Investigating Sections in PE Files and Why They Are Important for Reverse Engineering
Author: Dr Josh Stroschein - The Cyber Yeti
Uploaded: 2024-06-28
Views: 2176
There are several topics that must be covered to gain a practical yet comprehensive understanding of the portable executable file format. In this video, we'll cover one of the more important ones: sections. We'll discuss what they are, how they differ on-disk and in-memory, and how they are aligned. We'll use structures defined by Microsoft, such as the IMAGE_SECTION_HEADER, to further our understanding.
0:33 Getting a sample PE file
1:20 Our focus for this video and why
2:09 Analyzing the PE structure in 010 editor
3:01 Structure definition on MSDN and finding winnt.h
4:15 Array of IMAGE_SECTION_HEADERs
6:04 Virtual size
6:20 Virtual versus raw values
6:53 Virtual address
7:06 PointerToRaw and RawSize
7:17 Size differences in the sections
7:41 Characteristics of a section
8:05 Viewing the next section header
9:06 Viewing section raw data
9:49 What is alignment
12:00 Calculating next section bytes in memory
12:50 File alignment
14:45 Viewing sections with System Informer