Malware Analysis – Understanding The PE Header

What Is The PE Header?

  • The PE header contains the information the OS requires to load and run the executable.
  • This information is very useful to an analyst, as it tells us more about the functionality of the malware and how the malware interacts with the OS.

Why is the PE header important?

  1. It contains all of the important and necessary information required by the OS to execute the executable.
  2. It contains information that specifies where the executable needs to be loaded into memory.
  3. It lists the libraries (DLLs) that the executable requires to be loaded.
  4. It contains information that specifies where execution begins (the entry point).

PE Header Structure

  • MZ header / DOS header
  • DOS stub (a tiny program that prints "This program cannot be run in DOS mode" if the file is run under DOS)
  • PE file header (signature)
  • Image optional header
  • Section table
  • Sections

PE Sections

Section Name      Function
.code / .text     Executable code
.data             Stores data (read/write)
.rdata            Stores data (read only)
.idata            Stores the import table
.edata            Stores export data
.rsrc             Stores resources (strings, icons)
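The header chain above (DOS header, PE signature, COFF file header, optional header, section table) and the section names in the table are easiest to understand by walking them in code. The following parser is an added example written for this post, not code from the original article: it reads the fields the "why is the PE header important" list refers to (machine type, preferred load address, entry point, import and export table locations) and the section table, and flags two things an analyst looks for during triage: an entry point that does not fall in an executable section, and a section that is both writable and executable. The `build_sample_pe()` helper constructs a minimal 32-bit PE image in memory so the example runs offline; it is not a real binary, and the field layout it uses is the standard PE32 layout (`e_lfanew` at offset 0x3C, PE32 magic 0x10B, import directory at data-directory index 1).

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> optional header
    -> section table and return the fields a malware triage needs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic: not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                        # PE32
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
        dd_off = opt_off + 96
    elif magic == 0x20B:                                      # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if dd_off + 16 > len(data):
        raise ValueError("optional header truncated")
    (nrva,) = struct.unpack_from("<I", data, dd_off - 4)      # NumberOfRvaAndSizes
    export_dir = struct.unpack_from("<II", data, dd_off) if nrva >= 1 else (0, 0)
    import_dir = struct.unpack_from("<II", data, dd_off + 8) if nrva >= 2 else (0, 0)

    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    sections, warnings, entry_section = [], [], None
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sec = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
               "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags}
        sections.append(sec)
        if va <= entry < va + max(vsize, rawsize):
            entry_section = sec["name"]
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                warnings.append(f"entry point {entry:#x} lies in non-executable section {sec['name']}")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            warnings.append(f"section {sec['name']} is both writable and executable")
    if entry_section is None:
        warnings.append(f"entry point {entry:#x} is outside every section")
    return {"machine": machine, "characteristics": characteristics, "pe32plus": magic == 0x20B,
            "image_base": image_base, "entry_point": entry, "entry_section": entry_section,
            "export_table": tuple(export_dir), "import_table": tuple(import_dir),
            "sections": sections, "warnings": warnings}


def build_sample_pe(entry_point: int = 0x1000) -> bytes:
    """Constructed, minimal PE32 image for the demo (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub                     # the DOS stub's message
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x28)    # import directory RVA/size
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)            # CODE | EXECUTE | READ
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400,
                       0, 0, 0, 0, 0xC0000040)            # INITIALIZED_DATA | READ | WRITE
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0") + bytes(0x200)  # .text = ret, .data = zeros


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(f"machine={info['machine']:#x} base={info['image_base']:#x} "
          f"entry={info['entry_point']:#x} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va={s['va']:#07x} raw={s['raw_size']:#06x} flags={s['flags']:#010x}")
    for w in info["warnings"]:
        print("  WARNING:", w)
```

Run it with a file path to inspect a real sample, or with no argument to parse the constructed image. Because the parser locates the entry point by RVA rather than trusting the section name, it still reports correctly when a packer renames `.text` or moves the entry point into a section the table above would not expect to hold code.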