portable-executable

Write a value into PE file

时光怂恿深爱的人放手 posted on 2019-12-11 04:29:18
Question: I want to try the following: I have a C# program which takes a file as input and calculates the MD5 algorithm for these five MD5. My algorithm has a unique value for each file; this value is a 128-bit value, so I want to use this technique to protect my programs by saving the output value of the MD5 algorithm into my PE file (let's say the value is X). The PE will calculate the MD5 value again (for itself) (let's say the value is Y) and then compare X with Y. If it's the same value it's ok and run;
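The self-check scheme the question describes, written out as an added example in Python (not the poster's C# program and not from the page). It assumes X is stored in a 16-byte trailer appended to the file and that the start-up hash Y is computed over everything before that trailer, because a digest cannot cover the bytes that hold it; the stand-in image bytes are constructed here.

```python
import hashlib
import hmac

# Added example, not from the question: a store-X / recompute-Y self-check.
# Layout assumed here: <file body><16-byte MD5 of body>. The stored digest is
# excluded from the hashed range, otherwise Y could never equal X.

DIGEST_LEN = 16   # MD5 output size


def seal(image: bytes) -> bytes:
    """Build-time step: append X = MD5(image) to the file."""
    return image + hashlib.md5(image).digest()


def self_check(sealed: bytes) -> bool:
    """Start-up step: recompute Y over everything but the trailer, compare to X."""
    if len(sealed) <= DIGEST_LEN:
        return False
    body, stored_x = sealed[:-DIGEST_LEN], sealed[-DIGEST_LEN:]
    y = hashlib.md5(body).digest()
    return hmac.compare_digest(y, stored_x)   # constant-time comparison


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Flip one byte, standing in for corruption or a hex-editor patch."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


# Constructed stand-in for a PE image; the real input would be the .exe bytes.
# Offsets 68..73 hold the six code bytes (mov eax, 42 ; ret).
IMAGE = b"MZ" + bytes(62) + b"PE\0\0" + b"\xb8\x2a\x00\x00\x00\xc3"
```

self_check(seal(IMAGE)) passes, and it fails once any body byte is patched; but seal(patch_byte(IMAGE, 70, 0x90)) passes again, which is the caveat a practitioner should notice: a keyless digest detects corruption, not deliberate modification, because whoever can patch the file can recompute X. Tamper detection needs a value the modifier cannot recompute, for example a signature over the digest, which is what Authenticode does while excluding the signature's own location from the hashed range.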

PE file - what's missing?

人盡茶涼 posted on 2019-12-11 03:19:58
Question: I'm trying to generate an executable in PE format (Windows 7, 64-bit), initially a minimal file for testing purposes that does nothing more than mov eax, 42; ret. I've got one that dumpbin seems happy with and that contains apparently valid values for all the fields the various sources I can find say are actually used, but when I try to run it, Windows says "not a valid Win32 application". dumpbin output follows; can anyone see from this what I'm missing? Dump of file a.exe PE signature found File

What does MapViewOfFile return? [duplicate]

大憨熊 posted on 2019-12-11 01:27:22
Question: This question already has an answer here: Closed 7 years ago. Possible Duplicate: Why won't the loader load at the desired location. "MapViewOfFile": does this function map a file into virtual memory and return the base address of the mapped memory? If yes, then the following code should output 0x400000, because by default exe's are loaded at this location, but the output is 0x360000. Why? #include<iostream> #include<Windows.h> #include<stdio.h> #include<WinNT.h> int main() { HANDLE

About the magic number of PE

邮差的信 posted on 2019-12-11 01:19:45
Question: 0x10b: PE32 executable; 0x107: ROM image; 0x20b: PE32+ (64-bit) executable. What is the ROM image? Answer 1: Interesting question, I've dabbled with manipulating PE files but never noticed that. Here's what I believe they are used for: A ROM image can be executed 'in place' (XIP); if you search MSDN for "rom image", you'll find a number of references to it in the Windows Mobile and older Windows CE tools, e.g. Rom Image Creation. A ROM image can thus be executed directly from the ROM without

How to resolve circular dependency of a forwarded WinAPI?

大城市里の小女人 posted on 2019-12-11 00:28:36
Question: I'm trying to find a way to resolve a memory address and a DLL file name for a particular API when it's mapped into a process. Most of this can be resolved with the import/export tables in a DLL and by analyzing the Import Address Table of a mapped module. That is for most functions. But the issue happens with some forwarded functions. An example of such a function happens to be DeleteProcThreadAttributeList on my Windows 10 system. So for instance, if I build a test 32-bit process with such

How does a PE file get mapped into memory?

时光总嘲笑我的痴心妄想 posted on 2019-12-10 22:04:51
Question: So I have been researching the PE format for the last couple of days, and I still have a couple of questions. Does the data section get mapped into the process' memory, or does the program read it from the disk? If it does get mapped into its memory, how can the process acquire the offset of the section (and other sections)? Is there any way to get the entry point of a process that has already been mapped into memory, without touching the file on disk? Answer 1: Does the data section get
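An added example (Python, not from any of these posts) that serves three of the questions above: the minimal "mov eax, 42; ret" executable, the optional-header magic values, and how sections and the entry point are located once the file is mapped. It builds a minimal PE32+ image in memory, then parses the headers back the way a loader or dumpbin would and translates the entry point's RVA into a file offset. The field values and the 0x1000/0x200 alignments are choices made here, the parser deliberately refuses the 0x107 ROM layout rather than misreading it as PE32, and whether a particular Windows version loads the constructed image is not verified by this code.

```python
import struct

# Added example, not from the questions: build a minimal PE32+ image in memory,
# then parse its headers as a loader or dumpbin would. Values follow the PE/COFF
# spec; whether a given Windows version runs the result is not checked here.

MAGIC_NAMES = {0x10B: "PE32", 0x107: "ROM image", 0x20B: "PE32+"}
SUBSYSTEM_NAMES = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
CODE = b"\xb8\x2a\x00\x00\x00\xc3"          # mov eax, 42 ; ret


def build_minimal_pe64(code: bytes, subsystem: int = 3) -> bytes:
    """DOS header, PE signature, COFF header, 240-byte PE32+ optional header
    and one .text section header, padded to FILE_ALIGN, followed by the code."""
    code_raw = (len(code) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)       # e_lfanew: PE signature follows the DOS header
    # Machine AMD64, 1 section, no timestamp/symbols, SizeOfOptionalHeader 240,
    # Characteristics RELOCS_STRIPPED | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0023)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0,            # Magic PE32+, linker version
                      code_raw, 0, 0,          # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000,          # AddressOfEntryPoint, BaseOfCode
                      0x140000000,             # ImageBase
                      SECTION_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0,        # OS, image and subsystem versions
                      0,                       # Win32VersionValue
                      0x2000, FILE_ALIGN,      # SizeOfImage, SizeOfHeaders
                      0,                       # CheckSum
                      subsystem, 0,            # Subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,   # stack/heap reserve and commit
                      0, 16) + bytes(16 * 8)   # LoaderFlags, NumberOfRvaAndSizes, 16 empty directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, code_raw, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)  # VirtualSize, VA, raw size/pointer, CODE|EXECUTE|READ
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(FILE_ALIGN, b"\0") + code.ljust(code_raw, b"\0")


def parse_pe(data: bytes) -> dict:
    """Walk the headers as a loader does and return what is needed to locate
    the entry point; refuses the ROM layout rather than misreading it."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in MAGIC_NAMES:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if magic == 0x107:
        raise ValueError("ROM image: different optional header layout, not parsed here")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    # PE32 has BaseOfData at +24 and a 4-byte ImageBase at +28; PE32+ has an
    # 8-byte ImageBase at +24. From +32 (SectionAlignment) on, the offsets agree.
    if magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):   # section table starts right after the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})
    return {"magic": MAGIC_NAMES[magic], "machine": machine, "characteristics": chars,
            "image_base": image_base, "entry_rva": entry,
            "subsystem": SUBSYSTEM_NAMES.get(subsystem, subsystem), "sections": sections}


def rva_to_offset(sections, rva: int) -> int:
    """The loader maps each section at its VirtualAddress, so an RVA inside a
    section lives at rva - VirtualAddress + PointerToRawData in the file."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def entry_point_bytes(data: bytes, n: int = 6) -> bytes:
    """Find the entry point through the headers alone and return its first bytes."""
    info = parse_pe(data)
    off = rva_to_offset(info["sections"], info["entry_rva"])
    return data[off:off + n]
```

Everything in parse_pe reads through e_lfanew and the section table only, which is the same walk you can do against a module already mapped in a process: there the RVA is simply added to the module base instead of being translated through PointerToRawData, because the loader has already placed each section at its VirtualAddress, and the data section is part of that mapping rather than being read from disk by the program.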

Exported DLL functions not ordered lexically?

▼魔方 西西 posted on 2019-12-10 16:16:34
Question: Well, today I ran into an oddity. I wrote my own version of GetProcAddress a while ago to get function addresses from remote processes. I obviously spent quite a lot of time reading up on the PE architecture to figure out the best way to approach this. From the PECOFF v8 specification (which, as I take it, is the most up-to-date official specification), there is the following notation about the Export Name Pointer Table: The export name pointer table is an array of addresses (RVAs) into the
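An added example (Python, not from either post) for the two export-table questions, the forwarded function above and the unsorted name table here: it parses IMAGE_EXPORT_DIRECTORY out of an image treated as already mapped, recognises forwarders by the spec's rule that their RVA falls inside the export directory, checks that the name pointer table is sorted before trusting a binary search and falls back to a linear scan otherwise, and follows forwarders across modules with a loop check for the circular case. The modules libone and libtwo, their exports and the mutual forwarding are constructed for the example; the real forwarder from the question above is not reproduced.

```python
import struct

# Added example, not from the questions: export-directory parsing for a mapped
# image, with forwarder detection, an unsorted-name-table fallback and
# cycle-safe forwarder resolution across modules.

EXPORT_DIR = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def read_cstr(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_exports(image: bytes, dir_rva: int, dir_size: int):
    """Return (names in name-pointer-table order, {name: ("code", rva) or
    ("forwarder", "MODULE.Func")}). RVAs index straight into the mapped image;
    dir_rva/dir_size are what data directory 0 of the optional header holds."""
    (_, _, _, _, _, _, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR, image, dir_rva)
    funcs = struct.unpack_from(f"<{n_funcs}I", image, funcs_rva)
    names = [read_cstr(image, r) for r in struct.unpack_from(f"<{n_names}I", image, names_rva)]
    ords = struct.unpack_from(f"<{n_names}H", image, ords_rva)
    table = {}
    for name, o in zip(names, ords):
        rva = funcs[o]
        # PE/COFF: an RVA inside the export directory marks a forwarder; it
        # points at a "MODULE.Func" string rather than at code.
        if dir_rva <= rva < dir_rva + dir_size:
            table[name] = ("forwarder", read_cstr(image, rva))
        else:
            table[name] = ("code", rva)
    return names, table


def is_name_table_sorted(names) -> bool:
    """The spec says the name pointer table is lexically sorted; verify before
    relying on binary search, since real DLLs sometimes violate it."""
    return all(a <= b for a, b in zip(names, names[1:]))


def find_export(names, table, wanted):
    if not is_name_table_sorted(names):
        return table.get(wanted)          # unsorted table: linear lookup
    lo, hi = 0, len(names)
    while lo < hi:                        # sorted table: binary search, as a loader would
        mid = (lo + hi) // 2
        if names[mid] < wanted:
            lo = mid + 1
        elif names[mid] > wanted:
            hi = mid
        else:
            return table[wanted]
    return None


def resolve(modules, module: str, name: str, seen=None):
    """Follow forwarders until a code RVA is reached. modules maps a lowercase
    module name to (image, dir_rva, dir_size). A repeated (module, name) pair
    is a circular forwarder and raises. Ordinal forwarders (MODULE.#n) are not
    handled in this example."""
    seen = [] if seen is None else seen
    key = (module.lower(), name)
    if key in seen:
        raise RuntimeError("forwarder cycle: " + " -> ".join(f"{m}!{n}" for m, n in seen + [key]))
    seen.append(key)
    names, table = parse_exports(*modules[key[0]])
    hit = find_export(names, table, name)
    if hit is None:
        raise KeyError(f"{module}!{name} not exported")
    kind, value = hit
    if kind == "code":
        return key[0], value
    target_module, target_name = value.rsplit(".", 1)
    return resolve(modules, target_module, target_name, seen)


def build_export_image(module: str, exports, dir_rva=0x1000):
    """Constructed mapped image: exports is [(name, code_rva | 'MOD.Func')],
    written in the order given, so an unsorted list yields an unsorted name table."""
    image, n = bytearray(0x2000), len(exports)
    funcs_rva = dir_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    cursor = [ords_rva + 2 * n]           # next free RVA for strings

    def put_str(s):
        rva, data = cursor[0], s.encode("ascii") + b"\0"
        image[rva:rva + len(data)] = data
        cursor[0] += len(data)
        return rva

    name_rva = put_str(module)
    func_rvas, name_rvas = [], []
    for name, target in exports:
        name_rvas.append(put_str(name))
        func_rvas.append(target if isinstance(target, int) else put_str(target))
    struct.pack_into(EXPORT_DIR, image, dir_rva, 0, 0, 0, 0, name_rva, 1, n, n,
                     funcs_rva, names_rva, ords_rva)
    struct.pack_into(f"<{n}I", image, funcs_rva, *func_rvas)
    struct.pack_into(f"<{n}I", image, names_rva, *name_rvas)
    struct.pack_into(f"<{n}H", image, ords_rva, *range(n))
    return bytes(image), dir_rva, cursor[0] - dir_rva


# Constructed modules: libone's name table is deliberately unsorted, and the
# two Alpha exports forward to each other.
MODULES = {
    "libone": build_export_image("libone", [("Zeta", 0x500), ("Alpha", "LIBTWO.Alpha")]),
    "libtwo": build_export_image("libtwo", [("Alpha", "LIBONE.Alpha"), ("Beta", 0x600)]),
}
```

Keying the module map by lowercase base name mirrors how the MODULE part of a forwarder string is matched against loaded modules without an extension; resolve(MODULES, "libone", "Alpha") raises with the full chain libone!Alpha -> libtwo!Alpha -> libone!Alpha, which is the situation to detect rather than loop on.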

Sandbox Virtual Machine for an Application (concept)

雨燕双飞 posted on 2019-12-10 10:40:58
Question: I'd like to write a sandbox virtual machine for executing a compiled program. My goal is to isolate that program from the rest of the operating system and control its execution so that it can't do anything harmful to the host computer. I assume that: the executed program is compiled to Portable Executable format and is in machine code, not in any kind of byte code or for the CLR; the executed program is not allowed to communicate with peripherals like a printer or scanner, and doesn't use any GUI; executed

What are the effects of the PE header “subsystem” field?

寵の児 posted on 2019-12-09 16:12:17
Question: I have several questions about the PE "subsystem" field, which may overlap to some extent. To avoid spamming this place with each question separately, I thought I'd ask them together and then re-ask separately anything that doesn't get addressed. Hope this is OK... I know that IMAGE_SUBSYSTEM_WINDOWS_CUI makes the OS "pre-attach" the process to a console, either that of its parent process or creating a new console if necessary. IMAGE_SUBSYSTEM_WINDOWS_GUI doesn't do that. Are there any other

Portable executable structure explanation

两盒软妹~` posted on 2019-12-09 05:44:43
Question: I am learning the structure of a portable executable. I went through the MSDN article but I am a bit confused about it. I have some confusion about their precise structure and functionality. Can anybody help me or please refer me to a nice article for this? Answer 1: For a more discursive approach than the official specs, you should have a look at Matt Pietrek's 1994 article Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. The explanation is more readable than the dry,