ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
                                             ³ Xine - issue #5 - Phile 106 ³
                                             ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ





	 A short re-view of the PE format
	---------------------------------


 
  Intro 
 -------

As the 1st documents I had was a bit old and out dated, the second text was 
too unreadable and unusable for the little assembler programmer like me. I 
decided to rebuild the last file in a text, who should be much easy in 
structure and usable for our little infectors. Hope you enjoy it!
Starzero-


  PE format
 -----------

 MZ header... etc etc, we begin at address pointed by [03Ch]

Offset 	Size	Description
------- ------- ---------------------------------------------------------
0	4	Magic Word, should be 'P','E',0,0
4	2	Machine type: 	014Ch - I386
				014Dh - I486
				014Eh - I586 or better
				0160h - R3000 (big endian)
				0162h - R3000 (little endian)
				0166h - R4000 (little endian)
				0168h - R10000 (little)
				0184h - Dec Alpha AXP
				01F0h - IBM Power PC
6	2	Number of section
8	4	Time/Date Stamp (seconds since 1 january 1970 0:0:0)
12	4	Pointer to symbol table
16	4	Number of symbol
20	2	Size of optional header
22	2	Flags: bit 0: 	Reloc Stripped
			   1: 	Executable
			   2: 	Line number info Stripped
			   3: 	Symbol Stripped
			   4: 	Agresive WS_TRIM
			   7:	little endianess
			   8:	Machine excepted 32 bit
			   9:	Debug stripped
			   10:	Loaded from removable disk
			   11:	Should not run from network
			   12:	Set if the file is a driver
			   13: 	Set if the file is a DLL
			   14:  Not designed for multiprocessor
			   15: 	Big endianess(estonishing no?)

Here begin the optional header...

24	2	Magic, 010bh
26	2	Major/Minor version of the linker
28	4	Size of code
32	4	Size of Initialized data
36	4	Size of Uninitialized data
40	4	Entrypoint RVA 
44	4	Code Offset
48	4	Data Offset
52	4	Image Base (the preffered load address)
56	4	Section Alignment (Usually 1000h)
60	4	File Alignment (Usually 200h)
64	2	Major Operating System Version
66	2	Minor Operating System Version
68	2	Major Image Version
70	2	Minor Image Version
72	2	Major Sub-system Version 
74	2	Minor Sub-system Version 
76	4	Win32 Version Value (Usually 0)
80	4	Image size
84	4	Header size
88	4	File CheckSum
92	2	Sub-system:	1 = Image Subsystem native
				2 = Image Subsystem Windows GUI
				3 = Image Subsystem Windows CUI
				4 = Image Subsystem OS2 CUI
				5 = Image POSIX CUI
94	2	DLL Flags: bit 0: DLL notified about process attachments
			   bit 1: DLL notified about thread detachments
			   bit 2: DLL notified about thread attachments
			   bit 3: DLL notified about thread detachment
96	4	Initial reserved stack size
100	4	Initial committed stack size
104	4	Initial reserved heap size
108	4	Initial committed heap size
112	4	Loader Flags (no description aivable)
116	4	Number of RVA and Size that follow this header
120	4	Export Table RVA
124	4	Export Table Size
128	4	Import Table RVA
132	4	Import Table Size
136	4	Ressource Table RVA
140	4	Ressource Table Size
144	4	Exception Table RVA - Structure unknown
148	4	Exception Table Size
152	4	Security Table RVA - Structure unknown
156	4	Security Table Size 
160	4	Relocation Table RVA
164	4	Relocation Table Size
168	4	Debug Table RVA (Compiler dependent)
172	4	Debug Table Size
184	4	Copyright string RVA
188	4	Copyright string size
192	4 	Global Machine Pointer RVA - Structure Unkown
196	4	Global Machine Pointer size
200	4	Image Directory Entry of Thread local Storage RVA
204	4	Image Directory Entry of Thread local Storage Size
208	4	Load configuration directory RVA
212	4	Load configuration directory Size
216	4	Bound import directory RVA
220	4	Bound import directory Size
224	4	Import Address Table directory RVA
228	4	Import Address Table directory Size

Section header

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	8	String - Name of the section 
8	4	Section Virtual Size
12	4	Section RVA
16	4	Section Physical Size
20	4	Section Offset
24	4	Section Relocation Pointer
28	4	Pointer to Line numbers
32	4	Number of Relocations
36	4	Flags: bit 5 :	Section contains code
		       bit 6 :  Section contains initialized data
		       bit 7 :	Section contains unitialized data
		       bit 9 : 	Section contain link info(libraries etc...)
		       bit 11:  Section is supposed to left out when compiled
		       bit 12:  Section contains "common block data"
		       bit 15:	Section is far data ?
		       bit 17:	Section data is purgeable
		       bit 18:  Section memory locked (not movable)
		       bit 19:  Section memory preloaded
		       bit 20 21 22 23:  Alignment - Unknown
		       bit 24:	Section contains extended relocations
		       bit 25:	Section is discardable (not loaded)
		       bit 26:  Section is not cachable
		       bit 27:  Section is not paged
		       bit 28:  Section memory is shared
		       bit 29:	Section memory is executable
		       bit 30:  Section memory is readable
		       bit 31:  Section memory is writable
			
Export structure

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	4	Flags (normally 0)
4	4	Time Stamp
8	2	Major Version
10	2	Minor Version
12	4	RVA to DLL name
16	4	Ordinal base
20	4	Number of exported function
24	4	Number of exported names
28	4	RVA of exported function address
			if the address = 0, function unused
			if the address point to export section, it's forwarded
32	4	RVA of exported function names
36	2	RVA of Name Ordinals, wich is 16 bit

Import structure

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	4	Imported function table RVA

this table is composed of RVA of:

Ordinal (2 bytes) + String (terminated by zero)	
note, ordinal are usually zero

4	4	Time Date Stamp (Usually 0)
8	4	Forwarder chain address 
12	4	32 bit RVA to name of the DLL
16 	4	Lookup Table RVA (RVA of the received address table)

Ressource structure

A ressource directory in fact a tree, it begin with a short header

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	4	Flags (unused)
4	4	Time/Data stamp
8	2	Major version
10	2	Minor version
12	2	Number of Named Entries
14	2	Number of ID Entries

it's directly followed by the root directory, wich have the Number of 
ID_Entries

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	4	ID of the ressource directory it describes, in root, you 
		have defined number of ressource type:
			1: cursor
			2: bitmap
			3: icon
			4: menu
			5: dialog
			6: string table
			7: font directory
			8: font
			9: accelerators
			10: unformatted ressource data
			11: message table
			12: group cursor
			14: group icon
			16: version information

 		if you are not in the root directory, and the 31 bit is set
		the lower 31 bits point to the name of the ressource from
		the beginning of ressource section

4	4	32 bit offset to the data or offset to next subdirectory

		if the 31 bit is set, you have a directory, and this directory
		the lower 31 bit is an offset from the beginning of ressource
		section

it's not very clear, but I think there's everything, hope you enjoy it :)

Relocation structure

The relocation section is a suite of fix up sequences

Offset 	Size	Description
------- ------- ---------------------------------------------------------

0	4	RVA Base for these relocation
4	4	Size of block (including this header I think)

followed by entries

0	4 bits	Flags:	0 = no operation 
			1 = apply the high 16 bit of the relocation
			2 = apply the low 16 bit of the relocation
			3 = apply the 32 bit of the relocation
			4 = highadjust (?)
			5 = MIPS_JMPADDR (unknown)
			6 = SECTION (unknown)
			7 = REL32 (unknown)

4 bits	12 bits	Offset from RVA base to apply the relocation


it's all...
Ah yes, don't forget the source of these data:

Portable Executable Format by Michael J. O'Leary, good but a bit old
The PE file format by Bernd Luevelsmeyer, complete but unreadable :\