
PE internals

  • Jul 14, 2024
  • 3 min read

Linked Libraries and Functions

  1. Imported Functions:

  • Definition: These are functions used by a program that are actually stored in different code libraries (DLLs).

  • Purpose: Programs import functions to avoid re-implementing common functionalities, thereby improving code reuse and reducing redundancy.

  2. Types of Linking:

  • Static Linking:

    • Description: Involves copying all library code into the executable at compile-time.

    • Effect: Increases executable size but enhances performance as all necessary code is bundled.

    • Analysis Challenge: Difficult to distinguish between statically linked code and the executable's own code during analysis because the PE file header doesn't differentiate them.

  • Runtime Linking:

    • Usage in Malware: Commonly used in malware, especially when packed or obfuscated.

    • Execution: Libraries are linked only when the function is needed during runtime, not at program start.

    • Key Functions: Includes LoadLibrary and GetProcAddress to dynamically load and access functions not explicitly listed in the file header.

  • Dynamic Linking:

    • Most Common Approach: Libraries are linked by the operating system when the program is loaded into memory.

    • Execution: When a program calls a linked library function, it executes within the library.

    • Information Storage: The PE file header stores details about every library that will be loaded and every function used by the program.

  3. Significance for Analysis:

  • Importance: Identifying imported libraries and functions is crucial for understanding program behavior.

  • Analysis Strategy: Helps in deducing the program's purpose based on imported functions. For example, importing URLDownloadToFile suggests network-related activities like downloading content from the internet.

  4. Common DLLs and Their Functions:

  • Kernel32.dll: Core functionality for memory, file, and hardware manipulation.

  • Advapi32.dll: Provides access to advanced Windows components like the Service Manager and Registry.

  • User32.dll: Contains user interface components such as buttons and scroll bars.

  • Gdi32.dll: Functions for displaying and manipulating graphics.

  • Ntdll.dll: Interface to the Windows kernel, used for advanced tasks like process manipulation.

  • WSock32.dll and Ws2_32.dll: Networking DLLs for network-related tasks.

  • Wininet.dll: Implements higher-level networking protocols like FTP, HTTP, and NTP.


PE Headers & Sections

  1. PE File Format Overview:

  • Header: Contains metadata about the PE file itself.

  • Sections: Follow the header and contain various types of data used by the executable.

  2. Common Sections in a PE File:

  • .text:

    • Description: Contains executable code (machine code instructions).

    • Purpose: This section is where the main program logic resides.

  • .rdata:

    • Description: Holds read-only data that is globally accessible within the program.

    • Usage: Stores constants, static strings, and other read-only data used throughout the program.

  • .data:

    • Description: Stores global data accessed throughout the program.

    • Usage: Includes variables and data structures that need to be initialized and modified during program execution.

  • .idata:

    • Description: Stores import function information.

    • Usage: Lists functions imported from external DLLs or other modules. If absent, this information may be merged into the .rdata section.

  • .edata:

    • Description: Stores export function information.

    • Usage: Lists functions within the executable that can be accessed by other programs or modules. If absent, export information may also be found in the .rdata section.

  • .pdata:

    • Description: Present only in 64-bit executables and stores exception-handling information.

    • Usage: Records information needed for stack unwinding during exception handling.

  • .rsrc:

    • Description: Stores resources needed by the executable.

    • Usage: Contains resources such as icons, dialog boxes, menus, and other non-executable data used by the application.

  • .reloc:

    • Description: Contains information for relocation of library files.

    • Usage: When an executable is loaded at an address different from its preferred base address, this section helps in adjusting memory addresses.

  3. PE Header Summary (Malware Perspective):

  • Imports: Lists functions from other libraries that the malware uses.

  • Exports: Functions in the malware that can be called by other programs or libraries.

  • Time Date Stamp: Indicates the time when the program was compiled.

  • Sections: Names of sections in the file and their sizes on disk and in memory.

  • Subsystem: Indicates whether the program is a command-line application or a GUI application.

  • Resources: Contains strings, icons, menus, and other embedded data within the file.

  4. Practical Tools for PE File Analysis:

  • PEview, PEBrowser, PEExplorer, CFF Explorer, ResourceHacker:

    • Purpose: These tools assist in viewing and analyzing PE file headers, sections, imports, exports, and resources.

    • Functionality: They provide insights into the internal structure of PE files, which is crucial for understanding both legitimate applications and potentially malicious software.
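To make the header walk the tools above perform concrete (DOS header, NT headers, section table, then the import directory that the "Imported Functions" section describes), here is an added example that is not part of the original post. It constructs a minimal PE32 image with one .rdata section whose import directory lists kernel32.dll and wininet.dll functions, then parses it back with only the standard library; it assumes 32-bit (PE32) thunks and a single import data directory, which is all the constructed sample contains.

```python
import struct

IMPORTS = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress"], "wininet.dll": ["InternetOpenA"]}  # constructed sample

def build_sample_pe(rva=0x1000, raw=0x200):
    """Minimal PE32 with one .rdata section holding an import directory (constructed for this example, not a real binary)."""
    descs, thunks, names = bytearray(), bytearray(), bytearray()
    thunk_rva = rva + 20 * (len(IMPORTS) + 1)                      # descriptors (+ null terminator) come first
    name_rva = thunk_rva + sum((len(f) + 1) * 8 for f in IMPORTS.values())  # then ILT+IAT pairs, then strings
    for dll, funcs in IMPORTS.items():
        dll_rva, ilt = name_rva + len(names), b""; names += dll.encode() + b"\0"
        for fn in funcs:
            ilt += struct.pack("<I", name_rva + len(names))
            names += b"\0\0" + fn.encode() + b"\0"                  # 2-byte hint, then the function name
        ilt += b"\0\0\0\0"
        descs += struct.pack("<5I", thunk_rva + len(thunks), 0, 0, dll_rva, thunk_rva + len(thunks) + len(ilt))
        thunks += ilt + ilt                                        # on disk the IAT starts as a copy of the ILT
    rdata = bytes(descs) + bytes(20) + bytes(thunks) + bytes(names)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(8)  # PE32 magic, 16 dirs, no exports
    opt += struct.pack("<2I", rva, len(descs) + 20) + bytes(8 * 14)                # data directory 1 = imports
    coff = struct.pack("<2H3I2H", 0x14C, 1, 0, 0, 0, len(opt), 0x102)              # i386, 1 section, EXE
    sec = struct.pack("<8s6I2HI", b".rdata", len(rdata), rva, raw, raw, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sec  # e_lfanew = 64
    return hdr.ljust(raw, b"\0") + rdata.ljust(raw, b"\0")

def parse_pe(data):
    """DOS header -> NT headers -> section table -> import directory, the walk a PE viewer performs."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24; magic, = struct.unpack_from("<H", data, opt)
    imp_rva, = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112) + 8)  # PE32 vs PE32+ layout
    sections = [struct.unpack_from("<8s4I", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def rva2off(r):                                                # RVA -> file offset via the section table
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= r < va + max(vsize, rawsize):
                return r - va + rawptr
        raise ValueError(f"RVA {r:#x} is not backed by any section")
    def cstr(r):
        off = rva2off(r); return data[off:data.index(b"\0", off)].decode()
    imports, d = {}, rva2off(imp_rva)
    while (desc := struct.unpack_from("<5I", data, d))[3] != 0:   # a Name RVA of 0 ends the descriptor array
        funcs, t = [], rva2off(desc[0] or desc[4])                 # walk the ILT (or the IAT when the ILT is absent)
        while (e := struct.unpack_from("<I", data, t)[0]) != 0:    # 4-byte thunks: PE32 only
            funcs.append(f"ordinal {e & 0xFFFF}" if e & 0x80000000 else cstr(e + 2))  # skip the 2-byte hint
            t += 4
        imports[cstr(desc[3])] = funcs; d += 20
    return {"sections": [(n.rstrip(b"\0").decode(), vs, rs) for n, vs, _, rs, _ in sections], "imports": imports}
```

`parse_pe(build_sample_pe())` returns the section list with its virtual and raw sizes (the on-disk versus in-memory sizes the header summary mentions) and the per-DLL import lists; on this sample the LoadLibraryA/GetProcAddress pair is exactly the runtime-linking indicator described above.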


 
 
 

©2021 by just dump 1. Proudly created with Wix.com