Arcanum Analysis - The PE Header [Part 3]

Old and abandoned stuff goes here...
Locked
Bia
Ailing Wolf
Ailing Wolf
Posts: 19
Joined: Fri Feb 11, 2011 6:55 pm
Location: Void

Arcanum Analysis - The PE Header [Part 3]

Post by Bia » Mon Nov 28, 2011 1:29 am

Welcome to third part of arcanum analysis in this part we will talk about PE header in broad sense. The PE header is quite interesting stuff and contains quite valuable information for us.


The PE header is the general term for a structure named IMAGE_NT_HEADERS. This structure contains essential info used by the loader. IMAGE_NT_HEADERS has 3 members which are defined in windows.inc

Code: Select all

WINDOWS.INC

IMAGE_NT_HEADERS STRUCT
   Signature                DWORD
   FileHeader               IMAGE_FILE_HEADER
   OptionalHeader           IMAGE_OPTIONAL_HEADER32
IMAGE_NT_HEADERS END
Signature is a DWORD containing the value 50h, 45h, 00h, 00h ("PE" followed by two terminating zeroes). The signature doesn't play much role for us, except it can be abused to prevent program from running, which is sometimes handy.
All possible signatures are properly defined in winNT.h so Windows NT kernel can recognize and execute the program.

Code: Select all

WINNT.H

#define IMAGE_DOS_SIGNATURE             0x5A4D      // MZ
#define IMAGE_OS2_SIGNATURE             0x454E      // NE
#define IMAGE_OS2_SIGNATURE_LE          0x454C      // LE
#define IMAGE_NT_SIGNATURE              0x00004550  // PE00  ;(bytes in reverse order 50 45 00 00)

//Extra note:
To be precise in some older reference for WINNT.H/DOS-kernel you can see IMAGE_VXD_SIGNATURE equ 454Ch //DOS device driver not compatible with Windows NT and also
#define IMAGE_EDOS_SIGNATURE    0x44454550  // PEED - to be honest i don't know what the hell this is.
FileHeader is the next 20 bytes of the PE file and contains info about the physical layout & properties of the file e.g. number of sections.FileHeader is again precisely defined structure. So lets check it out.

Code: Select all

WINNT.H

typedef struct _IMAGE_FILE_HEADER {
    USHORT  Machine;
    USHORT  NumberOfSections;
    ULONG   TimeDateStamp;
    ULONG   PointerToSymbolTable;
    ULONG   NumberOfSymbols;
    USHORT  SizeOfOptionalHeader;
    USHORT  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

#define IMAGE_SIZEOF_FILE_HEADER             20

//Extra note: I hope you remember from part 2 that USHORT = WORD, ULONG = DWORD if not go check part 2 again.
Most of these members are not of use to us but we must modify NumberOfSections if we add or delete any sections(add or delete code/data) in the PE file. Characteristics contains flags which dictate for instance whether this PE file is an executable or a DLL. We can find NumberOfSections by counting 6 bytes from the start of the PE header. Why?

Simple Math:
We know that Signature is DWORD(4bytes) and that Machine is WORD(2bytes) 4+2=6 YAY :D

Well lets take closer look at FileHeader members.

Machine
The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the specified computer. This member can be one of the following values.

Code: Select all

IMAGE_FILE_MACHINE_I386     //x86
0x014c
IMAGE_FILE_MACHINE_IA64    //Intel Itanium
0x0200
IMAGE_FILE_MACHINE_AMD64   //x64
0x8664


NumberOfSections
The number of sections. This indicates the size of the section table, which immediately follows the headers. Note that the Windows loader limits the number of sections to 96.

TimeDateStamp
The low 32 bits of the time stamp of the image. This represents the date and time the image was created by the linker. The value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated Time, according to the system clock.

PointerToSymbolTable
The offset of the symbol table, in bytes, or zero if no COFF symbol table exists.

NumberOfSymbols
The number of symbols in the symbol table.

SizeOfOptionalHeader
The size of the optional header, in bytes. This value should be 0 for object files.

Characteristics
The characteristics of the image. This member can be one or more of the following values.

Code: Select all

IMAGE_FILE_RELOCS_STRIPPED  //Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error.
0x0001
IMAGE_FILE_EXECUTABLE_IMAGE  //The file is executable (there are no unresolved external references).
0x0002
IMAGE_FILE_LINE_NUMS_STRIPPED  //COFF line numbers were stripped from the file.
0x0004
IMAGE_FILE_LOCAL_SYMS_STRIPPED  //COFF symbol table entries were stripped from file.
0x0008
IMAGE_FILE_AGGRESIVE_WS_TRIM  //Aggressively trim the working set. This value is obsolete as of Windows 2000.
0x0010
IMAGE_FILE_LARGE_ADDRESS_AWARE  //The application can handle addresses larger than 2 GB.
0x0020
IMAGE_FILE_BYTES_REVERSED_LO  //The bytes of the word are reversed. This flag is obsolete.
0x0080
IMAGE_FILE_32BIT_MACHINE //The computer supports 32-bit words.
0x0100
IMAGE_FILE_DEBUG_STRIPPED //Debugging information was removed and stored separately in another file.
0x0200
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  //If the image is on removable media, copy it to and run it from the swap file.
0x0400
IMAGE_FILE_NET_RUN_FROM_SWAP  //If the image is on the network, copy it to and run it from the swap file.
0x0800
IMAGE_FILE_SYSTEM  //The image is a system file.
0x1000
IMAGE_FILE_DLL  //The image is a DLL file. While it is an executable file, it cannot be run directly.
0x2000
IMAGE_FILE_UP_SYSTEM_ONLY  //The file should be run only on a uniprocessor computer.
0x4000
IMAGE_FILE_BYTES_REVERSED_HI   //The bytes of the word are reversed. This flag is obsolete.
0x8000
You might wonder why the heck am i talking about COFF header but did you red part 1 carefully? COFF header and PE file header are alike... just compare COFF header vs PE file header

Code: Select all

COFF FILE HEADER
typedef struct {
  unsigned short f_magic;         /* magic number             */ Signature in pe file
  unsigned short f_nscns;         /* number of sections       */
  unsigned long  f_timdat;        /* time & date stamp        */
  unsigned long  f_symptr;        /* file pointer to symbol table   */
  unsigned long  f_nsyms;         /* number of symbol table entries */
  unsigned short f_opthdr;        /* size of optional header     */
  unsigned short f_flags;         /* flags                    */ Characteristics
} FILHDR;
And this also leads to common confusion that some older IT geeks tend to put Signature into IMAGE_FILE_HEADER, however that's incorrect when working with PE since Signature is member of IMAGE_NT_HEADERS.

OptionalHeader
is always present and forms the next 224 bytes. It contains info about the logical layout inside the PE file e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc or winnt.h

Code: Select all

WINNT.H

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD                 Magic;
  BYTE                 MajorLinkerVersion;
  BYTE                 MinorLinkerVersion;
  DWORD                SizeOfCode;
  DWORD                SizeOfInitializedData;
  DWORD                SizeOfUninitializedData;
  DWORD                AddressOfEntryPoint;
  DWORD                BaseOfCode;
  DWORD                BaseOfData;
  DWORD                ImageBase;
  DWORD                SectionAlignment;
  DWORD                FileAlignment;
  WORD                 MajorOperatingSystemVersion;
  WORD                 MinorOperatingSystemVersion;
  WORD                 MajorImageVersion;
  WORD                 MinorImageVersion;
  WORD                 MajorSubsystemVersion;
  WORD                 MinorSubsystemVersion;
  DWORD                Win32VersionValue;
  DWORD                SizeOfImage;
  DWORD                SizeOfHeaders;
  DWORD                CheckSum;
  WORD                 Subsystem;
  WORD                 DllCharacteristics;
  DWORD                SizeOfStackReserve;
  DWORD                SizeOfStackCommit;
  DWORD                SizeOfHeapReserve;
  DWORD                SizeOfHeapCommit;
  DWORD                LoaderFlags;
  DWORD                NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY    DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
Lets take a look at the members of optional header.Ill mark the important one in red.

Magic
The state of the image file.

MajorLinkerVersion
The major version number of the linker.

MinorLinkerVersion
The minor version number of the linker.

SizeOfCode
The size of the code section, in bytes, or the sum of all such sections if there are multiple code sections.

SizeOfInitializedData
The size of the initialized data section, in bytes, or the sum of all such sections if there are multiple initialized data sections.

SizeOfUninitializedData
The size of the uninitialized data section, in bytes, or the sum of all such sections if there are multiple uninitialized data sections.

AddressOfEntryPoint
A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.

This member is also RVA(Relative Virtual Adress) of the first instruction that will be executed when the PE loader is ready to run the PE file. If you want to divert the flow of execution right from the start, you need to change the value in this field to a new RVA and the instruction at the new RVA will be executed first. Executable packers usually redirect this value to their decompression stub, after which execution jumps back to the original entry point of the app - the OEP. Of further note is the Starforce protection in which the CODE section is not present in the file on disk but is written into virtual memory on execution. The value in this field is therefore a VA(Virtual Adress), ill disscuss the diference of RVA X VA in the first appendix of this guide.

BaseOfCode
A pointer to the beginning of the code section, relative to the image base.

BaseOfData
A pointer to the beginning of the data section, relative to the image base.

ImageBase
The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.The word "preferred" means that the PE loader may not load the file at that address if some other module already occupied that address range. In 98% of cases it is 400000h.

SectionAlignment
The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the FileAlignment member. The default value is the page size for the system. For example, if the value in this field is 4096 (1000h), each section must start at multiples of 4096 bytes. If the first section is at 401000h and its size is 10 bytes, the next section must be at 402000h even if the address space between 401000h and 402000h will be mostly unused.

FileAlignment
The alignment of the raw data of sections in the image file, in bytes. The value should be a power of 2 between 512 and 64K (inclusive). The default is 512. If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment. For example, if the value in this field is 512 (200h), each section must start at multiples of 512 bytes. If the first section is at file offset 200h and the size is 10 bytes, the next section must be located at file offset 400h: the space between file offsets 522 and 1024 is unused/undefined.

MajorOperatingSystemVersiom
The major version number of the required operating system.

MinorOperatingSystemVersion
The minor version number of the required operating system.

MajorImageVersion
The major version number of the image.

MinorImageVersion
The minor version number of the image.

MajorSubsystemVersion
The major version number of the subsystem.

MinorSubsystemVersion
The minor version number of the subsystem.

Win32VersionValue
This member is reserved and must be 0.

SizeOfImage
The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.It's the sum of all headers and sections aligned to SectionAlignment. It's the sum of all headers and sections aligned to SectionAlignment.

SizeOfHeaders
The combined size of the MS-DOS stub, the PE header, and the section headers, rounded to a multiple of the value specified in the FileAlignment member. In short, this value is equal to the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.

CheckSum
The image file checksum. The following files are validated at load time: all drivers, any DLL loaded at boot time, and any DLL loaded into a critical system process.

Subsystem
The subsystem required to run this image.

DllCharacteristics
The DLL characteristics of the image.

SizeOfStackReserve
The number of bytes to reserve for the stack. Only the memory specified by the SizeOfStackCommit member is committed at load time; the rest is made available one page at a time until this reserve size is reached.

SizeOfStackCommit
The number of bytes to commit for the stack.

SizeOfHeapReserve
The number of bytes to reserve for the local heap. Only the memory specified by the SizeOfHeapCommit member is committed at load time; the rest is made available one page at a time until this reserve size is reached.

SizeOfHeapCommit
The number of bytes to commit for the local heap.

LoaderFlags
This member is obsolete.

NumberOfRvaAndSizes
The number of directory entries in the remainder of the optional header. Each entry describes a location and size.

DataDirectory
An array of 16(in most cases) IMAGE_DATA_DIRECTORY structures, each relating to an important data structure in the PE file such as the import address table. This important structure will be discussed in the next part.


Well guys ill be reformating/debugging the guide at weekend so this is a pre-alpha version 8-).
Ill also try to give u guys a bit more power by learning you how to make basic tools for arcanum in VB or C# i dunno wich one is easier to understand. However the sad fact is that exams are gettin closer and closer and ill have to spend my whole december gettin trough 4000-6000 pages. But once i am done with formal stuffs so my "real-life" can go on, we will roam in virtual world :D BTW crypton please read your pms and reply once in a while i would appreciate that.

Locked