.data. The .data section contains the program’s global data, which is accessible from anywhere in the program. Local data is not stored in this section, or anywhere else in the PE file. (We address this topic in .)

.rsrc. The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. Strings can be stored either in the .rsrc section or in the main program, but they are often stored in the .rsrc section for multilanguage support.
Section names are often consistent within a compiler, but can vary across different compilers. For example, Visual Studio uses .text for executable code, but Borland Delphi uses CODE. Windows doesn’t care about the actual name, since the loader uses other information in the PE header (the section’s characteristics flags) to determine how a section is used. Furthermore, the section names are sometimes obfuscated to make analysis more difficult. Luckily, the default names are used most of the time. lists the most common section names you’ll encounter.
In the figure, the left pane at ❶ displays the main parts of a PE header. The IMAGE_FILE_HEADER entry is highlighted because it is currently selected.

The first two parts of the PE header, the IMAGE_DOS_HEADER and the MS-DOS Stub Program, are historical and offer no information of particular interest to us.

The next section of the PE header, IMAGE_NT_HEADERS, shows the NT headers. The signature is always the same and can be ignored.

The IMAGE_FILE_HEADER entry, highlighted and displayed in the right panel at ❷, contains basic information about the file. The Time Date Stamp .

The section headers are used to describe each section of a PE file. The compiler generally creates and names the sections of an executable, and the user has little control over these names. As a result, the sections are usually consistent from executable to executable (see ), and any deviations may be suspicious.
For example, in , Virtual Size at ❶ tells us how much space is allocated for a section during the loading process. The Size of Raw Data at ❷ shows how big the section is on disk. These two values should usually be equal, because data should take up just as much space on the disk as it does in memory. Small differences are normal, and are due to differences between alignment in memory and on disk.
The section sizes can be useful in detecting packed executables. For example, if the Virtual Size is much larger than the Size of Raw Data, you know that the section takes up more space in memory than it does on disk. This is often indicative of packed code, particularly if the .text section is larger in memory than on disk.
The .text, .rdata, and .rsrc sections each have Virtual Size and Size of Raw Data values of about the same size. The .data section may seem suspicious because it has a much larger virtual size than raw data size, but this is normal for the .data section in Windows programs (uninitialized global data needs memory but no bytes on disk). Note that this information alone does not tell us that the program is not malicious; it simply shows that it is likely not packed and that the PE file header was generated by a compiler.

The sections named Dijfpds, .sdfuok, and Kijijl are unusual, and the .text, .data, and .rdata sections are suspicious. The .text section has a Size of Raw Data value of 0, meaning that it takes up no space on disk, and its Virtual Size value is A000 (hexadecimal), which means that space will be allocated for the .text segment at load time. This tells us that a packer will unpack the executable code into the allocated .text section.

.rsrc section. When you click through the items in Resource Hacker, you’ll see the strings, icons, and menus. The menus displayed are identical to what the program uses. shows the Resource Hacker display for the Windows Calculator program, calc.exe.

PE Explorer () has a rich GUI that allows you to navigate through the various parts of the PE file. You can edit certain parts of the PE file, and its included resource editor is great for browsing and editing the file’s resources. The tool’s main drawback is that it is not free.
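The section-size and section-name checks described above can be applied without a GUI tool. The following is an added example written for this page, not code from the book or from any of the tools it names: it walks IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and the section table with fixed struct offsets, pulls out the Time Date Stamp, Subsystem and section fields from Table 1-7, and flags the same things an analyst looks for in PEview (unusual names, a section with 0 bytes on disk but memory allocated, Virtual Size far above Size of Raw Data, with .data exempted). The two embedded images are constructed headers-only PE32 files whose section names mirror the normal and packed cases in the text; their sizes are invented for the example, and the function names (`parse_pe`, `assess_sections`, `build_sample`) are this example's own. Pass a real file path as the first argument to run it against an actual executable.

```python
import datetime
import struct

# Section names that common compilers emit (Visual Studio, Borland Delphi).
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", "CODE", "DATA", "BSS",
}
SUBSYSTEMS = {2: "GUI", 3: "console"}   # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI


def parse_pe(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table using fixed
    struct offsets and return the header fields the text discusses."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    # SectionAlignment, FileAlignment and Subsystem sit at the same offsets in PE32 and PE32+.
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):                              # section table follows the optional header
        off = opt + opt_size + 40 * i                   # one IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "timestamp": datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc),
            "subsystem": SUBSYSTEMS.get(subsystem, "other (%d)" % subsystem),
            "section_alignment": sect_align, "file_alignment": file_align,
            "sections": sections}


def assess_sections(pe):
    """Packer heuristics from the text: odd section names, sections with no bytes
    on disk but memory allocated, and Virtual Size exceeding Size of Raw Data by
    more than alignment slack (.data is exempt, where a large gap is normal)."""
    findings = []
    for s in pe["sections"]:
        name, slack = s["name"], s["virtual_size"] - s["raw_size"]
        if name not in COMMON_SECTION_NAMES:
            findings.append((name, "unusual section name"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((name, "0 bytes on disk but 0x%X allocated in memory: likely unpack target"
                             % s["virtual_size"]))
        elif name != ".data" and slack >= pe["section_alignment"]:
            findings.append((name, "virtual size exceeds raw size by 0x%X" % slack))
    return findings


def build_sample(sections, timestamp=0x4C3F1A2B, subsystem=2):
    """Constructed, headers-only PE32 image for offline testing (not a real binary).
    sections: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: NT headers right after the DOS header
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, subsystem)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


# Two constructed section tables mirroring the two cases in the text (sizes are invented).
NORMAL_IMAGE = build_sample([
    (".text",  0x1F8C, 0x1000, 0x2000, 0x400,  0x60000020),
    (".rdata", 0x0B08, 0x3000, 0x0C00, 0x2400, 0x40000040),
    (".data",  0x23C0, 0x4000, 0x0600, 0x3000, 0xC0000040),   # large virtual size is normal here
    (".rsrc",  0x0400, 0x7000, 0x0400, 0x3600, 0x40000040),
])
PACKED_IMAGE = build_sample([
    ("Dijfpds", 0x1000, 0x1000,  0x200, 0x400, 0xE0000060),
    (".text",   0xA000, 0x2000,  0x000, 0x000, 0x60000020),   # nothing on disk, 0xA000 in memory
    (".sdfuok", 0x0800, 0xC000,  0x200, 0x600, 0x40000040),
    (".data",   0x3000, 0xD000,  0x200, 0x800, 0xC0000040),
    ("Kijijl",  0x0200, 0x10000, 0x200, 0xA00, 0x40000040),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_IMAGE
    pe = parse_pe(data)
    print("compiled:", pe["timestamp"], "subsystem:", pe["subsystem"])
    for s in pe["sections"]:
        print("%-8s vsize=0x%06X raw=0x%06X" % (s["name"], s["virtual_size"], s["raw_size"]))
    for name, why in assess_sections(pe):
        print("suspicious:", name, "-", why)
```

The size check deliberately compares the gap against SectionAlignment rather than demanding equality, because a compiler rounds Size of Raw Data up to FileAlignment and Virtual Size to the real length, so small differences are expected. On the packed image the parser reports the three invented names and the .text section with 0 bytes on disk; on the normal image it reports nothing, which, as the text says, only means the file is probably not packed, not that it is benign.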
Table 1-7. Information in the PE Header
Field | Information revealed |
---|---|
Imports | Functions from other libraries that are used by the malware |
Exports | Functions in the malware that are meant to be called by other programs or libraries |
Time Date Stamp | Time when the program was compiled |
Sections | Names of sections in the file and their sizes on disk and in memory |
Subsystem | Indicates whether the program is a command-line or GUI application |
Resources | Strings, icons, menus, and other information included in the file |