File Structure of PE and ELF Explained

Hi everyone! Today, I am going to show you the minimal file structure of two popular binary executable format. Windows (PE) and Linux (ELF).

Windows
Let's take a look at Windows PE file format:

PE:



Please note that Code Section and Data Section is minimum 512 bytes each, or power of two to the multiple of 512 as required by File Alignment setting in File Header.

As its name implies, Code Section contains all machine code (normally Intel x86 or AMD64 CPU architecture opcodes) while Data Section contains all data values. A functional PE should have Import Table referencing to either kernel32.dll or user32.dll or both.

For ordinary EXE, you can always ignore the checksum and timestamp in File Header.

Linux
Now, it's time to look at ELF32/64 binary file format.

ELF:



ELF file format is smaller compared to that of PE. A functional "Hello World!" ELF64 binary file could be well below 200 bytes, compared to a similar "Hello World!" (CUI) PE binary file which is about 2048 bytes (or 1024 bytes if you combine three section altogether).

The similarity between these two binary file formats is each Code Segment or Code Section and Data Segment or Data Section has respective headers.

These binary file formats have existed for more than 20 years and have not changed much since then.

Tiny executable file like a 2048-byte portable executable (PE) is often falsely detected by antivirus software as trojan or malware.

macOS

Well, I could not afford an Apple machine so I give up researching on anything related to macOS including its binary file format. To date, I never have used macOS in my life time.

Conclusion
I hope you already get the preliminary idea about the file structure of two popular binary executable format.

As for me, PE file format even in its minimal form is way more complex than ELF file format.

This post has been edited by FlierMate: Aug 7 2021, 06:40 PM

DIY: Bootloader for x86

Hello everyone! Have you ever wonder how an operating system boots itself? It is no longer a secret.
While I know little about its science, I am going to show you how to make one, a bootloader for x86, using Assembly language.

My favorite assembler is FASM, so I am going to compile it using FASM (for Windows, for Linux, for DOS, depending on your OS).

This is the code upon referencing to two sources:

https://board.flatassembler.net/topic.php?t=21254
https://gitlab.redox-os.org/redox-os/bootlo.../bootsector.asm

This is my Assembly code:



Then compile it using FASM, and finally burn it to your USB flash drive:



Warning: Please test this in a virtual machine although it is safe to boot from USB flash drive if you know what you are doing.

For Linux, please run sudo fdisk -l to make sure the USB flash drive is /dev/sdb. For Windows, you can use ISO burner although I have not tested it personally.

Boot from USB Flash Drive

Depending on your computer model, you may want to press certain key (or combination of key) during BIOS startup to enter boot menu.

From the boot menu, select the USB flash drive where boot.img has been burned onto.

Now, you'll see "Hi" on screen, nothing else.


Enjoy this DIY tutorial?

This post has been edited by FlierMate: Aug 7 2021, 06:39 PM

Compare Win32, Linux and DOS system calls

Tonight I will compare system calls between Win32, Linux and legacy DOS. Let's take the system call on how to quit a program for each of these platforms.

Windows
We are going to start with Win32, with its Win32 API.
You'll need to import kernel library, kernel32.dll.


Make sure this two lines are at the bottom of any Windows program especially in Assembly programming.

Linux
Let's head to Linux x64. This time we will deal with syscall number 60.

Again, make sure we put this block of code sys_exit right at the bottom of any Linux program especially in Assembly programming.

int 0x80 is used in 32-bit Linux programming

DOS
Yikes, you may not want to hear anything about legacy operating system. For the sake of comparison in system calls, I invite you to take a quick glance.

It is very simple to quit a program in DOS mode:

Since DOS is 16-bit, Win32 is 32-bit and 64-bit, notice the ax register is different to that of eax (x32) and rax (x64).

Did you enjoy this article?

This post has been edited by FlierMate: Aug 7 2021, 06:36 PM

Articles:

DIY: Bootloader for x86
File Structure of PE and ELF Explained
Compare Win32, Linux and DOS system calls
I have created a simple back-end compiler for Linux x64
How to get processor name in Linux terminal window through programming?
Anyone in system programming with Linux x64?


Currently Learning

ELF64

Currently Hacking On

Spent years studying Win32 (PE), Linux (ELF64), and in the past DOS (MZ) binary file format.
I have created simple back-end compiler for each of these platforms.


6 posts published
3 comments written
6 tags followed

This post has been edited by FlierMate: Aug 17 2021, 06:15 PM

........

This post has been edited by FlierMate: Jan 2 2022, 09:25 AM