Typical Windows programs are in the Portable Executable (PE) format. It is portable because it contains the information, resources, and references to dynamic-link libraries (DLLs) that allow Windows to load and execute the machine code.
In this workshop we will be focusing on user-mode applications.
In user mode, an application starts a user-mode process which comes with its own private virtual address space and handle table.
In kernel mode, applications share virtual address space.
This diagram shows the relationship of application components for user-mode and kernel-mode.
The PE header provides information to the operating system on how to map the file into memory. The executable code has designated regions (sections) that each require a different memory protection (some combination of read, write and execute, RWX).
This diagram shows how this header is broken up.
Here is a hex dump of the PE header we will be working with.
This diagram illustrates how the PE is placed into memory.
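As an added example (not part of the workshop's own material), here is a minimal parser that walks the DOS header, PE signature, COFF/optional headers and section table, and reports where each section lands in memory and with what protection. Field offsets follow the PE specification; the sample bytes are constructed inline and are headers only, not a real program.

```python
import struct

# IMAGE_SCN_MEM_* characteristics bits from the PE specification
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional headers -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)          # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                        # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B                                  # 0x10B = PE32, 0x20B = PE32+
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    if pe32plus:
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        name, vsize, rva, raw_size, raw_ptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        prot = ("R" if chars & SCN_READ else "-") + ("W" if chars & SCN_WRITE else "-") \
             + ("X" if chars & SCN_EXECUTE else "-")
        sections.append({"name": name.rstrip(b"\0").decode(), "va": image_base + rva,
                         "vsize": vsize, "file_off": raw_ptr, "raw_size": raw_size, "prot": prot})
    return {"machine": machine, "pe32plus": pe32plus,
            "entry": image_base + entry_rva, "sections": sections}

def wx_sections(info: dict) -> list:
    """Names of sections mapped both writable and executable (worth flagging when reviewing a binary)."""
    return [s["name"] for s in info["sections"] if s["prot"] == "RWX"]

def build_sample() -> bytes:
    """Constructed minimal PE32+ header set (headers only, no code) with .text and .data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1000)                    # entry point RVA
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + coff + bytes(opt) + text + data
```

Calling `parse_pe(build_sample())` returns the entry address and, per section, its file offset, mapped virtual address and R/W/X protection; pass it the bytes of a real file to see the same fields for that binary.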
This diagram represents a typical stack frame.