Volume -0x00 [ Intr0dUCti0N of PE ]
“is the process of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information” [**]

Most Windows programs are in the Portable Executable (PE) format. A PE file contains information, resources and references to dynamic-link libraries (DLLs) that allow Windows to load and execute the machine code. That’s why we say it is portable. xD

Windows Building
User-mode vs. Kernel Mode [1]
- In user mode, an application starts a user-mode process, which comes with its own private virtual address space and handle table
- In kernel mode, applications share the virtual address space

Here we will go ahead with user-mode applications. The diagram above shows the relationship of application components in user mode and kernel mode.
Introducing PE Header
The PE header provides information to the operating system on how to map the file into memory. The executable code has designated regions that require different memory protections (RWX):
- Read
- Write
- Execute

Here is a hex dump of a PE header.
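To make the header walk concrete, here is an added Python example (not code from the original post) that follows the chain DOS header → PE signature → COFF file header → section table and reports the R/W/X protection each section asks for. The image it parses is a constructed minimal PE-like byte string built inline (it is not a real executable and has no optional header); a defender's check at the end lists any section that is mapped both writable and executable, which normal compiler output does not produce.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns (machine, [(name, virtual_address, virtual_size, raw_size, prot)])
    where prot is a three-character string such as 'R-X' derived from the
    section's Characteristics field. The optional header is skipped using
    its declared size, so the same walk works for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size

    sections = []
    for i in range(nsections):
        off = section_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        (name, vsize, vaddr, rawsize, _rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        prot = ("R" if chars & IMAGE_SCN_MEM_READ else "-") \
             + ("W" if chars & IMAGE_SCN_MEM_WRITE else "-") \
             + ("X" if chars & IMAGE_SCN_MEM_EXECUTE else "-")
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, vsize, rawsize, prot))
    return machine, sections


def rwx_sections(sections):
    """Names of sections mapped both writable and executable; ordinary
    compiler output has none, so such a section deserves a closer look."""
    return [s[0] for s in sections if s[4] == "RWX"]


def build_sample_pe() -> bytes:
    """Constructed sample image (not a real executable): DOS stub with e_lfanew,
    PE signature, COFF header with SizeOfOptionalHeader = 0, three sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)  # i386, 3 sections

    def sec(name, vaddr, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, chars)

    body = dos + b"PE\0\0" + coff
    body += sec(b".text", 0x1000, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    body += sec(b".rdata", 0x2000, 0x100, IMAGE_SCN_MEM_READ)
    body += sec(b".data", 0x3000, 0x100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return body


if __name__ == "__main__":
    machine, secs = parse_pe_sections(build_sample_pe())
    print(f"machine=0x{machine:x}")
    for name, vaddr, vsize, rawsize, prot in secs:
        print(f"{name:8s} VA=0x{vaddr:05x} size=0x{vsize:x} {prot}")
    print("RWX sections:", rwx_sections(secs))
```

Replace `build_sample_pe()` with `open(path, "rb").read()` to run the same walk over a real file; the section table is what the loader uses to decide which pages become readable, writable or executable once the image is mapped.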

Memory Layout
- Stack – region of memory where data is added or removed using a “last-in-first-out” (LIFO) procedure [2]
- Heap – region for dynamic memory allocation [3]
- Program Image – the PE executable code placed into memory
- DLLs – loaded DLL images that are referenced by the PE
- TEB – the Thread Environment Block stores information about the currently running thread(s) [4]
- PEB – the Process Environment Block stores information about the process and its loaded modules [5]

The Stack
- Data is either pushed onto or popped off the stack data structure.
- EBP – the Base Pointer is the register used to hold the reference point of the current stack frame.

This is all about the PE header, and I will be back soon with a new topic called “x86 Assembly” as Volume 0x01. Thank you!
@ShapManasick #HarithDilshan