1
00:00:00,180 --> 00:00:03,010
So in this video we'll be seeing about the optional header.

2
00:00:03,030 --> 00:00:08,100
The name says optional, but it's mandatory for executables and DLLs.

3
00:00:09,660 --> 00:00:17,550
So let's see the optional header. Before, we have seen this, uh, header and the DOS stub, and here you can

4
00:00:17,550 --> 00:00:22,140
see the 5045 represents the signature.

5
00:00:22,140 --> 00:00:28,320
So here these four bytes are the signature and the next 20 bytes, uh, specify the file header.

6
00:00:28,410 --> 00:00:35,160
So here in the paper, I have opened this another character that you see because it's generated by Metasploit.

7
00:00:35,160 --> 00:00:42,510
So this file header also gives the same information but in a meaningful format because it's going to

8
00:00:42,510 --> 00:00:44,970
parse the values and give you some meaning.

9
00:00:46,290 --> 00:00:54,630
And the next 20 bytes, so 16 for, so next 20 bytes are the file header, and the next 224 bytes.

10
00:00:54,630 --> 00:00:58,230
So here you will have the file header, size of optional.

11
00:00:58,440 --> 00:01:02,970
So this optional header is the, the size changes.

12
00:01:02,970 --> 00:01:07,140
So the size of this optional header is specified in this file header.

13
00:01:07,680 --> 00:01:10,860
So that is 240.

14
00:01:27,560 --> 00:01:29,290
So you have 240.

15
00:01:29,300 --> 00:01:35,510
So the size of the optional header is 240 bytes, and starting from this point.

16
00:01:38,080 --> 00:01:41,080
And here we have the first member.

17
00:01:41,080 --> 00:01:45,940
So I am at the PIN work, and here you can see if you search for optional header.

18
00:01:45,940 --> 00:01:51,430
We have two structures, IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64.

19
00:01:51,430 --> 00:01:54,430
So for now we'll be dealing with the 64 bits.

20
00:01:55,090 --> 00:01:57,250
It's almost a similar structure.

21
00:01:57,250 --> 00:02:01,420
The only difference you get is the base of data.

22
00:02:01,930 --> 00:02:07,330
So here you can see, uh, the base of code, base of data and image base.

23
00:02:07,330 --> 00:02:18,940
So these are the members, and this image, image base is the base address, preferred or assumed base address

24
00:02:18,940 --> 00:02:20,170
of this executable.

25
00:02:20,410 --> 00:02:26,560
So that means this image base value in the optional header, let's say, uh, where is this one?

26
00:02:28,780 --> 00:02:31,110
So this 14 zeros.

27
00:02:31,120 --> 00:02:40,240
So this address is assumed as the base address, and the compiler will give you that basis for the hardcoded

28
00:02:40,480 --> 00:02:41,110
values.

29
00:02:41,110 --> 00:02:42,730
Suppose there are some.

30
00:02:44,550 --> 00:02:45,050
Uh.

31
00:02:47,420 --> 00:02:50,780
Like pointers to some integers.

32
00:02:50,780 --> 00:02:59,870
So let's say those pointers will get the value from this image base, and if this executable is loaded

33
00:02:59,870 --> 00:03:06,410
at another image base, then you need to fix those addresses.

34
00:03:06,410 --> 00:03:13,430
So that will be using the, we'll be fixing the base relocations, so we'll be talking about that in the

35
00:03:13,580 --> 00:03:14,750
upcoming videos.

36
00:03:14,780 --> 00:03:18,530
So for now, let's, uh, just, uh, follow through this.

37
00:03:18,530 --> 00:03:18,890
Uh.

38
00:03:21,210 --> 00:03:21,990
These members.

39
00:03:21,990 --> 00:03:25,130
So you will get only the difference at this image base.

40
00:03:25,140 --> 00:03:26,490
So here it is four bytes.

41
00:03:26,490 --> 00:03:28,920
You can see field of 28 and 32.

42
00:03:28,920 --> 00:03:30,240
The next member starts.

43
00:03:30,540 --> 00:03:35,250
So the four bytes, and here you don't have the size of a base of data.

44
00:03:35,280 --> 00:03:40,350
You have this image base that is eight bytes because it's a 64 bit.

45
00:03:41,010 --> 00:03:45,000
So the first one is, uh, 002.

46
00:03:45,000 --> 00:03:51,300
And if you go to PE file format and you have this Microsoft website.

47
00:03:55,930 --> 00:03:58,280
And here you can see the magic number.

48
00:03:58,300 --> 00:04:03,880
So this is also a magic number that defines whether the executable is 32 bit or 64.

49
00:04:04,060 --> 00:04:10,280
And here you can see the value is 20B, and it has been parsed and it is 64.

50
00:04:10,300 --> 00:04:14,410
So this will be using this number to.

51
00:04:15,640 --> 00:04:19,390
Identify whether it's a 32 bit or 64 bit executable.

52
00:04:21,350 --> 00:04:30,290
And the next one is, uh, linker versions and the size of code, size of all code sections.

53
00:04:30,920 --> 00:04:37,520
So generally there will be, or the code will be merged into the one section, .text section.

54
00:04:37,520 --> 00:04:48,890
If you have multiple sections, then all of those sizes combined will be told here, and so is the

55
00:04:49,010 --> 00:04:50,150
initialized data.

56
00:04:50,150 --> 00:04:56,090
If there is, there is any initialized data, and each is an uninitialized data, and entry point.

57
00:04:56,090 --> 00:05:03,640
So this one is also, uh, important, this is the offset to this base address.

58
00:05:03,650 --> 00:05:04,430
Where is this one?

59
00:05:05,330 --> 00:05:09,920
So if you go and click here, this will point directly to this one.

60
00:05:09,920 --> 00:05:16,160
And this is the entry point, execution of the first instruction.

61
00:05:16,410 --> 00:05:16,760
Okay.

62
00:05:18,130 --> 00:05:21,220
And the base of code and image base.

63
00:05:21,220 --> 00:05:22,540
So this.

64
00:05:24,120 --> 00:05:26,040
Is the preferred image base.

65
00:05:26,700 --> 00:05:27,540
Will we see?

66
00:05:27,570 --> 00:05:31,920
We'll be loading our executable in the, uh, some random image base.

67
00:05:31,920 --> 00:05:35,160
And we also fix imports and base relocations.

68
00:05:35,610 --> 00:05:37,130
And this is the section alignment.

69
00:05:37,140 --> 00:05:39,270
So this is also important.

70
00:05:40,580 --> 00:05:41,150
So what?

71
00:05:41,150 --> 00:05:43,550
This section alignment means.

72
00:05:47,350 --> 00:05:48,950
Section alignment value is 1000.

73
00:05:48,970 --> 00:05:54,880
So that means each section should start at multiples of this 1000 hexadecimal only.

74
00:05:54,910 --> 00:06:02,530
Suppose if there is a section .text1 and it starts at 2000H.

75
00:06:03,640 --> 00:06:05,940
So, and the size.

76
00:06:07,360 --> 00:06:11,470
Of .text1 section is only.

77
00:06:15,280 --> 00:06:19,060
I'd say 500 hexadecimal, uh, bytes, so.

78
00:06:20,530 --> 00:06:30,760
Then if there is another .text2 section, this section should not start at 2501, it

79
00:06:30,760 --> 00:06:39,880
should start at 3000H because of the multiples of, uh, this 1000H, uh, that is the rule for the section

80
00:06:39,880 --> 00:06:40,240
alignment.

81
00:06:40,240 --> 00:06:41,980
So this is called section alignment.

82
00:06:42,040 --> 00:06:46,930
The sections should start at the multiples of this value only.

83
00:06:48,140 --> 00:06:49,820
In the same way, file alignment.

84
00:06:49,820 --> 00:06:55,460
So this section alignment is in the memory, and this file alignment is when the file is on the disk.

85
00:06:56,180 --> 00:07:05,120
Or if you go to sections, and here you can see here raw addresses, raw addresses follow this file alignment.

86
00:07:05,120 --> 00:07:07,820
You can see 416 hundred, 8000.

87
00:07:07,820 --> 00:07:10,250
These are all multiples of 200.

88
00:07:13,810 --> 00:07:15,250
So what is major version?

89
00:07:15,280 --> 00:07:18,370
Minor version and subsystem.

90
00:07:22,610 --> 00:07:29,870
And subsystem also tells us whether it's a GUI or a console application, and size of image.

91
00:07:29,870 --> 00:07:40,730
So size of image is the total size of the image in memory, not on disk but in memory, and size of headers.

92
00:07:40,730 --> 00:07:48,080
So size of headers is the total size of all headers combined, except the actual data.

93
00:07:48,080 --> 00:07:55,400
So we have seen DOS header, this DOS stub, and the file header, optional header, section headers.

94
00:07:55,400 --> 00:08:04,310
So if you combine all of these sizes, that is the size of all headers, 248 hexadecimal.

95
00:08:06,410 --> 00:08:08,360
And the DLL characteristics.

96
00:08:09,400 --> 00:08:11,740
And of stack reserve and commit.

97
00:08:13,160 --> 00:08:16,790
And one other important thing is LoaderFlags.

98
00:08:17,060 --> 00:08:22,310
So these flags can be given when you are creating the thread, we'll see there, and LoaderFlags

99
00:08:22,310 --> 00:08:23,390
should be zero.

100
00:08:24,620 --> 00:08:31,670
You can see, uh, if, uh, some malware can have these LoaderFlags set to some, uh, random value.

101
00:08:32,270 --> 00:08:35,030
When this LoaderFlags is set to some random value.

102
00:08:35,280 --> 00:08:38,780
Um, some just run this binary.

103
00:08:38,780 --> 00:08:42,620
So there are all, there is an old version of, uh, dpkg.

104
00:08:42,620 --> 00:08:52,370
Whenever this LoaderFlags is set to some random value, it just runs the executable and you get infected,

105
00:08:52,700 --> 00:08:55,010
a number of, ah, here, and say this.

106
00:08:55,310 --> 00:09:04,910
So up to here we have normal members, and from here onwards, uh, these occupy 128 bytes, I think.

107
00:09:05,970 --> 00:09:07,370
124 bytes.

108
00:09:08,880 --> 00:09:12,840
So you can subtract this 14C - 0.

109
00:09:18,840 --> 00:09:19,370
14.

110
00:09:19,380 --> 00:09:20,160
C minus.

111
00:09:20,160 --> 00:09:20,970
E zero.

112
00:09:23,840 --> 00:09:24,580
I think.

113
00:09:24,660 --> 00:09:25,830
148.

114
00:09:44,410 --> 00:09:49,360
So the next are the, the image data directories.

115
00:09:53,330 --> 00:09:57,020
So you can see the values, but it's very impossible.

116
00:10:00,640 --> 00:10:03,550
To attend everything.

117
00:10:03,550 --> 00:10:05,450
Because that's why I'm using this p.

118
00:10:07,770 --> 00:10:12,750
So these are the image data directories, and these are the pairs.

119
00:10:12,750 --> 00:10:17,100
So we have the virtual address and the size of this data directory.

120
00:10:18,900 --> 00:10:20,670
So we can search for this.

121
00:10:23,310 --> 00:10:25,320
Image data directory.

122
00:10:31,120 --> 00:10:36,310
So it means that the data directory contains two members, virtual address and the size.

123
00:10:38,520 --> 00:10:42,770
So there is an export directory, and the virtual address and zero.

124
00:10:42,810 --> 00:10:46,440
So this is the EXE, and EXE does not do any export.

125
00:10:46,440 --> 00:10:47,700
So that's why we.

126
00:10:49,760 --> 00:10:56,140
I don't have any exports, and the import directory, so the executable imports something, imports some functions

127
00:10:56,140 --> 00:11:03,130
from the DLLs, and the starting import will be pointed to this one.

128
00:11:03,130 --> 00:11:13,030
So that import is import, uh, descriptor, and the first, uh, import descriptor will be pointed by this

129
00:11:13,030 --> 00:11:13,600
address.

130
00:11:13,750 --> 00:11:20,740
And if you go to this one and you go to this exact, uh, structure, so we'll be parsing this, uh,

131
00:11:20,740 --> 00:11:28,300
later, just for now, uh, understand that this points to the first, uh, uh, image import descriptor.

132
00:11:29,070 --> 00:11:40,410
And the size of this directory, the, the C, six C, and we have zero, so that is, we don't, that is, there

133
00:11:40,410 --> 00:11:45,600
are no those directories, and we have a base relocation table.

134
00:11:46,780 --> 00:11:56,110
Uh, we, we will also be parsing, uh, and updating the base addresses, and we have import address table.

135
00:11:56,110 --> 00:11:58,240
So we are also fixing this one.

136
00:11:59,930 --> 00:12:01,700
So that's all about this optional header.

137
00:12:03,530 --> 00:12:06,980
This is a very important header for the PE file.