PE文件格式(3)
(__imp__WriteConsoleA@20,at0x224)
AddressOfData ???????? ;RVAtofunctionname"WriteConsoleA"
(__imp__GetStdHandle@4,at0x228)
AddressOfData ???????? ;RVAtofunctionname"GetStdHandle"
00000000 ;terminator
现在只剩下两个 IMAGE_IMPORT_BY_NAME 结构(即两个函数名)了,从文件偏移 0x230 开始:
0100 ;ordinal,neednotbecorrect
5772697465436f6e736f6c654100 ;"WriteConsoleA"
0200 ;ordinal,neednotbecorrect
47657453746448616e646c6500 ;"GetStdHandle"
下面填充到0x260:
00000000000000000000000000000000;padding
00
------------
到此结束。现在我们已经知道了所有的字节偏移量,可以回过头去修补各处的地址和尺寸字段了。注意:因为 SectionAlignment 和 FileAlignment 都取 0x20,各节的 RVA 与其文件偏移相同(VirtualAddress == PointerToRawData),所以下面每个 RVA 都可以直接用文件偏移来核对。
DOS-header,startingat0x0:
00|4d5a0000000000000000000000000000
10|00000000000000000000000000000000
20|00000000000000000000000000000000
30|00000000000000000000000040000000
signature,startingat0x40:
50450000
file-header,startingat0x44:
Machine 4c01 ;i386
NumberOfSections 0200 ;codeanddata
TimeDateStamp 00000000;whocares?
PointerToSymbolTable 00000000;unused
NumberOfSymbols 00000000;unused
SizeOfOptionalHeader e000 ;constant
Characteristics 0201 ; 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE; note IMAGE_FILE_RELOCS_STRIPPED (0x0001) is not set even though the image has no relocation table (base relocation directory below is empty) and so cannot be rebased
optionalheader,startingat0x58:
Magic 0b01 ;constant
MajorLinkerVersion 00 ;I'mversion0.0:-)
MinorLinkerVersion 00 ;
SizeOfCode 20000000;32bytesofcode
SizeOfInitializedData a0000000;datasectionsize
SizeOfUninitializedData 00000000;wedon'thaveaBSS
AddressOfEntryPoint a0010000;beginningofcodesection
BaseOfCode a0010000;RVAtocodesection
BaseOfData c0010000;RVAtodatasection
ImageBase 00001000 ; 0x00100000 (1 MB), chosen arbitrarily; with no relocation table, the absolute addresses hard-coded in the code section (e.g. 0x001001c0, 0x00100228) depend on the image actually being mapped at this base
SectionAlignment 20000000;32-bytes-alignment
FileAlignment 20000000;32-bytes-alignment
MajorOperatingSystemVersion 0400 ;NT4.0
MinorOperatingSystemVersion 0000 ;
MajorImageVersion 0000 ;version0.0
MinorImageVersion 0000 ;
MajorSubsystemVersion 0400 ;Win324.0
MinorSubsystemVersion 0000 ;
Win32VersionValue 00000000;unused?
SizeOfImage c0000000 ; sum of the section sizes only (0xc0) — this contradicts the definition given earlier: SizeOfImage must cover the headers plus all sections, rounded up to SectionAlignment, which here is 0x260 (SizeOfHeaders 0x1a0 + 0x20 code + 0xa0 data, i.e. the "first unused byte" below). Loaders that validate this field are likely to reject a value smaller than SizeOfHeaders; the consistent value would be 60020000.
SizeOfHeaders a0010000;offsetto1stsection
CheckSum 00000000;notusedfornon-drivers
Subsystem 0300 ;Win32console
DllCharacteristics 0000 ; no flags set. The field applies to EXEs as well, not only DLLs: with DYNAMIC_BASE and NX_COMPAT clear the image opts in to neither ASLR nor DEP — acceptable for a demo, not for real software
SizeOfStackReserve 00001000;1MBstack
SizeOfStackCommit 00100000;4KBtostartwith
SizeOfHeapReserve 00001000;1MBheap
SizeOfHeapCommit 00100000;4KBtostartwith
LoaderFlags 00000000;unknown
NumberOfRvaAndSizes 10000000;constant
datadirectories,startingat0xb8:
Address Size
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_EXPORT(0)
e0010000 6f000000 ;IMAGE_DIRECTORY_ENTRY_IMPORT(1)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_RESOURCE(2)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_EXCEPTION(3)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_SECURITY(4)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_BASERELOC(5)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_DEBUG(6)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_COPYRIGHT(7)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_GLOBALPTR(8)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_TLS(9)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG(10)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT(11)
00000000 00000000 ;IMAGE_DIRECTORY_ENTRY_IAT(12)
00000000 00000000 ;13
00000000 00000000 ;14
00000000 00000000 ;15
sectionheader(code),startingat0x138:
Name 2e636f6465000000 ;".code"
VirtualSize 00000000 ;unused
VirtualAddress a0010000 ;RVAtocodesection
SizeOfRawData 20000000 ;sizeofcode
PointerToRawData a0010000 ;fileoffsettocodesection
PointerToRelocations00000000 ;unused
PointerToLinenumbers00000000 ;unused
NumberOfRelocations 0000 ;unused
NumberOfLinenumbers 0000 ;unused
Characteristics 20000060 ;code,executable,readable
sectionheader(data),startingat0x160:
Name 2e64617461000000 ;".data"
VirtualSize 00000000 ;unused
VirtualAddress c0010000 ;RVAtodatasection
SizeOfRawData a0000000 ;sizeofdatasection
PointerToRawData c0010000 ;fileoffsettodatasection
PointerToRelocations00000000 ;unused
PointerToLinenumbers00000000 ;unused
NumberOfRelocations 0000 ;unused
NumberOfLinenumbers 0000 ;unused
Characteristics 400000c0 ;initialized,readable,writeable
(padding)
000000000000 ;padding
000000000000
000000000000
000000000000
codesection,startingat0x1a0:
6A00 ;push 0x00000000
68d0011000 ;push offset_written
6A0D ;push 0x0000000d
68c0011000 ;push offsethello_string
6AF5 ; push 0xfffffff5 = -11 = STD_OUTPUT_HANDLE, the argument for GetStdHandle
2EFF1528021000 ; call dword ptr cs:[0x00100228] = __imp__GetStdHandle@4 — indirect call through the first-thunk (IAT) slot at RVA 0x228, which the loader overwrites with the resolved address
50 ;push eax
2EFF1524021000 ; call dword ptr cs:[0x00100224] = __imp__WriteConsoleA@20 — indirect call through the first-thunk (IAT) slot at RVA 0x224
C3 ;ret
datasection,beginningat0x1c0:
68656C6C6F2C20776F726C640A ; "hello, world\n" (13 bytes, matching the push 0x0d character count above)
000000 ;paddingtoalign_written
00000000 ;_written
padding:
000000000000000000000000 ;padding
IMAGE_IMPORT_DESCRIPTOR,startingat0x1e0:
OriginalFirstThunk 18020000 ;RVAtoorig.1stthunk
TimeDateStamp 00000000 ;unbound
ForwarderChain ffffffff ;noforwarders
Name 08020000 ;RVAtoDLLname
FirstThunk 24020000 ;RVAto1stthunk
terminator(0x1f4):
OriginalFirstThunk 00000000 ;terminator
TimeDateStamp 00000000 ;
ForwarderChain 00000000 ;
Name 00000000 ;
FirstThunk 00000000 ;
TheDLLname,at0x208:
6b65726e656c33322e646c6c00 ;"kernel32.dll"
000000 ;paddingto32-bit-boundary
originalfirstthunk,startingat0x218:
AddressOfData 30020000 ;RVAtofunctionname"WriteConsoleA"
AddressOfData 40020000 ;RVAtofunctionname"GetStdHandle"
00000000 ;terminator
firstthunk,startingat0x224:
AddressOfData 30020000 ;RVAtofunctionname"WriteConsoleA"
AddressOfData 40020000 ;RVAtofunctionname"GetStdHandle"
00000000 ;terminator
IMAGE_IMPORT_BY_NAME,atbyte0x230:
0100 ;ordinal,neednotbecorrect
5772697465436f6e736f6c654100 ;"WriteConsoleA"
IMAGE_IMPORT_BY_NAME,atbyte0x240:
0200 ;ordinal,neednotbecorrect
47657453746448616e646c6500 ;"GetStdHandle"
(padding)
00000000000000000000000000000000;padding
00
Firstunusedbyte:0x260
--------------
由于这里使用的是 32 字节的节对齐(而不是 Windows 9x 所要求的页对齐),该程序在 Windows 98 下无法运行,只能在 NT 下运行;要想在 Win98 下运行,必须插入大量的 0 填充,并相应地修改所有 RVA 以及各个尺寸字段。