security/Reversing Core Principles

Tiny PE analysis

민사민서 2023. 3. 11. 19:29

http://www.phreedom.org/research/tinype/

 

[97-byte PE]

- IMAGE_DOS_HEADER [0x00 ~ 0x3F]

1) e_magic = "MZ": the DOS signature is present

2) e_lfanew = NT header offset = 0x04

// PE files still need an MZ header, but the only two fields that are used are e_magic and e_lfanew. We can fill the rest of the MZ header with zeros (or use it for another purpose).

// The PE header cannot start at offset 0, because we need the first two bytes of the file to be "MZ". According to the PE specification, the PE header must be aligned on an 8-byte boundary, but the Windows loader requires only a 4-byte alignment. This means that the smallest possible value for e_lfanew is 4.

 

- DOS Stub

omitted

// remove the DOS stub that prints the message "This program cannot be run in DOS mode."

 

- PE Signature [0x4 ~ 0x8]

 

- IMAGE_FILE_HEADER [0x8 ~ 0x1B]

1) Machine = 0x14C (Intel 386)

2) NumberOfSections = 0x1

// The Windows loader calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header. However, the code that accesses the fields of the optional header never checks its size. We can set SizeOfOptionalHeader to a value smaller than the real size, and move the PE section into the optional header.

3) SizeOfOptionalHeader = 0x4

4) Characteristics = 0x103 // IMAGE_FILE_RELOCS_STRIPPED (0x1), IMAGE_FILE_EXECUTABLE_IMAGE (0x2), IMAGE_FILE_32BIT_MACHINE (0x100)

 

- IMAGE_OPTIONAL_HEADER [should span 0x1C ~ 0xFB, but because SizeOfOptionalHeader = 4 it is recognized as 0x1C ~ 0x1F]

1) Magic = 0x10B (IMAGE_NT_OPTIONAL_HDR32_MAGIC, PE32)

2) SizeOfCode = 0x4

3) AddressOfEntryPoint (RVA) = 0xC

4) ImageBase = 0x400000 (the default image base for an exe)

// The only field we need to be careful with is e_lfanew, which is at the same offset as SectionAlignment. Since e_lfanew must be 4, we have to set SectionAlignment to 4 as well.

5) SectionAlignment = 0x4 (in memory)

// The official PE specification states that the minimum file alignment is 512, but the Microsoft linker can produce PE files with smaller alignment. The Windows loader ignores the invalid alignment and is able to execute the file.

6) FileAlignment = 0x4 (in file)

7) SizeOfImage = 0x68

8) SizeOfHeaders = 0x64

9) Subsystem = 0x2 // 2 = GUI

// Only one byte of Subsystem is inside the file; SizeOfStackCommit, SizeOfHeapReserve and NumberOfRvaAndSizes are not within the file at all??

// The PE file is mapped on a 4KB memory page. Since the file is smaller than 4KB, the rest of the page is filled with zeros. If we remove the last few fields of the PE optional header from the file, the end of the structure will be mapped on a readable page of memory containing zeros. 0 is a valid value for the last seven fields of the optional header, allowing us to remove them and save another 26 bytes.

//The PE specification says that the number of data directories is specified in the NumberOfRvaAndSizes header field and the size of the PE optional header is variable. If we set NumberOfRvaAndSizes to 0 and decrease SizeOfOptionalHeader, we can remove the data directories from the file.

// The field at offset 0x60 from the beginning of the file is Subsystem, which must be set to 2. We cannot remove this field or get around it. This must be the smallest possible PE file. => 97 bytes

 

- IMAGE_SECTION_HEADER [0x20 ~ 0x48]

1) Name (8 bytes) = omitted

2) VirtualSize = 0x4

3) VirtualAddress = 0xC

4) SizeOfRawData = 0x4

5) PointerToRawData = 0xC

6) Characteristics = omitted

 

- Section Body [0xC ~ 0xF]

00401000: 6A 2A              push        2Ah
00401002: 58                 pop         eax
00401003: C3                 ret

 

// A disassembly of the .text section shows that the main function was optimized down to 4 bytes

For reference, AddressOfEntryPoint (RVA) = 0xC and SizeOfCode = 0x4, so the entry point is exactly these 4 bytes inside the file header.
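To make the overlapping layout concrete, here is an added Python example (not from the original post and not from the phreedom article) that builds a 97-byte buffer with the field values listed above and then parses it the way the loader does: it follows e_lfanew and SizeOfOptionalHeader, reads optional-header fields at their fixed offsets regardless of that size, treats any read past the end of the file as zero (the rest of the 4 KB page), and returns the header anomalies a PE scanner would want to flag. Fields the post does not list are left at zero, except MajorSubsystemVersion, which is set as an assumption here; the example does not check whether the buffer actually loads on any Windows version.

```python
import struct

FILE_SIZE = 97  # 0x61 bytes: offsets 0x00..0x60, so only the low byte of Subsystem is in the file


def build_tiny_pe():
    """Assemble the 97-byte layout described in the post. Offsets are absolute file offsets."""
    buf = bytearray(FILE_SIZE)
    # IMAGE_DOS_HEADER: only e_magic and e_lfanew are used by the loader.
    buf[0x00:0x02] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 4)                # e_lfanew = 4 (same bytes as SectionAlignment)
    buf[0x04:0x08] = b"PE\0\0"                          # PE signature at e_lfanew
    # IMAGE_FILE_HEADER at 0x08
    struct.pack_into("<H", buf, 0x08, 0x014C)           # Machine = Intel 386
    struct.pack_into("<H", buf, 0x0A, 1)                # NumberOfSections
    buf[0x0C:0x10] = bytes([0x6A, 0x2A, 0x58, 0xC3])    # section body (push 2Ah; pop eax; ret) inside TimeDateStamp
    struct.pack_into("<H", buf, 0x18, 4)                # SizeOfOptionalHeader = 4 (smaller than the real structure)
    struct.pack_into("<H", buf, 0x1A, 0x0103)           # Characteristics
    # IMAGE_OPTIONAL_HEADER32 at 0x1C; fields beyond 0x20 are also read as the section header
    struct.pack_into("<H", buf, 0x1C, 0x010B)           # Magic = PE32
    struct.pack_into("<I", buf, 0x20, 4)                # SizeOfCode (doubles as section Name bytes)
    struct.pack_into("<I", buf, 0x2C, 0x0C)             # AddressOfEntryPoint (same bytes as section VirtualAddress)
    struct.pack_into("<I", buf, 0x38, 0x400000)         # ImageBase
    struct.pack_into("<I", buf, 0x40, 4)                # FileAlignment (SectionAlignment at 0x3C is already 4)
    struct.pack_into("<H", buf, 0x4C, 4)                # MajorSubsystemVersion (assumption, not stated in the post)
    struct.pack_into("<I", buf, 0x54, 0x68)             # SizeOfImage
    struct.pack_into("<I", buf, 0x58, 0x64)             # SizeOfHeaders
    buf[0x60] = 2                                       # Subsystem low byte = GUI; high byte is past EOF and maps as 0
    # IMAGE_SECTION_HEADER at 0x1C + 4 = 0x20, overlapping the optional header
    struct.pack_into("<I", buf, 0x28, 4)                # VirtualSize
    struct.pack_into("<I", buf, 0x30, 4)                # SizeOfRawData
    struct.pack_into("<I", buf, 0x34, 0x0C)             # PointerToRawData
    return bytes(buf)


def parse_pe(data):
    """Walk the headers as the loader does and collect anomalies. Reads past EOF yield zero."""
    def u16(off):
        return struct.unpack_from("<H", data.ljust(off + 2, b"\0"), off)[0]

    def u32(off):
        return struct.unpack_from("<I", data.ljust(off + 4, b"\0"), off)[0]

    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = u32(0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                # IMAGE_FILE_HEADER
    oh = fh + 20                     # IMAGE_OPTIONAL_HEADER
    size_opt = u16(fh + 16)
    sh = oh + size_opt               # first IMAGE_SECTION_HEADER, as the loader computes it
    info = {
        "e_lfanew": e_lfanew, "machine": u16(fh), "num_sections": u16(fh + 2),
        "size_of_optional_header": size_opt, "characteristics": u16(fh + 18),
        "magic": u16(oh), "size_of_code": u32(oh + 4), "entry_point": u32(oh + 16),
        "image_base": u32(oh + 28), "section_alignment": u32(oh + 32),
        "file_alignment": u32(oh + 36), "size_of_image": u32(oh + 56),
        "size_of_headers": u32(oh + 60), "subsystem": u16(oh + 68),
        "number_of_rva_and_sizes": u32(oh + 92), "section_header_offset": sh,
        "section_virtual_size": u32(sh + 8), "section_virtual_address": u32(sh + 12),
        "section_size_of_raw_data": u32(sh + 16), "section_pointer_to_raw_data": u32(sh + 20),
    }
    anomalies = []
    if e_lfanew < 0x40:
        anomalies.append("PE header overlaps the DOS header (e_lfanew=0x%X)" % e_lfanew)
    if size_opt < 96:
        anomalies.append("SizeOfOptionalHeader=0x%X is below the PE32 structure size; "
                         "section header at 0x%X overlaps the optional header" % (size_opt, sh))
    if info["file_alignment"] < 512 or info["section_alignment"] < 0x1000:
        anomalies.append("alignment below the minimum the PE specification allows")
    if oh + 96 > len(data):
        anomalies.append("optional header truncated by EOF; missing fields read as zero "
                         "(NumberOfRvaAndSizes=%d)" % info["number_of_rva_and_sizes"])
    if info["section_pointer_to_raw_data"] < info["size_of_headers"]:
        anomalies.append("section raw data at 0x%X lies inside the headers" % info["section_pointer_to_raw_data"])
    return info, anomalies


def entry_bytes(data):
    """Return the bytes the single section maps at the entry point."""
    info, _ = parse_pe(data)
    start = info["section_pointer_to_raw_data"]
    return data[start:start + info["section_size_of_raw_data"]]


if __name__ == "__main__":
    pe = build_tiny_pe()
    info, anomalies = parse_pe(pe)
    print("size=%d entry=0x%X section header at 0x%X" % (len(pe), info["entry_point"], info["section_header_offset"]))
    print("entry bytes:", entry_bytes(pe).hex())
    for a in anomalies:
        print("anomaly:", a)
```

The parser deliberately mirrors the two loader behaviours the post relies on (section header address derived from SizeOfOptionalHeader without a size check, and zero-filled reads beyond EOF), which is why each of those becomes an explicit anomaly rather than an error: a scanner that rejected the file outright would never see the overlapping fields.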

 

cf) Analyzing the 128-byte file,

the Optional Header was defined up through the NumberOfRvaAndSizes field,

and the section body appears in the 4 bytes after that (naturally, AddressOfEntryPoint = 0x7C, SizeOfHeaders = 0x7C, SizeOfImage = 0x80)

 

=> whether the part of IMAGE_OPTIONAL_HEADER after the Subsystem field was dropped

=> whether the section body was placed inside the header

 

seem to be the main differences.
