Overlay
Karsten Hahn edited this page Feb 11, 2023
PortEx provides accurate recognition and offset calculation of the overlay. The overlay is all data appended to a PE file that lies outside the raw data of every section, so it is not mapped into memory when the PE is loaded. There is no header field that points at it: the offset has to be derived from the section headers (the end of the last section's raw data in the file), which is why packers and installers like to store their payload there. Malformations, like unaligned or oversized values in the section headers, are taken into account while calculating the overlay's offset.
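To make the rule above concrete, here is a stand-alone Python illustration of the overlay offset calculation. It is an added example, not PortEx's own code, and the handling of malformed headers (start rounded down and size rounded up to FileAlignment, clamped to the file size, sections without bytes in the file ignored) is a loader-like heuristic chosen for this example; PortEx's exact rules may differ. The PE images produced by `build_sample_pe()` are constructed, synthetic and not runnable executables.

```python
"""Overlay offset calculation for a PE file, written as a stand-alone Python
illustration. Added example; this is not PortEx's code, and PortEx's exact
rules may differ (assumption). Images built by build_sample_pe() are
constructed, synthetic and not executable."""
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def _round_down(value, alignment):
    return value - value % alignment


def _round_up(value, alignment):
    return -(-value // alignment) * alignment


def parse_pe(data):
    """Return (FileAlignment, SizeOfHeaders, [(name, PointerToRawData, SizeOfRawData)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    file_alignment = struct.unpack_from("<I", data, opt + 36)[0]   # same offset in PE32/PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    table = opt + opt_size                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        name, _vsize, _va, size_raw, ptr_raw = fields[:5]
        sections.append((name.rstrip(b"\0"), ptr_raw, size_raw))
    return file_alignment, size_of_headers, sections


def overlay_offset(data):
    """Offset of the first byte covered by neither the headers nor any section's raw data."""
    file_alignment, size_of_headers, sections = parse_pe(data)
    # FileAlignment must be a power of two; treat anything else as the default 0x200
    if file_alignment == 0 or file_alignment & (file_alignment - 1):
        file_alignment = 0x200
    end = min(size_of_headers, len(data))    # with no sections, the overlay follows the headers
    for _name, ptr_raw, size_raw in sections:
        if size_raw == 0 or ptr_raw >= len(data):
            continue                         # section has no bytes in the file, ignore it
        # Unaligned values: round the start down and the size up to FileAlignment
        start = _round_down(ptr_raw, file_alignment)
        raw_end = start + _round_up(size_raw, file_alignment)
        # Oversized values: a section cannot extend past the end of the file
        end = max(end, min(raw_end, len(data)))
    return end


def overlay(data):
    """Return (offset, size) of the overlay; size 0 means there is none."""
    offset = overlay_offset(data)
    return offset, len(data) - offset


def build_sample_pe(sections, body_len, overlay_bytes, file_alignment=0x200):
    """Constructed PE32 image: 0x200 bytes of headers, body_len bytes of section data,
    then overlay_bytes. 'sections' is [(name, PointerToRawData, SizeOfRawData)] and is
    written verbatim, so malformed headers can be produced on purpose."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                              # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)                      # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                               # SizeOfHeaders
    image = dos + b"PE\0\0" + coff + bytes(opt)
    for i, (name, ptr_raw, size_raw) in enumerate(sections):
        image += SECTION_HEADER.pack(name, size_raw, 0x1000 * (i + 1), size_raw,
                                     ptr_raw, 0, 0, 0, 0, 0x60000020)
    return image.ljust(0x200, b"\0") + b"A" * body_len + overlay_bytes


if __name__ == "__main__":
    tail = b"OVERLAY!" * 8                   # 64 appended bytes
    cases = {
        "well-formed, headers out of file order":
            build_sample_pe([(b".data", 0x400, 0x200), (b".text", 0x200, 0x200)], 0x400, tail),
        "oversized SizeOfRawData swallows the appended bytes":
            build_sample_pe([(b".text", 0x200, 0x10000)], 0x400, tail),
        "unaligned PointerToRawData and SizeOfRawData":
            build_sample_pe([(b".text", 0x210, 0x1F0)], 0x400, tail),
        "no sections at all":
            build_sample_pe([], 0, tail),
    }
    for label, image in cases.items():
        off, size = overlay(image)
        print(f"{label}: file size 0x{len(image):x}, overlay at 0x{off:x}, size 0x{size:x}")
```

The oversized case is the one worth remembering: a section header that claims more raw bytes than the file holds makes the appended data look like section content, so an overlay check that only computes PointerToRawData + SizeOfRawData of the last section and compares it to the file size would either miss the overlay or report a negative size.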
Check whether a file has an overlay at all (the `Overlay` constructor reads the file, so it throws `IOException`):

```java
import java.io.File;
import java.io.IOException;
import com.github.katjahahn.tools.Overlay;

File file = new File("myfile");
Overlay overlay = new Overlay(file);
if (overlay.exists()) {
    System.out.println("overlay detected");
}
```

Get the file offset where the overlay starts and its size in bytes; the size is `0` when there is no overlay, so check `exists()` (or the size) before dumping:

```java
File file = new File("myfile");
Overlay overlay = new Overlay(file);
long offset = overlay.getOffset();   // absolute file offset of the first overlay byte
long size = overlay.getSize();       // number of bytes from that offset to end of file
```
There are two ways to dump the overlay bytes via PortEx. You can get the bytes as array:
```java
Overlay overlay = new Overlay(file);
byte[] dump = overlay.getDump();     // whole overlay in memory; mind the size for large files
```
Or dump it directly to a specified output file:
```java
Overlay overlay = new Overlay(file);
File outFile = new File("dump.out");
overlay.dumpTo(outFile);
```
PortEx ships a set of signatures for data commonly found in the overlay. To match them, load the overlay signatures into a `SignatureScanner` and scan the file starting at the overlay offset; each match is returned as a descriptive string:

```java
import java.io.File;
import java.util.List;
import com.github.katjahahn.tools.Overlay;
import com.github.katjahahn.tools.sigscanner.Signature;
import com.github.katjahahn.tools.sigscanner.SignatureScanner;

File file = new File("myfile");
long overlayOffset = new Overlay(file).getOffset();
List<Signature> overlaySigs = SignatureScanner.loadOverlaySigs();
List<String> sigresults = new SignatureScanner(overlaySigs).scanAtToString(file, overlayOffset);
sigresults.forEach(System.out::println);
```