Difference between revisions of "Executable"

From ForensicsWiki
Jump to: navigation, search
(DBG, PDB)
(External Links)
 
(13 intermediate revisions by the same user not shown)
Line 6: Line 6:
 
* Scripts; e.g. shell scripts, batch scripts (.bat)
 
* Scripts; e.g. shell scripts, batch scripts (.bat)
 
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
** EFI fat binary; roughly a 48-byte header and 2x MZ-PE/COFF
 
* ELF
 
* ELF
 
* Mach-O
 
* Mach-O
Line 11: Line 12:
 
== External Links ==
 
== External Links ==
 
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
 
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
 +
* [http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/ Anatomy of a Program in Memory], by Gustavo Duarte, January 27, 2009
 +
* [ftp://ftp.cs.wisc.edu/paradyn/papers/Rosenblum10prov.pdf Extracting Compiler Provenance from Program Binaries], by Nathan E. Rosenblum, Barton P. Miller, Xiaojin Zhu, June 2010
 +
* [http://duartes.org/gustavo/blog/post/journey-to-the-stack/ Journey to the Stack, Part I], by Gustavo Duarte, March 10, 2014
 +
 +
=== ELF ===
 +
* [http://robinhoksbergen.com/papers/howto_elf.html Manually Creating an ELF Executable], by Robin Hoksbergen
  
 
=== MZ, PE/COFF ===
 
=== MZ, PE/COFF ===
Line 19: Line 26:
 
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
 
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
 
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012
 
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
 
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
  
Line 30: Line 38:
 
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
 
 
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
 
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
+
* [http://moyix.blogspot.com/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
 +
 
 +
=== Minidump ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms680378(v=vs.85).aspx MSDN: MINIDUMP_HEADER structure]
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h], by [[Google]], 2006
 +
* [http://moyix.blogspot.com/2008/05/parsing-windows-minidumps.html Parsing Windows Minidumps], by [[Brendan Dolan-Gavitt]], May 7, 2008
 +
* [http://web.archive.org/web/20110814041817/http://www.stackhash.com/blog/post/Format-of-a-minidump-(mdmp)-file.aspx Format of a minidump (mdmp) file], Internet Archive: StackHash blog, May 16, 2011
  
 
=== Mach-O ===
 
=== Mach-O ===
 
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
 
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
 +
 +
=== Packers ===
 +
* [http://www.woodmann.com/crackz/Packers.htm Packers & Unpackers]
  
 
== Tools ==
 
== Tools ==
Line 44: Line 60:
 
=== PDB ===
 
=== PDB ===
 
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
 
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
 +
 +
=== Minidump ===
 +
* [http://support.microsoft.com/kb/315271 Dumpchk.exe], by [[Microsoft]]
 +
* [http://amnesia.gtisc.gatech.edu/~moyix/minidump.py minidump.py], by [[Brendan Dolan-Gavitt]]

Latest revision as of 15:21, 28 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
    • EFI fat binary; roughly a 48-byte header and 2x MZ-PE/COFF
  • ELF
  • Mach-O

External Links

ELF

MZ, PE/COFF

DBG, PDB

Minidump

Mach-O

Packers

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)

Minidump

Retrieved from "http://forensicswiki.org/index.php?title=Executable&oldid=14037"