-
-
[原创]PE知识汇总
-
发表于: 2020-9-20 18:49
-
VA(虚拟地址) = IamgeBase(基地址) + RVA(相对虚拟地址)
结构:
区块紧跟IMAGE_NT_HEADER,是一个IMAGE_SECTION_HEADER结构数组,每个项包括了它所关联的区块信息。区块数码由IMAGE_NT_HEADER.FileHeader.NumberOfSections指出。
注:第一个块表的地址=OpHeader(OpotionalHeader位置)+sizeOfOptionalHeader
结构:
常见区块
实例(以.text块为例)
IMAGE_DOS_HEADER STRUCT {
+0h WORD e_magic // DOS 可执行标记(0x5A4D)"MZ"
+2h WORD e_cblp
+4h WORD e_cp
+6h WORD e_crlc
+8h WORD e_cparhdr
+0ah WORD e_minalloc
+0ch WORD e_maxalloc
+0eh WORD e_ss
+10h WORD e_sp
+12h WORD e_csum
+14h WORD e_ip
+16h WORD e_cs
+18h WORD e_lfarlc
+1ah WORD e_ovno
+1ch WORD e_res[4]
+24h WORD e_oemid
+26h WORD e_oeminfo
+29h WORD e_res2[10]
+3ch DWORD e_lfanew // 指向PE头
} IMAGE_DOS_HEADER ENDSIMAGE_DOS_HEADER STRUCT {
+0h WORD e_magic // DOS 可执行标记(0x5A4D)"MZ"
+2h WORD e_cblp
+4h WORD e_cp
+6h WORD e_crlc
+8h WORD e_cparhdr
+0ah WORD e_minalloc
+0ch WORD e_maxalloc
+0eh WORD e_ss
+10h WORD e_sp
+12h WORD e_csum
+14h WORD e_ip
+16h WORD e_cs
+18h WORD e_lfarlc
+1ah WORD e_ovno
+1ch WORD e_res[4]
+24h WORD e_oemid
+26h WORD e_oeminfo
+29h WORD e_res2[10]
+3ch DWORD e_lfanew // 指向PE头
} IMAGE_DOS_HEADER ENDStypedef struct _IMAGE_NT_HEADERS {+00h DWORD Signature; // 固定为 0x00004550 根据小端存储为:"PE.."
+04h IMAGE_FILE_HEADER FileHeader;
+18h IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADERS {+00h DWORD Signature; // 固定为 0x00004550 根据小端存储为:"PE.."
+04h IMAGE_FILE_HEADER FileHeader;
+18h IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER {+04h WORD Machine; // 运行平台
+06h WORD NumberOfSections; // 文件的区块数目
+08h DWORD TimeDateStamp; // 文件创建日期和时间
+0Ch DWORD PointerToSymbolTable; // 指向符号表(主要用于调试)
+10h DWORD NumberOfSymbols; // 符号表中符号个数(同上)
+14h WORD SizeOfOptionalHeader; // IMAGE_OPTIONAL_HEADER32 结构大小
+16h WORD Characteristics; // 文件属性
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_FILE_HEADER {+04h WORD Machine; // 运行平台
+06h WORD NumberOfSections; // 文件的区块数目
+08h DWORD TimeDateStamp; // 文件创建日期和时间
+0Ch DWORD PointerToSymbolTable; // 指向符号表(主要用于调试)
+10h DWORD NumberOfSymbols; // 符号表中符号个数(同上)
+14h WORD SizeOfOptionalHeader; // IMAGE_OPTIONAL_HEADER32 结构大小
+16h WORD Characteristics; // 文件属性
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {WORD Magic;BYTE MajorLinkerVersion;BYTE MinorLinkerVersion;DWORD SizeOfCode;DWORD SizeOfInitializedData;DWORD SizeOfUninitializedData;DWORD AddressOfEntryPoint; // 程序执行入口RVA
DWORD BaseOfCode;DWORD BaseOfData;DWORD ImageBase; // 文件载入内存首选载入地址
DWORD SectionAlignment; // 载入内存是区块对齐大小
DWORD FileAlignment; // 磁盘上PE文件区块对齐大小
WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion;WORD MajorSubsystemVersion;WORD MinorSubsystemVersion;DWORD Win32VersionValue;DWORD SizeOfImage;DWORD SizeOfHeaders;DWORD CheckSum;WORD Subsystem; // 标识可执行文件所期望的子系统
WORD DllCharacteristics;DWORD SizeOfStackReserve;DWORD SizeOfStackCommit;DWORD SizeOfHeapReserve;DWORD SizeOfHeapCommit;DWORD LoaderFlags;DWORD NumberOfRvaAndSizes; // 数据目录项数(16)
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; //数据目录表
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER {WORD Magic;BYTE MajorLinkerVersion;BYTE MinorLinkerVersion;DWORD SizeOfCode;DWORD SizeOfInitializedData;DWORD SizeOfUninitializedData;DWORD AddressOfEntryPoint; // 程序执行入口RVA
DWORD BaseOfCode;DWORD BaseOfData;DWORD ImageBase; // 文件载入内存首选载入地址
DWORD SectionAlignment; // 载入内存是区块对齐大小
DWORD FileAlignment; // 磁盘上PE文件区块对齐大小
WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion;WORD MajorSubsystemVersion;WORD MinorSubsystemVersion;DWORD Win32VersionValue;DWORD SizeOfImage;DWORD SizeOfHeaders;DWORD CheckSum;WORD Subsystem; // 标识可执行文件所期望的子系统
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2020-9-22 09:14
被tutuj编辑
,原因: 写错
|
|
|---|---|
|
|
|
|
|
|
|
|
太牛了
|
