Questions tagged [pe]
PE (Portable Executable) is the file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.
253 questions
2 votes, 1 answer, 403 views
How to find "RawAddress" of a "VirtualAddress"?
I'm trying to parse a PE file manually as below:
### DOS Header

00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 ...
-1 votes, 1 answer, 116 views
Why do I get 0xc00000005?
I'm trying to use the RunPE technique (for learning).
First, I tried it on Windows XP (32-bit) and no error occurs, but the injected code (HelloWorld) didn't run.
Then, I tried to use it on Windows 7 ...
0 votes, 0 answers, 144 views
Module name in the export table of a PE image
One of the fields of the PE export table is the image name, see screenshot below for an example.
This name is part of the file, even though I can rename it to any other name after it's compiled.
My ...
2 votes, 0 answers, 265 views
What is the meaning of call ds:ApiName[registry*constant] in IDA .asm files?
I have a dataset of .ASM files generated by IDA (I don't have the corresponding file),
and there are a lot of calls like this:
.text:00637114 5F pop edi
.text:...
1 vote, 2 answers, 5k views
How to find the file address of AddressOfEntryPoint
I have a binary file and in the optional header I have the address of the entry point 0x00011046 but when I put the file inside HEX editor this address doesn't exist, more than that 0x000097f0.
I ...
1 vote, 1 answer, 597 views
What is the physical address in a PE reader?
What is the physical address in a PE file? I searched the Microsoft website article about PE files and haven't found anything.
1 vote, 2 answers, 134 views
"unknown publisher" after adding new PE section
I'm starting to learn about reverse engineering and I'm currently encountering a problem with a game I'm trying to patch. I needed more space to insert instructions in my program so I followed the ...
0 votes, 0 answers, 172 views
How is ELF symbol resolution and relocation different from PE symbol resolution?
I've learned extensively about PE and PE64 format a while back. I am now digging deeper into ELF format. However, I've not found as many thorough resources for ELF as I did for PE, such as ARTeam's PE ...
1 vote, 1 answer, 779 views
Why are relocation tables needed?
I understand that the relocation table exists for when an image isn't loaded at its preferred address, but if an image isn't loaded at its preferred address, doesn't everything need to be relocated ...
1 vote, 0 answers, 44 views
PE Format - How can I delete IMAGE_IAT_DIRECTORY and the app still runs fine?
I'm doing some small research regarding PE files, and while I drilled through every related question and the documentation itself, I couldn't explain this issue.
Why can I go to CFF explorer or some other PE ...
-1 votes, 1 answer, 1k views
Best way to find the entropy of an EXE file?
I want to write a script to extract the entropy of each section of an EXE file. What is the best tool that I can use to do this?
I tried Ghidra but it doesn't have an entropy API which I can use.
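The two recurring questions on this page (mapping a "VirtualAddress"/RVA such as AddressOfEntryPoint to its raw file offset, and computing per-section entropy) need the same piece of work: walking the DOS header, the PE signature, the COFF header and the section table. The following script does both over one parser. It is an added example, not code posted by any of the questioners; the input is a constructed minimal PE32 image built in `build_sample_pe()` (two sections, entry point RVA 0x1046) rather than a real binary, and it deliberately uses only the standard library since Ghidra offers no entropy API.

```python
import math
import struct
from collections import Counter


def build_sample_pe():
    """Constructed minimal PE32 image (sample input, not a real binary).

    .text: RVA 0x1000, file offset 0x200, holds every byte value twice.
    .data: RVA 0x2000, file offset 0x400, holds zeros.
    AddressOfEntryPoint = 0x1046, so the entry point is at file offset 0x246.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    secs = [(b".text", 0x1000, 0x200, bytes(range(256)) * 2),
            (b".data", 0x2000, 0x400, bytes(0x200))]
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1046)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)             # SizeOfHeaders
    img = bytearray(dos + b"PE\0\0" + coff + opt)
    for name, va, raw, data in secs:                   # IMAGE_SECTION_HEADER, 40 bytes each
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                           len(data), raw, 0, 0, 0, 0, 0x60000020)
    for _name, _va, raw, data in secs:
        img += bytes(raw - len(img)) + data            # pad up to PointerToRawData
    return bytes(img)


def parse_headers(pe):
    """Return (AddressOfEntryPoint, SizeOfHeaders, sections).

    Each section is (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # same offset in PE32 and PE32+
    headers_size = struct.unpack_from("<I", pe, opt + 60)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, rawptr, rawsize))
    return entry, headers_size, sections


def rva_to_raw(pe, rva):
    """Map an RVA to its file offset; None if nothing on disk backs it."""
    _, headers_size, sections = parse_headers(pe)
    if rva < headers_size:
        return rva                 # headers are mapped 1:1 at the image base
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                return None        # virtual-only tail (e.g. .bss): zero-filled at load, absent on disk
            return rawptr + delta
    return None


def entry_point_raw(pe):
    entry, _, _ = parse_headers(pe)
    return rva_to_raw(pe, entry)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropy(pe):
    """Entropy of each section's on-disk bytes, keyed by section name."""
    _, _, sections = parse_headers(pe)
    return {name: shannon_entropy(pe[rawptr:rawptr + rawsize])
            for name, _va, _vsize, rawptr, rawsize in sections}


if __name__ == "__main__":
    sample = build_sample_pe()
    print(f"entry RVA 0x1046 -> file offset {entry_point_raw(sample):#x}")
    for sec_name, ent in section_entropy(sample).items():
        print(f"{sec_name:8s} entropy {ent:.2f}")
```

The conversion is simply `PointerToRawData + (RVA - VirtualAddress)` for the section whose virtual range contains the RVA, which is why an entry point of 0x00011046 can never be found by searching the hex editor for that value. Two caveats matter on real files: RVAs below SizeOfHeaders map to the same file offset, and an RVA that falls past SizeOfRawData but inside VirtualSize has no bytes on disk at all. High entropy (near 8.0) in an executable section is the usual hint of packing or encryption; compare against the 0.0 the zero-filled `.data` section produces here.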
1 vote, 1 answer, 439 views
How to find DOS Header and PE Header with an entry point in Radare2?
I am currently doing byte extraction from PE files using Radare2. I know how to find the byte sequence for DOS Header and PE Header when there is no entry point and the start is defaulted to 0x0. But ...
2 votes, 1 answer, 733 views
PE32: add an export function segment by extending with a DLL or patching the PE
I need to add a new function inside the PE32 module.dll export table, in a dynamic way if possible (via extending with a DLL) or by patching the PE32 module.dll.
What can you suggest to solve this?
0 votes, 1 answer, 249 views
Why does an executable still run despite changes to checksum, or changes to data section without new checksum?
I have a "Hello World" console app compiled with Flat Assembler. The size of the executable is 2048 bytes and the checksum is 0x3797.
Questions:
Does it matter if I make changes to the data section ...
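Why an executable keeps running after its data section or its CheckSum field is edited comes down to how the field is checked: the value is computed over the whole file with the field itself skipped, and the Windows user-mode loader does not validate it for ordinary EXEs and DLLs (it is enforced for kernel-mode drivers and a few system images). The script below is an added example, not code from the question; it implements the documented CheckSumMappedFile algorithm in the form used by pefile, and its input is a constructed 512-byte stub (MZ header, e_lfanew = 0x40, PE signature, everything else zero), not the Flat Assembler binary from the question, so the 0x3797 value quoted there cannot be reproduced here.

```python
import struct


def _checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (offset 64, same in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 64      # PE signature + COFF header + field offset


def pe_checksum(data):
    """Recompute the PE checksum over the whole file, skipping the CheckSum dword itself."""
    skip = _checksum_field_offset(data) // 4
    padded = data + bytes((-len(data)) % 4)     # algorithm works on 32-bit words
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, 4 * i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)         # original (unpadded) length is added


def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def with_checksum(data):
    """Return a copy whose CheckSum field matches the file contents."""
    out = bytearray(data)
    struct.pack_into("<I", out, _checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def checksum_valid(data):
    return stored_checksum(data) == pe_checksum(data)


def build_sample_image():
    """Constructed 512-byte stub: 'MZ' at 0, e_lfanew = 0x40, 'PE\\0\\0' at 0x40, zeros elsewhere."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print(f"stored {stored_checksum(img):#x}, computed {pe_checksum(img):#x}")
    fixed = with_checksum(img)
    print("valid after fix-up:", checksum_valid(fixed))
```

For the stub the only non-zero words are 0x5A4D ("MZ"), 0x40 (e_lfanew) and 0x4550 ("PE"), so the folded sum is 0x9FDD and adding the 0x200-byte length gives 0xA1DD. Because the field is excluded from the sum, writing the computed value back does not change it, so `with_checksum()` converges in one pass; flipping any byte in the data section changes the computed value, which is exactly the mismatch the loader ignores for a user-mode console application.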
1 vote, 0 answers, 132 views
PE Explorer vs. Debugger differences
I injected shellcode into an executable. The entry point is set to the first shellcode instruction.
Shellcode: nop nop label: nop nop jmp label nop nop
which translates to: \x90\x90\x90\x90\xeb\xfc\x90\x90
...