6. Inspecting PE Header Information

Windows executables must conform to the PE/COFF (Portable Executable/Common Object File Format) specification. The PE file format is used by Windows executable files (such as .exe, .dll, .sys, .ocx, and .drv), which are collectively called Portable Executable (PE) files. A PE file is a series of structures and sub-components that contain the information the operating system needs to load it into memory.

When an executable is compiled, the compiler and linker prepend a header (the PE header) that describes the file's structure. When the binary is run, the operating system loader reads this header and maps the file's contents into memory accordingly. The PE header records information such as the preferred address at which the image should be loaded (the image base), the address at which execution starts (the entry point), the libraries and functions the program depends on (the import table), and the resources embedded in the binary. Examining the PE header therefore yields a wealth of information about a binary and its likely functionality without running it. Keep in mind that every header field is attacker-controlled: malware routinely forges timestamps, uses non-standard section names, or deliberately malforms headers to crash analysis tools, so treat header values as evidence rather than as ground truth.
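To make the loader's view of the header concrete, here is an added example (not code from the book): a minimal PE header walker written against the standard library only. It follows the chain the loader follows (DOS header, PE signature, COFF file header, optional header, section table), reports the image base, entry point, subsystem, ASLR/NX flags and section permissions, and then applies a few triage heuristics that are my own illustrative checks rather than anything the book prescribes. The sample image is constructed inline from header bytes only; it is not a real binary and cannot run, but it parses exactly as a real one would.

```python
"""Minimal PE header walker: DOS header -> PE signature -> COFF header -> optional header -> sections."""
import struct
from datetime import datetime, timezone
from typing import Any, Dict, List

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics: file is a DLL
DLLCHAR_DYNAMIC_BASE = 0x0040      # DllCharacteristics: ASLR-compatible
DLLCHAR_NX_COMPAT = 0x0100         # DllCharacteristics: DEP/NX-compatible
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_headers(data: bytes) -> Dict[str, Any]:
    """Return the header fields the loader (and an analyst) cares about. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew: not a PE file")
    coff = e_lfanew + 4                                           # IMAGE_FILE_HEADER, 20 bytes
    machine, nsec, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)            # AddressOfEntryPoint (an RVA)
    if magic == 0x10B:                                            # PE32: 32-bit ImageBase at +28
        pe_format = "PE32"
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                          # PE32+: 64-bit ImageBase at +24 (no BaseOfData)
        pe_format = "PE32+"
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)   # same offsets in PE32 and PE32+
    sections: List[Dict[str, Any]] = []
    for i in range(nsec):                                         # section table follows the optional header
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            data, opt + opt_size + SECTION_HDR.size * i)
        perms = "".join(c if flags & bit else "-" for c, bit in (("r", SCN_READ), ("w", SCN_WRITE), ("x", SCN_EXECUTE)))
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags, "perms": perms})
    return {
        "pe_format": pe_format,
        "machine": MACHINES.get(machine, f"0x{machine:x}"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": ts,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "image_base": image_base,
        "entry_point_rva": entry,
        "entry_point_va": image_base + entry,                     # where execution starts if loaded at ImageBase
        "subsystem": subsystem,
        "aslr": bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
        "nx": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "sections": sections,
    }


def triage(info: Dict[str, Any]) -> List[str]:
    """Illustrative red-flag heuristics (my own, not the book's): W+X sections, inflated virtual sizes, odd entry point."""
    findings = []
    entry, host = info["entry_point_rva"], None
    for s in info["sections"]:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            host = s["name"]
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable (W+X): self-modifying or unpacking code?")
        if s["raw_size"] and s["vsize"] > 4 * s["raw_size"]:
            findings.append(f"section {s['name']} virtual size 0x{s['vsize']:x} far exceeds raw size 0x{s['raw_size']:x}: room for unpacked code?")
    if host is None:
        findings.append(f"entry point RVA 0x{entry:x} lies outside every section")
    elif host != ".text":
        findings.append(f"entry point is in section {host}, not .text")
    return findings


def build_sample_pe() -> bytes:
    """Constructed sample: headers of a tiny PE32 image with a normal .text and a packer-style UPX1 section.
    Not a real binary; only the header bytes the parser reads are populated."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE|32BIT
    opt = bytearray(224)                                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # Section/FileAlignment
    struct.pack_into("<HH", opt, 68, 2, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)  # GUI subsystem, ASLR+NX
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    text = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)  # r-x
    upx1 = SECTION_HDR.pack(b"UPX1", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xE0000040)  # rwx
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + text + upx1


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    print(f"{hdr['pe_format']} {hdr['machine']} built {hdr['compile_time']}, entry VA 0x{hdr['entry_point_va']:x}, "
          f"ASLR={hdr['aslr']} NX={hdr['nx']}")
    for s in hdr["sections"]:
        print(f"  {s['name']:<8} {s['perms']} RVA 0x{s['vaddr']:06x} vsize 0x{s['vsize']:x} raw 0x{s['raw_size']:x}")
    for f in triage(hdr):
        print("  [!]", f)
```

To use it on a real sample, replace `build_sample_pe()` with `open(path, "rb").read()`. The parser deliberately stops at the section table: resolving imports and resources requires translating RVAs through that table into file offsets, which is where a deliberately malformed header can lead a naive parser out of bounds, so a production tool should bounds-check every offset it derives from the file rather than trust it as this example does.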

This book does not cover the basics of the PE file structure; only the concepts relevant to malware analysis are covered in the following sub-sections. The following resources are good for understanding the PE file structure in depth:

You can get a clear understanding of the PE file format by loading a suspect file into a PE analysis tool. The following are some of the tools that allow you to examine and modify the PE structure and its sub-components:

The subsequent sections cover some of the PE file attributes that are most useful for malware analysis. A tool such as pestudio (https://www.winitor.com) or PPEE (puppy) (https://www.mzrst.com/) can assist you in exploring interesting artifacts in a PE file.
