PE File Structure Explained, Cross-Referenced with Chapter 10 of "Encryption and Cracking" (《加密与破解》).docx

Uploaded by: b****4  Document ID: 11927236  Upload date: 2023-04-16  Format: DOCX  Pages: 10  Size: 46.16KB
PE File Structure Explained, Cross-Referenced with Chapter 10 of "Encryption and Cracking" (《加密与破解》)

[Figure: "PE file structure". An annotated hex dump of the sample file (columns 0 to F, offsets 00000000 to 00000210 and 00000600 to 000007B0) with the following regions labeled.]

DOS "MZ" HEADER (MS-DOS header): e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno, e_res, e_oemid, e_oeminfo, e_res2, e_lfanew

DOS stub

PE file header (IMAGE_NT_HEADERS): Signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32

IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics

IMAGE_OPTIONAL_HEADER32: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment, MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion, MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion, Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics, SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit, LoaderFlags, NumberOfRvaAndSizes, DataDirectory

DataDirectory (IMAGE_DATA_DIRECTORY) entries: IMAGE_DIRECTORY_ENTRY_EXPORT, IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_COPYRIGHT, IMAGE_DIRECTORY_ENTRY_GLOBALPTR, IMAGE_DIRECTORY_ENTRY_TLS, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. The last one, 15, is reserved.

Section table (section table headers): one IMAGE_SECTION_HEADER each for .text, .rdata and .data, with fields Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics

Import table of the file: IMAGE_IMPORT_DIRECTORY 1 and IMAGE_IMPORT_DIRECTORY 2 (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk), IMAGE_THUNK_DATA, the Import Name Table (INT) and Import Address Table (IAT) for USER32.dll and KERNEL32.dll, and the names of the functions imported from USER32.dll and KERNEL32.dll

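Are there 3 section headers?

Import table entry in the DataDirectory, at file offset B0h + 80h = 130h:
VirtualAddress = 00002040h, Size = 3Ch

IMAGE_SECTION_HEADER (Section Table) fields:

Field (abbreviation)          Offset   Size
Name (Name)                   00h      8h
VirtualAddress (VOffset)      0Ch      4h
VirtualSize (VSize)           08h      4h
PointerToRawData (Roffset)    14h      4h
SizeOfRawData (RSize)         10h      4h
Characteristics (Flag)        24h      4h

From NumberOfSections at offset B6h in IMAGE_FILE_HEADER, we know there are three section headers:

NumberOfSections ----- 0003h

From SectionAlignment at offset E8h in IMAGE_OPTIONAL_HEADER32, we know the section alignment is 1000h.

The section table follows the data directory: PE header offset B0h + last data directory offset F7h = 1A7h, so 1A8h is the start address of the first section header.

From VirtualAddress, the start addresses (RVAs) of the three sections are 00001000, 00002000 and 00003000. 2040h lies in the .rdata section, whose Roffset (PointerToRawData) is 600h.

∆k = VOffset (VirtualAddress) - Roffset (PointerToRawData)
∆k = 2000h - 600h = 1A00h
FileOffset = RVA - ∆k = 2040h - 1A00h = 640h (this is the location of the import table)

Name is actually the RVA of the DLL name; converted to a file offset: FileOffset = 2174h - 1A00h = 774h
INT: OriginalFirstThunk is actually the RVA of the DLL's function entries; converted to a file offset: FileOffset = 208Ch - 1A00h = 68Ch
IAT: FirstThunk is actually the RVA of the DLL's function entries; converted to a file offset: FileOffset = 2010h - 1A00h = 610h

Name is actually the RVA of the DLL name; converted to a file offset: FileOffset = 21B4h - 1A00h = 7B4h
INT: OriginalFirstThunk is actually the RVA of the DLL's function entries; converted to a file offset: FileOffset = 207Ch - 1A00h = 67Ch
IAT: FirstThunk is actually the RVA of the DLL's function entries; converted to a file offset: FileOffset = 2000h - 1A00h = 600h

IMAGE_THUNK_DATA members: ForwarderString, Function, Ordinal, AddressOfData

Imported names from USER32.dll: CreateWindowExA, DefWindowProcA, DispatchMessageA, GetMessageA, LoadCursorA, LoadIconA, PostQuitMessage, RegisterClassExA, ShowWindow, TranslateMessage, UpdateWindow
Imported names from KERNEL32.dll: ExitProcess, GetCommandLineA, GetModuleHandleA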
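The RVA-to-file-offset conversion worked through above, generalized to any section and any RVA, as an added example that is not part of the original document. Only the three VirtualAddress values and the .rdata PointerToRawData of 600h come from the page; the other section sizes, offsets and flags, and the names make_header, parse_section_table and rva_to_file_offset, are assumptions made for illustration.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, then relocation/line-number fields and
# Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

def make_header(name, vsize, vaddr, rsize, roffset, flags):
    """Pack one section header (used only to build the sample table)."""
    return SECTION_HEADER.pack(name, vsize, vaddr, rsize, roffset, 0, 0, 0, 0, flags)

# Constructed sample: only the three VirtualAddress values and .rdata's
# PointerToRawData (600h) come from the page; everything else is assumed.
SAMPLE_TABLE = (
    make_header(b".text", 0x1A0, 0x1000, 0x200, 0x400, 0x60000020)
    + make_header(b".rdata", 0x1C2, 0x2000, 0x200, 0x600, 0x40000040)
    + make_header(b".data", 0x400, 0x3000, 0x200, 0x800, 0xC0000040)
)

def parse_section_table(raw, count):
    """Decode `count` headers; reject a table shorter than NumberOfSections claims."""
    if len(raw) < count * SECTION_HEADER.size:
        raise ValueError("section table truncated")
    sections = []
    for i in range(count):
        name, vsize, vaddr, rsize, roffset = SECTION_HEADER.unpack_from(
            raw, i * SECTION_HEADER.size)[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "roffset": roffset})
    return sections

def rva_to_file_offset(sections, rva):
    """Return the file offset for `rva`, or None if no file bytes back it."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            if rva - s["vaddr"] >= s["rsize"]:
                return None  # inside the section, but zero-filled at load time
            delta_k = s["vaddr"] - s["roffset"]  # the page's ∆k
            return rva - delta_k
    return None  # headers, a gap between sections, or outside the image

SECTIONS = parse_section_table(SAMPLE_TABLE, 3)
if __name__ == "__main__":
    for rva in (0x2040, 0x2174, 0x208C, 0x2010, 0x3300):
        off = rva_to_file_offset(SECTIONS, rva)
        print(f"{rva:05X}h ->", "no file data" if off is None else f"{off:X}h")
```

A parser that applies ∆k without these range checks will read unrelated file bytes when a crafted or packed file carries an RVA that falls outside every section's raw data.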
