Malware Journey Day 21
I need to understand the PE components
At the simplest level a PE file has two parts: the headers and the sections.
The headers are the DOS header, the PE (file) header and the optional header. After those come the data directories (which are really the tail end of the optional header) and the section table, which describes where each section sits on disk and where it should land in memory.
The sections hold the actual contents: code (what gets executed, normally in .text), data (.data, .rdata) and the import information that names the DLLs and functions the file needs (.idata, or folded into .rdata). Packed and malicious files often break this pattern, so treat the usual names as a convention rather than a rule.
Now, opening a random executable in HxD, I see this:
From my understanding, a lot of YARA signatures look for this string. Funny enough, new malware samples are purposefully removing it so that antivirus can't easily detect the beginning of a PE file.
And the image below shows the section names; from my experience this is a good indication of an unpacked file.
At the end of the DOS header we get the offset to the beginning of the PE header. This is seen in the screenshot below. The circled part is e_lfanew, a 4-byte little-endian value stored at offset 0x3C, the last field of the 0x40-byte DOS header.
Again, a valid PE file only needs the MZ signature and e_lfanew from the DOS header. Everything in between can just be null bytes; no DOS stub string is needed. The part highlighted in blue is the PE signature, the four bytes PE\0\0 at the offset e_lfanew points to. So the PE header is easy to find: follow e_lfanew and check that it starts with PE. Don't assume a fixed distance from MZ, because e_lfanew can legitimately point almost anywhere in the file, and a parser that only scans for the string "PE" can be fooled by that string appearing in the DOS stub or in data.
Now IMAGE_NT_HEADERS
This structure wraps the PE signature, the file header (IMAGE_FILE_HEADER) and the optional header (IMAGE_OPTIONAL_HEADER), which in turn ends with the data directories.
The Signature field of IMAGE_NT_HEADERS is just PE followed by two null bytes (0x00004550 as a little-endian DWORD).
The file header part of IMAGE_NT_HEADERS tells us the number of sections (NumberOfSections), the target machine, and general characteristics of the file, such as whether it is a DLL or an EXE (the IMAGE_FILE_DLL and IMAGE_FILE_EXECUTABLE_IMAGE bits of Characteristics). It also holds SizeOfOptionalHeader, which is what tells you where the section table begins.
The optional header (which is not optional for executable images) is what tells the loader how to map the file into memory: the preferred ImageBase, AddressOfEntryPoint, SectionAlignment and FileAlignment, SizeOfImage and SizeOfHeaders, and the Magic value that distinguishes PE32 (0x10B) from PE32+ (0x20B, 64-bit), which changes the size and layout of the fields that follow.
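To tie the DOS header, IMAGE_NT_HEADERS and section table together, here is a small header walker added as an example for this post (it is my own code, not something from the original write-up or from any tool mentioned above). It uses only the struct module so every offset in the format is visible: it follows e_lfanew from offset 0x3C, checks the PE\0\0 signature, reads NumberOfSections and the DLL/EXE Characteristics from the file header, reads the loader fields and the import data directory from the optional header (handling both PE32 and PE32+), and then walks the section table using SizeOfOptionalHeader. The build_minimal_pe helper is a constructed sample input, not a real binary: a header-only PE32+ image with a null DOS stub and e_lfanew = 0x40, which is exactly the "only MZ and e_lfanew matter" case described above. Field values in it (ImageBase 0x140000000, entry point 0x1000, the .text and .rdata layout) are assumptions chosen for illustration.

```python
import struct

# Layout constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C                     # last DWORD of the 0x40-byte IMAGE_DOS_HEADER
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"               # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1           # index into the data directory array


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError(f"no PE signature at e_lfanew=0x{e_lfanew:x}")

    # IMAGE_FILE_HEADER: section count and the EXE-vs-DLL Characteristics live here.
    fh = e_lfanew + 4
    (machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(FILE_HEADER_FMT, data, fh)

    # IMAGE_OPTIONAL_HEADER: Magic decides PE32 vs PE32+, which moves ImageBase
    # and the data directory array; the other loader fields sit at fixed offsets.
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)          # NumberOfRvaAndSizes
    import_dir = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_dir = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)

    # The section table starts SizeOfOptionalHeader bytes into the optional header;
    # use that field rather than assuming 0xE0/0xF0, since the value can be padded.
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         sec_chars) = struct.unpack_from(SECTION_HEADER_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_offset": raw_ptr,
                         "raw_size": raw_size, "characteristics": sec_chars})
    return {"e_lfanew": e_lfanew, "machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "number_of_sections": n_sections, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
            "entry_point_rva": entry_rva, "image_base": image_base, "size_of_image": size_of_image,
            "section_alignment": section_align, "file_alignment": file_align,
            "import_directory": tuple(import_dir), "sections": sections}


def rva_to_file_offset(info: dict, rva: int) -> int:
    """Map an RVA (offset from ImageBase once loaded) back to a file offset through the
    section table; this is the file-to-memory mapping the loader performs, in reverse."""
    for s in info["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_offset"]
    raise ValueError(f"RVA 0x{rva:x} is not inside any section")


def build_minimal_pe(is_dll: bool = False) -> bytes:
    """Constructed sample input (an assumption, not a real binary): a header-only PE32+
    image with a null DOS stub, e_lfanew = 0x40 and two sections. It will not run;
    it exists to show that only MZ and e_lfanew matter in the DOS header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)       # PE header right after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020              # | IMAGE_FILE_LARGE_ADDRESS_AWARE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, 2, 0, 0, 0, 0xF0, chars)   # AMD64, 2 sections
    opt = bytearray(0xF0)                                     # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint, an RVA into .text
    struct.pack_into("<Q", opt, 24, 0x140000000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2010, 0x28)  # imports in .rdata
    sections = b""
    for name, va, raw_ptr, sec_chars in ((b".text", 0x1000, 0x400, 0x60000020),    # CODE|EXECUTE|READ
                                          (b".rdata", 0x2000, 0x600, 0x40000040)):  # INITIALIZED_DATA|READ
        sections += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), 0x100, va, 0x200,
                                raw_ptr, 0, 0, 0, 0, sec_chars)
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + sections
```

To use it on a real sample, call parse_pe(open(path, "rb").read()) and look at the returned dict; the sections list is the same information HxD shows as the section names, and rva_to_file_offset lets you turn the entry point or the import directory RVA into the file offset to jump to in the hex editor. The parser deliberately trusts nothing but MZ and e_lfanew from the DOS header, and reads the section table position from SizeOfOptionalHeader instead of a hard-coded size, which is what keeps it working on samples that strip the DOS stub string or pad the headers.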