I am analyzing PE structure.
Some article on MSDN (http://msdn.microsoft.com/en-us/magazine/bb985997.aspx) says
"IMAGE_DIRECTORY_ENTRY_IMPORT" points to the imports (an array of IMAGE_IMPORT_DESCRIPTOR structures).
I checked the actual value with the 010 Editor PE template.
However, the value seemed to be encoded somehow and I don't know how to interpret it.
The pictures below clearly explain this problem.
Some advice would be appreciated...!
I looked through the template, and it would appear that the "FOA" comments are generated by passing an RVA to the "RVA2FOA" function, which looks like it's converting the RVA to a file offset.
That makes sense, the file offset is something you often want to know (especially in a HEX editor, where you have to navigate by file offset), and FOA looks like it can be short for File Offset Something-or-other.
I need help to understand these concepts.
I understand that the RVA is an offset from the base address. But it's relative to what in a file? I understood it was from where the image will be loaded in memory, but in the executable file itself, an RVA is relative to what? The beginning of the file, so the file ID at the start?
Thanks for reading :)
Yes, usually from the start of the file. There are probably a couple of exceptions when you get deeper into specific parts of a file. You will generally find them when reading the documentation:
MESSAGE_RESOURCE_BLOCK.OffsetToEntries:
The offset, in bytes, from the beginning of the MESSAGE_RESOURCE_DATA structure to the MESSAGE_RESOURCE_ENTRY structures in this MESSAGE_RESOURCE_BLOCK. The MESSAGE_RESOURCE_ENTRY structures contain the message strings.
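The two answers above (the "FOA" comments produced by the 010 Editor template's RVA2FOA function, and the question of what an RVA is relative to inside the file) both come down to the same translation: walk the section headers, find the section whose VirtualAddress range covers the RVA, and add the delta to that section's PointerToRawData. The following is an added example, not the 010 Editor template's code or anything from the MSDN article; the section table it parses is constructed inline, and the field names follow IMAGE_SECTION_HEADER. It also handles the two cases a hex editor user trips over: RVAs below the first section (the headers, which map 1:1) and RVAs in the zero-filled tail of a section that exists in memory but not on disk.

```python
import struct
from typing import List, NamedTuple, Optional

# IMAGE_SECTION_HEADER is 40 bytes: 8-byte Name, six DWORDs, two WORDs, one DWORD.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40


class Section(NamedTuple):
    name: str
    virtual_size: int     # VirtualSize: bytes the section occupies once mapped
    virtual_address: int  # VirtualAddress: RVA of the section start
    raw_size: int         # SizeOfRawData: bytes actually stored in the file
    raw_ptr: int          # PointerToRawData: file offset of those bytes


def parse_section_headers(data: bytes, table_offset: int, count: int) -> List[Section]:
    """Decode `count` IMAGE_SECTION_HEADER entries starting at `table_offset`."""
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table_offset + i * SECTION_HEADER_SIZE)
        name, vsize, va, rsize, rptr = fields[:5]  # relocation/line-number/flag fields are not needed here
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr))
    return sections


def rva_to_foa(rva: int, sections: List[Section]) -> Optional[int]:
    """Translate an RVA to a file offset, or return None when nothing on disk backs it."""
    if sections and rva < min(s.virtual_address for s in sections):
        return rva  # the PE headers are not moved when the image is mapped, so RVA == offset
    for s in sections:
        mapped = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + mapped:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None  # zero-filled tail that exists in memory only (uninitialised data)
            return s.raw_ptr + delta
    return None  # not covered by any section header


def _make_header(name: bytes, vsize: int, va: int, rsize: int, rptr: int) -> bytes:
    # Relocation, line-number and Characteristics fields are left zero; they play no part in the translation.
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va, rsize, rptr, 0, 0, 0, 0, 0)


# Constructed two-section table for the demo (not taken from a real binary).
# .rdata has VirtualSize 0xA00 but only 0x800 bytes on disk, so its last 0x200 bytes have no file offset.
SAMPLE_TABLE = (_make_header(b".text", 0x1234, 0x1000, 0x1400, 0x400)
                + _make_header(b".rdata", 0xA00, 0x3000, 0x800, 0x1800))
SECTIONS = parse_section_headers(SAMPLE_TABLE, 0, 2)

if __name__ == "__main__":
    for rva in (0x200, 0x1010, 0x3100, 0x3900, 0x5000):
        foa = rva_to_foa(rva, SECTIONS)
        print(f"RVA 0x{rva:04X} -> " + (f"FOA 0x{foa:04X}" if foa is not None else "not present in file"))
```

On a real file you would read NumberOfSections and SizeOfOptionalHeader from the NT headers to locate the section table, then feed the import directory RVA from IMAGE_DIRECTORY_ENTRY_IMPORT to `rva_to_foa` to get the hex-editor offset of the IMAGE_IMPORT_DESCRIPTOR array.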
For my project I'm experimenting with disguising the content of a file and thought a good way to do this would be to change the document signature (magic numbers). I think in order to do this I need to change the starting x bytes of the hex but am not sure if this is possible? I've tried looking at the file I want to change in various hex viewers such as autopsy but it strips back all the metadata and only shows the content of that file and the corresponding hex. My question is it possible to change the signature and if so what is the best way to go about it? Any program recommendations?
I've got two PE files having the same sections named ".data". These names contain different bytes when we see them in a hex dump. These sections have 00 bytes in their contents. What can this file type be?
https://www.curlybrace.com/archive/PE%20File%20Structure.pdf
You can get all the details about section names here [PE file Structure]
And then decide yourself if the file is malicious or not.
Happy Overflowing :D
Normal compilers shouldn't produce two sections with identical names, so the likely explanation is that the binary was modified post-compilation. Such obvious modifications are typical (but not conclusive) of malware. Without further information, it's not possible to say much else.
I need to read the ".pdata" section of a x64 PE file.
I've seen that the structures in the ".pdata" section differ from one platform to another:
http://msdn.microsoft.com/en-us/library/aa448751.aspx
It also says the same thing in the PE specifications document.
But I don't understand what it is for regular Windows (XP/Vista/Win7 etc.).
Does anybody know what it is?
The .pdata section is an array of RUNTIME_FUNCTION. It gives you a code range (first two members) and an RVA to the corresponding UNWIND_INFO.
From there you get info like exception handler RVA, size of prolog, etc.
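To make the answer concrete, here is an added example (not from the PE specification text or any library) that decodes the x64 layout the answer describes: each RUNTIME_FUNCTION is three DWORDs (BeginAddress, EndAddress, UnwindInfoAddress), and the UNWIND_INFO it points to carries version/flags, SizeOfProlog, the UNWIND_CODE array (padded to an even count) and, depending on the flags, an exception handler RVA or a chained parent entry. The bytes below are a constructed, already-mapped image indexed by RVA, so the section offsets and handler RVA are made up for the demo; on a file on disk you would first translate the RVAs to file offsets.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

UNW_FLAG_EHANDLER = 0x1   # ExceptionHandler RVA follows the unwind codes
UNW_FLAG_UHANDLER = 0x2   # same slot, handler is called for unwinding (termination)
UNW_FLAG_CHAININFO = 0x4  # a parent RUNTIME_FUNCTION follows instead of a handler

# UNWIND_OP codes (low nibble of the second UNWIND_CODE byte).
UNWIND_OP_NAMES = {0: "PUSH_NONVOL", 1: "ALLOC_LARGE", 2: "ALLOC_SMALL", 3: "SET_FPREG",
                   4: "SAVE_NONVOL", 5: "SAVE_NONVOL_FAR", 8: "SAVE_XMM128",
                   9: "SAVE_XMM128_FAR", 10: "PUSH_MACHFRAME"}


class UnwindInfo(NamedTuple):
    version: int
    flags: int
    prolog_size: int
    frame_register: int
    frame_offset: int
    codes: List[Tuple[int, str, int]]        # (offset in prolog, operation, OpInfo nibble)
    handler_rva: Optional[int]               # set when EHANDLER/UHANDLER is present
    chained: Optional[Tuple[int, int, int]]  # parent (begin, end, unwind_rva) when CHAININFO is set


class RuntimeFunction(NamedTuple):
    begin: int
    end: int
    unwind_rva: int
    unwind: UnwindInfo


def parse_unwind_info(image: bytes, rva: int) -> UnwindInfo:
    """Decode one UNWIND_INFO structure located at `rva` in a mapped image."""
    ver_flags, prolog, count, frame = struct.unpack_from("<BBBB", image, rva)
    codes = []
    for i in range(count):
        code_offset, op = struct.unpack_from("<BB", image, rva + 4 + 2 * i)
        codes.append((code_offset, UNWIND_OP_NAMES.get(op & 0xF, f"OP_{op & 0xF}"), op >> 4))
    # The code array is padded to an even number of 2-byte entries before the trailing field.
    tail = rva + 4 + 2 * ((count + 1) & ~1)
    flags = ver_flags >> 3
    handler = chained = None
    if flags & UNW_FLAG_CHAININFO:
        chained = struct.unpack_from("<III", image, tail)
    elif flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):
        handler = struct.unpack_from("<I", image, tail)[0]
    return UnwindInfo(ver_flags & 0x7, flags, prolog, frame & 0xF, frame >> 4, codes, handler, chained)


def parse_pdata(image: bytes, pdata_rva: int, pdata_size: int) -> List[RuntimeFunction]:
    """Walk the RUNTIME_FUNCTION array in .pdata, stopping at zero padding."""
    funcs = []
    for off in range(pdata_rva, pdata_rva + pdata_size, 12):
        begin, end, unwind_rva = struct.unpack_from("<III", image, off)
        if begin == 0 and end == 0:
            break
        funcs.append(RuntimeFunction(begin, end, unwind_rva, parse_unwind_info(image, unwind_rva)))
    return funcs


# Constructed sample image: two functions in .pdata at RVA 0x2000, their UNWIND_INFO at 0x3000/0x3010.
SAMPLE_IMAGE = bytearray(0x4000)
SAMPLE_IMAGE[0x2000:0x2018] = struct.pack("<IIIIII", 0x1000, 0x1050, 0x3000, 0x1050, 0x10A0, 0x3010)
# func 1: version 1 | EHANDLER, prolog 10 bytes, 2 codes: ALLOC_SMALL(OpInfo 3 = 32 bytes), PUSH_NONVOL(rbp)
SAMPLE_IMAGE[0x3000:0x300C] = bytes([0x09, 0x0A, 0x02, 0x00, 0x0A, 0x32, 0x05, 0x50]) + struct.pack("<I", 0x1200)
# func 2: version 1, no flags, prolog 4 bytes, 1 code: PUSH_NONVOL(rbx), plus one padding code
SAMPLE_IMAGE[0x3010:0x3018] = bytes([0x01, 0x04, 0x01, 0x00, 0x04, 0x30, 0x00, 0x00])

if __name__ == "__main__":
    for f in parse_pdata(SAMPLE_IMAGE, 0x2000, 0x18):
        print(f"0x{f.begin:X}-0x{f.end:X} prolog={f.unwind.prolog_size} "
              f"handler={f.unwind.handler_rva} codes={f.unwind.codes}")
```

The size of the array comes from the exception directory entry (IMAGE_DIRECTORY_ENTRY_EXCEPTION) or the .pdata section header; linkers may pad the section with zero entries, which is why the loop stops at an all-zero pair.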
I have been looking for a way of modifying static strings stored in Windows .exe files in the .rdata section, however I haven't found a real way to do so yet.
The whole thing is too complicated to do by hand (in this case by a HEX editor) and so I wanted to know if you have a solution to do so.
What is complicated about doing it in a hex editor? One 'gotcha' that might be tripping you up is that you have to maintain each string's original length. You can do so with spaces at the end or (sometimes) by null-terminating it early, depending on how it's accessed in the executable.
If you really want to get tricky, you can try finding every cross reference to said string in the code and modify the length parameter passed to functions that use it.
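The length gotcha from the answer above is easy to enforce mechanically. This added example (not from the question or answer) looks for the old string as a complete NUL-terminated C string rather than a substring, refuses a replacement that would not fit in the existing slot, and pads a shorter one so that nothing after it shifts. The .rdata-like blob it operates on is constructed for the demo.

```python
def find_cstring(data: bytes, needle: bytes) -> int:
    """Offset of `needle` as a whole NUL-terminated string (not a substring), or -1."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return -1
        end = idx + len(needle)
        terminated = end < len(data) and data[end] == 0
        # Require a NUL (or the buffer start) before it too, so "Hello" does not match inside "SayHello".
        at_boundary = idx == 0 or data[idx - 1] == 0
        if terminated and at_boundary:
            return idx
        start = idx + 1


def patch_cstring(data: bytes, old: bytes, new: bytes, pad: bytes = b"\0") -> bytes:
    """Replace `old` with `new` in place, keeping the slot exactly the same size."""
    idx = find_cstring(data, old)
    if idx < 0:
        raise ValueError("original string not found as a whole C string")
    if len(new) > len(old):
        raise ValueError(f"replacement is {len(new) - len(old)} bytes longer than the {len(old)}-byte slot")
    if pad == b"\0":
        # NUL padding terminates the new string early; readers using strlen() see the shorter text.
        slot = new + b"\0" * (len(old) - len(new))
    else:
        # Other padding (e.g. spaces) keeps the visible length identical, for code that stores the length.
        slot = new + pad[:1] * (len(old) - len(new))
    return data[:idx] + slot + data[idx + len(old):]


# Constructed .rdata-like content for the demo.
RDATA = b"\0Hello, world!\0Config v1.0\0SayHello\0"

if __name__ == "__main__":
    patched = patch_cstring(RDATA, b"Hello, world!", b"Hi there")
    print(patched, len(patched) == len(RDATA))
    print(patch_cstring(RDATA, b"Config v1.0", b"Config v2", pad=b" "))
```

Whether NUL or space padding is the right choice depends on how the executable consumes the string, which is the point the answer makes: a `printf`-style consumer stops at the first NUL, while code that passes an explicit length alongside the pointer will print the padding too.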