Review article copied (brazenly) from fiks-ru.net
PEID 0.95
PEID- the most popular analyzer of executable files. The latest version is 0.95 from November 2008. The analysis is performed on the internal and external database of signatures, there are several levels of scanning from fast to deep, you can process entire directories. The functionality is easily extended by external plugins, the signatures are stored in a separate text file, so you can easily add your own there. A special program was written to work with the signature database. PEiDSO. Plugin developers are provided with an SDK with examples in different programming languages and a description of the API. The off-site of the program ordered the campaign to live for a long time, but in any case, it is better to download it here, because otherwise you would have to assemble the necessary set of plug-ins and signatures yourself, but here it is decently equipped.
The PEiD manual can be read
DiE 0.65 Rus
Detect it Easy (DiE), domestic development, I translated the latest version 0.65 into Russian at my leisure (if you don’t like the translation, throw the DiE.RU file out of the directory - it will be Eng). An emulator was added to version 0.65. Similar to PEiD, but the main focus is on its own heuristic analyzers, and only then on signature analysis. The program also provides some useful functions: viewing imports, sections, viewing a file in hex mode, a disassembler, viewing the main characteristics of PE, obtaining an MD5 hash and CRC-32. The functionality is extended with plugins.
Off-site program
DiE (Detect it Easy) 0.70 alpha 12
Update DiE (Detect it Easy) up to version 0.70. The program has been completely rewritten - before it was in Borland Delphi, and now in Microsoft Visual C++. In this connection, I consider its further translation into Russian inexpedient, since you can’t give a dump anymore, and it’s probably not worth it to “torment” hard-coded strings in a HEX editor. The off-site of the program is now located. You can download the new version directly from the off-site (I did not add it to the archive).
P.S. Thanks to a friend from exelab.ru for providing information about the new version.
ExeInfo PE 0.0.3.2
ExeInfo PE also very similar to PEiD, latest version 0.0.3.2 dated September 11, 2012. Built-in signatures (667 pieces). The program has an interesting feature: if the protector is defined, it gives information about which tool can be used to try to unpack it. For beginners, this information will be very useful. Also useful tools include a ripper of archives from SFX modules, search for text strings, registry calls, OEP adjustment, and others. You can download from offsite. You can also download a plug-in adapter for PEiD and DiE from the off-site, which allows you to scan files through ExeInfo PE.
PE Scan 3.31
Pe Scan by snyper, latest version 3.31, offsite has ceased to exist. With a minimum size, the program has great potential. This is a heuristic and signature analyzer of executable files, unpacker of some packers, dynamic OEP search. In addition to the above tools, Pe-Scan has a unique probabilistic analyzer for unfamiliar packers and file encrypters ("adv.scan" button). It shows in percentage terms which of the packers known to him is similar to the investigated unknown. Helps identify common UPX packers treated with various scramblers and modifiers.
Stud PE 2.6.1.0
Stud PE, latest version 2.6.1.0 dated June 2, 2012. A very good program, besides analyzing what the file is packed with, shows a lot of other useful information: sections, resources, import and export tables, DOS header. The HEX editor built into Stud_PE highlights the selected fields of the file header, which is very convenient when analyzing its structure. There is also a process manager with a built-in dumper. The functionality is extended with the help of plugins, and plugins from PEiD are suitable. A description of the API and SDK for developers is included in the package.
File Format Identifier 1.4
File Format Identifier- a very successful development of the Chinese antivirus company SUCOP, the latest version is 1.4 from 2008. The analyzer works on external signatures in the PEiD format, but the main value is the built-in static unpacker of simple packers. The unpacker works on the technology of a virtual machine, that is, no code is actually executed, which is especially important when investigating malware. Other useful tools in the program include an import reconstructor, an executable file rebuilder, an offset calculator, and an overlay extractor. If you understand Chinese, you can download it from offsite, but I recommend taking this assembly from the archive at the end of the post. Everything superfluous has been removed in it, the unpacker engine has been replaced with a commercial one with improved functions, and an external signature database has been added. File Format Identifier is recommended to always have at hand.
Protection ID 0.6.4.1
Protection ID, latest version 0.6.4.0 Not a bad program mainly used for analyzing protected CD/DVD discs. In addition, it defines about 350 packers, dongles, installers of executable files. It does not require additional files to work, but it is not possible to add your own signatures. In recent versions, the author has noticed a bad tendency to push a bunch of unnecessary junk into the utility, such as a system load indicator, a process manager, a memory optimizer and other excesses.
RDG Packer Detector v.0.7.0
RDG Packer Detector , latest version 0.7.0 dated December 27, 2012. A good idea, but a monstrous implementation, another example of what developers should NOT turn their programs into. If you understand the ugly interface, then in addition to the analyzer you will get a few more tools like OEP Detector, Cryptographic Analyzer, which didn’t work for me normally. The latest version has been added to the archive.
FastScanner v.3.0
FastScanner by AT4RE cracker team, latest version 3.0 Scanner works with signatures from PEiD, supports plugins. Beautiful interface, but the result of checking files is often erroneous. Of the useful features, there is a good PE editor - files in the form of a plugin.
Bit Detector 2.8.5.6
Bit Detector- a new development, also from the Arab cracker team Under SEH Team, the latest public version is 2.8.5.6 from June 2012. In addition to the function of determining the compiler and packer, it carries several useful and not very useful tools on board.
MiTeC EXE Explorer
MiTeC EXE Explorer- a small free viewer of the structure of executable files. Shows information from the file header, import and export table, TLS, file version, Delphi forms, resource tree with the ability to view pictures and dialogs in a convenient form and save them to disk, and there is also a convenient search function for text strings in the file.
The Ultimate Hellspawn's EXE Analyzer 0.6
The Ultimate Hellspawn's EXE Analyzer- DiE analyzer prototype. It will be more useful for a collection than for practical use, because it is very outdated. Shows the main characteristics of an EXE file, heuristically detects some packers and protectors.
file insPector XL
file insPector XL from ViPER - an old analyzer from 2001, has not been updated since then. Heuristically detects packers and compilers of executable files, shows basic data from PE header, section, import and export table. In addition to the analyzer, it includes several useful tools, for example, adding an empty section to a file or new functions to import, an RVA to Offset calculator, changing the date and time of a file, OEP redirection, a process manager, and others. Supports plugins and multilingual interface. It is useful not only for collection, but also for practical use.
SCANIT 1.85
SCANiT- file analyzer from the cracker team tPORT. The functionality is small, it scans the file using signatures from PE Tools, it supports plug-ins of some incomprehensible format.
PE Pirate 0.51
PE Pirate from kosfiz - a detector of protectors, compilers, packers that can pack PE files. Written in assembler, can scan directories, read file entropy. Often mistaken, despite assurances of 95-99% hit accuracy.
GAPE 1.01
gAPE- analyzer from the cracker team TLG. Supports signatures from PE Tools and plugins from PEiD. Of the tools, there is a working entropy calculator and a curve displacement calculator in the file. Useful for collection.
PeStudio 7.95
I have long wanted to write about the program PeStudio, but all hands did not reach. Off-site of the program has moved ==> HERE<== версии там последнее время идут одна за одной, просто обновлять не успеваю - уже 7.95 натикало. Было немного времени, глянул у проги ресурсы на предмет локализации. В самом исполняемом файле можно разве что менюшку перекинуть, да и то смысла почти нет - на русском всего несколько слов появится (значит кириллицу до сих пор поддерживает), а вот все остальное у ней походу большей частью в файле PeStudioIndicators.xml lies, and when I try to change them to Russian, I generally have all the values, for example, immediately disappeared even without kryakozyabry. Of course, you can still be smarter - like changing the encoding from the notorious utf-8 to hard windows-1251 and resaving the document from unicode to ANSI (you can use an ordinary Windows notepad), but alas, there is no time for experiments, and there will be little sense from them - the versions are now jumping one by one. In short, anyone who is interested can try, but English does not interfere with me in this program either - and so everything seems to be visible.
InspectExe
InspectExe adds additional tabs to the properties window of executable files to view sections, import table, resources, manifest and other data.
DNiD 1.0
DNiD- a program similar to PEiD, but focused on .NET applications. Allows you to define dozens of different versions of compilers, protectors, packers and obfuscators of .NET programs.
A-Ray Scanner 2.0.2.2
A-Ray Scanner, the project has not been updated for a long time, the latest version is 2.0.2.2 from 2005. The program is intended only for scanning CD/DVDs and defines several dozens of disc copy protections. Also defines some packers and protectors for executable files.
ClonyXXL 2.0.1.5
Clony XXL- a utility that determines the type of CD protection. Like the previous program, it has not been updated for a long time, the latest version is 2.0.1.5 from 2003. Defines protections: SafeDisc, SecuROM, Discguard, LaserLok, Psx/Lybcrypt, Cactus Data Shield (Audio CDs), Lock Blocks, CD Check, ProtectetCD-VOB, CD-Extra and protection based on non-standard placement of information on the disk. By default, the interface is in German, but in the settings it switches to English.
PE File Summary
PE files are associated with three file type(s) and can be viewed using Microsoft Windows developed Microsoft Corporation. In general, this format is associated with three existing application(s) software(s). They usually have the format Portable Executable File. These files are classified into Executable Files, Plugin Files and Data Files. Most of the files are Executable Files.
The PE file extension can be viewed using Windows. They are supported primarily on desktops and some mobile platforms. The popularity rating of PE files is "Low", which means that these files are rare.
If you'd like to learn more about PE files and the software that opens them, see the additional details below. Alternatively, you can also learn how to perform simple troubleshooting for problems opening PE files.
Popularity of File Types
File Rank
Activity
This file type is still relevant and is actively used by developers and application software. Although the original software of this file type may be overshadowed by a newer version (eg Excel 97 vs Office 365), this file type is still actively supported by the current version of the software. This process of interacting with an old operating system or an outdated version of software is also known as " backward compatibility».
File status
Page Last updated
PE File Types
PE Master File Association
The executable program, which is portable to all Microsoft 32-bit operating systems, can be executed on any version of Windows NT, Windows 95 and Win32s.
Associations of other PE files
Plugin associated with Privacy Eraser, an Internet Eraser that protects Internet privacy by cleaning all traces of Internet and computer activity.
The data file is saved in a text format stores planetary ephemeris data for the System Tool Set (STK), based on physics engine geometry, developed by analytical graphics.
Try Universal File Viewer
In addition to the products listed above, we suggest you try the universal file viewer like FileViewPro. This tool can open over 200 different types of files, providing editing functionality for most of them.
License | | Terms |
Troubleshooting Opening PE Files
General problems opening PE files
Microsoft Windows not installed
By double-clicking on a PE file, you can see a system dialog that says "Can't open this type of file". In this case, this is usually due to the fact that Your computer does not have Microsoft Windows installed for %%os%%. Since your operating system doesn't know what to do with this file, you won't be able to open it by double-clicking on it.
Advice: If you know of another program that can open a PE file, you can try opening the given file by selecting that application from the list of possible programs.
Wrong version of Microsoft Windows installed
In some cases, you may have a newer (or older) version of the Portable Executable File, not supported by the installed version of the application. If the correct version of the Microsoft Windows software (or any of the other programs listed above) is not available, you may need to download a different version of the software or one of the other software applications listed above. This problem most often occurs when working in an older version of the application software With a file created in a newer version, which the old version cannot recognize.
Advice: Sometimes you can get a general idea of the version of a PE file by right-clicking on the file and then choosing Properties (Windows) or Get Info (Mac OSX).
Summary: In any case, most of the problems that arise during the opening of PE files are due to the lack of the correct application software installed on your computer.
Install optional products - FileViewPro (Solvusoft) | License | Privacy policy | Terms |
Other Causes of Problems Opening PE Files
Even if you already have Microsoft Windows or other PE-related software installed on your computer, you may still encounter problems while opening Portable Executable Files. If you still have problems opening PE files, the reason may be related to other problems preventing these files from being opened. Such problems include (listed in order from most to least common):
- Invalid links to PE files in the Windows registry ("phone book" of the Windows operating system)
- Accidental deletion of description PE file in the Windows registry
- Incomplete or incorrect installation application software associated with the PE format
- File corruption PE (problems with the Portable Executable File itself)
- PE infection malware
- Damaged or outdated device drivers hardware associated with a PE file
- Lack of sufficient system resources on the computer to open the Portable Executable File format
Poll: How often do you encounter a file extension that you don't recognize?
Top Mobile Device Brands
| Samsung | (28.86%) | |
| Apple | (21.83%) | |
| Huawei | (9.25%) | |
| Xiaomi | (6.74%) | |
| LG | (3.11%) |
Event of the day
Photographers have a long list of file formats to choose from, but when they want a huge amount of image information to be included in their RAW photos is the go-to choice.
How to fix problems opening PE files
If your computer has antivirus program Can scan all files on the computer, as well as each file individually. You can scan any file by right-clicking on the file and selecting the appropriate option to scan the file for viruses.
For example, in this figure, file my-file.pe, then you need to right-click on this file, and in the file menu select the option "scan with AVG". Selecting this option will open AVG Antivirus and scan the file for viruses.
Sometimes an error can result from incorrect software installation, which may be due to a problem that occurred during the installation process. It may interfere with your operating system associate your PE file with the correct software application, influencing the so-called "file extension associations".
Sometimes simple reinstalling Microsoft Windows may solve your problem by properly linking PE to Microsoft Windows. In other cases, file association problems may result from bad software programming developer, and you may need to contact the developer for further assistance.
Advice: Try updating Microsoft Windows to the latest version to make sure you have the latest fixes and updates.
This may seem too obvious, but often the PE file itself may be causing the problem. If you received a file via an email attachment or downloaded it from a website and the download process was interrupted (for example, by a power outage or other reason), the file may be corrupted. If possible, try getting a fresh copy of the PE file and try opening it again.
Carefully: A corrupted file can cause collateral damage to previous or pre-existing malware on your PC, so it's important to keep your computer up to date with an up-to-date antivirus.
If your PE file associated with the hardware on your computer to open the file you may need update device drivers associated with this equipment.
This problem usually associated with media file types, which depend on the successful opening of the hardware inside the computer, for example, sound card or video card. For example, if you are trying to open an audio file but cannot open it, you may need to update sound card drivers.
Advice: If when you try to open a PE file you get .SYS file related error message, the problem could probably be associated with corrupted or outdated device drivers that need to be updated. This process can be facilitated by using driver update software such as DriverDoc.
If the steps didn't solve the problem and you are still having problems opening PE files, this may be due to lack of available system resources. Some versions of PE files may require a significant amount of resources (eg. memory/RAM, processing power) to open properly on your computer. This problem is quite common if you are using fairly old computer hardware and a much newer operating system at the same time.
This problem can occur when the computer is having a hard time completing a task because the operating system (and other services running in the background) can consume too many resources to open PE file. Try closing all applications on your PC before opening Portable Executable File. By freeing up all available resources on your computer, you will ensure the best possible conditions for trying to open the PE file.
If you completed all the above steps and your PE file still won't open, you may need to run hardware upgrade. In most cases, even with older hardware versions, the processing power can still be more than enough for most user applications (unless you're doing a lot of CPU-intensive work like 3D rendering, financial/science modeling, or intense media work) . Thus, it is likely that your computer does not have enough memory(more commonly referred to as "RAM", or RAM) to perform the task of opening a file.
Try to upgrade your memory to see if that helps open the PE file. Today, memory upgrades are quite affordable and very easy to install, even for the average computer user. As a bonus, you you will probably see a nice performance boost while your computer is performing other tasks.
Install optional products - FileViewPro (Solvusoft) | License | Privacy policy | Terms |
Typedef struct _IMAGE_FILE_HEADER ( WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; ) IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
I will only dryly describe these fields, because. the names are intuitive and represent direct meanings, not VA, RVA, RAW and other scary intriguing things that we have only heard about from the old pirates. Although we have already encountered RAW, these are just offsets relative to the beginning of the file (they are also called raw pointers or file offset). That is, if we have a RAW address, this means that we need to step from the beginning of the file to RAW positions ( ptrFile+RAW). After that, you can start reading the values. A prime example of this type is e_lfnew- which we covered above in the Dos heading.
*machine: WORD is a number (2 bytes) that specifies the processor architecture on which this application can run.
NumberOfSections: DWORD - number of sections in the file. Sections (hereinafter referred to as the section table) follow immediately after the header (PE-Header). The documentation says that the number of sections is limited to 96.
TimeDateStamp: WORD - a number that contains the date and time the file was created.
PointerToSymbolTable: DWORD is the offset (RAW) to the symbol table, and SizeOfOptionalHeader is the size of this table. This table is intended to serve as a debugging information storage, but the detachment did not notice the loss of a fighter from the very beginning of the service. Most often, this field is cleared with zeros.
SizeOfOptionHeader: WORD - the size of the optional header (which follows the current one) The documentation states that for an object file it is set to 0…
*Characteristics: WORD - file characteristics.
* - fields that are defined by a range of values. Tables of possible values \u200b\u200bare presented in the description of the structure at the office. site and will not be given here, because. they do not carry anything particularly important for understanding the format.
Let's leave this island! We need to move on. The landmark is a country called Optional-Header.
“Where's the map, Billy? I need a map."
(Treasure Island)
Optional-Header(IMAGE_OPTIONAL_HEADER)
The name of this mainland title is not very successful. This header is mandatory and has 2 formats PE32 and PE32+ (IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64 respectively). The format is stored in the field Magic: WORD. The header contains the necessary information to download the file. As always :
IMAGE_OPTIONAL_HEADER
typedef struct _IMAGE_OPTIONAL_HEADER ( WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment;WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory; ) IMAGE_OPTIONAL_HEADE R , *PIMAGE_OPTIONAL_HEADER;
* As always, we'll only cover the main fields that have the most impact on the idea of uploading and how to move forward with the file. Let's agree that the fields of this structure contain values with VA (Virtual address) and RVA (Relative virtual address) addresses. These are already addresses not like RAW, and they need to be able to read (more precisely, count). We will certainly learn how to do this, but only to begin with, we will analyze the structures that follow each other so as not to get confused. For now, just remember - these are addresses that, after calculations, point to a specific place in the file. There will also be a new concept - alignment. We will consider it together with RVA addresses, because these are quite closely related.
AddressOfEntryPoint: DWORD - RVA entry point address. Can point to any point in the address space. For .exe files, the entry point corresponds to the address from which the program starts to run and cannot be zero!
BaseOfCode: DWORD - RVA of the beginning of the program code (code section).
BaseOfData: DWORD - RVA of the beginning of the program code (data section).
imagebase: DWORD - Preferred program load base address. Must be a multiple of 64kb. In most cases it is 0x00400000.
Section Alignment: DWORD - size of alignment (bytes) of the section when unloading into virtual memory.
FileAlignment: DWORD - alignment size (bytes) of a section within a file.
SizeOfImage: DWORD - file size (in bytes) in memory, including all headers. Must be a multiple of SectionAligment.
SizeOfHeaders: DWORD - size of all headers (DOS, DOS-Stub, PE, Section) aligned to FileAligment.
NumberOfRvaAndSizes: DWORD - the number of directories in the directory table (below the table itself). Currently, this field is always equal to the symbolic constant IMAGE_NUMBEROF_DIRECTORY_ENTRIES, which is equal to 16.
DataDirectory: IMAGE_DATA_DIRECTORY - data directory. Simply put, this is an array (size 16), each element of which contains a structure of 2 DWORD values.
Consider what the IMAGE_DATA_DIRECTORY structure is like:
Typedef struct _IMAGE_DATA_DIRECTORY ( DWORD VirtualAddress; DWORD Size; ) IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
What we have? We have an array of 16 elements, each element of which contains the address and size (what? how? why? all in a minute). The question arises of what exactly these characteristics are. For this, microsoft has special constants to match. They can be seen at the very end of the description of the structure. For now:
// Directory Entries #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
Aha! We see that each element of the array is responsible for the table attached to it. But alas and ah, while these shores are inaccessible to us, because. we do not know how to work with VA and RVA addresses. And in order to learn, we need to learn what sections are. It is they who will talk about their structure and work, after which it will become clear why VA, RVA and alignments are needed. In this article, we will only touch on exports and imports. The purpose of the remaining fields can be found in the office. documentation or books. So. Actually fields:
virtual address: DWORD - RVA for the table that the array element corresponds to.
size: DWORD - table size in bytes.
So! To get to such exotic shores as tables of imports, exports, resources and others, we need to complete a quest with sections. Well, cabin boy, let's take a look at the general map, determine where we are now and move on:
And we are not directly in front of the wide expanses of sections. We need to find out by all means what they are hiding and finally deal with another type of addressing. We want real adventure! We want to quickly go to such republics as import and export tables. Old pirates say that not everyone was able to get to them, and those who got back came back with gold and women with sacred knowledge about the ocean. We set sail and keep our way to the Section header.
“- You are deposed, Silver! Get off the barrel!”
(Treasure Island)
Section-header (IMAGE_SECTION_HEADER)
Right behind the array DataDirectory sections follow each other. The section table is a sovereign state, which is divided into NumberOfSections cities. Each city has its own craft, its own rights, as well as a size of 0x28 bytes. The number of sections is indicated in the field NumberOfSections, which is stored in File-header. So let's look at the structure:
Typedef struct _IMAGE_SECTION_HEADER ( BYTE Name; union ( DWORD PhysicalAddress; DWORD VirtualSize; ) Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; ) IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Name: BYTE - section name. It is currently 8 characters long.
VirtualSize: DWORD - section size in virtual memory.
SizeOfRawData: DWORD - section size in the file.
virtual address: DWORD - RVA section address.
SizeOfRawData: DWORD - section size in the file. Must be a multiple FileAlignment.
PointerToRawData: DWORD - RAW offset to the beginning of the section. Must also be a multiple FileAlignment…
Characteristics: DWORD - section access attributes and rules for loading it into Wirth. memory. For example, an attribute to define the contents of a section (initial data, non-initial data, code). Or access attributes - reading, writing, execution. This is not the whole spectrum. Characteristics are set by constants from the same WINNT.h, which begin with IMAGE_SCN_. You can get acquainted with the attributes of sections in more detail. The attributes are also well described in the books of Chris Kaspersky - references at the end of the article.
Regarding the name, the following should be remembered - the section with resources should always have the name .rsrc. Otherwise, the resources will not be loaded. As for the rest of the sections, the name can be anything. Usually there are meaningful names, such as .data, .src, etc... But it also happens:
Sections are an area that is unloaded into virtual memory and all work is done directly with this data. An address in virtual memory, without any offsets, is called a Virtual address, VA for short. Preferred address for downloading the application, set in the field imagebase. It's like the point at which the application area starts in virtual memory. And relative to this point offsets RVA (Relative virtual address) are counted. That is, VA = imagebase+ RVA; imagebase we always know and having at our disposal VA or RVA, we can express one through the other.
Looks like they got used to it. But it's virtual memory! And we are in the physical. Virtual memory for us now is like a journey to other galaxies, which we can only imagine so far. So we cannot get into virtual memory at the moment, but we can find out what will be there, because it is taken from our file.
alignment
In order to correctly represent the unloading in Wirth. memory, it is necessary to deal with such a mechanism as alignment. First, let's take a look at the diagram of how sections are swapped out into memory.
As you can see, the section is unloaded into memory not according to its size. Alignments are used here. This is the value that must be a multiple of the section size in memory. If we look at the diagram, we will see that the section size is 0x28, and it is unloaded in the size of 0x50. This is due to the size of the alignment. 0x28 “does not reach” 0x50 and as a result, the section will be unloaded, and the rest of the space in the amount of 0x50-0x28 will be nullified. And if the section size were larger than the alignment size, then what? For example sectionSize= 0x78, and sectionAlignment= 0x50, i.e. remained unchanged. In this case, the section would occupy 0xA0 (0xA0 = 0x28 * 0x04) bytes in memory. That is, a value that is a multiple sectionAlignment and completely covers sectionSize. It should be noted that the sections in the file are aligned in the same way, only by the size FileAlignment. Having received the necessary base, we can figure out how to convert from RVA to RAW.
“Here you don’t have a plain, here the climate is different.”
(V.S. Vysotsky)
A little lesson in arithmetic
Before execution begins, some part of the program must be sent to the processor's address space. The address space is the amount of RAM physically addressed by the processor. The "piece" in the address space where the program is unloaded is called a virtual image. The image is characterized by the base load address (Image base) and size (Image size). So VA (Virtual address) is the address relative to the beginning of virtual memory, and RVA (Relative Virtual Address) is relative to the place where the program was unloaded. How can I find out the base download address of an app? There is a separate field for this in the optional header called imagebase. It was a little prelude to refresh my memory. Now consider a schematic representation of different addressing:
So how can you still read information from a file without unloading it into virtual memory? To do this, you need to convert the addresses to RAW format. Then we can step inside the file to the area we need and read the necessary data. Since RVA is the virtual memory address that was mapped from the file, we can reverse the process. For this we need the key nine by sixteen simple arithmetic. Here are some formulas:
VA = ImageBase + RVA; RAW = RVA - sectionRVA + rawSection; // rawSection - offset to the section from the beginning of the file // sectionRVA - section RVA (this field is stored inside the section)
As you can see, in order to calculate RAW, we need to determine the section that RVA belongs to. To do this, you need to go through all the sections and check the following condition:
RVA >= sectionVitualAddress && RVA< ALIGN_UP(sectionVirtualSize, sectionAligment)
// sectionAligment - выравнивание для секции. Значение можно узнать в Optional-header.
// sectionVitualAddress - RVA секции - хранится непосредственно в секции
// ALIGN_UP() - функция, определяющая сколько занимает секция в памяти, учитывая выравнивание
Putting all the puzzles together, we get the following listing:
Typedef uint32_t DWORD; typedef uint16_t WORD; typedef uint8_t BYTE; #define ALIGN_DOWN(x, align) (x & ~(align-1)) #define ALIGN_UP(x, align) ((x & (align-1))?ALIGN_DOWN(x,align)+align:x) // IMAGE_SECTION_HEADER sections; // init array sections int defSection(DWORD rva) ( for (int i = 0; i< numberOfSection; ++i)
{
DWORD start = sections[i].VirtualAddress;
DWORD end = start + ALIGN_UP(sections[i].VirtualSize, sectionAligment);
if(rva >= start && rva< end)
return i;
}
return -1;
}
DWORD rvaToOff(DWORD rva)
{
int indexSection = defSection(rva);
if(indexSection != -1)
return rva - sections.VirtualAddress + sections.PointerToRawData;
else
return 0;
}
*I did not include a type declaration and array initialization in the code, but only provided functions that will help in calculating addresses. As you can see, the code is not very complicated. Is that a little confusing. It goes away... if you spend a little more time tinkering with the .exe through the disassembler.
HOORAY! Understood. Now we can go to the edge of resources, import and export libraries, and generally wherever our heart desires. We've just learned how to work with a new type of addressing. Let's hit the road!
"-Not bad, not bad! Still, they got their rations for today!”
(Treasure Island)
export table
At the very first element of the array DataDirectory RVA is stored on the export table, which is represented by the IMAGE_EXPORT_DIRECTORY structure. This table is specific to dynamic library (.dll) files. The main purpose of the table is to link the exported functions with their RVA. The description is presented in specifications :
Typedef struct _IMAGE_EXPORT_DIRECTORY ( DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; DWORD AddressOfNames; DWORD AddressOfNameOrdinals; ) IMAGE_EXPORT_DIREC TORY,*PIMAGE_EXPORT_DIRECTORY;
This structure contains three pointers to three different tables. This is a table of names (functions) ( AddressOfNames), ordinals( AddressOfNamesOrdinals), addresses( AddressOfFunctions). The Name field stores the RVA of the dynamic library name. An ordinal is like an intermediary between the table of names and the table of addresses, and is an array of indices (the index size is 2 bytes). For more clarity, consider the diagram:
Consider an example. Let's say the i-th element of the array of names indicates the name of the function. Then the address of this function can be obtained by referring to the i-th element in the array of addresses. Those. i is an ordinal.
Attention! If you took for example the 2nd element in the table of ordinals, this does not mean 2 - this is an ordinal for tables of names and addresses. The index is the value stored in the second element of the ordinal array.
Number of values in name tables ( NumberOfNames) and ordinals are equal and do not always match the number of elements in the address table ( NumberOfFunctions).
“They came for me. Thank you for your attention. Now they must be killing!”
(Treasure Island)
import table
The import table is an integral part of any application that uses dynamic libraries. This table helps to correlate dynamic library function calls with corresponding addresses. Import can occur in three different modes: standard, binding (bound import) and delayed (delay import). Because the topic of import is quite multifaceted and pulls for a separate article, I will describe only the standard mechanism, and the rest I will describe only as a “skeleton”.
Standard Import- V DataDirectory the import table is stored under the index IMAGE_DIRECTORY_ENTRY_IMPORT(=1). It is an array of elements of the IMAGE_IMPORT_DESCRIPTOR type. The import table stores (in an array) the names of functions/ordinals and where the loader should write the effective address of this function. This mechanism is not very efficient, because frankly, it all comes down to iterating through the entire export table for each necessary function.
Bound import- with this scheme of work, -1 is entered in the fields (in the first element of the standard import table) TimeDateStamp and ForwardChain and information about the link is stored in the cell DataDirectory with index IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT(=11). That is, this is a kind of flag to the loader that it needs to use bound import. Also for the "chain of bound imports" their structures appear. The algorithm of work is as follows - the necessary library is unloaded into the virtual memory of the application and all the necessary addresses are “binded” at the compilation stage. Of the shortcomings, it can be noted that when recompiling a dll, you will need to recompile the application itself, because. function addresses will be changed.
Delay import- with this method, it is assumed that the .dll file is attached to the executable, but it is not unloaded into memory immediately (as in the previous two methods), but only when the application accesses the symbol for the first time (the so-called unloaded elements from dynamic libraries). That is, the program is executed in memory, and as soon as the process has reached the function call from the dynamic library, a special handler is called, which loads the dll and spreads the effective addresses of its functions. For lazy imports, the loader refers to the DataDirectory (item number 15).
Having covered the import methods a bit, let's go directly to the import table.
"It's a sailor! His clothes were marine. - Yah? Did you think to find a bishop here?”
(Treasure Island - John Silver)
Import descriptor (IMAGE_IMPORT_DESCRIPTOR)
In order to find out the coordinates of the import table, we need to refer to the array DataDirectory. Namely, to the element IMAGE_DIRECTORY_ENTRY_IMPORT (=1). And read the RVA address of the table. Here is a general outline of the path that needs to be done:
Then we get RAW from RVA, in accordance with the formulas given above, and then “step” through the file. We are now right in front of an array of structures called IMAGE_IMPORT_DESCRIPTOR. The sign of the end of the array is the “null” structure.
Typedef struct _IMAGE_IMPORT_DESCRIPTOR ( union ( DWORD Characteristics; DWORD OriginalFirstThunk; ) DUMMYUNIONNAME; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; ) IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
I couldn't get a link to the structure description on msdn, but you can see it in the WINNT.h file. Let's start to figure it out.
Original First Thunk: DWORD - RVA of import name table (INT).
TimeDateStamp: DWORD - date and time.
ForwarderChain: DWORD - index of first forwarded character.
Name: DWORD - RVA string with library name.
FirstThunk: DWORD - RVA of the Import Address Table (IAT).
Everything here is somewhat similar to export. Also a table of names (INT) and also a rag on it addresses (IAT). Also named RVA library. Only here INT and IAT refer to an array of IMAGE_THUNK_DATA structures. It is presented in two forms - for the 64th and for the 32nd systems and differ only in the size of the fields. Consider x86 as an example:
Typedef struct _IMAGE_THUNK_DATA32 ( union ( DWORD ForwarderString; DWORD Function; DWORD Ordinal; DWORD AddressOfData; ) u1; ) IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
It is important to answer that further actions depend on the high bit of the structure. If it is set, then the remaining bits are the number of the symbol being imported (import by number). Otherwise (high bit cleared), the remaining bits specify the RVA of the imported symbol (import by name). If we have an import by name, then the pointer stores the address to the following structure:
Typedef struct _IMAGE_IMPORT_BY_NAME ( WORD Hint; BYTE Name; ) IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
Here Hint is the function number, and Name- Name.
What is it all for? All these arrays, structures ... For clarity, let's consider a wonderful scheme with
Portable Executable (PE) is an executable file format that has been around for a long time and is still used on all versions of Windows. This includes files with the format *.exe, *.dll and others, and such files contain all the information about the program. But any program can contain a virus, and before installation it is desirable to know what is stored behind a file with this format. This can be found using PE Explorer.
PE Explorer is a program that is designed to view and modify everything contained in PE files. This program was created and very often used to detect viruses, but its useful functions are not limited to this. For example, it can be used to remove debug information or translate any program into Russian.
While the program is being compressed, it is usually encrypted so that the user or anyone else cannot see everything that happens behind the scenes. But PE Explorer does not stop this, because thanks to a specially written algorithm, it can decrypt these files and show all the contents.
Browsing titles
As soon as you open the PE file, the program will open the header viewer. Here you can see a lot of interesting things, but nothing can be changed, and it is not necessary.
Data directories
Data Directories (data directories) is an important part of any executable file, because it is in this array that information about structures is stored (their size, pointer to the beginning, etc.). Copies of files should be changed, otherwise it can lead to irreversible consequences.
Section headings
All important application code is stored in PE Explorer in different sections for greater order. Since this section contains all the data, they can be changed by changing their location. If some data should not be changed, the program will notify you about it.
Resource editor
As you know, resources are an integral part of the program (icons, forms, inscriptions). But with the help of PE Explorer they can be changed. Thus, you can replace the application icon or translate the program into Russian. Here you can also save resources to your computer.
Disassembler
This tool is necessary for express analysis of executable files, moreover, it is made in a more simplified, but no less functional format.
Import table
Thanks to this section in the program, you can find out if the application being checked is harmful to your computer. This section contains all the functions that are contained in the program.
Dependency Scanner
Another advantage of the program in the fight against viruses. Here you can see the dependency with dynamic libraries, thereby recognizing whether this application poses a threat to your computer or not.
Program Benefits
- Intuitive
- Ability to change resources
- Allows you to find out about viruses in the program even before running the code
Flaws
- Lack of Russification
- Paid (free version only available for 30 days)
PE Explorer is an excellent tool that will allow you to protect your computer from viruses. Of course, it can be used in another direction, by adding dangerous code to a completely harmless program, but this is not recommended. In addition, due to the ability to change resources, you can add advertising or translate the program into Russian.
SDL Passolo 2015 is the most powerful utility for translating programs into various languages of the world. Understands many formats, distinguishes the type of language. A template resource editor with advanced features designed for software localization. SDL Passolo 2015 has a visual dialog editor with a range of convenient formatting tools, supports working with almost any resource, has a lot of fine-tuning, a batch processing option, and a built-in spell checker. SDL Passolo 2015 can help a translator save a lot of effort and time in software localization. This is due to the fact that the program provides the function of automatic translation and checking the translated text for most common errors. The automatic translation function is carried out in the presence of certain dictionaries, of which there are many on the Internet, including those from Microsoft. If you are not satisfied with ready-made dictionaries, then you can create them yourself. It is enough to translate some program once and export the translation list to a dictionary. And in the future, this dictionary can be connected when translating new versions of programs. SDL Passolo 2015 has a very advanced visual correction of dialog boxes in translatable programs. Suffice it to say that it is not much inferior to form editing in Microsoft Visual Studio.Net. If you say that Resource Hacker has good dialogue adjustments, then you haven't seen Passolo. The list of Passolo advantages is not limited to this. Add. Information: New features: * Terminology is now also provided from the Passolo translation lists. * Services for pre-translation, searches for loose translations, matches and terminology can now easily be selected in the options dialog. * Searching for translations with quick indexes in projects and glossaries makes the search process much faster. * New modern user interface that allows arbitrary docking of output windows. New Auto-hide setting for output windows. * Keyboard shortcuts can be changed in the toolbar customization dialog. * Search for non-strict translations now marks the differences of non-strict matches in the searched text with colored texts. * When an entry is selected, terminologies are selected from the context menu of the source text, popping up with additional information regarding the displayed terminology element. * Files can be dragged and dropped into the project window to add them as a source file or import information from them. * The history of all changes in the text is provided with the date and username. Previous versions of data can be restored using the Rollback feature. * Entries in the project window can now be filtered and grouped. * Entries in the project window can be filtered as lists of strings.
