Assembly Language for Beginners


6.5. WINDOWS NT


Resources


Resources in a PE file are just a set of icons, pictures, text strings, dialog descriptions.


They were probably separated from the main code so that all of these things could be multilingual: it is then
simpler to pick the text or picture for the language that is currently set in the OS.


As a side effect, they can easily be edited and saved back into the executable file, even without any special
knowledge, by using the ResHack editor, for example (6.5.2).


.NET


.NET programs are not compiled into machine code but into a special bytecode. Strictly speaking, there
is bytecode instead of the usual x86 code in the .exe file, however, the entry point (OEP) points to this
tiny fragment of x86 code:


jmp mscoree.dll!_CorExeMain


The .NET loader is located in mscoree.dll, which processes the PE file.


That is how it worked on all pre-Windows XP OSes. Starting from XP, the OS loader itself detects a .NET file and
runs it without executing that JMP instruction^35.


TLS


This section holds the initialized data for TLS (6.2 on page 742), if any. When a new thread starts, its
TLS data is initialized from the data in this section.


Aside from that, the PE file specification also provides for initialization routines for the TLS section, the
so-called TLS callbacks.


If present, they are called before control is passed to the main entry point (OEP).


This is widely used in PE file packers/encryptors; it is also a classic anti-debugging trick, since a callback
has already run by the time a debugger stops at the OEP.
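Both loader details above, the OEP stub that marks a .NET executable and the TLS callbacks that run before the OEP, can be read straight out of the PE headers. The script below is an added example, not code from the book, from the pefile library or from any tool listed here: it walks the DOS/NT headers and the data directories by hand (standard library only), lists the TLS callbacks of a PE32 or PE32+ file, checks the CLR runtime header directory (entry 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which is what the XP-and-later loader looks at to recognise a .NET image), and shows the first bytes at the entry point so an `FF 25` indirect jmp is visible. The image it analyses is constructed by build_test_pe() with made-up addresses so that the example runs offline; for real work pass the bytes of an actual file to parse_pe().

```python
"""Added example: list TLS callbacks and detect the CLR header in a PE file (stdlib only)."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header


def parse_pe(data):
    """Walk the DOS/NT headers; return entry RVA, image base, data directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect, size_opt = struct.unpack_from("<H", data, fh + 2)[0], struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        pe32plus, image_base = False, struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dir_off = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:                                # PE32+
        pe32plus, image_base = True, struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dir_off = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(nsect):                              # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
    return {"pe32plus": pe32plus, "image_base": image_base, "dirs": dirs, "sections": sections,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0]}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (the header region maps 1:1)."""
    for _name, va, size, rawptr in pe["sections"]:
        if va <= rva < va + size:
            return rva - va + rawptr
    if rva < min((s[1] for s in pe["sections"]), default=0):
        return rva
    raise ValueError("RVA %#x is not backed by file data" % rva)


def tls_callbacks(pe, data):
    """VAs in the NULL-terminated array that IMAGE_TLS_DIRECTORY.AddressOfCallBacks points to."""
    rva, _size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_TLS]
    if rva == 0:
        return []
    # AddressOfCallBacks is the 4th field: offset 12 in the 32-bit struct, 24 in the 64-bit one
    fmt, psize, field = ("<Q", 8, 24) if pe["pe32plus"] else ("<I", 4, 12)
    addr = struct.unpack_from(fmt, data, rva_to_offset(pe, rva) + field)[0]
    if addr == 0:
        return []
    off, result = rva_to_offset(pe, addr - pe["image_base"]), []   # the array holds VAs, not RVAs
    while True:
        va = struct.unpack_from(fmt, data, off)[0]
        if va == 0:
            return result
        result.append(va)
        off += psize


def is_dotnet(pe):
    """The check the XP+ loader makes: a non-empty CLR runtime header data directory."""
    rva, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    return rva != 0 and size != 0


def entry_point_bytes(pe, data, n=6):
    """First n bytes at the OEP; FF 25 xx xx xx xx is 'jmp dword ptr [mem]', the .NET stub shape."""
    off = rva_to_offset(pe, pe["entry_rva"])
    return data[off:off + n]


def build_test_pe(clr=False):
    """Constructed sample, not a real binary: a one-section PE32 with two TLS callbacks and an
    indirect jmp at the entry point. Every address in it is made up."""
    base, sec_rva, sec_raw = 0x400000, 0x1000, 0x200
    sec = bytearray(0x200)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1000, its callback array at RVA 0x1020, OEP stub at RVA 0x1040
    struct.pack_into("<IIIIII", sec, 0, base + 0x1080, base + 0x1090, base + 0x1098, base + 0x1020, 0, 0)
    struct.pack_into("<III", sec, 0x20, base + 0x1100, base + 0x1200, 0)
    sec[0x40:0x46] = b"\xff\x25" + struct.pack("<I", base + 0x2000)   # jmp [hypothetical IAT slot]
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (sec_rva, 24)
    if clr:                                             # pretend a CLR header sits at RVA 0x1060
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (sec_rva + 0x60, 72)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0x200, 0, 0, sec_rva + 0x40, sec_rva, 0, base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)            # 16 data directories
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sect_hdr
    return hdr + b"\0" * (sec_raw - len(hdr)) + bytes(sec)
```

To use it on a real binary, read the file with `open(path, "rb").read()`, call parse_pe() on the bytes and then tls_callbacks(), is_dotnet() and entry_point_bytes() on the result; on the constructed sample the callback list comes back as [0x401100, 0x401200], the CLR check is False unless build_test_pe(clr=True) is used, and the entry bytes are ff 25 00 20 40 00. Note that rva_to_offset() raises for an RVA that no section backs on disk (for instance a callback pointer aimed at uninitialized memory), which is exactly the kind of thing a packer does, so a tool built on this should treat that exception as a finding rather than a crash.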


Tools



  • objdump (present in cygwin) for dumping all PE-file structures.

  • Hiew (7.1 on page 789) as an editor.

  • pefile — Python library for PE-file processing^36.

  • ResHack AKA Resource Hacker — resource editor^37.

  • PE_add_import^38 — simple tool for adding symbol(s) to the import table of a PE executable.

  • PE_patcher^39 — simple tool for patching PE executables.

  • PE_search_str_refs^40 — simple tool for finding the functions in a PE executable that reference a given
    text string.


Further reading



  • Daniel Pistelli—The .NET File Format^41


(^35) MSDN
(^36) http://go.yurichev.com/17052
(^37) http://go.yurichev.com/17052
(^38) http://go.yurichev.com/17049
(^39) yurichev.com
(^40) yurichev.com
(^41) http://go.yurichev.com/17056
