The x86-64 architecture is taking over from IA32 CPUs – but this should not come as a surprise, especially since major operating system players have been supporting it for years already. Of course, malware authors are aware of this revolution and thus they target executable files running natively on AMD64-compatible architectures and operating platforms. One of the most complex (and flexible) executable formats in the 64-bit world is Microsoft Windows PE32+ (since the name is a bit misleading, we will refer to it as ‘PE+’ in the rest of this article). Due to the closed-source nature of Windows, the best and most advanced debuggers and anti-debugging techniques have been developed for the Win32/64 world. Linux and BSD systems lag behind, while embedded systems for the mobile market such as Android and iOS are catching up in this area.

While not all packers/obfuscators have been upgraded to handle 64-bit executable formats, there are a lot of tools that can handle both Windows PE+ files and ELF 64-bit files. In this tutorial I will describe some of the main differences between the PE and PE+ file formats from the perspective of the binary unpacking process.

The PE+ file format is a bit like the good old 32-bit Windows PE format on steroids. If you thought you would only be able to execute a PE(+) file after successfully booting into Windows (you don’t have to log in successfully since Windows service files are also PE(+) executables internally), you would be wrong. The PE(+) file format is supported by the UEFI specification, so it is possible to execute UEFI PE files even before the target operating system or hypervisor starts. There is one important note: UEFI expects the PE+ file format even on 32-bit architecture, and furthermore it uses just a subset of PE+ features. In turn, the PE+ file format contains a special flag to mark it as UEFI executable. Other cases for loading Win32 PE or plain PE files are limited today mostly to some DOS-based embedded solutions. But wait a minute – isn’t DOS a 16-bit real-mode operating system, whose process loader is limited to handling 64KB COM files and MZ EXEs? How can it execute Windows 32-bit protected mode binaries? The answer is simple: DOS extenders. There are a couple of DOS extenders that offer Win32 PE support out of the box. If you thought that DOS and DOS extenders were part of the past, you would be wrong. Some DOS extenders are still actively being developed and supported: HX DOS Extender is a great example. HX provides a Win32 emulation layer to DOS and enables DOS to load 32-bit PE files.

Returning to our 64-bit version of PE: if you know the PE file format well, you won’t be surprised by changes introduced in PE+. The table below summarizes most of the basic ones:
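As an added example that is not part of the original article, the following Python script shows the header differences an unpacker has to respect: the optional-header Magic (0x10B vs 0x20B) decides whether ImageBase and the stack/heap sizes are 4 or 8 bytes wide and whether BaseOfData exists, while the Subsystem field (at the same offset in both layouts) carries the UEFI image types. The `build_sample` helper constructs header-only byte strings for the parser to read; they are not real binaries, and the field offsets are those of the PE/COFF specification.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "I386", 0x8664: "AMD64"}
# Subsystem values from the PE/COFF spec: 2/3 are Windows GUI/CUI, 10-13 are the UEFI image types
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 10: "EFI_APPLICATION",
              11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}

def parse_pe_headers(data):
    """Read the COFF and optional header; the Magic decides the PE32 vs PE32+ field layout."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:                   # PE32: BaseOfData present, ImageBase is 4 bytes at +28
        fmt, base_fmt, base_off, need = "PE32", "<I", 28, 96
    elif magic == PE32PLUS_MAGIC:             # PE32+: no BaseOfData, ImageBase is 8 bytes at +24
        fmt, base_fmt, base_off, need = "PE32+", "<Q", 24, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < need or len(data) < opt + need:
        raise ValueError("optional header truncated")
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    # Subsystem sits at +68 in both layouts; the stack/heap sizes after it widen to 8 bytes in PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    stack_reserve = struct.unpack_from(base_fmt, data, opt + 72)[0]
    return {"format": fmt, "machine": MACHINES.get(machine, hex(machine)),
            "image_base": image_base, "stack_reserve": stack_reserve,
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem), "uefi": 10 <= subsystem <= 13}

def build_sample(magic, machine, image_base, subsystem, stack_reserve=0x100000):
    """Constructed header-only sample (no sections, not loadable) used to exercise the parser."""
    plus = magic == PE32PLUS_MAGIC
    opt = bytearray(240 if plus else 224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<Q" if plus else "<I", opt, 24 if plus else 28, image_base)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<Q" if plus else "<I", opt, 72, stack_reserve)
    struct.pack_into("<I", opt, 108 if plus else 92, 16)   # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Calling `parse_pe_headers(build_sample(PE32PLUS_MAGIC, 0x8664, 0x140000000, 3))` reports the PE32+ layout with the full 64-bit ImageBase, and a subsystem of 10 marks the image as a UEFI application.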