The basics of program analysis – PE file format, DOS, NT, Section Header by PEBrowse

Reverse engineering has long mattered to programmers, and as malware such as viruses and, more recently, cyber weapons keep emerging, security and endpoint protection have become critical areas. Security personnel therefore need analysis skills, and one of the most fundamental is understanding the structure called the PE Header, the information a file carries that reverse engineering works from.

1. The basics of program analysis

PE file format

First, to understand the PE Header you need to understand the PE file format.

The PE file format, short for Portable Executable, is the executable file format defined by the Windows operating system.

Books on the PE file format each present the information they need, so they differ in detail; if you want a more in-depth study, note in advance that the MSDN documentation and the related books are the reference.

On Windows we often come across PE files with extensions such as EXE, SCR, DLL, OCX, SYS and OBJ. Apart from EXE, which runs directly, and OBJ, which does not run, the others can be run indirectly (as services, through debugging, via the registry, and so on).

The following figure, published on MSDN a long time ago, shows the normal structure of a PE file.


[Figure] PE Header structure, source: MSDN

Pictures from other sources look slightly different, but the required headers are identical. The left side of the picture shows the mandatory part of the file as it is laid out on disk; each structure is terminated by NULL padding, which is how the end of one structure can be told from the next.

So let's look at the contents in a HEX editor for more detail.

The right side of the [Figure] PE Header structure shows the file after it has been loaded into memory: positions change from file offsets to VAs (Virtual Addresses), and the size and location of each Section are expressed in memory terms. The PE Header specifies where each part is loaded in memory, and at least the basic alignment unit changes to fit the in-memory layout.

In the [Figure] PE Header structure, the DOS Header, the NT Header (the MSDN figure above labels it PE Header; here it is called the NT Header to distinguish it) and the Section Table together are usually called the PE Header, and the Sections that follow are called the PE Body.

To make the PE structure easier to distinguish, pictures and descriptions from PEView and PEBrowse are added here; readers should take this opportunity to look at these tools for themselves.

Now that we have briefly looked at the overall structure of the PE file format, we will look at the PE Header and a few important DataDirectory entries (IAT, EAT, etc.) in more detail.

DOS Header

The DOS Header is the actual file data shown in the figure above; note how it is written, for reference.


[Figure] DOS Header HEX values confirmed in HxD

The contents inside the square box in the picture above are the DOS Header. The DOS Stub follows at 40h; it is the part that runs in DOS mode and prints a guide message, so it has nothing to do with a Windows run. The DOS Stub is 16-bit code, defined for the DOS environment of the time. Two important members of the DOS Header are underlined: the MZ code (ASCII) is the value of the e_magic member, the DOS Signature with which every PE file begins. The NULL padding at d0h is related to the value of e_lfanew. At the end of the structure, at 000000E0, the DOS Header member e_lfanew holds the offset at which the NT Header starts. There you find the PE code (ASCII), the PE Signature, which deserves attention today: the PE Header structure holds the information needed to run on Windows.

The structure of the DOS Header, which we move on to now, is as shown below.

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

[Contents] IMAGE_DOS_HEADER structure, source: Microsoft SDK WinNT.h

That is the DOS Header; the important information it holds will come up again later. Next we head to the NT Header.

NT Header

Now let's look at the PE Header proper, in other words IMAGE_NT_HEADERS.

First, let's check the structure of the NT Header.

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;        // 1
    IMAGE_FILE_HEADER       FileHeader;       // 2
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;   // 3
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

[Contents] IMAGE_NT_HEADERS structure, source: Microsoft SDK WinNT.h

The NT Header has one member and two embedded headers; let's check each member and header in turn.

First, member 1, Signature: like the Signature of the DOS Header, it is the code PE (ASCII) that marks the beginning of the NT Header. Next comes the File Header; let's check its structure.

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;                // 1
    WORD  NumberOfSections;       // 2
    DWORD TimeDateStamp;          // 3
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;   // 4
    WORD  Characteristics;        // 5
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

[Contents] IMAGE_FILE_HEADER structure, source: Microsoft SDK WinNT.h

1. Machine is a code for the machine type this file can run on. The meaning of each code is defined in WinNT.h; see the list below.

#define IMAGE_FILE_MACHINE_UNKNOWN    0
#define IMAGE_FILE_MACHINE_I386       0x014c  // Intel 386.
#define IMAGE_FILE_MACHINE_R3000      0x0162  // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000      0x0166  // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000     0x0168  // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2  0x0169  // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA      0x0184  // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3        0x01a2  // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP     0x01a3
#define IMAGE_FILE_MACHINE_SH3E       0x01a4  // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4        0x01a6  // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5        0x01a8  // SH5
#define IMAGE_FILE_MACHINE_ARM        0x01c0  // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB      0x01c2
#define IMAGE_FILE_MACHINE_AM33       0x01d3
#define IMAGE_FILE_MACHINE_POWERPC    0x01F0  // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP  0x01f1
#define IMAGE_FILE_MACHINE_IA64       0x0200  // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16     0x0266  // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64    0x0284  // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU    0x0366  // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16  0x0466  // MIPS
#define IMAGE_FILE_MACHINE_AXP64      IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE    0x0520  // Infineon
#define IMAGE_FILE_MACHINE_CEF        0x0CEF
#define IMAGE_FILE_MACHINE_EBC        0x0EBC  // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64      0x8664  // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R       0x9041  // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE        0xC0EE

[Contents] IMAGE_FILE_MACHINE values, source: Microsoft SDK WinNT.h

2. NumberOfSections is the number of Sections in the current PE file.

3. TimeDateStamp is a value indicating the time the file was built.

4. SizeOfOptionalHeader is the size of the IMAGE_OPTIONAL_HEADER32 structure described next. Finally, 5. Characteristics holds information about the properties of the PE file; the detailed descriptions are in WinNT.h.

#define IMAGE_FILE_RELOCS_STRIPPED          0x0001  // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE         0x0002  // File is executable  (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED       0x0004  // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED      0x0008  // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM        0x0010  // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE      0x0020  // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO        0x0080  // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE            0x0100  // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED           0x0200  // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400  // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP        0x0800  // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM                   0x1000  // System File.
#define IMAGE_FILE_DLL                      0x2000  // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY           0x4000  // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI        0x8000  // Bytes of machine word are reversed.

[Contents] IMAGE_FILE characteristics, source: Microsoft SDK WinNT.h

For illustration, let's check the actual values of REGEDIT.


[Figure] PEBrowse File Header structure

The Characteristics value of REGEDIT.EXE is 102h, which is 0x0002 and 0x0100 combined: an executable file for a 32-bit machine, as shown in the figure above. The Machine value described earlier is 14ch, which indicates an Intel 386 compatible model.
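As an added example (not code from the original post), the following Python walks the headers described in the DOS Header, NT Header and File Header sections above: it reads e_magic and e_lfanew, checks the PE signature and decodes the IMAGE_FILE_HEADER members, including the Characteristics value 102h and Machine value 14ch of REGEDIT. The header bytes are constructed inline from those values, and the machine and flag tables are a subset of the WinNT.h values listed above.

```python
import struct

# Subset of the IMAGE_FILE_MACHINE_* and IMAGE_FILE_* values from WinNT.h quoted above
MACHINES = {0x014C: "I386", 0x01C0: "ARM", 0x0200: "IA64", 0x8664: "AMD64"}
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
              0x0200: "DEBUG_STRIPPED", 0x1000: "SYSTEM", 0x2000: "DLL"}
FILE_HEADER_FMT = "<HHIIIHH"   # IMAGE_FILE_HEADER: Machine .. Characteristics, 20 bytes


def parse_headers(data: bytes) -> dict:
    """DOS Header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER, with bounds checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS signature 'MZ' (e_magic)")
    # e_lfanew is the last DOS Header member, a LONG at offset 0x3C
    (e_lfanew,) = struct.unpack_from("<l", data, 0x3C)
    # The offset comes straight from the file: reject values that leave the buffer
    # before indexing, otherwise a crafted header turns the parser into an out-of-bounds read
    if e_lfanew < 0x40 or e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT) > len(data):
        raise ValueError(f"e_lfanew {e_lfanew:#x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "number_of_sections": nsec,
        "time_date_stamp": stamp,
        "size_of_optional_header": opt_size,
        "characteristics": chars,
        "flags": [name for bit, name in sorted(FILE_FLAGS.items()) if chars & bit],
    }


def build_sample() -> bytes:
    """Constructed header: a 0x40-byte DOS Header (no stub), e_lfanew = 0x40, then the
    NT signature and a File Header carrying REGEDIT's Machine 14ch and Characteristics 102h."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<l", dos, 0x3C, 0x40)
    # 4 sections (as in the REGEDIT dump), SizeOfOptionalHeader 0xE0, Characteristics 0x102
    file_header = struct.pack(FILE_HEADER_FMT, 0x014C, 4, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    for key, value in parse_headers(build_sample()).items():
        print(f"{key:>24}: {value:#x}" if isinstance(value, int) else f"{key:>24}: {value}")
```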

That covers the FileHeader; from here on we look at the important IMAGE_OPTIONAL_HEADER32 structure.

typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD  Magic;                          // 1
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;                     // 2
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;            // 3
    DWORD BaseOfCode;                     // 4
    DWORD BaseOfData;                     // 5
    //
    // NT additional fields.
    //
    DWORD ImageBase;                      // 6
    DWORD SectionAlignment;               // 7
    DWORD FileAlignment;                  // 8
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;                    // 9
    DWORD SizeOfHeaders;                  // 10
    DWORD CheckSum;
    WORD  Subsystem;                      // 11
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;            // 12
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];   // 13
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

[Contents] IMAGE_OPTIONAL_HEADER32 structure, source: Microsoft SDK WinNT.h

1. Magic distinguishes IMAGE_OPTIONAL_HEADER32 (32-bit) from IMAGE_OPTIONAL_HEADER64 (64-bit): it holds 10bh for 32-bit and 20bh for 64-bit. 2. SizeOfCode is the size of the .text Section in the file, and has the same value as the SizeOfRawData of the .text Section described later.

3. AddressOfEntryPoint is the starting point (Entry Point) of the program, expressed as a relative address (Relative Virtual Address). After the image has been loaded into memory, ImageBase + AddressOfEntryPoint is assigned to the EIP register and the program starts.

4. BaseOfCode and 5. BaseOfData hold the starting addresses of the Code and the Data.

6. ImageBase is the starting address at which the file is loaded in memory.

7. SectionAlignment and 8. FileAlignment are the smallest units of a section in memory and in the file: a section's size must be a multiple of SectionAlignment in memory and of FileAlignment in the file, and the remainder is padded with NULL bytes.

9. SizeOfImage is the full size of the image when loaded into memory; 10. SizeOfHeaders is the total size of the PE Header in the file.

11. Subsystem indicates the environment the program runs in; the values are defined in WinNT.h.

#define IMAGE_SUBSYSTEM_UNKNOWN                   0   // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE                    1   // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI               2   // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI               3   // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI                   5   // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI                 7   // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS            8   // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI            9   // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION           10  //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER   11  //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER        12  //
#define IMAGE_SUBSYSTEM_EFI_ROM                   13
#define IMAGE_SUBSYSTEM_XBOX                      14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION  16

[Contents] Subsystem values, source: Microsoft SDK WinNT.h

12. NumberOfRvaAndSizes is the number of entries in the DataDirectory array. WinNT.h defines it as 10h (16), but the value that actually counts is the one stored in the PE Header.

13. DataDirectory is a little long, so I describe it below.

Now let's check the actual values in REGEDIT's Optional Header.


[Figure] PEBrowse’s Optional Header information screen

REGEDIT's Magic value 10bh indicates IMAGE_OPTIONAL_HEADER32 (32-bit).

SizeOfCode is 1b600h (112128), and the starting position of the Code, as an RVA (relative address), is 1000h, so 1000h + 1000000h (ImageBase) = 1001000h. The basic unit of a section is 1000h (4096) in memory and 200h (512) in the file.

The total size of REGEDIT is 67d78h (425336) and the total size of the headers is 400h (1024); Subsystem is 2, which indicates a Windows GUI based application.

The number of entries in the DataDirectory array is 10h (16).
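An added example, not part of the original post, that decodes IMAGE_OPTIONAL_HEADER32 and the DataDirectory array that follows it at +0x60, with the consistency checks a loader applies to the alignment fields and a cap on NumberOfRvaAndSizes (which, as noted above, is read from the file rather than taken from WinNT.h). The sample header is constructed inline from the REGEDIT values quoted above; the AddressOfEntryPoint value 0x1A2B0 and every zeroed field are placeholders not taken from the text.

```python
import struct

# IMAGE_OPTIONAL_HEADER32 members in WinNT.h order, with struct codes (H=WORD, B=BYTE, I=DWORD)
OPT32_FIELDS = [
    ("Magic", "H"), ("MajorLinkerVersion", "B"), ("MinorLinkerVersion", "B"), ("SizeOfCode", "I"),
    ("SizeOfInitializedData", "I"), ("SizeOfUninitializedData", "I"), ("AddressOfEntryPoint", "I"),
    ("BaseOfCode", "I"), ("BaseOfData", "I"), ("ImageBase", "I"), ("SectionAlignment", "I"),
    ("FileAlignment", "I"), ("MajorOperatingSystemVersion", "H"), ("MinorOperatingSystemVersion", "H"),
    ("MajorImageVersion", "H"), ("MinorImageVersion", "H"), ("MajorSubsystemVersion", "H"),
    ("MinorSubsystemVersion", "H"), ("Win32VersionValue", "I"), ("SizeOfImage", "I"),
    ("SizeOfHeaders", "I"), ("CheckSum", "I"), ("Subsystem", "H"), ("DllCharacteristics", "H"),
    ("SizeOfStackReserve", "I"), ("SizeOfStackCommit", "I"), ("SizeOfHeapReserve", "I"),
    ("SizeOfHeapCommit", "I"), ("LoaderFlags", "I"), ("NumberOfRvaAndSizes", "I"),
]
OPT32_FMT = "<" + "".join(code for _, code in OPT32_FIELDS)   # 0x60 bytes; DataDirectory follows
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def parse_optional_header32(data: bytes, off: int) -> dict:
    """Decode the 32-bit optional header at `off` and the DataDirectory entries after it."""
    hdr = dict(zip([name for name, _ in OPT32_FIELDS], struct.unpack_from(OPT32_FMT, data, off)))
    if hdr["Magic"] != 0x10B:
        raise ValueError(f"Magic {hdr['Magic']:#x} is not IMAGE_OPTIONAL_HEADER32 (10bh)")
    # NumberOfRvaAndSizes is read from the file, not from WinNT.h: cap it at 16 so a
    # hostile value cannot push the parser past the end of the header
    count = min(hdr["NumberOfRvaAndSizes"], len(DIR_NAMES))
    base = off + struct.calcsize(OPT32_FMT)
    hdr["DataDirectory"] = {}
    for i in range(count):
        rva, size = struct.unpack_from("<II", data, base + 8 * i)
        if rva or size:                      # an all-zero entry means "not present"
            hdr["DataDirectory"][DIR_NAMES[i]] = (rva, size)
    hdr["SubsystemName"] = SUBSYSTEMS.get(hdr["Subsystem"], "UNKNOWN")
    hdr["EntryPointVA"] = hdr["ImageBase"] + hdr["AddressOfEntryPoint"]   # initial EIP
    return hdr


def alignment_problems(hdr: dict) -> list:
    """Consistency checks on the alignment fields that a loader or a triage script applies."""
    sa, fa = hdr["SectionAlignment"], hdr["FileAlignment"]
    if sa == 0 or fa == 0:
        return ["zero SectionAlignment or FileAlignment"]
    problems = []
    if sa < fa:
        problems.append("SectionAlignment smaller than FileAlignment")
    if hdr["SizeOfHeaders"] % fa:
        problems.append("SizeOfHeaders is not a multiple of FileAlignment")
    if hdr["AddressOfEntryPoint"] >= hdr["SizeOfImage"]:
        problems.append("AddressOfEntryPoint lies outside SizeOfImage")
    return problems


def build_regedit_sample() -> bytes:
    """Constructed 0xE0-byte optional header from the REGEDIT values in the text; the
    AddressOfEntryPoint (0x1A2B0) and every zeroed field are placeholders, not from the text."""
    values = {"Magic": 0x10B, "SizeOfCode": 0x1B600, "AddressOfEntryPoint": 0x1A2B0,
              "BaseOfCode": 0x1000, "ImageBase": 0x1000000, "SectionAlignment": 0x1000,
              "FileAlignment": 0x200, "SizeOfImage": 0x67D78, "SizeOfHeaders": 0x400,
              "Subsystem": 2, "NumberOfRvaAndSizes": 16}
    body = struct.pack(OPT32_FMT, *[values.get(name, 0) for name, _ in OPT32_FIELDS])
    dirs = [(0, 0)] * 16   # IMPORT, RESOURCE and IAT as in the PEBrowse listing below
    dirs[1], dirs[2], dirs[12] = (0x1A564, 0x154), (0x5F000, 0x3488), (0x1000, 0x580)
    return body + b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
```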

Now for 13., the DataDirectory, an array of IMAGE_DATA_DIRECTORY structures.

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

[Contents] IMAGE_DATA_DIRECTORY structure source : Microsoft SDK WinNT.h

Of the 16 Directory Entries, the important items were shown in bold (the four listed below with their offsets and values). These four are required as key parts of the PE Header and are closely connected to the IAT (Import Address Table) and EAT (Export Address Table). The IAT and EAT are demonstrated below, after the Section Header; the remaining entries are left for your own study. Briefly, to say it in advance: the DataDirectory defines the location and size of the tables describing the libraries a PE file provides and uses.

DataDirectory[0]  – IMAGE_DIRECTORY_ENTRY_EXPORT
    (+0x60) VirtualAddress: 0x00000000
    (+0x64) Size:           0x00000000
DataDirectory[1]  – IMAGE_DIRECTORY_ENTRY_IMPORT
    (+0x68) VirtualAddress: 0x0001A564
    (+0x6C) Size:           0x00000154
DataDirectory[2]  – IMAGE_DIRECTORY_ENTRY_RESOURCE
    (+0x70) VirtualAddress: 0x0005F000
    (+0x74) Size:           0x00003488
DataDirectory[3]  – IMAGE_DIRECTORY_ENTRY_EXCEPTION
DataDirectory[4]  – IMAGE_DIRECTORY_ENTRY_SECURITY
DataDirectory[5]  – IMAGE_DIRECTORY_ENTRY_BASERELOC
DataDirectory[6]  – IMAGE_DIRECTORY_ENTRY_DEBUG
DataDirectory[7]  – IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
DataDirectory[8]  – IMAGE_DIRECTORY_ENTRY_GLOBALPTR
DataDirectory[9]  – IMAGE_DIRECTORY_ENTRY_TLS
DataDirectory[10] – IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DataDirectory[11] – IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
DataDirectory[12] – IMAGE_DIRECTORY_ENTRY_IAT
    (+0xC0) VirtualAddress: 0x00001000
    (+0xC4) Size:           0x00000580
DataDirectory[13] – IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
DataDirectory[14] – IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
DataDirectory[15]

[Contents] PEBrowse DataDirectory structures

Section Header

That ends IMAGE_OPTIONAL_HEADER32, and with it the NT Header and the PE Header; next let's look at the structure of the Section Header.

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;            // 1
    } Misc;
    DWORD VirtualAddress;             // 2
    DWORD SizeOfRawData;              // 3
    DWORD PointerToRawData;           // 4
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;            // 5
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

[Contents] IMAGE_SECTION_HEADER structure source : Microsoft SDK WinNT.h

Description of the members:

1. VirtualSize is the size the section occupies in memory, and 2. VirtualAddress is the starting address of the Section in memory.

3. SizeOfRawData is the size the section occupies in the file, and

4. PointerToRawData is the position in the file at which the section starts.

5. Characteristics indicates the properties of the corresponding Section; the values can be confirmed in WinNT.h.

//      IMAGE_SCN_TYPE_REG                0x00000000  // Reserved.
//      IMAGE_SCN_TYPE_DSECT              0x00000001  // Reserved.
//      IMAGE_SCN_TYPE_NOLOAD             0x00000002  // Reserved.
//      IMAGE_SCN_TYPE_GROUP              0x00000004  // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD             0x00000008  // Reserved.
//      IMAGE_SCN_TYPE_COPY               0x00000010  // Reserved.
#define IMAGE_SCN_CNT_CODE                0x00000020  // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA    0x00000040  // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA  0x00000080  // Section contains uninitialized data.
#define IMAGE_SCN_LNK_OTHER               0x00000100  // Reserved.
#define IMAGE_SCN_LNK_INFO                0x00000200  // Section contains comments or some other type of information.
//      IMAGE_SCN_TYPE_OVER               0x00000400  // Reserved.
#define IMAGE_SCN_LNK_REMOVE              0x00000800  // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT              0x00001000  // Section contents comdat.
//                                        0x00002000  // Reserved.
//      IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC       0x00004000  // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL                   0x00008000  // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA             0x00008000
//      IMAGE_SCN_MEM_SYSHEAP - Obsolete  0x00010000
#define IMAGE_SCN_MEM_PURGEABLE           0x00020000
#define IMAGE_SCN_MEM_16BIT               0x00020000
#define IMAGE_SCN_MEM_LOCKED              0x00040000
#define IMAGE_SCN_MEM_PRELOAD             0x00080000
#define IMAGE_SCN_ALIGN_1BYTES            0x00100000  //
#define IMAGE_SCN_ALIGN_2BYTES            0x00200000  //
#define IMAGE_SCN_ALIGN_4BYTES            0x00300000  //
#define IMAGE_SCN_ALIGN_8BYTES            0x00400000  //
#define IMAGE_SCN_ALIGN_16BYTES           0x00500000  // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES           0x00600000  //
#define IMAGE_SCN_ALIGN_64BYTES           0x00700000  //
#define IMAGE_SCN_ALIGN_128BYTES          0x00800000  //
#define IMAGE_SCN_ALIGN_256BYTES          0x00900000  //
#define IMAGE_SCN_ALIGN_512BYTES          0x00A00000  //
#define IMAGE_SCN_ALIGN_1024BYTES         0x00B00000  //
#define IMAGE_SCN_ALIGN_2048BYTES         0x00C00000  //
#define IMAGE_SCN_ALIGN_4096BYTES         0x00D00000  //
#define IMAGE_SCN_ALIGN_8192BYTES         0x00E00000  //
//      Unused                            0x00F00000
#define IMAGE_SCN_ALIGN_MASK              0x00F00000
#define IMAGE_SCN_LNK_NRELOC_OVFL         0x01000000  // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE         0x02000000  // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED          0x04000000  // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED           0x08000000  // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED              0x10000000  // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE             0x20000000  // Section is executable.
#define IMAGE_SCN_MEM_READ                0x40000000  // Section is readable.
#define IMAGE_SCN_MEM_WRITE               0x80000000  // Section is writeable.

[Contents] Characteristics values, source: Microsoft SDK WinNT.h

For example, if the Characteristics value of a REGEDIT section is 60000020h, it means 20h (contains code), 40000000h (readable) and 20000000h (executable) combined.

Below are the Section Header values of REGEDIT as checked in OllyDbg. It is a lot of output, but do not be put off by it.

2E 74 65 78  ASCII ".text"   ; SECTION
7CB40100     DD 0001B47C     ; VirtualSize = 1B47C (111740.)
00100000     DD 00001000     ; VirtualAddress = 1000
00B60100     DD 0001B600     ; SizeOfRawData = 1B600 (112128.)
00040000     DD 00000400     ; PointerToRawData = 400
00000000     DD 00000000     ; PointerToRelocations = 0
00000000     DD 00000000     ; PointerToLineNumbers = 0
0000         DW 0000         ; NumberOfRelocations = 0
0000         DW 0000         ; NumberOfLineNumbers = 0
20000060     DD 60000020     ; Characteristics = CODE| EXECUTE| READ

2E 64 61 74  ASCII ".data"   ; SECTION
F0120400     DD 000412F0     ; VirtualSize = 412F0 (266992.)
00D00100     DD 0001D000     ; VirtualAddress = 1D000
00080400     DD 00040800     ; SizeOfRawData = 40800 (264192.)
00BA0100     DD 0001BA00     ; PointerToRawData = 1BA00
00000000     DD 00000000     ; PointerToRelocations = 0
0000000      DD 00000000     ; PointerToLineNumbers = 0
0000         DW 0000         ; NumberOfRelocations = 0
0000         DW 0000         ; NumberOfLineNumbers = 0
400000C0     DD C0000040     ; Characteristics = INITIALIZED_DATA| READ| WRITE

2E 72 73 72  ASCII ".rsrc"   ; SECTION
88340000     DD 00003488     ; VirtualSize = 3488 (13448.)
00F00500     DD 0005F000     ; VirtualAddress = 5F000
00360000     DD 00003600     ; SizeOfRawData = 3600 (13824.)
00C20500     DD 0005C200     ; PointerToRawData = 5C200
00000000     DD 00000000     ; PointerToRelocations = 0
00000000     DD 00000000     ; PointerToLineNumbers = 0
0000         DW 0000         ; NumberOfRelocations = 0
0000         DW 0000         ; NumberOfLineNumbers = 0
4000004      DD 40000040     ; Characteristics = INITIALIZED_DATA| READ

2E 72 65 6C  ASCII ".reloc"  ; SECTION
801A0000     DD 00001A80     ; VirtualSize = 1A80 (6784.)
00300600     DD 00063000     ; VirtualAddress = 63000
001C0000     DD 00001C00     ; SizeOfRawData = 1C00 (7168.)
00F80500     DD 0005F800     ; PointerToRawData = 5F800
00000000     DD 00000000     ; PointerToRelocations = 0
00000000     DD 00000000     ; PointerToLineNumbers = 0
0000         DW 0000         ; NumberOfRelocations = 0
0000         DW 0000         ; NumberOfLineNumbers = 0
40000042     DD 42000040     ; Characteristics = INITIALIZED_DATA| DISCARDABLE| READ

[Contents] OllyDbg Section Header structures
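An added example (not the post's code) that parses IMAGE_SECTION_HEADER entries, decodes their Characteristics flags, and converts an RVA to a file offset, which is what ties the DataDirectory RVAs from the PEBrowse listing above to the bytes on disk. The section table is re-packed inline from the REGEDIT values in the OllyDbg dump; the three directory RVAs are REGEDIT's values from the DataDirectory listing, and the flag table is a subset of the WinNT.h values above.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes; the Misc union is read as VirtualSize
# Subset of the IMAGE_SCN_* Characteristics values from WinNT.h quoted above
SCN_FLAGS = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA", 0x00000080: "UNINITIALIZED_DATA",
             0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def parse_sections(table: bytes, count: int) -> list:
    """Decode `count` section headers; count is IMAGE_FILE_HEADER.NumberOfSections."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, table, 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": vsize, "VirtualAddress": va, "SizeOfRawData": rawsize,
                         "PointerToRawData": rawptr, "Characteristics": chars,
                         "flags": [n for bit, n in sorted(SCN_FLAGS.items()) if chars & bit]})
    return sections

def section_for_rva(sections: list, rva: int):
    """The section whose memory range [VirtualAddress, VirtualAddress + size) holds the RVA, or None."""
    for s in sections:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            return s
    return None

def rva_to_offset(sections: list, rva: int):
    """Convert a memory-relative address to the file offset of the same bytes (None if there are none)."""
    s = section_for_rva(sections, rva)
    if s is None:                       # the headers, or a gap between sections
        return None
    delta = rva - s["VirtualAddress"]
    # Past SizeOfRawData the section exists only in memory, zero-filled by the loader
    return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None

def locate_directories(sections: list, dirs: dict) -> dict:
    """For each DataDirectory RVA, the owning section name and the file offset."""
    located = {}
    for name, rva in dirs.items():
        owner = section_for_rva(sections, rva)
        located[name] = (owner["name"] if owner else None, rva_to_offset(sections, rva))
    return located

def writable_and_executable(sections: list) -> list:
    """Sections flagged both WRITE and EXECUTE: absent in a normal build, common in packed files."""
    return [s["name"] for s in sections if (s["Characteristics"] & 0xA0000000) == 0xA0000000]

def build_regedit_table() -> bytes:
    """The four REGEDIT section headers from the OllyDbg dump above, re-packed here."""
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1B47C, 0x1000, 0x1B600, 0x400, 0x60000020),
        (b".data", 0x412F0, 0x1D000, 0x40800, 0x1BA00, 0xC0000040),
        (b".rsrc", 0x3488, 0x5F000, 0x3600, 0x5C200, 0x40000040),
        (b".reloc", 0x1A80, 0x63000, 0x1C00, 0x5F800, 0x42000040)]
    return b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in rows)

# DataDirectory RVAs of REGEDIT from the PEBrowse listing above
REGEDIT_DIRS = {"IMPORT": 0x1A564, "RESOURCE": 0x5F000, "IAT": 0x1000}

if __name__ == "__main__":
    secs = parse_sections(build_regedit_table(), 4)
    for s in secs:
        print(f"{s['name']:<8} VA={s['VirtualAddress']:#07x} raw@{s['PointerToRawData']:#07x} {'|'.join(s['flags'])}")
    print(locate_directories(secs, REGEDIT_DIRS), "W+X:", writable_and_executable(secs))
```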

Next we check the important IAT and EAT, as promised earlier.
