PE Format
The Portable Executable (PE) format is the primary file format for executables, object code, DLLs, font files, and other binaries used in 32-bit and 64-bit versions of Windows. It is a data structure that encapsulates the information the Windows OS needs to manage the wrapped executable code: dynamic library references for linking, API export and import tables, resource management metadata, and thread-local storage (TLS) data. A PE file consists of headers and sections that tell the dynamic linker how to map the file into memory.
In malware analysis, the PE format is extremely useful. Analyzing the structure of a PE file can provide crucial information about a potential malicious file. For instance, it can reveal the import and export functions, which could be interacting with critical Windows components or performing suspicious activities. Moreover, resource management metadata might contain embedded malicious payloads. By understanding the PE file structure and its various sections, an analyst can better understand the behavior of a suspect file and devise appropriate countermeasures.
The term "bastardized COFF" is often used for the PE (Portable Executable) format. COFF stands for Common Object File Format, an older format for object and executable files. PE is called "bastardized" because it is a modified and extended version of COFF: it adds features such as the import and export tables, resource management metadata, and thread-local storage data that the original COFF format does not have.
Tools: PE Explorer, IDA Pro, Ghidra, OllyDbg / x64dbg, PEiD, Dependency Walker, PEview, Wireshark, Process Monitor, PE-bear, YARA, CFF Explorer
The highlighted ‘4d 5a’ bytes are the hex for ‘MZ’, the initials of a developer of MS-DOS. If they are there, Windows won't be able to run it; after removing them, Windows will be able to run it, since it is then a PE format file.
The most important field for now is e_magic.
IMAGE_OPTIONAL_HEADER is where most of the useful information lives.
IMAGE_DATA_DIRECTORY is another very rich source of information.
Export Directory
Import Address Table
The Import Address Table (IAT) in malware refers to a data structure within the malicious code that stores references to external functions or libraries the malware relies on. These references are used for dynamically linking to functions present in external libraries or system DLLs. Malware often uses the IAT to call functions from system libraries or other modules, enabling it to perform various malicious activities such as stealing data, executing commands, or compromising system integrity. By manipulating the IAT, malware can obfuscate its behavior, evade detection, or bypass security measures.
Sections have specific names and permissions (R, W, X) and hold data or code.
The common ones are ‘.text’, ‘.data’, ‘.rdata’, ‘.idata’, ‘.reloc’, ‘.rsrc’, ‘.bss’, etc. Of these, ‘.text’, ‘.data’, ‘.rdata’ and ‘.rsrc’ are generally the ones that hold the malicious content, so that is where we put our payload.
In malware analysis:
.text: Contains executable code, typically the main body of the malware's instructions.
.data: Stores initialized global and static variables used by the malware (e.g. unsigned int x = 12;).
.rdata: Holds read-only data such as constant strings or configuration information (e.g. const unsigned int x = 12;).
.idata: Contains the Import Address Table (IAT), listing the external functions and libraries the malware imports.
.reloc: Stores relocation information, allowing the executable to be loaded at a different base address.
.rsrc: Houses resources such as icons, images, or other non-executable data.
.bss: Reserved space for uninitialized data or variables used by the malware.
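As an added example (not code from the original page or from any of the tools listed above), the Python below builds a small constructed PE32+ image in memory and then parses it from scratch with the struct module. It ties together the header walk described earlier (e_magic, the PE signature, IMAGE_OPTIONAL_HEADER, the import entry of IMAGE_DATA_DIRECTORY and the Import Address Table) and the section table above (each section's name and R/W/X characteristics). The sample image, its section layout and the two imported kernel32 function names are constructed for this example; it assumes a PE32+ (64-bit) file whose FileAlignment equals its SectionAlignment so that RVAs equal file offsets, and the field layouts follow the winnt.h structures named in the comments.

```python
import struct

# Layouts from winnt.h: IMAGE_OPTIONAL_HEADER64 up to NumberOfRvaAndSizes (112 bytes),
# IMAGE_SECTION_HEADER (40 bytes) and IMAGE_IMPORT_DESCRIPTOR (20 bytes).
OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"
SECTION_FMT = "<8sIIIIIIHHI"
IMPORT_DESC_FMT = "<IIIII"
SECTION_PERMS = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))  # IMAGE_SCN_MEM_*

def build_sample_pe():
    """Constructed PE32+ image (not a real binary): .text holds a single 'ret' and .idata
    imports two kernel32 APIs. File and section alignment are both 0x200, so RVA == offset."""
    idata_rva, funcs = 0x400, ["CreateFileW", "ReadFile"]
    thunks_len = 8 * (len(funcs) + 1)          # one 8-byte thunk per import plus a terminator
    ilt_rva = idata_rva + 40                   # after the descriptor and its null terminator
    iat_rva, names_rva = ilt_rva + thunks_len, ilt_rva + 2 * thunks_len
    names, thunks = bytearray(b"kernel32.dll\0"), b""
    for f in funcs:
        names += b"\0" * (len(names) % 2)                    # hint/name entries are 2-byte aligned
        thunks += struct.pack("<Q", names_rva + len(names))  # RVA of this hint/name entry
        names += struct.pack("<H", 0) + f.encode() + b"\0"   # hint, name, NUL
    thunks += b"\0" * 8
    desc = struct.pack(IMPORT_DESC_FMT, ilt_rva, 0, 0, names_rva, iat_rva) + b"\0" * 20
    idata = desc + thunks + thunks + bytes(names)          # descriptors | ILT | IAT | names
    dirs = [(0, 0)] * 16
    dirs[1] = (idata_rva, len(idata))                      # IMAGE_DIRECTORY_ENTRY_IMPORT
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_magic ... e_lfanew at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)  # AMD64, 2 sections
    opt_hdr = struct.pack(OPT64_FMT, 0x20B, 14, 0, 0x200, 0x200, 0, 0x200, 0x200,
                          0x140000000, 0x200, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x600, 0x200,
                          0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt_hdr += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    def sec(name, rva, chars):                             # 0x200-byte section, raw data at its RVA
        return struct.pack(SECTION_FMT, name, 0x200, rva, 0x200, rva, 0, 0, 0, 0, chars)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr
    headers += sec(b".text", 0x200, 0x60000020) + sec(b".idata", 0x400, 0xC0000040)  # RX, RW
    return headers.ljust(0x200, b"\0") + b"\xc3".ljust(0x200, b"\0") + idata.ljust(0x200, b"\0")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table (raises if unmapped)."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return rva - s["rva"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def parse_imports(data, import_dir, sections):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list and return {dll: [function, ...]}."""
    imports, imp_rva = {}, import_dir[0]
    if imp_rva == 0:
        return imports
    off = rva_to_offset(imp_rva, sections)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from(IMPORT_DESC_FMT, data, off)
        if name_rva == 0:                          # all-zero descriptor ends the list
            break
        dll, funcs = read_cstr(data, rva_to_offset(name_rva, sections)), []
        thunk_off = rva_to_offset(ilt or iat, sections)  # ILT preferred; some packers zero it
        while True:
            entry, = struct.unpack_from("<Q", data, thunk_off)
            if entry == 0:
                break
            if entry >> 63:                        # import by ordinal (PE32+ flag is bit 63)
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                  # low 31 bits: RVA of hint (2 bytes) + name
                funcs.append(read_cstr(data, rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk_off += 8
        imports[dll] = funcs
        off += 20
    return imports

def parse_pe(data):
    """Parse the DOS header, NT headers, section table and import directory of a PE32+ file."""
    if data[:2] != b"MZ":                          # IMAGE_DOS_HEADER.e_magic
        raise ValueError("missing MZ signature: not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                            # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("this example handles PE32+ only (Magic 0x20B)")
    entry_point, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<Q", data, opt + 24)
    n_dirs, = struct.unpack_from("<I", data, opt + 108)
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, *_, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr,
                         "perms": "".join(c for flag, c in SECTION_PERMS if chars & flag)})
    import_dir = dirs[1] if len(dirs) > 1 else (0, 0)
    return {"machine": machine, "entry_point": entry_point, "image_base": image_base,
            "sections": sections, "imports": parse_imports(data, import_dir, sections)}

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<8} rva={s['rva']:#06x} size={s['rawsize']:#06x} {s['perms']}")
    print(info["imports"])
```

parse_pe(build_sample_pe()) returns the machine type (0x8664), entry point, image base, the two sections (.text as RX, .idata as RW) and the import list for kernel32.dll; passing a copy whose first two bytes are overwritten raises ValueError at the e_magic check. The same parse_pe works on the bytes of a real PE32+ file. The section-table lookup in rva_to_offset is the step a malformed header most easily derails, which is why it raises on an RVA outside every section instead of indexing the buffer blindly.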