PE file structure

[Figure: annotated hex dump of a PE file, offsets 00000000 to 00000210 and 00000600 to 000007B0, with every field labelled. The regions shown are listed below.]

MS-DOS header (DOS "MZ" HEADER): e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno, e_res, e_oemid, e_oeminfo, e_res2, e_lfanew, followed by the DOS stub.

PE file header (IMAGE_NT_HEADERS): Signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32.
IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
IMAGE_OPTIONAL_HEADER32: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment, MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion, MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion, Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics, SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit, LoaderFlags, NumberOfRvaAndSizes, DataDirectory.
DataDirectory (IMAGE_DATA_DIRECTORY): IMAGE_DIRECTORY_ENTRY_EXPORT, IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_COPYRIGHT, IMAGE_DIRECTORY_ENTRY_GLOBALPTR, IMAGE_DIRECTORY_ENTRY_TLS, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. The last entry, 15, is reserved.

Section table (IMAGE_SECTION_HEADER entries for .text, .rdata and .data): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.

File import table: IMAGE_IMPORT_DIRECTORY 1 and 2 (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk), the Import Address Table (IAT) and Import Name Table (INT) for USER32.dll and KERNEL32.dll, built from IMAGE_THUNK_DATA entries, and the function names of USER32.dll and KERNEL32.dll.
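Locating the import table

PE header offset: B0h

NumberOfSections at offset B6h in IMAGE_FILE_HEADER shows that there are three section table entries:
NumberOfSections ----- 0003h

The section table follows the directory table: PE header B0h + last offset of the directory table F7h = 1A7
1A8 is the start of the first section table entry.

IMAGE_SECTION_HEADER (Section Table) fields:

Field              Alias     Offset   Size
Name               Name      00h      8h
VirtualAddress     VOffset   0Ch      4h
VirtualSize        VSize     08h      4h
PointerToRawData   ROffset   14h      4h
SizeOfRawData      RSize     10h      4h
Characteristics    Flag      24h      4h

SectionAlignment at offset E8h in IMAGE_OPTIONAL_HEADER32 shows that the section alignment is 1000h.
From VirtualAddress, the three sections start at 00001000, 00002000 and 00003000.

Data directory entry at B0h + 80h = 130h:
VirtualAddress 00002040, size 3Ch

2040 lies in the .rdata section, whose ROffset (PointerToRawData) is 600h.

Δk = VOffset (VirtualAddress) - ROffset (PointerToRawData)
Δk = 2000h - 600h = 1A00h
FileOffset = RVA - Δk = 2040h - 1A00h = 640h (this is the location of the import table)

Name is actually the RVA of the DLL name; converted: FileOffset = 21B4h - 1A00h = 7B4h
INT: OriginalFirstThunk is actually the RVA of the DLL's function entries; converted: FileOffset = 208Ch - 1A00h = 68Ch
IAT: FirstThunk is actually the RVA of the DLL's function entries; converted: FileOffset = 2010h - 1A00h = 610h
Name is actually the RVA of the DLL name; converted: FileOffset = 2174h - 1A00h = 774h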
IMAGE_THUNK_DATA members: ForwarderString, Function, Ordinal, AddressOfData

IAT: FirstThunk is actually the RVA of the DLL's function entries; converted: FileOffset = 2000h - 1A00h = 600h
INT: OriginalFirstThunk is actually the RVA of the DLL's function entries; converted: FileOffset = 207Ch - 1A00h = 67Ch

Imported names as they appear in the file:
USER32.dll: LoadCursorA, DefWindowProcA, DispatchMessageA, GetMessageA, CreateWindowExA, LoadIconA, PostQuitMessage, RegisterClassExA, ShowWindow, TranslateMessage, UpdateWindow
KERNEL32.dll: ExitProcess, GetCommandLineA, GetModuleHandleA
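The RVA to FileOffset conversion worked through in these notes, generalised to a lookup over the whole section table and to RVAs that have no bytes in the file (an added example, not part of the original notes). Only the three VirtualAddress values, the .rdata PointerToRawData of 600h and the converted RVAs come from the page; the remaining sizes, raw offsets and flags are constructed, and the function names are hypothetical.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes. Field offsets: Name 00h, VirtualSize 08h,
# VirtualAddress 0Ch, SizeOfRawData 10h, PointerToRawData 14h,
# 12 bytes of relocation/line-number fields, Characteristics 24h.
SECTION_FMT = "<8sIIII12xI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def parse_sections(table, count):
    """Parse `count` raw section headers into a list of dicts."""
    if len(table) < count * SECTION_SIZE:
        raise ValueError("section table truncated")
    out = []
    for i in range(count):
        name, vsize, voff, rsize, roff, flags = struct.unpack_from(
            SECTION_FMT, table, i * SECTION_SIZE)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "voffset": voff,
                    "rsize": rsize, "roffset": roff, "flags": flags})
    return out

def rva_to_offset(sections, rva):
    """Return (section name, file offset), or None if the RVA has no file bytes."""
    for s in sections:
        span = max(s["vsize"], s["rsize"])
        if s["voffset"] <= rva < s["voffset"] + span:
            if rva - s["voffset"] >= s["rsize"]:
                return None  # mapped in memory only, past the section's raw data
            delta_k = s["voffset"] - s["roffset"]  # VOffset - ROffset
            return s["name"], rva - delta_k
    return None  # outside every section: a parser should treat this as malformed

# Constructed sample table. From the page: VirtualAddress 1000h/2000h/3000h and
# .rdata PointerToRawData 600h. All other values are made up for the example.
SAMPLE_TABLE = b"".join(struct.pack(SECTION_FMT, *row) for row in [
    (b".text",  0x046, 0x1000, 0x200, 0x400, 0x60000020),
    (b".rdata", 0x1C2, 0x2000, 0x200, 0x600, 0x40000040),
    (b".data",  0x300, 0x3000, 0x200, 0x800, 0xC0000040),
])
SECTIONS = parse_sections(SAMPLE_TABLE, 3)

if __name__ == "__main__":
    # RVAs converted by hand on the page, then two that must be rejected.
    for rva in (0x2040, 0x21B4, 0x2174, 0x208C, 0x2010, 0x3250, 0x5000):
        hit = rva_to_offset(SECTIONS, rva)
        print(f"{rva:04X}h ->", f"{hit[0]} {hit[1]:X}h" if hit else "no file offset")
```

Returning None instead of a guessed offset matters when the headers are untrusted: a data directory RVA that falls outside every section, or into a section's uninitialised tail, should stop parsing rather than be read from an arbitrary file position.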