securedorg.github.io/fundamentals2.md
2017-03-13 15:29:15 -07:00


---
layout: default
permalink: /RE101/section1.2/
title: Fundamentals
---

Go Back to Reverse Engineering Malware 101

Section 1.2: Fundamentals

Anatomy of a Windows PE C program

Typical Windows programs are in the Portable Executable (PE) format. It is portable because it contains the information, resources, and references to dynamic-link libraries (DLLs) that allow Windows to load and execute the machine code.

alt text


Windows Architecture

In this workshop we will be focusing on user-mode applications.

User-mode vs. Kernel Mode [1]

  • In user mode, an application starts a user-mode process, which comes with its own private virtual address space and its own handle table.

  • In kernel mode, all code shares a single virtual address space.


This diagram shows the relationship of application components for user-mode and kernel-mode. alt text


PE Header

The PE header provides the operating system with the information it needs to map the file into memory. The executable is divided into designated regions (sections), each of which may require a different memory protection (RWX):

  • Read
  • Write
  • Execute

This diagram shows how this header is broken up. alt text

Here is a hex dump of the PE header we will be working with. alt text


Memory Layout

This diagram illustrates how the PE is placed into memory. alt text
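To make the PE header and memory layout sections concrete, here is an added Python example (not part of the original workshop page, and not the workshop's own tooling). It builds a constructed, header-only PE32 byte string with a DOS header, PE signature, COFF header, optional header and four section headers, then parses those headers back out, turns each section's Characteristics flags into an R/W/X string, computes where each section lands in memory relative to ImageBase, maps the entry-point RVA back to a file offset, and flags any section that is both writable and executable (a common indicator of packed or self-modifying code). The field offsets follow the PE/COFF specification; the section names, addresses and the `.rwx` section are constructed sample values.

```python
import struct

# Section Characteristics flags (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_sample_pe():
    """Constructed, header-only PE32 image (sample data, not a real binary)."""
    e_lfanew = 0x80
    # DOS header: 'MZ' signature, e_lfanew at offset 0x3C, stub padded to the PE header.
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b".text", 0x1000, 0x400, 0x400, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        (b".rdata", 0x2000, 0x200, 0x200, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x3000, 0x100, 0x200, 0xA00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        # Constructed writable+executable section, to exercise the RWX check below.
        (b".rwx", 0x4000, 0x200, 0x200, 0xC00, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    ]
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, 224, 0x0102)
    # Optional header (PE32, 224 bytes): only the first 40 bytes carry values this example uses.
    opt = struct.pack("<HBB" + "I" * 9, PE32_MAGIC, 14, 0,
                      0x400, 0x400, 0,        # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1010, 0x1000, 0x2000, # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200 # ImageBase, SectionAlignment, FileAlignment
                      ).ljust(224, b"\x00")
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, va, vs, rs, rp, ch in sections)
    image = bytearray((dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(0xE00, b"\x00"))
    image[0x410] = 0xC3  # a single 'ret' at the entry point's file offset, so the RVA mapping can be checked
    return bytes(image)


def perm_string(characteristics):
    """Render IMAGE_SCN_MEM_* flags as an 'RWX'-style string."""
    return ("R" if characteristics & IMAGE_SCN_MEM_READ else "-") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "-") + \
           ("X" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-")


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]   # 64-bit ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_align, file_align = struct.unpack_from("<II", data, opt_off + 32)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "perms": perm_string(chars)})
    return {"machine": machine, "magic": magic, "entry_point": entry_rva, "image_base": image_base,
            "section_alignment": sec_align, "file_alignment": file_align, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Translate a relative virtual address to the file offset that backs it (None if unmapped)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    return None


def entry_point_va(pe):
    """Absolute address of the entry point once the image is loaded at its preferred ImageBase."""
    return pe["image_base"] + pe["entry_point"]


def memory_map(pe):
    """Where each section lands in memory: (name, start, end, perms), sizes rounded up to SectionAlignment."""
    a = pe["section_alignment"]
    return [(s["name"], pe["image_base"] + s["va"],
             pe["image_base"] + s["va"] + (s["vsize"] + a - 1) // a * a, s["perms"]) for s in pe["sections"]]


def writable_and_executable(pe):
    """Names of sections that are both writable and executable, a classic packer/unpacker-stub tell."""
    return [s["name"] for s in pe["sections"] if "W" in s["perms"] and "X" in s["perms"]]


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for name, start, end, perms in memory_map(pe):
        print("%-8s %08x-%08x %s" % (name, start, end, perms))
    print("entry point at %08x, W+X sections: %s" % (entry_point_va(pe), writable_and_executable(pe)))
```

The memory-map output mirrors the diagram above: sections are placed at ImageBase plus their VirtualAddress and padded out to SectionAlignment (0x1000 here), while in the file they sit at PointerToRawData on FileAlignment (0x200) boundaries, which is why an RVA and a file offset for the same byte usually differ. On a real sample, replace `build_sample_pe()` with the bytes of the file under analysis.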


The Stack

Environment Setup <- Back | Next -> x86 Assembly