File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    KERNEL32.dll
                405000 Import Address Table
                405030 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   22F IsDebuggerPresent

  Summary

        1000 .data
        4000 .h3mf85n
        1000 .h477w81
        1000 .rdata

Listing 11.4 (continued)
Not much news here. DUMPBIN is also claiming that Defender.EXE is
only calling IsDebuggerPresent. One slightly interesting thing, however, is
the Summary section, where DUMPBIN lists the module's sections. It would
appear that Defender doesn't have a .text section (which is usually where
the code is placed in PE executables). Instead it has two strange sections:
.h3mf85n and .h477w81. This doesn't mean that the program doesn't have
any code; it simply means that the code is most likely tucked in one of those
oddly named sections.
At this point it would be wise to run DUMPBIN with the /HEADERS option
to get a better idea of how Defender is built (see Listing 11.5).
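As an added example (not code from the book or from the Defender crackme), the following Python script does by hand what DUMPBIN's /HEADERS output and Summary section show: it walks a PE file's section table and reports which sections carry the IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE characteristics, so that code living in an oddly named section is located by its flags rather than by the conventional .text name. The PE header bytes are constructed inline; the section names and sizes are taken from the listing above, but which of the two oddly named sections is flagged executable is an assumption made for the sample, not Defender's real layout.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # Name .. Characteristics (40 bytes)


def parse_sections(data: bytes):
    """Return [(name, virtual_size, characteristics)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    # The section table starts right after the optional header.
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * struct.calcsize(SECTION_HEADER_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[9]))
    return sections


def find_code_sections(sections):
    """Sections the loader treats as code, whatever they are called."""
    return [s for s in sections if s[2] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]


def summary(sections):
    """Lines in the shape of DUMPBIN's Summary block: size, name, sorted by name."""
    return [f"{vsize:8X} {name}" for name, vsize, _ in sorted(sections)]


def build_sample_pe(sections):
    """Construct a minimal PE header (not a loadable program): DOS stub, PE
    signature, COFF header, zeroed PE32 optional header, section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the stub
    opt_size = 0xE0                                    # size of a PE32 optional header
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, 0, vsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample: names and sizes follow the listing; flagging .h3mf85n as
# the executable section and .h477w81 as data is an assumption for this demo.
SAMPLE_PE = build_sample_pe([
    (b".h3mf85n", 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".h477w81", 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".rdata",   0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data",    0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    print("no .text section:", ".text" not in [s[0] for s in secs])
    print("executable sections:", [s[0] for s in find_code_sections(secs)])
    print("\n".join(summary(secs)))
```

Pointing `parse_sections` at a real file (`open(path, "rb").read()`) gives the same result on any PE; the point of checking the characteristics is that a packer or protection can name its sections anything it likes, but the section that the loader maps as executable still has to say so in its header.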
Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file defender.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)

Listing 11.5 Output from DUMPBIN when run on Defender.EXE with the /HEADERS
option. (continued)
Breaking Protections 373