PE文件结构详解对照《加密与破解》第十章Word文档下载推荐.docx
- 文档编号:4459773
- 上传时间:2023-05-03
- 格式:DOCX
- 页数:10
- 大小:46.16KB
PE文件结构详解对照《加密与破解》第十章Word文档下载推荐.docx
《PE文件结构详解对照《加密与破解》第十章Word文档下载推荐.docx》由会员分享,可在线阅读,更多相关《PE文件结构详解对照《加密与破解》第十章Word文档下载推荐.docx(10页珍藏版)》请在冰点文库上搜索。
NumberOfSymbolsSizeOfO
ptionalHeader
Characte
risticsMagic
SizeOfCodee_lfanew
Signature
MachineNumberOf
SectionsTimeDataStamp
PointerTpSymbolTable
e_oemid
e_oemin
fo
e_res2
e_ss
e_sp
e_csume_ipe_cs
e_lfarl
c
e_ovnoe_res
PE文件结构
DOS"
MZ"
HEADER
e_magice_cblpe_cpe_crlc
e_cparhdre_minalloce_maxal
loc
000000E0
000000F0
00000100
00000110
00000120
00000130
00000140
00000150
DataDirectory(
PE文件头
IMAGE_NT_HEADERS
DataDirectory
IMAGE_DIRECTORY_ENTRY_BASERELOCIMAGE_DIRECTORY_ENTRY_DEBUG
IMAGE_DIRECTORY_ENTRY_IMPORT
IMAGE_DIRECTORY_ENTRY_RESOURCE
IMAGE_DIRECTORY_ENTRY_EXCEPTIONIMAGE_DIRECTORY_ENTRY_SECURITY
LoaderFlags
NumberOfRvaAndSizes
IMAGE_DIRECTORY_ENTRY_EXPORT
SizeOfStackReserveSizeOfStackCommitSizeOfHeapReserveSizeOfHeapComm
it
SizeOfImageSizeOfHeadersCheckSum
Subsyst
em
DllChar
acteristics
MajorOperatingSystemVersionMinorOp
eratingSystemVersion
MajorImageVersionMinorImageVersionMajorSubsystemVersionMinorSu
bsystem
Version
Win32VersionVa
lue
BaseOfDataImageBase
SectionAlignme
nt
FileAlignment
SizeOfInitializedDataSizeOfUninitializedDataAddressOfEntry
Point
BaseOfCode
00000160
00000170
00000180
00000190
000001A0
000001B0
000001C0
000001D0
000001E0
000001F0
IMAGE_SECTION_HEADER
tory(IMAGE_DATA_DIRECTORY区块表头部
NumberOfRelocationsNumberO
fLinenumbers
CharacteristicsName(.data
SizeOfRawDataPointerToRawData
PointerToRelocationsPointerToLinen
umbers
Name(.rdataVirtualSizeVirtualAddress
IMAGE_SECTION_HEADERIMAGE_SECTION_HEADER
Characteristics
VirtualSizeVirtualAddressSizeOfRawDataPointerToRawData
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORTIMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
最后15是预留位置。
Name(.textDataDirectory
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORTIMAGE_DIRECTORY_ENTRY_IAT
IMAGE_DIRECTORY_ENTRY_COPYRIGHTIMAGE_DIRECTORY_ENTRY_GLOBALPTR
IMAGE_DIRECTORY_ENTRY_TLSIMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
00000200
00000210
00000600
00000610
00000620
00000630
00000640
00000650
00000660
IMAGE_IMPORT_DIRECTORY
FirstThunk
IMAGE_THUNK_DATAFirstThunk
OriginalFirstThunk
TimeDateStampForwarderChain
IMAGE_IMPORT_DIRECTORY2
TimeDateStampForwarderChainName
IMAGE_IMPORT_DIRECTORY1
ImportAddressTable(IAT
IAT:
USER32
KERNEL32.dllIMAGE_SECTION_HEADER
0000067000000680
00000690
000006A0
000006B0
000006C0
000006D0
000006E0
000006F0
00000700
TORY
IMAGE_THUNK_DATA
User31.
User32.
区块表
文件输入表
INT:
USER32.dllImportNameTable(INT
KERNEL32.dll
USER32.dll
ImportNameTable(INT
INT
NameFirstThunk
000007100000072000000730000007400000075000000760000007700000078000000790000007A0000007B0er31.dll的函数KERNEL31.dll的函数er32.dll的函数KERNEL32.dll的函数
b0h
块表有3个?
VirtualAddresssizeb0h+80h130000020403ch
偏移大小00h8h0ch4h08h4h14h4h10h4h24h4h600hPointerToRowDataRoffset从IMAGE_FILE_HEADER的B6h处NumberOfSections可知知道有三个块表:
NumberOfSections-----0003hSizeOfRawData
RSizeCharacteristicsFlagVirtualSize
VSizePointerToRowData
RoffsetIMAGE_SECTION_HEADER
SectionTableName
NameVirtualAddress
VOffset
从IMAGE_OPTIONAL_HEADER32的E8h处SectionAlignment可知块对齐大小为1000h块表位于目录表之后:
PE头B0h+目录表最后偏移F7h=1A71A8为第一个块表的首地址从VirtualAddress可知三个块表的首地址为00001000,00002000,000030002040位于.rdata块中Roffset600h∆k=VOffset(VirtualAddress-Roffset(PointerToRowData∆k=2000h-600h=1A00hFileOffset=RVA-∆k=2040h-1A00h=640h(这就是输入表的位置)Name实际上是Dll的地址RVA,换算成FlieOffset=2174h-1A00h=774hINT:
OriginalFirstThunk实际上是Dll中函数的地址RVA,换算成FlieOffset=208Ch-1A00h=68ChIAT:
FirstThunk实际上是Dll中函数的地址RVA,换算成FlieOffset=2010h-1A00h=610hName实际上是Dll的地址RVA,换算成FlieOffset=21B4h-1A00h=7B4h
INT:
OriginalFirstThunk实际上是Dll中函数的地址RVA,换算成FlieOffset=207Ch-1A00h=67ChIAT:
FirstThunk实际上是Dll中函数的地址RVA,换算成FlieOffset=2000h-1A00h=600hForwarderStringFunctionOrdinalAddressOfDataCreateWindowExADefWindowProcADispatchMessageAGetMessageALoadCursorA
LoadIconAPostQuitMessageRegisterClassExAShowWindowTranslateMessageUpdateWindowUSER32.dllExitProcessGetCommandLineAGetModuleHandleAKERNEL32.dll
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- 加密与破解 PE 文件 结构 详解 对照 加密 破解 第十