1

Generally, what is the criterion by which to decide whether a PE section contains code or not?

Specifically, is a .text or .code section always considered to contain code? And what is the relationship between the IMAGE_SCN_CNT_CODE flag (0x00000020) and IMAGE_SCN_MEM_EXECUTE flag (0x20000000) - can we consider a section with at least one of those two as definitely containing code?

Is there a hard static rule to recognize code sections?

Improve this question

1 Answer 1

Reset to default
5

Specifically, is a .text or .code section always considered to contain code?

No.

And what is the relationship between the IMAGE_SCN_CNT_CODE flag (0x00000020) and IMAGE_SCN_MEM_EXECUTE flag (0x20000000)

The former is ignored by the Windows PE loader. The latter is used by the Windows PE loader such that if the flag is set then the pages for that section are marked as executable in memory (via https://en.wikipedia.org/wiki/NX_bit).

can we consider a section with at least one of those two as definitely containing code?

Not always, no.

Generally, what is the criterion by which to decide whether a PE section contains code or not?

While the .text/.code sections will usually contain code, and a section with the IMAGE_SCN_MEM_EXECUTE flag will usually contain code, the only real way to say that a section definitely contains code is if the CPU actually executes code in that section at runtime.

Improve this answer
9
  • I just turned the IMAGE_SCN_MEM_EXECUTE flag off on the only PE section which had it and the sample executable still runs with no problems. What am I missing here? Commented Nov 12, 2015 at 14:06
  • Is DEP enabled for your sample executable? Commented Nov 12, 2015 at 14:11
  • DEP is enabled on Windows programs only and this one does not belong to that group. Does this mean that Windows does not care whether code will get executed from non-executable sections if DEP is off for the given PE file? And if DEP was on? Commented Nov 12, 2015 at 16:05
  • With DEP disabled for your application (as is currently the case), it means that the process will be able to execute code in pages that don't have the executable-flag set (as you said, "the sample executable still runs with no problems"). With DEP enabled for your application, it means that the process will crash when trying to execute code in pages that don't have the executable-flag set. Commented Nov 12, 2015 at 16:08
  • I understand that DEP will prevent the execution, but it is really counterintuitive that Windows PE loader does not care whether the address pointed to by the entry point resides in an executable section or not. It feels like the creators of PE and the loader did their best to enable malware to hide. Commented Nov 12, 2015 at 16:23

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.