0 Preface
You might demand to comprehend the ways a virus program injects its procedure into the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector to encrypt the data of your portable executable (PE) file. This article is committed to represent a brief discussion to realize the performance that is accomplished by EXE tools or some kinds of mal-ware.
You can employ this article’s source code to create your custom EXE builder. It could be used to make an EXE protector in the right way, or with the wrong intention, to spread a virus. However, my purpose of writing this article has been the first application, so I will not be responsible for the immoral usage of these methods.
1 Prerequisites
There are no specific mandatory prerequisites to follow the topics in this article. If you are familiar with a debugger and also the portable file format, I suggest you to drop to Sections 2 and 3; the whole of these sections has been made for people who don’t have any knowledge regarding the EXE file format or debuggers.
2 Portable Executable File Format
The Portable Executable file format was defined to provide the best way for the Windows Operating System to execute code and also to store the essential data that is needed to run a program—for example constant data, variable data, import library links, and resource data. It consists of MS-DOS file information, Windows NT file information, Section Headers, and Section images, as shown in Table 1.
2.1 The MS-DOS data
These data let you remember the first days of developing the Windows Operating System. You were at the beginning of a way to achieve a complete Operating System such as Windows NT 3.51 (I mean, Win3.1, Win95, Win98 were not perfect OSs). The MS-DOS data causes that your executable file to have the performance inside MS-DOS and the MS-DOS Stub program lets it display: “This program can not be run in MS-DOS mode” or “This program can be run only in Windows mode”, or some things like these comments when you try to run a Windows EXE file inside MS-DOS 6.0, where there is no footstep of Windows. Thus, this data is reserved for the code to indicate these comments in the MS-DOS operating system. The most interesting part of the MS-DOS data is “MZ“! Can you believe, it refers to the name of “Mark Zbikowski“, one of the first Microsoft programmers?
To me, only the offset of the PE signature in the MS-DOS data is important, so I can use it to find the position of the Windows NT data. I just recommend that you take a look at Table 1, and then observe the structure of IMAGE_DOS_HEADER in the <winnt.h> header in the <Microsoft Visual Studio .net path>\VC7\PlatformSDK\include\ folder or the <Microsoft Visual Studio 6.0 path>\VC98\include\ folder. I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDN library!
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header “MZ”
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in
// paragraphs
WORD e_minalloc; // Minimum extra paragraphs
// needed
WORD e_maxalloc; // Maximum extra paragraphs
// needed
WORD e_ss; // Initial (relative) SS
// value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS
// value
WORD e_lfarlc; // File address of relocation
// table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier
// (for e_oeminfo)
WORD e_oeminfo; // OEM information;
// e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of the new
// exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
e_lfanew is the offset that refers to the position of the Windows NT data. I have provided a program to obtain the header information from an EXE file and to display it to you. To use the program, just try:
PE Viewer
This sample is useful for the whole of this article.
Table 1: Portable Executable file format structure
MS-DOS information | IMAGE_DOS_ HEADER | DOS EXE Signature | 00000000 ASCII “MZ” |
DOS_PartPag | |||
DOS_PageCnt | |||
DOS_ReloCnt | |||
DOS_HdrSize | |||
DOS_MinMem | |||
DOS_MaxMem | |||
DOS_ReloSS | |||
DOS_ExeSP | |||
DOS_ChkSum | |||
DOS_ExeIPP | |||
DOS_ReloCS | |||
DOS_TablOff | |||
DOS_Overlay | |||
b& Reserved words b& | |||
Offset to PE signature | |||
MS-DOS Stub Program | 00000040 ..B:..B4.C | ||
Windows NT information IMAGE_ | Signature | PE signature (PE) | 000000F0 ASCII “PE” |
IMAGE_ FILE_HEADER | Machine | 000000F4 DW 014C | |
NumberOfSections | |||
TimeDateStamp | |||
PointerToSymbolTable | |||
NumberOfSymbols | |||
SizeOfOptionalHeader | |||
Characteristics | |||
IMAGE_ OPTIONAL_ HEADER32 | MagicNumber | 00000108 DW 010B | |
MajorLinkerVersion | |||
MinorLinkerVersion | |||
SizeOfCode | |||
SizeOfInitializedData | |||
SizeOfUninitializedData | |||
AddressOfEntryPoint | |||
BaseOfCode | |||
BaseOfData | |||
ImageBase | |||
SectionAlignment | |||
FileAlignment | |||
MajorOSVersion | |||
MinorOSVersion | |||
MajorImageVersion | |||
MinorImageVersion | |||
MajorSubsystemVersion | |||
MinorSubsystemVersion | |||
Reserved | |||
SizeOfImage | |||
SizeOfHeaders | |||
CheckSum | |||
Subsystem | |||
DLLCharacteristics | |||
SizeOfStackReserve | |||
SizeOfStackCommit | |||
SizeOfHeapReserve | |||
SizeOfHeapCommit | |||
LoaderFlags | |||
NumberOfRvaAndSizes | |||
IMAGE_ DATA_DIRECTORY[16] | Export Table | ||
Import Table | |||
Resource Table | |||
Exception Table | |||
Certificate File | |||
Relocation Table | |||
Debug Data | |||
Architecture Data | |||
Global Ptr | |||
TLS Table | |||
Load Config Table | |||
Bound Import Table | |||
Import Address Table | |||
Delay Import Descriptor | |||
COM+ Runtime Header | |||
Reserved | |||
Sections information | IMAGE_ SECTION_ HEADER[0] | Name[8] | 000001E8 ASCII“.text” |
VirtualSize | |||
VirtualAddress | |||
SizeOfRawData | |||
PointerToRawData | |||
PointerToRelocations | |||
PointerToLineNumbers | |||
NumberOfRelocations | |||
NumberOfLineNumbers | |||
Characteristics | |||
b& b& b& IMAGE_ SECTION_ HEADER[n] | 00000210 ASCII“.data”; SECTION | ||
SECTION[0] | 00000400 EA 22 DD 77 D7 23 DD 77 C*”C.wC.#C.w | ||
b& b& b& SECTION[n] | b& |