Hi. Today we will be discussing some techniques to shrink the footprint you create when writing programs. Plus, we’ll be nuking the header.
Okay, maybe we won't completely remove it, but we will strip as much information out of the header as possible. Sounds fun, right?
Before You Read
It is recommended to read these related posts before reading this one, so that you don’t get lost during the discussion of the concepts:
Not written by me, but this post by Pavel Yosifovich is a great example of features that will be deployed in this post.
What
Hopefully, you already know what a PE header is. If you don’t, read this post. Read it? Good. Now we can start.
The PE header holds a lot of information. Reverse engineers, malware analysts, threat intelligence analysts, etc. use it to get a first glimpse of what a program might do. This was heavily implied in the Triage post. But what if the PE header didn't provide any useful information? That would stink. (Un)fortunately, you can strip a lot of information out of the PE header. This information includes:
Imports (IAT)
Exports (EAT)
Debugging information
Exception handling information
Compile timestamps
… And more
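Before stripping anything, it helps to see exactly which header fields a triage tool reads. The script below is an added example, not code from the original post or from Pavel Yosifovich's post: it parses the COFF header and the optional header's data directories with nothing but the standard library, reports the TimeDateStamp plus the export, import, exception, debug and IAT directory entries from the list above, and then zeroes the timestamp and a chosen set of directory entries in a copy. The sample image is a constructed PE32+ header (no sections), so it runs offline; the function names and the hypothetical directory values are my own.

```python
"""Report and zero the PE header fields this post lists as strippable.

Added example, not code from the original post. Uses only the standard
library and a constructed PE32+ header (no real binary is needed).
"""
import struct

# Data-directory indices from the PE/COFF spec (IMAGE_DIRECTORY_ENTRY_*).
DIRECTORIES = {
    "export": 0,       # IMAGE_DIRECTORY_ENTRY_EXPORT    (EAT)
    "import": 1,       # IMAGE_DIRECTORY_ENTRY_IMPORT
    "exception": 3,    # IMAGE_DIRECTORY_ENTRY_EXCEPTION (.pdata on x64)
    "debug": 6,        # IMAGE_DIRECTORY_ENTRY_DEBUG     (PDB path lives here)
    "iat": 12,         # IMAGE_DIRECTORY_ENTRY_IAT
}


def _header_offsets(data):
    """Return (coff_offset, timestamp_offset, dir_table_offset, num_dirs)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                       # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                    # PE32+ (64-bit)
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                  # PE32 (32-bit)
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    return coff, coff + 4, dirs_off, ndirs


def pe_metadata(data: bytes) -> dict:
    """What a triage tool reads: TimeDateStamp plus (RVA, size) of each directory."""
    _, ts_off, dirs_off, ndirs = _header_offsets(data)
    info = {"timestamp": struct.unpack_from("<I", data, ts_off)[0]}
    for name, idx in DIRECTORIES.items():
        if idx < ndirs:
            info[name] = struct.unpack_from("<II", data, dirs_off + 8 * idx)
        else:
            info[name] = (0, 0)           # directory not present in this header
    return info


def strip_header(data: bytes, directories=("debug", "exception", "export")) -> bytes:
    """Zero TimeDateStamp and the chosen data-directory entries in a copy.

    Zeroing an entry hides it from header parsers; the bytes it pointed at stay
    in the file unless you also remove them. Do NOT zero 'import' or 'iat'
    unless the program resolves its own imports: the loader relies on them.
    """
    out = bytearray(data)
    _, ts_off, dirs_off, ndirs = _header_offsets(out)
    struct.pack_into("<I", out, ts_off, 0)
    for name in directories:
        idx = DIRECTORIES[name]
        if idx < ndirs:
            struct.pack_into("<II", out, dirs_off + 8 * idx, 0, 0)
    return bytes(out)


def build_sample_pe(timestamp: int, dirs: dict) -> bytes:
    """Constructed PE32+ header only (no sections); enough for the parsers above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> right after DOS header
    # Machine=AMD64, 0 sections, timestamp, no symbols, 240-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 112 + 8 * idx, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: a 2021 timestamp and hypothetical import/exception/debug/IAT entries.
SAMPLE = build_sample_pe(0x60A00000, {1: (0x3000, 0x28), 3: (0x5000, 0x60),
                                      6: (0x3200, 0x1C), 12: (0x3400, 0x40)})

if __name__ == "__main__":
    before, after = pe_metadata(SAMPLE), pe_metadata(strip_header(SAMPLE))
    for key in before:
        print(f"{key:10} {before[key]!s:>22} -> {after[key]}")
```

Run it as-is and the debug and exception entries, along with the timestamp, come back as zeros while the import and IAT entries survive, which is the point: the header stops advertising the data, but anything the loader itself depends on has to stay (or be replaced by the program doing the loader's job).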
Subscribe to Shellfish Systems and Security to keep reading this post and get 7 days of free access to the full post archives.