exploiting:theory:start
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| exploiting:theory:start [2020/01/02 11:04] – titannet | exploiting:theory:start [2020/01/02 11:44] (current) – titannet | ||
|---|---|---|---|
| Line 97: | Line 97: | ||
| </ | </ | ||
| + | |||
| + | < | ||
| + | Magic -> 32 or 64 | ||
| + | AddressOfEntryPoints -> RVA of Entry Point (EP) ~ location of first instruction | ||
| + | BaseOfCode, BaseOfData -> Code and Data Sections | ||
| + | ImageBase -> Preferred VA for PE file in memory (default: 0x00400000 for .exe, 0x10000000 for DLLs) | ||
| + | SectionAlignment, | ||
| + | SizeOfImage -> MemorySize of PE file at runtime, must be multiple of SectionAlignment | ||
| + | </ | ||
| + | |||
| + | DataDirectory Array: | ||
| + | <code c> | ||
| + | typedef struct _IMAGE_DATA_DIRECTORY { | ||
| + | DWORD VirtualAddress; | ||
| + | DWORD Size; | ||
| + | } IMAGE_DATA_DIRECTORY, | ||
| + | |||
| + | * 16 Data Directory Structures per default htat point to RVA and size of specific data inside PE image on runtime. | ||
| + | * Example: ExportTableAddress (exported functions), ImportTableAddress (imported functions), ResourceTable (embedded resources), ImportAddressTable (IAT, runtime addresses of imported functions) | ||
| + | |||
| + | |||
| + | |||
| + | </ | ||
exploiting/theory/start.1577959450.txt.gz · Last modified: 2020/01/02 11:04 by titannet