OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Created: Tuesday, March 13 2007 00:21.00 CDT
Modified: Wednesday, March 14 2007 10:47.46 CDT
This is an imported entry.
Tiny (and crazy) PE
Author: ero
Views: 3650
I did prepare a couple of new graphics for the last training I taught with Pedram in BlackHat DC. One of them was to illustrate a bit the structure of the header mess that leads to the small footprint of the executables in Solar Eclipse's solution to the Tiny PE challenge. I think it's a good example of how flexible and tolerant the Windows loader is, and why loading PE files is something that tends to break most tools when a file pushes the limits.

I'll comment on some of the slides in this post without going into too much detail on how or why things work; that's well explained in Solar Eclipse's page. The general format is the same I use when doing the walk-through of the PE format's main headers in a sane file, in order to illustrate how the headers are laid out in the file itself.
The red zeros in the following pictures mean data beyond the file size. That data is zeroed by Windows when the file is mapped into memory, and Tiny PE relies on those zeros being there, as Windows will try to access data in memory at that location, beyond the end of the file. If the memory wasn't zeroed first and contained random data, it would be much harder to cook up the headers in the current "compressed" layout.
This first shot just shows the DOS header and the e_lfanew field, which points to the start of the NT headers. The e_lfanew field contains 4, which is the offset within the file where the NT headers can be found. That's in the middle of what would otherwise be the DOS header. In the shot of the NT headers we can see some of their fields.
The NT headers contain the File and Optional headers; the next picture shows some of the fields constituting the Optional header.
As the last entry in the Optional Header one can find the array of data directories.
Now, the loader would need to locate the section headers. These normally follow the data directories of the Optional header. But in this case, as is illustrated in the following picture, they lie in what would be the middle of the Optional header. The location of the section headers is calculated by adding the size of the Optional header (4) to its offset (0x1C). Amusingly enough, the Windows loader does not take into account the reported size of the Optional header when it reads the header itself, but it does use it in order to find what follows.
And here are the fields of the section header...
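To make the walk-through above concrete, here is an added example in Python. It is my own code, not from this post and not Solar Eclipse's Tiny PE: a constructed header layout that reuses the post's numbers (e_lfanew = 4, SizeOfOptionalHeader = 4, Optional header at 0x1C, section table at 0x20) and a small parser that follows the loader's chain DOS header -> NT headers -> File header -> Optional header -> section table. Reads past the end of the file return zero, as they do in a mapped image, and the parser reports which header regions share bytes and how many header bytes the loader takes from the zero-filled area. The sample bytes, the section name and the region names are constructed for illustration; the field offsets are the standard PE32 ones. A tool that locates the section table this way, rather than assuming the headers are laid out sequentially, is one that Tiny PE does not break.

```python
import struct
from itertools import combinations

# Sizes the loader uses when reading the headers themselves (the PE32 optional
# header is read in full, whatever SizeOfOptionalHeader claims).
OPTIONAL_HEADER_PE32_SIZE = 224
SECTION_HEADER_SIZE = 40
DOS_HEADER_SIZE = 64

# Constructed sample, not Solar Eclipse's file: a 68-byte "file" whose headers
# overlap the way the post describes (e_lfanew = 4, SizeOfOptionalHeader = 4).
TINY = bytearray(0x44)
TINY[0:2] = b"MZ"                               # DOS header e_magic
struct.pack_into("<I", TINY, 0x3C, 4)           # e_lfanew -> NT headers at offset 4
TINY[4:8] = b"PE\0\0"                           # NT signature
struct.pack_into("<H", TINY, 0x08, 0x014C)      # FileHeader.Machine (i386)
struct.pack_into("<H", TINY, 0x0A, 1)           # FileHeader.NumberOfSections
struct.pack_into("<H", TINY, 0x18, 4)           # FileHeader.SizeOfOptionalHeader
struct.pack_into("<H", TINY, 0x1A, 0x0102)      # FileHeader.Characteristics
struct.pack_into("<H", TINY, 0x1C, 0x010B)      # OptionalHeader.Magic (PE32)
TINY[0x20:0x28] = b".tiny\0\0\0"                # section Name, inside the optional header


def read_u16(buf, off):
    """Little-endian u16; bytes past EOF read as zero, as in a mapped image."""
    return struct.unpack("<H", bytes(buf[off:off + 2]).ljust(2, b"\0"))[0]


def read_u32(buf, off):
    """Little-endian u32 with the same past-EOF-is-zero rule."""
    return struct.unpack("<I", bytes(buf[off:off + 4]).ljust(4, b"\0"))[0]


def parse_headers(buf):
    """Walk DOS -> NT -> File -> Optional header -> section table like the loader."""
    e_lfanew = read_u32(buf, 0x3C)
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    number_of_sections = read_u16(buf, file_header + 2)
    size_of_optional_header = read_u16(buf, file_header + 16)
    optional_header = file_header + 20
    # The optional header is read at its full size, but the section table is
    # located by the *claimed* size, which is what lets the two overlap.
    section_table = optional_header + size_of_optional_header
    return {
        "e_lfanew": e_lfanew,
        "number_of_sections": number_of_sections,
        "size_of_optional_header": size_of_optional_header,
        # SectionAlignment sits at optional-header offset 32, i.e. file offset
        # 0x3C here: the very same bytes that hold e_lfanew.
        "section_alignment": read_u32(buf, optional_header + 32),
        "regions": {
            "dos_header": (0, DOS_HEADER_SIZE),
            "file_header": (file_header, optional_header),
            "optional_header": (optional_header, optional_header + OPTIONAL_HEADER_PE32_SIZE),
            "section_table": (section_table, section_table + number_of_sections * SECTION_HEADER_SIZE),
        },
        "file_size": len(buf),
    }


def overlapping_regions(headers):
    """Pairs of header regions that share file bytes (half-open ranges)."""
    regions = headers["regions"]
    return [(a, b) for a, b in combinations(regions, 2)
            if regions[a][0] < regions[b][1] and regions[b][0] < regions[a][1]]


def bytes_read_past_eof(headers):
    """How many header bytes the loader takes from the zero-filled area past EOF."""
    end = max(hi for _, hi in headers["regions"].values())
    return max(0, end - headers["file_size"])


if __name__ == "__main__":
    h = parse_headers(TINY)
    for name, (lo, hi) in h["regions"].items():
        print(f"{name:16s} 0x{lo:02X}-0x{hi:02X}")
    print("overlaps:", overlapping_regions(h))
    print("bytes read past EOF:", bytes_read_past_eof(h))
```

Running it lists the four header regions, the pairs that overlap (the DOS header with everything, and the Optional header with the section table), and 184 header bytes that only exist in the zero-filled mapping. The section's Characteristics field lands at file offset 0x44, exactly the end of the constructed file, so `read_u32(TINY, 0x44)` is 0: the same zero the red cells in the slides stand for.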
I haven't taken the time to illustrate the import directory and the couple of additional details missing (it's just left as an exercise of mental contortion for the reader...). The original text by Solar Eclipse provides the rest of the info for the interested souls.
If you wish to comment on this blog entry, please do so on the original site it was imported from.