PE: Difference between revisions

2,622 bytes added, 3 years ago
(→‎Section header: Fixed typo in struct member name)
m (added Signed PE)
=== Data Directories ===
Technically part of the optional header, and following directly after it, is a list of entries pointing to data directories (only in executable images and DLLs). Because the optional header can vary in size, you only need to pay attention to the directories that exist and that you expect, since it is likely that new data directories will be added to the PE specification in the future (.Net is an example of one that was recently added). Each data directory is referenced by an 8-byte entry in the optional header. The first 4 bytes are the Relative Virtual Address, or RVA (see Sections below), of the directory, and the last 4 bytes are the size of the directory.
 
Each data directory that the entries point to has its own format. Data directories are used to describe import tables for dynamic linking, a table of resources embedded inside the PE file, debug information (line numbers and breakpoints), and the CLI .Net header.
 
{| class="wikitable"
! Position (PE/PE32+)
! Section
|-
| 96/112 || The export table address and size. Same format as .edata
|-
| 104/120 || The import table address and size. Same format as .idata
|-
| 112/128 || The resource table address and size. Same format as .rsrc
|-
| 120/136 || The exception table address and size. Same format as .pdata
|-
| 128/144 || The attribute certificate table offset (not RVA) and size. See [https://wiki.osdev.org/PE#Signed_PE_with_Attribute_Certificate_Table Signed PE] below
|-
| 136/152 || The base relocation table address and size. Same format as .reloc
|-
| 144/160 || The debug data starting address and size. Same format as .debug
|-
| 152/168 || Architecture, reserved MBZ
|-
| 160/176 || Global Ptr, the RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero.
|-
| 168/184 || The thread local storage (TLS) table address and size. Same format as .tls
|}
 
== Sections ==
Because addresses can point across section borders, relocations should be done after every section has been loaded into memory. Then iterate over each section again, walk each address in the Relocation Table, find out which section that RVA lies in, and add/subtract the difference between that section's linked virtual address and the virtual address you actually loaded it at.
 
== Signed PE with Attribute Certificate Table ==
Many PE executables (most notably all Microsoft updates) are signed with a certificate. This information is stored in the Attribute Certificate Table, pointed to by the Data Directory's 5th entry. Note that for the Attribute Certificate Table no RVA is stored, but a plain file offset. The table is a sequence of concatenated signatures, each with the following structure:
 
{| class="wikitable"
! Offset
! Size
! Field
! Description
|-
| 0 || 4 || dwLength || Specifies the length of the attribute certificate entry.
|-
| 4 || 2 || wRevision || Contains the certificate version number, magic 0x0200 (WIN_CERT_REVISION_2_0)
|-
| 6 || 2 || wCertificateType || Specifies the type of content in bCertificate, magic 0x0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA)
|-
| 8 || x || bCertificate || Contains a PKCS#7 SignedData structure
|}
 
For [https://wiki.osdev.org/EFI#Secure_Boot Secure Boot] under [[EFI]] such a signature is a must. It is worth noting that the PE format allows multiple certificates to be embedded in a single PE file, but UEFI firmware implementations usually only '''allow one''', which must be signed by the Microsoft KEK. If the firmware allows installing more KEKs (not typical), then you can use other certificates as well.
 
The bCertificate data is a PKCS#7 signature with certificate, encoded in ASN.1 format. Microsoft uses signtool.exe to create these signature entries, but an Open Source solution exists, called [git://kernel.ubuntu.com/jk/sbsigntool.git sbsigntool] (also available on [https://github.com/imedias/sbsigntool github] with debian packaging).
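As an added example (not code from this wiki page or from any tool it names), the following Python locates the 5th data directory entry using the PE/PE32+ positions from the Data Directories table above, then walks the concatenated WIN_CERTIFICATE entries at that raw file offset. The sample image and its fake bCertificate blobs are constructed, and the 8-byte padding between entries comes from the PE/COFF specification rather than from this page.

```python
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
# Position of the attribute certificate entry inside the optional header (PE / PE32+).
CERT_DIR_POS = {0x10B: 128, 0x20B: 144}

def certificate_table_entry(image: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table (offset, not RVA)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE\0\0 and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in CERT_DIR_POS:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<II", image, opt + CERT_DIR_POS[magic])

def parse_attribute_certificates(image: bytes, offset: int, size: int):
    """Walk the concatenated WIN_CERTIFICATE entries, bounds-checking every dwLength."""
    end = offset + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], offset
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated WIN_CERTIFICATE header")
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("dwLength %d does not fit in the table" % length)
        entries.append({"revision": revision, "type": ctype,
                        "pkcs7": image[pos + 8:pos + length],
                        "signed_data": revision == WIN_CERT_REVISION_2_0
                                       and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA})
        pos += (length + 7) & ~7   # entries are padded to 8-byte boundaries (PE/COFF spec)
    return entries

def _cert(blob, rev=WIN_CERT_REVISION_2_0, typ=WIN_CERT_TYPE_PKCS_SIGNED_DATA):
    """Build one padded WIN_CERTIFICATE entry around a (fake) bCertificate blob."""
    hdr = struct.pack("<IHH", 8 + len(blob), rev, typ)
    return hdr + blob + b"\0" * (-(8 + len(blob)) % 8)

def build_sample_image():
    """Constructed sample: a header-only PE32+ image with two fake certificate entries."""
    table = _cert(b"\x30\x03\x02\x01\x05") + _cert(b"\x30\x00", typ=0x0001)
    img = bytearray(0x100)
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 144, 0x100, len(table))    # 5th entry: offset + size
    return bytes(img) + table
```

Only the second check (revision 0x0200 and type 0x0002) tells you the blob is a PKCS#7 SignedData structure worth handing to a verifier; the blob itself is not validated here.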
 
== CLI / .Net ==