PE Section names – re-visited, again, in 2023

In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at win11 PE sections and am happy to report that the world of PE Sections has expanded a bit, again; here are some stats:

  • 3176 b'.rsrc'
  • 3109 b'.text'
  • 3109 b'.reloc'
  • 3108 b'.data'
  • 3102 b'.pdata'
  • 2983 b'.rdata'
  • 2007 b'.a64xrm' -> CHPEV2 section
  • 1958 b'.hexpthk' -> possibly stands for Hybrid Executable Push Thunk
  • 1705 b'.didat'
  • 241 b'.00cfg'
  • 50 b'.orpc'
  • 39 b'?g_Encry' -> WarbirdPayload
  • 31 b'PAGE'
  • 25 b'INIT'
  • 25 b'GFIDS'
  • 25 b'.edata'
  • 19 b'.wpp_sf'
  • 14 b'.idata'
  • 12 b'.mrdata'
  • 9 b'PAGECMRC'
  • 7 b'RT_DATA'
  • 7 b'RT_BSS'
  • 6 b'RT_CODE'
  • 5 b'_RDATA'
  • 5 b'.sdbid'
  • 5 b'.no_bbt'
  • 5 b'.apiset'
  • 4 b'RT_CONST'
  • 4 b'.isoapis'
  • 4 b'.imrsiv'
  • 2 b'PAGEWdfV'
  • 2 b'PAGELK'
  • 2 b'PAGEDATA'
  • 2 b'PAGECONS'
  • 2 b'.text_hf'
  • 2 b'.sipc'
  • 1 b'msrodata'
  • 1 b'debug_wi'
  • 1 b'cachelin'
  • 1 b'__Defaul'
  • 1 b'SANONTCP'
  • 1 b'RT'
  • 1 b'FE_TEXT'
  • 1 b'ExtTel'
  • 1 b'ERRATA'
  • 1 b'CiPolicy'
  • 1 b'.ssm_url'
  • 1 b'.proxy'
  • 1 b'.ndr64'
  • 1 b'.mytext'
  • 1 b'.guids'
  • 1 b'.detourd'
  • 1 b'.detourc'
  • 1 b'.bootdat'
  • 1 b'.DDIData'

An Elf walks into the bar…

Windows 11’s advapi32.dll includes interesting export functions:

  • ElfBackupEventLogFileA
  • ElfBackupEventLogFileW
  • ElfChangeNotify
  • ElfClearEventLogFileA
  • ElfClearEventLogFileW
  • ElfCloseEventLog
  • ElfDeregisterEventSource
  • ElfFlushEventLog
  • ElfNumberOfRecords
  • ElfOldestRecord
  • ElfOpenBackupEventLogA
  • ElfOpenBackupEventLogW
  • ElfOpenEventLogA
  • ElfOpenEventLogW
  • ElfReadEventLogA
  • ElfReadEventLogW
  • ElfRegisterEventSourceA
  • ElfRegisterEventSourceW
  • ElfReportEventA
  • ElfReportEventAndSourceW
  • ElfReportEventW

And I know nothing about them… while they are obviously exported by advapi32.dll, for some unknown reason they do not seem to be imported… by anything (no .exe or .dll imports these functions, at least not directly!). Plus, most of these APIs’ code references NDR functions (RPC), so unless you are really well-versed in these, it’s hard to reverse them 🙁

BUT

A quick google suggests that these are not Linux-related (the ‘ELF’ in the name is not the Executable and Linkable Format) but are actually Event Log File (also ‘ELF’)-related. In a trivial pursuit of the truth, we look at the code of the Elf* functions and their invocations and can almost immediately see that, for example, the documented RegisterEventSourceW calls ElfRegisterEventSourceW internally. So… it looks like, either intentionally or accidentally, the MS coders exposed a lower-level interface to the Event Log: the public, documented APIs are thin wrappers, and the Elf* exports are the layer underneath that talks to the service over RPC.

As such, functions:

  • ElfClearEventLogFileA
  • ElfClearEventLogFileW

may perhaps be of interest? Going by the naming pattern established above, they are presumably the lower-level counterpart of the documented ClearEventLogA/W, i.e. a second, less obvious entry point for wiping an event log. Since nothing on disk imports them statically, a binary that resolves them at run time (e.g. via GetProcAddress) would stand out, which makes the export names themselves a useful string to look for.
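The section counts at the top of this post were gathered by walking a set of Windows binaries and tallying section names, and the claim in the Elf* section that no .exe or .dll imports these functions can be checked the same way. As an added example (not the post's own tooling, whose details the post does not describe), the stdlib-only Python scanner below parses the PE headers by hand, tallies section names across a directory, and lists every static import whose name starts with 'Elf'. The embedded sample PE is constructed inside the code and is not a real Windows binary; the directory walk and the .exe/.dll/.sys suffix filter are assumptions. Run it with a directory argument (for example C:\Windows\System32) to repeat the exercise on a live system.

```python
import struct
import sys
from collections import Counter
from pathlib import Path

def parse_pe(data):
    """None if not a PE, else {'pe32plus', 'sections': [(name, rva, size, raw_off)], 'dirs': [(rva, size)]}."""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)  # IMAGE_FILE_HEADER
        opt = coff + 20
        pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
        dd = opt + (112 if pe32plus else 96)  # DataDirectory starts here in the optional header
        ndirs = struct.unpack_from("<I", data, dd - 4)[0]
        dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(min(ndirs, 16))]
        sections = []
        for i in range(nsect):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
            sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))  # 8-byte name, no NUL needed
        return {"pe32plus": pe32plus, "sections": sections, "dirs": dirs}
    except struct.error:
        return None  # truncated headers

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (None if no section covers it)."""
    for _, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return None

def cstr(data, off):
    if off is None:
        raise ValueError("RVA outside any section")
    return data[off:data.index(b"\0", off)]

def imported_names(data, info):
    """Yield (dll, function) for every import-by-name entry in the static import table."""
    rva = info["dirs"][1][0] if len(info["dirs"]) > 1 else 0
    if not rva:
        return
    sections = info["sections"]
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if info["pe32plus"] else ("<I", 4, 1 << 31)
    off = rva_to_offset(sections, rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero descriptor
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not name_rva and not ft:
            break
        dll = cstr(data, rva_to_offset(sections, name_rva))
        toff = rva_to_offset(sections, oft or ft)  # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from(fmt, data, toff)[0]):
            if not entry & ord_flag:  # by name: WORD hint, then the NUL-terminated name
                yield dll, cstr(data, rva_to_offset(sections, entry & 0x7FFFFFFF) + 2)
            toff += width
        off += 20

def scan(blobs):
    """blobs: iterable of (label, bytes) -> (Counter of section names, [(label, dll, fn)] for Elf* imports)."""
    counts, hits = Counter(), []
    for label, data in blobs:
        info = parse_pe(data)
        if info is None:
            continue
        counts.update(s[0] for s in info["sections"])
        try:
            hits += [(label, d, f) for d, f in imported_names(data, info) if f.startswith(b"Elf")]
        except (struct.error, ValueError, TypeError):
            pass  # malformed or truncated import table: skip it rather than abort the whole scan
    return counts, hits

def scan_directory(directory, suffixes=(".exe", ".dll", ".sys")):
    paths = (p for p in Path(directory).rglob("*") if p.suffix.lower() in suffixes)
    return scan((str(p), p.read_bytes()) for p in paths)

def build_sample_pe():
    """Constructed sample, not a real binary: a minimal PE32+ whose import table names
    ElfClearEventLogFileW from ADVAPI32.dll, so the scanner can be exercised offline."""
    idata_rva, hint_name = 0x2000, b"\0\0ElfClearEventLogFileW\0"  # WORD hint + name
    int_rva = idata_rva + 40           # thunks follow two 20-byte descriptors
    hint_rva = int_rva + 16            # one 8-byte thunk plus its terminator
    dll_rva = hint_rva + len(hint_name)
    idata = (struct.pack("<IIIII", int_rva, 0, 0, dll_rva, int_rva) + bytes(20)  # descriptor + terminator
             + struct.pack("<QQ", hint_rva, 0) + hint_name + b"ADVAPI32.dll\0").ljust(0x200, b"\0")
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, idata_rva, 40)      # DataDirectory[1] = import table
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x2022)
    sect = lambda name, va, raw: struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)
               + sect(b".text", 0x1000, 0x200) + sect(b".idata", idata_rva, 0x400)).ljust(0x200, b"\0")
    return headers + bytes(0x200) + idata  # headers, .text raw data, .idata raw data

if __name__ == "__main__":
    counts, hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan([("sample.dll", build_sample_pe())])
    for name, n in counts.most_common():
        print(f"{n:>6} {name!r}")
    for label, dll, fn in hits:
        print(f"{label}: imports {fn.decode()} from {dll.decode()}")
```

Section names are kept as bytes, so the output reads b'.text' like the listing above; a name that uses all 8 characters has no NUL terminator, which is why the parser reads a fixed 8-byte field instead of a C string. Two caveats on the "not imported by anything" check: the scanner only walks the static import table (imports by ordinal are ignored, and delay-load imports in .didat are not followed), and a module can still reach these exports at run time through GetProcAddress, which no static scan will reveal.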