🎥 Analyzing Portable Executable Files with PEStudio

  • Published 19 Dec 2024

Comments

  • @Manavetri 1 year ago +3

    One of the most professional, clearest YouTubers I have ever heard. I appreciate your commitment to sharing your knowledge.
    Thank you

    • @jstrosch 1 year ago

      You are very welcome, thank you for the kind words!

  • @mmm-me4kk 1 year ago +1

    Hello Josh, thank you very much. Quick question: can you consider the "functions" section as the IAT?

    • @jstrosch 1 year ago +1

      Yes, the functions and imports are just mapping the IAT from the file.

  • @sscoconut1265 1 year ago +1

    Why does my hex editor show the offset to the next section as 00 10 00 00 instead of F8 00 00 00?

    • @jstrosch 1 year ago

      That is the offset to the image_nt_headers; it will be different between PE files. I can't say for sure why it's not consistent, but it won't be - you'll see a variety of values here. That is why that value is read and then added to the beginning of the file to locate that section, instead of just locating image_nt_headers without referencing it.

  • @digitalblue8158 2 years ago +3

    Following your tutorial, I'm a budding sec analyst. Some hotlinks to your resources would be helpful. Thanks for the thorough explanations.

    • @jstrosch 2 years ago

      Really glad to hear the explanations have been helpful! I've been hesitant to drop links in the video description because I've received strikes against my account if something flags that content as malicious - which is often the case when I link to tools, etc. I'll try again and maybe even add some links that can't be parsed programmatically but visually. Feel free to DM me as well on LinkedIn or Twitter if I can help with specific questions.

  • @TRYEYTSG 2 years ago

    Hey, when I open PEStudio I can see only 3 categories, any idea why?
    indicators
    virustotal
    strings
    and not much information

    • @jstrosch 1 year ago +1

      Usually that is due to the file you are opening not being a PE file. PEStudio will still provide limited information for non-PE files, as you point out, but it is really designed for those file types. If you are unsure, you can open a terminal on a Mac or Linux and use the file utility; output along the lines of "PE32..." marks the files you are after. Let me know if this helps!

  • @kumarsiddappa6118 1 year ago +1

    Any sample PE file to analyze?

    • @jstrosch 1 year ago

      Any PE file will suffice - that is, a file in Windows with a .exe extension. I've also added the compiled binaries to my "Learning Reverse Engineering" repository on Github - so you can download those as well.

  • @jyotigaur242 2 years ago

    Thank you Josh for this video

    • @jstrosch 2 years ago

      My pleasure! Thank you for the comment :)

  • @trens 2 years ago

    Have you seen Malcat?

    • @jstrosch 2 years ago

      I have heard of it, but haven't had a chance to take a look. Looks really impressive from the website, will definitely check it out soon and maybe even make a video... Thanks for the tip!

  • @omarhabibi4872 2 years ago

    thank you so much

    • @jstrosch 2 years ago +1

      You're welcome, thank you for the comment!

    • @jstrosch 2 years ago

      You’re most welcome!

  • @amadoumane7600 1 year ago +1

    GREAT

    • @jstrosch 1 year ago +1

      Glad you liked it :)

  • @DEDEPLDEDE 3 months ago

    4D 5A = executable file 😊

    • @jstrosch 2 months ago

      Well, sometimes anyway :)
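
The replies above touch on four facts about PE layout: e_lfanew at offset 0x3C is read and added to the file start to find the NT headers rather than assumed (F8 00 00 00 and 00 10 00 00 are both common values), the "functions" view is the import table mapped out of the file, `file` reporting "PE32..." is how to confirm you have a PE at all, and "MZ" alone only sometimes means a PE (a DOS-only program also starts with MZ). The parser below is an added example that demonstrates all four on a hand-assembled sample; it is not PEStudio's code, nor from the video or its author. The helper names (`parse_pe`, `build_sample_pe32`, `classify`, `DOS_ONLY_SAMPLE`) and the sample bytes are constructed for illustration.

```python
import struct

# Added example (not PEStudio's code). Machine names mirror the IMAGE_FILE_MACHINE_* constants.
IMAGE_FILE_MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> dict:
    """Walk a PE image from the DOS header to its import table.

    Raises ValueError for anything that is not a PE file, including a file
    that starts with 'MZ' but has no PE\\0\\0 signature at e_lfanew.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature at offset 0")
    # e_lfanew (offset 0x3C) varies per file, so it is read and added to the
    # file start instead of assuming a fixed header location.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ present but no PE\\0\\0 signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                              # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    is64 = magic == 0x20B
    dd = opt + (112 if is64 else 96)                 # data directory array
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]  # entry 1 = import table
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))

    def rva2off(rva):  # RVAs in the import table must be mapped back to file offsets
        for _, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode()

    imports = {}
    if import_rva:
        desc = rva2off(import_rva)
        while True:  # one IMAGE_IMPORT_DESCRIPTOR per DLL, terminated by an all-zero entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:
                break
            fmt, width = ("<Q", 8) if is64 else ("<I", 4)
            ordinal_flag = 1 << (width * 8 - 1)
            thunk = rva2off(oft or ft)               # INT if present, else the IAT itself
            funcs = []
            while True:
                entry = struct.unpack_from(fmt, data, thunk)[0]
                if entry == 0:
                    break
                funcs.append(f"ordinal {entry & 0xFFFF}" if entry & ordinal_flag
                             else cstr(rva2off(entry) + 2))  # skip the 2-byte hint
                thunk += width
            imports[cstr(rva2off(name_rva))] = funcs
            desc += 20
    return {"e_lfanew": e_lfanew, "format": "PE32+" if is64 else "PE32",
            "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "sections": [s[0] for s in sections], "imports": imports}


def build_sample_pe32() -> bytes:
    """Constructed, hand-assembled PE32 with one .idata section (not a loadable program)."""
    e_lfanew = 0x80                                  # deliberately not 0xF8
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, 0x1000, 0x28)  # import directory RVA / size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(0x200, b"\0")
    idata = bytearray(0x200)                         # RVA 0x1000 <-> file offset 0x200
    struct.pack_into("<IIIII", idata, 0x00, 0x1040, 0, 0, 0x1080, 0x1060)  # KERNEL32 descriptor
    for i, entry in enumerate((0x10A0, 0x10C0, 0x80000064)):  # two names, one ordinal import
        struct.pack_into("<I", idata, 0x40 + 4 * i, entry)  # original first thunk (INT)
        struct.pack_into("<I", idata, 0x60 + 4 * i, entry)  # first thunk (IAT)
    idata[0x80:0x8D] = b"KERNEL32.dll\0"
    idata[0xA2:0xB1] = b"GetProcAddress\0"           # hint at 0xA0, name at 0xA2
    idata[0xC2:0xCF] = b"LoadLibraryA\0"
    return bytes(headers + idata)


# Constructed: a DOS-only header, MZ at offset 0 but e_lfanew = 0 and no PE signature.
DOS_ONLY_SAMPLE = b"MZ" + bytes(0x3E)


def classify(data: bytes) -> str:
    """Rough analogue of the `file` check: 'PE32 ...' for real PEs, a reason otherwise."""
    try:
        info = parse_pe(data)
        return f"{info['format']} executable, {info['machine']}"
    except ValueError as exc:
        return f"not a PE file ({exc})"


if __name__ == "__main__":
    sample = build_sample_pe32()
    print(classify(sample), hex(parse_pe(sample)["e_lfanew"]), parse_pe(sample)["imports"])
    print(classify(DOS_ONLY_SAMPLE))
```

Running it lists the same DLL and function names PEStudio shows under imports/functions, and reports the DOS-only sample as not a PE even though it begins with 4D 5A. Point `parse_pe` at `open(path, "rb").read()` for a real binary; the RVA-to-offset step is where packed or truncated samples usually fail, which is worth knowing when PEStudio shows an empty imports view.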

  • @maritoguionyo 2 years ago

    Oi

  • @Yunsol0116 2 years ago

    thank you so much

    • @jstrosch 2 years ago

      You’re very welcome!