Difference between revisions of "Executable"
From ForensicsWiki
Revision by Joachim Metz (Talk | contribs) (→DBG, PDB) compared with the revision by Joachim Metz (Talk | contribs) (→External Links); 13 intermediate revisions by the same user not shown.
Latest revision as of 15:21, 28 June 2014
An executable file is a file whose content is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries, although, strictly speaking, binaries are a subclass of executable files.
There are multiple families of executable files:
- Scripts, e.g. shell scripts and batch scripts (.bat)
- DOS and Windows executable files (.exe), which come in several formats such as MZ, PE/COFF and NE
  - EFI fat binary: roughly a 48-byte header followed by two MZ-PE/COFF images
- ELF
- Mach-O
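As an added example (not from this wiki page or from any project it links to), the following script shows how a forensic triage tool can tell the families listed above apart from their leading bytes: shebang scripts, MZ images and the PE/COFF or NE image an MZ header points to, ELF, and Mach-O. The magic values and header offsets are the documented ones from the public PE/COFF, ELF and Mach-O references; the sample headers are constructed inline and are not real files. The EFI fat binary is left out because the page gives no identifying bytes for it.

```python
"""Identify the executable family of a blob from its header bytes (added example)."""
import struct

# Constants from the public PE/COFF, ELF and Mach-O format references.
PE_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
PE_OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}
MACHO_MAGIC = {            # values as read little-endian from the first 4 bytes
    0xFEEDFACE: "Mach-O 32-bit",
    0xFEEDFACF: "Mach-O 64-bit",
    0xCEFAEDFE: "Mach-O 32-bit (big-endian)",
    0xCFFAEDFE: "Mach-O 64-bit (big-endian)",
}


def identify(data: bytes) -> str:
    """Classify the executable family from the leading bytes of *data*."""
    if data[:2] == b"#!":
        return "script"
    if data[:4] == b"\x7fELF":
        # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        return {b"\x01": "ELF 32-bit", b"\x02": "ELF 64-bit"}.get(data[4:5], "ELF (unknown class)")
    if len(data) >= 4:
        word = struct.unpack("<I", data[:4])[0]
        if word in MACHO_MAGIC:
            return MACHO_MAGIC[word]
        if data[:4] == b"\xca\xfe\xba\xbe":
            # FAT_MAGIC; Java class files share these bytes, so a caller should
            # sanity-check the nfat_arch count before trusting this verdict.
            return "Mach-O fat (universal) binary"
    if data[:2] == b"MZ":
        return _identify_mz(data)
    return "unknown"


def _identify_mz(data: bytes) -> str:
    """Follow e_lfanew from the DOS header to the PE/COFF or NE header."""
    if len(data) < 0x40:
        return "MZ (DOS, header truncated)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A plain DOS program has no NT header, and a carved fragment may point
    # past the end of the data; both are reported as bare MZ instead of crashing.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return "MZ (DOS)"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "NE"
    if sig != b"PE\0\0":
        return "MZ (DOS)"
    if e_lfanew + 26 > len(data):
        return "PE/COFF (headers truncated)"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]     # COFF Machine
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header Magic
    return "PE/COFF (%s, %s)" % (PE_OPT_MAGIC.get(opt_magic, "opt 0x%x" % opt_magic),
                                  PE_MACHINES.get(machine, "machine 0x%x" % machine))


def mz_stub(e_lfanew: int) -> bytes:
    """Constructed 64-byte DOS header carrying the given e_lfanew value."""
    return b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)


def pe_sample(machine: int, opt_magic: int) -> bytes:
    """Constructed MZ + PE signature + 20-byte COFF header + optional header magic."""
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, 0x22)
    return mz_stub(0x40) + b"PE\0\0" + coff + struct.pack("<H", opt_magic) + bytes(30)


# Constructed sample headers, one per family discussed on the page.
SAMPLES = {
    "shell script": b"#!/bin/sh\necho constructed sample\n",
    "elf64": b"\x7fELF\x02\x01\x01" + bytes(57),
    "macho64": struct.pack("<I", 0xFEEDFACF) + bytes(28),
    "pe32plus": pe_sample(0x8664, 0x20B),
    "pe32": pe_sample(0x014C, 0x10B),
    "ne": mz_stub(0x40) + b"NE" + bytes(62),
    "dos": mz_stub(0) + bytes(64),
    "carved fragment": mz_stub(0x4000),   # e_lfanew points beyond the data
    "junk": b"\x00\x01\x02\x03",
}


def identify_samples() -> dict:
    """Run identify() over every constructed sample."""
    return {name: identify(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in identify_samples().items():
        print(f"{name:16} -> {verdict}")
```

The checks stop at the headers, so a verdict says which container format the bytes claim to be, not that the file is well-formed or that its sections are intact; the bounds checks in `_identify_mz` are there precisely because carved or truncated MZ fragments routinely carry an `e_lfanew` that points outside the data.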
== External Links ==
- Wikipedia: Executable
- Anatomy of a Program in Memory, by Gustavo Duarte, January 27, 2009
- Extracting Compiler Provenance from Program Binaries, by Nathan E. Rosenblum, Barton P. Miller, Xiaojin Zhu, June 2010
- Journey to the Stack, Part I, by Gustavo Duarte, March 10, 2014

=== ELF ===
- Manually Creating an ELF Executable, by Robin Hoksbergen

=== MZ, PE/COFF ===
- Wikipedia: Portable Executable
- Microsoft PE and COFF Specification
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format, by Matt Pietrek, March 1994
- Under the Hood, by Matt Pietrek, July 1997
- An In-Depth Look into the Win32 Portable Executable File Format, by Matt Pietrek, February 2002
- MZ, PE-COFF executable file format (EXE), by the libexe project, October 2011
- Carving up EFI fat binaries, by snare, February 24, 2012
- The Internal of Reloc .text, Full Disclosure mailing list, October 21, 2013

=== DBG, PDB ===
- Wikipedia: Program database
- Matching Debug Information, by debuginfo.com
- Description of the .PDB files and of the .DBG files, by Microsoft
- Public and Private Symbols, by Microsoft
- DbgHelp Structures, by Microsoft
- Internet Archive: Microsoft Symbol and Type Information, by Microsoft
- Microsoft Symbol and Type Information
- Stream Descriptions, pdbparse project
- libmsdebug, by the MinGW project
- The Types Stream, by Brendan Dolan-Gavitt, October 4, 2007

=== Minidump ===
- MSDN: MINIDUMP_HEADER structure
- minidump_format.h, by Google, 2006
- Parsing Windows Minidumps, by Brendan Dolan-Gavitt, May 7, 2008
- Format of a minidump (mdmp) file, Internet Archive: StackHash blog, May 16, 2011

=== Mach-O ===
- Wikipedia: Mach-O

=== Packers ===
- Packers & Unpackers

== Tools ==

=== MZ, PE/COFF ===
- pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

=== PDB ===
- pdbparse, open-source parser for Microsoft debug symbols (PDB files)

=== Minidump ===
- Dumpchk.exe, by Microsoft
- minidump.py, by Brendan Dolan-Gavitt