┌────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ ____ ____ ____ _________ ____ __ ______ │
│\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/ __ \/ __ \/ __ \/_ __/ | / __ )/ / / ____/\\\\\\\\\\\\\\\\\\\\\\│
│//////////////////////////////// /_/ / / / / /_/ / / / / /| | / __ / / / __//////////////////////////│
│\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/ ____/ /_/ / _, _/ / / / ___ |/ /_/ / /___/ /\\\\\\\\\\\\\\\\\\\\\\\\\\\\│
│//////////////////////////////_/ __ \____/_/_|_|_/_/_/_/__|_/_____/_____/_____//////////////////////////│
│\\\\\\\\\\\\\\\\\\\\\\\/ ____/ |/ // ____/ ____/ / / /_ __/ | / __ )/ / / ____/\\\\\\\\\\\\\\\\\\\│
│/////////////////////// __/ | // __/ / / / / / / / / / /| | / __ / / / __///////////////////////│
│\\\\\\\\\\\\\\\\\\\\\/ /___ / |/ /___/ /___/ /_/ / / / / ___ |/ /_/ / /___/ /\\\\\\\\\\\\\\\\\\\\\\\\\│
│/////////////////////_____//_/|_/_____/\____/\____/ /_/ /_/ |_/_____/_____/_____//////////@0x6D6172636F│
│ │
│ Portable executable (PE) files are a Windows executable format. You may already recognize these as │
│ .exe, .dll, or other extensions. Executables are more than just the sum of the source code, there │
│ is also a lot of meta information which tells the operating system how to properly run it. Each PE │
│ file is made up of several parts, which are outlined below and described within this article. │
│ Deep diving into different formats is a valuable skill, and learning PE and ELF files will give you │
│ a good idea on what to look for when you wish to learn additional formats. Note that this will be │
│ for 32-bit (PE32) portable executables; the 64-bit PE32+ variant differs mainly in a few widened │
│ optional-header fields and will not be difficult to pick up. │
│ │
│ ┌───────────┐ ┌───────────────────────────────────────────────────────────────────┐ │
│ │DOS Headers├───┤00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............│ │
│ ├───────────┤ │00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......│ │
│ │ PE Headers├──┐│00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ ├───────────┤ ││00000030: 0000 0000 0000 0000 0000 0000 f000 0000 ................│ │
│ │Sectn Table├─┐││00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th│ │
│ ├───────────┤ │││00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno│ │
│ │ Sections├┐│││00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS │ │
│ ├───────────┤││││00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......│ │
│ │ .text││││└───────────────────────────────────────────────────────────────────┘ │
│ ├───────────┤│││┌───────────────────────────────────────────────────────────────────┐ │
│ │ .rdata│││└┤000000f0: 5045 0000 4c01 0500 b1c6 a062 0000 0000 PE..L......b....│ │
│ ├───────────┤││ │00000100: 0000 0000 e000 0201 0b01 0e1d 0010 0000 ................│ │
│ │ .rsrc│││ │00000110: 0016 0000 0000 0000 e613 0000 0010 0000 ................│ │
│ ├───────────┤││ │00000120: 0020 0000 0000 4000 0010 0000 0002 0000 . ....@.........│ │
│ │ .reloc│││ │00000130: 0600 0000 0000 0000 0600 0000 0000 0000 ................│ │
│ └───────────┘││ │00000140: 0060 0000 0004 0000 0000 0000 0300 4081 .`............@.│ │
│ ││ │00000150: 0000 1000 0010 0000 0000 1000 0010 0000 ................│ │
│ ││ │00000160: 0000 0000 1000 0000 0000 0000 0000 0000 ................│ │
│ ││ │00000170: 8c26 0000 a000 0000 0040 0000 e001 0000 .&.......@......│ │
│ ││ │00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ ││ │00000190: 0050 0000 7401 0000 e821 0000 7000 0000 .P..t....!..p...│ │
│ ││ │000001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ ││ │000001b0: 0000 0000 0000 0000 5822 0000 4000 0000 ........X"..@...│ │
│ ││ │000001c0: 0000 0000 0000 0000 0020 0000 c800 0000 ......... ......│ │
│ ││ │000001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ ││ └───────────────────────────────────────────────────────────────────┘ │
│ ││ ┌───────────────────────────────────────────────────────────────────┐ │
│ │└─┤000001e0: 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...│ │
│ │ │000001f0: 110e 0000 0010 0000 0010 0000 0004 0000 ................│ │
│ │ │00000200: 0000 0000 0000 0000 0000 0000 2000 0060 ............ ..`│ │
│ │ │00000210: 2e72 6461 7461 0000 340c 0000 0020 0000 .rdata..4.... ..│ │
│ │ │00000220: 000e 0000 0014 0000 0000 0000 0000 0000 ................│ │
│ │ │00000230: 0000 0000 4000 0040 2e64 6174 6100 0000 ....@..@.data...│ │
│ │ │00000240: 8803 0000 0030 0000 0002 0000 0022 0000 .....0......."..│ │
│ │ │00000250: 0000 0000 0000 0000 0000 0000 4000 00c0 ............@...│ │
│ │ │00000260: 2e72 7372 6300 0000 e001 0000 0040 0000 .rsrc........@..│ │
│ │ │00000270: 0002 0000 0024 0000 0000 0000 0000 0000 .....$..........│ │
│ │ │00000280: 0000 0000 4000 0040 2e72 656c 6f63 0000 ....@..@.reloc..│ │
│ │ │00000290: 7401 0000 0050 0000 0002 0000 0026 0000 t....P.......&..│ │
│ │ │000002a0: 0000 0000 0000 0000 0000 0000 4000 0042 ............@..B│ │
│ │ └───────────────────────────────────────────────────────────────────┘ │
│ │ ┌───────────────────────────────────────────────────────────────────┐ │
│ └──┤00000400: b878 3340 00c3 cccc cccc cccc cccc cccc .x3@............│ │
│ │00000410: b870 3340 00c3 cccc cccc cccc cccc cccc .p3@............│ │
│ │00000420: 558b ec83 e4f8 5156 8b75 086a 01ff 15bc U.....QV.u.j....│ │
│ │00000430: 2040 0083 c404 8d4d 0c51 6a00 5650 e8bd @.....M.Qj.VP..│ │
│ │00000440: ffff ffff 7004 ff30 ff15 b820 4000 83c4 ....p..0... @...│ │
│ │00000450: 185e 8be5 5dc3 cccc cccc cccc cccc cccc .^..]...........│ │
│ │........: .... .... .... .... .... .... .... .... ................│ │
│ └───────────────────────────────────────────────────────────────────┘ │
│ ____ ____ _____ __ ___________ ____ __________ _____ │
│\\\\\\\\\\\\\\\\\\\\\\/ __ \/ __ \/ ___/ / / / / ____/ | / __ \/ ____/ __ \/ ___/\\\\\\\\\\\\\\\\\\│
│////////////////////// / / / / / /\__ \ / /_/ / __/ / /| | / / / / __/ / /_/ /\__ \///////////////////│
│\\\\\\\\\\\\\\\\\\\\/ /_/ / /_/ /___/ / / __ / /___/ ___ |/ /_/ / /___/ _, _/___/ /\\\\\\\\\\\\\\\\\\\│
│////////////////////_____/\____//____/ /_/ /_/_____/_/ |_/_____/_____/_/ |_|/____/////////////////////│
│ │
│ The first part of every PE file is the DOS header, followed immediately by the DOS stub. This is │
│ there for backwards compatibility (which you will see a lot with Windows) in the event that a PE │
│ file is run on an MS-DOS machine: MS-DOS runs the small self-contained program in the stub, which │
│ prints a message stating that the program cannot be run in DOS mode. When the executable is │
│ linked, the linker adds a default stub; you can override it with the -STUB linker option. The │
│ modern Windows loader never executes the stub: it reads e_magic ("MZ") and e_lfanew and skips │
│ everything in between, so those bytes can hold anything and should not be assumed to be a program. │
│ Note that e_lfanew points directly to the beginning of the PE header (0xf0 in this file). Anything │
│ that parses a file it did not build should check that e_lfanew lands inside the file before │
│ following it; a bogus value here is the simplest way to make a naive parser read out of bounds. │
│ │
│ ┌─────────────────────────────────────────┐ │
│ │Looking at a hex dump of the DOS Headers:│ │
│ ┌───────────────────────────────────────────────────────────────────┐ │
│ │00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............│ │
│ │00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......│ │
│ │00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ │00000030: 0000 0000 0000 0000 0000 0000 f000 0000 ................│ │
│ │00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th│ │
│ │00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno│ │
│ │00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS │ │
│ │00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......│ │
│ └───────────────────────────────────────────────────────────────────┘ │
│ │
│ 00400000 struct DOS_Header __dos_header = │
│ 00400000 { │
│ 00400000 char e_magic[0x2] = "MZ" // magic number │
│ 00400002 uint16_t e_cblp = 0x90 // bytes on last page │
│ 00400004 uint16_t e_cp = 0x3 // pages in file │
│ 00400006 uint16_t e_crlc = 0x0 // relocations │
│ 00400008 uint16_t e_cparhdr = 0x4 // header size in 16-byte paragraphs │
│ 0040000a uint16_t e_minalloc = 0x0 // min extra paragraphs needed │
│ 0040000c uint16_t e_maxalloc = 0xffff // max extra paragraphs needed │
│ 0040000e uint16_t e_ss = 0x0 // initial ss value │
│ 00400010 uint16_t e_sp = 0xb8 // initial sp value │
│ 00400012 uint16_t e_csum = 0x0 // checksum │
│ 00400014 uint16_t e_ip = 0x0 // initial ip value │
│ 00400016 uint16_t e_cs = 0x0 // initial cs value │
│ 00400018 uint16_t e_lfarlc = 0x40 // address of relocation table │
│ 0040001a uint16_t e_ovno = 0x0 // overlay number │
│ 0040001c char e_res1[0x8] = "\x00\x00\x00\x00\x00\x00\x00", 0 // reserved words │
│ 00400024 uint16_t e_oemid = 0x0 // oem identifier │
│ 00400026 uint16_t e_oeminfo = 0x0 // oem information │
│ 00400028 char e_res2[0x14] = "\x00\x00\x00\x00\x00\x00\x00... // reserved words │
│ 0040003c uint32_t e_lfanew = 0xf0 // address of pe header │
│ 00400040 } │
│ │
│ 00400040 __dos_stub: │
│ 00400040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th │
│ 00400050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno │
│ 00400060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS │
│ 00400070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$....... │
│ ____ ______ __ ___________ ____ __________ _____ │
│\\\\\\\\\\\\\\\\\\\\\\\\/ __ \/ ____/ / / / / ____/ | / __ \/ ____/ __ \/ ___/\\\\\\\\\\\\\\\\\\\\\\│
│//////////////////////// /_/ / __/ / /_/ / __/ / /| | / / / / __/ / /_/ /\__ \///////////////////////│
│\\\\\\\\\\\\\\\\\\\\\\/ ____/ /___ / __ / /___/ ___ |/ /_/ / /___/ _, _/___/ /\\\\\\\\\\\\\\\\\\\\\\\│
│//////////////////////_/ /_____/ /_/ /_/_____/_/ |_/_____/_____/_/ |_|/____/////////////////////////│
│ │
│ The PE headers contain information about the PE itself, much like how the DOS header contains │
│ information about the DOS stub so that it may be run on MS-DOS. Similarly, the PE headers begin │
│ with the signature "PE\0\0", much like the DOS header can always be recognized by "MZ". The │
│ signature is followed by the COFF file header and then the optional header. Typically the most │
│ valuable information is found within the optional header, which may strike you as a surprise: │
│ despite its name it is mandatory for any image the loader will run (it is only optional in COFF │
│ object files). In order to really dig into that, first we need to discuss RVA, which stands for │
│ relative virtual address. Keeping in mind that our executable is a file that is loaded into memory │
│ to run, it is assigned a region of virtual memory starting at the image base. An RVA is the │
│ distance of an object from that base: subtract the image base from an object's virtual address │
│ and you are left with its RVA; add an RVA to the image base and you get the object's address in │
│ memory. For example, the address of entry point of this executable is RVA 0x13e6. If it is loaded │
│ into memory at 0x00400000 (the imageBase below) then the entry point will be at 0x004013e6, and │
│ if it is loaded at 0x01700000 instead - which happens when the image is relocated, e.g. by ASLR, │
│ using the .reloc section - it will be at 0x017013e6. Beware that an RVA is not a file offset: │
│ sections are placed on sectionAlignment (0x1000) boundaries in memory but on fileAlignment (0x200) │
│ boundaries on disk, so to find the bytes behind an RVA in the file you go through the section │
│ table: file offset = RVA - section.virtualAddress + section.pointerToRawData. For the entry point │
│ that is 0x13e6 - 0x1000 + 0x400 = 0x7e6, inside .text. Several of the fields below allow us to │
│ calculate our way around the executable if we pay attention to offsets, alignments, and sizes. │
│ │
│ ┌────────────────────────────────────────┐ │
│ │Looking at a hex dump of the PE Headers:│ │
│ ┌───────────────────────────────────────────────────────────────────┐ │
│ │000000f0: 5045 0000 4c01 0500 b1c6 a062 0000 0000 PE..L......b....│ │
│ │00000100: 0000 0000 e000 0201 0b01 0e1d 0010 0000 ................│ │
│ │00000110: 0016 0000 0000 0000 e613 0000 0010 0000 ................│ │
│ │00000120: 0020 0000 0000 4000 0010 0000 0002 0000 . ....@.........│ │
│ │00000130: 0600 0000 0000 0000 0600 0000 0000 0000 ................│ │
│ │00000140: 0060 0000 0004 0000 0000 0000 0300 4081 .`............@.│ │
│ │00000150: 0000 1000 0010 0000 0000 1000 0010 0000 ................│ │
│ │00000160: 0000 0000 1000 0000 0000 0000 0000 0000 ................│ │
│ │00000170: 8c26 0000 a000 0000 0040 0000 e001 0000 .&.......@......│ │
│ │00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ │00000190: 0050 0000 7401 0000 e821 0000 7000 0000 .P..t....!..p...│ │
│ │000001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ │000001b0: 0000 0000 0000 0000 5822 0000 4000 0000 ........X"..@...│ │
│ │000001c0: 0000 0000 0000 0000 0020 0000 c800 0000 ......... ......│ │
│ │000001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................│ │
│ └───────────────────────────────────────────────────────────────────┘ │
│ │
│ 004000f0 struct COFF_Header __coff_header = │
│ 004000f0 { │
│ 004000f0 char magic[0x4] = "PE\x00", 0 // magic number │
│ 004000f4 enum coff_machine machine = IMAGE_FILE_MACHINE_I386 // cpu type │
│ 004000f6 uint16_t numberOfSections = 0x5 // number of sections │
│ 004000f8 uint32_t timeDateStamp = 0x62a0c6b1 // date/time stamp │
│ 004000fc uint32_t pointerToSymbolTable = 0x0 // pointer to symbol table │
│ 00400100 uint32_t numberOfSymbols = 0x0 // number of symbols │
│ 00400104 uint16_t sizeOfOptionalHeader = 0xe0 // optional header size │
│ 00400106 enum coff_characteristics characteristics = 0x0102 // EXECUTABLE_IMAGE | 32BIT_MACHINE │
│ 00400108 } │
│ 00400108 struct PE32_Optional_Header __pe32_optional_header = │
│ 00400108 { │
│ 00400108 enum pe_magic magic = PE_32BIT // magic number │
│ 0040010a uint8_t majorLinkerVersion = 0xe // major linker version │
│ 0040010b uint8_t minorLinkerVersion = 0x1d // minor linker version │
│ 0040010c uint32_t sizeOfCode = 0x1000 // .text size in bytes │
│ 00400110 uint32_t sizeOfInitializedData = 0x1600 // initialized data size │
│ 00400114 uint32_t sizeOfUninitializedData = 0x0 // uninitialized data size │
│ 00400118 uint32_t addressOfEntryPoint = 0x13e6 // code entry address │
│ 0040011c uint32_t baseOfCode = 0x1000 // .text start base rva │
│ 00400120 uint32_t baseOfData = 0x2000 // .data start base rva │
│ 00400124 uint32_t imageBase = 0x400000 // virtual memory load address │
│ 00400128 uint32_t sectionAlignment = 0x1000 // section memory align size* │
│ 0040012c uint32_t fileAlignment = 0x200 // section file align size* │
│ 00400130 uint16_t majorOperatingSystemVersion = 0x6 // major os version │
│ 00400132 uint16_t minorOperatingSystemVersion = 0x0 // minor os version │
│ 00400134 uint16_t majorImageVersion = 0x0 // major image version │
│ 00400136 uint16_t minorImageVersion = 0x0 // minor image version │
│ 00400138 uint16_t majorSubsystemVersion = 0x6 // major subsystem version │
│ 0040013a uint16_t minorSubsystemVersion = 0x0 // minor subsystem version │
│ 0040013c uint32_t win32VersionValue = 0x0 // win32 version value (0) │
│ 00400140 uint32_t sizeOfImage = 0x6000 // size of image in memory │
│ 00400144 uint32_t sizeOfHeaders = 0x400 // physical size of PE header* │
│ 00400148 uint32_t checkSum = 0x0 // checksum │
│ 0040014c enum pe_subsystem subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI // application type (3 = console) │
│ 0040014e enum pe_dll_characteristics dllCharacteristics = 0x8140 // DYNAMIC_BASE (ASLR) | NX_COMPAT │
│ // (DEP) | TERMINAL_SERVER_AWARE │
│ 00400150 uint32_t sizeOfStackReserve = 0x100000 // memory res for thread stack │
│ 00400154 uint32_t sizeOfStackCommit = 0x1000 // memory used by stack at init │
│ 00400158 uint32_t sizeOfHeapReserve = 0x100000 // memory res for process heap │
│ 0040015c uint32_t sizeOfHeapCommit = 0x1000 // memory used by heap at init │
│ 00400160 uint32_t loaderFlags = 0x0 // loader flag (0) │
│ 00400164 uint32_t numberOfRvaAndSizes = 0x10 // count of data directory entries that follow │
│ _____ __________________________ _ __ _________ ____ __ ______ │
│\\\\\\\\\\\\\\\/ ___// ____/ ____/_ __/ _/ __ \/ | / / /_ __/ | / __ )/ / / ____/\\\\\\\\\\\\\\│
│///////////////\__ \/ __/ / / / / / // / / / |/ / / / / /| | / __ / / / __//////////////////│
│\\\\\\\\\\\\\\\\\/ / /___/ /___ / / _/ // /_/ / /| / / / / ___ |/ /_/ / /___/ /\\\\\\\\\\\\\\\\\\\\│
│//////////////____/_____/\____/ /_/ /___/\____/_/ |_/ /_/ /_/ |_/_____/_____/_____//////////////////│
│ │
│ The section table is an array of section headers that starts right after the optional header │
│ (0x108 + sizeOfOptionalHeader 0xe0 = 0x1e8 here) and has numberOfSections (5) entries; each entry │
│ describes its own section. While there are several sections here, note that it is entirely │
│ possible for this to be a one-section array. Each entry carries both an in-memory view │
│ (virtualAddress, virtualSize) and an on-disk view (pointerToRawData, sizeOfRawData) of the same │
│ bytes; nothing in the format verifies them, so anything that parses untrusted files should check │
│ that the raw ranges fit within the file and the virtual ranges within sizeOfImage before use. │
│ │
│ ┌───────────────────────────────────────────┐ │
│ │Looking at a hex dump of the Section Table:│ │
│ ┌───────────────────────────────────────────────────────────────────┐ │
│ │000001e0: 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...│ │
│ │000001f0: 110e 0000 0010 0000 0010 0000 0004 0000 ................│ │
│ │00000200: 0000 0000 0000 0000 0000 0000 2000 0060 ............ ..`│ │
│ │00000210: 2e72 6461 7461 0000 340c 0000 0020 0000 .rdata..4.... ..│ │
│ │00000220: 000e 0000 0014 0000 0000 0000 0000 0000 ................│ │
│ │00000230: 0000 0000 4000 0040 2e64 6174 6100 0000 ....@..@.data...│ │
│ │00000240: 8803 0000 0030 0000 0002 0000 0022 0000 .....0......."..│ │
│ │00000250: 0000 0000 0000 0000 0000 0000 4000 00c0 ............@...│ │
│ │00000260: 2e72 7372 6300 0000 e001 0000 0040 0000 .rsrc........@..│ │
│ │00000270: 0002 0000 0024 0000 0000 0000 0000 0000 .....$..........│ │
│ │00000280: 0000 0000 4000 0040 2e72 656c 6f63 0000 ....@..@.reloc..│ │
│ │00000290: 7401 0000 0050 0000 0002 0000 0026 0000 t....P.......&..│ │
│ │000002a0: 0000 0000 0000 0000 0000 0000 4000 0042 ............@..B│ │
│ └───────────────────────────────────────────────────────────────────┘ │
│ │
│ 004001e8 struct Section_Header __section_headers[0x5] = │
│ 004001e8 { │
│ 004001e8 [0x0] = │
│ 004001e8 { │
│ 004001e8 char name[0x8] = ".text\x00\x00", 0 // 8-byte name, NUL-padded; no NUL if all 8 used │
│ 004001f0 uint32_t virtualSize = 0xe11 // total section size in memory │
│ 004001f4 uint32_t virtualAddress = 0x1000 // address relative to img base │
│ 004001f8 uint32_t sizeOfRawData = 0x1000 // size of section on disk │
│ 004001fc uint32_t pointerToRawData = 0x400 // raw offset to section data │
│ 00400200 uint32_t pointerToRelocations = 0x0 // pointer to reloc (always 0) │
│ 00400204 uint32_t pointerToLineNumbers = 0x0 // pointer to line # (always 0) │
│ 00400208 uint16_t numberOfRelocations = 0x0 // always 0 like pointer │
│ 0040020a uint16_t numberOfLineNumbers = 0x0 // always 0 like pointer │
│ 0040020c enum pe_section_flags characteristics = 0x60000020 // CNT_CODE | MEM_EXECUTE | MEM_READ │
│ 00400210 } │
│ 00400210 [0x1] = │
│ 00400210 { │
│ 00400210 char name[0x8] = ".rdata\x00", 0 // byte-long array name │
│ 00400218 uint32_t virtualSize = 0xc34 // total section size in memory │
│ 0040021c uint32_t virtualAddress = 0x2000 // address relative to img base │
│ 00400220 uint32_t sizeOfRawData = 0xe00 // size of section on disk │
│ 00400224 uint32_t pointerToRawData = 0x1400 // raw offset to section data │
│ 00400228 uint32_t pointerToRelocations = 0x0 // pointer to reloc (always 0) │
│ 0040022c uint32_t pointerToLineNumbers = 0x0 // pointer to line # (always 0) │
│ 00400230 uint16_t numberOfRelocations = 0x0 // always 0 like pointer │
│ 00400232 uint16_t numberOfLineNumbers = 0x0 // always 0 like pointer │
│ 00400234 enum pe_section_flags characteristics = 0x40000040 // CNT_INITIALIZED_DATA | MEM_READ │
│ 00400238 } │
│ 00400238 [0x2] = │
│ 00400238 { │
│ 00400238 char name[0x8] = ".data\x00\x00", 0 // byte-long array name │
│ 00400240 uint32_t virtualSize = 0x388 // total section size in memory │
│ 00400244 uint32_t virtualAddress = 0x3000 // address relative to img base │
│ 00400248 uint32_t sizeOfRawData = 0x200 // size of section on disk │
│ 0040024c uint32_t pointerToRawData = 0x2200 // raw offset to section data │
│ 00400250 uint32_t pointerToRelocations = 0x0 // pointer to reloc (always 0) │
│ 00400254 uint32_t pointerToLineNumbers = 0x0 // pointer to line # (always 0) │
│ 00400258 uint16_t numberOfRelocations = 0x0 // always 0 like pointer │
│ 0040025a uint16_t numberOfLineNumbers = 0x0 // always 0 like pointer │
│ 0040025c enum pe_section_flags characteristics = 0xc0000040 // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE │
│ 00400260 } │
│ 00400260 [0x3] = │
│ 00400260 { │
│ 00400260 char name[0x8] = ".rsrc\x00\x00", 0 // byte-long array name │
│ 00400268 uint32_t virtualSize = 0x1e0 // total section size in memory │
│ 0040026c uint32_t virtualAddress = 0x4000 // address relative to img base │
│ 00400270 uint32_t sizeOfRawData = 0x200 // size of section on disk │
│ 00400274 uint32_t pointerToRawData = 0x2400 // raw offset to section data │
│ 00400278 uint32_t pointerToRelocations = 0x0 // pointer to reloc (always 0) │
│ 0040027c uint32_t pointerToLineNumbers = 0x0 // pointer to line # (always 0) │
│ 00400280 uint16_t numberOfRelocations = 0x0 // always 0 like pointer │
│ 00400282 uint16_t numberOfLineNumbers = 0x0 // always 0 like pointer │
│ 00400284 enum pe_section_flags characteristics = 0x40000040 // CNT_INITIALIZED_DATA | MEM_READ │
│ 00400288 } │
│ 00400288 [0x4] = │
│ 00400288 { │
│ 00400288 char name[0x8] = ".reloc\x00", 0 // byte-long array name │
│ 00400290 uint32_t virtualSize = 0x174 // total section size in memory │
│ 00400294 uint32_t virtualAddress = 0x5000 // address relative to img base │
│ 00400298 uint32_t sizeOfRawData = 0x200 // size of section on disk │
│ 0040029c uint32_t pointerToRawData = 0x2600 // raw offset to section data │
│ 004002a0 uint32_t pointerToRelocations = 0x0 // pointer to reloc (always 0) │
│ 004002a4 uint32_t pointerToLineNumbers = 0x0 // pointer to line # (always 0) │
│ 004002a8 uint16_t numberOfRelocations = 0x0 // always 0 like pointer │
│ 004002aa uint16_t numberOfLineNumbers = 0x0 // always 0 like pointer │
│ 004002ac enum pe_section_flags characteristics = 0x42000040 // CNT_INITIALIZED_DATA | MEM_DISCARDABLE | MEM_READ │
│ 004002b0 } │
│ 004002b0 } │
│ │
│ Notice the permissions for each of these sections. They come from the characteristics flags above: │
│ .text is 0x60000020 (code, execute, read), .data is 0xc0000040 (initialized data, read, write), and │
│ .rdata/.rsrc are 0x40000040 (initialized data, read only); .reloc adds DISCARDABLE (0x42000040) │
│ because the loader can drop it once the image is relocated. A well-behaved binary has no section │
│ that is both writable and executable; seeing one, or a writable .text, is a classic sign of a │
│ packer or self-modifying code and worth a closer look. │
│ │
│ Segments: │
│ r-- 0x00400000-0x00400400 ; Read only (DOS headers through section table) │
│ r-x 0x00401000-0x00401e11 {Code} ; Read & execute │
│ r-- 0x00402000-0x00402c34 {Data} ; Read only │
│ rw- 0x00403000-0x00403388 {Data} ; Read & write │
│ r-- 0x00404000-0x004041e0 {Data} ; Read only │
│ r-- 0x00405000-0x00405174 {Data} ; Read only │
│ │
│ Sections: │
│ 0x00401000-0x00401e11 .text {Code} ; Read & execute │
│ 0x00402000-0x00402c34 .rdata {Read-only data} ; Read only │
│ 0x00403000-0x00403388 .data {Writable data} ; Read & write │
│ 0x00404000-0x004041e0 .rsrc {Read-only data} ; Read only │
│ 0x00405000-0x00405174 .reloc {Read-only data} ; Read only │
│ │
│ There are many different section names, which can be looked up in the MS dev documentation for PE │
│ files, but here are a few. Note that names are only conventions and are not enforced by the loader; │
│ the characteristics flags decide what a section may do, so never trust a name alone: │
│ .text: executable code │
│ .bss: uninitialized data │
│ .data: writeable initialized data │
│ .rdata: read-only initialized data │
│ .idata: import tables (modern linkers often fold these into .rdata, as in this sample, which │
│ has no .idata section) │
│ .edata: export tables │
│ .reloc: image relocation info, needed to load the image at a base other than imageBase │
│ .rsrc: resources (icons, dialogs, version info - or any embedded data) │
│ .tls: thread-local storage template and TLS callbacks, which run before the entry point │
│ │
│\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\│
│////////////////////////////////////////////////////////////////////////////////////////////////////////│
│\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\│
│////////////////////////////////////////////////////////////////////////////////////////////////////////│
│...to be continued... │
└────────────────────────────────────────────────────────────────────────────────────────────────────────┘