Assembly Language for Beginners

(Jeff_L) #1

6.5. WINDOWS NT



  • console (console application) or

  • GUI(non-console).


OS version


A PE file also specifies the minimal Windows version it needs in order to be loadable.


The table of version numbers stored in the PE file and corresponding Windows codenames is here^26.


For example,MSVC2005 compiles .exe files for running on Windows NT4 (version 4.00), butMSVC 2008
does not (the generated files have a version of 5.00, at least Windows 2000 is needed to run them).


MSVC2012 generates .exe files of version 6.00 by default, targeting at least Windows Vista. However, by
changing the compiler’s options^27 , it is possible to force it to compile for Windows XP.


Sections


Division in sections, as it seems, is present in all executable file formats.


It is devised in order to separate code from data, and data—from constant data.



  • EithertheIMAGE_SCN_CNT_CODEorIMAGE_SCN_MEM_EXECUTEflagswillbesetonthecodesection—
    this is executable code.

  • On data section—IMAGE_SCN_CNT_INITIALIZED_DATA,
    IMAGE_SCN_MEM_READandIMAGE_SCN_MEM_WRITEflags.

  • On an empty section with uninitialized data—
    IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ
    andIMAGE_SCN_MEM_WRITE.

  • On a constant data section (one that’s protected from writing), the flags
    IMAGE_SCN_CNT_INITIALIZED_DATAandIMAGE_SCN_MEM_READcan be set,
    but notIMAGE_SCN_MEM_WRITE. A process going to crash if it tries to write to this section.


Each section in PE-file may have a name, however, it is not very important. Often (but not always) the
code section is named.text, the data section—.data, the constant data section —.rdata(readable
data). Other popular section names are:



  • .idata—imports section. IDAmay create a pseudo-section named like this:6.5.2 on the previous
    page.

  • .edata—exports section (rare)

  • .pdata—sectionholdingallinformationaboutexceptionsinWindowsNTforMIPS,IA64andx64:6.5.3
    on page 783

  • .reloc—relocs section

  • .bss—uninitialized data (BSS)

  • .tls—thread local storage (TLS)

  • .rsrc—resources

  • .CRT—may present in binary files compiled by ancient MSVC versions


PE file packers/encryptors often garble section names or replace the names with their own.


MSVCallows you to declare data in arbitrarily named section^28.


Some compilers and linkers can add a section with debugging symbols and other debugging information
(MinGW for instance). However it is not so in latest versions ofMSVC(separatePDBfiles are used there
for this purpose).


That is how a PE section is described in the file:


(^26) wikipedia
(^27) MSDN
(^28) MSDN

Free download pdf