Windows linker – packing binary data into PE format
In the previous section, we assumed some memory distribution during the program's compilation. For example, the default EXE module image base should be at 0x400000 so that executable content should be placed. The .text section should be placed at 0x401000 above its image base. As we said, the .idata section is used to store the import address table, so the question is who or what is responsible for filling the import address table?
The answer is that every OS has an application loader, which is designed to fill all these tasks correctly when creating a process from a static program. However, there is a lot of information that will only be known at the compiling time and not by the system developer, such as the following:
- Does the program want to enable Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP)?
- Where is the
main(int, char)function in the.textsection written by the developer? - How much of the total memory is used by the execution module during the dynamic phase?
Microsoft has therefore introduced the PE format, which is essentially an extension to the COFF file, with an additional optional header structure to record the information required by the Windows program loader to correct the process. The following chapters will focus on playing with the various structures of the PE format so that you can write an executable file by hand on a whiteboard.
All you need to know now is that a PE executable has some key features:
- Code content: Usually stored as machine code in the
.textsection - Import address tables: To allow the loader to fill in the function addresses and enable the program to get them correctly
- Optional header: This structure allows the loader to read and know how to correct the current dynamic module
Here is an example in Figure 1.5:
Figure 1.5 – Minimalist architecture of the program
msgbox.exe is a minimalist Windows program with only three sections: .text, .rdata, and .idata. After dynamic execution, the system application loader sequentially extracts the content of the three sections and writes them each to the offset of 0x1000, 0x2000, and 0x3000 relative to the current PE module (msgbox.exe).
In this section, we learned that the application loader is responsible for correcting and filling the program content to create a static program file into a process.
