
EXAMINING PE FILES

posted on August 16, 2000
by hitbsecnews

WARNING: The author is NOT a proficient coder [heh!], or even a good one. None of the information in this article is guaranteed to be accurate; this article is meant for BEGINNERS, or people looking to learn a bit about the PE file format, simple binary file I/O, etc.

ASSUMED: Knowledge of C, working with MSVC++, Windows API, and how to use a hex editor.

Ok, first, let's say we just want to check whether the file is a PE file. We could just grab the signature bytes and compare them with 'PE', which is what a PE file is supposed to have. The signature bytes are at the START of the PE header. How do you know where the PE header starts? Easy: the offset to it is always stored at 0x3C [60 bytes into the file].

So a routine like this:

fseek(out, 0x3c, SEEK_SET); // position file pointer where we can grab the PE header offset
fread((void *) &unf, 1, 2, out); // read in the WORD value of the offset, 2 bytes total (the field itself is a DWORD, so this only works while the offset is below 0x10000)
/* full source = ex1.c */

Now when I run this little program against c:\windows\telnet.exe we get the following:

C:\code\MISC>pe c:\windows\telnet.exe

reading from file c:\windows\telnet.exe

unf contains 80

So the offset to the start of the PE header is 0x80 (128 decimal). With this we can now start examining the PE header: we can find out how many sections it has, the permissions on each section, the image size, the time/date stamp of when it was compiled, etc. But what we're interested in first is the very first field, the PE signature bytes, which are of course 'PE\0\0' (the two nulls making it a DWORD). So we could do something like this:

fseek(out, 0x3c, SEEK_SET);
fread((void *) &unf, 1, 2, out);
fseek(out, unf, SEEK_SET); // jump to the start of the PE header
fread(buf, 1, 4, out); // read the 4 signature bytes: 'PE' followed by two nulls
if (strcmp(buf, cmpme) == 0) { // cmpme holds "PE"; the first null byte terminates buf
    printf("buffer contains %s\n", buf); // PE found
    exit(1);
}
/* full source ex2.c */

sample output:

C:\code\MISC>ex2 c:\windows\telnet.exe

reading from file c:\windows\telnet.exe

buffer contains PE

C:\code\MISC>ex2 ex2.exe

reading from file ex2.exe

C:\code\MISC>ex2 c:\windows\calc.exe

reading from file c:\windows\calc.exe

buffer contains PE

How about we check what kind of CPU is needed? Very easy: it's a WORD value located right after the signature bytes.
We could modify our code to do the following:

fseek(out, 0x3c, SEEK_SET);
fread((void *) &unf, 1, 2, out);
fseek(out, unf+4, SEEK_SET); // PE header offset + 4 bytes so we bypass the signature bytes!
fread((void *) &cputype, 1, 2, out); // the WORD right after the signature
switch (cputype) {
case 0x14c:
    printf("80386 cpu needed\n");
    break;
case 0x14d:
    printf("80486 cpu needed\n");
    break;
.. etc ..
/* full source ex3.c */

sample output:

C:\code\MISC>ex3 c:\windows\calc.exe

reading from file c:\windows\calc.exe

80386 cpu needed

C:\code\MISC>ex3 ex3.exe

reading from file ex3.exe

cpu needed is unknown

I couldn't find any files on my hdd that required a cpu higher than 80386 ;) ex3.exe of course isn't a PE file, so the cpu type field isn't there, thus it's unknown, which is what my default in the switch statement is.

Now, how about reading out all of the section names contained in a PE file? How? Easyyyyy: the PE header is exactly 0xF8 bytes big, so once you have the offset to the PE header, move your file pointer to peoffset+0xF8. And what follows the PE header? The object table, of course. Each object table entry is 40 bytes long, so we could do something like this:

fseek(out, unf+6, SEEK_SET); // the number of objects is the WORD 6 bytes into the PE header
fread((void *) &objs, 1, 2, out);
unf += 0xF8; // skip the whole PE header, the object table starts right after it
fseek(out, unf, SEEK_SET);
for (i = 0; i < objs; i++) {
    fread(objz_arr[i], 1, 8, out); // 8-byte name; objz_arr[i] must hold 9 bytes so it stays null-terminated
    printf("objz_arr[%d] contains %s\n", i, objz_arr[i]);
    unf += 0x28; // each object table entry is 40 bytes
    fseek(out, unf, SEEK_SET);
}
/* full source in ex4.c */

sample output:

C:\code\MISC>ex4 c:\windows\telnet.exe

reading from file c:\windows\telnet.exe

objs is 3

objz_arr[0] contains .text

objz_arr[1] contains .data

objz_arr[2] contains .rsrc

Of course, now that we know the object table directly follows the PE header, the size of each object table entry, etc., we could manipulate it too, maybe change the flags so a section is not executable, or whatever.
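As an added example (not the ex1.c to ex4.c code from the article), here is the whole walk described above in one C program, with two things the snippets gloss over: the offset at 0x3C (e_lfanew) is a 4-byte DWORD, and the object table starts at PE header + 24 + SizeOfOptionalHeader, which equals the 0xF8 used above only for PE32 images with the standard 0xE0 optional header. Every offset is bounds-checked before use, since a crafted file can point e_lfanew or the object count anywhere; the names pe_info, parse_pe and build_sample are my own, and build_sample constructs a minimal in-memory sample image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SECS 16
typedef struct {                 /* hypothetical summary record, not from the ex*.c sources */
    uint16_t machine, nsections; /* COFF Machine (0x14c = i386) and NumberOfSections */
    char name[MAX_SECS][9];      /* 8-byte section names, NUL-terminated here */
    uint32_t flags[MAX_SECS];    /* section Characteristics */
} pe_info;
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* Returns 0 on success, -1 if the buffer is not a well-formed PE. Every offset is checked
 * against len before use: e_lfanew and NumberOfSections come straight from the file. */
int parse_pe(const unsigned char *b, size_t len, pe_info *out) {
    uint32_t pe, sect; uint16_t i;
    if (len < 0x40 || b[0] != 'M' || b[1] != 'Z') return -1;
    pe = rd32(b + 0x3c);                                   /* e_lfanew is a DWORD, not a WORD */
    if (pe > len - 24 || memcmp(b + pe, "PE\0\0", 4) != 0) return -1;
    out->machine   = rd16(b + pe + 4);
    out->nsections = rd16(b + pe + 6);
    sect = pe + 24 + rd16(b + pe + 20);  /* SizeOfOptionalHeader: 0xE0 for PE32 gives the page's 0xF8 */
    if (out->nsections > MAX_SECS || sect > len || (size_t)out->nsections * 40 > len - sect) return -1;
    for (i = 0; i < out->nsections; i++) {
        const unsigned char *e = b + sect + (size_t)i * 40;   /* one 40-byte section table entry */
        memcpy(out->name[i], e, 8); out->name[i][8] = '\0';
        out->flags[i] = rd32(e + 36);   /* 0x20000000 = executable, 0x80000000 = writable */
    }
    return 0;
}
/* Constructed minimal PE32-shaped image used as sample input (not a real program). */
size_t build_sample(unsigned char *b) {
    size_t sect = 0x40 + 24 + 0xE0, len = sect + 2 * 40;
    memset(b, 0, len);
    b[0] = 'M'; b[1] = 'Z'; b[0x3c] = 0x40;                /* e_lfanew = 0x40 */
    memcpy(b + 0x40, "PE\0\0", 4);
    b[0x44] = 0x4c; b[0x45] = 0x01; b[0x46] = 2;             /* Machine 0x14c, 2 sections */
    b[0x54] = 0xE0;                                         /* SizeOfOptionalHeader */
    memcpy(b + sect, ".text", 5); b[sect + 36] = 0x20; b[sect + 39] = 0x60;        /* 0x60000020 */
    memcpy(b + sect + 40, ".data", 5); b[sect + 76] = 0x40; b[sect + 79] = 0xC0;   /* 0xC0000040 */
    return len;
}
int main(int argc, char **argv) {   /* usage: pe_walk file.exe, or no argument to use the sample */
    static unsigned char buf[1 << 20]; size_t len; pe_info pi; uint16_t i; FILE *f;
    if (argc > 1 && (f = fopen(argv[1], "rb")) != NULL) { len = fread(buf, 1, sizeof buf, f); fclose(f); }
    else len = build_sample(buf);
    if (parse_pe(buf, len, &pi) != 0) { puts("not a PE file"); return 1; }
    printf("machine 0x%x, %u sections\n", (unsigned)pi.machine, (unsigned)pi.nsections);
    for (i = 0; i < pi.nsections; i++) printf("  %-8s characteristics 0x%08x\n", pi.name[i], (unsigned)pi.flags[i]);
    return 0;
}
```

Only the first MiB is read, which is plenty for the headers and object table; the sample image returns machine 0x14c with .text (0x60000020) and .data (0xC0000040).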

This little textfile was written up one day when I was bored, mostly for myself because I wanted to learn about the PE format. Sadly, going over it now I see it's mostly just simple file I/O which I have described and not much really about the PE format; on a brighter note I've learned all about the PE format =)) I learned about the PE file format from a great text I found on wotsit.org; search for "portable executable format" to find ALL the details about the header, the object table, Import/Export tables, etc.

BTW, of course all this information is easily located with your favorite hex editor =>

abrams@sdf.lonestar.org | abrams@hackinthebox.org