIPPED: relocation info stripped; the image must be loaded at its ImageBase
- 0x0002 IMAGE_FILE_EXECUTABLE_IMAGE: file is an executable image with no unresolved external references. If clear, the linker produced an error
- 0x0004 IMAGE_FILE_LINE_NUMS_STRIPPED: COFF line numbers have been removed. Deprecated and should be zero
- 0x0008 IMAGE_FILE_LOCAL_SYMS_STRIPPED: COFF symbol table entries for local symbols have been removed. Deprecated and should be zero
- 0x0010 IMAGE_FILE_AGGRESIVE_WS_TRIM: obsolete, aggressively trim working set. Deprecated for Windows 2000 and later and must be zero
- 0x0020 IMAGE_FILE_LARGE_ADDRESS_AWARE: application can handle > 2 GB addresses
- 0x0040: reserved for future use
- 0x0080 IMAGE_FILE_BYTES_REVERSED_LO: little endian, the LSB precedes the MSB in memory. Deprecated and should be zero
- 0x0100 IMAGE_FILE_32BIT_MACHINE: machine is based on a 32-bit-word architecture
- 0x0200 IMAGE_FILE_DEBUG_STRIPPED: debugging information is removed from the image file
- 0x0400 IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP: if the image is on removable media, fully load it and copy it to the swap file
- 0x0800 IMAGE_FILE_NET_RUN_FROM_SWAP: if the image is on network media, fully load it and copy it to the swap file
- 0x1000 IMAGE_FILE_SYSTEM: the image file is a system file, not a user program
- 0x2000 IMAGE_FILE_DLL: the image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run
- 0x4000 IMAGE_FILE_UP_SYSTEM_ONLY: the file should be run only on a uniprocessor machine
- 0x8000 IMAGE_FILE_BYTES_REVERSED_HI: big endian, the MSB precedes the LSB in memory. Deprecated and should be zero
- Optional Header (IMAGE_OPTIONAL_HEADER; not optional for images, only for object files):
- Magic:
- 0x10B: PE32 (32-bit ImageBase, has BaseOfData)
- 0x20B: PE32+ (64-bit ImageBase, no BaseOfData; the image itself is still limited to 2 GB)
- 0x107: ROM image
- MajorLinkerVersion / MinorLinkerVersion: the linker version numbers
- SizeOfCode: total size of all code sections (usually just .text), rounded up to FileAlignment
- SizeOfInitializedData: total size of all initialized data sections (.data, .rdata, ...)
- SizeOfUninitializedData: total size of all uninitialized data sections (.bss)
- AddressOfEntryPoint: RVA of the entry point once the file is loaded. For an EXE this is the CRT startup routine, not main; for a DLL it is the DllMain wrapper and may be 0. Packers point it at their unpacking stub, so an entry point outside .text is a classic indicator
- BaseOfCode: RVA of the start of the code section
- BaseOfData (PE32 only): RVA of the start of the data section
- ImageBase: preferred address of the first byte of the image when loaded (must be a multiple of 64K; defaults are 0x400000 for 32-bit EXEs, 0x140000000 for 64-bit EXEs and 0x10000000 for 32-bit DLLs). With IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE set, ASLR usually relocates the image elsewhere, so reason in RVAs and treat ImageBase + RVA as what static tools display
- SectionAlignment: alignment of sections in memory. Must be >= FileAlignment; default is the page size (0x1000)
- FileAlignment: alignment of raw section data in the file. Power of 2 between 512 and 64K, default 0x200. If SectionAlignment is less than the page size, FileAlignment must equal SectionAlignment
- MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion, MinorImageVersion, MajorSubsystemVersion and MinorSubsystemVersion: the major and minor version numbers of the required operating system, of the image, and of the subsystem, respectively
- Win32VersionValue: reserved, must be 0
- SizeOfImage: size of the image in memory including all headers, rounded up to a multiple of SectionAlignment. The loader reserves this much address space for the image
- SizeOfHeaders: combined size of the DOS header and stub, NT headers and section headers, rounded up to a multiple of FileAlignment. The raw data of the first section normally starts here
- CheckSum: checksum of the image file (imagehlp CheckSumMappedFile). It is only validated at load time for drivers, DLLs loaded at boot and critical system DLLs; most user-mode binaries carry 0
- Subsystem: the Windows subsystem required to run the image, e.g. 1 = native, 2 = Windows GUI, 3 = Windows CUI. The complete list is in the Microsoft PE format documentation
- DLLCharacteristics: mitigation and loader flags that apply to EXEs as well as DLLs despite the name, e.g. 0x0020 HIGH_ENTROPY_VA, 0x0040 DYNAMIC_BASE (ASLR), 0x0080 FORCE_INTEGRITY, 0x0100 NX_COMPAT (DEP), 0x0400 NO_SEH, 0x4000 GUARD_CF. The complete list is in the Microsoft PE format documentation
- SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve and SizeOfHeapCommit: the size of stack to reserve, the size of stack to commit, the size of local heap space to reserve and the size of local heap space to commit, respectively (defaults: 1 MB reserve, one page committed)
- LoaderFlags: reserved, must be 0
- NumberOfRvaAndSizes: number of entries in the DataDirectory array, normally 16
- DataDirectory: array of IMAGE_DATA_DIRECTORY structures, each an RVA plus a Size, locating the export (0), import (1), resource (2), exception (3), security/certificate (4, a file offset rather than an RVA), base relocation (5), debug (6), TLS (9), load config (10), IAT (12), delay import (13) and CLR (14) tables
Section Table:
Sections: