The sections of Portable Executable files are tagged with differents flags. Can someone explain the difference between IMAGE_SCN_MEM_EXECUTE (the section can be executed as code) and IMAGE_SCN_CNT_CODE (the section contains executable code)? Thanks.
A:
IMAGE_SCN_MEM_EXECUTE is the one that is actually used by the PE loader to set up page permissions. IMAGE_SCN_CNT_CODE is not used, I guess it's just a descriptive flag.
Igor Skochinsky
2010-10-12 10:35:30
IMAGE_SCN_MEM_EXECUTE is used and IMAGE_SCN_CNT_CODE is not used! Is that the answer? How can you tell this? The COFF spec does not really help. Does it means that IMAGE_SCN_CNT_CODE is meaningless and it can be ignored? Thanks.
marc ochsenmeier
2010-10-12 13:21:41
This is from my experience working with PE files and Windows. You can try it yourself - toggle the bit and see if the file runs.
Igor Skochinsky
2010-10-13 13:05:16
I have just taken a look at the Download package of Firefox ("Firefox Setup 3.6.10.exe"). This package has been compressed with UPX (see typical section names). Somehow interesting to see that both UPX0 and UPX1 sections are tagged with IMAGE_SCN_MEM_EXECUTE but NONE has the IMAGE_SCN_CNT_CODE! This could confirm what you say. But to be honest, I am still a little bit confused about this.
marc ochsenmeier
2010-10-14 11:02:29