Questions tagged [pe]
a file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.
253 questions
0 votes, 2 answers, 84 views
How do I use the text-like PE files?
I extracted a PE file from another PE file and saved it.
I want to execute it, but when I saved the file the computer sees it as a text file. Although my actual file starts with "4d 5a", the computer sees ...
0 votes, 1 answer, 104 views
Expanding .data section at particular area
I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to ...
0 votes, 1 answer, 2k views
.idb file and IDA
I've just received from a friend a *.idb file concerning the PE file I'd like to disassemble in IDA. What is the file and how can I load/use it with the exe linked to it in IDA?
0 votes, 0 answers, 58 views
IDAPython NtCreateFile
Let's say I want to print the filenames on every call to NtCreateFile
(with %any% exe loaded in IDA).
The first problem is to get the ntdll!NtCreateFile address.
Tried to do it like this ...
0 votes, 2 answers, 719 views
PE file code starting address
When I load an exe in IDA, the assembled code always starts at address 00401000. Does it mean that in PE files the code always starts at that specific address?
2 votes, 2 answers, 3k views
Hex-Rays not properly showing strings
Here's the difference between Hex-Rays and the debugger:
Note that I've synchronized the views, so they are showing the same operations in both the debugger and the decompiler. I've tried Edit -> ...
0 votes, 1 answer, 163 views
IDAPython, parse IDA DB as PE file [duplicate]
I have a buffer loaded into IDA with IDAPython in a custom loader script. I now want it to be parsed as a PE, or in fact it would be better if IDA tried to reparse it as a PE. Is it possible ...
1 vote, 2 answers, 231 views
Lifting exported function instructions in PE files
I am trying to automate analysis of instructions within exported functions for a .DLL and need to be able to lift the first few instructions for the entry point of each exported function statically ...
2 votes, 1 answer, 411 views
Import Address Table in Process Hollowing
I know that the PE loader is the one responsible for assigning addresses in a PE Import Address Table, so why, when we inject code using process hollowing, don't we build the IAT?
We just copy ...
1 vote, 1 answer, 87 views
What is the role of the PAGE section in Windows drivers?
I have seen many drivers with a section named PAGE, but couldn't find good enough information on it. What is the role of this section?
1 vote, 1 answer, 184 views
Try to parse buffer as PE with IDAPython
```python
import requests
import pefile

# Use the raw response body; a Response object has no len() and is not a byte buffer.
file_buffer = requests.get(file_url).content
buf_size = len(file_buffer)
pe_file = pefile.PE(data=file_buffer)
print("This is really a pe imphash %s." % pe_file.get_imphash())
addr = hex(id(...
```
1 vote, 1 answer, 122 views
Name other than ".text" for the main code section
Is it safe to assume that, in the general case, the name of the section containing the user code (not the compiler generated code) is .text? I spot-checked several ARM, x86 and MIPS binaries (PE and ...
4 votes, 2 answers, 2k views
How can I get xrefs to class member variables in IDA?
I'm working on a decompilation of a Windows PE (with its full debug symbols in a PDB) and I'm using IDA to help with it.
I want to know how I can get a list of all references to a given class member ...
2 votes, 1 answer, 266 views
Garbage assembly code generation at random offsets
Recently I've been working on a project. The main purpose of the project is to generate statically undetectable PE samples, where each time one generates a PE sample, each generated sample is going ...
2 votes, 1 answer, 179 views
PE - IAT resolve mechanism
I'm trying to understand how Windows resolves functions with the IAT.
I have noticed that when a call is made to a Win API function, the structure of that call is not always the same (it's still ...