Portable Executable is file format which is used in Windows OS for executable files like .exe, .dll, .cpl etc. It is based on COFF (Common Object File Format).

A PE file is a data structure that holds information necessary for OS loader to load that executable into memory and execute it.

This article serves as basic overview of PE structure, understanding of which is useful for reverse engineering and understanding not just malware binaries.

Note

Examples provided in this article will be taken from random executable file, opened using analytics tool named PE-bear.

Code examples are from winnt.h WinAPI file. You can download these files as part of Visual Studio.

Structure

DOS Header

Is represented by first 64 bytes of every PE file. Following parts are the most important:
e_magic - Every PE File starts with 2 byte magic number 0x5A4D. It is used to verify if it is valid executable. The value can be seen in reverse order in screenshot below, due to Windows using little endian encoding
e_lfanew - These 4 bytes contain the offset of PE header. When the program needs to be loaded by Windows loader, it looks for this value to skip the DOS Stub and go directly to NT headers.

DOS Stub

Usually contains message "This program cannot be run in DOS mode". It is used as fallback for older DOS systems that cannot process PE files.

NT Headers

Are accesssed from address in e_lfanew

Signature - Serves for checking validity of the structure, has value of Ox4550 (PE)
File Headers - Contains information about structure of the whole file, such as the machine type of the executable code, a time stamp, a pointer to symbol table and various flags. Value in machine type can help you determine whether the executable is 32(value 0x4c) or 64 bit (value 0x64)
Optional Headers - Unlike name suggests, this header is not actually optional. It contains additional important information to File Headers, another magic number that determines whether file is 32/64bit, information about running subsystem, Preffered base address and security flags. Another important part is import,export, resource tables etc. which contain used APIs, imported functions, string and other static resources.

Section Header

Is an array that contains memory locations for each section.

Sections

.text - Contains the executable code. This section includes all compiled instructions that the processor will execute. The section is typically marked as executable and read-only for security purposes.

.data - Contains initialized global data. This includes variables with initial values that the program requires during execution. The section is marked as readable and writable.

.rdata - Contains read-only data, including import and export tables. It stores constant data, string literals, and critical tables that support dynamic linking functionality.

.rsrc - Contains resources such as icons, images, and strings. This section organizes resources in a hierarchical structure that applications can access during runtime.

.reloc - Contains relocation table that is used by loader for recalculating addresses in case the executable is not loaded at base address.

.tls(Thread Local Storage)- is a special storage class that contains thread specific data.

This list of sections is not exhaustive, just explains the most common ones.

When analyzing PE file, malicious executables can have unusually small or large headers or sections. Unusually large header can be a sign of obfuscation and for example small or empty import table can be sign of dynamic loading of libraries which is common for malware.

The post Portable Executable (PE) Format first appeared on Hard Wired.

Windows Architecture

Windows architecture follows layered design with two main components:

User Mode

This mode is made of system processes, services, application and environments running on the system. All of these components have limited access to hardware and rely on kernel mode for hardware interaction.
Interface between user mode and kernel functions is called environment subsystem.
Each of these implement different API sets.
Three main environment subsystems exist:
1.Win32
2.OS/2
3.POSIX

Security subsystem

Deals with security tokens, manages access to resources based on permissions, handles authentication. Manages Active Directory

Kernel Mode

Has full access to system hardware and resources and runs code in Protected Memory. Kernel mode handles memory management, device drivers, process management, thread prioritization etc.

System Call

When user mode program needs access to any restricted resource or hardware, it makes system call. This call is processed by kernel mode.

Hardware Abstraction Layer

Acts as a bridge between kernel mode and hardware. Translates generic kernel instructions to specific instructions for given hardware.

Memory Management

Windows has sophisticated memory management system for physical(RAM) and virtual(RAM and Disk) memory utilization.

Virtual Address Space - is set of virtual memory that process can use. This memory is private and cannot be accessed by other processes unless shared.
Virtual address does not represent physical location in memory. System maintains internal data structure Page Table for each process. Every time thread references virtual address, system translates it to physical one.
Virtual address space is divided into two partitions - system and process.

Memory Types

• User mode/Kernel mode:
  Memory allocations are segregated based on mode to ensure security
• x86/x64:
  Represent addressable memory space for different CPU architectures. Every 32-bit(x86) app has up to 4GB of virtual memory space, while 64-bit (x64) has up to 8TB.
• Paged Pool:
  Dynamically allocated memory that can be swapped between RAM and paging file on disk. This serves as memory usage optimization, or when RAM memory is full.
• Non-paged pool:
  Hold critical kernel mode data that must be always accessible in RAM as long as corresponding objects are allocated. This data is not paged to disk.

Page States

• Free: The page is available to be reserved, committed, or simultaneously reserved and committed
• Reserved: The page is reserved for future use, but it does not have any physical storage associated with it. Reserved memory cannot be used by other functions
• Committed: Memory have been allocated in RAM/paging file(s) on disk. Page is accessible and access is controlled by Memory Protection Constants

Memory Protection Constants

These constants specify permissions, which define operations that can be done on specified memory region. There is many of them, so I will list just a few that are probably most common, the rest can be found in Microsoft Documentation.

• PAGE_EXECUTE_READWRITE - Enables execute, read-only, or read/write access to the committed region of pages
• PAGE_READWRITE - Enables read-only or read/write access to the committed region of pages
• PAGE_READONLY - Enables read-only access to the committed region of pages
  ...

C++ Code Example

Let's apply previous information to allocate memory in a process.

LPVOID memBlock = VirtualAllocEx(hProcess, NULL, sizeof(payload), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

Here, we allocate variable 'memBlock' of 'LPVOID' type, assigning it result of 'VirtualAllocEx'(memoryapi.h) function. LPVOID represents address of any type.
Executing this function commits memory to which we can write data later.
Parameters:

1. hProcess is handle to process in which virtual address space the memory will be allocated
2. This parameter specifies starting address. NULL means function will determine where to allocate the region
3. Size of memory region to allocate in bytes
4. Set page state, multiple can be used with bitwise '|' operator
5. Requires memory protection constant

Data Execution Prevention (DEP)

Is a security technology, that makes some pages in memory non-executable. This prevents potential attackers from executing malicious code in these regions of memory using exploits like buffer overflow.

Address Space Layout Randomization (ASLR)

Is a security technique that randomizes base addresses of processes, DLL's and critical data structures like stack and heap. This prevents the attacker from hardcoding memory locations, which are like to be changed on each application restart. It also makes mistakes expensive, since writing to wrong address leads to application crash.
Effectiveness of this technique can be significantly diminished by reducing entropy.

WinAPI

WinAPI is a collection of functions, divided between many DLL's, that allow applications to interact with underlying Windows functionalities through code.
Many of these functions are documented in Win32 API MSDN.

Important Windows DLL's

• kernel32.dll - Exposes functions for memory management, file system access and console I/O, thread creation...
• user32.dll - Provides functions for managing windows, menus, controls and handling user input
• ntdll.dll - Many user mode API's rely on ntdll, as it exposes Native API
• ws2_32.dll - Implements Windows Websocket API, it is crutial for network programming
• advapi32.dll - Provides security features like authentication, access control and registry manipulation

The post Windows Architecture & WinAPI first appeared on Hard Wired.