
According to what I know, the overlay is the part of a PE file that is not covered by the PE header and therefore isn't part of the virtual image of the loaded PE.

My question is: if the overlay is not loaded along with all the other code of the PE (sections) into memory, how do overlay viruses execute? Do they read the file from the disk?

By overlay viruses I mean malware which runs malicious code from its overlay.

rebel87

1 Answer


The overlay is just appended data to the end of the executable file. Detecting this can be tricky. But keep in mind that this portion is only ignored when loading an executable into memory. Opening the file for reading will allow access to the entire file including the Overlay portion.

The PE header will contain the size of the executable, and you can attempt to base the start of the overlay section on this. However, this size could be any size including zero or 0xffffffff.

Viruses most likely use the executable portion to gain a foothold into the system, and then load more suspicious code into memory from the overlay once they have appropriate permissions. In this case the virus already knows where in the file to find its extra code.

The advantage here might be that the initial actions by the EXE will allow it past virus scanners to run, and the overlay portion isn't taken into account.

How to Append Data to an EXE is a nice little article that talks about how this can be done for legitimate means.

RoraΖ
  • Thanks a lot for the answer, so does this mean that the entry point cannot be in the overlay, but the exe can read its data (malicious code) in the overlay, using simple file pointers... – rebel87 Jan 05 '15 at 05:22
  • Yeah, the binary can open itself and read data in. For an entry point to be valid it would have to be marked as executable. That's an interesting question best suited for StackOverflow. I suppose you could engineer something like that, but then what's the point of appending data at all? Maybe obfuscation, but I think there are easier ways to obfuscate your code. – RoraΖ Jan 05 '15 at 12:53
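The answer and the comment exchange above describe two things a defender can check directly: where the overlay begins (the end of the last section's raw data, as recorded in the PE header) and how unreliable that header value can be. The following is an added example, not code from the question, the answer or any tool they mention. It builds a constructed, non-runnable minimal PE32 image in memory (a hypothetical `build_sample_pe` helper) and then locates the overlay the way a scanner would: walk the section table, take the highest `PointerToRawData + SizeOfRawData`, and clamp it to the real file size so that a bogus size such as `0xffffffff` cannot point past the end of the file.

```python
import struct
import sys

# IMAGE_SECTION_HEADER is 40 bytes; SizeOfRawData is at +16, PointerToRawData at +20.
SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20


def find_overlay(data: bytes) -> tuple[int, int]:
    """Return (overlay_offset, overlay_size) for an in-memory PE file image.

    The overlay starts where the last section's raw data ends on disk, i.e. at the
    maximum PointerToRawData + SizeOfRawData across the section table. Values that
    run past the end of the file are clamped, so a corrupt or deliberately inflated
    size (0xffffffff and the like) simply hides the overlay rather than crashing.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]
    sect_off = coff_off + COFF_HEADER_SIZE + size_opt

    # The headers themselves are the lower bound for where the overlay may begin.
    end = sect_off + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        off = sect_off + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: stop rather than read garbage
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        if size_raw == 0:
            continue  # e.g. .bss: occupies no bytes in the file
        end = max(end, ptr_raw + size_raw)
    end = min(end, len(data))  # header lies about sizes cannot point past EOF
    return end, len(data) - end


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 image for demonstration only (it is not a runnable
    program): DOS stub, PE signature, COFF header, a zeroed 224-byte optional
    header, one .text section, and an optional appended overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, size_of_optional = 1, 224
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32-bit)
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, size_of_optional, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)  # PE32 magic
    headers_len = e_lfanew + 4 + COFF_HEADER_SIZE + size_of_optional + SECTION_HEADER_SIZE * num_sections
    file_alignment = 0x200
    raw_ptr = -(-headers_len // file_alignment) * file_alignment
    raw_size = -(-len(section_data) // file_alignment) * file_alignment
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (CODE | EXECUTE | READ)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    headers += b"\x00" * (raw_ptr - len(headers))
    body = section_data + b"\x00" * (raw_size - len(section_data))
    return headers + body + overlay


if __name__ == "__main__":
    # Usage: python overlay_check.py <file.exe>; with no argument, inspect the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(b"\xC3" * 100, b"PAYLOAD-MARKER")  # constructed sample
    offset, size = find_overlay(blob)
    print(f"overlay at 0x{offset:x}, {size} bytes")
```

Two points from the thread show up in the code: the overlay is reachable only by reading the file from disk, never from the loaded image, so the check has to run on the file bytes; and because the answer notes the header's sizes can be "zero or 0xffffffff", the clamp means a tampered section size makes the overlay invisible to this simple check (size reported as 0), which is exactly why the answer calls detection tricky. The constructed image is a shape for the parser, not an executable.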