PE 101: Portable Executable dissected
Ange Albertini, corkami.com

Layout of this walkthrough: for each header, the hex content and its ASCII rendering (non-printable bytes shown as '.'), then the fields, their values and an explanation. A bracketed digit [n] after an explanation refers to loading step n in the Notes at the end. RVA* is explained in the Explanations.

DOS header (offset 0x00)

0000  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00  MZ..............
0030  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00  ............@...

Field     Value  Explanation
e_magic   'MZ'   constant signature
e_lfanew  0x40   offset of the PE header [1]

PE header (offset 0x40)

0040  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00  PE..L...........
0050  00 00 00 00-E0 00 02 01                          ........

Field                 Value              Explanation
Signature             'PE', 0, 0         constant signature
Machine               0x14c [Intel 386]  processor: ARM/MIPS/Intel/...
NumberOfSections      3                  number of sections [2]
SizeOfOptionalHeader  0xe0               relative offset of the section table [2]
Characteristics       0x102 [32b EXE]    EXE/DLL/...

Optional header (offset 0x58)

0058                          0B 01 00 00-00 00 00 00  ........
0060  00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00  ................
0070  00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00  ......@.........
0080  00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00  ................
0090  00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00  .@..............
00A0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00B0  00 00 00 00-10 00 00 00                          ........

Field                  Value              Explanation
Magic                  0x10b [32b]        32 bits / 64 bits
AddressOfEntryPoint    0x1000             where execution starts [5]
ImageBase              0x400000           address where the file will be loaded in memory [3]
SectionAlignment       0x1000             where sections start in memory [2]
FileAlignment          0x200              where sections start in the file [2]
MajorSubsystemVersion  4 [NT 4 or later]  required Windows version
SizeOfImage            0x4000             total memory space required
SizeOfHeaders          0x200              total size of the headers [3]
Subsystem              2 [GUI]            driver / graphical / command line / ...
NumberOfRvaAndSizes    16                 number of data directories [4]

Data directories (offset 0xB8)

00B8                          00 00 00 00-00 00 00 00  ........
00C0  00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00D0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................

Field      Value   Explanation
ImportsVA  0x2000  RVA* of the imports [4] (the second directory entry; all other entries of this file are zero)

The whole file (simple.exe, 0x800 bytes), annotated

Non-printable bytes are shown as '.' in the ASCII column; runs of all-zero rows are collapsed.

Headers: technical details of the executable

DOS header: says "this is a binary"
0000  4D 5A 00 00-00 00 00 00-00 00 00 00-00 00 00 00  MZ..............
0010  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
0020  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
0030  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 00  ............@...

PE header: says "this is a recent (Win32) binary"
0040  50 45 00 00-4C 01 03 00-00 00 00 00-00 00 00 00  PE..L...........
0050  00 00 00 00-E0 00 02 01-0B 01 00 00-00 00 00 00  ................  (the optional header starts at 0x58)

Optional header: information about the executable
0060  00 00 00 00-00 00 00 00-00 10 00 00-00 00 00 00  ................
0070  00 00 00 00-00 00 40 00-00 10 00 00-00 02 00 00  ......@.........
0080  00 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00  ................
0090  00 40 00 00-00 02 00 00-00 00 00 00-02 00 00 00  .@..............
00A0  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00B0  00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00  ................  (the data directories start at 0xB8)

Data directories: pointers to additional structures (exports, imports, ...)
00C0  00 20 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00D0-0120  all zero

Section table: defines how the file is loaded in memory
0130  00 00 00 00-00 00 00 00-2E 74 65 78-74 00 00 00  .........text...
0140  00 10 00 00-00 10 00 00-00 02 00 00-00 02 00 00  ................
0150  00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 60  ...............`
0160  2E 72 64 61-74 61 00 00-00 10 00 00-00 20 00 00  .rdata..........
0170  00 02 00 00-00 04 00 00-00 00 00 00-00 00 00 00  ................
0180  00 00 00 00-40 00 00 40-2E 64 61 74-61 00 00 00  ....@..@.data...
0190  00 10 00 00-00 30 00 00-00 02 00 00-00 06 00 00  .....0..........
01A0  00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 C0  ............@...
01B0-01F0  all zero (padding up to SizeOfHeaders = 0x200)

Sections: content of the executable

Code (.text, offset 0x200): what is executed
0200  6A 00 68 00-30 40 00 68-17 30 40 00-6A 00 FF 15  j.h.0@.h.0@.j...
0210  70 20 40 00-6A 00 FF 15-68 20 40 00-00 00 00 00  p @.j...h @.....
0220-03F0  all zero

Imports (.rdata, offset 0x400): link between the executable and the (Windows) libraries
0400  3C 20 00 00-00 00 00 00-00 00 00 00-78 20 00 00  < ..........x ..
0410  68 20 00 00-44 20 00 00-00 00 00 00-00 00 00 00  h ..D ..........
0420  85 20 00 00-70 20 00 00-00 00 00 00-00 00 00 00  . ..p ..........
0430  00 00 00 00-00 00 00 00-00 00 00 00-4C 20 00 00  ............L ..
0440  00 00 00 00-5A 20 00 00-00 00 00 00-00 00 45 78  ....Z ........Ex
0450  69 74 50 72-6F 63 65 73-73 00 00 00-4D 65 73 73  itProcess...Mess
0460  61 67 65 42-6F 78 41 00-4C 20 00 00-00 00 00 00  ageBoxA.L ......
0470  5A 20 00 00-00 00 00 00-6B 65 72 6E-65 6C 33 32  Z ......kernel32
0480  2E 64 6C 6C-00 75 73 65-72 33 32 2E-64 6C 6C 00  .dll.user32.dll.
0490-05F0  all zero

Data (.data, offset 0x600): information used by the code
0600  61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63  a simple PE exec
0610  75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72  utable.Hello wor
0620  6C 64 21 00-00 00 00 00-00 00 00 00-00 00 00 00  ld!.............
0630-07F0  all zero

Section table (offset 0x138, three IMAGE_SECTION_HEADER entries of 40 bytes each)

Name    VirtualSize  VirtualAddress  SizeOfRawData    PointerToRawData   Characteristics
                     (RVA*)          (physical size)  (physical offset)
.text   0x1000       0x1000          0x200            0x200              0x60000020  CODE | EXECUTE | READ
.rdata  0x1000       0x2000          0x200            0x400              0x40000040  INITIALIZED DATA | READ
.data   0x1000       0x3000          0x200            0x600              0xC0000040  INITIALIZED DATA | READ | WRITE

For each section, a block of SizeOfRawData bytes is read from the file at offset PointerToRawData. It is loaded in memory at address ImageBase + VirtualAddress, in a block of VirtualSize bytes, with the section's own characteristics (which also set the page protections: here the code is executable but not writable, the imports are read-only, and the data is writable). When VirtualSize is larger than SizeOfRawData, as it is here (0x1000 against 0x200), the rest of the memory block is zero-filled.

Code (.text, file offset 0x200, RVA 0x1000, VA 0x401000; the poster labels the VA as "RVA")

Hex                  x86 assembly      Equivalent C
6A 00                push 0
68 00 30 40 00       push 0x403000
68 17 30 40 00       push 0x403017
6A 00                push 0
FF 15 70 20 40 00    call [0x402070]   MessageBox(0, "Hello world!", "a simple PE executable", 0);
6A 00                push 0
FF 15 68 20 40 00    call [0x402068]   ExitProcess(0);

The arguments are pushed right to left (stdcall), so the four pushes before the first call are uType = 0, lpCaption = 0x403000 ("a simple PE executable"), lpText = 0x403017 ("Hello world!") and hWnd = 0. Both calls are indirect through the IAT: [0x402070] and [0x402068] only hold the addresses of MessageBoxA and ExitProcess once the loader has filled them in.
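The listing above can be produced mechanically. The following is an added example, not code from the poster: a decoder for exactly the three encodings this .text section uses (push imm8, push imm32, call dword ptr [disp32]) that names each indirect call through the IAT slots and each pushed pointer through the .data strings, then replays the pushes as stdcall arguments to recover the C calls. The IAT and STRINGS maps are constructed here from the values the poster lists; nothing is read from a real file.

```python
import struct

# The 28 code bytes at file offset 0x200 (RVA 0x1000, VA 0x401000), copied from the dump.
CODE = bytes.fromhex("6A00 6800304000 6817304000 6A00 FF1570204000 6A00 FF1568204000")
CODE_VA = 0x401000
# IAT slots and .data strings as the poster lists them (VA -> name); constructed for this example.
IAT = {0x402068: "ExitProcess", 0x402070: "MessageBoxA"}
STRINGS = {0x403000: "a simple PE executable", 0x403017: "Hello world!"}

def decode(code, va):
    """Decode the three encodings this snippet uses: push imm8, push imm32, call [disp32]."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x6A:                                   # 6A ib: push sign-extended imm8
            n, operand, mnem = 2, struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF, "push"
        elif op == 0x68:                                 # 68 id: push imm32
            n, operand, mnem = 5, struct.unpack_from("<I", code, i + 1)[0], "push"
        elif op == 0xFF and code[i + 1] == 0x15:         # FF 15 disp32: call dword ptr [disp32]
            n, operand, mnem = 6, struct.unpack_from("<I", code, i + 2)[0], "call"
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {va + i:#x}")
        yield va + i, code[i:i + n], mnem, operand
        i += n

def listing(code, va):
    """Annotated disassembly: indirect calls are named through the IAT, pushes through .data."""
    lines = []
    for addr, raw, mnem, operand in decode(code, va):
        text = f"call [{operand:#x}]" if mnem == "call" else f"push {operand:#x}"
        note = IAT.get(operand) or STRINGS.get(operand)
        lines.append(f"{addr:08x}  {raw.hex():<12} {text:<18}" + (f" ; {note}" if note else ""))
    return lines

def reconstruct_calls(code, va):
    """Replay the pushes as stdcall arguments (last push = first argument) and name each call."""
    stack, calls = [], []
    for _, _, mnem, operand in decode(code, va):
        if mnem == "push":
            stack.append(operand)
            continue
        args = [STRINGS.get(a, a) for a in reversed(stack)]
        calls.append((IAT.get(operand, f"[{operand:#x}]"), args))
        stack.clear()                                     # stdcall: the callee pops its arguments
    return calls

if __name__ == "__main__":
    print("\n".join(listing(CODE, CODE_VA)))
    for api, args in reconstruct_calls(CODE, CODE_VA):
        print(f"{api}({', '.join(repr(a) for a in args)});")
```

The decoder is deliberately minimal: it refuses any opcode it does not know rather than guessing, which is the right behaviour for a triage script, and it resolves `call [0x402070]` to MessageBoxA from the IAT layout alone, the same way a disassembler labels imports before the program has ever run.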

Import structure (.rdata, file offset 0x400, RVA 0x2000, VA 0x402000)

All addresses inside these structures are relative (RVAs). The hex below is the same .rdata section as in the dump, split by structure.

Descriptors (IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk = INT, TimeDateStamp, ForwarderChain, Name, FirstThunk = IAT; the list ends with an all-zero descriptor)
0400  3C 20 00 00  00 00 00 00  00 00 00 00  78 20 00 00  68 20 00 00   INT 0x203c, 0, 0, Name 0x2078 (kernel32.dll), IAT 0x2068
0414  44 20 00 00  00 00 00 00  00 00 00 00  85 20 00 00  70 20 00 00   INT 0x2044, 0, 0, Name 0x2085 (user32.dll), IAT 0x2070
0428  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00   0 0 0 0 0: end of the descriptors

INT (Import Name Table)
043C  4C 20 00 00  00 00 00 00   kernel32.dll: 0x204c, 0
0444  5A 20 00 00  00 00 00 00   user32.dll:   0x205a, 0

Hint,Name
044C  00 00  45 78 69 74 50 72 6F 63 65 73 73 00   0, "ExitProcess"
045A  00 00  4D 65 73 73 61 67 65 42 6F 78 41 00   0, "MessageBoxA"

IAT (Import Address Table)
0468  4C 20 00 00  00 00 00 00   kernel32.dll: 0x204c, 0
0470  5A 20 00 00  00 00 00 00   user32.dll:   0x205a, 0

DLL names
0478  6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00   "kernel32.dll"
0485  75 73 65 72 33 32 2E 64 6C 6C 00         "user32.dll"

Consequences: after loading,
  0x402068 will point to ExitProcess, from kernel32.dll
  0x402070 will point to MessageBoxA, from user32.dll

Strings (.data, file offset 0x600, RVA 0x3000, VA 0x403000)
0600  61 20 73 69-6D 70 6C 65-20 50 45 20-65 78 65 63  a simple PE exec
0610  75 74 61 62-6C 65 00 48-65 6C 6C 6F-20 77 6F 72  utable.Hello wor
0620  6C 64 21 00                                      ld!.

  0x403000  "a simple PE executable\0"
  0x403017  "Hello world!\0"

This is the entire file. Most PE files, however, contain more elements. The explanations are simplified for brevity.

Notes

Loading steps (the bracketed digits in the field tables refer to these steps)

1 Headers
  the DOS header is parsed
  the PE header is parsed (its offset is e_lfanew from the DOS header)
  the optional header is parsed (it follows the PE header)
  the data directories are parsed
    they follow the optional header
    their count is NumberOfRvaAndSizes
    the imports are always the 2nd entry

2 Section table
  the section table is parsed (it is located at offset(OptionalHeader) + SizeOfOptionalHeader)
  it contains NumberOfSections elements
  it must conform to the alignments: PointerToRawData to FileAlignment, VirtualAddress to SectionAlignment

3 Loading
  the file is loaded in memory according to
    the memory base, ImageBase
    the size of the headers, SizeOfHeaders
    the section table

4 Imports
  the imports are parsed
  each descriptor defines a DLL name
  that DLL is loaded in memory
  IAT and INT are parsed in parallel
  for each API in the INT, the corresponding address is written into the corresponding IAT entry

5 Execution
  the code is called at the EntryPoint
  calls in the code reach the APIs through the IAT

File layout and memory layout of this file

File offset                                Memory (ImageBase 0x400000 + relative virtual address)
0x0    headers, SizeOfHeaders = 0x200      0x400000  headers (mapped up to 0x400200)
0x200  section 1 (.text), SizeOfRawData    0x401000  section 1, VirtualAddress 0x1000, VirtualSize 0x1000
0x400  section 2 (.rdata, holds the IAT)   0x402000  section 2, VirtualAddress 0x2000
0x600  section 3 (.data)                   0x403000  section 3, VirtualAddress 0x3000
0x800  end of file                         0x404000  end of image, SizeOfImage = 0x4000

IAT entry -> library.dll -> Hint, "API name" -> API_address (resolved at load time)

Explanations

MZ header, or DOS_HEADER
  starts with 'MZ' (initials of Mark Zbikowski, MS-DOS developer)

PE header, or IMAGE_NT_HEADERS / COFF header
  starts with 'PE' (Portable Executable); the 'PE' signature is followed by IMAGE_FILE_HEADER, the COFF header

Optional header, or IMAGE_OPTIONAL_HEADER
  optional only in non-standard cases (object files); required for executables

RVA, Relative Virtual Address
  address relative to ImageBase (at ImageBase, RVA = 0)
  almost all addresses in the headers are relative
  in the code, addresses are not relative: they are absolute (ImageBase + RVA), which is why this file, which has no relocation directory, can only run at ImageBase 0x400000

INT, Import Name Table
  0-terminated list of pointers to Hint, Name structures
IAT, Import Address Table
  0-terminated list of pointers
  identical to the INT in the file
  points to the imported APIs (API_address) after loading

HINT
  index into the export table of the DLL being imported
  not required, but saves time at load

The sample: simple.exe, SHA-1 b7af4cb51ce38e43e030656eb2698fab408cf9cb, downloadable from pe101.corkami.com

version 0.99fr, 16 May 2012
