portable-executable

What is the MZ signature in a PE file for?

☆樱花仙子☆ submitted on 2019-12-20 12:41:07
Question: I'm working on a program that will parse a PE object for various pieces of information. Reading the specifications though, I cannot find out why the MZ bytes are there, as I cannot find this on the list of machine types that these 2 bytes are supposed to represent. Can anyone clarify?

Answer 1: The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format. The reason a PE binary contains an MZ header is for backwards compatibility. If the executable is run on a DOS-based system

Printing out the names of implicitly linked DLLs from .idata section in a portable executable

自古美人都是妖i submitted on 2019-12-20 03:52:36
Question: I am trying to write code which is supposed to print out the names of all the imported DLLs in the exe by using the 'name' field of the IMAGE_IMPORT_DESCRIPTOR structure in the .idata section of the exe, but the program seems to be getting stuck in an infinite loop. Can someone please tell me how to get the names printed out correctly...

#include<iostream>
#include<Windows.h>
#include<stdio.h>
#include<WinNT.h>
int main() {
    FILE *fp;
    int i;
    if((fp = fopen("c:\\Linked List.exe","rb"))==NULL

How to build an executable without import table in C/C++?

蹲街弑〆低调 submitted on 2019-12-19 09:15:14
Question: I found a tool to repair import table here, but how are PE executables without import table built in the first place in C/C++?

Answer 1: Just don't use CRT, and don't use any imported functions.

#pragma comment(linker, "/entry:start")
int start() { return 42; }

To use WinAPI functions, find kernel32 base, parse its export directory and find LoadLibrary() function (you should already have something like GetProcAddress() to find LoadLibrary()). This may look like this:

// compile as console

About ImageBase of .EXE in Windows

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-19 04:33:38
Question: I just learned ImageBase is specified in PE format, and OS will load it to the exact position for .EXE, then comes the question: what if two .EXEs are requiring the same ImageBase location?

Answer 1: In case of 2 EXEs, they have Completely Different Address Spaces... Every Executable has its own space. This means, every time you execute an EXE, it is assigned its own independent 4GB (on 32bit systems, although the process can use just part of it, the rest goes to the kernel) worth of address space. It's

How do I determine if an EXE (or DLL) participates in ASLR, i.e. is relocatable?

我们两清 submitted on 2019-12-19 03:59:46
Question: How do I determine if an EXE (or DLL) participates in ASLR, i.e. is relocatable? I want to check some EXEs on my system whether they are relocatable and participate in ASLR. I know the default behavior of the linker is to strip base relocations, so that the EXE is not relocatable? How do I see from a tool like FileAlyzer whether the image participates in ASLR?

Answer 1: A relocatable module (exe or dll) doesn't necessarily need to have ASLR enabled but a module that has ASLR enabled needs to be

Why should we set a timestamp when we do a codesigning?

邮差的信 submitted on 2019-12-17 18:35:19
Question: If I set a timestamp with signing, what happens? What if I don't set? Is it essential? Why is it recommended?

Answer 1: Timestamping is used to specify time when the digital signature is made. This is needed to properly validate the signature. If signature timestamp is present, the application which validates (verifies) the signature will check whether the certificates involved in signature validation were valid at the moment of signing. If there's no timestamp for the signature, certificate

Appending data to an exe

﹥>﹥吖頭↗ submitted on 2019-12-17 15:44:16
Question: This question extends from one of the answers to my earlier question: how to save user registration in the exe... (C#). The idea itself is still very new to me, but it seems plausible. My first attempt of simply appending a string to the exe from inside a different application didn't work. Then got a little smarter and tried appending bytes. Still no luck. I've found various documentation on Windows Portable Executable files: http://en.wikipedia.org/wiki/Portable_Executable http://msdn

Deterministic builds under Windows

寵の児 submitted on 2019-12-17 15:34:16
Question: The ultimate goal is comparing 2 binaries built from exact same source in exact same environment and being able to tell that they indeed are functionally equivalent. One application for this would be focusing QA time on things that were actually changed between releases, as well as change monitoring in general. MSVC in tandem with PE format naturally makes this very hard to do. So far I found and neutralized those things:

PE timestamp and checksum
Digital signature directory entry
Debugger

What is the smallest possible Windows (PE) executable?

耗尽温柔 submitted on 2019-12-17 06:30:31
Question: As a precursor to writing a compiler I'm trying to understand the Windows (32-bit) Portable Executable format. In particular I'd like to see an example of a bare-bones executable which does nothing except load correctly, run and exit. I've tried writing and compiling a simple C main function which does nothing but the resulting .exe is ~22KB and contains many imports from KERNEL32.DLL (presumably used by LIBC to set up environment, heaps etc.). Even the DOS Header could probably be smaller

VA (Virtual Address) & RVA (Relative Virtual Address)

一笑奈何 submitted on 2019-12-17 05:38:04
Question: A file that is given as input to the linker is called Object File. The linker produces an Image file, which in turn is used as input by the loader. A blurb from "Microsoft Portable Executable and Common Object File Format Specification": RVA (relative virtual address). In an image file, the address of an item after it is loaded into memory, with the base address of the image file subtracted from it. The RVA of an item almost always differs from its position within the file on disk (file