- Make sure that you have dumped binary from memory
- (optionally) Fix PE headers if necessary
With PE-bear
- Open PE-bear > Sections > Section Headers
- Make sure that VA and VS (virtual address and virtual size) match RA and RS (raw address and raw size) for every section i, so:
  - RA[i] = VA[i]
  - RS[i] = RA[i+1] - RA[i]
  - RS.reloc = 0
  - VS[i] = RS[i]
- If you see red blocks, the PE is probably misaligned; check: Fix misaligned sections
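The four header rules above applied with Python's struct module, as an added example that is not part of the original post. The function names, the constructed sample image and the use of the dump's end as the boundary for the last section are assumptions; the rules are applied in the order listed, so .reloc also ends with VS = 0.

```python
import struct

HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def section_table(data):
    """Return (file offset of the first section header, section count)."""
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt, = struct.unpack_from("<H", data, pe + 20)        # SizeOfOptionalHeader
    return pe + 24 + opt, count

def unmap_section_headers(data):
    """Apply the four rules to a memory dump; return (patched, rows)."""
    out = bytearray(data)
    table, count = section_table(out)
    offs = [table + i * HDR for i in range(count)]
    vas = [struct.unpack_from("<I", out, o + 12)[0] for o in offs]
    rows = []
    for i, o in enumerate(offs):
        name = bytes(out[o:o + 8]).rstrip(b"\0").decode("ascii", "replace")
        ra = vas[i]                                       # RA[i] = VA[i]
        # RS[i] = RA[i+1] - RA[i]; the last section has no successor, so the
        # end of the dump is used (assumption, the page gives no rule for it).
        end = vas[i + 1] if i + 1 < count else len(out)
        rs = 0 if name == ".reloc" else max(end - ra, 0)  # RS.reloc = 0
        vs = rs                                           # VS[i] = RS[i]
        struct.pack_into("<IIII", out, o + 8, vs, ra, rs, ra)  # VS, VA, RS, RA
        rows.append((name, ra, rs, vs))
    return out, rows

def build_sample():
    """Constructed 0x4000-byte dump that still carries on-disk raw values."""
    img = bytearray(0x4000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 3)                  # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)               # SizeOfOptionalHeader
    secs = [(b".text", 0xF00, 0x1000, 0x1000, 0x400),     # name, VS, VA, RS, RA
            (b".data", 0x123, 0x2000, 0x200, 0x1400),
            (b".reloc", 0x50, 0x3000, 0x200, 0x1600)]
    for i, sec in enumerate(secs):
        struct.pack_into("<8sIIII", img, 0x178 + HDR * i, *sec)
    return img

if __name__ == "__main__":
    for name, ra, rs, vs in unmap_section_headers(build_sample())[1]:
        print(f"{name:<8} RA={ra:#x} RS={rs:#x} VS={vs:#x}")
```

Only the section headers are rewritten; the dump's contents and length stay unchanged, so the result can be reviewed in PE-bear afterwards.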
Fix misaligned sections
- Open binary in hex editor
- Go to the 1st section (on example above to
- Section should start in this place, nulls should be before.
- Append nulls starting from the last null seen before the 1st section (0xfdf) to the section start address (inconclusive) (
- Review in PE-bear:
  - Section Headers should no longer be marked in red.
  - Image Base is the same as the dumped section address (if not, set it to the dumped section address).