#1
09-12-2010, 22:26
dila
PE Loader Questions

Hello, I have a number of questions about the PE file format, and what is considered a valid/loadable file by the OS.

Here are a few of my thoughts while coding a PE loader:

1) Is it possible that a valid executable can have overlapping sections?
2) Is it possible for a single code instruction to overflow into another section?
3) Is it possible to have executable code between two sections, and if so, what memory characteristics are given to data in such a region?

Regards!
#2
09-13-2010, 00:26
Archer
1. No.
2. Haven't seen, but I think, yes.
3. Sections must go butt-to-butt in virtual address space without gaps.
#3
09-13-2010, 03:45
gigaman
1. You don't say if you're talking about raw offsets/sizes (yes, the sections can overlap that way) or virtual addresses/sizes (I don't think they can).
2. Yes
3. Again, you should be more specific about what exactly you mean; gaps in addresses (probably not), gaps in raw data (certainly yes), uninitialized data at the end of sections (yes, those zeroes can be executed)
#4
10-24-2010, 03:42
pp2
1. Sections in file can overlap, sections in memory cannot. But they both can have gaps.
3. To execute your code between two pages correctly you must have at least the EXECUTABLE attribute on both pages (READ_EXECUTE on Intel x86); if not, the instruction will cause an exception. So, set the EXECUTABLE flag in the section attributes for both sections and execute code anywhere you want.
#5
10-24-2010, 04:14
Maximus
Quote:
But they both can have gaps.
hmmm?

If I remember well (played with this thing a long time ago), when I left an open gap between virtual sections I got punished by the winloader... are you sure about this?
#6
10-24-2010, 07:54
BoB
1. Yes
2. Sections, yes pages no
3. Whatever the protection of the section is - it is rounded up to the page size
#7
12-25-2010, 05:26
unknownone
Quote:
Originally Posted by dila

1) Is it possible that a valid executable can have overlapping sections?
2) Is it possible for a single code instruction to overflow into another section?
3) Is it possible to have executable code between two sections, and if so, what memory characteristics are given to data in such a region?

Regards!
1. Each PE section has more characteristics: the raw and RVA fields and some sizes. Raw is the offset of the section in the file and the RVA is an offset in memory where the section will be copied. The loader doesn't check if the raw data overlaps, as far as I know. Of course, there may be some checks in future Windows versions.
2. possible, if you have the section already rounded. needs testing.
3. Between 2 sections where? Inside the file or in memory? To exist in memory, it must be declared as a section, because the loader maps into memory only what it finds in the section headers.
#8
11-15-2011, 05:21
qkumba
1. File content can overlap, but section addresses cannot.
There cannot be gaps in section addresses in Windows NT+.
Only Windows 9x/Me allows gaps.
2. Yes, you can have the entire code cross lots of sections. No problem there.
3. If you mean after the end of one section and before the start of another section, then no - because there can be no gap. The characteristics for a section cover the entire section.
#9
11-16-2011, 15:29
V0ldemAr
A gap is possible when you have a section alignment larger than the page size.
An example can be found here: c:\Windows\SysWOW64\ntdll.dll section alignment is 0x10000 but the size of the committed header is 0x1000, so the first section starts at 0x10000 and there is a gap between 0x1000 and 0x10000, but you can't access that memory in any way since it's not committed and you can't commit it manually. Use VMMap to see how it looks: there are no protection flags and so on...
#10
11-18-2011, 01:28
qkumba
That's not a gap. We are talking about virtual addresses, like 0x1000 and then 0x3000. This is possible only in Windows 9x. On NT+, addresses must be sequential in memory.
Physical gaps are obviously possible on all of the platforms - you can have sections that contain no physical data, by setting SizeOfRawData to 0, and set the characteristics to non-readable so the region cannot be accessed, but that's not special.
#11
11-19-2011, 03:45
gigaman
Why isn't it a gap? I suppose we should define what a "gap" actually is first...

As the ntdll.dll example shows, when the virtual size of a section is considered rounded up to the section size (0x10000 in this case), then there really isn't any gap between the addresses. But since the PE loader actually rounds the virtual size up to the page size only (0x1000) when mapping the image, there are unallocated/inaccessible blocks of memory between the sections (and it has nothing to do with the physical size, SizeOfRawData; it's all about virtual addresses and sizes). I would probably call it a gap, but yes, it's a bit special.
#12
12-14-2011, 04:19
pp2
Quote:
Originally Posted by gigaman
But since the PE loader actually rounds the virtual size up to the page size only (0x1000) when mapping the image...
The PE loader rounds the virtual size to the "Section Alignment" value, which is specified in the header. On NT even user-space programs can have virtual alignment not only on 4096 bytes, but on 4 bytes, for example. The whole page is reserved in this case by the loader, and sections with different access rights must be aligned on physical page boundaries, because you cannot make the first 32 bytes just read/write and the other 32 bytes only read/executable.
#13
12-15-2011, 03:49
gigaman
No, it doesn't; check the example given above in a debugger or VMMap.
Note that we're talking about a case when section alignment, as specified in PE header, is actually bigger than one page.
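A small checker for the rules argued over in posts #8 to #13, added here as an example (not code from the thread or from any poster): it parses constructed IMAGE_SECTION_HEADER entries, reports file-range overlaps (legal, as several replies say), flags virtual addresses that are not contiguous once rounded to SectionAlignment, and lists the uncommitted pages that appear when SectionAlignment exceeds the 0x1000 page size, as in the ntdll.dll case. The contiguity rule and the page-rounded commit are assumed from the posters' description, not verified against a loader; the section table and sizes are constructed sample data.

```python
import struct
from collections import namedtuple

PAGE_SIZE = 0x1000
HDR_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER layout, 40 bytes
HDR_LEN = struct.calcsize(HDR_FMT)
Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_ptr")

def align_up(value, alignment):
    return -(-value // alignment) * alignment

def make_section_header(name, vsize, va, rawsize, rawptr, flags=0):
    """Build one IMAGE_SECTION_HEADER (constructed test data, not a real binary)."""
    return struct.pack(HDR_FMT, name.encode().ljust(8, b"\0"), vsize, va,
                       rawsize, rawptr, 0, 0, 0, 0, flags)

def parse_sections(table):
    out = []
    for off in range(0, len(table), HDR_LEN):
        f = struct.unpack_from(HDR_FMT, table, off)
        out.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"),
                           f[1], f[2], f[3], f[4]))
    return out

def raw_overlaps(sections):
    """Pairs whose file byte ranges intersect: legal, so only reported."""
    hits = []
    for i, a in enumerate(sections):
        for b in sections[i + 1:]:
            if (a.raw_size and b.raw_size and a.raw_ptr < b.raw_ptr + b.raw_size
                    and b.raw_ptr < a.raw_ptr + a.raw_size):
                hits.append((a.name, b.name))
    return hits

def virtual_layout(sections, size_of_headers, section_alignment):
    """(contiguity_errors, page_gaps) under the assumed NT+ rule: each VA equals the
    previous end rounded to SectionAlignment, but only page-rounded bytes are committed."""
    errors, gaps = [], []
    expected_va = align_up(size_of_headers, section_alignment)
    committed_end = align_up(size_of_headers, PAGE_SIZE)
    for s in sorted(sections, key=lambda s: s.virtual_address):
        if s.virtual_address != expected_va:
            errors.append((s.name, expected_va, s.virtual_address))
        if s.virtual_address > committed_end:        # uncommitted hole before s
            gaps.append((committed_end, s.virtual_address))
        committed_end = s.virtual_address + align_up(s.virtual_size, PAGE_SIZE)
        expected_va = s.virtual_address + align_up(s.virtual_size, section_alignment)
    return errors, gaps

# Constructed two-section table mimicking the 0x10000-aligned layout discussed above.
SAMPLE = (make_section_header(".text", 0x12345, 0x10000, 0x12400, 0x400)
          + make_section_header(".data", 0x800, 0x30000, 0x200, 0x400))
```

Running `virtual_layout(parse_sections(SAMPLE), 0x400, 0x10000)` reproduces the 0x1000..0x10000 hole from post #9 plus a second one after .text, while `raw_overlaps` shows the two sections sharing file bytes without breaking the virtual rule.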
#14
12-20-2011, 12:03
Killboy
I don't understand why they designed such a loose and bug-ridden format in the first place.
What's the point of having weird undocumented behaviour that dramatically affects compatibility and even worse, changes across OS versions.

Give this a read, if you haven't seen it already: http://reversinglabs.com/advisory/pecoff.php

If that doesn't make you curl up on the floor and weep like a 5-year-old, kudos to you, good sir.