《逆向工程核心原理》学习笔记4 PE文件学习——PE头总结

限于喜欢 提交于 2020-02-16 14:38:39

《逆向工程核心原理》学习笔记4

PE文件学习——PE头总结

1.DOS头

typedef struct _IMAGE_DOS_HEADER   //DOS头
{
WORD e_magic;       //DOS signature :4D5A ("MZ",是确定的值,
                   被称为DOS签名,如果值被改变,程序无法运行)
WORD e_cblp;
WORD e_cp;
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;
WORD e_sp;
WORD e_csum;
WORD e_ip;
WORD e_cs;NT
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
WORD e_lfanew;  //NT头的偏移,offset to NT header,修改后程序
                无法正常运行
} IMAGE_DOS_HEADER,  *PIMAGE_DOS_HEADER;

2.DOS存根
由代码和数据混合而成,在DOS环境下运行,可以用debug.exe运行(window10下用DOSBOX+debug)。

3.NT头

typedef struct _IMAGE_NT_HEADERS       //NT头
{
DWORD Signature;                       //签名结构体,值为50450000h,即"PE00"
IMAGE_FILE_HEADER FileHeader;          //文件头
IMAGE_OPTIONAL_HEADER32 OptionalHeader;//可选头
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_FILE_HEADER     //文件头
{
WORD Machine;              //CPU的标识,不同的CPU有不同的Machine值
WORD NumberOfSections;     //指出文件中存在的节区个数
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader; //指出IMAGE_OPTIONAL_HEADER32的长度
WORD Characteristics;
}IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY
{
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic;     //当为IMAGE_OPTIONAL_HEADER32时,Magic值为10B,当IMAGE_OPTIONAL_HEADER64时,Magic的值为20B
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;   //EP的RVA值,即最先执行的代码的起始地址
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;             //文件加载到内存中的时候,ImageBase指出了优先装入地址        
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD  SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

//结构体数组DataDirectory
DataDirectory[0] = EXPORT Directory;
DataDirectory[1] = IMPORT Directory;
DataDirectory[2] = RESOURCE Directory;
DataDirectory[3] = EXCEPTION Directory;
DataDirectory[4] = SECURITY Directory;
DataDirectory[5] = BASERELOC Directory;
DataDirectory[6] = DEBUG Directory;
DataDirectory[7] = COPYRIGHT Directory;
DataDirectory[8] = GLOBALPTR Directory;
DataDirectory[9] = TLS Directory;
DataDirectory[A] = LOAD_CONFIG Directory;
DataDirectory[B] = BBOUND_IMPORT Directory;
DataDirectory[C] = IAT Directory;
DataDirectory[D] = DELAY_IMPORT Directory;
DataDirectory[E] = COM_DESCRIPTOR Directory;
DataDirectory[F] = Reserved Directory;

4.节区头
在节区头分别对data,resource,code三个节区进行设置特性和访问权限等操作。三个节区头分别控制各自所对应的节区。

#define IMAGE_SIZEOF_SHORT_NAME      8
typedef struct _IMAGE_SECTION_HEADER
{
BYTE   NAME[IMAGE_SIZEOF_SHORT_NAME];
union
{
DWORD PhysicalAddress;
DWORD VirtualSize;         //内存中节区的大小
} Misc;
DWORD   VirtualAddress;    //内存中节区的起始地址
DWORD   SizeOfRawData;     //磁盘文件中节区的大小
DWORD   PointerToRawData;  //磁盘文件中节区的起始位置
DWORD   PointerToRelocations;
DWORD   PointerToLinenumbers;
WORD    NumberOfRelocations;
WORD    NumberOfLinenumbers;
DWORD   Characteristics;   //节区的属性,包括是否是code,有没有数据,是否可执行,是否可读,是否可修改等属性
}IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

以上是我整理的需要学习的重点,如有不足,望大佬指点

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!