Traces ancestry directly back to COFF files.
Uses PDB for debugging information.
Portable Executable (PE)
Readings
Tools/Software
Loaders
- DreamLoader: Simple 32/64-bit PEs loader
- In-Memory PE Loader: A very simple PE loader for loading DLLs into memory without using LoadLibrary
Packers
- Amber: Reflective PE packer
- fasm_packer: PE Packer written in x86 assembly (FASM syntax)
- pe_armor: Metamorphic PE packer generated and assembled by a Python code
- squishy: a modern pc 64k intro packer
Talks
- 2018 - Reflective PE Unloading
- 2018 - DEF CON 26 - Relocation Bonus
- 2013 - 44Con 2013 - Exploring the Portable Executable format - Ange Albertini
- 2013 - NoVA Hackers - 2013-03-11 - Joshua Pitts - Backdooring Win32 Portable Executables
- 2012 - Hack in Paris 2012 - Ange Albertini A Bit More of PE
- 2012 - Hashdays 2012 - Byte-ing the PE that fails you - Ange Albertini
- 2011 - Berlinsides - x86 & PE - Ange Albertini - https://speakerdeck.com/ange/x86-and-pe
- 2011 - BlackHat 2011 - Constant Insecurity: Things you didn’t know about (PE) Portable Executable file format
Dynamic Link Libraries
DLLs are Win32 libraries, loaded and linked at runtime (hence the name), built on top of the Portable Executable format. In the PE file format, a DLL and an EXE differ by basically one byte, which indicates whether the file is an executable (and therefore has a main()-style entry point) or not.
Readings
Tools/Software
Talks
- 2017 - Everything You Ever Wanted to Know about DLLs
- 2017 - Memory-Based Library Loading: Someone Did That Already
Tags:
format
native
windows
pdb
pe
Last modified 07 October 2024