HackToHell. Powered by Blogger.

Analysing PE files

PE (Portable Executable) files are the format for executables in the Windows operating system.

The PE file header holds a host of information about the executable and precedes the actual contents of the file. In any Windows executable today, the DOS header occupies the first 64 bytes of the file; it is there so that the file still behaves sensibly if run under DOS (the DOS stub that follows it just prints a message and exits). The PE header comes after that, and it in turn describes the sections listed below.

Name               What it does
.text              Contains the actual executable code
.rdata or .idata   Read-only data for the program
.data              Changing (read/write) data
.pdata             Only present in 64-bit executables
.rsrc              Stores the resources the program needs

Viewing PE files is made much easier by tools like PEview.
In PEview you will see that the import data (IDATA) section lists every DLL the program loads, and even the functions it calls. Do not expect malware to be this transparent; it is usually heavily obfuscated. Using PEview we can also find out whether a program has been packed.

Look at Size of Raw Data and Virtual Size in the IMAGE_SECTION_HEADER for .text: if Virtual Size is far larger than Size of Raw Data, the section reserves much more memory than the file supplies, and you can assume the program is packed (the packer fills that space at run time).

For example, look at Stuxnet: the Virtual Size is 16AD while Size of Raw Data is 1800, meaning that it unpacks itself at run time and then replaces the running process with the unpacked copy. The PE header shows a lot of useful information about the program.
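As an added example (this is not code from the original post), here is a small pure-Python walker that reads the headers described above, DOS header to section table, and applies the Virtual Size versus Size of Raw Data rule of thumb. The two in-memory PE images it inspects are constructed inline for the demonstration: the .text values 16AD/1800 are the ones quoted above, while the UPX-style section names and numbers are invented. The 2x ratio threshold and the "only flag executable sections" filter are assumptions of mine, not from the post.

```python
"""Minimal PE header walker plus the packed-section heuristic.
Standard library only (no pefile); the sample images below are constructed."""
import struct

DOS_HDR = struct.Struct("<2s58xI")           # e_magic ... e_lfanew (64 bytes)
FILE_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Return the file header fields and the section table of a PE image."""
    if len(data) < DOS_HDR.size:
        raise ValueError("too short for a DOS header")
    e_magic, e_lfanew = DOS_HDR.unpack_from(data, 0)
    if e_magic != b"MZ":
        raise ValueError("missing MZ signature")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    off = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = FILE_HDR.unpack_from(data, off)
    off += FILE_HDR.size
    magic = struct.unpack_from("<H", data, off)[0]  # 0x10B = PE32, 0x20B = PE32+
    off += opt_size                                 # section table follows the optional header
    sections = []
    for _ in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _r, _l, _nr, _nl, flags) = SECTION_HDR.unpack_from(data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_pointer": raw_ptr,
            "characteristics": flags,
        })
        off += SECTION_HDR.size
    return {"machine": machine, "timestamp": timestamp, "magic": magic,
            "characteristics": characteristics, "sections": sections}


def suspicious_sections(data: bytes, ratio: float = 2.0) -> list:
    """Executable sections whose VirtualSize dwarfs SizeOfRawData (assumed 2x rule).
    Non-executable sections are skipped because .bss-style data legitimately
    has raw size 0 and would otherwise be a false positive."""
    hits = []
    for s in parse_pe(data)["sections"]:
        if not s["characteristics"] & IMAGE_SCN_MEM_EXECUTE or s["virtual_size"] == 0:
            continue
        if s["raw_size"] == 0 or s["virtual_size"] > ratio * s["raw_size"]:
            hits.append(s["name"])
    return hits


def build_pe(sections) -> bytes:
    """Constructed headers-only PE32 image: [(name, virtual_size, raw_size, flags)]."""
    e_lfanew, opt_size = 0x80, 0xE0                 # PE32 optional header is 0xE0 bytes
    dos = DOS_HDR.pack(b"MZ", e_lfanew)
    stub = b"\0" * (e_lfanew - DOS_HDR.size)        # stand-in for the DOS stub
    file_hdr = FILE_HDR.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, va, raw = b"", 0x1000, 0x400
    for name, vsize, rsize, flags in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, rsize, raw,
                                  0, 0, 0, 0, flags)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF
        raw += rsize
    return dos + stub + b"PE\0\0" + file_hdr + opt + table


# Constructed samples: .text numbers from the post; UPX-style values are invented.
NORMAL = build_pe([(b".text", 0x16AD, 0x1800, 0x60000020),
                   (b".data", 0x200, 0x200, 0xC0000040)])
PACKED = build_pe([(b"UPX0", 0x20000, 0, 0xE0000080),
                   (b"UPX1", 0x9000, 0x8A00, 0xE0000040),
                   (b".rsrc", 0x1000, 0x600, 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL), ("packed", PACKED)):
        for s in parse_pe(img)["sections"]:
            print(f"{label:6} {s['name']:8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x}")
        print(label, "suspicious:", suspicious_sections(img))
```

The constructed UPX-style image trips the check on its first section (executable, zero bytes on disk, 128 KiB in memory), while a .text section with the 16AD/1800 values above does not, since its Virtual Size is the smaller of the two. On a real sample, combine this with the entry point landing in a non-.text section and a nearly empty import table before calling it packed.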


About hacktohell

Love technology.