Portable Executable
==Technical details==

===Layout===
[[File:Portable Executable 32 bit Structure in SVG fixed.svg|thumb|Structure of a Portable Executable 32 bit]]
A PE file consists of several headers and sections that instruct the [[dynamic linker]] on how to map the file into memory. An executable image consists of several different regions, each requiring different memory protection attributes. To ensure proper alignment, the start of each section must align to a page boundary.<ref>{{cite web |url=http://www.csn.ul.ie/%7Ecaolan/pub/winresdump/winresdump/doc/pefile2.html |title=The Portable Executable File From Top to Bottom |access-date=2017-10-21}}</ref> For instance, the ''.text'' section, which contains program code, is typically mapped as execute/read-only. Conversely, the ''.data'' section, which holds global variables, is mapped as no-execute/read-write. However, to conserve space, sections are not aligned on disk in this manner. The dynamic linker maps each section to memory individually and assigns the correct permissions based on the information in the headers.<ref name="Peering Inside">{{cite web |url=https://msdn.microsoft.com/en-us/library/ms809762.aspx |title=Peering Inside the PE: A Tour of the Win32 Portable Executable File |date=30 June 2010 |access-date=2017-10-21}}</ref>

===Import table===
The ''import address table'' (IAT) is used as a lookup table when the application calls a function in a different module. The [[Dynamic-link library|imports]] can be specified by ordinal or by name. Because a compiled program cannot know the memory locations of its dependent libraries beforehand, an indirect jump is necessary for API calls. As the dynamic linker loads modules and resolves dependencies, it populates the IAT slots with the actual addresses of the corresponding library functions.
Although this adds an extra jump, incurring a performance penalty compared to intramodular calls, it minimizes the number of memory pages that require [[copy-on-write]] changes, thus conserving memory and disk I/O. If a call is known to be intermodular beforehand (as indicated by a [[Dynamic-link library|dllimport]] attribute), the compiler can generate optimized code with a simple indirect call [[opcode]].<ref name="Peering Inside" />

=== Address Space Layout Randomization (ASLR) ===
PE files are not [[position-independent code|position-independent]] by default; they are compiled to run at a specific, fixed memory address. Modern operating systems use Address Space Layout Randomization ([[Address space layout randomization|ASLR]]) to make it harder for attackers to exploit memory-related vulnerabilities. ASLR works by randomly changing the memory address of important parts of the program every time it is loaded. This includes the base address of the program itself, shared libraries (DLLs), and memory areas like the heap and stack. ASLR rearranges the address space positions of key data areas of a process, including the base of the [[executable]] and the positions of the [[Stack-based memory allocation|stack]], [[Dynamic memory allocation|heap]] and [[Library (computer science)|libraries]]. By randomizing these memory addresses each time an application is loaded, ASLR prevents attackers from being able to reliably predict memory locations.
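
The following is an added example, not part of the article or of any tool it cites: a header-only audit that reads each section's memory permissions and on-disk versus in-memory placement (see Layout) and the image's ASLR opt-in bit. The names <code>audit_pe</code>, <code>build_sample</code> and <code>SAMPLE</code> are hypothetical, the sample image is constructed inline, and the field offsets and flag values are taken from the PE/COFF specification rather than from this page.

```python
import struct

# Constants from the PE/COFF specification
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)

def audit_pe(data):
    """Return (aslr_opt_in, {section: (perms, virtual_addr, file_offset)}, W+X section names)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+
    dll_chars, = struct.unpack_from("<H", data, opt_off + 70)
    sections, wx = {}, []
    for i in range(n_sections):
        start = opt_off + opt_size + 40 * i                   # 40-byte section headers
        hdr = data[start:start + 40]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        va, raw = struct.unpack_from("<I4xI", hdr, 12)        # VirtualAddress, PointerToRawData
        flags, = struct.unpack_from("<I", hdr, 36)            # Characteristics
        perms = "".join(c if flags & bit else "-"
                        for c, bit in (("r", MEM_READ), ("w", MEM_WRITE), ("x", MEM_EXECUTE)))
        sections[name] = (perms, va, raw)
        if flags & MEM_WRITE and flags & MEM_EXECUTE:
            wx.append(name)                                   # writable and executable at once
    return bool(dll_chars & DYNAMIC_BASE), sections, wx

def build_sample(dll_chars, sections):
    """Constructed header-only PE32 image for this demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, va, 0x200, raw, 0, 0, 0, 0, fl)
                     for n, va, raw, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

SAMPLE = build_sample(0x0040, [(b".text", 0x1000, 0x200, 0x60000020),   # constructed values
                               (b".data", 0x2000, 0x400, 0xC0000040),
                               (b".stub", 0x3000, 0x600, 0xE0000020)])

if __name__ == "__main__":
    print(audit_pe(SAMPLE))
```

In the constructed sample the virtual addresses advance in page-sized steps (0x1000) while the file offsets advance in 0x200 steps, which is the disk versus memory alignment difference described under Layout.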