This window shows you a zoomed-up version of the SectionMap icon and more details about the inner structure of the program file (click on the SectionMap icon to open this window):
The "Colored Exe Sections Map" is a feature developed exclusively by PA-Soft, where each Section Category has its own color:
|
Packers/Protectors/Cryptors |
.aspack, UPX..., .RPCrypt, .Themida, .Upack, etc.etc. |
|
Resource section |
.rsrc |
|
Relocation section |
.reloc |
|
Data sections |
.sdata, .srdata, .sxdata, .vsdata, .xdata, etc.etc. |
|
Code sections |
.text, .itext, CODE, .code, .text0, .text1, .text2, etc.etc. |
|
Drivers sections |
PAGE, INIT |
|
Thread sections |
.tls, .tls$ |
|
Other sections |
minATL, .wixburn, .stabstr, .idlsym, .glue_7t, etc.etc |
|
Installer sections |
.gentee, .bindat, .complua, .ndata, etc. |
|
Debug sections |
.debug, .buildid, .debug$F, .debug$P, .debug$S, .debug$T, etc.etc. |
|
Reserved for future use |
|
|
Reserved for future use |
The Section Flags are abbreviations of some important Section Characteristics:
W |
Writable |
IMAGE_SCN_MEM_WRITE |
R |
Readable |
IMAGE_SCN_MEM_READ |
X |
Executable |
IMAGE_SCN_MEM_EXECUTE |
S |
Shareable |
IMAGE_SCN_MEM_SHARED |
D |
Discardable |
IMAGE_SCN_MEM_DISCARDABLE |
The Entropy value is a very important security indicator, as it can reveal packed sections not declared as such which could contain obfuscated malicious software code (e.g., viruses, worms, Trojans, etc.). Sections not declared as packed sections with a very high entropy value nearly below 8 (which is the theoretical maximum entropy value) should make you suspicious.
Originally, Entropy is a term from the science of physics and can mean "an extensive property of a thermodynamic system". In information theory, Entropy has to do with the probability distribution of bytes in a digital file (or as here in a part of the file) and is calculated with Shannon’s formula:
Here is a scientific paper which extensively discusses the practical application of entropy analysis in the field of software security:
Packer Detection for Multi-Layer Executables Using Entropy Analysis from the Department of Computer Science and Engineering at the Korea University in Seoul.
▶ Right-click anywhere in this window to bring up a popup menu:
This copies the window's client-area as a screencopy image to the clipboard. You could use that image e.g. for reports etc.
▶ You can also click on a color field in the leftmost column of the section-table to TEMPORARILY change that section color in the section-map:
This could help you to get a better visual distinction between adjacent sections which have the same color or to focus a specific section and create a clearer report.