Karsten Hahn edited this page Feb 11, 2023 · 5 revisions

PortEx provides accurate recognition and offset calculation of the overlay. The overlay is all data appended to a PE file that does not belong to any section and is therefore not mapped into memory when the PE is loaded. Malformations, such as unaligned or oversized values in the section headers, are taken into account when calculating the overlay's offset.
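To make concrete what "overlay offset" means in the paragraph above, here is a small Python reimplementation of the calculation. This is an added example, not PortEx code, and it does not claim to reproduce PortEx's exact handling of malformed headers. The `build_pe` helper is a constructed test fixture that emits a minimal PE32 image (the header values and the bytes actually present may disagree on purpose), and `find_overlay` computes the overlay as everything past the highest section raw-data end, clamping oversized SizeOfRawData values to the file size and ignoring sections whose PointerToRawData lies beyond it.

```python
import struct


def build_pe(sections, overlay=b""):
    """Constructed test input: a minimal PE32 image, not a real executable.

    sections is a list of (PointerToRawData, SizeOfRawData, raw_bytes). The
    header fields are written as given; the file only grows as far as raw_bytes
    are really present, so oversized sizes and out-of-file pointers can be mimicked.
    """
    e_lfanew = 0x40
    opt_size = 0xE0  # PE32 optional header size; its contents are irrelevant here
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # e_lfanew sits at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    for i, (ptr, size, _raw) in enumerate(sections):
        name = f".s{i}".encode().ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2x ptr, 2x count, Characteristics
        table += name + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1), size, ptr,
                                    0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + b"PE\0\0" + coff + opt + table)
    for ptr, _size, raw in sections:
        if raw:
            if ptr + len(raw) > len(img):
                img.extend(b"\0" * (ptr + len(raw) - len(img)))
            img[ptr:ptr + len(raw)] = raw
    return bytes(img) + overlay


def find_overlay(data):
    """Return (offset, size) of the overlay; size 0 means there is none.

    The overlay starts where the last byte of section raw data ends, i.e. at
    max(PointerToRawData + SizeOfRawData) over all sections, clamped to the
    file size. Header values are used as they are (no alignment rounding);
    an oversized SizeOfRawData is clamped to EOF, a PointerToRawData past EOF
    contributes nothing, and a section table truncated by EOF is cut off.
    """
    n = len(data)
    if n < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > n or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = min(table, n)  # floor: nothing before the section table can be overlay
    for i in range(nsec):
        hdr = table + 40 * i
        if hdr + 40 > n:  # NumberOfSections claims more headers than the file holds
            break
        end = max(end, hdr + 40)  # the section header itself is part of the headers
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size == 0 or raw_ptr >= n:  # no raw data, or it lies entirely past EOF
            continue
        end = max(end, min(raw_ptr + raw_size, n))  # clamp oversized SizeOfRawData
    return end, n - end


if __name__ == "__main__":
    pe = build_pe([(0x200, 0x200, b"A" * 0x200), (0x400, 0x200, b"B" * 0x200)],
                  overlay=b"OVERLAY!")
    print(find_overlay(pe))  # (1536, 8)
```

The two malformation cases worth trying are a section whose SizeOfRawData is 0xFFFFFFFF (the header then claims the appended bytes as section data, so no overlay is reported) and a section whose PointerToRawData points past the end of the file (it is skipped, so the overlay is measured from the previous section's end).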

Overlay Detection

import java.io.File;
import java.io.IOException;
import com.github.katjahahn.tools.Overlay;   // PortEx's Overlay class

File file = new File("myfile");
Overlay overlay = new Overlay(file);
// exists(), getOffset(), getSize() and the dump methods read the file, so the enclosing method must handle IOException
if (overlay.exists()) {
    System.out.println("overlay detected");
}

Overlay Offset and Size

File file = new File("myfile");
Overlay overlay = new Overlay(file);
long offset = overlay.getOffset();
long size = overlay.getSize();

Overlay Dumping

There are two ways to dump the overlay bytes via PortEx. You can get the bytes as a byte array (which holds the whole overlay in memory, so prefer the file variant below for large overlays):

Overlay overlay = new Overlay(file);
byte[] dump = overlay.getDump();

Or dump it directly to a specified output file:

Overlay overlay = new Overlay(file);
File outFile = new File("dump.out");
overlay.dumpTo(outFile);

Scan Overlay for Signatures

Overlay overlay = new Overlay(file);
List<Signature> overlaySigs = SignatureScanner.loadOverlaySigs();
// scan from the overlay's file offset rather than from the start of the file
List<String> sigresults = new SignatureScanner(overlaySigs).scanAtToString(file, overlay.getOffset());
sigresults.forEach(System.out::println);