---
layout: default
permalink: /RE101/section1.2/
title: Fundamentals
---
Typical Windows programs are in the Portable Executable (PE) format. It is "portable" because the file carries the information, resources, and references to dynamic-link libraries (DLLs) that allow Windows to load and execute the machine code.
In this workshop we will be focusing on user-mode applications.
In user mode, an application starts a user-mode process that comes with its own private virtual address space and handle table.
In kernel mode, applications share a single virtual address space.
This diagram shows the relationship of application components for user-mode and kernel-mode.
The PE header provides the operating system with the information it needs to map the file into memory. The executable's code and data are laid out in designated regions, each of which requires its own memory protection (RWX):
- Read
- Write
- Execute
This diagram shows how the header is broken up.
Here is a hex dump of the PE header we will be working with.
- Stack - region of memory that data is added to or removed from using a "last-in-first-out" (LIFO) procedure [2]
- Heap - region for dynamic memory allocation [3]
- Program Image - the PE executable code placed into memory
- DLLs - loaded DLL images that are referenced by the PE
- TEB - Thread Environment Block, stores information about the currently running thread(s) [4]
- PEB - Process Environment Block, stores information about loaded modules and processes [5]
This diagram illustrates how the PE is placed into memory.
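As an added example (not part of the original workshop material), the Python script below ties the header and the memory layout together. It constructs a minimal PE32 image in memory (a constructed sample, not a real binary, and it contains no real code), then parses the DOS header, NT headers and section table the way the loader does: it reports the ImageBase, the entry point, where each section lands in the process's virtual address space, the R/W/X protection each section asks for, and the stack and heap reserve sizes from the optional header. The structure offsets and flag values are those of the PE/COFF specification (winnt.h); the function names, the section specs and the `.wx` check are my own.

```python
import struct

# Section Characteristics flags from the PE/COFF specification (winnt.h).
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def protection(chars):
    """Render a section's Characteristics as an RWX string such as 'R-X'."""
    return (("R" if chars & IMAGE_SCN_MEM_READ else "-")
            + ("W" if chars & IMAGE_SCN_MEM_WRITE else "-")
            + ("X" if chars & IMAGE_SCN_MEM_EXECUTE else "-"))


def parse_pe(data):
    """Parse the DOS header, NT headers and section table from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)          # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                        # PE32 (32-bit)
        image_base, = struct.unpack_from("<I", data, opt + 28)
        stack_reserve, heap_reserve = struct.unpack_from("<I4xI", data, opt + 72)
    elif magic == 0x20B:                                      # PE32+ (64-bit)
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        stack_reserve, heap_reserve = struct.unpack_from("<Q8xQ", data, opt + 72)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    table = opt + opt_size                                    # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "file_offset": rawptr, "raw_size": rawsize,
            "rva": va, "virtual_size": vsize,
            "vaddr": image_base + va,                         # where the loader maps the section
            "protection": protection(chars),
        })
    return {"machine": machine, "magic": magic, "image_base": image_base,
            "entry_point": image_base + entry_rva, "size_of_image": size_of_image,
            "stack_reserve": stack_reserve, "heap_reserve": heap_reserve,
            "sections": sections}


def writable_and_executable(info):
    """Names of sections that are both writable and executable (a common triage flag)."""
    return [s["name"] for s in info["sections"]
            if s["protection"][1] == "W" and s["protection"][2] == "X"]


def build_sample_pe(section_specs, image_base=0x400000):
    """Construct a minimal PE32 image (constructed sample, no real code).

    section_specs: list of (name, rva, virtual_size, characteristics).
    Headers occupy 0x400 bytes; each section gets 0x200 bytes of zeroed raw data.
    """
    size_of_image = max(rva + ((vs + 0xFFF) & ~0xFFF) for _, rva, vs, _ in section_specs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 14, 0,                      # Magic (PE32), linker version
        0, 0, 0,                           # SizeOfCode / InitializedData / UninitializedData
        section_specs[0][1],               # AddressOfEntryPoint = first section's RVA
        0x1000, 0x2000,                    # BaseOfCode, BaseOfData
        image_base, 0x1000, 0x200,         # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                  # OS / image / subsystem versions
        0, size_of_image, 0x400, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0x8140,                         # Subsystem (console), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack reserve/commit, heap reserve/commit
        0, 16) + b"\0" * 128               # LoaderFlags, NumberOfRvaAndSizes, 16 empty data directories
    table, raw = b"", b""
    for i, (name, rva, vsize, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, rva, 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        raw += b"\0" * 0x200
    return (dos + b"PE\0\0" + file_hdr + opt + table).ljust(0x400, b"\0") + raw


SAMPLE_SECTIONS = [
    (".text",  0x1000, 0x600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".rdata", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data",  0x3000, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print("ImageBase 0x%x  entry 0x%x  SizeOfImage 0x%x  stack 0x%x  heap 0x%x" % (
        info["image_base"], info["entry_point"], info["size_of_image"],
        info["stack_reserve"], info["heap_reserve"]))
    for s in info["sections"]:
        print("%-8s file+0x%05x -> 0x%08x  %s" % (s["name"], s["file_offset"], s["vaddr"], s["protection"]))
    print("W+X sections:", writable_and_executable(info))
```

Running the script shows the mapping the workshop diagram describes: the file offsets of the sections are not the addresses they get in memory; the loader places each section at ImageBase plus its RVA and applies the protection recorded in its Characteristics. Pointing `parse_pe` at bytes read from a real file gives the same table for that binary.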
- Data is either pushed onto or popped off of the stack data structure
- EBP - the Base Pointer register, used to store the reference point for the current stack frame