.NET PE file: .text section details
Posted: 2009-6-22 20:21 5798

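// .text section information
--------------------------------
Import table (0x8)

CLR header (0x48)

Strong name (optional) (0x80)

MSIL code

Managed resource data (optional)

Metadata

Unmanaged export data

Unmanaged import table data

Unmanaged program entry point (Native EP)
----------------------------------
// Import table and CLR header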
00001000h: 40 8B 00 00 00 00 00 00 48 00 00 00 02 00 05 00 ; @?.....H.......
00001010h: 10 4D 00 00 94 3D 00 00 09 00 00 00 3E 00 00 06 ; .M..?......>...
00001020h: 60 3D 00 00 B0 0F 00 00 50 20 00 00 80 00 00 00 ; `=..?..P ..€...
00001030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00001040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
// Strong name
00001050h: 16 FE 2C 3A 42 CF 42 79 81 5C 6A D0 5E 4B 20 96 ; .?:B螧y乗j衈K ?
00001060h: CE 69 38 A8 61 74 35 44 52 B1 1A 9A 04 AB C1 1A ; 蝘8╝t5DR??.
00001070h: 05 9B E0 92 1D 2D 05 BE E3 80 BA 1E 2E 1B 2F 36 ; .涏?-.俱€?../6
00001080h: FD FB A8 86 19 B1 FA CC F0 80 F3 C9 F4 0E CA 8F ; ▎.柄甜€笊?蕪
00001090h: E5 C8 7B 74 D2 5B 02 B7 A4 26 7B FB 97 7C 5B 55 ; 迦{t襕.筏&{麠|[U
000010a0h: 60 55 8A 16 86 74 20 46 1F 1A 20 1D C9 AC 86 99 ; `U?唗 F.. .涩啓
000010b0h: 2D BD C1 CC 5F 27 C5 00 26 6C 7D C7 17 67 54 6D ; -搅蘝'?&l}?gTm
000010c0h: 7B D4 C3 00 9B 5A 0E DA 40 BF 29 FE 03 12 B1 3C ; {悦.沍.贎??.?
// IL code (each method body, including the method header, the method body and the exception handling table)
000010d0h: 7A 03 2C 13 02 7B 01 00 00 04 2C 0B 02 7B 01 00 ; z.,..{....,..{..
000010e0h: 00 04 6F 10 00 00 0A 02 03 28 11 00 00 0A 2A 00 ; ..o......(....*.
000010f0h: 13 30 07 00 AC 0B 00 00 01 00 00 11 D0 02 00 00 ; .0..?......?..
......
00002d50h: B9 00 00 0A 0C 2B AA 08 2A 00 00 00 00 00 00 00 ; ?...+?*.......
// Managed resources
00002d60h: B4 00 00 00 CE CA EF BE 01 00 00 00 91 00 00 00 ; ?..问锞....?..
......
00003ce0h: 00 00 03 E0 00 00 03 F0 00 00 07 F8 00 00 0F FC ; ...?..?..?..?
00003cf0h: 00 00 1F FE 00 00 7F FF 80 01 FF FF C0 0F FF FF ; ...?.€.?
00003d00h: C0 FF FF FF 83 FF FF FF 0F FF FF FF FF FF FF 0B ; ??..
// Metadata
00003d10h: 42 53 4A 42 01 00 01 00 00 00 00 00 0C 00 00 00 ; BSJB............
00003d20h: 76 32 2E 30 2E 35 30 37 32 37 00 00 00 00 05 00 ; v2.0.50727......
00003d30h: 6C 00 00 00 98 14 00 00 23 7E 00 00 04 15 00 00 ; l...?..#~......
00003d40h: 40 18 00 00 23 53 74 72 69 6E 67 73 00 00 00 00 ; @...#Strings....
00003d50h: 44 2D 00 00 E8 08 00 00 23 55 53 00 2C 36 00 00 ; D-..?..#US.,6..
00003d60h: 10 00 00 00 23 47 55 49 44 00 00 00 3C 36 00 00 ; ....#GUID...<6..
00003d70h: 58 07 00 00 23 42 6C 6F 62 00 00 00 00 00 00 00 ; X...#Blob.......
00003d80h: 02 00 00 01 57 3D A2 35 09 03 00 00 00 FA 01 33 ; ....W=?.....?3
00003d90h: 00 16 00 00 01 00 00 00 8D 00 00 00 0D 00 00 00 ; ........?......
00003da0h: 4F 00 00 00 4E 00 00 00 67 00 00 00 B9 00 00 00 ; O...N...g...?..
00003db0h: 0C 00 00 00 1F 00 00 00 02 00 00 00 1B 00 00 00 ; ................
00003dc0h: 04 00 00 00 0A 00 00 00 0D 00 00 00 03 00 00 00 ; ................
00003dd0h: 11 00 00 00 01 00 00 00 01 00 00 00 07 00 00    ; ...............
......
// Unmanaged export data (starting at the bold characters)
00007aa0h: 73 01 00 00 00 00 00 00 2D 28 40 4A 00 00 00 00 ; s.......-(@J....
00007ab0h: 02 00 00 00 44 00 00 00 C0 8A 00 00 C0 7A 00 00 ; ....D...缞..纙..
00007ac0h: 52 53 44 53 FD 2C 98 FE 60 0B FD 4D BD D7 17 CA ; RSDS?橚`.齅阶.?
00007ad0h: 5B 9F E9 FE 01 00 00 00 45 3A 5C 6D 79 70 72 6F ; [熼?...E:\mypro
00007ae0h: 67 72 61 6D 5C 74 65 73 74 5C 74 65 73 74 5C 6F ; gram\test\test\o
00007af0h: 62 6A 5C 52 65 6C 65 61 73 65 5C 74 65 73 74 2E ; bj\Release\test.
00007b00h: 70 64 62 00 2C 8B 00 00 00 00 00 00 00 00 00 00 ; pdb.,?.........
// Unmanaged import table (native import table)
00007b10h: 4E 8B 00 00 00 20 00 00 00 00 00 00 00 00 00 00 ; N?.. ..........
00007b20h: 00 00 00 00 00 00 00 00 00 00 00 00 40 8B 00 00 ; ............@?.
00007b30h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00007b40h: 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 ; .._CorExeMain.ms
// Unmanaged program entry point, native entry point [EP] (the bold part is the gap)
00007b50h: 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 ; coree.dll.....%
00007b60h: 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 ; . @.............
00007b70h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

This "unmanaged program entry point" is the location given by the RVA in the "AddressOfEntryPoint" field of the "Optional Header" (FF 25 00 20 40 00 00 00). Its size is not clear yet; it may be 8 bytes.

Latest replies (4)
2
This is good, I learned something.
2009-10-18 21:41
3
Nice, learning from the OP.........
2009-10-19 00:04
4
Support..............
2009-10-19 09:49
5
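Whether it is an unmanaged or a managed .NET program, AddressOfEntryPoint always points to something that looks like (FF 25 00 20 40 00 00 00). This is actually a jump instruction: FF 25 is (JMP), and the (FF 25 00 20 40 00 00 00) after it is an address, which in a 32-bit program is of course 4 bytes. The address here is 0x402000; as for this RVA address, I don't need to spell it out!! It points to (mscoree.dll -> _CorExeMain or _CorDllMain).

Support the OP!!!!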
2009-10-19 16:31
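
The CLR header fields from the original post's dump and the jump described in the last reply, decoded from the bytes quoted in the thread. This is an added example, not code from the thread. It assumes an ImageBase of 0x400000 and a .text section at RVA 0x2000 stored at file offset 0x1000 (neither header is shown in the post); the entry-point RVA 0x8B5E is derived from the stub's file offset 0x7B5E under that mapping.

```python
import struct

# Assumptions (the post does not show the optional or section headers):
# default EXE ImageBase, and .text at RVA 0x2000 stored at file offset 0x1000.
IMAGE_BASE, TEXT_RVA, TEXT_RAW = 0x400000, 0x2000, 0x1000
# Bytes copied from the dump in the post, keyed by file offset.
DUMP = {
    0x1000: bytes.fromhex("408B000000000000" "4800000002000500" "104D0000943D0000"
                          "090000003E000006" "603D0000B00F0000" "5020000080000000"),
    0x7B40: bytes.fromhex("00005F436F724578654D61696E00" "6D73636F7265652E646C6C00"
                          "00000000" "FF2500204000"),
}
FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED"}

def read(off, n):
    """Return n bytes at a file offset from whichever dump fragment covers it."""
    for base, blob in DUMP.items():
        if base <= off and off + n <= base + len(blob):
            return blob[off - base:off - base + n]
    raise ValueError(f"file offset {off:#x} is not in the quoted dump")

def rva_to_off(rva):
    return rva - TEXT_RVA + TEXT_RAW

def parse_cor20(off):
    """Decode the leading fields of IMAGE_COR20_HEADER (the CLR header)."""
    (cb, major, minor, md_rva, md_size, flags, ep_token, res_rva, res_size,
     sn_rva, sn_size) = struct.unpack("<IHHIIIIIIII", read(off, 40))
    return {"cb": cb, "runtime": (major, minor), "entry_token": ep_token,
            "flags": [name for bit, name in FLAGS.items() if flags & bit],
            "metadata": (rva_to_off(md_rva), md_size),
            "resources": (rva_to_off(res_rva), res_size),
            "strong_name": (rva_to_off(sn_rva), sn_size)}

def resolve_entry_stub(ep_rva):
    """Follow `jmp dword ptr [slot]` through the IAT to the imported name."""
    stub = read(rva_to_off(ep_rva), 6)            # FF 25 + 4-byte absolute VA
    if stub[:2] != b"\xff\x25":
        raise ValueError("entry point is not the FF 25 indirect jump")
    slot_va = struct.unpack("<I", stub[2:])[0]
    thunk = struct.unpack("<I", read(rva_to_off(slot_va - IMAGE_BASE), 4))[0]
    if thunk & 0x80000000:
        raise ValueError("import by ordinal, no name to check")
    off, name = rva_to_off(thunk) + 2, bytearray()  # skip the 2-byte hint
    while (b := read(off + len(name), 1)) != b"\0":
        name += b
    return slot_va, name.decode("ascii")

if __name__ == "__main__":
    print(parse_cor20(0x1008))
    slot, name = resolve_entry_stub(0x8B5E)       # EP RVA derived from file offset 0x7B5E
    print(f"entry stub -> [{slot:#x}] -> {name}",
          "(expected)" if name in ("_CorExeMain", "_CorDllMain") else "(UNEXPECTED)")
```

The decoded offsets land on the regions the post labels: the strong name at 0x1050, the managed resources at 0x2D60 and the `BSJB` metadata root at 0x3D10.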