Hacking/Windows internals/PE

From Skypher

A PE (Portable Executable) is a file format for storing compiled code so that it can be loaded and run on [[wikipedia:Microsoft Windows|Windows]]. It is used for .exe and .dll files, as well as several other file types such as .sys drivers.

Memory map

[Screenshot: using OllyDbg to look at a process's memory map]

If you look at the example output above, you can see that there are 5 entries which have "cmd" as their Owner. If you are familiar with the PE/COFF format you will recognise these entries; if not, here is a short explanation. The PE "cmd.exe" consists of a header plus 4 sections, and each of these 5 parts has been loaded into its own region of memory. The first entry is the header, which describes the executable: how big it is, what sections it has, where those sections are found in the file and where they should be placed in memory. Next comes the ".text" section, which contains the machine code of the executable. In this binary it also holds the import table, which tells the loader which functions the code calls in which .dll libraries, so that their addresses can be filled in when the executable is loaded (in many other executables the import table lives in a ".rdata" or ".idata" section instead). The ".data" section contains the executable's initialised, writable data, such as global variables and some strings. The last two sections, ".rsrc" (resources such as icons, dialogs and version information) and ".reloc" (base relocations, applied when the image cannot be loaded at its preferred address), are not important at this point.
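To make the relationship between the header, the section table and the memory map concrete, here is an added example (not code from the original page): a small Python parser that walks the DOS header, PE signature, COFF header, optional header and section table, and then builds the same kind of memory map OllyDbg shows, one region for the headers plus one per section. The image it parses is constructed in `build_sample_pe()` and is not a real binary; by assumption its layout (four sections, import directory inside .text) mirrors the cmd.exe example above. `rva_to_file_offset()` shows the other half of what the header records: where a byte seen in memory sits in the file on disk.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index into the optional header's DataDirectory

class Section(NamedTuple):
    name: str
    virtual_address: int  # RVA where the loader maps the section
    virtual_size: int
    raw_pointer: int      # offset of the section's bytes in the file
    raw_size: int
    characteristics: int

def parse_pe(data: bytes) -> Dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        n_dirs_off = opt + 92
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24, NumberOfRvaAndSizes at +108
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        n_dirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section_alignment = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    import_rva = import_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:  # the count comes from the file: check it before indexing
        import_rva, import_size = struct.unpack_from(
            "<II", data, n_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    table = opt + opt_size  # the section table directly follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rptr, rsize, chars))
    return dict(image_base=image_base, section_alignment=section_alignment,
                size_of_image=size_of_image, size_of_headers=size_of_headers,
                import_rva=import_rva, import_size=import_size, sections=sections)

def _align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)

def _mapped_size(pe: Dict, s: Section) -> int:  # pages the loader reserves for a section
    return _align_up(max(s.virtual_size, s.raw_size), pe["section_alignment"])

def section_for_rva(pe: Dict, rva: int) -> Optional[Section]:  # None for the header region
    for s in pe["sections"]:
        if s.virtual_address <= rva < s.virtual_address + _mapped_size(pe, s):
            return s
    return None

def rva_to_file_offset(pe: Dict, rva: int) -> int:  # address seen in memory -> byte in the file
    if rva < pe["size_of_headers"]:
        return rva  # headers are mapped 1:1 at the image base
    s = section_for_rva(pe, rva)
    if s is None or rva - s.virtual_address >= s.raw_size:
        raise ValueError("RVA 0x%x is not backed by file bytes" % rva)
    return s.raw_pointer + (rva - s.virtual_address)

def memory_map(pe: Dict) -> List[tuple]:
    """(address, size, owner) rows like OllyDbg's Memory window: header region, then one per section."""
    rows = [(pe["image_base"], _align_up(pe["size_of_headers"], pe["section_alignment"]), "PE header")]
    return rows + [(pe["image_base"] + s.virtual_address, _mapped_size(pe, s), s.name) for s in pe["sections"]]

def build_sample_pe() -> bytes:
    """Constructed sample (not a real binary): a PE32 with the four sections the page names
    and its import directory placed inside .text, as in the page's cmd.exe example."""
    layout = [(b".text",  0x1000, 0x800, 0x0400, 0x800, 0x60000020),  # VA, VSize, RawPtr, RawSize, CODE|EXEC|READ
              (b".data",  0x2000, 0x200, 0x0C00, 0x200, 0xC0000040),  # INITIALIZED_DATA|READ|WRITE
              (b".rsrc",  0x3000, 0x200, 0x0E00, 0x200, 0x40000040),  # INITIALIZED_DATA|READ
              (b".reloc", 0x4000, 0x100, 0x1000, 0x200, 0x42000040)]  # INITIALIZED_DATA|READ|DISCARDABLE
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint: start of .text
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x5000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)               # Subsystem: Windows console
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1600, 0x28)  # import dir in .text
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rp, rs, ch in layout)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + bytes(0x1200 - len(headers))  # pad to where .reloc's raw data ends (0x1000 + 0x200)

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for addr, size, owner in memory_map(pe):
        print("%08X %08X %s" % (addr, size, owner))
```

Run as a script it prints five rows, matching the five "cmd" entries in the OllyDbg output: the header region at the image base followed by .text, .data, .rsrc and .reloc, each rounded up to SectionAlignment. Note that `rva_to_file_offset()` refuses RVAs in the part of a section that exists only in memory (VirtualSize larger than SizeOfRawData), and that the parser checks NumberOfRvaAndSizes before indexing the data directory, since every one of these fields is read from the file and a malformed image can set them to anything.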

See also
