-
-
[原创]PE文件格式学习(2)——PE头
-
发表于: 2020-12-12 12:13
-
PE头包括DOS头(Dos Header)、DOS存根(Dos Stub)、NT头(Nt Header)和节区头(Section Header)。在这里我们主要借助 010 editor 来辅助分析PE文件。
微软在创建PE文件格式时,人们正在广泛使用DOS文件,所以微软充分考虑了PE文件对DOS文件的兼容性。其结果是在PE头的最前面添加了一个IMAGE_DOS_HEADER结构体。
DOS存根(stub)在DOS头下方,是个可选项。
IMAGE_NT_HEADERS结构体由3个成员组成,第一个成员为签名(Signature)结构体,其值为50450000h(b'PE\x00\x00')。另外两个成员分别为文件头(File Header)与可选头(Optional Header)结构体。
每个CPU都拥有唯一的Machine码。
文件中存在的节区数量。当定义的节区数量与实际节区不同时,将发生运行错误。
可选头的大小。
该字段用于标识文件的属性,文件是否可运行、是否为DLL文件等信息,以bit OR形式组合起来。
IMAGE_OPTIONAL_HEADER32是PE头结构体中最大的。
EP的RVA值。该值指出程序最先执行的代码起始地址,相当重要。
进程虚拟内存的范围是0~0xFFFFFFFF(32位系统)。PE文件被加载到如此大的内存中时,ImageBase指出文件的优先装入地址。
EXE、DLL文件被装载到用户内存的0~0x7FFFFFFF中,SYS文件被载入到内核内存的0x80000000~0xFFFFFFFF中。一般而言,EXE文件的ImageBase为0x00400000,DLL文件的ImageBase值为0x10000000。执行PE文件时,PE装载器先创建进程,再将文件载入内存,然后把EIP寄存器的值设置为ImageBase+AddressOfEntryPoint。
DataDirectory是由IMAGE_DATA_DIRECTORY结构体组成的数组,数组的每项都有被定义的值。
现在我们用 010 editor 查看notepad.exe的DataDirectory部分:
其中我们需要重点关注的是 IMPORT 和 EXPORT Directory。
节区头中定义了各节区属性。PE文件中的代码、数据、资源等按照属性分类存储在不同节区。
IMAGE_SECTION_HEADER结构体中的重要成员如下表所示:
Characterisitics:
每个节区头都对应一个节区:
typedef struct _IMAGE_NT_HEADERS { DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADERS { DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER { WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_FILE_HEADER { WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.#define IMAGE_FILE_SYSTEM 0x1000 // System File.#define IMAGE_FILE_DLL 0x2000 // File is a DLL.#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.#define IMAGE_FILE_SYSTEM 0x1000 // System File.#define IMAGE_FILE_DLL 0x2000 // File is a DLL.#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2020-12-12 15:03
被34r7hm4n编辑
,原因:
|
|
|---|---|
