Windows PE File Format

Question 1

Name 3 major file extensions that commonly use the PE File Format?

Answer 1

EXE, SYS, DLL

Question 2

PE Sections have a virtual size, and a size on disk – and the two may be different. In what common malware situation may be size on disk be quite a bit lower than size in memory?

Answer 2

Packed code – more space allocated for the unpacked version

Question 3

Describe briefly (3-4 lines) why PE Files need to use Relative Virtual Addresses (RVA)

Answer 3

Mentioned ImageBase, having to relocate, and having things relative to that.

Question 4

What is a handle?

Answer 4

It’s simply a pointer to the first memory address of that dll or exe. You can essentially find any part of the file in memory simply from the handle.

Question 5

Name a few tools to analyse PE files?

Answer 5

PE Browse, Winitor, Hiew, DependencyWalker

Question 6

How many sections does a PE file usually has?

Answer 6

Usually at least 2 sections - one for code, one for data, exist within a file. There might be one code section, but a couple of different data sections – one for Read only data, one for R/W etc.

• .text - Programs Code
• .rdata - Read-Only Data
• .data - Other Data

Question 7

What is File Alignment / Section Alignment?

Answer 7

Sections in the file line up with a multiple of the File Alignment value - usually 512 bytes (0x200)

Sections loaded in memory line up with a multiple of the size of page of memory (Section Alignment):

• Usually 4Kb on 32-bit machines (0x1000)
• Usually 8Kb on 64-bit machines (0x2000)

Question 8

What is RVA?

Answer 8

Relative Virtual Addresses (RVA) - Offset in memory relative to where PE file is loaded.

E.g. Exe loaded at 0x400000, code section at 0x4010000

=> RVA = Target address(0x4010000) - Load address (0x400000) = RVA (0x1000)

Question 9

What’s the Image Base Address?

Answer 9

All files have a field in the header called “Image Base Address” which is the location in the memory the PE File would prefer to load. Sometime this area is taken and the file is loaded at a different memory address. To solve that we use Relative addresses (RVA).

Question 10

What is the IAT?

Answer 10

The Windows Loader builds a Import Address Table (IAT) for each DLL loaded by the process containing those functions.

If you look at this table in file on disk it will simply list the functions used by the program. However when the PE File is loaded into memory this table is updated to point to the actual DLL code in memory.

Question 11

What are the main sections of the PE File?

Answer 11

• MZ Header
• PE Header
• Code Section
• Data Section
• Imports
• Resources

Question 12

What is important in the MZ header?

Answer 12

• E_magic: file signature (0x4D5A)
• E_Ifanew: Offset to the PE header

Question 13

What is important in the PE header?

Answer 13

• IMAGE_FILE_HEADER
• IMAGE_OPTIONAL_HEADER (mandatory, big)
• IMAGE_SECTION_HEADER

Question 14

What is important in the PE header/Image_File_Header?

Answer 14

• Machine: ox014C
• Number of section
• Timestamp
• Size (of optional header)
• Characteristics (16 flags; two bits indicates DLL vs EXE)

Question 15

What is important in the PE header/Image_Optional_Header?

Answer 15

• Magic Number (01 = PE file; 02 = x64 PE file)
• Address of EntryPoint (RVA)
• ImageBase (offset in Virtual Memory; 0x400000)
• SectionAlignment
• FileAlignment
• EXPORTS
• IMPORTS
• Import Address Table

Question 16

What is important in the PE header/Image_Section_Header (Sections Table)?

Answer 16

Section Header contains one data structure for each section in the file:

• Name
• Virtual Address (to the start of the section)
• Virtual Size (let’s you calc the end of the section)
• PointerToRawData
• SizeOfRawData
• Characteristics (16 flags; code vs. data)

Question 17

Name a few tools to analyse PE files?

Answer 17

• PEFrame
• ExeInfo PE
• DIE (Detect It Easy)

Question 18

What is the OEP?

Answer 18

The Original Entry Point is the field in the Optional Header that shows the RVA of the memory address for the first piece of code to be executed.