编写模版文件obj.bt
obj文件:
Obj就是目标文件,是你的源程序经过编译程序编译后生成的,它不能直接执行,需要链接程序链接后才能生成可执行文件,这样就能执行了。
步骤:
1.分析obj文件的结构
2.根据obj结构编写脚本
使用 SDK 自带的工具 dumpbin.exe 可以把 obj 文件转换成可读的 txt 文本形式
命令:
dumpbin /all xxx.obj > obj.txt
文件结构体的布局
文件头部
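// COFF file header: the first 20 bytes of an .obj file. Everything else in
// the file is located through the offsets/counts stored here, so a parser
// must treat them as untrusted input (bounds-check before seeking).
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine <format=hex,comment="the cpu x86">;   // IMAGE_FILE_MACHINE_* value
    WORD NumberOfSections;                              // count of IMAGE_SECTION_HEADER entries that follow
    DWORD TimeDateStamp <format=hex>;                   // build timestamp (low 32 bits of time_t per PE/COFF)
    DWORD PointerToSymbolTable <format=hex>;            // file offset of the IMAGE_SYMBOL array (0 = none)
    DWORD NumberOfSymbols;                              // number of IMAGE_SYMBOL entries (aux records included)
    WORD SizeOfOptionalHeader;                          // 0 for object files
    WORD Characteristics <format=hex>;                  // fixed: a stray ';' before <format=hex> left the attribute orphaned
}IMAGE_FILE_HEADER;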
dump文件

文件头之后紧跟着区段头
区段结构体
typedef struct _IMAGE_SECTION_HEADER { // one entry per NumberOfSections, directly after the file header
BYTE Name[8]; // 8-byte section name; need not be NUL-terminated
union {
DWORD PhysicalAddress;
DWORD VirtualSize <format=hex>;
} Misc; // not used in obj file
DWORD VirtualAddress <format=hex>;
DWORD SizeOfRawData <format=hex>; // byte size of the section data at PointerToRawData
DWORD PointerToRawData <format=hex>; // file offset of the section data
DWORD PointerToRelocations <format=hex>; // file offset of this section's IMAGE_RELOCATION records (0 = none)
DWORD PointerToLinenumbers <format=hex>;
WORD NumberOfRelocations <format=hex>; // record count; 0xFFFF with IMAGE_SCN_LNK_NRELOC_OVFL set means the true count is in the first record
WORD NumberOfLinenumbers <format=hex>;
SECTION_CHARACTERISTICS Characteristics <format=hex>; // flag bits, see SECTION_CHARACTERISTICS below
}IMAGE_SECTION_HEADER;

接着就是重定位数据,每个区段的重定位数据在文件中的偏移由区段头的PointerToRelocations字段给出
重定位结构体
typedef struct _IMAGE_RELOCATION { // one 10-byte record per relocation, stored per section
union {
DWORD VirtualAddress; // location inside the section that the linker patches
DWORD RelocCount; // only meaningful in the first record when IMAGE_SCN_LNK_NRELOC_OVFL is set: the real record count
}M;
DWORD SymbolTableIndex; // index into the symbol table
WORD Type; // machine-specific IMAGE_REL_* relocation type
}IMAGE_RELOCATION;

接下来是符号表
// Symbol table entry (18 bytes). NumberOfAuxSymbols aux records of the same
// size follow an entry and are not decoded by this layout.
typedef struct _IMAGE_SYMBOL {
union {
BYTE ShortName[8]; // name inline when it fits in 8 bytes (no NUL required)
struct {
DWORD Short; // if 0, use LongName
DWORD Long; // offset into string table
} Name;
DWORD LongName[2]; // same 8 bytes as two DWORDs: [0]==0 means [1] is the string-table offset
}N;
DWORD Value; // meaning depends on SectionNumber/StorageClass
SHORT SectionNumber; // 1-based section index; 0 / negative values are special (undefined, absolute, debug)
WORD Type;
BYTE StorageClass;
BYTE NumberOfAuxSymbols; // aux records that follow this entry
} IMAGE_SYMBOL;


最后是一个字符串表(string table),
字符表结构
typedef struct _STRIMG_TABLE{ // illustrative layout only; the parsing version is further below
DWORD Tabsize <format=hex>; // total byte size of the table (per PE/COFF this count includes these 4 bytes), not a string count
char str[xxx]; // NUL-terminated strings back to back; "xxx" is a placeholder, the real length varies
}STRIMG_TABLE;
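//区段属性 — section flags, one bit per IMAGE_SCN_* value, least-significant bit first
// (32 bits total, matching the DWORD Characteristics field of IMAGE_SECTION_HEADER).
typedef struct
{
    ULONG IMAGE_SCN_TYPE_DSECT:1 <hidden=true,comment="0x00000001 Reserved">;
    ULONG IMAGE_SCN_TYPE_NOLOAD:1 <hidden=true,comment="0x00000002 Reserved">;
    ULONG IMAGE_SCN_TYPE_GROUP:1 <hidden=true,comment="0x00000004 Reserved">;
    ULONG IMAGE_SCN_TYPE_NO_PAD:1 <comment="0x00000008 Reserved">;
    ULONG IMAGE_SCN_TYPE_COPY:1 <hidden=true,comment="0x00000010 Reserved">;
    ULONG IMAGE_SCN_CNT_CODE:1 <comment="0x00000020 Section contains code">;
    ULONG IMAGE_SCN_CNT_INITIALIZED_DATA:1 <comment="0x00000040 Section contains initialized data">;
    ULONG IMAGE_SCN_CNT_UNINITIALIZED_DATA:1 <comment="0x00000080 Section contains uninitialized data">;
    ULONG IMAGE_SCN_LNK_OTHER:1 <comment="0x00000100 Reserved">;
    ULONG IMAGE_SCN_LNK_INFO:1 <comment="0x00000200 Section contains comments or some other type of information">;
    ULONG IMAGE_SCN_TYPE_OVER:1 <hidden=true,comment="0x00000400 Reserved">;
    ULONG IMAGE_SCN_LNK_REMOVE:1 <comment="0x00000800 Section contents will not become part of image">;
    ULONG IMAGE_SCN_LNK_COMDAT:1 <comment="0x00001000 Section contents comdat">;
    ULONG :1 <comment="0x00002000 Reserved">;
    ULONG IMAGE_SCN_NO_DEFER_SPEC_EXC:1 <hidden=true,comment="0x00004000 Reset speculative exceptions handling bits in the TLB entries for this section.">;
    ULONG IMAGE_SCN_GPREL:1 <comment="0x00008000 Section content can be accessed relative to GP">;
    ULONG IMAGE_SCN_MEM_SYSHEAP:1 <hidden=true,comment="0x00010000 Obsolete">;
    ULONG IMAGE_SCN_MEM_16BIT:1 <comment="0x00020000">;
    ULONG IMAGE_SCN_MEM_LOCKED:1 <comment="0x00040000 ">;
    ULONG IMAGE_SCN_MEM_PRELOAD:1 <comment="0x00080000">;
    // Bits 20-23 (mask 0x00F00000) are a 4-bit alignment *code*, not four
    // independent flags: value n means 2^(n-1) bytes (1=1, 2=2, 3=4, 4=8,
    // 5=16 ... 8=128, up to 14=8192); 0 means "use default". The original
    // template named the bits ALIGN_1/2/8/128BYTES, which misreads e.g. the
    // common 0x00300000 (4-byte alignment) as "1-byte + 2-byte".
    ULONG IMAGE_SCN_ALIGN:4 <comment="0x00F00000 alignment code: 2^(n-1) bytes, 0 = default">;
    ULONG IMAGE_SCN_LNK_NRELOC_OVFL:1 <comment="0x01000000 Section contains extended relocations">;
    ULONG IMAGE_SCN_MEM_DISCARDABLE:1 <comment="0x02000000 Section can be discarded.">;
    ULONG IMAGE_SCN_MEM_NOT_CACHED:1 <comment="0x04000000 Section is not cachable">;
    ULONG IMAGE_SCN_MEM_NOT_PAGED:1 <comment="0x08000000 Section is not pageable.">;
    ULONG IMAGE_SCN_MEM_SHARED:1 <comment="0x10000000 Section is shareable">;
    ULONG IMAGE_SCN_MEM_EXECUTE:1 <comment="0x20000000 Section is executable">;
    ULONG IMAGE_SCN_MEM_READ:1 <comment="0x40000000 Section is readable">;
    ULONG IMAGE_SCN_MEM_WRITE:1 <comment="0x80000000 Section is writeable">;
}SECTION_CHARACTERISTICS;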
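//文件头部coff — COFF file header, the first 20 bytes of the .obj.
// All later structures are found via the offsets/counts stored here, which
// come straight from the file: bounds-check them before seeking.
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine <format=hex,comment="the cpu x86">;   // IMAGE_FILE_MACHINE_* value
    WORD NumberOfSections;                              // count of IMAGE_SECTION_HEADER entries that follow
    DWORD TimeDateStamp <format=hex>;                   // build timestamp (low 32 bits of time_t per PE/COFF)
    DWORD PointerToSymbolTable <format=hex>;            // file offset of the IMAGE_SYMBOL array (0 = none)
    DWORD NumberOfSymbols;                              // number of IMAGE_SYMBOL entries (aux records included)
    WORD SizeOfOptionalHeader;                          // 0 for object files
    WORD Characteristics <format=hex>;                  // fixed: a stray ';' before <format=hex> left the attribute orphaned
}IMAGE_FILE_HEADER;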
//区段信息 — section header, one per NumberOfSections, directly after the file header
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[8]; // 8-byte section name; need not be NUL-terminated
union {
DWORD PhysicalAddress;
DWORD VirtualSize <format=hex>;
} Misc; // not used in obj file
DWORD VirtualAddress <format=hex>;
DWORD SizeOfRawData <format=hex>; // byte size of the section data at PointerToRawData
DWORD PointerToRawData <format=hex>; // file offset of the section data
DWORD PointerToRelocations<format=hex>; // file offset of this section's IMAGE_RELOCATION records (0 = none); used by ParseBaseReloc
DWORD PointerToLinenumbers<format=hex>;
WORD NumberOfRelocations <format=hex>; // record count; 0xFFFF with IMAGE_SCN_LNK_NRELOC_OVFL set means the true count is in the first record
WORD NumberOfLinenumbers <format=hex>;
SECTION_CHARACTERISTICS Characteristics <format=hex>; // flag bits, see SECTION_CHARACTERISTICS
}IMAGE_SECTION_HEADER;
//重定位信息 — relocation record (10 bytes), declared per section by ParseBaseReloc
typedef struct _IMAGE_RELOCATION(string s ) {
local string sec_name =s; // name of the owning section, passed in by ParseBaseReloc and shown through rename()
union {
DWORD VirtualAddress; // location inside the section that the linker patches
DWORD RelocCount; // only meaningful in the first record when IMAGE_SCN_LNK_NRELOC_OVFL is set: the real record count (not handled by ParseBaseReloc)
}M;
DWORD SymbolTableIndex; // index into symbol_header
WORD Type; // machine-specific IMAGE_REL_* relocation type
}IMAGE_RELOCATION;
//符号表信息 — symbol table entry (18 bytes). NumberOfAuxSymbols aux records of
// the same size follow an entry; they are read as plain IMAGE_SYMBOL entries here.
typedef struct _IMAGE_SYMBOL {
union {
BYTE ShortName[8]; // name inline when it fits in 8 bytes (no NUL required)
struct {
DWORD Short; // if 0, use LongName
DWORD Long; // offset into string table
} Name;
DWORD LongName[2]; // same 8 bytes as two DWORDs: [0]==0 means [1] is the string-table offset
}N;
DWORD Value; // meaning depends on SectionNumber/StorageClass
SHORT SectionNumber; // 1-based section index; 0 / negative values are special (undefined, absolute, debug)
WORD Type;
BYTE StorageClass;
BYTE NumberOfAuxSymbols; // aux records that follow this entry
} IMAGE_SYMBOL;
//字符串表信息 — one NUL-terminated string of the string table
typedef struct _PARSESTRING{
char str[]; // NOTE(review): relies on 010 Editor reading an unsized char[] up to the NUL — confirm on your version
}PARSESTRING;
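//字符串表信息 — string table, located directly after the symbol table.
// Tabsize counts the whole table including the 4-byte size field itself
// (PE/COFF spec), so the byte cursor starts at 4. The original loop added
// Strlen()+1 in the body *and* did i++ in the for-header, drifting one byte
// per string: it could stop before the last strings or read past the table
// (and past EOF on a small file).
typedef struct _STRIMG_TABLE{          // misspelt name kept: referenced as a type at file scope
    DWORD Tabsize <format=hex>;        // total size of the table in bytes, not a string count
    local int i = 4;                   // bytes consumed so far, Tabsize field included
    while (i < Tabsize && !FEof())     // FEof guard: Tabsize comes from the file and may lie
    {
        PARSESTRING s_str;             // one NUL-terminated string
        i += Strlen(s_str.str) + 1;    // +1 for the terminator
    }
}STRIMG_TABLE;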
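//解析重定位表信息 — parse the relocation records of every section.
// Reads file_header / section_header (declared at file scope below). For each
// section with a non-zero PointerToRelocations it seeks there and declares
// NumberOfRelocations IMAGE_RELOCATION records (the original declared only
// the first record of each section). Offsets are taken from the file being
// parsed, so they are checked against FileSize() before seeking rather than
// letting a crafted header abort the whole template.
void ParseBaseReloc()
{
    local int i;
    local int j;
    local int count;
    local string szName = "";
    for (i = 0; i < file_header.NumberOfSections; i++)
    {
        if (section_header[i].PointerToRelocations == 0)
            continue;                                   // no relocations for this section
        if (section_header[i].PointerToRelocations >= FileSize())
        {
            Warning("section %d: PointerToRelocations is outside the file", i);
            continue;
        }
        FSeek(section_header[i].PointerToRelocations);
        SPrintf(szName, "%s\n", section_header[i].Name);
        count = section_header[i].NumberOfRelocations;
        // NOTE(review): when IMAGE_SCN_LNK_NRELOC_OVFL is set, NumberOfRelocations
        // is 0xFFFF and the true count is in the first record's RelocCount; that
        // case is not handled here (same as the original).
        for (j = 0; j < count; j++)
        {
            // Re-declaring the same name builds an array of records in 010 Editor.
            IMAGE_RELOCATION record(szName) <comment=rename>;
        }
    }
}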
// Comment callback for IMAGE_RELOCATION: labels the record with the name of
// the section it belongs to (stored in sec_name by ParseBaseReloc).
string rename(IMAGE_RELOCATION& rec)
{
    local string owner = rec.sec_name;
    return owner;
}
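//----------------code-------------
//开启小端 — COFF object files are little-endian
LittleEndian();
IMAGE_FILE_HEADER file_header;
// Section headers follow the file header directly (an .obj has no optional header).
IMAGE_SECTION_HEADER section_header[file_header.NumberOfSections];
//section data / relocations — ParseBaseReloc moves the file cursor around
ParseBaseReloc();
// The symbol table lives at PointerToSymbolTable, not at wherever the last
// relocation left the cursor, so seek explicitly; the original declared
// symbol_header at the current position and only worked when the layout
// happened to be contiguous. The pointer and count are untrusted file data.
if (file_header.PointerToSymbolTable != 0 && file_header.NumberOfSymbols > 0)
{
    if (file_header.PointerToSymbolTable >= FileSize())
        Warning("PointerToSymbolTable is outside the file");
    else
    {
        FSeek(file_header.PointerToSymbolTable);
        IMAGE_SYMBOL symbol_header[file_header.NumberOfSymbols];
        // The string table follows the symbol table immediately (18 bytes per symbol),
        // so the cursor is already in place.
        STRIMG_TABLE stringtable;
    }
}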
部分代码参考网上的代码。
010 Editor 提供了很多函数和示例,可以到官网获取。
22cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4%4k6h3g2@1M7$3y4S2M7r3g2Q4x3X3g2U0L8$3#2Q4x3V1j5H3x3e0m8W2k6r3W2@1L8%4u0Q4x3V1k6@1k6h3#2H3L8r3q4@1k6i4y4Q4x3X3g2Z5N6r3#2D9
