Which parts/sections of PE files (.exe .dll) contain most of their behaviours?

    Question

  • I'm doing Windows malware research using machine learning methods. I read about the PE format and, using dumpbin, found that there are many parts in it, e.g. .idata, .edata, .pdata, .data, .rdata, .sxdata, .text, .rsrc, .tls... But not all of them are used for actions/behaviours. I just care about their behaviours and want to reduce the large amount of data before the next steps. Thanks
    Tuesday, March 21, 2017 12:27 AM

Answers

  • Hi duy thao,

    thanks for posting here.

    >>I just care about their behaviours and to reduce the large data before the next steps.

    What do you mean by behaviours?

    The PE file format is made up of IMAGE_DOS_HEADER, IMAGE_NT_HEADERS (IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER), IMAGE_SECTION_HEADERS and the sections themselves. You can find the details of the PE file format structures in Winnt.h.

    Here is a document about the details of the Portable Executable file format itself.

    https://blogs.msdn.microsoft.com/coreinternals/2009/01/19/portable-executable-file-format-on-memory-dump/

    You can find more about the PE format on the page below.

    http://msdn.microsoft.com/en-us/library/ms809762.aspx

    Hope this could be of help to you.

    Best Regards,

    Sera Yu


    MSDN Community Support

    • Marked as answer by duy thao Tuesday, March 21, 2017 7:50 AM
    Tuesday, March 21, 2017 6:56 AM
    Moderator
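Added example (not code from the thread or from Microsoft): a stdlib-only walker over the structures the answer names, IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and the IMAGE_SECTION_HEADER array, as laid out in Winnt.h. It decides which sections hold code from the Characteristics flags (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE) rather than from section names, because names such as .text or .rdata are just conventions and packers rename them freely. It also flags sections that are both writable and executable, a common trait of packed or self-modifying samples. The PE image used as input is constructed inline as a fixture and is not a real binary; the IMAGE_SCN_* values and structure layouts are the documented Winnt.h ones.

```python
"""Minimal PE section walker: which sections of an .exe/.dll actually hold code?"""
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (Winnt.h)
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

IMAGE_FILE_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
IMAGE_SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # IMAGE_OPTIONAL_HEADER.Magic


def parse_sections(data: bytes):
    """Return (optional-header magic, list of section dicts) for a PE file image."""
    # IMAGE_DOS_HEADER: e_magic ("MZ") at offset 0, e_lfanew at offset 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    # IMAGE_FILE_HEADER directly follows the 4-byte signature
    fh = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    # IMAGE_OPTIONAL_HEADER: only Magic is needed here to distinguish PE32 from PE32+
    opt = fh + IMAGE_FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # The section table starts right after the optional header; SizeOfOptionalHeader tells us where
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * IMAGE_SECTION_HEADER_SIZE
        if off + IMAGE_SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _rel, _lin, _nrel, _nlin, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": chars,
            # flags, not names, tell you what a section is for
            "code": bool(chars & IMAGE_SCN_CNT_CODE),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return magic, sections


def code_sections(data: bytes):
    """Sections worth keeping for behaviour-oriented features: anything marked code or executable."""
    _, secs = parse_sections(data)
    return [s["name"] for s in secs if s["code"] or s["executable"]]


def writable_executable_sections(data: bytes):
    """Sections that are both writable and executable (typical of packers and self-modifying code)."""
    _, secs = parse_sections(data)
    return [s["name"] for s in secs if s["writable"] and s["executable"]]


def build_sample_pe() -> bytes:
    """Constructed fixture (not a real binary): minimal PE32 headers with three sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers right after DOS header
    opt_size = 0xE0                                     # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", PE32_MAGIC) + b"\0" * (opt_size - 2)

    def sh(name, va, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)

    secs = (sh(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
            + sh(b".rdata", 0x2000, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
            + sh(b"UPX1", 0x3000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + secs


if __name__ == "__main__":
    image = build_sample_pe()
    magic, sections = parse_sections(image)
    print(f"optional header magic: {magic:#x}")
    for s in sections:
        flags = ("X" if s["executable"] else "-") + ("W" if s["writable"] else "-") + ("C" if s["code"] else "-")
        print(f"{s['name']:<8} va={s['virtual_address']:#07x} raw={s['raw_size']:#06x} {flags}")
    print("code-bearing sections:", code_sections(image))
    print("W+X sections:", writable_executable_sections(image))
```

Run it against a real file with `parse_sections(open(path, "rb").read())`. Note the fixture's third section: it carries no CNT_CODE bit and has a packer-style name, yet it is executable and writable, so a pipeline that kept only sections named .text would miss exactly the region where a packed sample's unpacked code ends up.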