Dissecting the PE Header [Windows PE Internals]

Previous Windows PE Internals Writeups

Creating a Windows Project in Visual Studio
Getting a Handle to a Dynamically Linked Library
Validating the MZ Signature
Validating the PE Signature


This content originally appeared on DEV Community and was authored by wireless90

Previously

In the previous article, we learnt how to validate the PE Signature, also commonly referred to as the File Signature, which tells us that the file is very likely a Portable Executable (PE) file.

This signature is PE\0\0 (the letters "P" and "E" followed by two null bytes).

We have also seen how to navigate our way from the IMAGE_DOS_HEADER into the IMAGE_NT_HEADERS.

We also saw that the IMAGE_NT_HEADERS consists of three parts:

  • PE Signature
  • PE Header
  • Optional Header

We will be dissecting the PE Header in this article.

Let's Begin

Following the PE Signature, we have the PE Header.

[image]

As the PE Header is one of the subsections of the IMAGE_NT_HEADERS (its FileHeader member), we can retrieve a pointer to it directly:

PIMAGE_FILE_HEADER imageFileHeader = &imageNtHeaders->FileHeader;

Taking a deeper look into the PE Header, we have the following fields.

[image]

In Visual Studio, we can see the matching fields as well.

[image]

Let's write some code to visualise this information.

// c is the character buffer we have been appending to in the previous articles.
// WORD fields are printed as 4 hex digits, DWORD fields as 8, so every field is shown at its full width.
wsprintfA(c + strlen(c), "Number of Symbols: %u\n", imageFileHeader->NumberOfSymbols);
wsprintfA(c + strlen(c), "Pointer to Symbol Table: 0x%08X\n", imageFileHeader->PointerToSymbolTable);
wsprintfA(c + strlen(c), "Number of Sections: %hu\n", imageFileHeader->NumberOfSections);
wsprintfA(c + strlen(c), "TimeDateStamp: %u\n", imageFileHeader->TimeDateStamp);
wsprintfA(c + strlen(c), "Size of Optional Header: %hu\n", imageFileHeader->SizeOfOptionalHeader);
wsprintfA(c + strlen(c), "Machine: 0x%04X\n", imageFileHeader->Machine);
wsprintfA(c + strlen(c), "Characteristics: 0x%04X\n", imageFileHeader->Characteristics);

MessageBoxA(0, c, "PE Header", MB_OK | MB_ICONINFORMATION);

And the result is:

[image]

Number of Symbols

This is deprecated and should contain 0.

Pointer to symbol table

This is also deprecated and should contain 0.

Number of sections

This field stores the number of sections in the image. Sections will be covered in another article.

TimeDateStamp

The number of seconds that have elapsed since the epoch (midnight, 1 January 1970, UTC) up to the time the file was created.

Size of Optional Headers

This field holds the size, in bytes, of the Optional Header, which comes immediately after the PE Header. We will discuss the Optional Header in other articles.

Machine

The number that identifies the type of target machine that this executable was compiled for.

Looking into winnt.h,

#define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
// omitted
#define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)

Visual Studio always runs in a 32-bit emulator while debugging even though I am using a 64-bit machine. Thus it shows as 0x014c, which is a 32-bit executable.

Characteristics

This field is a set of flags describing the image, stored as individual bits that are OR'ed together. We can use tools like CFF Explorer to decode them.

[image]

As expected, all of these macros can be found in winnt.h.

#define IMAGE_FILE_RELOCS_STRIPPED           0x0001  // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // File is executable  (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED        0x0004  // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED       0x0008  // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM         0x0010  // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE       0x0020  // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO         0x0080  // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED            0x0200  // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   0x0400  // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP         0x0800  // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM                    0x1000  // System File.
#define IMAGE_FILE_DLL                       0x2000  // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY            0x4000  // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI         0x8000  // Bytes of machine word are reversed.
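To tie the field dump, the Machine values and the Characteristics flags together, here is an added example (it is not the article's code and not Visual Studio's output) that walks an in-memory PE image from the MZ header to the PE Header and decodes those two fields by name. It deliberately avoids windows.h so it builds with any C compiler; the struct layout and the numeric constants are copied from winnt.h, and the sample image bytes, including the TimeDateStamp value, are constructed for the example. Every offset is range-checked before it is read, which is the one thing a parser of untrusted files must get right that the Visual Studio snippet above does not need to worry about.

```c
/* Added example, not the article's code: parse IMAGE_FILE_HEADER from a byte buffer
 * without windows.h. Constants are copied from winnt.h; sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE      0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE       0x00004550  /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664

/* Same field order and widths as winnt.h's IMAGE_FILE_HEADER (20 bytes on disk). */
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FileHeader;

/* Characteristics bits and their winnt.h names (IMAGE_FILE_ prefix dropped). */
static const struct { uint16_t bit; const char *name; } kFlags[] = {
    {0x0001, "RELOCS_STRIPPED"},    {0x0002, "EXECUTABLE_IMAGE"},
    {0x0004, "LINE_NUMS_STRIPPED"}, {0x0008, "LOCAL_SYMS_STRIPPED"},
    {0x0010, "AGGRESIVE_WS_TRIM"},  {0x0020, "LARGE_ADDRESS_AWARE"},
    {0x0080, "BYTES_REVERSED_LO"},  {0x0100, "32BIT_MACHINE"},
    {0x0200, "DEBUG_STRIPPED"},     {0x0400, "REMOVABLE_RUN_FROM_SWAP"},
    {0x0800, "NET_RUN_FROM_SWAP"},  {0x1000, "SYSTEM"},
    {0x2000, "DLL"},                {0x4000, "UP_SYSTEM_ONLY"},
    {0x8000, "BYTES_REVERSED_HI"},
};

/* PE fields are little-endian on disk; read them byte-wise so host endianness
 * and struct padding never matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER. Returns 0 on success, -1 for a bad
 * MZ signature, -2 if e_lfanew points outside the buffer (or the header is cut
 * short), -3 for a bad PE signature. Nothing is read before its bounds are checked. */
int read_file_header(const uint8_t *buf, size_t len, FileHeader *out)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);             /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -2;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE) return -3;
    const uint8_t *h = buf + e_lfanew + 4;              /* IMAGE_NT_HEADERS.FileHeader */
    out->Machine              = rd16(h + 0);
    out->NumberOfSections     = rd16(h + 2);
    out->TimeDateStamp        = rd32(h + 4);
    out->PointerToSymbolTable = rd32(h + 8);
    out->NumberOfSymbols      = rd32(h + 12);
    out->SizeOfOptionalHeader = rd16(h + 16);
    out->Characteristics      = rd16(h + 18);
    return 0;
}

/* Only the two Machine values quoted in the article are named here. */
const char *machine_name(uint16_t m)
{
    switch (m) {
    case IMAGE_FILE_MACHINE_I386:  return "I386 (32-bit x86)";
    case IMAGE_FILE_MACHINE_AMD64: return "AMD64 (x64)";
    default:                       return "other/unknown";
    }
}

/* Writes the set flag names, '|'-separated, into out; returns how many bits were set. */
int describe_characteristics(uint16_t c, char *out, size_t cap)
{
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kFlags / sizeof kFlags[0]; i++) {
        if (c & kFlags[i].bit) {
            size_t used = strlen(out);
            snprintf(out + used, cap - used, "%s%s", n ? "|" : "", kFlags[i].name);
            n++;
        }
    }
    return n;
}

/* Constructed sample: a 64-byte DOS header with e_lfanew = 0x40, then "PE\0\0" and a
 * PE Header for a 32-bit x86 EXE with three sections. Returns the byte count (88). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t nt[24] = {
        'P', 'E', 0, 0,
        0x4c, 0x01,             /* Machine = IMAGE_FILE_MACHINE_I386 */
        0x03, 0x00,             /* NumberOfSections = 3 */
        0x00, 0x00, 0x83, 0x60, /* TimeDateStamp = 0x60830000 (constructed value) */
        0, 0, 0, 0,             /* PointerToSymbolTable = 0 (deprecated) */
        0, 0, 0, 0,             /* NumberOfSymbols = 0 (deprecated) */
        0xE0, 0x00,             /* SizeOfOptionalHeader = 0xE0 (typical PE32) */
        0x02, 0x01              /* Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE */
    };
    if (cap < 0x40 + sizeof nt) return 0;
    memset(buf, 0, 0x40);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                   /* e_lfanew, little-endian */
    memcpy(buf + 0x40, nt, sizeof nt);
    return 0x40 + sizeof nt;
}

int main(void)
{
    uint8_t image[128];
    FileHeader fh;
    char flags[256];
    size_t len = build_sample(image, sizeof image);
    if (read_file_header(image, len, &fh) != 0) { puts("not a PE image"); return 1; }
    describe_characteristics(fh.Characteristics, flags, sizeof flags);
    printf("Machine: 0x%04X %s\nNumber of Sections: %u\nTimeDateStamp: %u\n"
           "Size of Optional Header: 0x%X\nCharacteristics: 0x%04X (%s)\n",
           fh.Machine, machine_name(fh.Machine), (unsigned)fh.NumberOfSections,
           (unsigned)fh.TimeDateStamp, (unsigned)fh.SizeOfOptionalHeader,
           fh.Characteristics, flags);
    return 0;
}
```

The three negative return codes are the point of the bounds checks: a file that carries a valid MZ signature but an e_lfanew pointing past the end of the buffer is a common shape for corrupt or deliberately malformed input, and a parser that dereferences it without the length check reads out of bounds. Running the example on the constructed sample prints the same seven fields as the Visual Studio snippet, with the Characteristics value 0x0102 expanded to EXECUTABLE_IMAGE|32BIT_MACHINE.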

In this article, we have understood the meaning behind each field in the PE Header.


wireless90 | Sciencx (2021-04-24T05:37:00+00:00) Dissecting the PE Header [Windows PE Internals]. Retrieved from https://www.scien.cx/2021/04/24/dissecting-the-pe-header-windows-pe-internals/