

Microsoft has thoroughly documented the format of PE files (as well as the Common Object File Format, or COFF, found on VAX/VMS systems) and has made that documentation public. Microsoft has also made most of the structures used within the file headers publicly available, as part of the documentation for the ImageHlp API structures. With this and other resources, we can understand the structure of a PE file, delve into its depths, and extract information that may be of use to us during an investigation.

A PE file can be broken down into several areas of interest (I hesitate to say "sections," as we will be using that term for a specific purpose in our discussion). The first, and perhaps most important, part of a PE file (if not the most important, then one of the best bits of geek trivia) is the file signature. For executable files on Windows systems, the file signature consists of the letters MZ, found in the first two bytes of the file. As noted earlier in the topic, these two letters are the initials of Mark Zbikowski, the Microsoft architect credited with designing the executable file format. However, as you'll see, it takes much more than those two letters and an ".exe" at the end of the file name to make a file executable.

Mark's initials are the signature for a 64-byte structure called the IMAGE_DOS_HEADER. The important elements of this structure are the first two bytes (the "magic number": the bytes 4D 5A, which read as MZ in ASCII and as 0x5a4d when interpreted as a little-endian WORD) and the last DWORD (4-byte) value, located at offset 0x3c, which is referred to as e_lfanew. This value is defined in the ntimage.h header file as the file address (offset) of the new EXE header; that is, the offset at which we should find the signature ("PE\0\0", or 0x00004550 as a little-endian DWORD) for the beginning of the IMAGE_NT_HEADERS structure. The e_lfanew value points to the location of the PE header, enabling Windows to properly execute the image file. A file that carries MZ but whose e_lfanew does not land on that signature is not a PE image, regardless of its extension.
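The following Python is an added example, not code from the book or from Microsoft, showing how the two checks just described are applied in practice: read the MZ magic, follow e_lfanew, and confirm that "PE\0\0" is where it should be. The sample inputs at the bottom are constructed byte strings (a well-formed PE header, a DOS-only MZ file whose e_lfanew lands on zeros, a truncated file, and a non-MZ file), not real binaries; the function names parse_dos_header, locate_nt_headers and classify are my own. Only the constant names are Microsoft's.

```python
import struct

# Constants from winnt.h / ntimage.h (these names are Microsoft's).
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" as a little-endian WORD: bytes 4D 5A
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" as a little-endian DWORD
IMAGE_DOS_HEADER_SIZE = 64        # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C            # e_lfanew: the last 4-byte member of the DOS header


class PEFormatError(ValueError):
    """The buffer does not carry the headers the Windows loader would require."""


def parse_dos_header(data: bytes) -> dict:
    """Validate IMAGE_DOS_HEADER and return e_magic, e_lfanew and any anomalies."""
    if len(data) < IMAGE_DOS_HEADER_SIZE:
        raise PEFormatError(f"only {len(data)} bytes: too short for IMAGE_DOS_HEADER")
    e_magic = struct.unpack_from("<H", data, 0)[0]
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise PEFormatError(f"e_magic is 0x{e_magic:04x}, expected 0x5a4d (MZ)")
    # e_lfanew is declared LONG (signed 32-bit), so unpack it as signed.
    e_lfanew = struct.unpack_from("<i", data, E_LFANEW_OFFSET)[0]
    # The loader dereferences e_lfanew, so it must fall inside the file with
    # room for the 4-byte NT signature; anything else cannot be a loadable PE.
    if e_lfanew < 0 or e_lfanew + 4 > len(data):
        raise PEFormatError(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    anomalies = []
    # e_lfanew below 0x40 makes IMAGE_NT_HEADERS overlap the DOS header itself.
    # Windows tolerates it, but no normal compiler emits it: flag it in a report.
    if e_lfanew < IMAGE_DOS_HEADER_SIZE:
        anomalies.append("e_lfanew overlaps IMAGE_DOS_HEADER")
    return {"e_magic": e_magic, "e_lfanew": e_lfanew, "anomalies": anomalies}


def locate_nt_headers(data: bytes) -> int:
    """Follow e_lfanew and confirm 'PE\\0\\0' is there; return that file offset."""
    off = parse_dos_header(data)["e_lfanew"]
    sig = struct.unpack_from("<I", data, off)[0]
    if sig != IMAGE_NT_SIGNATURE:
        raise PEFormatError(
            f"no PE signature at e_lfanew 0x{off:x}: found {data[off:off + 4]!r}")
    return off


def classify(data: bytes) -> str:
    """One-line verdict suitable for a triage report."""
    try:
        off = locate_nt_headers(data)
    except PEFormatError as exc:
        return f"not a PE image: {exc}"
    return f"PE image, IMAGE_NT_HEADERS at 0x{off:x}"


def _build_sample(e_lfanew: int, nt_signature: bytes) -> bytes:
    """Constructed input: MZ header, zero-filled DOS stub, and nt_signature at e_lfanew."""
    body = bytearray(max(e_lfanew + 24, IMAGE_DOS_HEADER_SIZE))
    body[0:2] = b"MZ"
    struct.pack_into("<i", body, E_LFANEW_OFFSET, e_lfanew)
    body[e_lfanew:e_lfanew + 4] = nt_signature
    return bytes(body)


# Constructed samples (not real binaries): a well-formed PE header, a DOS-only MZ
# executable whose e_lfanew lands on data rather than "PE\0\0", a truncated file,
# and a file that is not MZ at all.
SAMPLE_PE = _build_sample(0x80, b"PE\0\0")
SAMPLE_DOS_ONLY = _build_sample(0x40, b"\x00\x00\x00\x00")
SAMPLE_TRUNCATED = SAMPLE_PE[:0x30]
SAMPLE_NOT_MZ = b"\x7fELF" + bytes(60)

if __name__ == "__main__":
    for name, blob in [("pe", SAMPLE_PE), ("dos-only", SAMPLE_DOS_ONLY),
                       ("truncated", SAMPLE_TRUNCATED), ("elf", SAMPLE_NOT_MZ)]:
        print(f"{name:10} {classify(blob)}")
```

Run it against a file by passing open(path, "rb").read() to classify(). The bounds check before dereferencing e_lfanew matters on real evidence: a carved or deliberately malformed file can carry a valid MZ with an e_lfanew far past the end of the data, and a parser that trusts the value will throw an index error or, in a native tool, read out of bounds.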
