PE
What is PE
PE stands for Portable Executable.
It is the file format Windows uses to organize executable code (EXE, DLL, SYS drivers...) into a file that the OS loader can map into memory and run.
Structure of a PE
A PE file can be thought of as a book: it contains the data itself plus metadata describing the file and where each piece of data lives, both on disk and once mapped in memory.
PE files are organized in headers and sections.
Headers: contain the metadata (DOS header, PE signature, file header, optional header, and the section table that records where every section sits on disk and at which RVA it is mapped).
Sections: contain the data itself (code, imports, data...).
Sections
.text: contains the executable code.
.rdata: read-only data (string literals; the import and export directories are typically placed here too).
.data: initialized global variables (read/write).
.pdata: exception-handling information (the runtime function table used for x64 stack unwinding).
.rsrc: contains different objects such as images, icons, dialogs, or even other PE files (DLL, executable) embedded as resources. This section gives a lot of possibilities for malware development, since a payload can be stored there and extracted at runtime.
.reloc: base relocations, which let the Windows loader patch the absolute addresses in a module when it is mapped at an address other than its preferred ImageBase (required for ASLR).
The most important ones are .text, .data and .rsrc.
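To make the headers-and-sections layout concrete, here is an added example (written for this page, not code from the original): a small bounds-checked PE header parser in portable C, with no windows.h so it also compiles on Linux, that walks DOS header -> PE signature -> file header -> optional header -> section table, plus a builder that constructs the headers of a minimal x64 DLL with .text/.data/.rsrc in memory. The sample bytes are constructed for the example and the names pe_parse, build_sample_pe and pe_count_wx_sections are mine. As a practical addition, it also counts sections that are both writable and executable, which no normal compiler emits and which packers often do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_MAX_SECTIONS 16
#define SAMPLE_LEN 0x800

typedef struct {
    char name[9];                         /* NUL-terminated copy of the 8-byte name */
    uint32_t virtual_addr, virtual_size;  /* RVA the loader maps it at, and its size there */
    uint32_t raw_offset, raw_size;        /* PointerToRawData / SizeOfRawData (on disk) */
    uint32_t characteristics;             /* IMAGE_SCN_* flags */
} pe_section;

typedef struct {
    uint16_t machine;                     /* 0x8664 = x64, 0x14c = x86 */
    int is_dll;                           /* IMAGE_FILE_DLL in FileHeader.Characteristics */
    uint32_t entry_rva;                   /* OptionalHeader.AddressOfEntryPoint */
    int nsections;
    pe_section sec[PE_MAX_SECTIONS];
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk the headers of a PE image held in memory. Returns 0 on success, a negative code if the
 * file is malformed or truncated. Every offset is bounds-checked before it is read, because
 * e_lfanew, SizeOfOptionalHeader and the section table are attacker-controlled input. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                       /* DOS header "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                                           /* e_lfanew */
    if ((uint64_t)nt + 26 > len || rd32(buf + nt) != 0x00004550) return -2;  /* "PE\0\0" */
    const uint8_t *fh = buf + nt + 4;                                         /* IMAGE_FILE_HEADER */
    out->machine = rd16(fh);
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    out->is_dll = (rd16(fh + 18) & 0x2000) != 0;
    const uint8_t *opt = fh + 20;                                             /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(opt);
    if ((magic != 0x10B && magic != 0x20B) || opt_size < 20) return -3;      /* PE32 / PE32+ */
    if ((uint64_t)nt + 24 + opt_size > len) return -3;
    out->entry_rva = rd32(opt + 16);
    const uint8_t *st = opt + opt_size;                                       /* section table */
    if (nsec > PE_MAX_SECTIONS || (uint64_t)(st - buf) + (uint64_t)nsec * 40 > len) return -4;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = st + i * 40;                                       /* IMAGE_SECTION_HEADER */
        pe_section *d = &out->sec[i];
        memcpy(d->name, s, 8);
        d->virtual_size = rd32(s + 8);  d->virtual_addr = rd32(s + 12);
        d->raw_size = rd32(s + 16);     d->raw_offset = rd32(s + 20);
        d->characteristics = rd32(s + 36);
        /* Raw data must lie inside the file; packed or hand-crafted samples often violate this. */
        if ((uint64_t)d->raw_offset + d->raw_size > len) return -5;
    }
    out->nsections = nsec;
    return 0;
}

/* Sections mapped writable AND executable (MEM_WRITE | MEM_EXECUTE): a strong packer-stub hint. */
int pe_count_wx_sections(const pe_info *pi)
{
    int n = 0;
    for (int i = 0; i < pi->nsections; i++)
        if ((pi->sec[i].characteristics & 0xA0000000u) == 0xA0000000u) n++;
    return n;
}

/* Constructed sample (not a real binary): headers of a minimal x64 DLL with .text/.data/.rsrc.
 * Only the fields the parser reads are filled in; section bodies stay zero. Returns the length. */
size_t build_sample_pe(uint8_t *b, size_t cap)
{
    const uint32_t nt = 0x80;
    if (cap < SAMPLE_LEN) return 0;
    memset(b, 0, SAMPLE_LEN);
    wr16(b, 0x5A4D); wr32(b + 0x3C, nt); wr32(b + nt, 0x00004550);
    uint8_t *fh = b + nt + 4;
    wr16(fh, 0x8664); wr16(fh + 2, 3);    /* IMAGE_FILE_MACHINE_AMD64, 3 sections */
    wr16(fh + 16, 0xF0);                  /* SizeOfOptionalHeader for PE32+ */
    wr16(fh + 18, 0x2022);                /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL */
    uint8_t *opt = fh + 20;
    wr16(opt, 0x20B); wr32(opt + 16, 0x1000);   /* PE32+ magic, entry point at start of .text */
    const struct { const char *name; uint32_t rva, raw, flags; } s[3] = {
        { ".text", 0x1000, 0x200, 0x60000020 },   /* CNT_CODE | MEM_EXECUTE | MEM_READ */
        { ".data", 0x2000, 0x400, 0xC0000040 },   /* CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE */
        { ".rsrc", 0x3000, 0x600, 0x40000040 },   /* CNT_INITIALIZED_DATA | MEM_READ */
    };
    for (int i = 0; i < 3; i++) {
        uint8_t *h = opt + 0xF0 + i * 40;         /* section table follows the optional header */
        memcpy(h, s[i].name, strlen(s[i].name));
        wr32(h + 8, 0x200); wr32(h + 12, s[i].rva);   /* VirtualSize, VirtualAddress */
        wr32(h + 16, 0x200); wr32(h + 20, s[i].raw);  /* SizeOfRawData, PointerToRawData */
        wr32(h + 36, s[i].flags);                     /* Characteristics */
    }
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    pe_info pi;
    if (pe_parse(img, build_sample_pe(img, sizeof img), &pi) != 0) return 1;
    printf("machine=0x%x dll=%d entry=0x%x sections=%d wx=%d\n", pi.machine, pi.is_dll,
           pi.entry_rva, pi.nsections, pe_count_wx_sections(&pi));
    for (int i = 0; i < pi.nsections; i++)
        printf("  %-8s rva=0x%x raw=0x%x+0x%x flags=0x%08x\n", pi.sec[i].name, pi.sec[i].virtual_addr,
               pi.sec[i].raw_offset, pi.sec[i].raw_size, pi.sec[i].characteristics);
    return 0;
}
```

Read a real file into a buffer and hand it to pe_parse to get the same view that dumpbin /headers prints; the negative return codes are the checks a loader or a scanner has to make before trusting any offset in the file.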
Exe
A separate program that can be loaded in memory as an independent process.
It needs a main function: once the OS loader has mapped the image and resolved its imports, it transfers control to the entry point, where the C runtime startup code ends up calling main.
Source code
int main(int argc, char* argv[]) {
...
}
DLL
PE modules that are loaded into an existing process and cannot live independently.
Their main purpose is to deliver some functionality the calling process needs.
The process already exists; when it needs the DLL (either through its import table or dynamically via LoadLibrary), the loader maps the DLL into the process's own address space, resolves the DLL's imports and then calls its entry point, DllMain. This entry code initializes the library and gives control back to the process, which can then call the DLL's exported functions.
When a payload is packaged as a DLL, it needs a DllMain and must export at least one function: rundll32, like any other host, needs a named export to call.
Source code
#include <windows.h>

// Entry point called by the loader; ul_reason_for_call says why.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:   // DLL mapped into the process (import table or LoadLibrary)
    case DLL_PROCESS_DETACH:   // DLL unloaded, or the process is exiting
    case DLL_THREAD_ATTACH:    // a new thread was created in the process
    case DLL_THREAD_DETACH:    // a thread exited cleanly
        break;
    }
    return TRUE;               // returning FALSE on DLL_PROCESS_ATTACH makes the load fail
}
DllMain can be called for several reasons:
- When the process loads the DLL (DLL_PROCESS_ATTACH), and when a new thread starts in the process (DLL_THREAD_ATTACH)
- When the process unloads the DLL or exits (DLL_PROCESS_DETACH), and when a thread exits (DLL_THREAD_DETACH)
The switch allows different behavior depending on the event that triggered the DllMain call.
Keep DllMain short: it runs while the loader lock is held, so calling LoadLibrary, waiting on other threads or doing heavy initialization there can deadlock the host process. Do the real work in an exported function instead.
To run a DLL from the command line, rundll32 loads it and calls one of its exports:
rundll32 ${file.dll},${exportedMethod}
The export must have the prototype rundll32 expects, void CALLBACK Func(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow); anything after the export name on the command line arrives in lpszCmdLine.
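As an added, end-to-end version of the DllMain skeleton above (example code written for this page, not taken from it): a DLL whose DllMain only records why it was called and does nothing else under the loader lock, plus an export with the prototype rundll32 requires. The export name Run, the file name demo.dll and the run_payload helper are assumptions; the helpers above the _WIN32 guard are plain C so the block also builds on Linux, while DllMain and the export only compile with the Windows headers.

```c
/* Build (x64 Native Tools prompt; user32.lib is needed for MessageBoxA):
 *   cl.exe /D_USRDLL /D_WINDLL demo_dll.c /MT /link /DLL /OUT:demo.dll user32.lib
 * Run:
 *   rundll32 demo.dll,Run some arguments
 */
#include <stdio.h>
#include <string.h>

/* fdwReason values the loader passes to DllMain (same numbers as winnt.h). */
#define REASON_PROCESS_DETACH 0
#define REASON_PROCESS_ATTACH 1
#define REASON_THREAD_ATTACH  2
#define REASON_THREAD_DETACH  3

/* Name of a DllMain reason code, usable from DllMain without touching the CRT heap. */
const char *reason_name(unsigned long reason)
{
    switch (reason) {
    case REASON_PROCESS_ATTACH: return "DLL_PROCESS_ATTACH";
    case REASON_PROCESS_DETACH: return "DLL_PROCESS_DETACH";
    case REASON_THREAD_ATTACH:  return "DLL_THREAD_ATTACH";
    case REASON_THREAD_DETACH:  return "DLL_THREAD_DETACH";
    default:                    return "UNKNOWN";
    }
}

/* The real work lives in the export, not in DllMain: DllMain runs under the loader lock, so
 * LoadLibrary, thread joins or long initialisation there can deadlock the host process.
 * Hypothetical payload: formats the rundll32 command line. Returns the length written. */
int run_payload(const char *cmdline, char *out, size_t cap)
{
    return snprintf(out, cap, "payload ran with args: %s",
                    (cmdline && *cmdline) ? cmdline : "(none)");
}

#ifdef _WIN32
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved)
{
    (void)lpReserved;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* Opt out of per-thread notifications: fewer DllMain calls, less time under the loader lock. */
        DisableThreadLibraryCalls(hModule);
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    OutputDebugStringA(reason_name(fdwReason));   /* visible in a debugger or DebugView */
    return TRUE;                                  /* FALSE on DLL_PROCESS_ATTACH fails the load */
}

/* rundll32 calls the export with exactly this prototype (assumed export name: Run). */
__declspec(dllexport) void CALLBACK Run(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    char msg[256];
    (void)hwnd; (void)hinst; (void)nCmdShow;
    run_payload(lpszCmdLine, msg, sizeof msg);
    MessageBoxA(NULL, msg, "demo.dll", MB_OK);
}
#endif
```

After building, dumpbin /exports demo.dll should list Run; if it does not (for instance because the function was compiled as C++ without extern "C"), rundll32 reports that the entry point was not found.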
Tools
Analyze PE headers
- PE-bear : https://github.com/hasherezade/pe-bear-releases
- Visual Studio :
#In a Visual Studio developer command prompt
#To see the headers
dumpbin /headers ${file.exe}
#To see exported functions (DLL)
dumpbin /exports ${file.dll}
#To see DLLs imported by an exe
dumpbin /imports ${file.exe}
Compile Exe
#/MT links the CRT statically (no dependency on the VC runtime DLLs), /GS- disables stack cookies
cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG ${exeCode.cpp} /link /OUT:${exeFile.exe} /SUBSYSTEM:CONSOLE /MACHINE:x64
Compile DLL
cl.exe /D_USRDLL /D_WINDLL ${dllCode.cpp} /MT /link /DLL /OUT:${dllFile.dll}