Investigating Sections in PE Files and Why They Are Important for Reverse Engineering
There are several topics that must be covered to gain a practical yet comprehensive understanding of the portable executable (PE) file format. In this video, we'll cover one of the more important ones: sections. We'll discuss what they are, how they differ on disk and in memory, and how they are aligned. We'll use structures defined by Microsoft, such as IMAGE_SECTION_HEADER, to further our understanding.

GitHub: https://github.com/jstrosch

Chapters:
0:33 Getting a sample PE file
1:20 Our focus for this video and why
2:09 Analyzing the PE structure in 010 editor
3:01 Structure definition on MSDN and finding winnt.h
4:15 Array of IMAGE_SECTION_HEADERs
6:04 Virtual size
6:20 Virtual versus raw values
6:53 Virtual address
7:06 PointerToRaw and RawSize
7:17 Size differences in the sections
7:41 Characteristics of a section
8:05 Viewing the next section header
9:06 Viewing section raw data
9:49 What is alignment
12:00 Calculating next section bytes in memory
12:50 File alignment
14:45 Viewing sections with System Informer


