
[原创]PE知识汇总

2020-9-20 18:49

VA(虚拟地址) = ImageBase(基地址) + RVA(相对虚拟地址)

结构:

IMAGE_FILE_HEADER

IMAGE_OPTIONAL_HEADER

区块表紧跟在IMAGE_NT_HEADER之后,是一个IMAGE_SECTION_HEADER结构数组,每个项包括了它所关联的区块信息。区块数目由IMAGE_NT_HEADER.FileHeader.NumberOfSections指出。

注:第一个块表项的地址=OpHeader(OptionalHeader位置)+SizeOfOptionalHeader

结构:

常见区块
img
img
img

实例(以.text块为例)
图片描述
图片描述

// IMAGE_DOS_HEADER: the legacy MS-DOS stub header at file offset 0.
// The left column is each field's offset (hex) within this header. For PE
// parsing only e_magic and e_lfanew matter; the rest belongs to the DOS stub.
IMAGE_DOS_HEADER STRUCT
 
  {
  +0h WORD e_magic            // DOS executable signature: 0x5A4D ("MZ")
  +2h WORD  e_cblp           
  +4h WORD  e_cp
  +6h WORD  e_crlc
  +8h WORD  e_cparhdr
  +0ah WORD  e_minalloc
  +0ch WORD  e_maxalloc
  +0eh WORD  e_ss
  +10h WORD  e_sp
  +12h WORD  e_csum
  +14h WORD  e_ip
  +16h WORD  e_cs
  +18h WORD  e_lfarlc
  +1ah WORD  e_ovno
  +1ch WORD  e_res[4]
  +24h WORD  e_oemid
  +26h WORD  e_oeminfo
  +29h WORD  e_res2[10]       // offset as written in the listing; e_oeminfo is a WORD at +26h,
                              // so e_res2 actually begins at +28h (10 WORDs = 20 bytes, ending at +3ch)
  +3ch DWORD e_lfanew        // file offset of the PE header (IMAGE_NT_HEADERS)
                             // NOTE(review): for an untrusted file, range-check e_lfanew against the
                             // file size before reading the NT headers through it
} IMAGE_DOS_HEADER ENDS
// IMAGE_DOS_HEADER: the legacy MS-DOS stub header at file offset 0.
// The left column is each field's offset (hex) within this header. For PE
// parsing only e_magic and e_lfanew matter; the rest belongs to the DOS stub.
IMAGE_DOS_HEADER STRUCT
 
  {
  +0h WORD e_magic            // DOS executable signature: 0x5A4D ("MZ")
  +2h WORD  e_cblp           
  +4h WORD  e_cp
  +6h WORD  e_crlc
  +8h WORD  e_cparhdr
  +0ah WORD  e_minalloc
  +0ch WORD  e_maxalloc
  +0eh WORD  e_ss
  +10h WORD  e_sp
  +12h WORD  e_csum
  +14h WORD  e_ip
  +16h WORD  e_cs
  +18h WORD  e_lfarlc
  +1ah WORD  e_ovno
  +1ch WORD  e_res[4]
  +24h WORD  e_oemid
  +26h WORD  e_oeminfo
  +29h WORD  e_res2[10]       // offset as written in the listing; e_oeminfo is a WORD at +26h,
                              // so e_res2 actually begins at +28h (10 WORDs = 20 bytes, ending at +3ch)
  +3ch DWORD e_lfanew        // file offset of the PE header (IMAGE_NT_HEADERS)
                             // NOTE(review): for an untrusted file, range-check e_lfanew against the
                             // file size before reading the NT headers through it
} IMAGE_DOS_HEADER ENDS
// IMAGE_NT_HEADERS32: the PE header proper, found at the file offset given by
// IMAGE_DOS_HEADER.e_lfanew. The left column is the offset from the start of
// this structure.
typedef struct _IMAGE_NT_HEADERS {
+00h    DWORD Signature; // fixed 0x00004550; stored little-endian, so the file bytes read "PE\0\0"
+04h    IMAGE_FILE_HEADER FileHeader;
+18h    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // PE32 (32-bit) variant; its size is FileHeader.SizeOfOptionalHeader
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
// IMAGE_NT_HEADERS32: the PE header proper, found at the file offset given by
// IMAGE_DOS_HEADER.e_lfanew. The left column is the offset from the start of
// this structure.
typedef struct _IMAGE_NT_HEADERS {
+00h    DWORD Signature; // fixed 0x00004550; stored little-endian, so the file bytes read "PE\0\0"
+04h    IMAGE_FILE_HEADER FileHeader;
+18h    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // PE32 (32-bit) variant; its size is FileHeader.SizeOfOptionalHeader
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
// IMAGE_FILE_HEADER (the COFF header). The offsets in the left column are
// relative to the start of IMAGE_NT_HEADERS (this struct sits at +04h, right
// after Signature), not to the start of this struct.
typedef struct _IMAGE_FILE_HEADER {
+04h    WORD          Machine;              // target platform (CPU architecture)
+06h    WORD          NumberOfSections;     // number of entries in the section table
                                            // NOTE(review): when parsing an untrusted file, bound
                                            // NumberOfSections * sizeof(IMAGE_SECTION_HEADER) against
                                            // the header/file size before walking the section table
+08h    DWORD         TimeDateStamp;        // file creation date and time
+0Ch    DWORD         PointerToSymbolTable; // file offset of the symbol table (mainly used for debugging)
+10h    DWORD         NumberOfSymbols;      // number of symbols in that table (same use as above)
+14h    WORD          SizeOfOptionalHeader; // size of IMAGE_OPTIONAL_HEADER32; the section table starts
                                            // at OptionalHeader + SizeOfOptionalHeader
+16h    WORD          Characteristics;      // file attributes
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
// IMAGE_FILE_HEADER (the COFF header). The offsets in the left column are
// relative to the start of IMAGE_NT_HEADERS (this struct sits at +04h, right
// after Signature), not to the start of this struct.
typedef struct _IMAGE_FILE_HEADER {
+04h    WORD          Machine;              // target platform (CPU architecture)
+06h    WORD          NumberOfSections;     // number of entries in the section table
                                            // NOTE(review): when parsing an untrusted file, bound
                                            // NumberOfSections * sizeof(IMAGE_SECTION_HEADER) against
                                            // the header/file size before walking the section table
+08h    DWORD         TimeDateStamp;        // file creation date and time
+0Ch    DWORD         PointerToSymbolTable; // file offset of the symbol table (mainly used for debugging)
+10h    DWORD         NumberOfSymbols;      // number of symbols in that table (same use as above)
+14h    WORD          SizeOfOptionalHeader; // size of IMAGE_OPTIONAL_HEADER32; the section table starts
                                            // at OptionalHeader + SizeOfOptionalHeader
+16h    WORD          Characteristics;      // file attributes
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
// IMAGE_OPTIONAL_HEADER32: the PE32 optional header, located at +18h within
// IMAGE_NT_HEADERS. Despite the name it is required for executable images.
// Every *Address*/*Base* field below is an RVA: VA = ImageBase + RVA.
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD                 Magic;
BYTE                 MajorLinkerVersion;
BYTE                 MinorLinkerVersion;
DWORD                SizeOfCode;
DWORD                SizeOfInitializedData;
DWORD                SizeOfUninitializedData;
DWORD                AddressOfEntryPoint;                // RVA of the program entry point
DWORD                BaseOfCode;
DWORD                BaseOfData;
DWORD                ImageBase;                          // preferred load address of the file in memory
DWORD                SectionAlignment;                   // section alignment once loaded in memory
DWORD                FileAlignment;                      // section alignment of the PE file on disk
WORD                 MajorOperatingSystemVersion;
WORD                 MinorOperatingSystemVersion;
WORD                 MajorImageVersion;
WORD                 MinorImageVersion;
WORD                 MajorSubsystemVersion;
WORD                 MinorSubsystemVersion;
DWORD                Win32VersionValue;
DWORD                SizeOfImage;
DWORD                SizeOfHeaders;
DWORD                CheckSum;
WORD                 Subsystem;                             // subsystem the executable expects to run under
WORD                 DllCharacteristics;
DWORD                SizeOfStackReserve;
DWORD                SizeOfStackCommit;
DWORD                SizeOfHeapReserve;
DWORD                SizeOfHeapCommit;
DWORD                LoaderFlags;
DWORD                NumberOfRvaAndSizes;                    // number of data directory entries (16)
                                                             // NOTE(review): a parser should clamp this to
                                                             // IMAGE_NUMBEROF_DIRECTORY_ENTRIES before indexing
                                                             // DataDirectory, since the array below is fixed-size
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
                                                             // data directory table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD                 Magic;
BYTE                 MajorLinkerVersion;
BYTE                 MinorLinkerVersion;
DWORD                SizeOfCode;
DWORD                SizeOfInitializedData;
DWORD                SizeOfUninitializedData;
DWORD                AddressOfEntryPoint;                // 程序执行入口RVA
DWORD                BaseOfCode;
DWORD                BaseOfData;
DWORD                ImageBase;                          // 文件载入内存首选载入地址
DWORD                SectionAlignment;                   // 载入内存是区块对齐大小
DWORD                FileAlignment;                      // 磁盘上PE文件区块对齐大小
WORD                 MajorOperatingSystemVersion;
WORD                 MinorOperatingSystemVersion;
WORD                 MajorImageVersion;
WORD                 MinorImageVersion;
WORD                 MajorSubsystemVersion;
WORD                 MinorSubsystemVersion;
DWORD                Win32VersionValue;
DWORD                SizeOfImage;
DWORD                SizeOfHeaders;
DWORD                CheckSum;
WORD                 Subsystem;                             // 标识可执行文件所期望的子系统


最后于 2020-9-22 09:14 被tutuj编辑 ,原因: 写错
文章绝对精彩。。
棒棒!
太牛了