Malware Handbook

PE32+

PE32+ is the 64-bit variant of the Portable Executable (PE) file format, used for executables on 64-bit versions of Windows. Here's a brief explanation:

  1. 64-bit Support: PE32+ supports 64-bit architectures, allowing executable files to address larger amounts of memory and utilize 64-bit registers and instructions.

  2. Header Changes: While the basic structure of the PE header remains similar to that of the standard PE32 format used for 32-bit executables, PE32+ introduces changes to accommodate 64-bit architecture requirements. These changes include modifications to the data directories, section headers, and other metadata.

  3. 64-bit Addressing: PE32+ enables the use of 64-bit virtual memory addressing, allowing applications to access memory beyond the 4 GB limit imposed by 32-bit architectures. This enables larger address spaces and supports applications that require more memory.

  4. New Calling Convention: With PE32+, the calling convention for function calls may change to accommodate the different register usage and parameter passing conventions of 64-bit architectures. For example, function parameters might be passed in registers rather than on the stack.

  5. Compatibility: While PE32+ is primarily designed for 64-bit Windows systems, it still maintains backward compatibility with 32-bit versions of Windows. However, 32-bit applications cannot directly execute on 64-bit systems without the aid of an emulator or compatibility layer.

Overall, PE32+ extends the capabilities of the PE file format to support 64-bit architectures, enabling developers to create applications that can take advantage of the increased performance and memory capabilities offered by 64-bit systems.
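The header differences listed above are easiest to see in a parser. The following is an added example (not code from the handbook): it walks the DOS header to the PE signature, reads the COFF file header, and then branches on the optional-header magic (0x10B for PE32, 0x20B for PE32+) because ImageBase, the stack/heap size fields and the data-directory offset change width and position between the two formats. The two sample headers it parses are constructed inline and contain no sections; `build_header` and `parse_pe_header` are names chosen for this example.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA; only meaningful in PE32+

def parse_pe_header(data: bytes) -> dict:
    """Read the optional-header fields whose size or offset differs between PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # optional header starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:        # BaseOfData at +24, 4-byte ImageBase at +28, directories at +96
        kind, base_fmt, base_off, dirs_off = "PE32", "<I", 28, 96
    elif magic == PE32PLUS_MAGIC:  # no BaseOfData, 8-byte ImageBase at +24, directories at +112
        kind, base_fmt, base_off, dirs_off = "PE32+", "<Q", 24, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in both formats
    return {
        "format": kind,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "optional_header_size": opt_size,                        # 224 for PE32, 240 for PE32+
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from(base_fmt, data, opt + base_off)[0],
        "high_entropy_va": kind == "PE32+" and bool(dll_chars & HIGH_ENTROPY_VA),
        "data_directories": struct.unpack_from("<I", data, opt + dirs_off - 4)[0],
    }

def build_header(plus: bool) -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header and optional header, no sections."""
    if plus:   # AMD64, 64-bit ImageBase, 8-byte stack/heap sizes, high-entropy ASLR opted in
        machine, base = 0x8664, 0x140000000
        std = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, base)
        sizes, dll_chars, flags = struct.pack("<QQQQ", 0x100000, 0x1000, 0x100000, 0x1000), 0x8160, 0x22
    else:      # i386, BaseOfData present, 4-byte ImageBase and stack/heap sizes
        machine, base = 0x14C, 0x400000
        std = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, base)
        sizes, dll_chars, flags = struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x1000), 0x8140, 0x102
    win = struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, dll_chars)
    opt = std + win + sizes + struct.pack("<II", 0, 16) + b"\0" * 128   # 16 empty data directories
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt
```

The `high_entropy_va` field is a quick check an analyst can run on a 64-bit sample: a PE32+ image that does not set that flag cannot take advantage of the larger ASLR address space the format makes possible.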
