Pe file format

Author: c | 2025-04-23


Portable Executable (PE) is the file format that Windows executables (.exe) and dynamic link libraries (.dll) follow. It is derived from the Microsoft Common Object File Format (COFF). A .NET assembly is a PE file too: its layout consists of four parts, among them the PE/COFF headers and the CLR header. This article explains what I have learned about the PE file format and its structure.


A dive into the PE file format - PE file

Let's go over some of the boring stuff first. I'll try to keep this brief but informative.

The PE file format

So, what exactly is a PE file? PE stands for Portable Executable. Several types of files fall under the PE umbrella, but the two of primary concern here are .exe and .dll. The PE format is essentially a data structure that lays out, in a well-defined manner, all of the information Windows needs to run the code in the file [1]. In their excellent book Malware Analysis and Detection Engineering, Abhijit Mohanta and Anoop Saldanha describe the PE file format as defining "...various headers that define the structure of the file, its code, its data, and the various resources that it needs. It also contains various fields that inform how much of virtual memory it needs when it is spawned into a process and where in its process's memory to copy its various code, data, and resources" [2].

Essentially, the PE file format provides all the information Windows needs to run the executable code as a process. But how does this code become a running process? A PE file is loaded into memory as a process by a component of the Windows operating system called the Windows loader. The loader understands the information in the PE headers and uses it as a recipe for setting up and running the code in a process.

Structure of a PE file

The PE file format defines a number of headers and subheaders, each of which contains a number of fields. The tree below gives a high-level view of the PE file structure:

├── DOS Header
├── DOS Stub
├── NT Headers
│   ├── File Header
│   └── Optional Header
│       └── Data Directories
├── Section Headers
└── Sections

Let's briefly define each of the headers above.

DOS Header:

Later parts of the same series cover the remaining headers; Part 4 is "Data Directories, Section Headers and Sections".

Inspecting a PE file with ropper

The header fields above are what a tool such as ropper reads. ropper displays information about binary files in different file formats and searches for gadgets to build ROP chains for different architectures; its help text lists the PE-related switches (-i for the file header, --imagebase, -c for DllCharacteristics, -s for sections, --imports). The usage line is missing its start in the source.

usage: ...] [--search ] [--quality ] [--opcode ] [--instructions ] [--type ] [--detailed] [--all] [--cfg-only] [--chain ] [-b ] [--nocolor] [--clear-cache] [--no-load] [--analyse ] [--semantic constraint] [--count-of-findings ] [--single]

supported filetypes: ELF, PE, Mach-O, Raw
supported architectures: x86 [x86], x86_64 [x86_64], MIPS [MIPS, MIPS64], ARM/Thumb [ARM, ARMTHUMB], ARM64 [ARM64], PowerPC [PPC, PPC64], SPARC [SPARC64]
available rop chain generators:
  execve (execve[=], default /bin/sh) [Linux x86, x86_64]
  mprotect (mprotect=:) [Linux x86, x86_64]
  virtualprotect (virtualprotect=:) [Windows x86]

options:
  -h, --help                 show this help message and exit
  --help-examples            Print examples
  -v, --version              Print version
  --console                  Starts interactive commandline
  -f [ ...], --file [ ...]   The file to load
  -r, --raw                  Loads the file as raw file
  -a , --arch                The architecture of the loaded file
  --section                  The data of this section should be printed
  --string []                Looks for the string in all data sections
  --hex                      Prints the selected sections in a hex format
  --asm [ [H|S|R] ...]       A string to assemble and a format of the output (H=HEX, S=STRING, R=RAW, default: H)
  --disasm                   Opcode to disassemble (e.g. ffe4, 89c8c3, ...)
  --disassemble-address      Disassembles instruction at address (0x12345678:L3). The count of instructions to disassemble can be specified (0x....:L...)
  -i, --info                 Shows file header [ELF/PE/Mach-O]
  -e                         Shows EntryPoint
  --imagebase                Shows ImageBase [ELF/PE/Mach-O]
  -c, --dllcharacteristics   Shows DllCharacteristics [PE]
  -s, --sections             Shows file sections [ELF/PE/Mach-O]
  -S, --segments             Shows file segments [ELF/Mach-O]
  --imports                  Shows imports [ELF/PE]
  --symbols                  Shows symbols [ELF]
  --set                      Sets options. Available options: aslr nx
  --unset                    Unsets options. Available options: aslr nx
  -I                         Use this imagebase for gadgets
  -p, --ppr                  Searches for 'pop reg; pop reg; ret' instructions [only x86/x86_64]
  -j , --jmp                 Searches for 'jmp reg' instructions (-j reg[,reg...]) [only x86/x86_64]
  --stack-pivot              Prints all stack pivot gadgets
  --inst-count               Specifies the max count of instructions in a gadget (default: 6)
  --search                   Searches for gadgets
  --quality                  The quality for gadgets which are found by search (1 = best)
  --opcode                   Searches for opcodes (e.g. ffe4 or ffe? or ff??)
  --instructions             Searches for instructions (e.g. "jmp esp", "pop eax; ret")
  --type                     Sets the type of gadgets [rop, jop, sys, all] (default: all)
  --detailed                 Prints gadgets more detailed
  --all                      Does not remove duplicate gadgets
  --cfg-only                 Filters out gadgets which fail the Microsoft CFG check. Only for PE files which are compiled with CFG check enabled (check DllCharacteristics) [PE]
  --chain                    Generates a ropchain [generator parameter=value[ parameter=value]]
  -b , --badbytes            Set bytes which should not be contained in gadgets
  --nocolor
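The header walk described above, as an added example that is not part of the original post or of ropper: a small pure-Python parser that follows e_lfanew from the DOS Header to the NT Headers, reads the File Header and the Optional Header (both PE32 and PE32+), the Data Directories and the Section Headers, and decodes the DllCharacteristics bits that ropper's -c and --cfg-only switches key on. It bounds-checks every header pointer before following it, because this loader-style walk is exactly where a hostile e_lfanew, SizeOfOptionalHeader or PointerToRawData sends a naive parser out of the buffer, and it includes the RVA-to-file-offset mapping that answers the "where in its process's memory" question. The PE32+ image it parses is constructed in memory for the example; the structure offsets, the 96-section loader limit and the flag values are from the PE/COFF specification, and the function and key names are my own.

```python
"""Walk a PE image the way the Windows loader does: DOS Header -> e_lfanew ->
NT Headers (File Header, Optional Header, Data Directories) -> Section Headers.
Standard library only; the sample image below is constructed in memory."""
import struct
from typing import Any, Dict

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MAX_SECTIONS = 96  # the Windows loader rejects images with more sections than this
DLL_CHARACTERISTICS = {          # the bits ropper -c reports and --cfg-only depends on
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",      # relocatable, so ASLR applies
    0x0100: "NX_COMPAT",         # DEP-compatible
    0x4000: "GUARD_CF",          # Control Flow Guard instrumented
}


class PEFormatError(ValueError):
    """Raised when a header field would send the parser outside the file."""


def parse_pe(data: bytes) -> Dict[str, Any]:
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Check the pointer before following it: a hostile e_lfanew must not read past the buffer.
    if e_lfanew + 24 > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsec, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    if nsec > MAX_SECTIONS:
        raise PEFormatError(f"NumberOfSections {nsec} exceeds the loader limit")
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    if opt_size < 2 or opt + opt_size > len(data):
        raise PEFormatError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        base_fmt, base_off, ndirs_off = "<I", 28, 92
    elif magic == PE32PLUS_MAGIC:
        base_fmt, base_off, ndirs_off = "<Q", 24, 108
    else:
        raise PEFormatError(f"unknown optional header magic {magic:#x}")
    if opt_size < ndirs_off + 4:
        raise PEFormatError("SizeOfOptionalHeader too small for this magic")
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    # These fields sit at the same offset in PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    # Read only as many directories as SizeOfOptionalHeader covers, capped at the 16 defined ones.
    ndirs = min(ndirs, 16, (opt_size - ndirs_off - 4) // 8)
    directories = [struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    table = opt + opt_size  # the section table follows SizeOfOptionalHeader bytes, whatever the magic says
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise PEFormatError("section table truncated")
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        if raw_ptr + raw_size > len(data):
            raise PEFormatError(f"section {name!r} raw data runs past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_offset": raw_ptr, "raw_size": raw_size, "characteristics": flags})
    return {
        "machine": machine, "characteristics": characteristics, "pe32plus": magic == PE32PLUS_MAGIC,
        "entry_point": entry, "image_base": image_base, "section_alignment": sec_align,
        "file_alignment": file_align, "size_of_image": size_of_image, "size_of_headers": size_of_headers,
        "subsystem": subsystem,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "data_directories": directories, "sections": sections,
    }


def rva_to_offset(pe: Dict[str, Any], rva: int) -> int:
    """Map an RVA (the in-memory view) to a file offset (the on-disk view) via the section table."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_offset"]
    raise PEFormatError(f"RVA {rva:#x} is not backed by any section")


def build_sample_pe() -> bytes:
    """Constructed PE32+ image with one .text section (sample input, not a real binary)."""
    opt_size = 112 + 16 * 8
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40, no DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)  # AMD64; EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 3, 0x4160)                     # CONSOLE; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|GUARD_CF
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + text_hdr).ljust(0x200, b"\0")
    return headers + (b"\xC3" * 0x10).ljust(0x200, b"\0")          # .text raw data: sixteen 'ret' bytes


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    print(f"ImageBase {pe['image_base']:#x}  entry RVA {pe['entry_point']:#x}  "
          f"DllCharacteristics {pe['dll_characteristics']}")
    for s in pe["sections"]:
        print(f"{s['name']:8} RVA {s['virtual_address']:#07x} file {s['raw_offset']:#05x} "
              f"flags {s['characteristics']:#010x}")
    print("first byte at the entry point:", hex(image[rva_to_offset(pe, pe['entry_point'])]))
```

The section table is located through SizeOfOptionalHeader rather than the magic, because that is what the loader does; the two disagreeing is itself a signal worth flagging when triaging a sample. The parser stops at the section headers, so import tables and other directories would need a further walk through rva_to_offset.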
