3

When looking at PE files in a hex editor, I often encountered some bytes between the section table and the first section, which doesn't really make sense to me. As far as I am concerned, there should be a 00-byte padding in order to fit the alignment. However, here is a screenshot which demonstrates the opposite:

As it turned out the highlighted block is pretty much the Bound Import Table. But I am still confused. Why is this table not located in a section? Is this always the case or is it just the specification of a certain compiler/linker? I did not find any documentation on this specific issue. Everything one can find on this topic basically says:

  1. DOS MZ Header
  2. DOS Stub
  3. PE Header
  4. Section Table
  5. Section 1
  6. Section 2
  7. Section 3

... and so on

Before I encountered this issue I was not even aware of the fact that there can be things outside of the sections (besides the ones I listed above, of course).

[EDIT]

Proof of concept (Since Mox did not believe me):

LordPE

Glorfindel
user1658887
  • How can you say that the highlighted block is part of Bound Import Table? Which (other) well known PE tool(s) did you use to confirm this assertion? – mox Sep 14 '12 at 20:35
  • @mox Well, it's pretty easy. The DataDirectory array starts at offset 0x178 and ends at offset 0x1EF (both inclusive). The 12th element of this array is located at 0x1D0 and contains the RVA to the Bound Import Table. If you look at the screenshot you can easily see that the location points to 0x2E8, which is part of the highlighted section. I also tried filling the selection with 00s, which "destroyed" the binary (couldn't start anymore). Setting the RVA and size of the BIT to 0 caused the binary to start again, which is just another indication. However, I also double-checked it with LordPE. – user1658887 Sep 14 '12 at 22:13

4 Answers

5

Data directories such as the IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT can exist outside of sections. Another example of a data directory existing outside of any known section would be the IMAGE_DIRECTORY_ENTRY_CERTIFICATE data directory which is the data directory used to store the certificate information when an executable is signed.

Data directories can point to data outside of a section, within a section, or they can point to the entire section. The IMAGE_DIRECTORY_ENTRY_RESOURCE data directory points to the entire ".rsrc" section. Certain data directories point to known sections and these are documented in the PE format specification by Microsoft.

Nathan Moinvaziri
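The offsets walked through in the asker's comment above (DataDirectory at file offset 0x178, the 12th entry at 0x1D0, pointing at RVA 0x2E8) and the point of this answer, that a directory may live in the header gap rather than in any section, can both be checked mechanically. The following Python is an added example, not code from the thread or from any tool named in it; it constructs a PE32+ header region laid out like the one in the question (constructed sample, not the real iexplore.exe) and classifies each non-empty data directory as lying in a section, in the header region below SizeOfHeaders, or nowhere mapped.

```python
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11   # the "12th element" of DataDirectory

def build_sample_image():
    """Constructed PE32+ header region laid out like the file in the question: e_lfanew 0xF0,
    15 data directories (0x178..0x1EF), four sections, bound import table at RVA 0x2E8."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xF0)                        # e_lfanew
    img[0xF0:0xF4] = b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0xF4, 0x8664, 4, 0, 0, 0, 112 + 15 * 8, 0x22)
    opt = 0xF4 + 20                                                # optional header at 0x108
    struct.pack_into("<H", img, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", img, opt + 60, 0x400)                   # SizeOfHeaders: first section raw data starts here
    struct.pack_into("<I", img, opt + 108, 15)                     # NumberOfRvaAndSizes
    dd = opt + 112                                                 # DataDirectory at 0x178
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x3000, 0x100)
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, 0x2E8, 0x20)
    sec = dd + 15 * 8                                              # section table at 0x1F0..0x28F, gap follows
    for i, name in enumerate([b".text", b".rdata", b".rsrc", b".reloc"]):
        struct.pack_into("<8sII", img, sec + 40 * i, name, 0x200, 0x1000 * (i + 1))  # VirtualSize, VirtualAddress
    return bytes(img)

def locate_data_directories(image):
    """Return (file offset of DataDirectory, {index: (rva, size, where)}); 'where' is a section name,
    'headers' (RVA below SizeOfHeaders, outside every section) or 'unmapped'. Entry 4 (certificates)
    holds a file offset rather than an RVA, so its 'where' is not meaningful."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    plus = struct.unpack_from("<H", image, opt)[0] == 0x20B       # PE32+ vs PE32 (0x10B)
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    count = struct.unpack_from("<I", image, opt + (108 if plus else 92))[0]
    dd = opt + (112 if plus else 96)
    sections = [struct.unpack_from("<8sII", image, opt + opt_size + 40 * i) for i in range(nsections)]
    found = {}
    for i in range(count):
        rva, size = struct.unpack_from("<II", image, dd + 8 * i)
        if rva == 0 and size == 0:
            continue
        where = "headers" if rva < size_of_headers else "unmapped"
        for name, vsize, vaddr in sections:
            if vaddr <= rva < vaddr + vsize:
                where = name.rstrip(b"\0").decode()
        found[i] = (rva, size, where)
    return dd, found
```

Running `locate_data_directories` over a real file (read with `open(path, "rb").read()`) lists which directories the linker placed in the header gap, which is the quickest way to settle the kind of disagreement seen further down in this thread.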
1

Items like the bound import table can be written wherever the linker wants to put them in the raw image. It just overwrites the zero bytes with the table and makes the pointer correct in the data directory. You could probably even overwrite the middle of the DOS header or stub with the import table and it would work as long as the pointer in the directory was correct.

Tyler Durden
0

As far as I can see with LordPE, the IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT entry of iexplore.exe is empty.


mox
  • Maybe you have a different version (did you try the 64-bit version?). But I can assure you my findings are right – user1658887 Sep 15 '12 at 14:50
0

Both 32-bit and 64-bit versions of IEXPLORE.EXE don't have IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT entries.

Here is a snapshot of LordPE, showing the 64-bit version of IEXPLORE.EXE on a Windows 7 machine and (in green) the missing IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT entry:


It looks like you aren't looking at the right directory entry.

mox
  • I never updated my IE. So I am sure this is related to a different version. I am looking at the right entry, just trust me :). I found out that this is something which sometimes occurs in Microsoft binaries, because those bytes right after the section table are just unused bytes, which sometimes are used to store the Bound Import Table. It is still undocumented though. – user1658887 Sep 18 '12 at 00:55
  • It would be my pleasure to take a look at your image. Can you provide (send?) it? – mox Sep 18 '12 at 06:38