How to download malware pe files

Some of the directories are listed below. Each data directory entry specifies the size and the relative virtual address (RVA) of the directory. To locate a particular directory, we first read its RVA from the data directory array in the optional header. We then use that RVA to determine which section the directory falls in. Once we know which section contains the directory, that section's header is used to convert the RVA into the exact file offset of the data directory.

So, to get a data directory, we first need to know about sections, which are described next. An example of how to locate data directories immediately follows this discussion.

We can see the various sections and headers in the following image, which is taken from a hex editor. The RVA is the address of the table relative to the base address of the image once the table is loaded into memory.

The second field gives the size in bytes. To make this more practical, we can use OllyDbg or Immunity Debugger. We will use OllyDbg to see the different sections of a PE file, as shown below.

Looking at the output below, we can clearly see all the headers and sections. The data directory, which forms the last part of the optional header, is listed below.

We will discuss these further with the section table. The data directories are: export table, import table, resource table, exception table, certificate table, base relocation table, debug, architecture, global ptr, TLS table, load config table, bound import, IAT, delay import descriptor, and CLR runtime header. The section table immediately follows the optional header. Its location is found by calculating the position of the first byte after the optional header; for that, we use the size of the optional header (a field of the file header).

The number of entries in the section table is given by the number-of-sections field in the file header. Each section header is a 40-byte entry. We will discuss some of the important entries below. This value may be less than the size of the section on disk. The sections contain the main content of the file, including code, data, resources and other executable content. Each section has a header and a body. An application in Windows NT typically has nine different predefined sections.
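To make the RVA-to-file-offset walk described above concrete, here is an added Python example; it is not code from the article, which illustrated the same steps with hex-editor and OllyDbg screenshots. The script constructs a tiny PE32 image in memory (the section layout, the import table RVA and the placeholder bytes are all constructed for the demonstration), parses the DOS header, file header, optional header and section table, reads one data directory entry, finds the section that contains its RVA, and converts the RVA into a file offset. The field offsets are those of the standard PE32 and PE32+ optional header layouts. Two cases a practitioner runs into are handled: an empty directory entry (RVA and size both zero) and the certificate table entry, whose first field is a raw file offset rather than an RVA.

```python
import struct

# Data directory names in array order, as listed in the article (index 15 is reserved).
DATA_DIRECTORY_NAMES = [
    "export table", "import table", "resource table", "exception table",
    "certificate table", "base relocation table", "debug", "architecture",
    "global ptr", "TLS table", "load config table", "bound import",
    "IAT", "delay import descriptor", "CLR runtime header", "reserved",
]
CERTIFICATE_TABLE = 4  # this entry stores a file offset, not an RVA


def parse_headers(data):
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    (_machine, number_of_sections, _stamp, _symtab, _nsyms,
     size_of_optional_header, _chars) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directory array at +96; PE32+ at +108 / +112.
    if magic == 0x10B:
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    count = min(struct.unpack_from("<I", data, count_off)[0], 16)
    directories = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(count)]
    # The section table starts right after the optional header; its size comes from the file header.
    sect_off = opt + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr})
    return {"directories": directories, "sections": sections}


def rva_to_file_offset(sections, rva):
    """Return the file offset backing an RVA, or None if no bytes on disk back it."""
    if sections and rva < min(s["virtual_address"] for s in sections):
        return rva  # the header region is mapped at its file position
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            if delta >= s["raw_size"]:
                return None  # zero-filled tail (VirtualSize > SizeOfRawData) has no disk bytes
            return s["raw_pointer"] + delta
    return None


def locate_data_directory(data, index):
    """Resolve data directory `index` to {name, rva, size, section, file_offset}, or None if absent."""
    hdr = parse_headers(data)
    if index >= len(hdr["directories"]):
        return None
    rva, size = hdr["directories"][index]
    if rva == 0 and size == 0:
        return None  # directory not present in this image
    entry = {"name": DATA_DIRECTORY_NAMES[index], "rva": rva, "size": size, "section": None}
    if index == CERTIFICATE_TABLE:
        entry["file_offset"] = rva  # already a file offset; certificates are not mapped
        return entry
    entry["file_offset"] = rva_to_file_offset(hdr["sections"], rva)
    for s in hdr["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            entry["section"] = s["name"]
    return entry


def build_sample_pe():
    """Constructed, non-runnable PE32 fixture: two sections and an import table inside .rdata."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (constructed)
        (b".text", 0x100, 0x1000, 0x200, 0x400),
        (b".rdata", 0x80, 0x2000, 0x200, 0x600),
    ]
    image = bytearray(0x800)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)           # e_lfanew: PE header at 0x80
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x84, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = 0x98                                          # optional header (224 bytes for PE32)
    struct.pack_into("<H", image, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)     # AddressOfEntryPoint (in .text)
    struct.pack_into("<I", image, opt + 28, 0x400000)   # ImageBase
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", image, opt + 60, 0x400)      # SizeOfHeaders
    struct.pack_into("<I", image, opt + 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", image, opt + 96 + 8 * 1, 0x2010, 0x28)  # import table entry
    for i, fields in enumerate(sections):
        struct.pack_into("<8sIIII", image, opt + 224 + 40 * i, *fields)
    image[0x610:0x610 + 0x28] = b"\xaa" * 0x28          # placeholder bytes at the import table
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(locate_data_directory(sample, 1))   # import table -> .rdata, file offset 0x610
    print(locate_data_directory(sample, 0))   # export table absent -> None
```

Running the script resolves the import table entry (RVA 0x2010) into section .rdata at file offset 0x610: the RVA minus the section's virtual address gives the distance into the section, and adding the section's raw data pointer gives the byte position in the file. Against a real binary, read the file into `data` and call `locate_data_directory` with the index of the directory you want; if the returned `file_offset` is None, the directory points at memory that is not backed by bytes on disk.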

Depending on the application, some of these sections are used, but not all of them. Executable code: in Windows, all code segments reside in a single section. Windows uses a page-based virtual memory system, so having one large code section is easier to manage for both the OS and the application developer. This section also holds the entry point and the thunk table, which points to the IAT.

We will discuss the thunk table together with the IAT. The export section, when present, contains information about the names and addresses of exported functions. We will discuss these in greater depth later. Windows supports multiple threads of execution per process; each thread has its own storage, called thread local storage (TLS).

Below is a short link that describes TLS. The linker defines it. This can be found with an OllyDbg plug-in. We will discuss this in a future topic.

The following link is a reference to some good material. In the next installment, I will give details about the later sections of a PE file, including some of the automation and cool stuff. Please comment below.

Posted: November 26.

About the author: he is also well-versed in reverse engineering and malware analysis, and has been a contributor to international magazines like Hakin9, Pentest, and E-Forensics. In his free time, he has contributed to the Response Disclosure Program.

Updated March 2. About the Author: Lenny Zeltser develops products and programs that use security to achieve business results. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community.
