PE知识学习 [转]  (PE file format study notes — reposted)
PE ļ֪ʶǻ֪ʶ.кܶⷽ.Ȼϵͳȴ.Ҳⷽר,ȴϣש,õⷽһЩָ. ſѧʵԺǿһѧ,ʵʵѧ㶫,ҪԶһ. ڼ¿֮ǰ,ҼٶCԺͼʹVC6.0,µӶõЩ.֮,κμ. peһЩṹwinnt.hͷļҵ. һ:еĽṹ嶼ǻintelx86 CPU,ϵͳϿͬ,Ӧȥ鿴Ӧ.Ժ. peļĿʼһṹ(Ϊ˷Ķ,Ҽֽƫ): typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header 00h WORD e_magic; // Magic number **DOSͷ 02h WORD e_cblp; // Bytes on last page of file 04h WORD e_cp; // Pages in file 06h WORD e_crlc; // Relocations 08h WORD e_cparhdr; // Size of header in paragraphs 0ah WORD e_minalloc; // Minimum extra paragraphs needed 0ch WORD e_maxalloc; // Maximum extra paragraphs needed 0eh WORD e_ss; // Initial (relative) SS value 10h WORD e_sp; // Initial SP value 12h WORD e_csum; // Checksum 14h WORD e_ip; // Initial IP value 16h WORD e_cs; // Initial (relative) CS value 18h WORD e_lfarlc; // File address of relocation table 1ah WORD e_ovno; // Overlay number 1ch WORD e_res[4]; // Reserved words 24h WORD e_oemid; // OEM identifier (for e_oeminfo) 26h WORD e_oeminfo; // OEM information; e_oemid specific 28h WORD e_res2[10]; // Reserved words 3ch LONG e_lfanew; // File address of new exe header **ָPEͷ } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; ṹDOS MZͷ,Ϊ¼ݵ.DOSwindowsڳ. ֻ:e_magic e_lfanew. e_magic ֵӦõ0x5A4D,涨: #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ e_lfanewһָ,ָPEļͷPEļеƫ. PEļͷһṹ,PEװҪõ. typedef struct _IMAGE_NT_HEADERS { DWORD Signature; **PEļʶ IMAGE_FILE_HEADER FileHeader; **ӳļͷ IMAGE_OPTIONAL_HEADER32 OptionalHeader; **ӳѡͷ } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; SignatureĶ: #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 ,ʵ.дС鿴һPEļЩϢ,жһPEļǷЧ. 
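/*
 * Dump the IMAGE_DOS_HEADER of a PE file and check the two fields that mark
 * it as a PE image: e_magic ("MZ", IMAGE_DOS_SIGNATURE) and the "PE\0\0"
 * signature (IMAGE_NT_SIGNATURE) found at file offset e_lfanew.
 *
 * Build: a Win32 console project. The original post used VC6 with a
 * precompiled header; drop the "stdafx.h" include if your project has none.
 *
 * Everything in the file is untrusted input. In particular e_lfanew is a
 * file-controlled offset, so it is only followed once the MZ check passes,
 * and every fseek()/fread() result is checked rather than assuming the file
 * is long enough. Compared with the original listing: the file is opened
 * read-only ("rb" instead of "r+b"), the signature is read into a DWORD with
 * sizeof so the read and the variable are always the same width, the missing
 * ')' in the fopen call is restored, and the two verdict strings (which had
 * collapsed into the same mis-encoded text) are distinct again.
 *
 * Usage: program [file]   -- defaults to "test1.exe" like the original.
 * Returns 0 after printing the dump and the verdict, -1 if the file cannot be
 * opened or is shorter than an IMAGE_DOS_HEADER.
 */
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    const char *path = (argc > 1) ? argv[1] : "test1.exe";
    FILE *fp;
    IMAGE_DOS_HEADER dos;
    DWORD sig = 0;      /* exactly the 4 bytes of the PE signature */
    int is_pe = 0;

    /* Read-only access is all a dumper needs. */
    fp = fopen(path, "rb");
    if (fp == NULL) {
        fprintf(stderr, "cannot open %s\n", path);
        return -1;
    }
    if (fread(&dos, sizeof dos, 1, fp) != 1) {
        fprintf(stderr, "%s: shorter than IMAGE_DOS_HEADER\n", path);
        fclose(fp);
        return -1;
    }

    printf("IMAGE_DOS_HEADER dump:\n");
    printf("e_magic   : %04x\n", (unsigned)dos.e_magic);
    printf("e_cblp    : %04x\n", (unsigned)dos.e_cblp);
    printf("e_cp      : %04x\n", (unsigned)dos.e_cp);
    printf("e_crlc    : %04x\n", (unsigned)dos.e_crlc);
    printf("e_cparhdr : %04x\n", (unsigned)dos.e_cparhdr);
    printf("e_minalloc: %04x\n", (unsigned)dos.e_minalloc);
    printf("e_maxalloc: %04x\n", (unsigned)dos.e_maxalloc);
    printf("e_ss      : %04x\n", (unsigned)dos.e_ss);
    printf("e_sp      : %04x\n", (unsigned)dos.e_sp);
    printf("e_csum    : %04x\n", (unsigned)dos.e_csum);
    printf("e_ip      : %04x\n", (unsigned)dos.e_ip);
    printf("e_cs      : %04x\n", (unsigned)dos.e_cs);
    printf("e_lfarlc  : %04x\n", (unsigned)dos.e_lfarlc);
    printf("e_ovno    : %04x\n", (unsigned)dos.e_ovno);
    printf("e_res[0]  : %04x\n", (unsigned)dos.e_res[0]);
    printf("e_oemid   : %04x\n", (unsigned)dos.e_oemid);
    printf("e_oeminfo : %04x\n", (unsigned)dos.e_oeminfo);
    printf("res2[0]   : %04x\n", (unsigned)dos.e_res2[0]);
    printf("lfanew    : %08lx\n", (unsigned long)dos.e_lfanew);

    /*
     * Only follow e_lfanew when the MZ magic is present; otherwise it is
     * just bytes 3Ch..3Fh of an arbitrary file. A negative offset, a failed
     * seek or a short read all mean "not a PE file", never a crash.
     */
    if (dos.e_magic == IMAGE_DOS_SIGNATURE
        && dos.e_lfanew >= 0
        && fseek(fp, dos.e_lfanew, SEEK_SET) == 0
        && fread(&sig, sizeof sig, 1, fp) == 1) {
        is_pe = (sig == IMAGE_NT_SIGNATURE);
    }
    fclose(fp);

    printf(is_pe ? "valid PE file\n" : "not a valid PE file\n");
    return 0;
}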
IMAGE_FILE_HEADERṹĶ: typedef struct _IMAGE_FILE_HEADER { 00h WORD Machine; **ƽ̨ 02h WORD NumberOfSections; **Ŀ 04h DWORD TimeDateStamp; **ļʱ 08h DWORD PointerToSymbolTable; **ָű 0Ch DWORD NumberOfSymbols; **űеķ 10h WORD SizeOfOptionalHeader; **ӳѡͷṹĴС 12h WORD Characteristics; **ļֵ } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; (Offsets corrected: TimeDateStamp follows the two WORDs at 04h, so the structure is 20 bytes (14h) long and IMAGE_OPTIONAL_HEADER32 starts at e_lfanew + 18h.) ǿһ⼸: 1) Machine˵peļʲôCPU,: #define IMAGE_FILE_MACHINE_UNKNOWN 0 #define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386. #define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian #define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian #define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2 #define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP #define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian #define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian #define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian #define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian #define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian #define IMAGE_FILE_MACHINE_THUMB 0x01c2 #define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64 #define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS #define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS #define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS #define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64 #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64 2) NumberOfSections peļ,滹Ҫ,иӡͿ. (Like every other header field this count comes from the file and is untrusted: before iterating the section table, check that e_lfanew + 4 + 14h + SizeOfOptionalHeader + NumberOfSections * 28h still lies inside SizeOfHeaders and inside the file.) 3)TimeDateStamp ļʱ,ָpeļɵʱ,ֵǴ1969123116:00:00. 4)PointerToSymbolTable CoffԷűƫƵַ. 5)NumberOfSymbols Coffűзŵĸ. ǰrelease汾ij0. 6)SizeOfOptionalHeader IMAGE_OPTIONAL_HEADER32ṹĴС(ֽ).ǽžҪᵽṹ.ʵ,peļĴҪIMAGE_OPTIONAL_HEADERṹ. 
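/*
 * 7) Characteristics -- IMAGE_FILE_HEADER.Characteristics is a bit-OR of the
 * following winnt.h flags (quoted here as a comment rather than re-#defined,
 * since <windows.h> already defines them):
 *
 *   IMAGE_FILE_RELOCS_STRIPPED          0x0001  relocation info stripped from file
 *   IMAGE_FILE_EXECUTABLE_IMAGE         0x0002  file is executable (no unresolved externals)
 *   IMAGE_FILE_LINE_NUMS_STRIPPED       0x0004  line numbers stripped from file
 *   IMAGE_FILE_LOCAL_SYMS_STRIPPED      0x0008  local symbols stripped from file
 *   IMAGE_FILE_AGGRESIVE_WS_TRIM        0x0010  aggressively trim working set
 *   IMAGE_FILE_LARGE_ADDRESS_AWARE      0x0020  app can handle >2GB addresses
 *   IMAGE_FILE_BYTES_REVERSED_LO        0x0080  bytes of machine word are reversed
 *   IMAGE_FILE_32BIT_MACHINE            0x0100  32-bit word machine
 *   IMAGE_FILE_DEBUG_STRIPPED           0x0200  debugging info stripped, kept in .DBG file
 *   IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400  on removable media: copy and run from swap
 *   IMAGE_FILE_NET_RUN_FROM_SWAP        0x0800  on network: copy and run from swap
 *   IMAGE_FILE_SYSTEM                   0x1000  system file
 *   IMAGE_FILE_DLL                      0x2000  file is a DLL
 *   IMAGE_FILE_UP_SYSTEM_ONLY           0x4000  run only on a uniprocessor machine
 *   IMAGE_FILE_BYTES_REVERSED_HI        0x8000  bytes of machine word are reversed
 *
 * The program below locates and dumps the IMAGE_FILE_HEADER of a PE file.
 * Layout relied on: IMAGE_DOS_HEADER at offset 0; its e_lfanew (offset 3Ch)
 * is the file offset of IMAGE_NT_HEADERS32, whose first 4 bytes are the
 * "PE\0\0" signature and are followed immediately by IMAGE_FILE_HEADER.
 *
 * The original listing seeked to 3Ch and read e_lfanew without ever looking
 * for "MZ", then seeked to e_lfanew + 4 without checking the PE signature or
 * any fread() result -- on a non-PE or truncated file that dumps 20 bytes
 * from a random offset and reports them as a header. Here the MZ magic and
 * PE signature are verified first, every seek/read is checked, the file is
 * opened read-only, and the missing ')' in the fopen call is restored.
 * The original post reports it compiled under Win98 + VC6.
 *
 * Usage: program [file]   -- defaults to "test1.exe" like the original.
 * Returns 0 after printing the header, -1 on any open/format/read failure.
 */
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(int argc, char *argv[])
{
    const char *path = (argc > 1) ? argv[1] : "test1.exe";
    FILE *fp;
    IMAGE_DOS_HEADER dos;
    DWORD sig = 0;
    IMAGE_FILE_HEADER fh;
    int rc = -1;

    fp = fopen(path, "rb");
    if (fp == NULL) {
        fprintf(stderr, "cannot open %s\n", path);
        return -1;
    }

    /* Without "MZ", bytes 3Ch..3Fh are not an offset to anything. */
    if (fread(&dos, sizeof dos, 1, fp) != 1 || dos.e_magic != IMAGE_DOS_SIGNATURE) {
        fprintf(stderr, "%s: no MZ header\n", path);
        goto done;
    }
    /* e_lfanew is file-controlled: reject negatives and let fseek/fread
     * reject offsets beyond the end of the file. */
    if (dos.e_lfanew < 0
        || fseek(fp, dos.e_lfanew, SEEK_SET) != 0
        || fread(&sig, sizeof sig, 1, fp) != 1
        || sig != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "%s: no PE signature at e_lfanew=%08lx\n",
                path, (unsigned long)dos.e_lfanew);
        goto done;
    }
    /* IMAGE_FILE_HEADER starts right after the 4-byte signature, which is
     * exactly where the file position is now (e_lfanew + 4). */
    if (fread(&fh, sizeof fh, 1, fp) != 1) {
        fprintf(stderr, "%s: truncated IMAGE_FILE_HEADER\n", path);
        goto done;
    }

    printf("IMAGE_FILE_HEADER:\n");
    printf("Machine              : %04X\n", (unsigned)fh.Machine);
    printf("NumberOfSections     : %04X\n", (unsigned)fh.NumberOfSections);
    printf("TimeDateStamp        : %08lX\n", (unsigned long)fh.TimeDateStamp);
    printf("PointerToSymbolTable : %08lX\n", (unsigned long)fh.PointerToSymbolTable);
    printf("NumberOfSymbols      : %08lX\n", (unsigned long)fh.NumberOfSymbols);
    printf("SizeOfOptionalHeader : %04X\n", (unsigned)fh.SizeOfOptionalHeader);
    printf("Characteristics      : %04X\n", (unsigned)fh.Characteristics);
    rc = 0;

done:
    fclose(fp);
    getch();    /* keep the console window open, as the original did */
    return rc;
}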

5楼 2006-08-26 20:15:53
pe֪ʶѧϰ ǰѾpeļṹ,ϣû㿴.ҰpeļĽṹг,иȫֵӡ. _______________________________ | IMAGE_DOS_HEADER | <-- Dos ------------------------------- | 'PE',0,0 | <-- PEļ־ ------------------------------- | IMAGE_FILE_HEADER | <-- ӳļͷ ------------------------------- | IMAGE_OPTIONAL_HEADER32 | <-- ӳѡͷ ------------------------------- | Section Table | <-- ڱ ------------------------------- | .text | <-- ------------------------------- | .data | <-- ------------------------------- | .idata | <-- ------------------------------- | .edata | <-- ------------------------------- | .reloc | <-- ضλ ------------------------------- | .... | ------------------------------- | Ϣ | ------------------------------- ,ǽſIMAGE_OPTIONAL_HEADER32ṹ.ṹȽ϶,ǺͺҪĽڱһ,dzҪ.ϣܹ,ʵһ. IMAGE_OPTIONAL_HEADER32Ľṹ: typedef struct _IMAGE_OPTIONAL_HEADER { // // Standard fields. // 00h WORD Magic; //,32λpeļΪ010bh 02h BYTE MajorLinkerVersion; //汾 03h BYTE MinorLinkerVersion; //汾 04h DWORD SizeOfCode; //ܴС 08h DWORD SizeOfInitializedData; //ѳʼݶܴС 0ch DWORD SizeOfUninitializedData; //δʼݶܴС 10h DWORD AddressOfEntryPoint; //ִڵַ(RVA) 14h DWORD BaseOfCode; //ʼַ(RVA) 18h DWORD BaseOfData; //ݶʼַ(RVA) // // NT additional fields. 
// 1ch DWORD ImageBase; //Ĭϵװʼַ 20h DWORD SectionAlignment; //ڴĶ뵥λ 24h DWORD FileAlignment; //ļĶ뵥λ 28h WORD MajorOperatingSystemVersion; //ϵͳ汾 2ah WORD MinorOperatingSystemVersion; //ϵͳ汾 2ch WORD MajorImageVersion; //Զ汾 2eh WORD MinorImageVersion; //Զ帱汾 30h WORD MajorSubsystemVersion; //ϵͳ汾 32h WORD MinorSubsystemVersion; //ϵͳ汾 34h DWORD Win32VersionValue; //0 38h DWORD SizeOfImage; //peļڴеӳܴС 3ch DWORD SizeOfHeaders; //peļʼڱ(ڱ)ܴС 40h DWORD CheckSum; //peļCRCУ 44h WORD Subsystem; //ûʹõϵͳ 46h WORD DllCharacteristics; //Ϊ0 48h DWORD SizeOfStackReserve; //Ϊ̵߳ջʼڴĬֵ 4ch DWORD SizeOfStackCommit; //Ϊ̵߳ջʼύڴĴС 50h DWORD SizeOfHeapReserve; //Ϊ̵ĶѱڴĴС 54h DWORD SizeOfHeapCommit; //Ϊ̵ĶѳʼύڴĴС 58h DWORD LoaderFlags; //Ϊ0 5ch DWORD NumberOfRvaAndSizes; //Ŀ¼ṹ,Ϊ 00000010h 60h IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //Ŀ¼ṹ } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; پһ¸ĺ.Ҫ,Щ֪ʶʵ̫Ҫ. 1)Magic ,32λpeļΪ010bh Ķ: #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107 2)MajorLinkerVersion ӳ汾 vc6.0Ϊ06h 3)MinorLinkerVersion ӳĴΰ汾 vc6.0Ϊ00h 4)SizeOfCode peļεĴС.FileAlignment. 5)SizeOfInitializedData кѳʼݵĿĴС,һ.data. 6)SizeOfUninitializedData кδʼݵĿĴС,һ.bss. 7)AddressOfEntryPoint ʼִеĵַ,һRVA(ַ).exeļ,;dllļ,libMain()ĵַ. ѿʱһ¾ڵ,ָľֵ. 8)BaseOfCode λַ,ӳɵijһֵΪ1000h, 9)BaseOfData ݶλַ 10)ImageBase peļĬϵװַ.windows9xexeļΪ400000h,dllļΪ10000000h. 11)SectionAlignment ڴĶ뵥λ.Ƕ뵽ֵ.x8632λϵͳĬֵλ1000h 12)FileAlignment peļĶ뵥λ.peļĬֵΪ 200h. 13)MajorOperatingSystemVersion 14)MinorOperatingSystemVersion ָpeļIJϵͳͰ汾.windows95/98windows nt 4.0 ڲ汾Ŷ 4.0 ,windows2000ڲ汾5.0 15)MajorImageVersion 16)MinorImageVersion ָûԶpeļİ汾.ͨӳ,: LINK /VERSION:2.0 MyApp.objһʱʹ. 17)MajorSubsystemVersion 18)MinorSubsystemVersion ָpeļҪϵͳİ汾. 19)Win32VersionValue 0 20)SizeOfImage peļװڴӳܴС.SectionAlignmentFileAlignment,ôֵҲpeļӲϵĴС. 21)SizeOfHeaders ļʼڱ(ڱ)ܴС.Ǹε. 22)CheckSum peļCRCУ. 
23)Subsystem peļûʹõϵͳ.: #define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem. #define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem. #define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem. #define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem. #define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem. #define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem. #define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver. #define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem. 24)DllCharacteristics Ϊ0 25)SizeOfStackReserve Ϊ̵߳ջʼڴĴС,ĬΪ00100000h.ڵCreateThreadʱָջĴСΪ0,̵߳ĶջijʼСֵͬ. 26)SizeOfStackCommit Ϊ̵߳ջʼύڴĴС.ӳֵΪ 1000h. 27)SizeOfHeapReserve Ϊ̵ĶѱڴĴС.ĬֵΪ 00100000h. 28)SizeOfHeapCommit Ϊ̵ĶѳʼύڴĴС.ӳֵΪ1000h. 29)LoaderFlags ͨΪ0 30)NumberOfRvaAndSizes Ŀ¼ṹ,Ϊ 00000010h ֵ: #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 31)IMAGE_DATA_DIRECTORY DataDirectory[0x10] Ŀ¼ṹ IMAGE_DATA_DIRECTORYṹ: typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; ַ DWORD Size; С } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; ṹpeļҪֵRVAַʹС.ʹϵͳļسܹٶλض.嶨: #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound 
Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor |
2楼 2006-08-26 09:31:31
pe֪ʶѧϰģ ҪѧϰĿ˵peļĺ.(section table)ֿ()Ľṹ.ЩݱȽ϶ҳ.һдȷ,Ȼ.ϣĿȥ.ѧϰʱǺܿ.ʵʱҲӦõʵ. ܻǵ,IMAGE_FILE_HEADERṹNumberOfSections.,ǿصĿĽṹ. ṹĶ: #define IMAGE_SIZEOF_SHORT_NAME 8 typedef struct _IMAGE_SECTION_HEADER { 00h BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; //,8ֽڳ 08h union { DWORD PhysicalAddress; //objļ,εʵʵַ DWORD VirtualSize; //exedllļļжǰĴС } Misc; 0ch DWORD VirtualAddress; //RVA(ַ) 10h DWORD SizeOfRawData; //ļжĴС 14h DWORD PointerToRawData; //ļеƫ 18h DWORD PointerToRelocations; //ضλƫ(objļʹ) 1ch DWORD PointerToLinenumbers; //кűƫ() 20h WORD NumberOfRelocations; //ضλĿ(objļʹ) 22h WORD NumberOfLinenumbers; //кűкŵĿ 24h DWORD Characteristics; // } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; (Offsets of NumberOfRelocations and NumberOfLinenumbers corrected to 20h and 22h: PointerToLinenumbers is a DWORD at 1ch, so the next field starts at 20h and the whole header is 40 bytes (28h).) ṹεһЩҪ,һ¸ĺ. 1)Name[8] 8ֽڵ,80. (A name that uses all 8 bytes has no terminating NUL, so never treat Name as a C string: copy it into a 9-byte zero-filled buffer or print it with "%.8s".) 2)VirtualSize exedllļλûаFileAlignmentǰĴС.ṹǴ,ôֵʵʵĴĴС.peļdiyʱ,.ָжûʹõĿռ.ǿûʹõĿռԼĴ.öಡҲǰѴʣĿռ.(Ǻ,Ҫѧ.) 3)VirtualAddress exeļ,peļӳ䵽ڴεRVAַ.ֵϻַ(IMAGE_OPTIONAL_HEADER32.ImageBase),͵õ˸ڴеʵʼַ. 4)SizeOfRawData ΰIMAGE_OPTIONAL_HEADER32.FileAlignmentļеĴС.FileAlignmentΪ 0200h,VirtualSizeΪ035Ah,ֵΪ 0400h. 5)PointerToRawData εʼַpeļеƫ. (Both PointerToRawData and SizeOfRawData come from the file and are untrusted: check that PointerToRawData + SizeOfRawData does not overflow and does not exceed the file size before reading a section, and remember that SizeOfRawData and VirtualSize may legitimately differ.) 6)PointerToRelocations 7)PointerToLinenumbers 8)NumberOfRelocations 9)NumberOfLinenumbers ĸڷа汾ijﶼ0. 10)Characteristics εϢ.ڱʾǴ롢ݡɶдȵ. (ҪѾע) // IMAGE_SCN_TYPE_REG 0x00000000 // Reserved. // IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved. // IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved. // IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved. #define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved. // IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved. #define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code. //ΰ #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data. //ΰѳʼ #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data. //ΰδʼ #define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved. #define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments // or some other type of information. // IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved. 
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image. #define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat. // 0x00002000 // Reserved. // IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000 #define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits // in the TLB entries for this section. #define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP #define IMAGE_SCN_MEM_FARDATA 0x00008000 // IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000 #define IMAGE_SCN_MEM_PURGEABLE 0x00020000 #define IMAGE_SCN_MEM_16BIT 0x00020000 #define IMAGE_SCN_MEM_LOCKED 0x00040000 #define IMAGE_SCN_MEM_PRELOAD 0x00080000 #define IMAGE_SCN_ALIGN_1BYTES 0x00100000 // #define IMAGE_SCN_ALIGN_2BYTES 0x00200000 // #define IMAGE_SCN_ALIGN_4BYTES 0x00300000 // #define IMAGE_SCN_ALIGN_8BYTES 0x00400000 // #define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified. #define IMAGE_SCN_ALIGN_32BYTES 0x00600000 // #define IMAGE_SCN_ALIGN_64BYTES 0x00700000 // #define IMAGE_SCN_ALIGN_128BYTES 0x00800000 // #define IMAGE_SCN_ALIGN_256BYTES 0x00900000 // #define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 // #define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 // #define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 // #define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 // #define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 // // Unused 0x00F00000 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations. #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded. //οɶ #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable. #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable. #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable. //οɹ #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. //οִ #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. 
//οɶ #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. //οд ǿһpeļﳣõһ: 1).text code һŵǴ. 2).data һŵѳʼ. 3).idata һŵ.滹Ҫϸ. 4).rsrc һŵԴ. 5).reloc һŵǻַضλ. 6).edata һŵ. 7).tls һֲ߳̾洢. 8).bbs һŵδʼ. |
3楼 2006-08-26 09:32:24
pe֪ʶѧϰ() ʼ,ҽܼõ:,ضλ. ֪,ⲿdllͨʽ: call my_label ... my_label: jmp dword ptr [xxxxxxxx] һdllеĺĵͨһַӵĵõ.Щַͷ. (Import Table),֮,peļļ̬ӿʲôһṹ.ϣʲô.ɲ,ֻõṹ.:IMAGE_IMPORT_DESCRIPTORIMAGE_THUNK_DATAIMAGE_IMPORT_BY_NAME. ȿһ¿ͼ. IMAGE_IMPORT_DESCRIPTOR |--------------------| |-------------------------| OriginalFirstThunk | | |--------------------| | | TimeDateStamp | | |--------------------| | | ForwarderChain | | |--------------------| | | Name |----> "USER32.DLL" | |--------------------| | | FirstThunk |---------------------------| | |--------------------| | | | | Hint-name table IMAGE_IMPORT_BY_NAME import address table(IAT) | | |------------------| |--------------------| |------------------| | |-> | IMAGE_THUNK_DATA |-->| 44 | "GetMessage" |<--| IMAGE_THUNK_DATA |<---| |------------------| |----|---------------| |------------------| | IMAGE_THUNK_DATA |-->| 72 | "LoadIcon" |<--| IMAGE_THUNK_DATA | |------------------| |----|---------------| |------------------| | ...... |-->| .. | ...... |<--| ...... | |------------------| |----|---------------| |------------------| | NULL | | NULL | |------------------| |------------------| Ȼ,һdll뺯.Ӽdll뺯,ôмĽṹ.ͬʱ,ҲǴļϵĽṹ.װڴFirstThunkָĽṹᱻ.Կͼ. ϤһṹĶ: typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; // 0 for terminating null import descriptor DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) }; DWORD TimeDateStamp; // 0 if not bound, // -1 if bound, and real date\time stamp // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) // O.W. 
date/time stamp of DLL bound to (Old BIND) DWORD ForwarderChain; // -1 if no forwarders DWORD Name; DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) } IMAGE_IMPORT_DESCRIPTOR; typedef struct _IMAGE_THUNK_DATA32 { union { PBYTE ForwarderString; PDWORD Function; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA32; typedef struct _IMAGE_IMPORT_BY_NAME { WORD Hint; //ָڵdllе BYTE Name[1]; //ָҪĺĺ } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME; ǽһIMAGE_IMPORT_DESCRIPTORṹĸĺ: 1)union { DWORD Characteristics; DWORD OriginalFirstThunk; }; ָһ IMAGE_THUNK_DATA ͵Ľṹ.ϲǺҪ,Ϊ0. 2)TimeDateStamp dllʱڴ,һΪ0. 3)ForwarderChain .һΪ0. 4)Name dllֵRVA. 5)FirstThunk ҲһRVA,ָһDWORD,NULL.еÿDWORDʵһIMAGE_THUNK_DATAṹ塣IMAGE_THUNK_DATAͨΪһָIMAGE_IMPORT_BY_NAMEṹRVA. ͼǿԿеָ鶼ָIMAGE_IMPORT_BY_NAMEṹ.ʵ,OriginalFirstThunkָIMAGE_THUNK_DATAṹ,ʱҲʾ(Hint-name table),ʾָIMAGE_IMPORT_BY_NAMEṹ.FirstThunkָIMAGE_THUNK_DATAṹڸpeļʱ,سĸ.سÿһָ,ҵÿһIMAGE_IMPORT_BY_NAMEṹӦ뺯ĵַ,ȻسҵĵַӦIMAGE_THUNK_DATAṹ. ǰᵽ call my_label ... my_label: jmp dword ptr [xxxxxxxx] еxxxxxxxxFirstThunkָIMAGE_THUNK_DATAеһֵ.ΪFirstThunkָڼغ뺯ĵַ,Ϊַ(Import Address Table,IAT). peļغ: IMAGE_IMPORT_DESCRIPTOR |--------------------| |-------------------------| OriginalFirstThunk | | |--------------------| | | TimeDateStamp | | |--------------------| | | ForwarderChain | | |--------------------| | | Name |----> "USER32.DLL" | |--------------------| | | FirstThunk |---------------------------| | |--------------------| | | | | Hint-name table IMAGE_IMPORT_BY_NAME import address table(IAT) | | |------------------| |--------------------| |------------------| | |-> | IMAGE_THUNK_DATA |-->| 44 | "GetMessage" | |ptr of GetMessage |<---| |------------------| |----|---------------| |------------------| | IMAGE_THUNK_DATA |-->| 72 | "LoadIcon" | | ptr of LoadIcon | |------------------| |----|---------------| |------------------| | ...... |-->| .. | ...... | | ...... 
| |------------------| |----|---------------| |------------------| | NULL | | NULL | |------------------| |------------------| pe֪ʶҪһ.ϣܹһpeʵⲿֵ. pe֪ʶѧϰ() ,ʼ. dllһЩ.ЩpeļҲ.ͨǷ.edataε..edataεעҪɷǺ,ڵַ,. ĿʼһIMAGE_EXPORT_DIRECTORYṹ,֮ɸýṹеijָ. IMAGE_EXPORT_DIRECTORYṹ: typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; // RVA from base of image DWORD AddressOfNames; // RVA from base of image DWORD AddressOfNameOrdinals; // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; 1)Characteristics ֵΪ0. 2)TimeDateStamp ļɵʱ. 3)MajorVersion 4)MinorVersion 汾Ϣ.Ϊ0. 5)Name peļֵRVA. 6)Base ŵĿʼֵ. 7)NumberOfFunctions AddressOfFunctions Ԫصĸ.ֵǵеĸ. 8)NumberOfNames ĺĸ. 9)AddressOfFunctions һRVA,ָһɺַɵ.ÿһַDZģеһڵַ. 10)AddressOfNames һRVA,ָһַָɵ,ÿַDZģĺ. 11)AddressOfNameOrdinals һRVA,ָһword͵,wordDZģ. һdll,ֱ: 1 "myfun1" 2 3 "myfun2" Ϊ2ĺֻͨŵ.ͼʾ: IMAGE_EXPORT_DIRECTORY ַ |---------------------------| |------->|------------------| | Characteristics | | | 0x400042"myfun1" | |---------------------------| | |------------------| | ...... | | | 0x400085 | |---------------------------| | |------------------| | NumberOfFunctions = 3 | | | 0x400197"myfun2" | |---------------------------| | |------------------| | NumberOfNames = 2 | | |---------------------------| | | AddressOfFunctions |--| |----->|------------| |---------------------------| | | 0xXXXXXXXX |->"myfun1" | AddressOfNames |----| |------------| |---------------------------| | 0xXXXXXXXX |->"myfun2" | AddressOfNameOrdinals |----| |------------| |---------------------------| | | Ƶַ |----->|-----------| | 1 | |-----------| | 3 | |-----------| һpeسĹ.֪"myfun2",ôسȱ,ҵƥĺ"myfun2"."myfun2"ں2,ԼغںƵַĵڶԪȡúںַ3,ȻسͻںַĵԪȡúڵַ0x400197. ƵĹ. ŵַ,ǽ.سֱںַȡڵַ.Կ,ŵƵ,ŵַά.ЩapiڲͬϵͳϵŲͬ.Ƽʹ. イBaseΪ1ʱ,Base1,ȡúںַе,ֵȥBaseͿԵõںַеƫֵ. pe֪ʶѧϰ()-- һһpeļеضλ. ضλĸ.˵,ΪӺһЩߺûתָʹ˾Եַ,װسܰpeӳװԤĵַ(ImageBase)ʱ,ôЩԵַҪ.ʵĵַ. 
exeļһ㲻Ҫضλ,ΪÿexeļӳԼĵַռ,ܱӳ䵽Ԥĵַ.dllļһӳ䵽exeļĵַռ.dllļԤַͻʱ,Ͳܱ֤ᱻӳ䵽Ԥĵַ.dllļһ㶼Ҫضλ. ôضλʵֵ? peļһṹһضλ: typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; DWORD SizeOfBlock; // WORD TypeOffset[1]; } IMAGE_BASE_RELOCATION; 1)VirtualAddress ضλʼRVAֵ,ڽṹƫֵҪֵһҪضλݵRVAֵ. Ϊ0,һϵضλĽ. 2)SizeOfBlock ضλĴС. 3)TypeOffset[1] һWORD͵.Ԫظ(SizeOfBlock - 8 ) \ 2 õ.ÿԪصĵ12λһƫֵ,ƫֵVirtualAddressҪݵRVAֵ.4λƫֵ.Ͷ: #define IMAGE_REL_BASED_ABSOLUTE 0 #define IMAGE_REL_BASED_HIGH 1 #define IMAGE_REL_BASED_LOW 2 #define IMAGE_REL_BASED_HIGHLOW 3 #define IMAGE_REL_BASED_HIGHADJ 4 #define IMAGE_REL_BASED_MIPS_JMPADDR 5 #define IMAGE_REL_BASED_SECTION 6 #define IMAGE_REL_BASED_REL32 7 #define IMAGE_REL_BASED_MIPS_JMPADDR16 9 #define IMAGE_REL_BASED_IA64_IMM64 9 #define IMAGE_REL_BASED_DIR64 10 #define IMAGE_REL_BASED_HIGH3ADJ 11 кintelcpuйصֻ.Ķi386cpu. 0 (IMAGE_REL_BASED_ABSOLUTE):ƫֵ.ֻΪʹضλĴСλDWORD. 3 (IMAGE_REL_BASED_HIGHLOW): Ѹƫֵ VirtualAddressҪݵRVAֵ. WORDֻе12λʾƫֵ,һضλֻһҳ(4k).Ҫضλݳ4k,ôһpeļжضλ. س:IMAGE_OPTIONAL_HEADER.ImageBaseֵΪ0x400000,ʵpeӳصĵַΪ0x500000,ʵʼصĵַԤĸ0x100000,ôҪݶᱻ0x100000. ˵ҪָǰᵽıľԵַ͵ûתָﺬеľԵַ. pe֪ʶѧϰһ.ϣЩܰ˽peļĴ֪ʶ.ϸڵ֪ʶԵmsdn.ҵˮƽ,ָܹ֮.ҽʤм. |
4楼 2006-08-26 09:32:35












