PE (Portable Executable) Analysis
Last modified: 2023-07-19
The Portable Executable (PE) format is the file format of executables (.exe), object code, DLLs and other binaries on 32-bit and 64-bit Windows.
Basic Commands
strings example.exe
# Note: Windows binaries keep many strings as UTF-16LE, which plain strings misses (GNU strings needs -e l for those)
# Cutter is a reverse-engineering GUI (disassembler, decompiler and debugger) powered by Rizin
cutter example.exe
PE Headers
There are many tools for inspecting PE headers, such as wxHexEditor and pe-tree.
pe-tree displays a PE file's headers and structures in a tree view. It can take a few minutes to open a file.
pe-tree ./executable
- IMAGE_DOS_HEADER
  The first 64 bytes of the file. The first two bytes ("4D 5A", the ASCII characters "MZ") are the magic value that identifies the Portable Executable format, and the last field, e_lfanew (at offset 0x3C), holds the file offset of IMAGE_NT_HEADERS.
- DOS_STUB
  A small 16-bit program placed between the DOS header and the NT headers. It runs only when the file is executed under MS-DOS, which knows nothing about the PE headers, and prints "This program cannot be run in DOS mode." (In the output of strings the message usually shows as "!This program cannot be run in DOS mode." because the last byte of the int 21h instruction that precedes it, 0x21, is the character "!".) Windows never executes it.
- IMAGE_NT_HEADERS
  Holds most of the information the Windows loader needs. It starts at the file offset stored in e_lfanew of IMAGE_DOS_HEADER and consists of:
  - Signature
    The first 4 bytes of the NT headers, "50 45 00 00" in hex ("PE\0\0" in ASCII). It marks the start of IMAGE_NT_HEADERS.
  - FILE_HEADER
    The 20-byte IMAGE_FILE_HEADER: Machine (the target architecture, 0x014C for x86 and 0x8664 for x64), NumberOfSections, TimeDateStamp (the link time, trivially forged), SizeOfOptionalHeader and Characteristics (for example the IMAGE_FILE_DLL flag, 0x2000, marks a DLL).
  - OPTIONAL_HEADER
    Despite the name it is mandatory for executables and holds the most important fields: AddressOfEntryPoint (an RVA, so add ImageBase to get the virtual address; execution starts here, which makes it the first thing to locate when reverse engineering), ImageBase, SectionAlignment and FileAlignment, SizeOfImage, Subsystem, DllCharacteristics (the ASLR, DEP and CFG flags) and the DataDirectory array that points to the import, export, resource, relocation and other tables.
    - Magic
      Tells whether the file is 32-bit or 64-bit: 0x010B is PE32 (32-bit) and 0x020B is PE32+ (64-bit). It also changes the header layout: in PE32+ ImageBase is an 8-byte field and BaseOfData is absent, so the offsets of the later fields differ.
- IMAGE_SECTION_HEADER
  An array of NumberOfSections entries, 40 bytes each, placed directly after the optional header. Each describes one section (.text, .data, .rsrc, .reloc and so on) with its VirtualAddress and VirtualSize in memory, its PointerToRawData and SizeOfRawData on disk, and its Characteristics flags (readable, writable, executable). The names are only a convention; a section that is both writable and executable, or that has SizeOfRawData 0 with a large VirtualSize, deserves a closer look.
- IMAGE_IMPORT_DESCRIPTOR
  The import table, reached through the import entry of DataDirectory. There is one entry per imported DLL, each pointing to the list of functions (by name or ordinal) that the loader resolves when the file is mapped, so it shows which Windows APIs the program can call. A very short import table (often just LoadLibraryA and GetProcAddress) is a typical sign of a packed executable that resolves its real imports at runtime.
Reverse Engineering
dnSpy and ILSpy are decompilers for .NET assemblies, i.e. PE files whose code is CIL rather than native machine code (such a file has a CLR runtime header entry in the DataDirectory and typically imports mscoree.dll). They recover near-original C# from the PE file, and dnSpy can also run the program under its debugger, set breakpoints and step through the decompiled code.
Identify Packers of Packed Executable
pecheck is a command-line tool (Didier Stevens' pecheck.py, built on the pefile library) that dumps the headers, sections, imports and other structures of a PE file.
pecheck ./executable
When the results appear, look at the section names in the section list of the output: packers usually replace the compiler's names with their own (for example UPX0 and UPX1 for UPX, instead of .text and .data). Other signs of packing are an entry point that lies outside .text, a section with SizeOfRawData 0 but a large VirtualSize, sections with entropy close to 8 bits per byte, and a tiny import table.
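The following script is an added example for this page, not code from pe-tree, pecheck or pefile. It ties the header walk described under PE Headers to the packer check above: with only the standard library it parses IMAGE_DOS_HEADER, the PE signature, IMAGE_FILE_HEADER, the Magic/AddressOfEntryPoint/ImageBase fields of the optional header (handling both the PE32 and PE32+ layouts) and the section table, maps the entry-point RVA to its section, and applies the section-table heuristics (section names, empty-on-disk executable sections, entropy, entry point outside .text). The two sample images are constructed in memory by build_pe so the script runs offline; the entropy threshold of 7.0 and the list of "ordinary" section names are assumptions of this example, not values from the page.

```python
import math
import struct
from collections import Counter

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B                       # IMAGE_OPTIONAL_HEADER.Magic values
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}   # IMAGE_FILE_HEADER.Machine
IMAGE_SCN_MEM_EXECUTE = 0x20000000
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                        ".reloc", ".pdata", ".tls", "CODE", "DATA"}   # assumed "ordinary" linker names

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain code well below."""
    if not buf:
        return 0.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def parse_pe(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table, keeping the fields used for triage."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature (IMAGE_DOS_HEADER.e_magic)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # last field of the DOS header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, symbol ptr/count, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected OPTIONAL_HEADER.Magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint, same offset in both layouts
    # ImageBase is a DWORD at +28 in PE32 but a QWORD at +24 in PE32+ (which has no BaseOfData field)
    base_fmt, base_off = ("<I", 28) if magic == PE32_MAGIC else ("<Q", 24)
    (image_base,) = struct.unpack_from(base_fmt, data, opt_off + base_off)
    sections, table = [], opt_off + opt_size                      # section headers follow the optional header
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        (flags,) = struct.unpack_from("<I", data, table + 40 * i + 36)   # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "flags": flags,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"machine": MACHINES.get(machine, f"{machine:#x}"), "bits": 64 if magic == PE32PLUS_MAGIC else 32,
            "entry_rva": entry_rva, "image_base": image_base, "characteristics": chars, "sections": sections}

def section_for_rva(pe: dict, rva: int):
    """Map an RVA (e.g. AddressOfEntryPoint) to the section that contains it; None if no section does."""
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s

def packer_indicators(pe: dict) -> list:
    """Section-table heuristics for a packed file; an empty list means nothing stood out."""
    hints = []
    for s in pe["sections"]:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"UPX section name {s['name']}")
        elif s["name"] not in COMMON_SECTION_NAMES:
            hints.append(f"unusual section name {s['name']!r}")
        if s["raw_size"] == 0 and s["virtual_size"] and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            hints.append(f"{s['name']} is executable but empty on disk (an unpacking stub fills it at runtime)")
        if s["raw_size"] and s["entropy"] > 7.0:                   # assumed threshold
            hints.append(f"{s['name']} entropy {s['entropy']:.2f} looks compressed or encrypted")
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None or ep["name"] not in (".text", "CODE"):
        hints.append(f"entry point in {ep['name'] if ep else 'no section'} instead of .text")
    return hints

def build_pe(sections, entry_rva: int, bits: int = 32) -> bytes:
    """Assemble a minimal PE image in memory (constructed for this example, not a real compiled binary).
    sections: list of (name, virtual_address, virtual_size, raw_bytes, characteristics)."""
    file_align, opt_size = 0x200, (0xE0 if bits == 32 else 0xF0)
    size_of_headers = -(-(0x40 + 24 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C if bits == 32 else 0x8664, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC if bits == 32 else PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    base_fmt, base_off, base = ("<I", 28, 0x400000) if bits == 32 else ("<Q", 24, 0x140000000)
    struct.pack_into(base_fmt, opt, base_off, base)                 # ImageBase, layout depends on Magic
    table, body, raw_ptr = b"", b"", size_of_headers
    for name, va, vsize, raw, flags in sections:
        padded = raw + bytes(-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        body += padded
        raw_ptr += len(padded)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(size_of_headers, b"\0") + body

# Constructed sample images (not real files): a plain compiler-style layout and a UPX-style layout
LOW_ENTROPY = bytes(range(16)) * 64     # 1 KiB at 4.0 bits/byte, stands in for ordinary code
HIGH_ENTROPY = bytes(range(256)) * 4    # 1 KiB at 8.0 bits/byte, stands in for compressed code
NORMAL = build_pe([(".text", 0x1000, 0x400, LOW_ENTROPY, 0x60000020),       # CODE | EXECUTE | READ
                   (".data", 0x2000, 0x200, bytes(0x200), 0xC0000040),      # INITIALIZED_DATA | READ | WRITE
                   (".rsrc", 0x3000, 0x100, bytes(0x100), 0x40000040)], entry_rva=0x1010)
UPX_LIKE = build_pe([("UPX0", 0x1000, 0x8000, b"", 0xE0000080),             # reserved for the unpacked image, RWX
                     ("UPX1", 0x9000, 0x400, HIGH_ENTROPY, 0xE0000040)], entry_rva=0x9100)  # stub + payload

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("upx-like", UPX_LIKE)):
        print(label, packer_indicators(parse_pe(image)) or "no packer indicators")
```

To run it against a real file, replace the constructed images with `parse_pe(open(path, "rb").read())`. The heuristics are deliberately cheap and produce false positives (a resource-heavy .rsrc section can also score high entropy, and some compilers use non-standard section names), so treat the list as a prompt for a closer look rather than a verdict.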