I have a memory dump with different PE files inside. There are two types of PE files: "Raw"/not mapped – the same as on disk (probably the program just read/decrypted it into memory); and mapped image, where we have aligned/increased section/header sizes. I’m looking for such PE files using signatures MZ + PE + some other ..
How to get the very last byte of a PE (portable executable) file (Windows, e.g. an exe file)? A PE executable can have some bytes appended to the end (e.g. by malware); I want the very last byte before that, using all those IMAGE_NT_HEADERS and IMAGE_DOS_HEADERS… Let’s assume that the PE is not signed. Source: Windows..
I was trying to add a TLS directory to a PE file which didn’t have a TLS directory when it was compiled. I added the virtual address of the structure to OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS], but it gives me an exception when I try to inject that PE (.dll) into a process (STATUS_ACCESS_VIOLATION at LdrpAllocateTlsEntry; it tries to access ..
PIMAGE_NT_HEADERS ntheaders = (PIMAGE_NT_HEADERS)(PCHAR(virtualpointer) + PIMAGE_DOS_HEADER(virtualpointer)->e_lfanew); In the code above, virtualpointer points to a memory location that has a PE file loaded. I want to know why virtualpointer is in brackets after PIMAGE_DOS_HEADER. How does it handle the pointer, and how does e_lfanew get its value? I ..
I want to convert my binaries into a 256 bit per pixel visualization. My goal is to compare different binaries this way. Because I only want to compare the content of the binary and not the header, I want to remove it. How can I remove the PE header from an x86 binary? What marks ..
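The three questions above (carving raw versus mapped PE images out of a memory dump, finding where a PE proper ends so an appended overlay can be cut off, and locating the end of the headers so only the section contents remain) all reduce to walking IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and the section table. The following is an added example written for this page, not code from any of the posters: a standard-library-only Python parser that does all three. The sample PE it operates on is constructed inline (it is not a real binary), and the raw/mapped test is a heuristic assumed by this example rather than a rule from the PE specification.

```python
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Attribute Certificate Table; its "VirtualAddress" is a file offset
MAX_SECTIONS = 96                    # the Windows loader rejects images with more sections than this


def parse_pe(buf, base=0):
    """Hand-parse IMAGE_DOS_HEADER / IMAGE_NT_HEADERS / section table at buf[base:].
    Returns None unless both the MZ and PE\\0\\0 signatures are present and the headers fit."""
    try:
        if buf[base:base + 2] != DOS_MAGIC:
            return None
        nt = base + struct.unpack_from("<I", buf, base + 0x3C)[0]          # e_lfanew
        if buf[nt:nt + 4] != PE_MAGIC:
            return None
        num_sections = struct.unpack_from("<H", buf, nt + 6)[0]
        size_opt = struct.unpack_from("<H", buf, nt + 20)[0]               # SizeOfOptionalHeader
        if num_sections == 0 or num_sections > MAX_SECTIONS:
            return None
        opt = nt + 24                                                      # IMAGE_OPTIONAL_HEADER
        pe32plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B          # 0x10B = PE32, 0x20B = PE32+
        image_base = (struct.unpack_from("<Q", buf, opt + 24)[0] if pe32plus
                      else struct.unpack_from("<I", buf, opt + 28)[0])
        section_align, file_align = struct.unpack_from("<II", buf, opt + 32)
        size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
        dd = opt + (112 if pe32plus else 96)                               # DataDirectory[] start
        num_dirs = struct.unpack_from("<I", buf, dd - 4)[0]                # NumberOfRvaAndSizes
        security = (0, 0)
        if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            security = struct.unpack_from("<II", buf, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        sections = []
        for i in range(num_sections):                                      # 40-byte IMAGE_SECTION_HEADERs
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, opt + size_opt + 40 * i)
            sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                             "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    except struct.error:                                                   # headers run past the buffer
        return None
    return {"base": base, "pe32plus": pe32plus, "image_base": image_base, "section_align": section_align,
            "file_align": file_align, "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "security": security, "sections": sections}


def layout(pe, buf):
    """Heuristic (this example's assumption, not a spec rule): in a raw file a section's bytes sit at
    PointerToRawData and the VirtualAddress location is normally unused; in a mapped image they sit at
    VirtualAddress and the file-offset location is zero padding after the headers."""
    votes, b = {"raw": 0, "mapped": 0}, pe["base"]
    for s in pe["sections"]:
        if s["rawsize"] == 0 or s["rawptr"] == s["va"]:
            continue                                   # this section cannot tell the two layouts apart
        at_raw = buf[b + s["rawptr"]: b + s["rawptr"] + 16]
        at_va = buf[b + s["va"]: b + s["va"] + 16]
        if any(at_raw) and not any(at_va):
            votes["raw"] += 1
        elif any(at_va) and not any(at_raw):
            votes["mapped"] += 1
    if votes["raw"] == votes["mapped"]:
        return "ambiguous"
    return "raw" if votes["raw"] > votes["mapped"] else "mapped"


def pe_end_offset(pe):
    """First byte past the PE proper in RAW layout: the largest of SizeOfHeaders, every section's raw-data
    end and, for signed files, the end of the certificate table (a file offset). Anything beyond this is
    overlay. For a mapped image the extent is pe["size_of_image"] instead."""
    end = max([pe["size_of_headers"]] + [s["rawptr"] + s["rawsize"] for s in pe["sections"]])
    sec_off, sec_size = pe["security"]
    return max(end, sec_off + sec_size) if sec_size else end


def split_raw_image(buf, pe):
    """(headers, section bodies, overlay) of a raw-layout PE file held in buf starting at pe["base"]."""
    b = pe["base"]
    end = b + pe_end_offset(pe)
    return buf[b:b + pe["size_of_headers"]], buf[b + pe["size_of_headers"]:end], buf[end:]


def find_pes(buf):
    """Carve every MZ whose e_lfanew leads to a valid PE\\0\\0 out of a blob such as a memory dump."""
    hits, pos = [], buf.find(DOS_MAGIC)
    while pos != -1:
        pe = parse_pe(buf, pos)
        if pe:
            hits.append(pe)
        pos = buf.find(DOS_MAGIC, pos + 1)
    return hits


def build_sample_pe(mapped=False, overlay=b""):
    """Constructed test input, not a real binary: a PE32 with .text and .data, either in raw file layout
    (FileAlignment 0x200) or laid out as the loader would map it (SectionAlignment 0x1000)."""
    e_lfanew, size_of_image = 0x80, 0x3000
    #        name     VirtualSize VirtualAddress SizeOfRawData PointerToRawData Characteristics
    secs = [(b".text", 0x100,      0x1000,        0x200,        0x200,           0x60000020),
            (b".data", 0x040,      0x2000,        0x200,        0x400,           0xC0000040)]
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)   # i386, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    img = bytearray(size_of_image if mapped else 0x600)
    hdr = bytes(dos) + PE_MAGIC + file_hdr + bytes(opt) + table
    img[:len(hdr)] = hdr
    for n, vs, va, rs, rp, ch in secs:
        body = (b"\xCC" if n == b".text" else b"A") * vs    # constructed section contents
        off = va if mapped else rp
        img[off:off + vs] = body
    return bytes(img) + overlay
```

For a file on disk, `split_raw_image` gives the header-free body (everything from SizeOfHeaders to the last section's raw end) and whatever was appended after it; when a file is Authenticode-signed the certificate table lives past the last section and is counted as part of the image, which is why `pe_end_offset` consults the security directory even though the question above assumes an unsigned file. For a memory dump, run `find_pes` and then `layout` on each hit; a mapped hit spans `size_of_image` bytes from its base, a raw one spans `pe_end_offset`, and when FileAlignment equals SectionAlignment the two layouts are indistinguishable and the function says so.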
To clarify, my specific confusion is centered around the fact that all instructions in a PE executable are written assuming the base image address is 00400000. However, when debugging an executable, the addresses used adapt to whatever base image address is decided at runtime. I have opened a simple process at a base image ..
So after debugging a few executables in windbg I saw that sometimes the module name was different from the image name. Upon first loading the executable and setting a breakpoint before the entry point, the lmDvm command shows this: start end module name 00a30000 00a38000 Injection C (no symbols) Loaded symbol image file: C:\Users\user\Downloads\Bird.exe Image ..
So after debugging a few executables in windbg I saw that sometimes the module name was different from the image name. Upon first loading the executable and setting a breakpoint before the entry point, the lm vm command shows this: start end module name 00a30000 00a38000 Injection C (no symbols) Loaded symbol image file: C:\Users\user\Downloads\Bird.exe ..
I am trying to execute and test Python code that checks whether a PE file is malicious or legitimate, but I am unable to get PE files for testing. I am trying to do something like this. Source: Windows..
I am trying to execute and test Python code that checks whether a PE file is malicious or legitimate. It requires PE files; how can you generate a .pe file? Is it possible to convert a .exe to .pe? If so, how? Source: Windows..