The magic behind .exe pt.1 (Intro & big picture).

What is it?

As some may know, .exe stands for executable. Microsoft set this extension forth and has used it from its release of Windows NT onwards. In Windows, the .exe is also known by other names such as Portable Executable (PE) file, PECOFF file, and WIN-PE file; the reason for this will become obvious soon.

An executable file in the Windows world is more than just a bunch of lines of code. The executable file must tell Windows how it would like to be placed, or "mapped", in memory; how big each chunk of memory should be; whether there are any functions it needs to import from other programs or libraries; whether it has any functions to export itself; where code execution starts; whether it is compatible with your version of Windows; and so on. For this reason, explaining the .exe is quite the endeavor, but it's not impossible.

Your .exe should be called .pe.

Terminology time:

  • An "image file" or "image" refers to the .exe file as it sits on disk/ storage. Most of the time, with normal executables/ .exe's, what you see on the hard drive will be very similar to what you see in RAM, but not exactly the same. Hence the need for a term describing the stationary/ unmapped (meaning not in RAM)/ stored state of the file.
  • In the world of executables, an "object" refers to any piece of data that can be referenced, for example: imported functions, exported functions, and resources such as icons, images, pieces of text, etc.
  • In the world of executables and compilers, an "object file" refers to an intermediary file containing code which has not yet been linked into an image.

The PECOFF/ PE/ WIN PE format, which we'll call PE from now on, is a combination of two different formats (I'd argue it's an extension rather than a combination, but I'll let the system architects argue that). The PE of PECOFF stands for "Portable Executable", portable in the sense of being independent of the system architecture. While at the time of writing this article the PE format has yet to see wide adoption outside of Windows, it is completely possible to implement it on other operating systems. An example is ReactOS, an operating system with an emphasis on Windows compatibility, which has its own PE loader. The COFF of PECOFF stands for "Common Object File Format", which describes how objects in the image will be allocated and referenced.
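As an added example (not code from the original post), here is a small Python parser that pulls from a PE image on disk exactly the things an executable must tell Windows: machine type and 32/64-bit flavour from the COFF file header, the image base, entry point, alignments and image size from the optional header, and the section table saying where each chunk of the file lands in memory. The rva_to_file_offset helper shows the disk-versus-RAM difference from the terminology section, and build_sample_pe constructs a minimal, non-functional PE32 image to run against; field offsets follow Microsoft's PE format specification, and all function names here are the example's own.

```python
import struct

def parse_pe(data):
    """Header fields a loader needs, read from a PE image as it sits on disk."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)            # DOS header: offset of the PE header
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                            # 20-byte COFF file header
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                # optional header (PE32 or PE32+)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                             # PE32 (32-bit)
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                           # PE32+ (64-bit): ImageBase widens to 8 bytes
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", data, opt + 16)            # entry point is an RVA, not a file offset
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)   # bytes to reserve for the mapped image
    sections = []
    for i in range(nsections):                                     # section table follows the optional header
        name, vsize, va, rawsize, rawptr, *_, sflags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        if rawptr + rawsize > len(data):                           # refuse sections whose bytes are not in the file
            raise ValueError("section %r points outside the file" % name)
        sections.append(dict(name=name.rstrip(b"\0").decode(), rva=va, vsize=vsize, raw_offset=rawptr, raw_size=rawsize, flags=sflags))
    return dict(machine=machine, is_64bit=magic == 0x20B, image_base=image_base, entry_point=entry,
                section_alignment=sec_align, file_alignment=file_align, size_of_image=size_of_image, sections=sections)

def rva_to_file_offset(pe, rva):
    """Translate an address as it will be in RAM (RVA) back to where those bytes sit on disk."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["raw_offset"] + (rva - s["rva"])
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def build_sample_pe():
    """Constructed minimal PE32 image (headers plus a .text section holding one RET); not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew: PE signature at 0x40
    opt = bytearray(224)                                           # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment (RAM), FileAlignment (disk)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                # SizeOfImage, SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0")                   # .text raw data starts at file offset 0x200
```

Note how the entry point RVA 0x1000 resolves to file offset 0x200: the same bytes live in different places on disk and in RAM because the two alignments differ.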

As with any standardized format, there are rules and bounds which must be respected to function properly. These rules and standards are documented by Microsoft here: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format. In this post we will not be breaking down the specifications (that'll come later).

How does Windows handle .exe's?

When you double-click an executable, explorer.exe (a program handling some of the GUI aspects of your Windows OS) makes a call to the kernel32 function "CreateProcess". This function in turn calls a more hidden and direct API, "NtCreateProcess", located in ntdll.dll, which is part of the PE loader. Running executables from the command prompt or a shell does the same. This can all be observed with tools such as Sysinternals Procmon.

Let's break it down.
