Malware Reverse Engineering: part 2 Memory Concepts and The PE structure

In this blog the aim is to give an over view of how a process access the memory and how is the computer memory organized

In the early days of computers, memories were small & expensive. In those days the programmer spent a lot of time trying to squeeze programs into the tiny memory. Often it was necessary to use an algorithm that ran a great deal slower than another, better algorithm simply because the better algorithm was too big- i.e. a program using the better algorithm could not be squeezed into the computer’s memory.

Basic information

The traditional solution to this problem was the use of secondary memory, such as disk. The programmer divided the program up into a number of pieces, called overlays, each of which could fit in the memory. In 1961 a group of researchers at Manchester, England, proposed a method for performing the overlay process atomically, without the programmer even knowing that it was happening. This method now called virtual memory.


Virtual Memory (VM) is Not a physical device but an abstract concept Comprised of the virtual address spaces (of all processes) Virtual Address Space (VAS) (of one process) Set of visible virtual addresses
(some systems may use a single vas for all processes)
  • Resident set - Pieces of a process currently in physical memory
  • Working set - Set of pieces a process is currently working on
On a machine with VM, the following steps would occur :
  1. The contents of main memory would be saved on disk.
  2. Words 8192 to 12287 would be located on disk.
  3. Words 8192 to 12287 would be loaded into main memory.
  4. The address map would be changed to map addresses 8192 to 12287 onto memory locations 0 to 4095.
  5. Execution would continue as though nothing unusual had happened.

Principles of virtual memory

System creates illusion of large contiguous memory space(s) for each process Relevant portions of VM are loaded automatically and transparently Address map translates virtual addresses to physical addresses

Single-segment VM: 
  • One area of 0..n-1 words
  • Divided into fix-size pages
Multiple-segment VM:
  • Multiple areas of up to 0..n-1 (words)
  • Each holds a logical segment (function, data structure)
  • Each is contiguous or divided into pages
Main issues in VM design

Address mapping
  • How to translate virtual addresses to physical Placement
  • Where to place a portion of VM needed by process Replacement
  • Which portion of VM to remove when space is needed Load control
  • How much of VM to load at any one time Sharing
  • How can processes share portions of their VMs.

The (Portable Executable ) PE 

The Portable Executable (PE) format is a file format for executables, object code and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to the format's versatility in numerous environments of operating system software architecture. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. [Wikipedia]

Understanding The PE structure is important during Malware reverese engineering , or any reverse engineering in general , it tells us alot of importand information about an executable as we will see .

The detailed PE structure explanation can be found at
2- (v.v.v Important )

Activity : how to explore PE structure of an EXE  using olle debugger

1- Open The PE in Olle  and  Click Explore Memory (M )

2-Double Click the PE Header of your Loaded EXE

We Will talk in details about these tools and how to get them for free with we talk about the tools Used by The Malware Reverse Engineers .