Wednesday, January 11, 2017

Dissecting C# Executables: Part 8

Let's get back to the second section header in the Section Table as defined in the Microsoft Portable Executable and Common Object File Format Specification, Revision 10:

Each field is listed as Offset, Size, Field: Description.

Offset 0, Size 8, Name: An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file.

Offset 8, Size 4, VirtualSize: The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files.

Offset 12, Size 4, VirtualAddress: For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation.

Offset 16, Size 4, SizeOfRawData: The size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero.

Offset 20, Size 4, PointerToRawData: The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4-byte boundary for best performance. When a section contains only uninitialized data, this field should be zero.

Offset 24, Size 4, PointerToRelocations: The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations.

Offset 28, Size 4, PointerToLinenumbers: The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated.

Offset 32, Size 2, NumberOfRelocations: The number of relocation entries for the section. This is set to zero for executable images.

Offset 34, Size 2, NumberOfLinenumbers: The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.

Offset 36, Size 4, Characteristics: The flags that describe the characteristics of the section. For more information, see section 4.1, “Section Flags.”


In the last post we dissected the .text section header.  We will pick up where we left off on the Xamarin image:

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_Xamarin_2.0.exe
000001A0   2E 72 73 72 63 00 00 00  84 03 00 00 00 40 00 00   .rsrc···?····@··
000001B0   00 04 00 00 00 08 00 00  00 00 00 00 00 00 00 00   ················
000001C0   00 00 00 00 40 00 00 40  2E 72 65 6C 6F 63 00 00   ····@··@.reloc··

Beginning with the Name, which is stored in a word (8 bytes) using UTF-8 encoding, the value is .rsrc for this Section Header.  Next is the VirtualSize, a half-word (4 bytes) containing 0x00000384, or 900 bytes.  That is followed by the VirtualAddress half-word, which is 0x00004000, and the SizeOfRawData half-word, which is 0x00000400.  The PointerToRawData half-word contains 0x00000800, and the PointerToRelocations half-word contains 0x00.  The PointerToLinenumbers half-word contains 0x00, and the NumberOfRelocations is two bytes containing 0x00.  The NumberOfLinenumbers is two bytes containing 0x00, and lastly the Characteristics is a half-word containing 0x40000040.

As before, the only differences between the three images are in the VirtualSize, SizeOfRawData, and PointerToRawData.  Here is the build from the command line:

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_CSC_2.0.exe
000001A0   2E 72 73 72 63 00 00 00  D0 02 00 00 00 40 00 00   .rsrc···D····@··
000001B0   00 04 00 00 00 06 00 00  00 00 00 00 00 00 00 00   ················
000001C0   00 00 00 00 40 00 00 40  2E 72 65 6C 6F 63 00 00   ····@··@.reloc··

and the build from Visual Studio:

D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_VS_2.0.exe
000001A0   2E 72 73 72 63 00 00 00  10 06 00 00 00 40 00 00   .rsrc········@··
000001B0   00 08 00 00 00 0A 00 00  00 00 00 00 00 00 00 00   ················
000001C0   00 00 00 00 40 00 00 40  2E 72 65 6C 6F 63 00 00   ····@··@.reloc··

The Characteristics value 0x40000040 this time decodes to IMAGE_SCN_CNT_INITIALIZED_DATA and IMAGE_SCN_MEM_READ.
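To tie the field walk-through and the Characteristics decoding together, here is an added example (not code from the post or from PrintBinaryFile.exe) that parses the 40-byte section header with the layout in the table above, re-typed from the Xamarin dump, decodes the flag bits, and applies the image-file rules the table states. The flag values come from section 4.1 of the specification; the FileAlignment of 0x200 is an assumption, since the real value lives in the optional header.

```python
import struct
from typing import NamedTuple

# Section Flags from section 4.1 of the spec (values are from the spec, not from the post).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

SectionHeader = NamedTuple("SectionHeader", [
    ("name", str), ("virtual_size", int), ("virtual_address", int), ("size_of_raw_data", int),
    ("pointer_to_raw_data", int), ("pointer_to_relocations", int), ("pointer_to_linenumbers", int),
    ("number_of_relocations", int), ("number_of_linenumbers", int), ("characteristics", int)])

# 8-byte name, six 4-byte fields, two 2-byte fields, 4-byte flags: 40 bytes, little-endian.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"

def parse_section_header(data: bytes, offset: int = 0) -> SectionHeader:
    fields = struct.unpack_from(SECTION_HEADER_FMT, data, offset)
    # Name is null-padded; an exactly 8-character name has no terminating null at all.
    return SectionHeader(fields[0].rstrip(b"\x00").decode("utf-8"), *fields[1:])

def decode_characteristics(flags: int) -> list[str]:
    # Known flag names in ascending bit order; any bits the table lacks are reported in hex.
    names = [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(SECTION_FLAGS)
    return names + ([f"UNKNOWN_0x{unknown:08X}"] if unknown else [])

def disk_slack(hdr: SectionHeader) -> int:
    # SizeOfRawData is rounded up to FileAlignment but VirtualSize is not: the difference is slack on disk.
    return max(0, hdr.size_of_raw_data - hdr.virtual_size)

def check_section(hdr: SectionHeader, file_alignment: int = 0x200) -> list[str]:
    # Image-file rules from the table above; file_alignment 0x200 is assumed (it lives in the optional header).
    issues = []
    if hdr.size_of_raw_data % file_alignment or hdr.pointer_to_raw_data % file_alignment:
        issues.append("SizeOfRawData/PointerToRawData not a multiple of FileAlignment")
    if hdr.pointer_to_relocations or hdr.number_of_relocations:
        issues.append("relocation fields must be zero in an executable image")
    if hdr.characteristics & 0x80000000 and hdr.characteristics & 0x20000000:
        issues.append("section is both writable and executable")
    return issues

# The 40 .rsrc header bytes at 0x1A0 of the Xamarin dump above, re-typed from the post.
XAMARIN_RSRC = bytes.fromhex("2E72737263000000" "84030000" "00400000" "00040000"
                             "00080000" "00000000" "00000000" "0000" "0000" "40000040")
```

Calling parse_section_header(XAMARIN_RSRC) reproduces the values decoded above, and check_section returns an empty list for it; disk_slack shows the 124 bytes between VirtualSize (900) and SizeOfRawData (1024).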

Well, that will do for tonight.  Tomorrow we will tackle the .reloc section header that we see starting at the last half of line 0x000001C0.  Until next time, keep coding and learning!
