Binary Executable File Formats”
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
The GNU Linker
The GNU linker ld (GNU Binutils) Version 2.37 Steve Chamberlain Ian Lance Taylor Red Hat Inc [email protected], [email protected] The GNU linker Edited by Jeffrey Osier ([email protected]) Copyright c 1991-2021 Free Software Foundation, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled \GNU Free Documentation License". i Table of Contents 1 Overview :::::::::::::::::::::::::::::::::::::::: 1 2 Invocation ::::::::::::::::::::::::::::::::::::::: 3 2.1 Command-line Options ::::::::::::::::::::::::::::::::::::::::: 3 2.1.1 Options Specific to i386 PE Targets :::::::::::::::::::::: 40 2.1.2 Options specific to C6X uClinux targets :::::::::::::::::: 47 2.1.3 Options specific to C-SKY targets :::::::::::::::::::::::: 48 2.1.4 Options specific to Motorola 68HC11 and 68HC12 targets :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 48 2.1.5 Options specific to Motorola 68K target :::::::::::::::::: 48 2.1.6 Options specific to MIPS targets ::::::::::::::::::::::::: 49 2.1.7 Options specific to PDP11 targets :::::::::::::::::::::::: 49 2.2 Environment Variables :::::::::::::::::::::::::::::::::::::::: 50 3 Linker Scripts:::::::::::::::::::::::::::::::::: 51 3.1 Basic Linker Script Concepts :::::::::::::::::::::::::::::::::: 51 3.2 Linker Script -
The “Stabs” Debug Format
The \stabs" debug format Julia Menapace, Jim Kingdon, David MacKenzie Cygnus Support Cygnus Support Revision TEXinfo 2017-08-23.19 Copyright c 1992{2021 Free Software Foundation, Inc. Contributed by Cygnus Support. Written by Julia Menapace, Jim Kingdon, and David MacKenzie. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled \GNU Free Documentation License". i Table of Contents 1 Overview of Stabs ::::::::::::::::::::::::::::::: 1 1.1 Overview of Debugging Information Flow ::::::::::::::::::::::: 1 1.2 Overview of Stab Format ::::::::::::::::::::::::::::::::::::::: 1 1.3 The String Field :::::::::::::::::::::::::::::::::::::::::::::::: 2 1.4 A Simple Example in C Source ::::::::::::::::::::::::::::::::: 3 1.5 The Simple Example at the Assembly Level ::::::::::::::::::::: 4 2 Encoding the Structure of the Program ::::::: 7 2.1 Main Program :::::::::::::::::::::::::::::::::::::::::::::::::: 7 2.2 Paths and Names of the Source Files :::::::::::::::::::::::::::: 7 2.3 Names of Include Files:::::::::::::::::::::::::::::::::::::::::: 8 2.4 Line Numbers :::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.5 Procedures ::::::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.6 Nested Procedures::::::::::::::::::::::::::::::::::::::::::::: 11 2.7 Block Structure -
Automatic Classifying of Mac OS X Samples
Automatic Classifying of Mac OS X Samples Spencer Hsieh, Pin Wu and Haoping Liu Trend Micro Inc., Taiwan TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information Contents and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted 4 upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing Introduction herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy 6 is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to Mac OS X Samples Dataset the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 10 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as Classification of Mach-O Files to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. 11 Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, Malware Families indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content 15 thereof. -
Doin' the Eagle Rock
VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 1 DOIN’ THE EAGLE ROCK this RNG in every virus for which he requires a source of random numbers. Peter Ferrie Microsoft, USA The virus then allocates two blocks of memory: one to hold the intermediate encoding of the virus body, and the other to hold the fully encoded virus body. The virus decompresses If a fi le contains no code, can it be executed? Can arithmetic a fi le header into the second block. The fi le header is operations be malicious? Here we have a fi le that contains compressed using a simple Run-Length Encoder algorithm. no code, and no data in any meaningful sense. All it The header is for a Windows Portable Executable fi le, and it contains is a block of relocation items, and all relocation seems as though the intention was to produce the smallest items do is cause a value to be added to locations in the possible header that can still be executed on Windows. There image. So, nothing but relocation items – and yet it also are overlapping sections, and ‘unnecessary’ fi elds have been contains W32/Lerock. removed. The virus then allocates a third block of memory, Lerock is written by the same virus author as W32/Fooper which will hold a copy of the unencoded virus body. (see VB, January 2010, p.4), and behaves in the same way at a The virus searches for zeroes within the unencoded memory high level, but at a lower level it differs in an interesting way. -
The IAR XLINK Linker™ and IAR XLIB Librarian™ Reference Guide
IAR Linker and Library To o l s Reference Guide Version 4.60 XLINK-460G COPYRIGHT NOTICE © Copyright 1987–2007 IAR Systems. All rights reserved. No part of this document may be reproduced without the prior written consent of IAR Systems. The software described in this document is furnished under a license and may only be used or copied in accordance with the terms of such a license. DISCLAIMER The information in this document is subject to change without notice and does not represent a commitment on any part of IAR Systems. While the information contained herein is assumed to be accurate, IAR Systems assumes no responsibility for any errors or omissions. In no event shall IAR Systems, its employees, its contractors, or the authors of this document be liable for special, direct, indirect, or consequential damage, losses, costs, charges, claims, demands, claim for lost profits, fees, or expenses of any nature or kind. TRADEMARKS IAR, IAR Systems, IAR Embedded Workbench, IAR MakeApp, C-SPY, visualSTATE, From Idea To Target, IAR KickStart Kit and IAR PowerPac are trademarks or registered trademarks owned by IAR Systems AB. All other product names are trademarks or registered trademarks of their respective owners. EDITION NOTICE April 2007 Part number: XLINK-460G The IAR Linker and Library Tools Reference Guide replaces all versions of the IAR XLINK Linker™ and IAR XLIB Librarian™ Reference Guide. XLINK-460G Contents Tables ..................................................................................................................... -
Packet Structure Definition
xx Tektronix Logic Analyzer Online Help ZZZ PrintedHelpDocument *P077003206* 077-0032-06 Tektronix Logic Analyzer Online Help ZZZ PrintedHelpDocument www.tektronix.com 077-0032-06 Copyright © Tektronix. All rights reserved. Licensed software products are owned by Tektronix or its subsidiaries or suppliers, and are protected by national copyright laws and international treaty provisions. Tektronix products are covered by U.S. and foreign patents, issued and pending. Information in this publication supersedes that in all previously published material. Specifications and price change privileges reserved. TEKTRONIX and TEK are registered trademarks of Tektronix, Inc. D-Max, MagniVu, iView, iVerify, iCapture, iLink, PowerFlex, and TekLink are trademarks of Tektronix, Inc. 076-0113-06 077-0032-06 April 27, 2012 Contacting Tektronix Tektronix, Inc. 14150 SWKarlBraunDrive P.O. Box 500 Beaverton, OR 97077 USA For product information, sales, service, and technical support: In North America, call 1-800-833-9200. Worldwide, visit www.tektronix.com to find contacts in your area. Warranty Tektronix warrants that this product will be free from defects in materials and workmanship for a period of one (1) year from the date of shipment. If any such product proves defective during this warranty period, Tektronix, at its option, either will repair the defective product without charge for parts and labor, or will provide a replacement in exchange for the defective product. Parts, modules and replacement products used by Tektronix for warranty work may be new or reconditioned to like new performance. All replaced parts, modules and products become the property of Tektronix. In order to obtain service under this warranty, Customer must notify Tektronix of the defect before the expiration of the warranty period and make suitable arrangements for the performance of service. -
A Proposed System for Hiding Information in Portable Executable Files Based on Analyzing Import Section
IOSR Journal of Engineering (IOSRJEN) www.iosrjen.org ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 01 (January. 2014), ||V7|| PP 21-30 A Proposed System for Hiding Information In Portable Executable Files Based on Analyzing Import Section Mohammad Hussein Jawwad 1- University of Babylon- College of Information Technology- Iraq Abstract: - Information-hiding techniques have newly become very important in a many application areas. Many cover mediums have been used to hide information like image, video, voice. Use of these mediums have been extensively studied. In this paper, we propose new system for hiding information in Portable Executable files (PE files). PE is a file format for executable file used in the 32-bit and 64-bit versions of the Windows operating system. This algorithm has higher security than some traditional ones because of the combination between encryption and hiding. We first encrypt the information before hiding it to ensure high security. After that we hide the information in the import table of PE file. This hiding depends on analyzing the import table characteristics of PE files that have been built under Borland turbo assembler. The testing result shows that the result file does not make any inconsistency with anti-virus programs and the PE file still function as normal after the hiding process. Keywords: - PE File, Information Hiding, Cryptography. I. INTRODUCTION The development and wide use of computer science and informatics also, the advent of global networks (i.e. Internet) that make the access for information is possible for every one online impose the need for ways to avoid hackers and muggers from getting the important information. -
Portable Executable File Format
Chapter 11 Portable Executable File Format IN THIS CHAPTER + Understanding the structure of a PE file + Talking in terms of RVAs + Detailing the PE format + The importance of indices in the data directory + How the loader interprets a PE file MICROSOFT INTRODUCED A NEW executable file format with Windows NT. This for- mat is called the Portable Executable (PE) format because it is supposed to be portable across all 32-bit operating systems by Microsoft. The same PE format exe- cutable can be executed on any version of Windows NT, Windows 95, and Win32s. Also, the same format is used for executables for Windows NT running on proces- sors other than Intel x86, such as MIPS, Alpha, and Power PC. The 32-bit DLLs and Windows NT device drivers also follow the same PE format. It is helpful to understand the PE file format because PE files are almost identi- cal on disk and in RAM. Learning about the PE format is also helpful for under- standing many operating system concepts. For example, how operating system loader works to support dynamic linking of DLL functions, the data structures in- volved in dynamic linking such as import table, export table, and so on. The PE format is not really undocumented. The WINNT.H file has several struc- ture definitions representing the PE format. The Microsoft Developer's Network (MSDN) CD-ROMs contain several descriptions of the PE format. However, these descriptions are in bits and pieces, and are by no means complete. In this chapter, we try to give you a comprehensive picture of the PE format. -
Common Object File Format (COFF)
Application Report SPRAAO8–April 2009 Common Object File Format ..................................................................................................................................................... ABSTRACT The assembler and link step create object files in common object file format (COFF). COFF is an implementation of an object file format of the same name that was developed by AT&T for use on UNIX-based systems. This format encourages modular programming and provides powerful and flexible methods for managing code segments and target system memory. This appendix contains technical details about the Texas Instruments COFF object file structure. Much of this information pertains to the symbolic debugging information that is produced by the C compiler. The purpose of this application note is to provide supplementary information on the internal format of COFF object files. Topic .................................................................................................. Page 1 COFF File Structure .................................................................... 2 2 File Header Structure .................................................................. 4 3 Optional File Header Format ........................................................ 5 4 Section Header Structure............................................................. 5 5 Structuring Relocation Information ............................................... 7 6 Symbol Table Structure and Content........................................... 11 SPRAAO8–April 2009 -
Investigation of Malicious Portable Executable File Detection on the Network Using Supervised Learning Techniques
Investigation of Malicious Portable Executable File Detection on the Network using Supervised Learning Techniques Rushabh Vyas, Xiao Luo, Nichole McFarland, Connie Justice Department of Information and Technology, Purdue School of Engineering and Technology IUPUI, Indianapolis, IN, USA 46202 Emails: [email protected]; [email protected]; [email protected]; [email protected] Abstract—Malware continues to be a critical concern for that random forest learning technique achieved best detection everyone from home users to enterprises. Today, most devices are performance than the other three learning techniques. The connected through networks to the Internet. Therefore, malicious achieved detection rate and false alarm rate on experimental code can easily and rapidly spread. The objective of this paper is to examine how malicious portable executable (PE) files can be data set were 98.7% and 1.8% respectively. We compared detected on the network by utilizing machine learning algorithms. the performances of the four learning techniques on four The efficiency and effectiveness of the network detection rely types of PE malware - backdoors, viruses, worms and trojans. on the number of features and the learning algorithms. In this The results showed that the same learning technique show work, we examined 28 features extracted from metadata, packing, the similar performance on different types of malwares. It imported DLLs and functions of four different types of PE files for malware detection. The returned results showed that the demonstrated the features that are extracted from the files have proposed system can achieve 98.7% detection rates, 1.8% false no bias for a specific type of malware. -
Tricore Architecture Manual for a Detailed Discussion of Instruction Set Encoding and Semantics
User’s Manual, v2.3, Feb. 2007 TriCore 32-bit Unified Processor Core Embedded Applications Binary Interface (EABI) Microcontrollers Edition 2007-02 Published by Infineon Technologies AG 81726 München, Germany © Infineon Technologies AG 2007. All Rights Reserved. Legal Disclaimer The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics (“Beschaffenheitsgarantie”). With respect to any examples or hints given herein, any typical values stated herein and/or any information regarding the application of the device, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non- infringement of intellectual property rights of any third party. Information For further information on technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies Office (www.infineon.com). Warnings Due to technical requirements components may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies Office. Infineon Technologies Components may only be used in life-support devices or systems with the express written approval of Infineon Technologies, if a failure of such components can reasonably be expected to cause the failure of that life-support device or system, or to affect the safety or effectiveness of that device or system. Life support devices or systems are intended to be implanted in the human body, or to support and/or maintain and sustain and/or protect human life. If they fail, it is reasonable to assume that the health of the user or other persons may be endangered. User’s Manual, v2.3, Feb. -
IAR Linker and Library Tools Reference Guide
IAR Linker and Library Tools Reference Guide XLINK-540 XLINK-540 COPYRIGHT NOTICE © 1987–2012 IAR Systems AB. No part of this document may be reproduced without the prior written consent of IAR Systems AB. The software described in this document is furnished under a license and may only be used or copied in accordance with the terms of such a license. DISCLAIMER The information in this document is subject to change without notice and does not represent a commitment on any part of IAR Systems. While the information contained herein is assumed to be accurate, IAR Systems assumes no responsibility for any errors or omissions. In no event shall IAR Systems, its employees, its contractors, or the authors of this document be liable for special, direct, indirect, or consequential damage, losses, costs, charges, claims, demands, claim for lost profits, fees, or expenses of any nature or kind. TRADEMARKS IAR Systems, IAR Embedded Workbench, C-SPY, visualSTATE, The Code to Success, IAR KickStart Kit, I-jet, IAR, and the logotype of IAR Systems are trademarks or registered trademarks owned by IAR Systems AB. Microsoft and Windows are registered trademarks of Microsoft Corporation. Adobe and Acrobat Reader are registered trademarks of Adobe Systems Incorporated. All other product names are trademarks or registered trademarks of their respective owners. EDITION NOTICE June 2012 Part number: XLINK-540 The IAR Linker and Library Tools Reference Guide replaces all versions of the IAR XLINK Linker™ and IAR XLIB Librarian™ Reference Guide. XLINK-540 Contents Tables ........................................................................................................................ 7 Preface ...................................................................................................................... 9 Who should read this guide ................................................................. 9 How to use this guide ............................................................................