Sunday, April 7, 2013

Carving - PE files

If examiners can't find anything by searching, they start a carving process for artifacts such as PE files, registry hives, event logs, JPEGs, and so on.

This page is a project for carving such artifacts.

First, I start with PE carving.

Let's Start!


A PE file consists of a PE header and a PE body.

The PE header is comprised of the DOS header + DOS stub + NT header (file header + optional header) + section headers.

The PE body is the sections.

We must know the PE structure to carve it, but I won't introduce it here because it is already widely documented on the web.


- PE Carving -
Before carving PE files, the examiner must know the cluster/block size.

(1) Search for the PE magic value at the first offset of every cluster.
       The PE magic value is 0x45 0x5A; its ASCII is MZ.

(2) If you find the PE magic value at the first offset of a cluster, search for the magic value of the NT header in the same cluster. It is 0x50 0x45 0x00 0x00, and its ASCII is PE.

(3) The size of the NT header is 0xF8.

(4) The file header in the NT header holds the number of sections. The number of sections must be bigger than zero.

(5) The magic of the optional header in the NT header is 0x0B 0x01 if this PE runs on 32-bit; when it runs on 64-bit, this value is 0x0B 0x02.

(6) The size of the PE header is found at offset 0x3C from the start of the optional header.

(7) Section headers have a file alignment and a section alignment. The file alignment governs the start offset of each section in the file; the section alignment governs the start offset of each section in memory.

(8) The size of each section table entry is 0x28.

(9) Pointer to raw data in the section table gives the start offset of its section.

(10) Size of raw data in the section table gives the size of its section.
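As an added example (not the author's PE_Carver.py), here are the ten steps above as a Python function that scans a disk image at cluster boundaries; the 512-byte cluster size and the synthetic test image are constructed assumptions. It matches the DOS signature as the ASCII bytes "MZ", reads SizeOfOptionalHeader instead of assuming the fixed 0xF8 NT header size so PE32+ works too, and takes the carve length as the farthest PointerToRawData + SizeOfRawData.

```python
import struct

CLUSTER = 512  # assumed cluster/block size; take it from the file system you are carving


def carve_pe(buf: bytes, cluster: int = CLUSTER) -> list:
    """Return [(offset, length), ...] for every PE whose DOS header starts a cluster."""
    hits = []
    for off in range(0, len(buf) - 0x40, cluster):
        if buf[off:off + 2] != b"MZ":                          # step (1): DOS magic 'MZ' (0x4D 0x5A)
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        nt = off + e_lfanew
        if e_lfanew + 4 > cluster or buf[nt:nt + 4] != b"PE\0\0":  # step (2): NT signature, same cluster
            continue
        nsect = struct.unpack_from("<H", buf, nt + 6)[0]       # FileHeader.NumberOfSections
        opt_size = struct.unpack_from("<H", buf, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
        magic = struct.unpack_from("<H", buf, nt + 24)[0]      # OptionalHeader.Magic
        if nsect == 0 or magic not in (0x10B, 0x20B):          # steps (4),(5): sections > 0, PE32 / PE32+
            continue
        size_of_headers = struct.unpack_from("<I", buf, nt + 24 + 0x3C)[0]  # step (6)
        sect = nt + 24 + opt_size                              # section table follows the optional header
        if sect + nsect * 0x28 > len(buf):
            continue
        end = size_of_headers
        for i in range(nsect):                                 # steps (8)-(10): 0x28-byte entries
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + i * 0x28 + 16)
            end = max(end, raw_ptr + raw_size)                 # end of the section that lies last on disk
        hits.append((off, min(end, len(buf) - off)))
    return hits


def build_sample(cluster: int = CLUSTER) -> bytes:
    """Constructed test image: junk cluster (with a mid-cluster 'MZ' decoy), a 0x500-byte PE32, slack."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew -> NT header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0x3A + struct.pack("<I", 0x200) + b"\0" * 0xA0
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sections
    pe = headers.ljust(0x200, b"\0") + b"A" * 0x200 + b"B" * 0x100
    junk = (b"\xff" * 100 + b"MZ").ljust(cluster, b"\xff")    # decoy 'MZ' not on a cluster boundary
    return junk + pe + b"\x00" * cluster


if __name__ == "__main__":
    for off, length in carve_pe(build_sample()):
        print(f"PE at offset {off:#x}, {length:#x} bytes")    # prints: PE at offset 0x200, 0x500 bytes
```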



I made a tool. Click the link below:

https://dorumugs-tools.googlecode.com/files/PE_Carver.py
