实验任务-PE文件格式实验
PE文件分析
Hello-2.5.exe程序-PE文件格式分析姓名:__ ___ 学号:_____0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ?.......... 00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ?......@....... 00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 ; ............?.. 00000040h: 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ; ..?.???L?Th00000050h: 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F ; is program canno 00000060h: 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 ; t be run in DOS 00000070h: 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 ; mode....$....... 00000080h: 5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B ; ]e..摏..摏..摏00000090h: 97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B ; ?€?.摏?仜..摏000000a0h: 52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00 ; Rich..摏........ 000000b0h: 50 45 00 004C 01 03 00 9B 4D 8F 42 00 00 00 00 ; PE..L...汳廈.... 000000c0h: 00 00 00 00 E0 00 0F 010B 01 05 0C 00 02 00 00 ; ....?.......... 000000d0h: 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ; ................ 000000e0h: 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 ; . ....@......... 000000f0h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ; ................ 00000100h: 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 ; .@.............. 00000110h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ; ................ 00000120h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000130h: 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 ; . ..<........... 00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000180h: 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00 ; ......... ...... 00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000001a0h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ; .........text... 000001b0h: 46 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 ; F............... 000001c0h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ; ............ ..` 000001d0h: 2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00 ; .rdata..?... .. 000001e0h: 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ; ................ 000001f0h: 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ; ....@..@.data... 00000200h: 8E 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00 ; ?...0.......... 00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ; ............@..? 00000220h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000230h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000240h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000250h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000260h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000270h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................00000280h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000290h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F---------------------------------------------------------------------------- 000002a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000300h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000310h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000320h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000330h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000340h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000350h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000360h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000370h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000380h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000390h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000400h: 68 40 10 00 00 68 00 30 40 00 68 09 30 40 00 6A ; h@...h.0@.h.0@.j 00000410h: 00 E8 2A 00 00 00 68 40 10 00 00 68 00 30 40 00 ; .?...h@...h.0@. 00000420h: 68 31 30 40 00 6A 00 E8 14 00 00 00 6A 00 E8 01 ; h10@.j.?...j.? 00000430h: 00 00 00 CC FF 25 00 20 40 00 FF 25 0C 20 40 00 ; ...?%. @.%. @. 00000440h: FF 25 08 20 40 00 00 00 00 00 00 00 00 00 00 00 ; %. @........... 00000450h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000460h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000470h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000480h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000490h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000500h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000510h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000520h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000530h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000540h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000550h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000560h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................1.MZ文件头(0x40)2.DOSStub3.PE文件头[开始于000000B0 ](PE标识、映像文件头(0x14)、可选文件头)4.节表填充文件头续填充部分5.代码节实际大小46H对齐后大小200H00000570h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000580h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000590h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000600h: 64 20 00 00 00 00 00 00 8C 20 00 00 80 20 00 00 ; d ......?..€ .. 00000610h: 00 00 00 00 50 20 00 00 00 00 00 00 00 00 00 00 ; ....P .......... 00000620h: 72 20 00 00 00 20 00 00 58 20 00 00 00 00 00 00 ; r ... ..X ...... 00000630h: 00 00 00 00 9A 20 00 00 08 20 00 00 00 00 00 00 ; ....?... ...... 00000640h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000650h: 64 20 00 00 00 00 00 00 8C 20 00 00 80 20 00 00 ; d ......?..€ .. 00000660h: 00 00 00 00 80 00 45 78 69 74 50 72 6F 63 65 73 ; ....€.ExitProces 00000670h: 73 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 ; s.kernel32.dll.. 00000680h: 62 02 77 73 70 72 69 6E 74 66 41 00 9D 01 4D 65 ; b.wsprintfA.?Me 00000690h: 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 33 32 ; er32 000006a0h: 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 ; .dll............ 000006b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000700h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000710h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000720h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000730h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000740h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000750h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000760h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000770h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000780h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000790h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000800h: BD CC D1 A7 B2 E2 CA D4 00 50 45 C8 EB BF DA B5 ; 教学测试.PE入口? 00000810h: E3 B2 E2 CA D4 31 A3 BA BD F8 C8 EB B5 DA D2 BB ; 悴馐?:进入第一00000820h: C8 EB BF DA CE BB D6 C3 34 30 31 30 30 30 48 21 ; 入口位置401000H! 00000830h: 00 50 45 C8 EB BF DA B5 E3 B2 E2 CA D4 32 A3 BA ; .PE入口点测试2:00000840h: BD F8 C8 EB B5 DA B6 FE C8 EB BF DA CE BB D6 C3 ; 进入第二入口位置00000850h: 34 30 31 30 31 36 48 21 00 00 00 00 00 00 00 00 ; 401016H!........ 00000860h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000870h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000880h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000890h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000900h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000910h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000920h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000930h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000940h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000950h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000960h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000970h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000980h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000990h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................要求:1.分割PE文件的各个部分:MZ头部+DOS Stub+PE文件头+可选文件头+节表+节2.标明各个关键字段结构和字段,及其含义3.详细分析函数引入表中的各个字段及其关系答:1.如图所示:各段颜色标记如图。
PE文件结构分析及应用
PE文件结构分析,这里我就直接从网上摘抄了,都千篇一律常见的PE文件有EXE、DLL、OCX、SYS、COM,像位图文件一样,它们也有固定的格式,PE 文件是由五大部分构成,如下所示:1:DOS MZ Header(DOS文件头)一个IMAGE_DOS_HEADER结构,大小为64字节2:DOS Stub(DOS加载模块)没有固定大小3:PE Header(PE文件头)一个IMAGE_NT_HEADERS结构,大小为248字节4:Section Table(节表)一个IMAGE_SECTION_HEADER结构数组,数组大小依据节而定,如果PE文件有5个节,则数组大小为55:Sections(节或段)没有固定大小,可以有多个节。
第一二部分DOS文件头和DOS加载模块PE文件的一二部分完全是为了程序能在DOS运行下时给出一个提示,在Windows下几乎已经没什么作用了,所以我们只要了解IMAGE_DOS_HEADER里的e_lfanew成员,这个成员指明了IMAGE_NT_HEADERS(PE文件头)在PE文件中的偏移量(位置)IMAGE_DOS_HEADER结构的定义,以及各成员的意思typedef struct _IMAGE_DOS_HEADER { // DOS的.EXE头部WORD e_magic; // 魔术数字WORD e_cblp; // 文件最后页的字节数WORD e_cp; // 文件页数WORD e_crlc; // 重定义元素个数WORD e_cparhdr; // 头部尺寸,以段落为单位WORD e_minalloc; // 所需的最小附加段WORD e_maxalloc; // 所需的最大附加段WORD e_ss; // 初始的SS值(相对偏移量)WORD e_sp; // 初始的SP值WORD e_csum; // 校验和WORD e_ip; // 初始的IP值WORD e_cs; // 初始的CS值(相对偏移量)WORD e_lfarlc; // 重分配表文件地址WORD e_ovno; // 覆盖号WORD e_res[4]; // 保留字WORD e_oemid; // OEM标识符(相对e_oeminfo)WORD e_oeminfo; // OEM信息WORD e_res2[10]; // 保留字LONG e_lfanew; // 新exe头部的文件地址} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;第三部分PE文件头IMAGE_NT_HEADERS结构定义及其各成员意思typedef struct _IMAGE_NT_HEADERS {DWORD Signature; // PE文件头标志:"PE\0\0",占4字节IMAGE_FILE_HEADER FileHeader; // PE文件物理分布的信息,占20字节IMAGE_OPTIONAL_HEADER32 OptionalHeader; // PE文件逻辑分布的信息,占224字节} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS; IMAGE_FILE_HEADER结构定义及其成员意思typedef struct _IMAGE_FILE_HEADER {WORD Machine;//表示该程序要执行的环境及平台,0x14c Intel 80386 处理器以上 0x014d Intel 80486 处理器以上。
逆向分析实验2PE文件结构分析
实验二PE文件结构分析一. 实验目的1.了解PE文件的输入表结构;2.手工解析PE文件的输入表;3.编程实现PE文件输入表的解析。
二. 实验内容1.第一步:手动解析输入表结构(1)使用工具箱中的工具e verything,寻找当前系统中任意一个e xe文件,文件名称是: actmovie.exe(2)使用LordPE“PE编辑器”打开exe文件,确定输入表的RVA,截图如下(图1):(3)点击PE编辑器右侧的“位置计算器”,得到文件偏移值,截图如下(图2):(4)使用16进制编辑工具,跳转到相应的输入文件偏移地址,输入表是每个IID对应一个DLL,根据IID大小,这里取20字节的数据进行分析,将输入表第一个IID结构的数据与IID结构体的成员一一对应,具体如下所示:IMAGE_IMPORT_DESCRIPTOR {OriginalFirstThunk = 000013C0TimeDateStamp = FFFFFFFFForwarderChain = FFFFFFFFName = 000014C0FirstThunk = 0000100C}(5)关注OriginalFirstThunk和Name两个成员,其中Name是一个RVA,用步骤(3)的方法得到其文件偏移值为 000008C0 ,在16进制编辑工具转到这个偏移地址,可见输入表的第一个D LL名为 msvcrt.dll ,截图如下(图3):(6)分析一下OriginalFirstThunk,它指向一个类型为IMAGE_THUNK_DATA的数组,上面已经分析出了它的值为000013C0 ,这是一个RVA,用步骤(3)的方法得到文件偏移地址 00007C0 。
在16进制编辑工具转到这个偏移地址,其中前面4个字节的数据为 63 5F 00 C8 ,截图如下(图4):(7)可以看出,这是以序号(填“以名字”或“以序号”)的方式输入函数;用与步骤(3)相同的方式在16进制编辑工具中对应IMAGE_IMPORT_BY_NAME结构的数据,可以看到函数的输入序号为 20 ,函数名为 cexit ,截图如下(图5):(8)验证:使用L ordPE单击“目录表”界面中输入表右侧的“…按钮”,打开输入表对话框,可以验证获取的DLL名和函数名是否正确。
PE类检测试验操作规程
熔体质量流动速率试验操作规程编号:QG/ZCJ-700-008-01-2004 一、参照标准:GB/T3682-2000热塑性塑料熔体质量流动速率和熔体体积流动速率的测定。
二、原理被测样品在规定的试验温度和载荷条件下,10分钟所经过口模的流量。
三、试样的制备:PP-R、PE-RT、PE100试样为3~4gPE80、PE63 试样为4~5g只要能装入料筒内膛,试样可以为任何形状,如:粉料、粒料或薄膜碎片。
四、操作步骤(质量流动速率法):1、调整水平,将水平仪放入料筒中,调整仪器的地脚至水平仪气泡在圈线的中心即为调好;2、将料筒清洗器缠纱布清洗料膛中的异物;3、推上口模挡板,将口模放入膛内;4、打开温控开关,检查仪器是否正常。
在温度控制面板上设定所需温度。
(PP-R为230℃,PE、PE-RT为190℃,将带活塞的砝码插入料筒内升温.)5、按“设置”键,选择质量法,先设定切割次数一般为6~8次,最多不超过10次,根据样条切断长度最好为10~20mm,设定切割时间,一般PP-R、PE-RT、PE100为120s,PE80、PE63为100s。
6、按启动键进入试验阶段,当温度升到设定温度后,进入15分钟的恒温过程SHEO,提前10s发出音响提示,自动转为加料(JIAO)阶段,时间为60s接着转入4分钟的料样温度恢复阶段,提前10s 提示,并转到1分钟压料阶段(YA00),PP-R、PE-RT加砝码质量为2.16Kg,PE加砝码质量为5.0Kg,然后转入切割阶段,每到设定切割时间切割一次直到完成切割设定次数为止,在样品中选择适量无气泡的连续样品,冷却后在分析天平上称量并计算结果。
7、质量法的熔体流动速率计算公式:MFR=600W/T式中:MFR—熔体质量流动速率,单位g/10minW —切取样条重量的算术平均值,单位gT —切样时间间隔单位为s。
管材、管件耐内压试验操作规程编号:QG/ZCJ-700-008-02-2004一、参照标准:GB/T6111-2003 流体输送用热塑性塑料管材耐内压试验方法二、原理试样经状态调节后,在规定的恒定静液压下保持一个规定的时间或直到试样破坏。
pe格式化方法
pe格式化方法PE格式(Portable Executable format)是Windows操作系统下的一种可执行文件的格式标准,它定义了可执行文件、动态链接库(DLL)和驱动程序等二进制文件的结构和标识方法。
本文将介绍PE格式化的基本原理和方法,并举例说明。
一、PE格式基本原理1. PE格式定义:PE格式是一种COFF(Common Object File Format)文件格式的变体,用于描述32位和64位Windows可执行文件的结构和组织。
2. 文件头部分:PE格式文件的开头是一个固定大小的文件头(File Header),用于描述整个PE文件的组织结构和属性信息,如文件类型、目标体系结构、节表位置等。
3. 节部分:紧随文件头部分的是节(Section)部分,它描述了PE格式文件中各个段或区块的属性和内容,如代码段、数据段、资源段等。
4. 数据目录:PE格式文件中包含了多个数据目录(Data Directory),每个数据目录描述了PE文件中某个特定功能的位置和大小信息,如导入表、导出表、资源表等。
1. 创建空白PE文件:使用合适的开发工具,如Visual Studio等,新建一个空白的PE 文件。
2. 定义文件头:根据所需的文件类型和目标体系结构,填写文件头部分的属性信息。
如指定文件类型为可执行文件(Executable)、目标体系结构为32位或64位等。
3. 定义节表:根据需求,定义PE文件中的各个节的属性和内容,如代码段、数据段、资源段等。
可以使用合适的工具,如Hex编辑器等,手动修改节表。
4. 填充数据目录:根据PE格式的规定,将所需的功能的位置和大小信息填写入数据目录表中,如导入表、导出表、资源表等。
5. 填充节内容:根据需求,将代码、数据和资源等内容填写入相应的节中。
可以使用合适的工具,如文本编辑器等,手动修改和填充节内容。
6. 调整文件大小:根据实际内容大小,调整整个PE文件的大小,确保文件大小与实际内容相符。
pe文件格式
·PointerToRawData。这是一个文件中段实体位置的偏移量。
ULONG SizeOfData;
ULONG AddressOfRawData;
ULONG PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
这个段被分为单独的部分,每个部分为不同种类的调试信息数据。对于每个部分来说都是一个像上边一样的调试目录。不同的调试信息种类如下:
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
PE文件规范由目前为止定义的那些头部以及一个名为“段”的一般对象组成。段包含了文件的内容,包括代码、数据、资源以及其它可执行信息,
每个段都有一个头部和一个实体(原始数据)。我将在下面描述段头部的有关信息,但是段实体则缺少一个严格的文件结构。因此,它们几乎可以
被链接器按任何的方法组织,只要它的头部填充了足够能够解释数据的信息。
段头部
PE文件格式中,所有的段头部位于可选头部之后。每个段头部为40个字节长,并且没有任何的填充信息。段头部被定义为以下的结构:
PE文件格式详解(一)
PE文件格式详解(一)0x00 前言PE文件是portable File Format(可移植文件)的简写,我们比较熟悉的DLL和exe文件都是PE文件。
了解PE文件格式有助于加深对操作系统的理解,掌握可执行文件的数据结构机器运行机制,对于逆向破解,加壳等安全方面方面的同学极其重要。
接下来我将通过接下来几篇详细介绍PE文件的格式。
0x01 基本概念PE文件使用的是一个平面地址空间,所有代码和数据都被合并在一起,组成一个很大的组织结构。
文件的内容分割为不同的区块(Setion,又称区段,节等),区段中包含代码数据,各个区块按照页边界来对齐,区块没有限制大小,是一个连续的结构。
每块都有他自己在内存中的属性,比如:这个块是否可读可写,或者只读等等。
认识PE文件不是作为单一内存映射文件被装入内存是很重要的,windows加载器(PE加载器)便利PE文件并决定文件的哪个部分被映射,这种映射方式是将文件较高的偏移位置映射到较高的内存地址中。
当磁盘的数据结构中寻找一些内容,那么几乎能在被装入到内存映射文件中找到相同的信息。
但是数据之间的位置可能改变,其某项的偏移地址可能区别于原始的偏移位置,不管怎么样,所表现出来的信息都允许从磁盘文件到内存偏移的转换,如下图:PS:PE文件头以下的地址无论在内存映射中还是在磁盘映射中都是一样的,当内存分页和磁盘分页一致时无需进行地址转换,只有当磁盘分页和内存分页不一样时才要进行地址转化,这点很重要,拿到PE文件是首先查看分页是否一致。
前两天一直没碰到内存和磁盘分页不一样的,所以这个点一直没发现,今天特来补上。
下面要介绍几个重要概念,分别是基地址(ImageBase),相对虚拟地址(Relative Virtual Address),文件偏移地址(File Offset)。
1)基地址定义:当PE文件通过Windows加载器被装入内存后,内存中的版本被称作模块(Module)。
映射文件的起始地址被称作模块句柄(hMoudule),可以通过模块句柄访问其他的数据结构。
PE文件格式(内容详细)
简介
在DOS环境下有四种基本的可执行文件格式
批处理文件,以.BAT结尾的文件
设备驱动文件,是以.SYS结尾的文件,如CONFIG.SYS
COM文件,是以.COM结尾的纯代码文件
• 没有文件头部分,缺省情况下总是从0x100H处开始执行, 没有重定位项,所有代码和数据必须控制在64K以内
在Win32位平台可执行文件格式:可移植的可执行文件 (Portable Executable File)格式,即PE格式。MZ文件头 之后是一个以“PE”开始的文件头
安装在硬盘上的程序没运行-静态 加载到内存-动态
EXE文件的格式
MZ文件格式-Mark Zbikowski
.EXE文件由三部分构成:文件头、重定位表和二进制代码 允许代码、数据、堆栈分别处于不同的段,每一段都可以是64KB.
EXE文件的格式
PE文件格式
一般来说,病毒往往先于HOST程序获得控制权。运行 Win32病毒的一般流程示意如下:
①用户点击或系统自动运行HOST程序; ②装载HOST程序到内存;
③通过PE文件中的AddressOfEntryPoint+ImageBase,
定位第一条语句的位置(程序入口); ④从第一条语句开始执行(这时执行的其实是病毒代码); ⑤病毒主体代码执行完毕,将控制权交给HOST程序原来的
病毒通过“MZ”、“PE”这两个标志,初步判断当前程序 是否是目标文件——PE文件。如果要精确校验指定文件是 否为一有效PE文件,则可以检验PE文件格式里的各个数 据结构,或者仅校验一些关键数据结构。大多数情况下, 没有必要校验文件里的每一个数据结构,只要一些关键数 据结构有效,就可以认为是有效的PE文件
PE的意思就是Portable Executable(可移植、可执 行),它是Win32可执行文件的标准格式
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
实验名称:PE文件格式实验
实现目的:本实验是根据PE文件结构及其运行原理而设计的实验。
通过该实验,读者可以了解PE文件的结构,为进一步学习PE文件病毒原理奠定基础。
实验环境:
运行环境:Windows 2000、Windows 9x、Windows NT以及Windows XP。
编译环境:Visual Studio 6.0
实验步骤:
使用编译环境打开源代码工程,编译后可以生成可执行文件winpe.exe。
预备步骤:找任意一个Win32下的EXE文件作为查看对象。
运行winpe.exe,并打开任一exe文件,选择不同的菜单,可以查看到exe文件的内部结构。
WinPE 察看器演示
Exe
Dll
源代码级PE察看器演示。