Malware Unicorn

twitter: @malwareunicorn
Company: Endgame, Inc.


Section 1.2: Fundamentals

Anatomy of a Windows PE C program

Typical Windows programs are in the Portable Executable (PE) format. The file is "portable" in the sense that it carries everything the Windows loader needs, including headers, sections, resources, and references to dynamic-link libraries (DLLs), so that Windows can map the file into memory and execute the machine code.


Windows Architecture

In this workshop we will be focusing on user-mode applications.

User Mode vs. Kernel Mode [1]

This diagram shows the relationship between application components in user mode and kernel mode. User-mode code runs with restricted privileges and reaches the kernel only through system calls, which are wrapped by DLLs such as ntdll.dll and kernel32.dll; this is why a program's DLL imports are such a useful starting point when reversing it.

PE Header

The PE headers tell the operating system how to map the file into memory. The file is divided into sections (for example .text for code and .data for writable data), and each section header carries characteristics flags that request a different memory protection (read, write, execute, i.e. RWX) for that region once it is mapped. Code is normally mapped readable and executable but not writable; data is mapped readable and writable but not executable.

This diagram shows how this header is broken up.


Here is a hex dump of the PE header of the sample we will be working with.


Memory Layout

This diagram illustrates how the PE is placed into memory.
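To make the header layout and the memory layout concrete, here is a small PE header walker. It is an example added to this page, not the workshop's own code, and it does not parse the binary from the hex dump above: it builds a synthetic PE32 image in memory (constructed test data, not a real program), walks the DOS header, PE signature, COFF file header, optional header and section table, and reports where each section lands once ImageBase is added and which protection its characteristics request. The RVA-to-file-offset helper is the conversion you do by hand when matching an address in a debugger to a byte in the file, and the W+X check flags sections that are both writable and executable, a common trait of packed or self-modifying malware (the constants and offsets are the documented PE layout; the sample values such as ImageBase 0x400000 are arbitrary).

```python
"""Minimal PE header walker. Added example; not the workshop's code."""
import struct

# Section characteristics flags from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def protection_string(flags):
    """Render section characteristics as an RWX triple, e.g. 'R-X'."""
    return ("R" if flags & IMAGE_SCN_MEM_READ else "-") + \
           ("W" if flags & IMAGE_SCN_MEM_WRITE else "-") + \
           ("X" if flags & IMAGE_SCN_MEM_EXECUTE else "-")


def parse_pe(data):
    """Parse the headers needed to understand how the file is mapped."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of PE\0\0
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # COFF file header (20 bytes)
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):                                     # 40-byte section headers
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_offset": rawptr, "raw_size": rawsize,
            "mapped_at": image_base + va,                     # where it lands in memory
            "protection": protection_string(flags), "flags": flags,
        })
    return {"machine": machine, "is_pe32plus": magic == PE32PLUS_MAGIC,
            "image_base": image_base, "entry_point": entry, "sections": sections}


def section_for_rva(pe, rva):
    """Find the section that contains a relative virtual address."""
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s
    return None


def rva_to_file_offset(pe, rva):
    """Translate an in-memory RVA back to the byte offset in the file on disk."""
    s = section_for_rva(pe, rva)
    if s is None or rva - s["virtual_address"] >= s["raw_size"]:
        return None
    return s["raw_offset"] + (rva - s["virtual_address"])


def suspicious_sections(pe):
    """Sections requesting both write and execute: worth a second look."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in pe["sections"] if s["flags"] & wx == wx]


def build_sample_pe():
    """Constructed PE32 image (headers plus two sections); not a real program."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    opt_size = 224                                            # PE32 optional header incl. 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 16, 0x1000, 0x1000, 0x2000)  # entry, BaseOfCode, BaseOfData
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2); struct.pack_into("<I", opt, 92, 16)  # subsystem, dir count
    def sec(name, va, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, rawptr, 0, 0, 0, 0, flags)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) \
        + sec(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE) \
        + sec(b".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    text_raw = b"\xC3".ljust(0x200, b"\0")                    # a lone 'ret' at the entry point
    data_raw = b"sample data".ljust(0x200, b"\0")
    return hdr.ljust(0x200, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    print(f"ImageBase {pe['image_base']:#x}  entry RVA {pe['entry_point']:#x}")
    for s in pe["sections"]:
        print(f"{s['name']:8} file {s['raw_offset']:#06x} -> mem {s['mapped_at']:#010x} {s['protection']}")
    print("entry byte:", hex(sample[rva_to_file_offset(pe, pe["entry_point"])]))
    print("W+X sections:", suspicious_sections(pe))
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. Note the walker reads only the fields the workshop discusses; it does not validate alignment or the data directories, so treat it as a teaching aid rather than a replacement for a full parser.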

The Stack

This diagram represents a typical stack frame. Each function call gets its own frame holding the arguments pushed by the caller, the return address pushed by the call instruction, the saved frame pointer, and the callee's local variables; on x86 the stack grows toward lower addresses, so locals sit just below the saved frame pointer and return address.
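The following is an added example, not code from the workshop, that models a 32-bit x86 stack frame in a byte array so the EBP-relative slots in the diagram can be read back: it emulates argument pushes, the call instruction, and the standard prologue (push ebp / mov ebp, esp / sub esp, N), then shows what happens when a local buffer is written past its end. The stack address, return address and argument values are constructed for illustration and do not come from any real binary.

```python
"""Toy model of an x86 (32-bit) stack frame. Added example; not the workshop's code."""
import struct

STACK_TOP = 0x0019FF00     # constructed: highest address of our toy stack region
STACK_SIZE = 0x100         # 256 bytes is plenty for one frame


class Stack:
    """Byte-addressable stack with ESP/EBP; the stack grows toward lower addresses."""

    def __init__(self):
        self.mem = bytearray(STACK_SIZE)
        self.esp = STACK_TOP
        self.ebp = 0

    def _idx(self, addr, size=4):
        base = STACK_TOP - STACK_SIZE
        if not (base <= addr and addr + size <= STACK_TOP):
            raise IndexError(f"address {addr:#x} outside toy stack")
        return addr - base

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, self._idx(addr))[0]

    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, self._idx(addr), value & 0xFFFFFFFF)

    def write_bytes(self, addr, data):
        i = self._idx(addr, len(data))
        self.mem[i:i + len(data)] = data

    def push(self, value):            # push: ESP -= 4, then store
        self.esp -= 4
        self.write32(self.esp, value)

    def call(self, return_address):   # call: pushes the address of the next instruction
        self.push(return_address)

    def prologue(self, locals_size):  # push ebp / mov ebp, esp / sub esp, N
        self.push(self.ebp)
        self.ebp = self.esp
        self.esp -= locals_size


def build_frame(arg1, arg2, return_addr=0x00401234, locals_size=8):
    """Caller pushes args right to left (cdecl), calls, callee runs its prologue."""
    st = Stack()
    st.ebp = 0x0019FFC0               # constructed: the caller's frame pointer
    st.push(arg2)
    st.push(arg1)
    st.call(return_addr)
    st.prologue(locals_size)
    return st


def frame_layout(st):
    """Read the classic EBP-relative slots of the current frame."""
    return {
        "arg2": st.read32(st.ebp + 12),
        "arg1": st.read32(st.ebp + 8),
        "return_address": st.read32(st.ebp + 4),
        "saved_ebp": st.read32(st.ebp),
        "local_buffer": st.read32(st.ebp - 8),
    }


def overwrite_local_buffer(st, payload):
    """Copy payload into the 8-byte local at [ebp-8] with no length check
    (the bug a strcpy-style copy has) and return the slots it clobbered."""
    st.write_bytes(st.ebp - 8, payload)
    return frame_layout(st)


if __name__ == "__main__":
    st = build_frame(1, 2)
    for slot, value in frame_layout(st).items():
        print(f"{slot:15} {value:#010x}")
    after = overwrite_local_buffer(st, b"A" * 16)
    print(f"after 16-byte copy: saved_ebp={after['saved_ebp']:#x} ret={after['return_address']:#x}")
```

The 8-byte local sits directly below the saved EBP and the return address, so a 16-byte copy into it walks straight through both; that adjacency is what makes the stack frame layout worth memorizing before reading the assembly in the next section.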
