exploiting:theory:start [2020/01/02 11:00] titannet
exploiting:theory:start [2020/01/02 11:44] (current) titannet
Line 53: Line 53:
 </code> </code>
  
-<spoiler | PE Headers>+<spoiler | PE File Header (0x10)>
 |0x00 | DWORD | Signature | PE Magic Value | |0x00 | DWORD | Signature | PE Magic Value |
 |0x04 | WORD  | Machine | For a list of values, see machine types section | |0x04 | WORD  | Machine | For a list of values, see machine types section |
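Review bot: the renamed spoiler title "PE File Header (0x10)" does not match the offsets in its own table, which place the Signature at 0x00 and the COFF fields at 0x04 through 0x16, with the Optional Header spoiler in the next hunk starting at 0x18; if the parenthesised value is meant as the start offset in the same scheme, it should read "(0x00)" for the table as shown (or "(0x04)" if only the 20-byte COFF header after the signature is meant), and a one-line remark that these offsets are relative to the PE signature located by the DOS header's e_lfanew, not to the start of the file, would save readers from mixing the two bases.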
Line 63: Line 63:
 |0x16 | WORD  | Characteristics | The flags that indicate the attributes of the file. For list of values, refer to the Image Characteristics section. | |0x16 | WORD  | Characteristics | The flags that indicate the attributes of the file. For list of values, refer to the Image Characteristics section. |
 </spoiler> </spoiler>
 +
 +<spoiler| PE Optional Header (0x18)>
 +| 0x18 | WORD  | Magic | The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which identifies it as a normal executable file (PE32). 0x107 identifies it as a ROM image, and 0x20B identifies it as a PE32+ executable.|
 +| 0x1A | BYTE  | MajorLinkerVersion | The linker major version number.|
 +| 0x1B | BYTE  | MinorLinkerVersion | The linker minor version number.|
 +| 0x1C | DWORD | SizeOfCode | The size of the code (text) section, or the sum of all code sections if there are multiple sections.|
 +| 0x20 | DWORD | SizeOfInitializedData | The size of the initialized data section, or the sum of all such sections if there are multiple data sections.|
 +| 0x24 | DWORD | SizeOfUninitializedData | The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections.|
 +| 0x28 | DWORD | AddressOfEntryPoint | The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero.|
 +| 0x2C | DWORD | BaseOfCode | The address that is relative to the image base of the beginning-of-code section when it is loaded into memory.|
 +| 0x30 | DWORD | BaseOfData | This field does not appear in PE32+. The address that is relative to the image base of the beginning-of-data section when it is loaded into memory.|
 +| 0x34 | DWORD | ImageBase | The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.|
 +| 0x38 | DWORD | SectionAlignment | The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture.|
 +| 0x3C | DWORD | FileAlignment | The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture's page size, then FileAlignment must match SectionAlignment.|
 +| 0x40 | WORD  | MajorOperatingSystemVersion | The major version number of the required operating system.|
 +| 0x42 | WORD  | MinorOperatingSystemVersion | The minor version number of the required operating system.|
 +| 0x44 | WORD  | MajorImageVersion | The major version number of the image.|
 +| 0x46 | WORD  | MinorImageVersion | The minor version number of the image.|
 +| 0x48 | WORD  | MajorSubsystemVersion | The major version number of the subsystem.|
 +| 0x4A | WORD  | MinorSubsystemVersion | The minor version number of the subsystem.|
 +| 0x4C | DWORD | Win32VersionValue | Reserved, must be zero.|
 +| 0x50 | DWORD | SizeOfImage | The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment.|
 +| 0x54 | DWORD | SizeOfHeaders | The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment.|
 +| 0x58 | DWORD | CheckSum | The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.|
 +| 0x5C | WORD  | Subsystem | The subsystem that is required to run this image. For list of values, refer to the Windows Subsystem section.|
 +| 0x5E | WORD  | DllCharacteristics | For list of values, refer to the DLL Characteristics section.|
 +| 0x60 | DWORD | SizeOfStackReserve | The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached.|
 +| 0x64 | DWORD | SizeOfStackCommit | The size of the stack to commit.|
 +| 0x68 | DWORD | SizeOfHeapReserve | The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached.|
 +| 0x6C | DWORD | SizeOfHeapCommit | The size of the local heap space to commit.|
 +| 0x70 | DWORD | LoaderFlags | Reserved, must be zero.|
 +| 0x74 | DWORD | NumberOfRvaAndSizes | The number of data-directory entries in the remainder of the optional header. Each describes a location and size.|
 +
 +</spoiler>
 +
 +<code>
 +Magic -> 32 or 64
 +AddressOfEntryPoints -> RVA of Entry Point (EP) ~ location of first instruction
 +BaseOfCode, BaseOfData -> Code and Data Sections
 +ImageBase -> Preferred VA for PE file in memory (default: 0x00400000 for .exe, 0x10000000 for DLLs)
 +SectionAlignment, FileAlignment -> Alignment in memory
 +SizeOfImage -> MemorySize of PE file at runtime, must be multiple of SectionAlignment
 +</code>
 +
 +DataDirectory Array:
 +<code c>
 +typedef struct _IMAGE_DATA_DIRECTORY {
 +  DWORD VirtualAddress;
 +  DWORD Size;
 +} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
 +
 +* 16 Data Directory Structures per default htat point to RVA and size of specific data inside PE image on runtime.
 +* Example: ExportTableAddress (exported functions), ImportTableAddress (imported functions), ResourceTable (embedded resources), ImportAddressTable (IAT, runtime addresses of imported functions) 
 +
 +
 +
 +</code>
  
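Review bot: the Optional Header table from 0x34 onward is valid only for PE32 (Magic 0x10B), not for PE32+ (0x20B), yet the title "PE Optional Header (0x18)" does not say so; as the 0x30 row already notes, BaseOfData is absent in PE32+, and ImageBase, SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve and SizeOfHeapCommit are 8 bytes wide there, so ImageBase moves to 0x30 and every later offset shifts. Suggest labelling the table "PE32 layout" or adding a PE32+ offset column. Two smaller points in the same hunk: the `<code c>` block at the end is closed only after the two `*` bullets, so "16 Data Directory Structures per default htat point ..." and the "Example:" line will render as C source; move `</code>` to directly after the `IMAGE_DATA_DIRECTORY` struct and put the bullets (with "htat" corrected to "that") outside it. In the summary block, "AddressOfEntryPoints" should be "AddressOfEntryPoint" to match the table, and "SectionAlignment, FileAlignment -> Alignment in memory" conflates the two fields: per the 0x38 and 0x3C rows, SectionAlignment governs placement in memory while FileAlignment governs the raw section data on disk. The CheckSum row's "IMAGHELP.DLL" is the module normally spelled imagehlp.dll.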
exploiting/theory/start.1577959256.txt.gz · Last modified: 2020/01/02 11:00 by titannet