[Old post] [Recommended] AV evasion: a study of PE structure offsets
Posted on: 2010-3-31 21:13
While there is a lot of data, and various parts of the structure sit at varying positions, there are still many useful fixed and relative offsets that help when disassembling or examining PE files. Resource information and the like are omitted; there are good tools for manipulating those, e.g. ResHacker.
The DOS Header
OFFSET SIZE NAME EXPLANATION
00 WORD e_magic Magic DOS signature MZ (4Dh 5Ah)
02 WORD e_cblp Bytes on last page of file
04 WORD e_cp Pages in file
06 WORD e_crlc Relocations
08 WORD e_cparhdr Size of header in paragraphs
0A WORD e_minalloc Minimum extra paragraphs needed
0C WORD e_maxalloc Maximum extra paragraphs needed
0E WORD e_ss Initial (relative) SS value
10 WORD e_sp Initial SP value
12 WORD e_csum Checksum
14 WORD e_ip Initial IP value
16 WORD e_cs Initial (relative) CS value
18 WORD e_lfarlc File address of relocation table
1A WORD e_ovno Overlay number
1C WORD e_res[4] Reserved words
24 WORD e_oemid OEM identifier (for e_oeminfo)
26 WORD e_oeminfo OEM information; e_oemid specific
28 WORD e_res2[10] Reserved words
3C DWORD e_lfanew Offset to start of PE header
The PE Header
Offsets shown are from the beginning of this section.
00 DWORD Signature PE Signature PE.. (50h 45h 00h 00h)
04 WORD Machine 014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS
06 WORD NumberOfSections Number Of Sections
08 DWORD TimeDateStamp Date & time image was created by the linker
0C DWORD PointerToSymbolTable Zero or offset of COFF symbol table in older files
10 DWORD NumberOfSymbols Number of symbols in COFF symbol table
14 WORD SizeOfOptionalHeader Size of optional header in bytes (224 in 32bit exe)
16 WORD Characteristics see below
18 ********** START OF OPTIONAL HEADER **************************************
18 WORD Magic 010Bh=32-bit executable image
020Bh=64-bit executable image
0107h=ROM image
1A BYTE MajorLinkerVersion Major version number of the linker
1B BYTE MinorLinkerVersion Minor version number of the linker
1C DWORD SizeOfCode size of code section or sum if multiple code sections
20 DWORD SizeOfInitializedData as above
24 DWORD SizeOfUninitializedData as above
28 DWORD AddressOfEntryPoint Start of code execution, optional for DLLs, zero when none present
2C DWORD BaseOfCode RVA of first byte of code when loaded into RAM
30 DWORD BaseOfData RVA of first byte of data when loaded into RAM
34 DWORD ImageBase Preferred load address
38 DWORD SectionAlignment Alignment of sections when loaded in RAM
3C DWORD FileAlignment Alignment of sections in file on disk
40 WORD MajorOperatingSystemVersion Major version no. of required operating system
42 WORD MinorOperatingSystemVersion Minor version no. of required operating system
44 WORD MajorImageVersion Major version number of the image
46 WORD MinorImageVersion Minor version number of the image
48 WORD MajorSubsystemVersion Major version number of the subsystem
4A WORD MinorSubsystemVersion Minor version number of the subsystem
4C DWORD Reserved1
50 DWORD SizeOfImage Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
54 DWORD SizeOfHeaders Offset of first section, multiple of FileAlignment
58 DWORD CheckSum Image checksum (only required for kernel-mode drivers and some system DLLs).
5C WORD Subsystem 0002h=Windows GUI, 0003h=console
5E WORD DllCharacteristics 0001h=per-process library initialization
0002h=per-process library termination
0003h=per-thread library initialization
0004h=per-thread library termination
60 DWORD SizeOfStackReserve Number of bytes reserved for the stack
64 DWORD SizeOfStackCommit Number of bytes actually used for the stack
68 DWORD SizeOfHeapReserve Number of bytes to reserve for the local heap
6C DWORD SizeOfHeapCommit Number of bytes actually used for local heap
70 DWORD LoaderFlags This member is obsolete.
74 DWORD NumberOfRvaAndSizes Number of directory entries.
78 ********** START OF DATADIRECTORY **************************************
78 DWORD IMAGE_DATA_DIRECTORY0 RVA of Export Directory
7C DWORD size of Export Directory
80 DWORD IMAGE_DATA_DIRECTORY1 RVA of Import Directory (array of IIDs)
84 DWORD size of Import Directory (array of IIDs)
88 DWORD IMAGE_DATA_DIRECTORY2 RVA of Resource Directory
8C DWORD size of Resource Directory
90 DWORD IMAGE_DATA_DIRECTORY3 RVA of Exception Directory
94 DWORD size of Exception Directory
98 DWORD IMAGE_DATA_DIRECTORY4 Raw Offset of Security Directory
9C DWORD size of Security Directory
A0 DWORD IMAGE_DATA_DIRECTORY5 RVA of Base Relocation Directory
A4 DWORD size of Base Relocation Directory
A8 DWORD IMAGE_DATA_DIRECTORY6 RVA of Debug Directory
AC DWORD size of Debug Directory
B0 DWORD IMAGE_DATA_DIRECTORY7 RVA of Copyright Note
B4 DWORD size of Copyright Note
B8 DWORD IMAGE_DATA_DIRECTORY8 RVA to be used as Global Pointer (IA-64 only)
BC DWORD Not used
C0 DWORD IMAGE_DATA_DIRECTORY9 RVA of Thread Local Storage Directory
C4 DWORD size of Thread Local Storage Directory
C8 DWORD IMAGE_DATA_DIRECTORY10 RVA of Load Configuration Directory
CC DWORD size of Load Configuration Directory
D0 DWORD IMAGE_DATA_DIRECTORY11 RVA of Bound Import Directory
D4 DWORD size of Bound Import Directory
D8 DWORD IMAGE_DATA_DIRECTORY12 RVA of first Import Address Table
DC DWORD total size of all Import Address Tables
E0 DWORD IMAGE_DATA_DIRECTORY13 RVA of Delay Import Directory
E4 DWORD size of Delay Import Directory
E8 DWORD IMAGE_DATA_DIRECTORY14 RVA of COM Header (top level info & metadata...
EC DWORD size of COM Header ...in .NET executables)
F0 DWORD ZERO (Reserved) Reserved
F4 DWORD ZERO (Reserved) Reserved
F8 ********** START OF SECTION TABLE *******Offsets shown from here********
00 8 Bytes Name1 Name of first section header
08 DWORD misc (VirtualSize) Actual size of data in section
0C DWORD virtual address RVA where section begins in memory
10 DWORD SizeOfRawData Size of data on disk (multiple of FileAlignment)
14 DWORD pointerToRawData Raw offset of section on disk
18 DWORD pointerToRelocations Start of relocation entries for section, zero if none
1C DWORD PointerToLinenumbers Start of line-no. entries for section, zero if none
20 WORD NumberOfRelocations This value is zero for executable images.
22 WORD NumberOfLineNumbers Number of line-number entries for section.
24 DWORD Characteristics see end of page below
00 8 Bytes Name1 Name of second section header
********** Repeats for rest of sections **************************************
The Export Table
Offsets shown from the beginning of the table (given at offset 78 from the start of the PE header). The following 40 bytes repeat for each export library (DLL whose functions are imported by the executable) and end with one full of zeroes.
OFFSET SIZE NAME EXPLANATION
00 DWORD Characteristics Set to zero (currently none defined)
04 DWORD TimeDateStamp often set to zero
08 WORD MajorVersion user-defined version number, otherwise zero
0A WORD MinorVersion as above
0C DWORD Name RVA of DLL name in null-terminated ASCII
10 DWORD Base First valid exported ordinal, normally=1
14 DWORD NumberOfFunctions Number of entries in EAT
18 DWORD NumberOfNames Number of entries in ENT
1C DWORD AddressOfFunctions RVA of EAT (export address table)
20 DWORD AddressOfNames RVA of ENT (export name table)
24 DWORD AddressOfNameOrdinals RVA of EOT (export ordinal table)
The Import Table
Offsets shown from the beginning of the table (given at offset 80 from the start of the PE header). The following 5 DWORDs repeat for each import library (DLL whose functions are imported by the executable) and end with one full of zeroes.
OFFSET SIZE NAME EXPLANATION
00 DWORD OriginalFirstThunk RVA to Image_Thunk_Data
04 DWORD TimeDateStamp zero unless bound against imported DLL
08 DWORD ForwarderChain pointer to 1st redirected function (or 0)
0C DWORD Name1 RVA to name in null-terminated ASCII
10 DWORD FirstThunk RVA to Image_Thunk_Data
Image Characteristics Flags
FLAG EXPLANATION
0001 Relocation info stripped from file
0002 File is executable (no unresolved external references)
0004 Line numbers stripped from file
0008 Local symbols stripped from file
0010 Lets OS aggressively trim working set
0020 App can handle >2Gb addresses
0080 Low bytes of machine word are reversed
0100 requires 32-bit WORD machine
0200 Debugging info stripped from file into .DBG file
0400 If image is on removable media, copy and run from swap file
0800 If image is on a network, copy and run from swap file
1000 System file
2000 File is a DLL
4000 File should only be run on a single-processor machine
8000 High bytes of machine word are reversed
Section Characteristics Flags
FLAG EXPLANATION
00000008 Section should not be padded to next boundary
00000020 Section contains code
00000040 Section contains initialised data (which will become initialised with real values before the file is launched)
00000080 Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200 Section contains comments for the linker
00000800 Section contents will not become part of image
00001000 Section contents comdat (Common Block Data)
00008000 Section contents cannot be accessed relative to GP
00100000 to 00800000 Boundary alignment settings
01000000 Section contains extended relocations
02000000 Section can be discarded (e.g. .reloc)
04000000 Section is not cacheable
08000000 Section is pageable
10000000 Section is shareable
20000000 Section is executable
40000000 Section is readable
80000000 Section is writable
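An added example (not from the original post) that walks the offsets tabulated above in Python: MZ at 00, e_lfanew at 3C, the PE signature, the COFF fields, the 32-bit optional header, the data directories at 78h and the section table, then maps an RVA to a raw file offset through the section that owns it. The image it parses is constructed inline (a header-only stand-in, not a real program), and the signature and bounds checks are the ones an analysis tool applies before trusting any header value.

```python
import struct

def parse_pe(data):
    """Walk DOS header -> PE header -> optional header -> section table of a 32-bit image."""
    if data[:2] != b"MZ":                                    # e_magic at 00
        raise ValueError("DOS header: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew at 3C
    if pe + 0x18 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature inside the file")
    machine, nsections = struct.unpack_from("<HH", data, pe + 0x04)
    opt_size, chars = struct.unpack_from("<HH", data, pe + 0x14)
    if struct.unpack_from("<H", data, pe + 0x18)[0] != 0x10B:  # Magic
        raise ValueError("only 010Bh (32-bit) optional headers are handled here")
    entry, _code, _data, image_base, sect_align, file_align = struct.unpack_from("<6I", data, pe + 0x28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, pe + 0x50)
    ndirs = struct.unpack_from("<I", data, pe + 0x74)[0]
    dirs = [struct.unpack_from("<II", data, pe + 0x78 + 8 * i) for i in range(min(ndirs, 16))]
    # The section table follows the optional header; F8h only holds when SizeOfOptionalHeader is E0h.
    sections = []
    for i in range(nsections):
        off = pe + 0x18 + opt_size + i * 0x28               # 28h bytes per IMAGE_SECTION_HEADER
        if off + 0x28 > len(data):
            raise ValueError("section table runs past end of file")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, off + 0x08)
        flags = struct.unpack_from("<I", data, off + 0x24)[0]
        sections.append(dict(name=name, vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, flags=flags))
    return dict(machine=machine, characteristics=chars, entry=entry, image_base=image_base,
                section_alignment=sect_align, file_alignment=file_align, size_of_image=size_of_image,
                size_of_headers=size_of_headers, data_directories=dirs, sections=sections)

def rva_to_file_offset(hdr, rva):
    """Map an RVA to its raw file offset through the owning section; None if not backed by file data."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None  # past raw data: zero-filled in memory only
    return None

def build_sample_pe():
    """Constructed minimal image for the demo (not a real program): two sections, no imports."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, exe + 32-bit
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)
    struct.pack_into("<6I", opt, 0x10, 0x1010, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # entry .. FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)               # NumberOfRvaAndSizes
    def sect(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8s4IIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    hdrs = bytes(dos) + coff + bytes(opt) + sect(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020) \
        + sect(b".data", 0x40, 0x2000, 0x200, 0x400, 0xC0000040)
    return hdrs.ljust(0x200, b"\0") + b"\x90" * 0x200 + b"\0" * 0x200  # headers, .text, .data
```

Run `parse_pe(open(path, "rb").read())` on a real 32-bit file to dump the same fields; 64-bit images use Magic 020Bh and a differently laid-out optional header, which this reader deliberately rejects.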