Windows is revolutionary in personal computers. It brought multitasking and multiprocessing to our personal computers. We are now able to surf the Internet, listen to MP3 and use a word processor at the same time! Before this, there was the dark age of DOS (Disk Operating System), which was single tasking. One could run only one program at a time (ok, there were some TSR programs, but that's another story). So if you wanted to play a game and then write a document, you had to terminate the game and run the word processor. There were many limitations of course in the hardware devices that were supported, Internet capabilities, available memory to programs, etc.

Windows brought the user closer to the PC. And it did this by introducing an open architecture to the developers. Windows programmers now have common guidelines on how to create their programs. In DOS, each program had (if it had one) a different user interface. Some used the mouse, some didn't. Anyway, the similarities were few if any. Now with Windows, no matter what application we are using, we expect certain features to exist and behave as expected. Consider the caption bar of any window, the click buttons, the check boxes etc.

Therefore, the user can easily control any Windows application. But how is it possible that a programmer can use the same type of buttons (sometimes with slight variations)? Windows comes with the API (Application Programming Interface), which consists of hundreds of functions, available to any Windows program. Most of the API functions are coded in DLLs (Dynamic Link Libraries) and the programmer can use them if he links his program to these DLLs.
Chapter 3: Windows Anatomy
The only problem is that the API changes as Windows changes. New functions are introduced, bugs are fixed, old functions become obsolete. For that reason, a program that worked well with Windows 95 may not work well, or at all, with Windows ME. API changes arrive in three ways:
- Windows upgrades (i.e. Win 95 to Win 2000)
- Windows updates (i.e. Win 95 to Win 95b)
- Service packs (i.e. Win 2000 to Win 2000 sp1)
Detailed information about the API can be found on the Microsoft Platform SDK web site (http://www.microsoft.com/msdownload/platformsdk/setuplauncher.asp). There you can download for free and use the latest edition of the Platform SDK, which includes detailed
location. A file like this is fragmented, and when we defragment the hard disk we join all the pieces of fragmented files like this.

To access (read or write) the hard drive (or the floppy disk, CD-ROM, DVD), a programmer has to resort to the Windows API and perform this access via the operating system. However, certain operations (illegally formatting sectors, unmarking bad clusters, etc.) require direct access. This is rather simple with assembly; under Win9x and Windows ME the VWIN32.VXD driver must be used, or the equivalent direct-access API under Windows NT and Windows 2000.

3.3 File Anatomy

Each file, no matter its contents, has a purpose. It may be an executable file, a media file (image, cursor, icon, sound, MIDI, etc.), a text file, an application-specific file (like a Corel Draw file, Excel document, PowerPoint presentation, etc.) or anything else the user and programmer may want and need.

It is important and necessary that the operating system is aware of which application it should use to process a certain file. The concept of file extensions (the part of the filename which comes after the full stop) was created to assist the OS and the users in identifying a file. Consider the filename "mykids.jpg". The extension jpg informs us that we should expect a JPEG image file, which should be processed by an image viewer/editor.

What happens if we change this extension from jpg to bmp? Sure, they are both image files, but the operating system will *think* that this is a bmp file. It's up to the application to understand that this file is not a bitmap, but a JPEG. Also, consider the following: the three files logo.sys, logos.sys and logow.sys are image files (the startup and shutdown logo screens in Windows) and have the same extension as msdos.sys, which is a text file. Still, clever programs like ACDSee can identify that logo.sys is an image file, while msdos.sys is not. So there has to be something more.
Most files come with a header (apart from plain ASCII files). The header is a small part that resides at the beginning of the file and contains information regarding its contents. For example, every executable starts with MZ (the old DOS format) and contains a small loader that can operate in DOS. Thus, if we try to execute a Windows file under DOS, an error message will appear, indicating "This program cannot be run in DOS mode", and inform the user that he should run the program in Windows.
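As an added example (written for this page, not code from the chapter), the following C program classifies a file by its header bytes rather than by its extension and flags the mismatch described above: a JPEG renamed to .bmp, a text msdos.sys beside a bitmap logo.sys, and an MZ executable. The sample headers are constructed inline, not read from real files.

```c
/* Added example, not from the original chapter: identify a file by its header
 * bytes instead of trusting its extension. Sample headers are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { T_UNKNOWN, T_JPEG, T_BMP, T_MZ_EXE, T_TEXT } ftype;

const char *type_name(ftype t) {
    switch (t) {
    case T_JPEG:   return "jpeg";
    case T_BMP:    return "bmp";
    case T_MZ_EXE: return "mz-exe";
    case T_TEXT:   return "text";
    default:       return "unknown";
    }
}

/* Classify by the magic bytes at the start of the buffer. */
ftype identify_by_header(const unsigned char *buf, size_t len) {
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF) return T_JPEG;
    if (len >= 2 && buf[0] == 'B' && buf[1] == 'M') return T_BMP;
    if (len >= 2 && buf[0] == 'M' && buf[1] == 'Z') return T_MZ_EXE;
    if (len == 0) return T_UNKNOWN;
    /* Plain ASCII files have no header: accept only printable bytes and whitespace. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c != '\r' && c != '\n' && c != '\t' && (c < 0x20 || c >= 0x7F)) return T_UNKNOWN;
    }
    return T_TEXT;
}

/* What the extension claims. ".sys" is deliberately absent: it is ambiguous
 * (logo.sys is a bitmap, msdos.sys is text), which is exactly the chapter's point. */
ftype identify_by_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (!dot) return T_UNKNOWN;
    if (!strcmp(dot, ".jpg") || !strcmp(dot, ".jpeg")) return T_JPEG;
    if (!strcmp(dot, ".bmp")) return T_BMP;
    if (!strcmp(dot, ".exe") || !strcmp(dot, ".dll")) return T_MZ_EXE;
    if (!strcmp(dot, ".txt")) return T_TEXT;
    return T_UNKNOWN;
}

/* 1 when the extension claims a type that the header contradicts. */
int extension_mismatch(const char *name, const unsigned char *buf, size_t len) {
    ftype e = identify_by_extension(name), h = identify_by_header(buf, len);
    return e != T_UNKNOWN && h != e;
}

/* Constructed sample headers (first bytes only). */
const unsigned char jpeg_hdr[]  = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F' };
const unsigned char bmp_hdr[]   = { 'B', 'M', 0x36, 0x00, 0x00, 0x00, 0x00, 0x00 };
const unsigned char mz_hdr[]    = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };
const char          msdos_sys[] = "[Paths]\r\nWinDir=C:\\WINDOWS\r\n";

int main(void) {
    const unsigned char *txt = (const unsigned char *)msdos_sys;
    printf("mykids.jpg  -> %s\n", type_name(identify_by_header(jpeg_hdr, sizeof jpeg_hdr)));
    printf("mykids.bmp (renamed JPEG) mismatch: %d\n",
           extension_mismatch("mykids.bmp", jpeg_hdr, sizeof jpeg_hdr));
    printf("logo.sys    -> %s\n", type_name(identify_by_header(bmp_hdr, sizeof bmp_hdr)));
    printf("msdos.sys   -> %s\n", type_name(identify_by_header(txt, sizeof msdos_sys - 1)));
    printf("notepad.exe -> %s\n", type_name(identify_by_header(mz_hdr, sizeof mz_hdr)));
    return 0;
}
```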
3.3.1 File Header

The format of an operating system's executable file is in many ways a mirror of the operating system's built-in assumptions and behaviors. Although studying the ins and outs of an executable file format isn't something that usually appears high on most programmers' list of things to do, a great deal of useful knowledge about the operating system can be gleaned from doing this. Dynamic linking, loader behavior, and memory management are just three examples of operating system specifics that can be inferred by studying the executable format.

To understand how the Windows 9x, NT, 2000 or ME kernel works, you need to understand the PE format: it's that simple. And of course we do need to understand these kernels, since we are going to be involved in reversing them!

It's common knowledge that Windows NT (the first of the Win32 operating systems) has a VAX VMS and UNIX heritage. Many of the key NT developers designed and coded for those platforms before coming to Microsoft. When it came time to design NT, it was only natural that they tried to minimize their bootstrap time by using previously written and tested tools. The executable and object module format that these tools produced and worked with is called COFF (Common Object File Format).

The relatively old (in computer years) nature of COFF can be seen in the fact that certain fields in the files are specified in octal format. The COFF format by itself was a good starting point, but needed to be extended to meet all the needs of a modern operating system such as Windows NT or Windows 95. The result of this updating is the
PE (remember, this stands for Portable Executable) format. It's called portable because all the implementations of NT on various platforms (Intel 386, MIPS, Alpha, PowerPC, and so on) use the same executable format. Sure, there are differences in things such as the binary encoding of CPU instructions. You can't run a MIPS-compiled PE executable on an Intel system. However, the important thing is that the operating system loader and programming tools don't have to be completely rewritten for each new CPU that arrives on the scene.

The strength of Microsoft's commitment to get Windows NT up and running quickly is evidenced by the fact that it abandoned existing Microsoft 32-bit tools and file formats. Virtual device drivers written for Windows 3.x were using a different 32-bit file layout (the LE format) long before NT appeared on the scene. In a testimonial to the "if it ain't broke, don't fix it" nature of Windows, Windows 95 uses both the PE format and the LE format. This allowed Microsoft to use existing Windows 3.x code in a big way.

Although it's reasonable to expect a completely new operating system (Windows NT, that is) to have a completely different executable format, it's a different story when it comes to object module (.OBJ and .LIB) formats. Before Visual C++ 32-bit edition 1.0, all Microsoft compilers used the Intel OMF (Object Module Format) specification. The Microsoft compilers for Win32 implementations produce COFF format OBJ files. Some Microsoft competitors such as Borland have chosen to forego the COFF format OBJs and stick with the Intel OMF format. The result of this is that companies producing OBJs or LIBs for use with multiple compilers will need to go back to distributing separate versions of their products for different compilers (if they weren't already).

Those of you who like to read conspiracy into Microsoft's actions might see the decision to change OBJ formats as evidence of Microsoft trying to hinder its competitors. To claim true Microsoft "compatibility" down to the OBJ level, other vendors will need to convert all their 32-bit tools over to the COFF OBJ and LIB formats. In short, the OBJ and LIB file format can be viewed as yet another example of Microsoft abandoning existing standards in favor of something that suits it better.
3.3.2 Into PE Format

The PE format is documented (in the loosest sense of the word) in the WINNT.H header file, along with certain structure definitions for COFF format OBJs. (I'll be using the field names from WINNT.H later in the chapter.) About midway through WINNT.H is a section titled "Image Format." This section of the file starts out with small tidbits from the old familiar DOS MZ format and NE format headers before moving into the newer PE information. WINNT.H provides definitions of the raw data structures used by PE files, but contains only the barest hint of useful comments to explain what the structures and flags mean. The author of the header file for the PE format is certainly a believer in long, descriptive names, along with deeply nested structures and macros. When coding with WINNT.H, it's not uncommon to have expressions like this:

    pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress;

Besides just reading about what PE files are composed of, you'll also want to dump out some PE files to see for yourself the concepts presented here. If you use Microsoft tools for Win32 development, the DUMPBIN program from Visual C++ and the Win32 SDK can dissect and output PE files and COFF OBJ/LIB files in human-readable form. DUMPBIN even has a nifty option to disassemble the code sections in the file it's taking apart. In light of Microsoft's claims that you're not allowed to disassemble its products, it's pretty interesting that it would provide a tool that makes it so easy to disassemble its programs and DLLs. If the ability to disassemble EXEs and OBJs wasn't useful, why would Microsoft have bothered to add this feature to DUMPBIN? It sure sounds like another case of "Do as we say, not as we do."

We'll use the term module to mean the code, data, and resources of an executable file or DLL that has been loaded into memory. Besides code and data that your program uses directly, a module is also composed of the supporting data used by Windows to determine where the code and data is located in memory.
In Win16, the supporting data structures are in the module database (the segment referred to by an HMODULE). In Win32, this information is kept in the PE header (the IMAGE_NT_HEADERS structure), which we'll explain in detail shortly.

The most important thing to know about PE files is that the executable file on disk is very similar to what the module will look like after Windows has loaded it. That's because the Windows loader doesn't need to work extremely hard to create a process from the disk file. Rather, the loader can take it easy and use Win32 memory-mapped files to load the appropriate pieces of the PE file into a program's address space. To use a construction analogy, a PE file is like a prefabricated house: there are relatively few pieces, and each piece can be snapped into place with just a small amount of work. And, just as it's fairly easy to hook up the electricity and water connections in a prefab house, it's also a simple matter to wire a PE file up to the rest of the world (that is, connect it to its DLLs, and so on).

This same ease of loading applies to DLLs as well. Once an .EXE or .DLL module has been loaded, Windows can effectively treat it like any other memory-mapped file. This is in marked contrast to the situation in 16-bit Windows. The 16-bit NE file loader reads in portions of the file and creates separate data structures to represent the module in memory. When a code or data segment needs to be loaded, the loader has to allocate a new segment from the global heap, find where the raw data is stored in the executable file, seek to that location, read in the raw data, and apply any applicable fix-ups. In addition, each 16-bit module is responsible for remembering all the selectors it's currently using, whether the segment has been discarded, and so on.

For Win32, however, all the memory used by the module for code, data, resources, import tables, export tables, and other things is in one contiguous range of linear address space. All you need to know in this situation is the address where the loader mapped the executable file into memory. You can then easily find all the various pieces of the module by following pointers stored as part of the image.
Another idea you should be acquainted with before we start is the Relative Virtual Address, or RVA. Many fields in PE files are specified in terms of RVAs. An RVA is simply the offset of some item, relative to where the file is memory-mapped. For example, let's say the Windows loader mapped a PE file into memory starting at address 0x400000 in the virtual address space. If a certain table in the image starts at address 0x401464, the table's RVA is 0x1464:

    (virtual address 0x401464) - (base address 0x400000) = RVA 0x1464

To convert an RVA into a usable pointer to memory, simply add the RVA to the base address where the module was loaded. The term base address is another important concept to remember. A base address describes the starting address of a memory-mapped EXE or DLL. For convenience, Windows NT and Windows 95 use the base address of a module as the module's instance handle (HINSTANCE). In Win32,
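As an added example (hand-written for this page, not the chapter's code), the C program below walks a PE image the way the text describes: it follows e_lfanew from the MZ header to the "PE\0\0" signature, reads ImageBase and SizeOfImage from the optional header, and converts between RVAs and virtual addresses with the bounds checks a loader needs because e_lfanew is untrusted input. The header offsets are a hand-copied PE32 subset of the WINNT.H layout, and the image bytes are constructed by build_sample_image() rather than read from a real file.

```c
/* Added example, not from the original chapter: walk a PE image's headers the
 * way the loader does and convert between RVAs and virtual addresses. Offsets
 * are a hand-copied PE32 subset of the WINNT.H layout; the image bytes are
 * constructed by build_sample_image(), not read from a real file. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DOS_MAGIC    0x5A4D      /* "MZ", IMAGE_DOS_HEADER.e_magic */
#define PE_SIGNATURE 0x00004550  /* "PE\0\0", IMAGE_NT_HEADERS.Signature */
#define PE32_MAGIC   0x10B       /* IMAGE_OPTIONAL_HEADER32.Magic */

/* Byte offsets within the headers for PE32 (from WINNT.H). */
enum { OFF_E_LFANEW = 0x3C, DOS_HDR_SIZE = 0x40, FILE_HDR_SIZE = 20, OPT_HDR_SIZE = 224,
       OPT_MAGIC = 0, OPT_ENTRY = 16, OPT_IMAGE_BASE = 28, OPT_SIZE_OF_IMAGE = 56 };

typedef struct {
    uint32_t image_base;     /* IMAGE_OPTIONAL_HEADER.ImageBase */
    uint32_t size_of_image;  /* IMAGE_OPTIONAL_HEADER.SizeOfImage */
    uint32_t entry_rva;      /* IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint */
} pe_info;

/* Little-endian readers/writers, so nothing depends on struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 0 on success, negative on a malformed header. e_lfanew comes from the file,
 * so every offset derived from it is bounds-checked before it is read. */
int parse_pe(const uint8_t *img, size_t len, pe_info *out) {
    if (len < DOS_HDR_SIZE || rd16(img) != DOS_MAGIC) return -1;
    uint32_t lfanew = rd32(img + OFF_E_LFANEW);
    if (lfanew > len || len - lfanew < 4 + FILE_HDR_SIZE + OPT_SIZE_OF_IMAGE + 4) return -2;
    if (rd32(img + lfanew) != PE_SIGNATURE) return -3;
    const uint8_t *opt = img + lfanew + 4 + FILE_HDR_SIZE;
    if (rd16(opt + OPT_MAGIC) != PE32_MAGIC) return -4;
    out->entry_rva     = rd32(opt + OPT_ENTRY);
    out->image_base    = rd32(opt + OPT_IMAGE_BASE);
    out->size_of_image = rd32(opt + OPT_SIZE_OF_IMAGE);
    return 0;
}

/* RVA -> VA: add the base address. Returns 0 if the RVA lies outside the image. */
uint32_t rva_to_va(const pe_info *pe, uint32_t rva) {
    return rva < pe->size_of_image ? pe->image_base + rva : 0;
}

/* VA -> RVA: subtract the base address. *ok is cleared if the VA is outside. */
uint32_t va_to_rva(const pe_info *pe, uint32_t va, int *ok) {
    *ok = va >= pe->image_base && va - pe->image_base < pe->size_of_image;
    return *ok ? va - pe->image_base : 0;
}

/* Build a minimal constructed PE32 header image (MZ header, PE signature, file
 * header, optional header) using the chapter's 0x400000 base and 0x1464 RVA. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    const uint32_t lfanew = 0x80;
    size_t need = lfanew + 4 + FILE_HDR_SIZE + OPT_HDR_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr16(buf, DOS_MAGIC);
    wr32(buf + OFF_E_LFANEW, lfanew);
    wr32(buf + lfanew, PE_SIGNATURE);
    uint8_t *opt = buf + lfanew + 4 + FILE_HDR_SIZE;
    wr16(opt + OPT_MAGIC, PE32_MAGIC);
    wr32(opt + OPT_ENTRY, 0x1464);
    wr32(opt + OPT_IMAGE_BASE, 0x400000);
    wr32(opt + OPT_SIZE_OF_IMAGE, 0x6000);
    return need;
}
```

Calling build_sample_image() into a 512-byte buffer and then parse_pe() yields ImageBase 0x400000, so rva_to_va() on the 0x1464 entry RVA returns 0x401464, matching the subtraction shown above in reverse.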