《逆向工程核心原理》学习笔记4
PE文件学习——PE头总结
1.DOS头
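typedef struct _IMAGE_DOS_HEADER // DOS header (first structure of a PE file)
{
    WORD e_magic;     // DOS signature: bytes 4D 5A ("MZ"). Fixed value; if it is
                      // altered the program will not run.
    WORD e_cblp;
    WORD e_cp;
    WORD e_crlc;
    WORD e_cparhdr;
    WORD e_minalloc;
    WORD e_maxalloc;
    WORD e_ss;
    WORD e_sp;
    WORD e_csum;
    WORD e_ip;
    WORD e_cs;
    WORD e_lfarlc;
    WORD e_ovno;
    WORD e_res[4];
    WORD e_oemid;
    WORD e_oeminfo;
    WORD e_res2[10];
    WORD e_lfanew;    // File offset of the NT header; if altered the program will
                      // not run normally.
                      // NOTE(review): in the Windows SDK this field is a 4-byte
                      // LONG at offset 0x3C, not a WORD — confirm against the
                      // SDK before using this layout for parsing. A parser should
                      // also range-check the offset against the file size before
                      // dereferencing it, since it comes straight from the file.
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;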
2.DOS存根
由代码和数据混合而成,在DOS环境下运行,可以用debug.exe运行(window10下用DOSBOX+debug)。
3.NT头
typedef struct _IMAGE_NT_HEADERS // NT header, located at the offset given by e_lfanew
{
    DWORD Signature;                        // PE signature: bytes 50 45 00 00 ("PE\0\0");
                                            // read as a little-endian DWORD this is 0x00004550
    IMAGE_FILE_HEADER FileHeader;           // file header
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // optional header (32-bit variant)
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER // file header
{
    WORD Machine;              // CPU identifier; each CPU type has its own Machine value
    WORD NumberOfSections;     // number of sections present in the file
                               // NOTE(review): a parser should treat this as untrusted
                               // and bound its section-header loop by the file size too
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader; // length of IMAGE_OPTIONAL_HEADER32
    WORD Characteristics;
}IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY // one entry of the optional header's DataDirectory array
{
    DWORD VirtualAddress; // RVA of the table this entry describes
    DWORD Size;           // size of that table in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 // number of DataDirectory slots in the optional header
typedef struct _IMAGE_OPTIONAL_HEADER // optional header (32-bit layout)
{
    WORD Magic;                 // 0x10B for IMAGE_OPTIONAL_HEADER32, 0x20B for IMAGE_OPTIONAL_HEADER64;
                                // check this before interpreting the rest of the header
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;  // RVA of the entry point (EP), i.e. the first code that executes
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;            // preferred load address when the file is mapped into memory
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;  // NOTE(review): presumably the count of valid DataDirectory
                                // entries — a parser should bound by this value rather than
                                // assume all 16 slots are present; confirm against the SDK
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // see the index list below
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
//结构体数组DataDirectory
DataDirectory[0] = EXPORT Directory;
DataDirectory[1] = IMPORT Directory;
DataDirectory[2] = RESOURCE Directory;
DataDirectory[3] = EXCEPTION Directory;
DataDirectory[4] = SECURITY Directory;
DataDirectory[5] = BASERELOC Directory;
DataDirectory[6] = DEBUG Directory;
DataDirectory[7] = COPYRIGHT Directory;
DataDirectory[8] = GLOBALPTR Directory;
DataDirectory[9] = TLS Directory;
DataDirectory[0xA] = LOAD_CONFIG Directory;
DataDirectory[0xB] = BOUND_IMPORT Directory;
DataDirectory[0xC] = IAT Directory;
DataDirectory[0xD] = DELAY_IMPORT Directory;
DataDirectory[0xE] = COM_DESCRIPTOR Directory;
DataDirectory[0xF] = Reserved Directory;
4.节区头
在节区头分别对data,resource,code三个节区进行设置特性和访问权限等操作。三个节区头分别控制各自所对应的节区。
#define IMAGE_SIZEOF_SHORT_NAME 8 // length of a section name in the section header
typedef struct _IMAGE_SECTION_HEADER // section header; one per section (e.g. code, data, resource)
{
    BYTE NAME[IMAGE_SIZEOF_SHORT_NAME]; // section name, 8 bytes
                                        // NOTE(review): the Windows SDK spells this field `Name`
                                        // (kept as written); an 8-byte name is not guaranteed to
                                        // be NUL-terminated — confirm before treating it as a C string
    union
    {
        DWORD PhysicalAddress;
        DWORD VirtualSize;               // size of the section in memory
    } Misc;
    DWORD VirtualAddress;                // start address (RVA) of the section in memory
    DWORD SizeOfRawData;                 // size of the section in the file on disk
    DWORD PointerToRawData;              // file offset of the section's data on disk
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD NumberOfRelocations;
    WORD NumberOfLinenumbers;
    DWORD Characteristics;               // section attributes: whether it holds code or data,
                                         // and whether it is executable, readable, writable, etc.
}IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
以上是我整理的需要学习的重点,如有不足,望大佬指点
来源:CSDN
作者:EloflyS
链接:https://blog.csdn.net/yzaxiloveyou/article/details/104329885