The PE file header holds a host of information about the executable. The header precedes the actual contents of the file. In any Windows executable file these days, the DOS header occupies the first 64 bytes of the file; it is present so that the program runs fine if loaded from DOS mode, and it is followed by the PE header.
Name | What it does |
---|---|
.text | Contains the actual executable code |
.rdata or .idata | Read-only data for the program |
.data | Changing data |
.pdata | Only present in 64-bit |
.rsrc | Stores things needed by the program, aka resources |
Viewing PE files is simplified using tools like PEview.
In PEView the IDATA section of the PE header lists all the DLLs the program loads and even the functions it calls; do not expect malware to look like this, since malware is heavily obfuscated. Using PEView, we can also find out whether a program has been packed or not.
Look at the Size of Raw Data and the Virtual Size (in IMAGE_SECTION_HEADER for .text): if you find that the Virtual Size is insanely larger than the Size of Raw Data, you can safely assume that it is packed.
For example, look at StuxNet: the Virtual Size is 16AD while the Size of Raw Data is 1800, meaning that it unpacks and the process kills itself, i.e. spawns itself. The PE header shows a lot of useful information about the program.
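As an added example (not code from the original post), the following Python parser walks the IMAGE_SECTION_HEADER entries of a PE file and applies the Virtual Size versus Size of Raw Data check described above. The blob it builds is constructed, not a real executable: its .text entry uses the StuxNet numbers quoted above, its .data entry is invented with a large Virtual Size, and the 4:1 ratio is an assumed threshold.

```python
import struct

COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData)] for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # DOS header field pointing at "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    num_sections, opt_header_size = coff[1], coff[5]
    # Section headers start right after the optional header.
    off = e_lfanew + 4 + COFF_HEADER.size + opt_header_size
    sections = []
    for _ in range(num_sections):
        name, vsize, _va, rawsize, *_ = SECTION_HEADER.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
        off += SECTION_HEADER.size
    return sections


def suspicious_sections(data, ratio=4.0):
    """Names of sections whose VirtualSize dwarfs SizeOfRawData (a typical unpacking target).

    ratio is an assumed threshold; a section with no raw data at all is also flagged.
    """
    flagged = []
    for name, vsize, rawsize in parse_sections(data):
        if vsize > 0 and (rawsize == 0 or vsize / rawsize >= ratio):
            flagged.append(name)
    return flagged


def build_sample():
    """Constructed minimal PE-like blob for demonstration (not a runnable executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = COFF_HEADER.pack(0x8664, 2, 0, 0, 0, 0, 0x22)         # 2 sections, no optional header

    def sec(name, vsize, rawsize):
        return SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, 0x1000, rawsize,
                                   0x400, 0, 0, 0, 0, 0x60000020)

    # .text uses the StuxNet numbers from the text; .data is invented to look packed.
    return dos + b"PE\0\0" + coff + sec(b".text", 0x16AD, 0x1800) + sec(b".data", 0x30000, 0x200)


if __name__ == "__main__":
    print(suspicious_sections(build_sample()))
```

A zero raw size with a large virtual size is also what a legitimate uninitialized-data (.bss-style) section looks like, so treat a flagged section as a lead to confirm in PEView, not a verdict.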