About PE file #1 pyutic


EXE file

This looks similar!


An EXE file has code

And…

It also has its own ‘rules’

EXE file

Header

Code

EXE’s Code

Assembly code

from High-level Language

Start-up code

Ready-made code (by compiler)

etc

Data

EXE’s Header

Information the OS needs

Identification

Code Information

Information about imported/exported functions

etc

EXE’s Header -Identification-

Is this a valid PE file?

Which platform is the PE for?

EXE’s Header -Code Information-

Code’s base and Entry-point

Code is divided into many sections

Section for assembly-code

Section for data: static variables

Section for resource

Section for import/export
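The identification and code-information fields listed above can be read straight from the header bytes. The following is an added example, not part of the original slides: `parse_pe`, `build_sample` and the sample values are constructed for illustration, and the in-memory addresses assume the image is loaded at its preferred base (no rebasing).

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

def parse_pe(data):
    """Read identification, code information and sections from PE headers."""
    try:
        if data[:2] != b"MZ":                        # DOS signature
            raise ValueError("not a PE file: no MZ signature")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":     # NT signature
            raise ValueError("not a PE file: no PE signature")
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", data, pe_off + 4)            # COFF header: platform, sections
        opt = pe_off + 24                            # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
        if magic == 0x10B:                           # PE32
            (base,) = struct.unpack_from("<I", data, opt + 28)
        elif magic == 0x20B:                         # PE32+ (64-bit)
            (base,) = struct.unpack_from("<Q", data, opt + 24)
        else:
            raise ValueError("unknown optional header magic")
        sections = []
        for i in range(nsect):                       # 40-byte section headers
            name, _, rva, _, raw = struct.unpack_from(
                "<8sIIII", data, opt + opt_size + 40 * i)
            name = name.rstrip(b"\0").decode("ascii", "replace")
            sections.append((name, raw, base + rva)) # (name, on disk, in memory)
    except struct.error:
        raise ValueError("truncated PE headers") from None
    return {"machine": MACHINES.get(machine, hex(machine)), "image_base": base,
            "entry_point": base + entry_rva, "sections": sections}

def build_sample():
    """Constructed minimal PE32 headers (no real code) used as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # entry point RVA
    struct.pack_into("<I", opt, 28, 0x400000)                # preferred base
    sects = b"".join(struct.pack("<8sIIII16x", n, 0x200, rva, 0x200, raw)
                     for n, rva, raw in [(b".text", 0x1000, 0x400),
                                         (b".data", 0x2000, 0x600)])
    return dos + b"PE\0\0" + coff + bytes(opt) + sects

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

Each section tuple pairs the file offset on disk with the address the section gets in memory, which is the mapping the load slides illustrate.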

EXE’s Header -Import/Exported function-

An EXE generally needs external functions

DLL

PE PE PE

How a PE file runs

First, the OS loads the PE file into memory

Second, it resolves the import information

Third, it goes to the entry point

???

PROFIT!

How a PE file runs -load-

On hard disk: Section 1, Section 2, Section 3

In memory: Section 1, Section 2, Section 3

How a PE file runs -Resolving-

A DLL also has its own base

What if two or more DLLs have the same base?

Rebase!

How a PE file runs -Resolving-

Before

EXE

Func1 Func2 Func3

After

EXE

Func1 Func2 Func3

How a PE file runs -Resolving-

The OS repairs it

EXE

Func1 Func2 Func3

How a PE file runs -Go to Entry-point-

In memory

Section 1

Section 2

Section 3

Go

How a PE file runs -Run-

In memory

Section 1

Section 2

Section 3

Go

How a PE file runs -When we use a debugger-

In memory

Section 1

Section 2

Section 3

Stop! Go

Thanks!