PE internals

  • Writer: Abhilasha
  • Jul 14, 2024
  • 3 min read

Linked Libraries and Functions

  1. Imported Functions:

     • Definition: These are functions used by a program that are actually stored in different code libraries (DLLs).

     • Purpose: Programs import functions to avoid re-implementing common functionalities, thereby improving code reuse and reducing redundancy.

  2. Types of Linking:

     • Static Linking:

       • Description: Involves copying all library code into the executable at compile-time.

       • Effect: Increases executable size but enhances performance as all necessary code is bundled.

       • Analysis Challenge: Difficult to distinguish between statically linked code and the executable's own code during analysis because the PE file header doesn't differentiate them.

     • Runtime Linking:

       • Usage in Malware: Commonly used in malware, especially when packed or obfuscated.

       • Execution: Libraries are linked only when the function is needed during runtime, not at program start.

       • Key Functions: Includes LoadLibrary and GetProcAddress to dynamically load and access functions not explicitly listed in the file header.

     • Dynamic Linking:

       • Most Common Approach: Libraries are linked by the operating system when the program is loaded into memory.

       • Execution: When a program calls a linked library function, it executes within the library.

       • Information Storage: The PE file header stores details about every library that will be loaded and every function used by the program.

  3. Significance for Analysis:

     • Importance: Identifying imported libraries and functions is crucial for understanding program behavior.

     • Analysis Strategy: Helps in deducing the program's purpose based on imported functions. For example, importing URLDownloadToFile suggests network-related activities like downloading content from the internet.

  4. Common DLLs and Their Functions:

     • Kernel32.dll: Core functionality for memory, file, and hardware manipulation.

     • Advapi32.dll: Provides access to advanced Windows components like the Service Manager and Registry.

     • User32.dll: Contains user interface components such as buttons and scroll bars.

     • Gdi32.dll: Functions for displaying and manipulating graphics.

     • Ntdll.dll: Interface to the Windows kernel, used for advanced tasks like process manipulation.

     • WSock32.dll and Ws2_32.dll: Networking DLLs for network-related tasks.

     • Wininet.dll: Implements higher-level networking protocols like FTP, HTTP, and NTP.


PE Headers & Sections

  1. PE File Format Overview:

     • Header: Contains metadata about the PE file itself.

     • Sections: Follow the header and contain various types of data used by the executable.

  2. Common Sections in a PE File:

     • .text:

       • Description: Contains executable code (machine code instructions).

       • Purpose: This section is where the main program logic resides.

     • .rdata:

       • Description: Holds read-only data that is globally accessible within the program.

       • Usage: Stores constants, static strings, and other read-only data used throughout the program.

     • .data:

       • Description: Stores global data accessed throughout the program.

       • Usage: Includes variables and data structures that need to be initialized and modified during program execution.

     • .idata:

       • Description: Stores import function information.

       • Usage: Lists functions imported from external DLLs or other modules. If absent, this information may be merged into the .rdata section.

     • .edata:

       • Description: Stores export function information.

       • Usage: Lists functions within the executable that can be accessed by other programs or modules. If absent, export information may also be found in the .rdata section.

     • .pdata:

       • Description: Present only in 64-bit executables and stores exception-handling information.

       • Usage: Records information needed for stack unwinding during exception handling.

     • .rsrc:

       • Description: Stores resources needed by the executable.

       • Usage: Contains resources such as icons, dialog boxes, menus, and other non-executable data used by the application.

     • .reloc:

       • Description: Contains information for relocation of library files.

       • Usage: When an executable is loaded at an address different from its preferred base address, this section helps in adjusting memory addresses.

  3. PE Header Summary (Malware Perspective):

     • Imports: Lists functions from other libraries that the malware uses.

     • Exports: Functions in the malware that can be called by other programs or libraries.

     • Time Date Stamp: Indicates the time when the program was compiled.

     • Sections: Names of sections in the file and their sizes on disk and in memory.

     • Subsystem: Indicates whether the program is a command-line application or a GUI application.

     • Resources: Contains strings, icons, menus, and other embedded data within the file.

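A minimal parser for the header summary items above (time date stamp, subsystem, section names with their sizes on disk and in memory), added here as an example and not code from the original post. It builds a constructed PE32+ header inline so it runs offline; field offsets follow the standard IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and IMAGE_SECTION_HEADER layouts, and the "suspicious" flag (a section far larger in memory than on disk, a common packer hint) is an added heuristic, not something the post states.

```python
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {2: "GUI", 3: "console"}  # IMAGE_SUBSYSTEM_WINDOWS_GUI / IMAGE_SUBSYSTEM_WINDOWS_CUI


def parse_pe(data: bytes) -> dict:
    """Pull the summary items from a PE image: machine, timestamp, subsystem, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                           # IMAGE_FILE_HEADER
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)                # 0x10B = PE32, 0x20B = PE32+
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)       # same offset in both formats
    sections = []
    for i in range(nsec):                                         # IMAGE_SECTION_HEADER table
        off = opt + opt_size + 40 * i
        name, vsize, rva, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size_in_memory": vsize, "size_on_disk": rawsize, "rva": rva,
            # added heuristic: a section far larger in memory than on disk is a packer hint
            "suspicious": rawsize == 0 or vsize > 2 * rawsize,
        })
    return {
        "machine": machine, "pe32plus": magic == 0x20B,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "subsystem": SUBSYSTEMS.get(subsystem, f"other ({subsystem})"),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32+ header for testing; not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 1720915200, 0, 0, 240, 0x22)  # stamp = 2024-07-14 UTC
    optional = struct.pack("<H", 0x20B) + b"\0" * 66 + struct.pack("<H", 3) + b"\0" * 170  # subsystem 3 = console
    def sec(n, vs, va, rs, rp):
        return struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
    return (dos + coff + optional
            + sec(b".text", 0x1000, 0x1000, 0x1000, 0x400)        # sizes agree: normal
            + sec(b".data", 0x20000, 0x2000, 0x600, 0x1400))       # 128 KiB in memory, 1.5 KiB on disk


if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```
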
  4. Practical Tools for PE File Analysis:

     • PEview, PEBrowser, PEExplorer, CFF Explorer, ResourceHacker:

       • Purpose: These tools assist in viewing and analyzing PE file headers, sections, imports, exports, and resources.

       • Functionality: They provide insights into the internal structure of PE files, which is crucial for understanding both legitimate applications and potentially malicious software.

©2021 by just dump 1. Proudly created with Wix.com