PE

What is a PE?

PE stands for Portable Executable. It is a way of organizing executable code into a file.

Structure of a PE

A PE file can be compared to a book: it contains the data, plus metadata describing the book itself and the data it holds.

PE files are organized into headers and sections.

  • Headers: contain the metadata
  • Sections: contain the data itself (code, imports, data...)

Sections

  • .text: contains the executable code
  • .rdata: read-only data
  • .data: global variables
  • .pdata: exception-handling information
  • .rsrc: contains various objects such as images, icons and other PE files (DLLs, executables). This section offers many possibilities for malware development
  • .reloc: lets the Windows loader safely relocate the module (.dll) in memory when the address space is randomized

The most important ones are .text, .data and .rsrc.
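To make the header and section layout above concrete, here is an added example in C (not code from the page): it walks the DOS header, the PE signature and the section table of an image, and flags any section that is both writable and executable, which is the kind of check an analyst runs on a suspicious file. It builds a constructed sample image in memory rather than reading a real file, so it compiles and runs on any platform; the field offsets are those of the PE/COFF specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not tooling from the page: walks a PE section table without windows.h. */
#define SEC_ENTRY 40                 /* sizeof(IMAGE_SECTION_HEADER) */
typedef struct { char name[9]; uint32_t rva, flags; } secinfo;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns the number of sections copied into out, or -1 if buf is not a sane PE. */
int pe_sections(const uint8_t *buf, size_t len, secinfo *out, int max) {
    if (len < 0x40 || memcmp(buf, "MZ", 2) != 0) return -1;        /* DOS header magic */
    uint32_t pe = rd32(buf + 0x3C);                                /* e_lfanew -> "PE\0\0" */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(buf + pe + 6);                            /* FileHeader.NumberOfSections */
    size_t tbl = (size_t)pe + 24 + rd16(buf + pe + 20);            /* 24 + SizeOfOptionalHeader */
    if (nsec > max || tbl > len || (len - tbl) / SEC_ENTRY < nsec) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = buf + tbl + (size_t)i * SEC_ENTRY;
        memcpy(out[i].name, s, 8); out[i].name[8] = '\0';          /* Name is not NUL-terminated */
        out[i].rva = rd32(s + 12); out[i].flags = rd32(s + 36);    /* VirtualAddress, Characteristics */
    }
    return nsec;
}
/* A writable and executable section is a classic sign of a packer or self-modifying code. */
int is_write_exec(uint32_t flags) { return (flags & 0x20000000u) && (flags & 0x80000000u); } /* EXEC, WRITE */

/* Constructed sample image (not a real executable): DOS header, PE signature, 240-byte PE32+ optional header, then .text and .data section headers. */
size_t build_sample(uint8_t *buf, size_t cap) {
    const uint32_t pe = 0x80, optsz = 240;
    size_t tbl = pe + 24 + optsz, total = tbl + 2 * SEC_ENTRY;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "MZ", 2); wr32(buf + 0x3C, pe); memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 6] = 2; buf[pe + 20] = (uint8_t)optsz;                /* NumberOfSections, SizeOfOptionalHeader */
    const char *names[2] = { ".text", ".data" };
    const uint32_t flags[2] = { 0x60000020u, 0xC0000040u };        /* CODE|EXEC|READ, INIT_DATA|READ|WRITE */
    for (int i = 0; i < 2; i++) {
        uint8_t *s = buf + tbl + i * SEC_ENTRY;
        memcpy(s, names[i], strlen(names[i]));
        wr32(s + 12, 0x1000u * (i + 1)); wr32(s + 36, flags[i]);
    }
    return total;
}

int main(void) {                                                   /* stand-alone demo */
    uint8_t img[512]; secinfo s[16]; int n = pe_sections(img, build_sample(img, sizeof img), s, 16);
    for (int i = 0; i < n; i++)
        printf("%-8s rva=0x%04x flags=0x%08x %s\n", s[i].name, s[i].rva, s[i].flags, is_write_exec(s[i].flags) ? "W+X!" : "ok");
    return n < 0;
}
```

Pointing pe_sections at a real file read into memory gives the same section listing that dumpbin /headers prints.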

Exe

A separate program that can be loaded into memory as an independent process.

It needs a main function that the OS loader calls once it has finished its job.

Source code

int main(int argc, char* argv[]) {   // argv is an array of strings, not a single char*
    ...
    return 0;
}

DLL

PE modules that are loaded into an existing process and cannot live independently.

Their main purpose is to provide some functionality that the calling process needs.

The loader has already created a process, and that process needs the DLL to be loaded into it.

It therefore creates an empty address space and loads the DLL's main code into it. This main code initializes the library and hands control back to the process, which can then call the DLL's functions.

When malware is packaged as a DLL, a DllMain must be defined and at least one function must be exported.

Source code

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:   // DLL mapped into the process: initialize here
    case DLL_PROCESS_DETACH:   // DLL unloaded or process exiting: clean up here
    case DLL_THREAD_ATTACH:    // a new thread was created in the process
    case DLL_THREAD_DETACH:    // a thread exited
        break;
    }
    return TRUE;               // returning FALSE on DLL_PROCESS_ATTACH makes the load fail
}

DllMain can be called for several reasons:

  • When the process loads the DLL (likewise when a thread is created)
  • When the process unloads the DLL (likewise when a thread exits)

The switch lets you implement different behaviour depending on the event that triggered the DllMain call.

To run a DLL:

rundll32 ${file.dll},${exportedMethod}

Tools

Analyze PE headers

REM In a Visual Studio command prompt
REM To see the headers
dumpbin /headers ${file.exe}

REM To see the exported functions (DLL)
dumpbin /exports ${file.dll}

REM To see the DLLs imported by an exe
dumpbin /imports ${file.exe}

Compile Exe

cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG ${exeCode.cpp} /link /OUT:${exeFile.exe} /SUBSYSTEM:CONSOLE /MACHINE:x64

Compile DLL

cl.exe /D_USRDLL /D_WINDLL ${dllCode.cpp} /MT /link /DLL /OUT:${dllFile.dll}
