Revealing Internals of Executable File Format - The University of ...

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

CS 6V81-05: System Security and Malicious Code Analysis

Revealing Internals of Executable File Format

Zhiqiang Lin Department of Computer Science University of Texas at Dallas March 19th , 2012

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Outline

1

Background

2

ELF (Executable and Linkable Format)

3

PE (Portable Executable)

4

Summary

Summary

Outline

1

Background

2

ELF (Executable and Linkable Format)

3

PE (Portable Executable)

4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Why learning the executable file format Machine essentially run binary code. Good people Reverse Engineering Malicious Code Analysis File patching File Carving Bad people Reverse Engineering Developing Exploits Developing virus Secret stealing

Summary

Outline

1

Background

2

ELF (Executable and Linkable Format)

3

PE (Portable Executable)

4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

ELF: Executable and Linkable Format The a.out format served the Unix community well for over 10 years. However, to better support cross-compilation, dynamic linking, initializer/finalizer and so on, a.out has been replaced by the ELF file format. ELF Standard binary format for object files Derived from AT&T System V Unix, now supported by UNIX/Linux One unified format for relocatable object files (.o) executable object files shared object files (.so)

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

ELF File Types ELF defines the format of executable binary files. There are three different types: Relocatable Created by compilers or assemblers. Need to be processed by the linker before running. Executable Have all relocation done and all symbol resolved except perhaps shared library symbols that must be resolved at run time. Shared object Shared library containing both symbol information for the linker and directly runnable code for run time

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

ELF Structure

ELF files have a dual nature: Compilers, assemblers, and linkers treat the file as a set of logical sections described by a section header table The system loader treats the file as a set of segments described by a program header table.

Summary

Background

ELF (Executable and Linkable Format)

Elf Structure

PE (Portable Executable)

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

ELF object file format Elf header

ELF object file format

magic number, type (.o, exec, .so), machine, byte •ordering, Elf headeretc. magic number, Program–header table type (.o, exec, .so), machine, byte ordering, etc. size,header virtualtable addresses for memory •page Program segments (sections), segment sizes. – page size, virtual addresses for memory segments .text section(sections), segment sizes. •code .text section – code .data section • .data section initialized (static) datadata – initialized (static) • .bss section .bss section – uninitialized (static) data uninitialized (static) data – “Block Started by Symbol” “Block Started by Symbol” “Better SaveSave Space” – “Better Space” – section has section header occupiesnonospace space has header butbut occupies

ELF header Program header table (required for executables) .text section .data section .bss section .symtab .rel.txt .rel.data .debug Section header table (required for relocatables)

0

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

ELF object file format .symtab section

ELF object file format

symbol table •procedure Elf header and static variable names – magic number, type (.o, exec, .so), machine, byte section names ordering, etc. .rel.text section • Program header table relocation infovirtual for .text section for memory segments – page size, addresses addresses of instructions that will need to be (sections), segment sizes. in the executable •modified .text section instructions – code for modifying. • .data section .rel.data section – initialized data relocation info(static) for .data section • .bss section addresses of pointer data that will need to be – uninitialized (static) data modified in the merged executable – “Block Started by Symbol” .debug section – “Better Save Space” hassymbolic section header but occupies info– for debugging (gcc -g)no space

ELF header Program header table (required for executables) .text section .data section .bss section .symtab .rel.txt .rel.data .debug Section header table (required for relocatables)

0

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

An example 00000000 00000010 00000020 00000030 00000040 00000050 00000060

7f 02 78 1c 34 04 34

45 00 64 00 80 00 81

4c 03 01 1b 04 00 04

46 00 00 00 08 00 08

01 01 00 06 00 03 13

00000130 00000140 00000150 00000160

04 78 01 06

00 2e 00 00

00 73 00 00

00 6f 00 00

2f 2e 47 08

000014b0 000014c0

ff 35 08 e1 05 ff 25 10 e1 05

00001a70 00001a80

ff 25 7c e2 05 31 ed 5e 89 e1

00016390 000163a0

6c 73 00 00 52 61 62 00 2e 69

00016470 00016480

75 67 6c 69 6e 00 00 00 00 00

000164a0 000164b0

0b 00 00 00 01 34 01 00 00 13

000168c0 000168d0

98 63 01 00 df 01 00 00 00 00

[Nr] Name [ 0] [ 1] .interp [ 2] .note.ABI-tag [12] [13] [14] [15]

.plt .text .fini .rodata

[27] .shstrtab

01 00 00 00 01 00 00

01 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 6c 69 62 32 00 00 4e 55 00 00 00 00 ... 08 ff 25 08 68 00 ... 08 68 d8 83 e4 f0 ... a8 bd 5a 6e 74 65 ... 6b 00 00 00 00 00 ... 00 00 00 00 00 00 ... 00 00 00 00 00 00

00 80 34 34 00 34 13

00 9a 00 00 01 01 00

00 04 20 00 00 00 00

00 08 00 00 00 00 00

00 34 08 34 05 34 04

00 00 00 80 00 81 00

00 00 28 04 00 04 00

00 00 00 08 00 08 00

2f 04 00 61

6c 00 00 00

64 00 00 00

2d 00 00 00

6c 10 02 68

69 00 00 00

6e 00 00 00

75 00 00 00

0c e1 05 08 00 00 00 00 00 00 00 e9 e0 ff ff ff 02 00 00 e9 30 fa ff ff 50 54 52 68 60 9e 05 08 00 2e 73 68 73 74 72 74 72 70 00 2e 6e 6f 74 65

ELF Header

Program Header

sec[1].interp sec[2].note.ABI-tag ...

sec[12].plt sec[13].text ... sec[27].shstrtab

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 34 81 04 08 00 00 00 00 00 00 00 00

Section Header

00 00 00 00 00 00 00 00

Section Headers: Type Addr Off NULL 00000000 000000 PROGBITS 08048134 000134 NOTE 08048148 000148 ... PROGBITS 080494b0 0014b0 PROGBITS 08049a80 001a80 PROGBITS 08059f3c 011f3c PROGBITS 08059f60 011f60 ... STRTAB 00000000 016398

Size 000000 000013 000020

ES Flg Lk Inf Al 00 0 0 0 00 A 0 0 1 00 A 0 0 4

0005d0 0104bc 00001c 003e4c

04 00 00 00

0000df 00

AX AX AX A

0 0 0 0

0 4 0 16 0 4 0 32

0

0

1

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

ELF Header

The Elf header is always at offset zero of the file. The offset of program header table (PHT) and the section header table (SHT) in the file are defined in the ELF header. Any positions for PHT and SHT will be ok. The header is decodable even on machines with a different byte order from the file’s target architecture. After reading class and byte order fields, the rest fields in the elf header can be decoded. The elf format can support two different address sizes: 32 bits 64 bits

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

ELF-header

typedef struct elf32_hdr{ unsigned char e_ident[EI_NIDENT]; Elf32_Half e_type; /* ET_EXEC ET_DYN */ Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; /* Entry point */ Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; } Elf32_Ehdr;

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Example $ readelf -h hello ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2’s complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048300 Start of program headers: 52 (bytes into file) Start of section headers: 4396 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 8 Size of section headers: 40 (bytes) Number of section headers: 29 Section header string table index: 26

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Relocatable Files

A relocatable or shared object file is a collection of sections. Each section contains a single type of information, such as program code, read-only data,or read/write data, relocation entries,or symbols. Every symbol’s address is defined relative to a section. Therefore, a procedure’s entry point is relative to the program code section that contains that procedure’s code.

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Example $ readelf -h hello.o ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2’s complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: REL (Relocatable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x0 Start of program headers: 0 (bytes into file) Start of section headers: 220 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 0 (bytes) Number of program headers: 0 Size of section headers: 40 (bytes) Number of section headers: 11 Section header string table index: 8

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Program header

typedef struct elf32_phdr{ Elf32_Word p_type; /*PT_INTERP,PT_LOAD,PT_DYNAMIC*/ Elf32_Off p_offset; Elf32_Addr p_vaddr; Elf32_Addr p_paddr; Elf32_Word p_filesz; Elf32_Word p_memsz; Elf32_Word p_flags; Elf32_Word p_align; } Elf32_Phdr;

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Example: a.out’s elf header

e_ident[EI_NIDENT]: 16 Bytes: 7f 45 4c 46 01 01 01 00

ELFCLASS32 1 ELFDATA2LSB 1 EI_VERSION 1

ELFMAG0 ELFMAG1 ELFMAG2 ELFMAG3 e_ident[4] e_ident[5] e_ident[6]

0x7f ’E’ ’L’ ’F’

00 00 00 00 00 00 00 00

e_ident[0] e_ident[1] e_ident[2] e_ident[3]

e_type:2 Bytes: 02 00 (ET_EXEC 2 Executable file) e_machine: 2 Bytes: 03 00 (EM_386 3 Intel 80386) e_version: 4 Bytes: 01 00 00 00 e_entry: 4 Bytes: 80 82 04 08 program entry address 0x08048280 e_phoff: 4 Bytes: 34 00 00 00 Program Header Table’s offset (bytes) e_shoff: 4 Bytes: 6c 1c 00 00 Section Head Table’s offset (bytes) e_flags: 4 Bytes: 00 00 00 00 e_ehsize: 2 Bytes: 34 00 sizeof(Elf32_Ehdr) e_phentsize: 2 Bytes: 20 00 size of program header (0x20) e_phnum: 2 Bytes: 06 00 number of program header(0x06) e_shentsize: 2 Bytes: 28 00 size of each section header(0x28) e_shnum: 2 Bytes: 21 00, number of section header e_shstrndx: 2 Bytes: 1e 00

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Program header of a.out (1)

$hexdump -s 52 -n 32 -C a.out 00000034 06 00 00 00 34 00 00 00 34 80 04 08 34 80 04 08 |....4...4...4...| 00000044 c0 00 00 00 c0 00 00 00 05 00 00 00 04 00 00 00 |................| 00000054 Structure analysis: p_type: 4 bytes : 06 00 00 00, type is PT_PHDR p_offset: 4 bytes : 34 00 00 00 offset p_vaddr: 4 bytes : 34 80 04 08 virtual address:0x08048034 p_paddr: 4 bytes : 34 80 04 08 phisical address: 0x08048034 p_filesz:4 bytes : c0 00 00 00 segment size:0xc0 p_memsz: 4 bytes : c0 00 00 00 memory: 0xc0 p_flags: 4 bytes : 05 00 00 00 segment flag p_align: 4 bytes : 04 00 00 00

$readelf -l a.out Type Offset PHDR 0x000034

VirtAddr 0x08048034

PhysAddr 0x08048034

FileSiz MemSiz Flg Align 0x000c0 0x000c0 R E 0x4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Program header of a.out (2)

$ hexdump -s 84 -n 32 -C a.out 00000054 03 00 00 00 f4 00 00 00 f4 80 04 08 f4 80 04 08 |................| 00000064 13 00 00 00 13 00 00 00 04 00 00 00 01 00 00 00 |................| 00000074 Structure analysis: p_type: 4 bytes: 03 00 00 00 , type is PT_INTERP p_offset: 4 bytes: f4 00 00 00 offset p_vaddr: 4 bytes: f4 80 04 08 virtual address:0x080480f4 p_paddr: 4 bytes: f4 80 04 08 phisical address: 0x080480f4 p_filesz: 4 bytes: 13 00 00 00 segment size:0x13 p_memsz: 4 bytes: c0 00 00 00 memory size: 0xc0 p_flags: 4 bytes: 04 00 00 00 segment flag p_align: 4 bytes: 01 00 00 00 Type INTERP

Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align 0x0000f4 0x080480f4 0x080480f4 0x00013 0x00013 R 0x1

$ hexdump -s 0xf4 -n 19 -C a.out 000000f4 2f 6c 69 62 2f 6c 64 2d 00000104 2e 32 00 00000107

6c 69 6e 75 78 2e 73 6f

|/lib/ld-linux.so| |.2.|

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

All program headers of a.out $ readelf -l a.out Elf file type is EXEC (Executable file) Entry point 0x8048300 There are 8 program headers, starting at offset 52 Program Headers: Type Offset PHDR 0x000034 INTERP 0x000134 [Requesting program LOAD 0x000000 LOAD 0x000f14 DYNAMIC 0x000f28 NOTE 0x000148 GNU_STACK 0x000000 GNU_RELRO 0x000f14

VirtAddr PhysAddr FileSiz MemSiz 0x08048034 0x08048034 0x00100 0x00100 0x08048134 0x08048134 0x00013 0x00013 interpreter: /lib/ld-linux.so.2] 0x08048000 0x08048000 0x004a4 0x004a4 0x08049f14 0x08049f14 0x00100 0x00108 0x08049f28 0x08049f28 0x000c8 0x000c8 0x08048148 0x08048148 0x00044 0x00044 0x00000000 0x00000000 0x00000 0x00000 0x08049f14 0x08049f14 0x000ec 0x000ec

Flg Align R E 0x4 R 0x1 R E RW RW R RW R

0x1000 0x1000 0x4 0x4 0x4 0x1

Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu 03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag .note.gnu.build-id 06 07 .ctors .dtors .jcr .dynamic .got

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Segments vs. Sections

A single segment usually consist of several sections. E.g., a loadable read-only segment could contain sections for executable code, read-only data, and symbols for the dynamic linker.

Relocatable files have section header tables. Executable files have program header tables. Shared object files have both. Sections are intended for further processing by a linker, while the segments are intended to be mapped into memory.

Background

ELF (Executable and Linkable Format)

Section Header

typedef struct { Elf32_Word sh_name; Elf32_Word sh_type; Elf32_Word sh_flags; Elf32_Addr sh_addr; Elf32_Off sh_offset; Elf32_Word sh_size; Elf32_Word sh_link; Elf32_Word sh_info; Elf32_Word sh_addralign; Elf32_Word sh_entsize; } Elf32_Shdr;

PE (Portable Executable)

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Various Sections .text: This section holds executable instructions of a program. Type: PROGBITS Flags: ALLOC + EXECINSTR

.data: This section holds initialized data that contributes to the program’s image. Type: PROGBITS Flags: ALLOC + WRITE

.got: This section holds the global offset table. Type: PROGBIT

.plt: This section holds the procedure linkage table. Type: PROGBIT

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

All sections of a.out

$ readelf -S a.out There are 29 section headers, starting at offset 0x112c: Section Headers: [Nr] Name [ 0] [ 1] .interp [ 2] .note.ABI-tag [ 3] .note.gnu.build-i [ 4] .gnu.hash [ 5] .dynsym [ 6] .dynstr [ 7] .gnu.version [ 8] .gnu.version_r [ 9] .rel.dyn [10] .rel.plt [11] .init [12] .plt [13] .text [14] .fini [15] .rodata [16] .eh_frame

Type NULL PROGBITS NOTE NOTE GNU_HASH DYNSYM STRTAB VERSYM VERNEED REL REL PROGBITS PROGBITS PROGBITS PROGBITS PROGBITS PROGBITS

Addr 00000000 08048134 08048148 08048168 0804818c 080481ac 080481fc 08048246 08048250 08048270 08048278 08048290 080482c0 08048300 0804846c 08048488 080484a0

Off 000000 000134 000148 000168 00018c 0001ac 0001fc 000246 000250 000270 000278 000290 0002c0 000300 00046c 000488 0004a0

Size 000000 000013 000020 000024 000020 000050 00004a 00000a 000020 000008 000018 000030 000040 00016c 00001c 000015 000004

ES Flg Lk Inf Al 00 0 0 0 00 A 0 0 1 00 A 0 0 4 00 A 0 0 4 04 A 5 0 4 10 A 6 1 4 00 A 0 0 1 02 A 5 0 2 00 A 6 1 4 08 A 5 0 4 08 A 5 12 4 00 AX 0 0 4 04 AX 0 0 4 00 AX 0 0 16 00 AX 0 0 4 00 A 0 0 4 00 A 0 0 4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

All sections of a.out (continued)

[17] .ctors PROGBITS 08049f14 000f14 000008 00 WA 0 0 [18] .dtors PROGBITS 08049f1c 000f1c 000008 00 WA 0 0 [19] .jcr PROGBITS 08049f24 000f24 000004 00 WA 0 0 [20] .dynamic DYNAMIC 08049f28 000f28 0000c8 08 WA 6 0 [21] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 [22] .got.plt PROGBITS 08049ff4 000ff4 000018 04 WA 0 0 [23] .data PROGBITS 0804a00c 00100c 000008 00 WA 0 0 [24] .bss NOBITS 0804a014 001014 000008 00 WA 0 0 [25] .comment PROGBITS 00000000 001014 00002a 01 MS 0 0 [26] .shstrtab STRTAB 00000000 00103e 0000ee 00 0 0 [27] .symtab SYMTAB 00000000 0015b4 000400 10 28 44 [28] .strtab STRTAB 00000000 0019b4 0001fb 00 0 0 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific)

4 4 4 4 4 4 4 4 1 1 4 1

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

String table

String table sections hold null-terminated character sequences, commonly called strings. The object file uses these strings to represent symbol and section names. We use an index into the string table section to reference a string.

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Symbol table

An object file’s symbol table holds information needed to locate and relocate a program’s symbolic definition and references. A symbol table index is a subscript into this array.

Summary

Background

ELF (Executable and Linkable Format)

Symbol Table

typedef struct { Elf32_Word st_name; Elf32_Addr st_value; Elf32_Word st_size; unsigned char st_info; unsigned char st_other; Elf32_Half st_shndx; } Elf32_Sym;

PE (Portable Executable)

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Symbols of a.out $nm a.out 08049f28 d _DYNAMIC 08049ff4 d _GLOBAL_OFFSET_TABLE_ 0804848c R _IO_stdin_used w _Jv_RegisterClasses 08049f18 d __CTOR_END__ 08049f14 d __CTOR_LIST__ 08049f20 D __DTOR_END__ 08049f1c d __DTOR_LIST__ 080484a0 r __FRAME_END__ 08049f24 d __JCR_END__ 08049f24 d __JCR_LIST__ 0804a014 A __bss_start 0804a00c D __data_start 08048440 t __do_global_ctors_aux 08048330 t __do_global_dtors_aux 0804a010 D __dso_handle w __gmon_start__ 08048435 T __i686.get_pc_thunk.bx 08049f14 d __init_array_end 08049f14 d __init_array_start 08048430 T __libc_csu_fini 080483d0 T __libc_csu_init U __libc_start_main@@GLIBC_2.0

0804a014 0804a01c 0804846c 08048488 08048290 08048300 0804a014 0804a00c 0804a018 08048390 080483b4

A A T R T T b W b t T U

_edata _end _fini _fp_hw _init _start completed.6155 data_start dtor_idx.6157 frame_dummy main puts@@GLIBC_2.0

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Dynamic sysmbol .dynsym

$ readelf -s a.out Symbol table ’.dynsym’ Num: Value Size 0: 00000000 0 1: 00000000 0 2: 00000000 0 3: 00000000 0 4: 0804848c 4

contains 5 entries: Type Bind Vis NOTYPE LOCAL DEFAULT NOTYPE WEAK DEFAULT FUNC GLOBAL DEFAULT FUNC GLOBAL DEFAULT OBJECT GLOBAL DEFAULT

Ndx UND UND UND UND 15

Name __gmon_start__ __libc_start_main@GLIBC_2.0 (2) puts@GLIBC_2.0 (2) _IO_stdin_used

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Symbol table .symtab Symbol table ’.symtab’ Num: Value Size 0: 00000000 0 . . . . . . . 39: 00000000 0 40: 08049ff4 0 41: 08049f14 0 42: 08049f14 0 43: 08049f28 0 44: 0804a00c 0 45: 08048430 5 46: 08048300 0 47: 00000000 0 48: 00000000 0 49: 08048488 4 50: 0804846c 0 51: 00000000 0 52: 0804848c 4 53: 0804a00c 0 54: 0804a010 0 55: 08049f20 0 56: 080483d0 90 57: 0804a014 0 58: 0804a01c 0 59: 00000000 0 60: 0804a014 0 61: 08048435 0 62: 080483b4 28 63: 08048290 0

contains 64 entries: Type Bind Vis NOTYPE LOCAL DEFAULT

Ndx Name UND

FILE OBJECT NOTYPE NOTYPE OBJECT NOTYPE FUNC FUNC NOTYPE NOTYPE OBJECT FUNC FUNC OBJECT NOTYPE OBJECT OBJECT FUNC NOTYPE NOTYPE FUNC NOTYPE FUNC FUNC FUNC

ABS 22 17 17 20 23 13 13 UND UND 15 14 UND 15 23 23 18 13 ABS ABS UND ABS 13 13 11

LOCAL LOCAL LOCAL LOCAL LOCAL WEAK GLOBAL GLOBAL WEAK WEAK GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL GLOBAL

DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT HIDDEN HIDDEN DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT HIDDEN DEFAULT DEFAULT

Hello.c _GLOBAL_OFFSET_TABLE_ __init_array_end __init_array_start _DYNAMIC data_start __libc_csu_fini _start __gmon_start__ _Jv_RegisterClasses _fp_hw _fini __libc_start_main@@GLIBC_ _IO_stdin_used __data_start __dso_handle __DTOR_END__ __libc_csu_init __bss_start _end puts@@GLIBC_2.0 _edata __i686.get_pc_thunk.bx main _init

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Library Dependency

ldd - print shared library dependencies zlin@zlin-desktop:~$ ldd /bin/ls linux-vdso.so.1 => (0x00007ffff43ff000) libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f02213a0000) librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f0221198000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007f0220f8f000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0220bfb000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f02209f7000) /lib64/ld-linux-x86-64.so.2 (0x00007f02215e3000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f02207d8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007f02205d3000)

Outline

1

Background

2

ELF (Executable and Linkable Format)

3

PE (Portable Executable)

4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

PE

PE stands for Portable Executable Microsoft introduced PE in Windows NT 3.1 It originates from Unix COFF Features dynamic linking, symbol exporting/importing Can contain Intel, Alpha, MIPS and even .NET MSIL binary code

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

PE

PE stands for Portable Executable Microsoft introduced PE in Windows NT 3.1 It originates from Unix COFF Features dynamic linking, symbol exporting/importing Can contain Intel, Alpha, MIPS and even .NET MSIL binary code Acknowledgment Many of the following slides are compiled from http://pentest.cryptocity.net/reverse-engineering/

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Complete Picture of PE struct _IMAGE_DOS_HEADER { 0x00 WORD e_magic; 0x02 WORD e_cblp; 0x04 WORD e_cp; 0x06 WORD e_crlc; 0x08 WORD e_cparhdr; 0x0a WORD e_minalloc; 0x0c WORD e_maxalloc; 0x0e WORD e_ss; 0x10 WORD e_sp; 0x12 WORD e_csum; 0x14 WORD e_ip; 0x16 WORD e_cs; 0x18 WORD e_lfarlc; 0x1a WORD e_ovno; 0x1c WORD e_res[4]; 0x24 WORD e_oemid; 0x26 WORD e_oeminfo; 0x28 WORD e_res2[10]; 0x3c DWORD e_lfanew; };

IMAGE_DIRECTORY_ENTRY_EXPORT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; struct _IMAGE_FILE_HEADER { 0x00 WORD Machine; 0x02 WORD NumberOfSections; 0x04 DWORD TimeDateStamp; 0x08 DWORD PointerToSymbolTable; 0x0c DWORD NumberOfSymbols; 0x10 WORD SizeOfOptionalHeader; 0x12 WORD Characteristics; };

struct _IMAGE_IMPORT_DESCRIPTOR { 0x00 { structunion _IMAGE_IMPORT_DESCRIPTOR { structunion _IMAGE_IMPORT_DESCRIPTOR { /* {0 for terminating null import descriptor */ structunion _IMAGE_IMPORT_DESCRIPTOR { 0x00 DWORD Characteristics; /*{0 for terminating null import descriptor 0x00

IMAGE_DIRECTORY_ENTRY_IMPORT

0x04

struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; 0x08 0x0c 0x10 }; }; };

struct _IMAGE_NT_HEADERS { 0x00 DWORD Signature; 0x04 _IMAGE_FILE_HEADER FileHeader; 0x18 _IMAGE_OPTIONAL_HEADER OptionalHeader; };

_IMAGE_FILE_HEADER .NumberOfSections

typedef struct _IMAGE_SECTION_HEADER { 0x00 BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { 0x08 DWORD PhysicalAddress; 0x08 DWORD VirtualSize; } Misc; 0x0c DWORD VirtualAddress; 0x10 DWORD SizeOfRawData; 0x14 DWORD PointerToRawData; 0x18 DWORD PointerToRelocations; 0x1c DWORD PointerToLinenumbers; 0x20 WORD NumberOfRelocations; 0x22 WORD NumberOfLinenumbers; 0x24 DWORD Characteristics; }; typedef struct _IMAGE_SECTION_HEADER { 0x00 BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { 0x08 DWORD PhysicalAddress; 0x08 DWORD VirtualSize; } Misc; 0x0c DWORD VirtualAddress; 0x10 DWORD SizeOfRawData; 0x14 DWORD PointerToRawData; 0x18 DWORD PointerToRelocations; 0x1c DWORD PointerToLinenumbers; 0x20 WORD NumberOfRelocations; 0x22 WORD NumberOfLinenumbers; 0x24 DWORD Characteristics; };

. . .

typedef struct _IMAGE_SECTION_HEADER { 0x00 BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { 0x08 DWORD PhysicalAddress; 0x08 DWORD VirtualSize; } Misc; 0x0c DWORD VirtualAddress; 0x10 DWORD SizeOfRawData; 0x14 DWORD PointerToRawData; 0x18 DWORD PointerToRelocations; 0x1c DWORD PointerToLinenumbers; 0x20 WORD NumberOfRelocations; 0x22 WORD NumberOfLinenumbers; 0x24 DWORD Characteristics; };

IMAGE_DIRECTORY_ENTRY_RESOURCE

struct _IMAGE_OPTIONAL_HEADER { 0x00 WORD Magic; 0x02 BYTE MajorLinkerVersion; 0x03 BYTE MinorLinkerVersion; 0x04 DWORD SizeOfCode; 0x08 DWORD SizeOfInitializedData; 0x0c DWORD SizeOfUninitializedData; 0x10 DWORD AddressOfEntryPoint; 0x14 DWORD BaseOfCode; 0x18 DWORD BaseOfData; 0x1c DWORD ImageBase; 0x20 DWORD SectionAlignment; 0x24 DWORD FileAlignment; 0x28 WORD MajorOperatingSystemVersion; 0x2a WORD MinorOperatingSystemVersion; 0x2c WORD MajorImageVersion; 0x2e WORD MinorImageVersion; 0x30 WORD MajorSubsystemVersion; 0x32 WORD MinorSubsystemVersion; 0x34 DWORD Win32VersionValue; 0x38 DWORD SizeOfImage; 0x3c DWORD SizeOfHeaders; 0x40 DWORD CheckSum; 0x44 WORD Subsystem; 0x46 WORD DllCharacteristics; 0x48 DWORD SizeOfStackReserve; 0x4c DWORD SizeOfStackCommit; 0x50 DWORD SizeOfHeapReserve; 0x54 DWORD SizeOfHeapCommit; 0x58 DWORD LoaderFlags; 0x5c DWORD NumberOfRvaAndSizes; 0x60 _IMAGE_DATA_DIRECTORY DataDirectory[16]; };

struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

*/ union/*{0 for terminating null import descriptor */ /* RVA to originalCharacteristics; unbound IAT */ DWORD /* 0 for terminating null import descriptor */ DWORD PIMAGE_THUNK_DATA OriginalFirstThunk; /* RVA to originalCharacteristics; unbound IAT */ DWORD /* RVA to originalCharacteristics; unbound IAT */ } u; PIMAGE_THUNK_DATA OriginalFirstThunk; /* RVA to original unbound IAT */ PIMAGE_THUNK_DATA DWORD TimeDateStamp; /* OriginalFirstThunk; 0 if not bound, } u; PIMAGE_THUNK_DATA OriginalFirstThunk; } u; * -1 if bound, and real date\time DWORD TimeDateStamp; /* 0 if not bound,stamp } u; DWORD TimeDateStamp; /* 0 if not bound, stamp * * in -1IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT if bound, and real date\time DWORD TimeDateStamp; /* 0 if not bound, stamp -1BIND) if bound, and real date\time * (new * * in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT -1 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT if bound, and real date\time stamp * * in * otherwise date/time stamp of DLL bound to * (new BIND) * in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT * (new * (Old BIND)BIND) * otherwise date/time stamp of DLL bound to * (new BIND) * otherwise */ * (Old BIND) date/time stamp of DLL bound to * otherwise date/time stamp of DLL bound to DWORD ForwarderChain; /* -1 if no forwarders */ */ * (Old BIND) */ * (Old BIND) DWORD DWORD Name; ForwarderChain; /* -1 if no forwarders */ */ DWORD ForwarderChain; /* -1 if no forwarders */ /* RVA to IAT (if bound this IAT has actual addresses) */ DWORD Name; DWORD Name; ForwarderChain; /* -1 if no forwarders */ DWORD PIMAGE_THUNK_DATA FirstThunk; /* RVA to IAT (if bound this IAT has actual addresses) */ DWORD Name; /* RVA to IAT (if bound this IAT has actual addresses) */ PIMAGE_THUNK_DATA FirstThunk; /* RVA to IAT (if bound this IAT has actual addresses) */ PIMAGE_THUNK_DATA FirstThunk; PIMAGE_THUNK_DATA FirstThunk; };

struct _IMAGE_RESOURCE_DIRECTORY { 0x00 DWORD Characteristics; 0x04 DWORD TimeDateStamp; 0x08 WORD MajorVersion; 0x0a WORD MinorVersion; 0x0c WORD NumberOfNamedEntries; 0x0e WORD NumberOfIdEntries; };

struct _IMAGE_EXPORT_DIRECTORY { 0x00 DWORD Characteristics; 0x04 DWORD TimeDateStamp; 0x08 WORD MajorVersion; 0x0a WORD MinorVersion; 0x0c DWORD Name; 0x10 DWORD Base; 0x14 DWORD NumberOfFunctions; 0x18 DWORD NumberOfNames; 0x1c DWORD AddressOfFunctions; 0x20 DWORD AddressOfNames; 0x24 DWORD AddressOfNameOrdinals; };

Indexed by Ordinals address_of_function[0] address_of_function[1] address_of_function[2] . . . address_of_function[NumberOfFunctions]

Code/Data Code/Data Code/Data Code/Data Code/Data

If a symbol N is exported by ordinal and name then: -Its name will be located at AddressOfNames[N] -Its ordinal at AddressOfNameOrdinals[N] -And its address* will be AddressOfFunctions[AddressOfNameOrdinals[N]]

Array of WORDs

Pointers to strings

name_ordinal[0] name_ordinal[1] name_ordinal[2] . . . name_ordinal[NumberOfNames]

address_of_name[0] address_of_name[1] address_of_name[2] . . . address_of_name[NumberOfNames]

The function might be forwarded, in that case the last pointer will refer to an address within the exports pointing to the forwarder string, which will contain information on the symbol and the module where to find it.

typedef struct _IMAGE_THUNK_DATA { typedef struct union { _IMAGE_THUNK_DATA { typedef struct { union { _IMAGE_THUNK_DATA 0x00 LPBYTE ForwarderString; unionLPBYTE { ForwarderString; 0x00 PDWORD Function; LPBYTE Function; ForwarderString; PDWORD 0x00 DWORD Ordinal; PDWORDOrdinal; Function; DWORD 0x00 PIMAGE_IMPORT_BY_NAME AddressOfData; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; typedef struct _IMAGE_IMPORT_BY_NAME { typedef struct _IMAGE_IMPORT_BY_NAME { 0x00 WORD Hint; typedef struct _IMAGE_IMPORT_BY_NAME { WORD 0x02 BYTE Name[1];Hint; WORD BYTE Name[1];Hint; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; BYTE Name[1]; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;

IMAGE_DIRECTORY_ENTRY_EXCEPTION struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_SECURITY

typedef struct _IMAGE_THUNK_DATA { typedef struct union { _IMAGE_THUNK_DATA { typedef struct { union { _IMAGE_THUNK_DATA 0x00 LPBYTE ForwarderString; unionLPBYTE { ForwarderString; 0x00 PDWORD Function; LPBYTE Function; ForwarderString; PDWORD 0x00 DWORD Ordinal; PDWORDOrdinal; Function; DWORD 0x00 PIMAGE_IMPORT_BY_NAME AddressOfData; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA;

struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_BASERELOC struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_DEBUG struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_COPYRIGHT

struct _IMAGE_DEBUG_DIRECTORY { 0x00 DWORD Characteristics; 0x04 DWORD TimeDateStamp; 0x08 WORD MajorVersion; 0x0a WORD MinorVersion; 0x0c DWORD Type; 0x10 DWORD SizeOfData; 0x14 DWORD AddressOfRawData; 0x18 DWORD PointerToRawData; };

struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_GLOBALPTR struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_TLS struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

struct _IMAGE_TLS_DIRECTORY { 0x00 DWORD StartAddressOfRawData; 0x04 DWORD EndAddressOfRawData; 0x08 LPDWORD AddressOfIndex; 0x0c PIMAGE_TLS_CALLBACK *AddressOfCallBacks; 0x10 DWORD SizeOfZeroFill; 0x14 DWORD Characteristics; };

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

typedef struct _IMAGE_IMPORT_BY_NAME { typedef struct _IMAGE_IMPORT_BY_NAME { 0x00 WORD Hint; typedef struct _IMAGE_IMPORT_BY_NAME { WORD 0x02 BYTE Name[1];Hint; WORD BYTE Name[1];Hint; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; BYTE Name[1]; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;

typedef struct _IMAGE_THUNK_DATA { typedef struct union { _IMAGE_THUNK_DATA { typedef struct { union { _IMAGE_THUNK_DATA 0x00 LPBYTE ForwarderString; unionLPBYTE { ForwarderString; 0x00 PDWORD Function; LPBYTE Function; ForwarderString; PDWORD 0x00 DWORD Ordinal; PDWORDOrdinal; Function; DWORD 0x00 PIMAGE_IMPORT_BY_NAME AddressOfData; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; typedef struct _IMAGE_IMPORT_BY_NAME { typedef struct _IMAGE_IMPORT_BY_NAME { 0x00 WORD Hint; typedef struct _IMAGE_IMPORT_BY_NAME { WORD 0x02 BYTE Name[1];Hint; WORD BYTE Name[1];Hint; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; BYTE Name[1]; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;

typedef struct _IMAGE_THUNK_DATA { typedef struct union { _IMAGE_THUNK_DATA { typedef struct { union { _IMAGE_THUNK_DATA 0x00 LPBYTE ForwarderString; unionLPBYTE { ForwarderString; 0x00 PDWORD Function; LPBYTE Function; ForwarderString; PDWORD 0x00 DWORD Ordinal; PDWORDOrdinal; Function; DWORD 0x00 PIMAGE_IMPORT_BY_NAME AddressOfData; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; typedef struct _IMAGE_IMPORT_BY_NAME { typedef struct _IMAGE_IMPORT_BY_NAME { 0x00 WORD Hint; typedef struct _IMAGE_IMPORT_BY_NAME { WORD 0x02 BYTE Name[1];Hint; WORD BYTE Name[1];Hint; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; BYTE Name[1]; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_IAT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; }; IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

struct _IMAGE_DELAY_IMPORT_DESCRIPTOR { 0x00 DWORD grAttrs; 0x04 DWORD szName; 0x08 DWORD phmod; 0x0c DWORD pIAT; 0x10 DWORD pINT; 0x14 DWORD pBoundIAT; 0x18 DWORD pUnloadIAT; 0x1c DWORD dwTimeStamp; };

Portable Executable Format Structure contained within parent Structure pointed to by the parent Last updated on Mon Dec 26 2005 Created by Ero Carrera Ventura

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

File Headers: MZ header File Headers: MZ header MZ Header PE Header Code Section Data Section Imports Resources

struct _IMAGE_DOS_HEADER { 0x00 WORD e_magic; 0x02 WORD e_cblp; 0x04 WORD e_cp; 0x06 WORD e_crlc; 0x08 WORD e_cparhdr; 0x0a WORD e_minalloc; 0x0c WORD e_maxalloc; 0x0e WORD e_ss; 0x10 WORD e_sp; 0x12 WORD e_csum; 0x14 WORD e_ip; 0x16 WORD e_cs; 0x18 WORD e_lfarlc; 0x1a WORD e_ovno; 0x1c WORD e_res[4]; 0x24 WORD e_oemid; 0x26 WORD e_oeminfo; 0x28 WORD e_res2[10]; _ [ ]; 0x3c DWORD e_lfanew; };

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

File Headers: PE Header File Headers: PE Header MZ Header File Header Optional Header Section Header Section Header

struct _IMAGE_NT_HEADERS { 0x00 DWORD Signature; 0x04 _IMAGE_FILE_HEADER FileHeader; 0x18 _IMAGE_OPTIONAL_HEADER OptionalHeader; };

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

File Headers: File Header File Headers: File Header MZ Header File Header Optional Header Section Header Section Header

struct _IMAGE_FILE_HEADER { 0x00 WORD Machine; 0x02 WORD NumberOfSections; 0x04 DWORD TimeDateStamp; 0x08 DWORD PointerToSymbolTable; 0x0c DWORD NumberOfSymbols; 0x10 WORD SizeOfOptionalHeader; 0x12 WORD Characteristics; };

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

File Headers: Optional Header File Headers: Optional Header MZ Header File Header Optional Header Section Header Section Header

struct _IMAGE_OPTIONAL_HEADER { 0x00 WORD Magic; 0x02 BYTE MajorLinkerVersion; 0x03 BYTE MinorLinkerVersion; 0x04 DWORD SizeOfCode; 0x08 DWORD SizeOfInitializedData; 0x0c DWORD SizeOfUninitializedData; 0x10 DWORD AddressOfEntryPoint; 0x14 DWORD BaseOfCode; 0x18 DWORD BaseOfData; 0x1c DWORD ImageBase; 0x20 DWORD SectionAlignment; 0x24 DWORD FileAlignment; 0x28 WORD MajorOperatingSystemVersion; 0x2a WORD MinorOperatingSystemVersion; 0x2c WORD MajorImageVersion; 0x2e WORD MinorImageVersion; 0x30 WORD MajorSubsystemVersion; 0x32 WORD MinorSubsystemVersion; 0x34 DWORD Win32VersionValue; 0x38 DWORD SizeOfImage; 0x3c DWORD SizeOfHeaders; 0x40 DWORD CheckSum; 0x44 WORD Subsystem; 0x46 WORD DllCharacteristics; 0x48 DWORD SizeOfStackReserve; 0x4c DWORD SizeOfStackCommit; 0x50 DWORD SizeOfHeapReserve; 0x54 DWORD SizeOfHeapCommit; 0x58 DWORD LoaderFlags; 0x5c DWORD NumberOfRvaAndSizes; 0x60 _IMAGE_DATA_DIRECTORY DataDirectory[16]; };

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

File Headers: Optional Header File Headers: Optional Header MZ Header File Header Optional Header Section Header Section Header

struct _IMAGE_OPTIONAL_HEADER { 0x00 WORD Magic; 0x02 BYTE MajorLinkerVersion; 0x03 BYTE MinorLinkerVersion; 0x04 DWORD SizeOfCode; 0x08 DWORD SizeOfInitializedData; 0x0c DWORD SizeOfUninitializedData;; 0x10 DWORD AddressOfEntryPoint; 0x14 DWORD BaseOfCode; 0x18 DWORD BaseOfData; 0x1c DWORD ImageBase; 0x20 DWORD SectionAlignment; 0x24 DWORD FileAlignment; 0x28 WORD MajorOperatingSystemVersion; 0x2a WORD MinorOperatingSystemVersion; 0x2c WORD MajorImageVersion; 0x2e WORD MinorImageVersion; 0x30 WORD MajorSubsystemVersion; 0x32 WORD MinorSubsystemVersion; 0x34 DWORD Win32VersionValue; 0x38 DWORD SizeOfImage; 0x3c DWORD SizeOfHeaders; 0x40 DWORD CheckSum; 0x44 WORD Subsystem;

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

File Headers: Optional Header File Headers: Optional Header MZ Header File Header Optional Header Section Header Section Header

0x1c 0x20 0x24 0x28 0x2a 0x2c 0x2e 0x30 0x32 0x34 0x38 0x3c 0x40 0x44 0x46 0x48 0x4c 0x50 0x54 0x58 0x5c 0x60 };

DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; _IMAGE_DATA_DIRECTORY _IMAGE_DAT ATA_DIRECTORY Y DataDirectory[16];

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

File Headers: Image Directory File Headers: Image Directory IMAGE_DIRECTORY_ENTRY_EXPORT IMAGE DIRECTORY ENTRY EXPORT

MZ Header File Header Optional Header Section Header Section Header

IMAGE IMAGE_DIRECTORY_ENTRY_IMPORT DIRECTORY ENTRY IMPORT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; IMAGE_DIRECTORY_ENTRY_RESOURCE struct { 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; 0x00 DWORD VirtualAddress; }; struct { IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; 0x00 DWORD VirtualAddress; }; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_SECURITY }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_BASERELOC }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_DEBUG }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_COPYRIGHT }; 0x00 DWORD VirtualAddress; 0x04 DWORD Size; struct _IMAGE_DATA_DIRECTORY { IMAGE_DIRECTORY_ENTRY_GLOBALPTR }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_TLS }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT }; 0x00 DWORD VirtualAddress; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct IMAGE_DIRECTORY_ENTRY_IAT A { }; 0x00 DWORD VirtualAddress; IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { }; 0x00 DWORD VirtualAddress; struct { IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; 0x00 DWORD VirtualAddress; }; 0x04 _IMAGE_DATA_DIRECTORY DWORD Size; struct { }; 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

File Headers: Section Header File Headers: Section Header MZ Header File Header Optional Header Section Header Section Header

typedef struct _IMAGE_SECTION_HEADER { 0x00 BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { 0x08 DWORD PhysicalAddress; 0x08 DWORD VirtualSize; } Misc; 0x0c DWORD VirtualAddress; 0x10 DWORD SizeOfRawData;; 0x14 DWORD PointerToRawData; T 0x18 DWORD PointerToRelocations; 0x1c DWORD PointerToLinenumbers; 0x20 WORD NumberOfRelocations; 0x22 WORD NumberOfLinenumbers; 0x24 DWORD Characteristics; };

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

PE Image Loading PE Image Loading File image

Memory Image

MZ/PE Header

MZ/PE Header

Section Table

Section Table

.text .data .idata .rsrc

.text .data .idata .rsrc

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Memory Layout Memory Layout 0x00400000

App. Image App. Stack App. Heap

0x00800000

SOME.DLL

0x77E00000

KERNEL32.DLL

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Import Symbols

Symbols (functions/data) can be imported from external DLLs The loader will load external DLLs automatically All the dependencies are loaded as well DLLs will be loaded only once External addresses are written to the Import Address Table (IAT) IAT is most often located in the .idata section

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

DLL Dependency DLL Dependency Tree Depends tool shows all dependencies http://www.dependencywalker.com/

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Import Symbols

Each DLL has one IMAGE_IMPORT_DESCRIPTOR The descriptor points to two parallel lists of symbols to import Import Address Table (IAT) Import Name Table (INT) The primary list is overwritten by the loader, the second one is not Executables can be pre-bound to DLLs to speed up loading Symbols can be imported by ASCII name or ordinal

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Imports

Imports .idata section IMPORT_DESCRIPTORS: USER32.DLL ADVAPI32.DLL

Calling:

Import Name Table(INT): ‘IMPORT1’ ‘IMPORT2’

...

Import Adddress Table (IAT): DWORD IMPORT1 DWORD IMPORT2

CALL [IMPORT1]

CALL [IMPORT2]

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

ImportImport Descriptors Descriptors

IMAGE_DIRECTORY_ENTRY_IMPORT struct _IMAGE_DATA_DIRECTORY { 0x00 DWORD VirtualAddress; 0x04 DWORD Size; };

struct _IMAGE_IMPORT_DESCRIPTOR { structunion _IMAGE_IMPORT_DESCRIPTOR { 0x00 { structunion _IMAGE_IMPORT_DESCRIPTOR { 0x00 /* {0 for terminating null import descriptor */ /* {0 for terminating null import descriptor */ 0x000x00 union DWORD Characteristics; /* 0tofor terminating nullIAT import 0x00 DWORD Characteristics; /* RVA original unbound */ descriptor */ DWORD /* RVA to originalCharacteristics; unbound IAT */ 0x000x00 PIMAGE_THUNK_DATA OriginalFirstThunk; /* RVA to original unbound IAT */ 0x00} u; PIMAGE_THUNK_DATA OriginalFirstThunk; PIMAGE_THUNK_DATA } u; 0x040x00 DWORD TimeDateStamp; /* OriginalFirstThunk; 0 if not bound, } u;DWORD TimeDateStamp; 0x040x08 DWORD ForwarderChain;/* 0 if/*not -1 ifbound, no forwarders */ DWORD TimeDateStamp; 0x08 DWORD ForwarderChain;/* 0 if/*not -1 ifbound, no forwarders */ 0x0c0x04 DWORD Name; 0x08 DWORD /* -1 if no 0x0c/* RVA DWORD Name;thisForwarderChain; to IAT (if bound IAT has actual addresses) */ forwarders */ DWORD Name;this /* RVA to IAT (if bound IAT has actual addresses) */ 0x100x0c PIMAGE_THUNK_DATA FirstThunk; /* RVA to IAT (if bound this IAT has actual addresses) */ FirstThunk; }; 0x10 PIMAGE_THUNK_DATA }; 0x10 PIMAGE_THUNK_DATA FirstThunk; };

typedef struct _IMAGE_THUNK_DATA { typedef struct union { _IMAGE_THUNK_DATA { unionLPBYTE { 0x00 ForwarderString; 0x00 LPBYTE Function; ForwarderString; 0x00 PDWORD 0x00 PDWORDOrdinal; Function; 0x00 DWORD 0x00 DWORD Ordinal; 0x00 PIMAGE_IMPORT_BY_NAME AddressOfData; 0x00} u1; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA; } IMAGE_THUNK_DATA,*PIMAGE_THUNK_DATA;

typedef struct _IMAGE_IMPORT_BY_NAME { typedef struct _IMAGE_IMPORT_BY_NAME { 0x00 WORD Hint; 0x00BYTE WORD 0x02 Name[1]; Hint; 0x02 BYTE Name[1]; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME; } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Exporting Symbols

Symbols can be exported with ordinals, names or both Ordinals are simple index numbers of symbols Name is a full ASCII name of the exported symbol Exports are described by three simple lists List of ordinals List of symbol addresses List of symbol names

Exports can be forwarded to another DLL Example: NTDLL.RtlAllocHeap

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Resources

Resources in PE are similar to an archive Resource files can be organised into directory trees The data structure is quite complex but there are tools to handle it Most common resources: Icons Version information GUI resources

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Base Relocation Base Relocation Preferred image base

MZ Header PE Header Code Section

Relocation offset

MZ Header PE Header Code Section

Data Section Imports Resources

Data Section Imports Resources

Actual image base

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Base Relocation

Sometimes a DLL can not be loaded to its preferred address When rebasing, the loader has to adjust all hardcoded addresses Relocations are done in 4KiB blocks (page size on x86) Each relocation entry gives a type and points to a location The loader calculates the base address difference The offsets are adjusted according to the difference

Outline

1

Background

2

ELF (Executable and Linkable Format)

3

PE (Portable Executable)

4

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

Binary executable file format is important for (many reasons) ELF (executable, shared, compiled) PE (executable, DLL) ELF/PE has its own structure and definition

Summary

Background

ELF (Executable and Linkable Format)

PE (Portable Executable)

Summary

References

http://en.wikipedia.org/wiki/Executable_and_Linkable_Format www.skyfree.org/linux/references/ELF_Format.pdf http://en.wikipedia.org/wiki/Portable_Executable http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx https://www.openrce.org/reference_library/files/reference/PE Format.pdf http://code.google.com/p/pefile/ http://pentest.cryptocity.net/reverse-engineering/ http://pentest.cryptocity.net/files/reversing/helsinki/reverse_engineering__pe_format.pdf