SlideShare a Scribd company logo

Exploring the Portable Executable format

Ange Albertini, profile picture
Ange Albertini

This document provides an overview of the Portable Executable (PE) file format by exploring examples of simple, compiled, DLL, driver, and .NET binaries. It discusses the key components of a PE including the DOS header, PE header, optional header, data directories, sections, imports, and resources. It also briefly explains how the format is similar on 64-bit and ARM architectures with only minor changes needed.

BusinessTechnology
1 of 58
Downloaded 116 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Most read
18
Most read
19
20
21
Most read
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Exploring the Portable Executable format London, England Ange Albertini 2013/09/13
Workshop package (PoCs+docs) http://www.xchg.info/corkami/workshop.zip Recommended PE viewer: http://icerbero.com/peinsider
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
a handmade PE simple.exe a first real example working minimal
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
detailed walkthrough
Exploring the Portable Executable format
DOS header unused in PE mode
Exploring the Portable Executable format
PE header PE signature
Exploring the Portable Executable format
Optional Header NOT optional in executables
Exploring the Portable Executable format
DataDirectories end of OptionalHeader 16 (max) * [RVA, Size] each entry interpreted differently
Exploring the Portable Executable format
Sections memory mapping
Exploring the Portable Executable format
Exploring the Portable Executable format
Imports standard loader mechanism NOT required load DLL, locate APIs
Exploring the Portable Executable format
compiled PE compiled.exe closer to reality extra non-critical structure
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
DLL exports relocations
Exploring the Portable Executable format
Exploring the Portable Executable format
driver subsystem, checksum low alignments mapping different imports
Exploring the Portable Executable format
resources structure version, manifest/icon, APIs
Exploring the Portable Executable format
Exploring the Portable Executable format
Thread Local Storage callback list before EntryPoint & after ExitProcess
Exploring the Portable Executable format
.Net different and integrated binary 2nd loader
Exploring the Portable Executable format
what about 64b? very few changes ● 2 magic constants ● a few elements become QWord ○ ImageBase, Imports thunks, callbacks ● Exceptions have their own DataDirectory ○ no need for LoadConfig (SafeSEH)
and ARM ● a different magic constant ● still 16b DOS Stub ! ● nothing special, PE wise ○ the beauty of ‘Portability’
trivial
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format
Exploring the Portable Executable format

More Related Content

PPTX
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
PDF
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PPTX
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
PDF
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PDF
Part 01 Linux Kernel Compilation (Ubuntu)
Tushar B Kute
 
PPTX
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
 
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Part 01 Linux Kernel Compilation (Ubuntu)
Tushar B Kute
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
 

What's hot (20)

PDF
Valgrind tutorial
Satabdi Das
 
PPTX
I Hunt Sys Admins
Will Schroeder
 
PPTX
I hunt sys admins 2.0
Will Schroeder
 
PPTX
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
PDF
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
PDF
"How to Use Bazel to Manage Monorepos: The Grammarly Front-End Team’s Experie...
Fwdays
 
PPTX
Recon with Nmap
OWASP Delhi
 
PDF
A Threat Hunter Himself
Sergey Soldatov
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
PPTX
Bash Shell Scripting
Raghu nath
 
PDF
ReCertifying Active Directory
Will Schroeder
 
PPTX
Classification of vulnerabilities
Mayur Mehta
 
PDF
Open LDAP
Vellidin
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PDF
BloodHound Unleashed.pdf
n00py1
 
PDF
FIDO and the Future of User Authentication
FIDO Alliance
 
PDF
Sniffing via dsniff
Kshitij Tayal
 
PPTX
Presentation on samba server
Veeral Bhateja
 
PPTX
Linux security
trilokchandra prakash
 
PDF
I Have the Power(View)
Will Schroeder
 
Valgrind tutorial
Satabdi Das
 
I Hunt Sys Admins
Will Schroeder
 
I hunt sys admins 2.0
Will Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
"How to Use Bazel to Manage Monorepos: The Grammarly Front-End Team’s Experie...
Fwdays
 
Recon with Nmap
OWASP Delhi
 
A Threat Hunter Himself
Sergey Soldatov
 
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Bash Shell Scripting
Raghu nath
 
ReCertifying Active Directory
Will Schroeder
 
Classification of vulnerabilities
Mayur Mehta
 
Open LDAP
Vellidin
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
BloodHound Unleashed.pdf
n00py1
 
FIDO and the Future of User Authentication
FIDO Alliance
 
Sniffing via dsniff
Kshitij Tayal
 
Presentation on samba server
Veeral Bhateja
 
Linux security
trilokchandra prakash
 
I Have the Power(View)
Will Schroeder
 
Ad

Viewers also liked (17)

PDF
the PE format 2011/01/17
Ange Albertini
 
PPT
Protection
Sanjay Sharma
 
PDF
PE102 - a Windows executable format overview (booklet V1)
Ange Albertini
 
PPTX
Pe Format
Hexxx
 
PPT
PE Packers Used in Malicious Software - Part 1
amiable_indian
 
PDF
PE Trojan Detection Based on the Assessment of Static File Features
Antiy Labs
 
PDF
PE File Format
n|u - The Open Security Community
 
PPTX
PE File Format and Packer - Inc0gnito 2016
Hajin Jang
 
PDF
TASBot - the perfectionist
Ange Albertini
 
PDF
PDF: myths vs facts
Ange Albertini
 
PDF
Hacks in video games
Ange Albertini
 
PDF
Trusting files (and their formats)
Ange Albertini
 
PDF
Connecting communities
Ange Albertini
 
PDF
Caring for file formats
Ange Albertini
 
PDF
Let's write a PDF file
Ange Albertini
 
PDF
Preserving arcade games - 31c3
Ange Albertini
 
PDF
Funky file formats - 31c3
Ange Albertini
 
the PE format 2011/01/17
Ange Albertini
 
Protection
Sanjay Sharma
 
PE102 - a Windows executable format overview (booklet V1)
Ange Albertini
 
Pe Format
Hexxx
 
PE Packers Used in Malicious Software - Part 1
amiable_indian
 
PE Trojan Detection Based on the Assessment of Static File Features
Antiy Labs
 
PE File Format
n|u - The Open Security Community
 
PE File Format and Packer - Inc0gnito 2016
Hajin Jang
 
TASBot - the perfectionist
Ange Albertini
 
PDF: myths vs facts
Ange Albertini
 
Hacks in video games
Ange Albertini
 
Trusting files (and their formats)
Ange Albertini
 
Connecting communities
Ange Albertini
 
Caring for file formats
Ange Albertini
 
Let's write a PDF file
Ange Albertini
 
Preserving arcade games - 31c3
Ange Albertini
 
Funky file formats - 31c3
Ange Albertini
 
Ad

Similar to Exploring the Portable Executable format (20)

PDF
Binary art - Byte-ing the PE that fails you (extended offline version)
Ange Albertini
 
PPTX
Creating user-mode debuggers for Windows
Mithun Shanbhag
 
PPTX
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
PDF
Reversing & malware analysis training part 3 windows pe file format basics
Abdulrahman Bassam
 
PDF
A bit more of PE
Ange Albertini
 
PPTX
Revers engineering
AbdusSalam ALJBRI
 
PPTX
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
PPT
Intro reverse engineering
Nitin kumar Gupta
 
PDF
Binary art - Byte-ing the PE that fails you (live version)
Ange Albertini
 
ODP
x86 & PE
Ange Albertini
 
PDF
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
PPTX
OS Internals and Portable Executable File Format
Aitezaz Mohsin
 
PPT
PE Packers Used in Malicious Software - Part 2
amiable_indian
 
PDF
Match Column A with Column B by annotating the letter from Column B i.pdf
sonicleaner
 
PDF
A basic approach to Understanding Win32 Binaries
Sujit Ghosal
 
PDF
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
PDF
Ch 6: The Wild World of Windows
Sam Bowne
 
PDF
CNIT 127 Ch 6: The Wild World of Windows
Sam Bowne
 
PDF
Bypassing anti virus scanners
martacax
 
PPTX
Code Injection in Windows
n|u - The Open Security Community
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Ange Albertini
 
Creating user-mode debuggers for Windows
Mithun Shanbhag
 
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 3 windows pe file format basics
Abdulrahman Bassam
 
A bit more of PE
Ange Albertini
 
Revers engineering
AbdusSalam ALJBRI
 
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Intro reverse engineering
Nitin kumar Gupta
 
Binary art - Byte-ing the PE that fails you (live version)
Ange Albertini
 
x86 & PE
Ange Albertini
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
OS Internals and Portable Executable File Format
Aitezaz Mohsin
 
PE Packers Used in Malicious Software - Part 2
amiable_indian
 
Match Column A with Column B by annotating the letter from Column B i.pdf
sonicleaner
 
A basic approach to Understanding Win32 Binaries
Sujit Ghosal
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Ch 6: The Wild World of Windows
Sam Bowne
 
CNIT 127 Ch 6: The Wild World of Windows
Sam Bowne
 
Bypassing anti virus scanners
martacax
 
Code Injection in Windows
n|u - The Open Security Community
 

More from Ange Albertini (20)

PDF
Overview of file type identifiers (HackLu)
Ange Albertini
 
PDF
A question of time - Troopers 2024 Keynote
Ange Albertini
 
PDF
Technical challenges with file formats
Ange Albertini
 
PDF
Relations between archive formats
Ange Albertini
 
PDF
Abusing archive file formats
Ange Albertini
 
PDF
TimeCryption
Ange Albertini
 
PDF
You are *not* an idiot
Ange Albertini
 
PDF
Improving file formats
Ange Albertini
 
PDF
KILL MD5
Ange Albertini
 
PDF
No more dumb hex!
Ange Albertini
 
PDF
Beyond your studies
Ange Albertini
 
PDF
An introduction to inkscape
Ange Albertini
 
PDF
The challenges of file formats
Ange Albertini
 
PDF
Exploiting hash collisions
Ange Albertini
 
PDF
Infosec & failures
Ange Albertini
 
PDF
An overview of potential leaks via PDF
Ange Albertini
 
PDF
Advanced Pdf Tricks
Ange Albertini
 
PDF
Preserving arcade games
Ange Albertini
 
PDF
Let's talk about...
Ange Albertini
 
PDF
Hide Android applications in images
Ange Albertini
 
Overview of file type identifiers (HackLu)
Ange Albertini
 
A question of time - Troopers 2024 Keynote
Ange Albertini
 
Technical challenges with file formats
Ange Albertini
 
Relations between archive formats
Ange Albertini
 
Abusing archive file formats
Ange Albertini
 
TimeCryption
Ange Albertini
 
You are *not* an idiot
Ange Albertini
 
Improving file formats
Ange Albertini
 
KILL MD5
Ange Albertini
 
No more dumb hex!
Ange Albertini
 
Beyond your studies
Ange Albertini
 
An introduction to inkscape
Ange Albertini
 
The challenges of file formats
Ange Albertini
 
Exploiting hash collisions
Ange Albertini
 
Infosec & failures
Ange Albertini
 
An overview of potential leaks via PDF
Ange Albertini
 
Advanced Pdf Tricks
Ange Albertini
 
Preserving arcade games
Ange Albertini
 
Let's talk about...
Ange Albertini
 
Hide Android applications in images
Ange Albertini
 

Recently uploaded (20)

PDF
MSPs in 10 Words - Created by US MSP Network
Mayur Gudka
 
PDF
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PDF
Training And Development of Employee .pdf
nivethavm864
 
PPTX
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
PDF
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
PDF
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
PPTX
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
PDF
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Globus finanza
 
PPTX
Probability Distribution, binomial distribution, poisson distribution
gayusakktivel
 
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
PPTX
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
MSPs in 10 Words - Created by US MSP Network
Mayur Gudka
 
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
Chapter four Project-Preparation material
argachewbochena1
 
Training And Development of Employee .pdf
nivethavm864
 
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
IFRS Notes in your pocket for study all the time
jjj81507
 
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Globus finanza
 
Probability Distribution, binomial distribution, poisson distribution
gayusakktivel
 
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 

Exploring the Portable Executable format