Section Map

This window shows a zoomed-in version of the SectionMap icon and more details about the inner structure of the program file (click on the SectionMap icon to open this window):

[Image: Section Map window]

The "Colored Exe Sections Map" is a feature developed exclusively by PA-Soft, where each Section Category has its own color:

Color 1   Packers/Protectors/Cryptors   .aspack, UPX..., .RPCrypt, .Themida, .Upack, etc.
Color 2   Resource section              .rsrc
Color 3   Relocation section            .reloc
Color 4   Data sections                 .sdata, .srdata, .sxdata, .vsdata, .xdata, etc.
Color 5   Code sections                 .text, .itext, CODE, .code, .text0, .text1, .text2, etc.
Color 6   Driver sections               PAGE, INIT
Color 7   Thread sections               .tls, .tls$
Color 8   Other sections                minATL, .wixburn, .stabstr, .idlsym, .glue_7t, etc.
Color 9   Installer sections            .gentee, .bindat, .complua, .ndata, etc.
Color 10  Debug sections                .debug, .buildid, .debug$F, .debug$P, .debug$S, .debug$T, etc.
Color 11  Reserved for future use
Color 12  Reserved for future use

The Section Flags are abbreviations of some important Section Characteristics:

W   Writable      IMAGE_SCN_MEM_WRITE
R   Readable      IMAGE_SCN_MEM_READ
X   Executable    IMAGE_SCN_MEM_EXECUTE
S   Shareable     IMAGE_SCN_MEM_SHARED
D   Discardable   IMAGE_SCN_MEM_DISCARDABLE

The Entropy value is an important security indicator: it can reveal packed sections that are not declared as such and could contain obfuscated malicious code (e.g., viruses, worms, Trojans). A section that is not declared as a packed section but has a very high entropy value close to 8 (the theoretical maximum) should make you suspicious.

Originally, Entropy is a term from physics, where it denotes an extensive property of a thermodynamic system. In information theory, Entropy describes the probability distribution of the bytes in a digital file (or, as here, in a part of the file) and is calculated with Shannon's formula:

[Image: Shannon's entropy formula]
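As an added illustration (not part of this help page or of the PA-Soft tool), the following Python walks the section table of a PE image, abbreviates each section's Characteristics with the same W/R/X/S/D letters as the table above, computes the per-section Shannon entropy H = -sum(p_i * log2 p_i) over the 256 byte values, and lists the sections whose entropy sits close to the maximum of 8. The 7.0 cut-off and the constructed sample image are assumptions, not values from the page.

```python
import math
import struct

# IMAGE_SCN_* bits (winnt.h) mapped to the flag letters used in the section table above.
FLAG_LETTERS = ((0x80000000, "W"), (0x40000000, "R"), (0x20000000, "X"),
                (0x10000000, "S"), (0x02000000, "D"))
COFF_HDR, SECTION_HDR = "<HHIIIHH", "<8sIIIIIIHHI"  # IMAGE_FILE_HEADER, IMAGE_SECTION_HEADER

def shannon_entropy(data: bytes) -> float:
    """H = -sum(p * log2 p) over the byte values present: 0.0 for empty data, 8.0 at most."""
    probs = (data.count(b) / len(data) for b in set(data))
    return 0.0 - sum(p * math.log2(p) for p in probs)

def section_flags(characteristics: int) -> str:
    """Abbreviate Characteristics as W/R/X/S/D, as the section table does."""
    return "".join(ch for bit, ch in FLAG_LETTERS if characteristics & bit)

def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return (name, flags, entropy) for every section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, e_lfanew + 4)
    table, out = e_lfanew + 24 + opt_size, []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), section_flags(chars),
                    shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out

def suspicious_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy is close to the maximum of 8 (7.0 is an assumed cut-off)."""
    return [name for name, _, h in parse_sections(pe) if h >= threshold]

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (not a real binary): DOS header, signature, COFF header, section table, raw data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, 0, 0x102)     # no optional header
    table, raw, offset = b"", b"", 0x40 + 24 + 40 * len(sections)
    for name, chars, data in sections:
        table += struct.pack(SECTION_HDR, name, len(data), offset, len(data), offset, 0, 0, 0, 0, chars)
        raw, offset = raw + data, offset + len(data)
    return dos + b"PE\0\0" + coff + table + raw

# Constructed sample: 16-value "code" (entropy 4.0) and a writable section using all 256 values equally (8.0).
SAMPLE_PE = build_sample_pe([
    (b".text", 0x60000020, bytes(range(16)) * 256),                            # CODE | EXECUTE | READ
    (b".data", 0xC0000040, bytes((i * 131 + 7) % 256 for i in range(4096))),   # INITIALIZED_DATA | READ | WRITE
])
```

Running `parse_sections(SAMPLE_PE)` yields `.text` as `RX` with entropy 4.0 and `.data` as `WR` with entropy 8.0, so `suspicious_sections(SAMPLE_PE)` reports only `.data`.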

Here is a scientific paper which extensively discusses the practical application of entropy analysis in the field of software security:

Packer Detection for Multi-Layer Executables Using Entropy Analysis, from the Department of Computer Science and Engineering at Korea University in Seoul.

Right-click anywhere in this window to bring up a popup menu:

[Image: popup menu of the Section Map window]

This copies the window's client area as a screenshot image to the clipboard; you can use that image, for example, in reports.

 

You can also click on a color field in the leftmost column of the section table to TEMPORARILY change that section's color in the section map:

[Image: changing a section color in the section map]

This can help you to distinguish adjacent sections that share the same color, or to highlight a specific section and create a clearer report.