PMA 122: PE Headers (10 pts + 40 extra)
What you need
- A Windows machine, preferably the "Windows 10 with Analysis Tools" VM
Purpose
To examine how EXE files work,
and how the UPX packer modifies them.
Use the "Windows 10 with Analysis Tools" VM
You can use any Windows system, but it's easiest
to use the
"Windows 10 with Analysis Tools" machine from an
earlier project.
Making a Hello Program
Click Start. Scroll down to the
V section,
click
"Visual Studio 2017",
and click
"x86 Native Tools Command Prompt for VS 2017".
In the "x86 Native Tools Command Prompt for VS 2017"
window,
execute these commands,
as shown below:
mkdir c:\pe
cd c:\pe
notepad hello.cpp
Notepad asks if you want to create a
new file. Click Yes.
Enter this source code,
as shown below:
#include <iostream>
using namespace std;
void main()
{
printf("Hello!\n");
}
Save the file.
In the "x86 Native Tools Command Prompt for VS 2017"
window,
execute these commands,
as shown below:
cl /EHsc hello.cpp
hello.exe
MS-DOS Header
Click Start and type PEview. Launch PEview.
Open the C:\pe\hello.exe file in
PEview.
In the left pane, click
IMAGE_DOS_HEADER.
This header is now unused. The
only important features are the
first and last item,
as shown below.
- Signature: 5A4D or MZ -- the start of every PE file
- Offset to new EXE Header: value varies
MS-DOS Stub Program
This program merely prints a message
on obsolete MS-DOS systems and is unimportant
to us.
IMAGE_NT_HEADERS
This header is important.
Note these features,
as shown below.
- Signature: PE
- IMAGE_FILE_HEADER: The Time Date Stamp here is useful for attribution
- IMAGE_OPTIONAL_HEADER: this is very important, as detailed below.
IMAGE_OPTIONAL_HEADER
Note these features,
as shown below.
- Image Base: The preferred RAM location the program will load into, often 400000
- Size of Image: the total size of all sections when loaded into memory
- IMPORT Table: RVA is the Relative Virtual Address, the location of the IMPORT Table relative to the base address of the image. In the image below, the value is 16B2C, which, added to the start of the image 400, results in an address of 16F2C in this file.
Scrolling down, we see the
Import Address Table, at RVA
11000. As we'll see below, that
matches the start of the .rdata
section.
Section Headers
For each section, note these
features,
as shown below.
- Name: Limited to 8 bytes
- Virtual Size: the total size of the section when loaded into memory
- RVA: where the section is loaded into memory, relative to the base address of the image
- Size of Raw Data: size of the section on disk
- Pointer to Raw Data: location of the section within the EXE file
Calculating Memory Layout
Examine each secton in turn and find the RVA
and "Virtual Size" values of each one.
Then you can calculate the actual memory layout
of the program,
by adding the RVA to the Image Base,
as shown below.
(The Image Base is in the IMAGE_OPTIONAL_HEADER.)
| Section | RVA | | Memory Address |
|---|
| Image Base | | | 400000 |
| .text | 1000 | | 401000 |
| .rdata | 12000 | | 412000 |
| .data | 19000 | | 419000 |
| .reloc | 1B000 | | 41B000 |
Memory Map
To verify the addresses,
open hello.exe in x32dbg or OllyDbg
and click View,
Memory Map.
As shown below, the
layout matches the pattern,
although the base address was
not 400000 on my system.
IMPORT Address Table
In the .rdata section,
the first item is the IMPORT
Address Table, starting at
address 10E00, as shown below.
PMA 122.1: Missing Section (10 pts)
Download this file:
hello2.exe
Examine that file. It has four sections,
unlike the one we examined above.
What is the name of the missing section?
That is, what section is present in hello.exe
but not present in hello2.exe?
That's the flag.
|
PMA 122.2: Broken (20 pts)
Download this file:
peflagh.exe
The file is damaged and cannot run.
Fix it and run it to see the flag.
Hint: Use CFF Explorer. Examine the headers. Invalid fields turn red.
|
PMA 122.3: Broken (20 pts)
Download this file:
peflag2h.exe
The file is damaged and cannot run.
Fix it and run it to see the flag.
Hint: If SmartScreen blocks the file, unblock
it in the file Properties.
Hint: In the Section Header, all the Virtual Addresses should end with "000".
|
Sources
PE Format from Microsoft
PE File Format Offsets - by Sunshine
Understanding the Import Address Table
Understanding Import Tables #2 - Manually add imports - by Sunshine
Posted 9-23-2020
SmartScreen hint added 9-29-20
brackets around iostream HTML-encoded 9-30-20
Updated 5-30-2021
Extra points enumerated 8-31-2021
FLARE-VM reference removed 9-7-2021
122.1 explanation expanded 9-19-22
122.2 hint added 10-12-22
122.3 hint added 10-14-22