PE
Folders and files
Name | Name | Last commit date | ||
---|---|---|---|---|
parent directory.. | ||||
this is Corkami PE files corpus: a set of handmade files showing the various possibilities of the Portable Executable format, under Windows. All these files are clean and working. However, they are hand-made and push the PE file format to its limits, so they might be detected as malicious or as corrupted files. it's documented at http://pe.corkami.com Ange Albertini @angealbertini (@corkami for news only) BSD Licence, 2009-2013 Ranking (YMMV) *.. = common **. = non-standard *** = complex *.. compiled.exe complete PE example, as if compiled via MASM, including RichHeader, full headers + dos stub... *.. normal.exe a 'normal' PE - sections, code, imports. Header is not full *.. normal64.exe 64b version **. mini.exe a PE defined with as few elements as possible (alignments = 1/1) **. bigalign.exe big alignments (10000h/20000000h) **. bigib.exe IMAGEBASE equ 7efd0000h ; 7ffd0000h also works under XP **. bigsec.exe PE with virtually big section (0x10001000) **. bigSoRD.exe PE with oversized SizeOfRawData (0xFFFF0200) **. bottomsecttbl.exe section table at the bottom of the PE *.. lowsubsys.exe a PE with a subsystem version of 3.10 **. 65535sects.exe 65536 physical sections, all executed **. 96emptysections.exe PE with 96 sections (95 empty sections) **. 96workingsections.exe PE with 96 code sections, fully used *.. appendeddata.exe a PE with appended data **. appendedhdr.exe PE with NT headers in appended data (in extended header via SizeOfHeader) **. apphdrW7.exe PE with NT headers in appended data (W7) **. appendedsecttbl.exe section table outside the PE, in appended data (but in the header itself, for XP compatibility) **. appsectableW7.exe unlike XP, the header doesn't need to be extended until the bottom of the file !W8 **. footer.exe NT Headers at the bottom of the file *** ctxt.dll a DLL modifying the caller's context via lpvReserved ctxt-ld.exe loader EntryPoint **. nullEP.exe PE with null EntryPoint (MZ is executed as dec ebp, pop edx) *** virtEP.exe PE with EntryPoint in virtual space (there will be a virtual 00 before the first physical C0, so 00C0 will be executed as `add al, al`) DLL: (relocations, EntryPoint...) *.. dll.dll a simple DLL with relocations dll-ld.exe static loader dll-dynld.exe dynamic loader dll-dynunicld.exe dynamic unicode loader **. dll-webdavld.exe WEBDav loader **. dllemptyexp.dll DLL with empty export name dllemptyexp-ld.exe loader **. dllextep.dll DLL with no relocations for external EntryPoint execution dllextep-ld.exe loader *.. dllfw.dll forwarding DLL with minimal export table, and relocations dllfw-ld.exe loader **. dllfwloop.dll forwarding DLL with forwarding loop dllfwloop-ld.exe loader **. dllnegep.dll DLL with a negative entrypoint - that is *NOT* called dllnegep-ld.exe loader **. dllnoexp.dll DLL with no export tables, only DLL main dllnoexp-dynld.exe loader *** dllnomain.dll a DLL with no DLLMain (no IMAGE_FILE_DLL) dllnomain-ld.exe static loader *** dllnomain2.dll a DLL with no DLLMain (no IMAGE_FILE_DLL), and no imports (to be loaded dynamically) dllnomain2-dynld.exe dynamic loader **. dllnoreloc.dll DLL with no relocations (unneeded) dllnoreloc-ld.exe loader **. dllnullep.dll DLL with a null entrypoint - that is *NOT* called dllnullep-ld.exe static loader dllnullep-dynld.exe dynamic loader **. dllfakess.dll a DLL with a fake subsystem dllfakess-ld.exe static loader dllfakess-dynld.exe dynamic loader **. dllmaxvals.dll a DLL with maximum values dllmaxvals-ld.exe static loader dllmaxvals-dynld.exe dynamic loader **. dllcfgdup.dll a DLL using Guard ControlFlow, but with duplicate entry dllcfgdup-dynld.exe dynamic loader **. cfgbogus.exe a PE with a bogus ControlFlow Guard table (Subsystem version too old) Subsystems *.. gui.exe a simple GUI PE **. driver.sys a simple driver (section, relocation, imports, checksum) *** multiss.exe a multi-subsystem PE (that displays a message) no matter what its subsystem is set to. multiss_con.exe console !W8 multiss_gui.exe gui !W8 multiss_drv.sys driver *.. aslr.dll a DLL with DYNAMIC_BASE set and used aslr-ld.exe loader **. skippeddynbase.exe a PE with ignored DYNAMIC_BASE, because RELOCS_STRIPPED is set Section table (PE Geometry): **. duphead.exe a PE with a section mapping the header **. dupsec.exe a PE with several sections with the same physical space, and the header too *** foldedhdr.exe NT headers is partially overwritten by section space, as if the sections were folded back on the header. *** foldedhdrW7.exe Windows 7 version **. hiddenappdata1.exe a PE with appended data hidden by an extra almost virtual section **. hiddenappdata2.exe a PE with appended data hidden by an enlarged last section **. truncatedlast.exe last section truncated **. truncsectbl.exe section table is truncated by sizeofheaders **. shuffledsect.exe a PE with sections in wrong order in the section table **. slackspace.exe slack space between sections **. secinsec.exe a PE with a small section physically inside a bigger one **. virtgap.exe a PE with a huge virtual gap between physical section *** virtsectblXP.exe with 85 sections, with the section table outside the file **. maxsec_lowaligW7.exe Low Alignment PE for Vista-W7, with 6666 sections **. maxsecW7.exe PE with 8192 used code sections **. maxsecXP.exe Low Alignment PE for XP, with 96 sections **. no_dd.exe a PE without any data directory (loading imports manually) !W8 **. no_dd64.exe 64b version **. no0code.exe no null before code ends => headers are relocated far enough so that e_lfanew contains no 0 !W8 **. nosectionW7.exe Low Alignment PE for , with no section !W8 nosectionXP.exe XP version *** nothing.dll a DLL with code and no sections, no EntryPoint, no imports (crashing w/W8) nothing-ld.exe loader **. nullSOH-XP.exe null SizeOfOptionalHeader which means the Section table is overlapping the Optional header (XP only) *.. nullvirt.exe a PE with a virtually null section **. tinyXP.exe a tiny PE: sectionless, PE header overlapping dos headers, truncated optional header, 97 bytes XP only. **. tinydll.dll same thing, DLL version tinydll-ld.exe loader **. tinydllXP.dll same thing, XP version tinydllXP-ld.exe loader **. tinydrivXP.sys same thing, driver version **. tinygui.exe GUI version, using MessageBox and ExitProcess with contiguous code !W8 **. tiny.exe a universal tiny PE, working from XP to W8 64b **. tinyW7.exe a tiny PE, W7 32b compatible. just need a full optional header, so padding until 252 bytes is required. **. tinyW7_3264.exe a 32b tiny PE, W7 64b compatible (requires a bigger padding, 268 bytes) !W8 **. tinyW7x64.exe a 64b tiny PE, in 268 bytes !W8 *** weirdsord.exe a PE where 4K is read from the section for no apparent reason **. winver.exe a PE using Win32VersionValue to override OS version numbers *.. no_dep.exe a PE executing code on the stack successfully *.. dep.exe a PE executing code on the stack, and failing because of DEP *.. no_seh.exe a PE with DllCharacteristics set to NO_SEH, but using a Vectored Exception Handler *.. memshared.dll a DLL with a MEM_SHARED section memshared-ld.exe loader, waiting for X launches to terminate DataDirectory 0: Export **. ownexports.exe calling its own exports **. ownexportsdot.exe calling its own exports, but with a trailing characters in the import name (may generate crashes) **. ownexports2.exe calling its own virtual and header exports **. exportobf.exe PE with fake exports to disrupt disassembly **. exports_doc.exe PE with exports as internal documentation **. exports_order.exe a PE with exports not alphabetically sorted *** exportsdata.exe PE with its own exports, used to store data, restored on imports resolving **. dllord.dll DLL with exports by ordinal and heavily export corrupted structure dllord-ld.exe loader **. dllweirdexp.dll DLL with weird export (very long, fake, obfuscation (anti-Hiew)) dllweirdexp-ld.exe loader DataDirectory 1: Import *.. imports.exe standard imports *.. impbyord.exe PE importing by ordinal (his own exports) *.. imports_apimsW7.exe imports with Windows 7 redirection via apisetschema.dll *.. imports_mixed.exe mixed case imports *.. imports_noext.exe imports with dll without file extensions (>2K) *.. imports_multidesc.exe a PE with multiple import descriptors for the same DLL *.. imports_noint.exe imports with no INT **. imports_badterm.exe PE with a 'bad' imports terminator, just the dll name is empty **. imports_bogusIAT.exe bogus IAT content but INT is correct **. imports_corruptedIAT.exe IAT with corrupted pointers but INT is correct **. imports_nnIAT.exe IAT is not null-terminated but INT is correct **. importsdotXP.exe a PE using trailing characters in its imports (XP/W8 only) **. imports_nothunk.exe imports with a bogus DLL with missing thunks in the tables *** imports_relocW7.exe PE with a kernel range IMAGEBASE, and relocations to fix (manually pre-corrupted) imports *** hard_imports.exe a PE that calls imports by comparing kernel32 timestamp with known list dump_imports.exe tool to extract data for hard_imports **. imports_iatindesc.exe imports with IAT inside descriptors (smallest 'standard' imports structure) **. imports_tinyW7.exe imports with all tricks to make it as small as possible !W8 **. imports_tinyXP.exe XP version **. imports_virtdesc.exe PE with 1st import descriptor starting in virtual space **. imports_vterm.exe import terminator in virtual space **. importshint.exe exports with the same name - and the right one is called via hints DataDirectory 2: Resource *.. resource.exe resources loaded by IDs as integers *.. resource2.exe resource loaded by its IDs as strings *.. namedresource.exe resource, loaded by name **. reshdr.exe resource in the header, and shuffled resource structure **. resourceloop.exe recursive resource directory Resource type: RT_STRING *.. resource_string.exe string resource Resource type: RT_ICON and RT_GROUP_ICON *.. resource_icon.exe icon resource and group Resource type: RT_VERSION *.. version_std.exe 'standard' version information (with duplicate entries) **. version_cust.exe a PE with version customized minimal info - only to make the version tab appear **. version_mini.exe a PE with version minimal info Resource type: RT_MANIFEST *.. manifest.exe a PE with a minimal MANIFEST resource (CreateActCtx successfull) **. manifest_broken.exe a PE with a checked broken MANIFEST resource (ignored) **. manifest_bsod.exe a PE with a checked MANIFEST resource, that triggers a crash on execution (kb 921337) DataDirectory 3: Exception *.. exceptions.exe a 64b PE using SEH via its exceptions DD **. seh_change64.exe a 64b PE updating its exceptions DD on the fly DataDirectory 5: Relocations **. fakerelocs.exe a PE with unused corrupted relocations *** virtrelocXP.exe fake virtual relocations **. ibnullXP.exe null IMAGEBASE (XP only) + relocations **. ibkernel.exe kernel range IMAGEBASE + relocations **. ibknoreloc64.exe a PE32+ with kernel imagebase and RIP-relative code (no relocations) *** ibkmanual.exe kernel range IMAGEBASE, but no relocations, only manually-fixed in advance offsets **. reloc4.exe a PE using relocation type 4 (parameter ignored from W2k to W7, used in W8) **. reloc9.exe a PE using relocation type 9 (different results under XP and W7, unsupported under W8) *** reloccrypt.exe a PE storing its code via relocations patch, with extra fake or rarely used relocations *** reloccryptXP.exe XP version *** reloccryptW8.exe W8 version *** ibreloc.exe relocation is applied to ImageBase in memory, which corrects the wrong entrypoint *** ibrelocW7.exe >XP version !W8 *** lfanew_relocW7.exe relocation is applied to e_lfanew in memory => another PE header is then pointed to, which contains the actual imports in the 2nd part of DataDirectories !W8 *** lfanew_relocXP.exe XP version **. relocsstripped.exe a PE using relocations even if RELOCS_STRIPPED is set **. relocsstripped64.exe PE32+ version *** relocOSdet.exe combining relocations type 9 and 4 to detect OSes DataDirectory 6: Debug *.. debug.exe a PE with a Debug Directory (and missing symbols) DataDirectory 7: Architecture/Copyright *.. copyright.exe a PE with an Architecture DataDirectory entry used for Copyright/Description DataDirectory 9: Thread local storage *.. tls.exe standard Thread Local Storage callbacks *.. tls64.exe standard Thread Local Storage callbacks in 64 bits **. tls_noEP.exe TLS PE with ExitProcess call, and no entrypoint at all **. tls_exiting.exe TLS PE with ExitProcess call, and ignored EntryPoint code, even though the TLS is called again after... **. tls_import.exe TLS using an import IAT entry as callbacks => API called with IMAGEBASE as param => WinExec can thus execute MZ.exe mz.exe executed by tls_import **. tls_k32.exe TLS but only imports to k32 (TLS ignored) **. tls_obfuscation.exe file with extra fake TLS to disturb disassembly (first callbacks triggers an exception) **. tls_onthefly.exe PE with TLS updating on-the-fly the callback list **. tls_reloc.exe Kernel ImageBase + TLS that needs relocation **. tls_virtEP.exe random EntryPoint, and the TLS just allocates virtual space before it's called **. tls_aoi.exe TLS AddressOfIndex is used to patch a dword to 0 *** tls_aoiOSDET.exe AddressOfIndex is used to patch turn an import descriptor to a terminator => the OS' different behaviors will alterate imports loading *** manyimportsW7.exe file with too many fake imports, which are 'ignored' on loading by TLS AddressOfIndex DataDirectory A: Load config *.. safeseh.exe a PE making use of SafeSEH (succeeding or not) **. safeseh_fly.exe a PE modifying its HandlerTable on the fly before triggering an exception *.. ldrsnaps.exe a PE enabling LoaderSnaps via its LoadConfig DataDirectory *.. ldrsnaps64.exe 64b version *.. ss63.exe a PE with a Subsystem 6.3 (which enforces a LoadConfig directory and a valid cookie) *.. ss63nocookie.exe the same but with no cookie and GuardFlags set to IMAGE_GUARD_SECURITY_COOKIE_UNUSED DataDirectory B: Bound imports *.. dllbound-ld.exe dll loader with bound imports **. dllbound-redirld.exe dll loader with corrupted bound imports to call unexpected API **. dllbound-redirldXP.exe dll loader with corrupted bound imports to call an unexpected API from another DLL dllbound.dll DLL with 2 exports (one normal one 'fake') to test imports binding dllbound2.dll extra DLL to test corruption at dll level (different name, different timestamp) DataDirectory D: Delay imports *.. delayimports.exe PE with delay imports **. delaycorrupt.exe PE with corrupted delay imports, all set to zero **. delayfake.exe fake delay imports data obfuscation DataDirectory E: COM Descriptor *.. dotnet20.exe a 'compiled', dissected and manually rebuild, .Net 2.0 PE **. tinynet.exe a tiny .Net PE - with only NumberOfRvaAndSizes=2, 4 streams... **. fakenet.exe a PE with fake .NET EntryPoint, imports but no COM directory **. mscoree.exe a non-managed PE with MSCOREE imports DataFile DLLs (loaded via LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE parameter, not resolving imports or executing DLLMain) *** d_tiny.dll a minimal DataFile DLL :only contains MZ, PE and 1 byte of e_lfanew d_tiny-ld.exe loader *** d_nonnull.dll a DataFile DLL containing no null byte d_nonnull-ld.exe loader *** d_resource.dll a DataFile DLL with working resources (most values set to FF while resources are usable) d_resource-ld.exe loader Special **. maxvals.exe a PE with a maximal values in the headers **. standard.exe a PE with a bit of everything, useful as a all-in-one tutorial PE 'crackme'. **. dosZMXP.exe a non-PE EXE with ZM signature *** exe2pe.exe a non-PE EXE whose DOS stubs patches itself back to PE and relaunch as PE *** hdrcode.exe a PE which header is completely executed (to calculate a fibonacci number via FPU) - NO jump over header data !W8 *** quine.exe a working PE file, made entirely in assembly, with no need of a compiler, with its own source embedded, which it displays on execution, via 'typing' its own binary. **. fakeregs.exe corrupting registers as much as possible, during TLS and EP **. fakeregslib.dll loaded DLL corrupting registers as much as possible, during TLS and DllMain **. pdf.exe a tiny PE with a PDF, copying itself and launching itself under acrobat **. pdf_zip_pe.exe see CorkaMiX *.. hdrdata.exe a PE with data between header and first section **. sc.exe simple shellcode target in progress: debug.exe debug data directory no_dd64 self-loading imports in 64 bits