实验2 PE文件格式分析

Hello-2.5.exe程序-PE文件格式分析姓名：__ ___ 学号：_____0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ?.......... 00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ?......@....... 00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 ; ............?.. 00000040h: 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ; ..?.???L?Th00000050h: 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F ; is program canno 00000060h: 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 ; t be run in DOS 00000070h: 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 ; mode....$....... 00000080h: 5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B ; ]e..摏..摏..摏00000090h: 97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B ; ?€?.摏?仜..摏000000a0h: 52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00 ; Rich..摏........ 000000b0h: 50 45 00 004C 01 03 00 9B 4D 8F 42 00 00 00 00 ; PE..L...汳廈.... 000000c0h: 00 00 00 00 E0 00 0F 010B 01 05 0C 00 02 00 00 ; ....?.......... 000000d0h: 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ; ................ 000000e0h: 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 ; . ....@......... 000000f0h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ; ................ 00000100h: 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 ; .@.............. 00000110h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ; ................ 00000120h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000130h: 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 ; . ..<........... 00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000180h: 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00 ; ......... ...... 00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000001a0h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ; .........text... 000001b0h: 46 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 ; F............... 000001c0h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ; ............ ..` 000001d0h: 2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00 ; .rdata..?... .. 000001e0h: 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ; ................ 000001f0h: 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ; ....@..@.data... 00000200h: 8E 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00 ; ?...0.......... 00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ; ............@..? 00000220h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000230h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000240h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000250h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000260h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000270h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................00000280h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000290h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F---------------------------------------------------------------------------- 000002a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000002f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000300h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000310h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000320h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000330h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000340h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000350h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000360h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000370h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000380h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000390h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000003f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000400h: 68 40 10 00 00 68 00 30 40 00 68 09 30 40 00 6A ; h@...h.0@.h.0@.j 00000410h: 00 E8 2A 00 00 00 68 40 10 00 00 68 00 30 40 00 ; .?...h@...h.0@. 00000420h: 68 31 30 40 00 6A 00 E8 14 00 00 00 6A 00 E8 01 ; h10@.j.?...j.? 00000430h: 00 00 00 CC FF 25 00 20 40 00 FF 25 0C 20 40 00 ; ...?%. @.%. @. 00000440h: FF 25 08 20 40 00 00 00 00 00 00 00 00 00 00 00 ; %. @........... 00000450h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000460h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000470h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000480h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000490h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000004f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000500h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000510h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000520h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000530h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000540h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000550h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000560h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................1.MZ文件头（0x40）2.DOSStub3.PE文件头[开始于000000B0 ]（PE标识、映像文件头（0x14）、可选文件头）4.节表填充文件头续填充部分5.代码节实际大小46H对齐后大小200H00000570h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000580h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000590h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000005f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000600h: 64 20 00 00 00 00 00 00 8C 20 00 00 80 20 00 00 ; d ......?..€ .. 00000610h: 00 00 00 00 50 20 00 00 00 00 00 00 00 00 00 00 ; ....P .......... 00000620h: 72 20 00 00 00 20 00 00 58 20 00 00 00 00 00 00 ; r ... ..X ...... 00000630h: 00 00 00 00 9A 20 00 00 08 20 00 00 00 00 00 00 ; ....?... ...... 00000640h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000650h: 64 20 00 00 00 00 00 00 8C 20 00 00 80 20 00 00 ; d ......?..€ .. 00000660h: 00 00 00 00 80 00 45 78 69 74 50 72 6F 63 65 73 ; ....€.ExitProces 00000670h: 73 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 ; s.kernel32.dll.. 00000680h: 62 02 77 73 70 72 69 6E 74 66 41 00 9D 01 4D 65 ; b.wsprintfA.?Me 00000690h: 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 33 32 ; er32 000006a0h: 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 ; .dll............ 000006b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000006f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000700h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000710h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000720h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000730h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000740h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000750h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000760h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000770h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000780h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000790h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000007f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000800h: BD CC D1 A7 B2 E2 CA D4 00 50 45 C8 EB BF DA B5 ; 教学测试.PE入口? 00000810h: E3 B2 E2 CA D4 31 A3 BA BD F8 C8 EB B5 DA D2 BB ; 悴馐?：进入第一00000820h: C8 EB BF DA CE BB D6 C3 34 30 31 30 30 30 48 21 ; 入口位置401000H! 00000830h: 00 50 45 C8 EB BF DA B5 E3 B2 E2 CA D4 32 A3 BA ; .PE入口点测试2：00000840h: BD F8 C8 EB B5 DA B6 FE C8 EB BF DA CE BB D6 C3 ; 进入第二入口位置00000850h: 34 30 31 30 31 36 48 21 00 00 00 00 00 00 00 00 ; 401016H!........ 00000860h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000870h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................0 1 2 3 4 5 6 7 8 9 A B C D E F------------------------------------------------------------------------------ 00000880h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000890h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000008f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000900h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000910h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000920h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000930h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000940h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000950h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000960h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000970h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000980h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 00000990h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................ 000009f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................要求：1．分割PE文件的各个部分：MZ头部+DOS Stub+PE文件头+可选文件头+节表+节2．标明各个关键字段结构和字段，及其含义3．详细分析函数引入表中的各个字段及其关系答：1.如图所示：各段颜色标记如图。

PE文件结构分析，这里我就直接从网上摘抄了，都千篇一律常见的PE文件有EXE、DLL、OCX、SYS、COM，像位图文件一样，它们也有固定的格式，PE 文件是由五大部分构成，如下所示：1:DOS MZ Header(DOS文件头）一个IMAGE_DOS_HEADER结构，大小为64字节2:DOS Stub(DOS加载模块）没有固定大小3:PE Header(PE文件头）一个IMAGE_NT_HEADERS结构，大小为248字节4:Section Table(节表）一个IMAGE_SECTION_HEADER结构数组，数组大小依据节而定，如果PE文件有5个节，则数组大小为55:Sections(节或段）没有固定大小，可以有多个节。

第一二部分DOS文件头和DOS加载模块PE文件的一二部分完全是为了程序能在DOS运行下时给出一个提示，在Windows下几乎已经没什么作用了，所以我们只要了解IMAGE_DOS_HEADER里的e_lfanew成员，这个成员指明了IMAGE_NT_HEADERS（PE文件头）在PE文件中的偏移量（位置）IMAGE_DOS_HEADER结构的定义，以及各成员的意思typedef struct _IMAGE_DOS_HEADER { // DOS的.EXE头部WORD e_magic; // 魔术数字WORD e_cblp; // 文件最后页的字节数WORD e_cp; // 文件页数WORD e_crlc; // 重定义元素个数WORD e_cparhdr; // 头部尺寸，以段落为单位WORD e_minalloc; // 所需的最小附加段WORD e_maxalloc; // 所需的最大附加段WORD e_ss; // 初始的SS值(相对偏移量)WORD e_sp; // 初始的SP值WORD e_csum; // 校验和WORD e_ip; // 初始的IP值WORD e_cs; // 初始的CS值(相对偏移量)WORD e_lfarlc; // 重分配表文件地址WORD e_ovno; // 覆盖号WORD e_res[4]; // 保留字WORD e_oemid; // OEM标识符(相对e_oeminfo)WORD e_oeminfo; // OEM信息WORD e_res2[10]; // 保留字LONG e_lfanew; // 新exe头部的文件地址} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;第三部分PE文件头IMAGE_NT_HEADERS结构定义及其各成员意思typedef struct _IMAGE_NT_HEADERS {DWORD Signature; // PE文件头标志:"PE\0\0"，占4字节IMAGE_FILE_HEADER FileHeader; // PE文件物理分布的信息，占20字节IMAGE_OPTIONAL_HEADER32 OptionalHeader; // PE文件逻辑分布的信息，占224字节} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS; IMAGE_FILE_HEADER结构定义及其成员意思typedef struct _IMAGE_FILE_HEADER {WORD Machine;//表示该程序要执行的环境及平台,0x14c Intel 80386 处理器以上 0x014d Intel 80486 处理器以上。

这是我在我的电脑上随便找了个exe文件，下面我将会仔细的分析一下这种文件的格式下面我依次截图，仔细分析，让你看清楚：首先4D 5A 90 这三个一般是在一起的，我们知道windows文件是从DOS兼容过来的，这三个数其实就是M Z 和一个分隔符是为了兼容以前DOS下的MZ文件好：我找了两个文件通过比较发现，从0x 00 00 00 80处开始不一样，也就是在这之前从0x 00 00 00 00到0x00 00 00 7F是相同的DOS头和DOS桩程序，其实，MZ_DOS在PE 文件中占64个字节，就是我们看到的前4行数据(每行16个字节)，而在微软给我们提供的DOS头结构体中有各个部分的结构：Typedef struct _IMAGE_DOS_HEADER{USHORT e_magic; //00H魔术数字就是0x 4D 5A = MZ;USHORT e_cblp; // 02H 表示的是文件最后页(page)中的字节数;USHORT e_cb ; / 04H 文件的页数(每页大小4KB);USHORT e_crlc ; //06H重新定向的元素个数;USHORT e_parhdr //08H 头部大小，以段(paragraph)为单位;USHORT e_minalloc //0AH 所需要的最小附加段;USHORT e_maxalloc //0CH 所需要的最大附加段;USHORT e_ss //0EH 初始的ss值;USHORT e_sp //10H 初始的sp值;USHORT e_csum //12H 校验和或者0USHORT e_ip //14H 初始的IP值USHORT e_cs //16H 初始的CS值(相对偏移量)USHORT e_lfarlc //18H 重定向表文件地址USHORT e_ovno //1AH 覆盖号USHORT e_res[4] 1CH 保留字USHORT e_oemid //24H OEM标示符(for e_oeminfo)USHORT e_oeminfo //26H OEM信息USHORT e_res2[10] //28H 保留LONG e_lfanew; //3CH PE头位置//这个位置很重要,做病毒要这个东西} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER上边就是我的一个exe文件的DOS头(不包括DOS桩,紧跟在它的下面),下面是我的分析0x4D 5A 魔术字符MZ0x00 90(144字节) 文件最后一页的字节数地址为20x00 03 文件总页数用这两个计算出文件总大小(3-1)*4028+144=82000x00 00 重定向元素个数0x00 04 头部大小,以段为单位0x00 00 所需要的最小附加段0xFF FF 所需要的最大附加段0x00 00 加载时ss段寄存器的值0x00 B8 加载时sp的值0x00 00 校验和或者为00x00 00 初始IP值0x00 00 初始CS值0x00 40 重定位表文件地址0x00 00 覆盖号0x0000 0000 0000 0000保留的四个字0x00 00 OEM标识0x00 00 OEM信息0x0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 保留10个字0x00 00 00 D0 PE头开始的地址地址为3C上边指需要记住两处，但是别的地方最好是也记住。

实验二PE文件结构分析一. 实验目的1．了解PE文件的输入表结构；2．手工解析PE文件的输入表；3．编程实现PE文件输入表的解析。

二. 实验内容1.第一步：手动解析输入表结构(1)使用工具箱中的工具e verything,寻找当前系统中任意一个e xe文件，文件名称是： actmovie.exe(2)使用LordPE“PE编辑器”打开exe文件，确定输入表的RVA，截图如下（图1）：(3)点击PE编辑器右侧的“位置计算器”，得到文件偏移值，截图如下（图2）：(4)使用16进制编辑工具，跳转到相应的输入文件偏移地址，输入表是每个IID对应一个DLL，根据IID大小，这里取20字节的数据进行分析，将输入表第一个IID结构的数据与IID结构体的成员一一对应，具体如下所示：IMAGE_IMPORT_DESCRIPTOR {OriginalFirstThunk = 000013C0TimeDateStamp = FFFFFFFFForwarderChain = FFFFFFFFName = 000014C0FirstThunk = 0000100C}(5)关注OriginalFirstThunk和Name两个成员，其中Name是一个RVA，用步骤(3)的方法得到其文件偏移值为 000008C0 ，在16进制编辑工具转到这个偏移地址，可见输入表的第一个D LL名为 msvcrt.dll ，截图如下（图3）：(6)分析一下OriginalFirstThunk，它指向一个类型为IMAGE_THUNK_DATA的数组，上面已经分析出了它的值为000013C0 ，这是一个RVA，用步骤(3)的方法得到文件偏移地址 00007C0 。

在16进制编辑工具转到这个偏移地址，其中前面4个字节的数据为 63 5F 00 C8 ，截图如下（图4）：(7)可以看出，这是以序号（填“以名字”或“以序号”）的方式输入函数；用与步骤(3)相同的方式在16进制编辑工具中对应IMAGE_IMPORT_BY_NAME结构的数据，可以看到函数的输入序号为 20 ，函数名为 cexit ，截图如下（图5）：(8)验证：使用L ordPE单击“目录表”界面中输入表右侧的“…按钮”，打开输入表对话框，可以验证获取的DLL名和函数名是否正确。

PE文件头简析及输入表、输出表的分析2008年01月13日星期日 22:50PE文件头简析及输入表、输出表的分析前两天由于做个免杀，需要对输入表做些改变，所以又重新看了pe文件的结构尤其是输入表及输出表的一些细节方面，做个笔记，方便自己以后翻看，也给大家提个方便，呵呵！1、PE文件格式文件尾___________________________________________________________________Code View调试信息 |COFF 符号表 | 调试信息COFF 行号 |------------------------------------------------------------------.reloc |.edata | 块(Section) .data |.text |---------------------------------------------------------------------------------------------------IMAGE_SECTION_HEADER |IMAGE_SECTION_HEADER | 块表（Section Table）IMAGE_SECTION_HEADER |IMAGE_SECTION_HEADER | //对应.text块---------------------------------------------------------------------------------------------------------数据目录表 | //包含在可选映像头中，包含输出\入表信息 IMAGE_OPTIONAL_HEADER32 | 可选映像头IMAGE_FILE_HEADER | 文件映像头"PE",0,0 | pe文件标识（pe文件头包含三个部分）---------------------------------------------------------------------------------------------------------DOS stub |DOS 'MZ' HEADER | 该字段中的e_lfanew字段指向pe头 ---------------------------------------------------------------------------------------------------------文件头说明：01、输入表、输出表的位置：在pe头中可选映像头字段中数据目录表字段中，相对于pe文件标识处的偏移分别为：+80h、+78h；（其中pe文件标识的位置在DOS 'MZ' HEADER字段中的e_lfanew指出，该字段相对于文件开始的偏移为+3Ch，4个字节）；02、在用例子说明时用c32asm打开，其中的偏移均为文件在磁盘上存储的物理偏移，而查看的值均为给出的各个地址的RVA，转化方法入下：查到的RVA值-VOffset（可由lordpe查看）+ROffset 得到的就是可以c32asm中的偏移2、上面对pe文件格式做了简要介绍，下面主要分析输入表和输出表：输入表篇：概念不做介绍，位置上面已经给出，呵呵输入表的结构：输入表是以一个IMAGE_IMPORT_DESCRIPTOR(IID)数组开始，一个程序要调用几个dll就会有几个IID项，即每个IID对应于一个dllIID结构：IMAGE_IMPORT_DESCRIPTOR structunion{DWORD Characteristics ; ;00hDWORD OriginalFirstThunk; // 注释1};TimeDateStamp DWORD ;04h // 时间标志，可以忽略；ForwarderChain DWORD ;08h // 正向链接索引，一般为0，当程序引用一个dll中的api，而这个api又引用其它dll中的api时用；Name DWORD ;0Ch //DLL名字的指针，以00结尾的ASCII字符的RVA地址；FirstThunk DWORD ;10h // 注释2IMAGE_IMPORT_DESCRIPTOR ends注释 1：该值为一个 IMAGE_THUNK_DATA数组的RVA，其中的每个指针都指向IMAGE_IMPORT_BY_NAME结构。

pe格式化方法PE格式（Portable Executable format）是Windows操作系统下的一种可执行文件的格式标准，它定义了可执行文件、动态链接库（DLL）和驱动程序等二进制文件的结构和标识方法。

本文将介绍PE格式化的基本原理和方法，并举例说明。

一、PE格式基本原理1. PE格式定义：PE格式是一种COFF（Common Object File Format）文件格式的变体，用于描述32位和64位Windows可执行文件的结构和组织。

2. 文件头部分：PE格式文件的开头是一个固定大小的文件头（File Header），用于描述整个PE文件的组织结构和属性信息，如文件类型、目标体系结构、节表位置等。

3. 节部分：紧随文件头部分的是节（Section）部分，它描述了PE格式文件中各个段或区块的属性和内容，如代码段、数据段、资源段等。

4. 数据目录：PE格式文件中包含了多个数据目录（Data Directory），每个数据目录描述了PE文件中某个特定功能的位置和大小信息，如导入表、导出表、资源表等。

1. 创建空白PE文件：使用合适的开发工具，如Visual Studio等，新建一个空白的PE 文件。

2. 定义文件头：根据所需的文件类型和目标体系结构，填写文件头部分的属性信息。

如指定文件类型为可执行文件（Executable）、目标体系结构为32位或64位等。

3. 定义节表：根据需求，定义PE文件中的各个节的属性和内容，如代码段、数据段、资源段等。

可以使用合适的工具，如Hex编辑器等，手动修改节表。

4. 填充数据目录：根据PE格式的规定，将所需的功能的位置和大小信息填写入数据目录表中，如导入表、导出表、资源表等。

5. 填充节内容：根据需求，将代码、数据和资源等内容填写入相应的节中。

可以使用合适的工具，如文本编辑器等，手动修改和填充节内容。

6. 调整文件大小：根据实际内容大小，调整整个PE文件的大小，确保文件大小与实际内容相符。

PE⽂件结构解析说明：本⽂件中各种⽂件头格式截图基本都来⾃看雪的《加密与解密》；本⽂相当《加密与解密》的阅读笔记。

1.PE⽂件总体结构PE⽂件框架结构，就是exe⽂件的排版结构。

也就是说我们以⼗六进制打开⼀个.exe⽂件，开头的那些内容就是DOS头内容，下来是PE头内容，依次类推。

如果能认识到这样的内含，那么“exe开头的内容是不是就直接是我们编写的代码”（不是，开头是DOS头内容）以及“我们编写的代码被编排到了exe⽂件的哪⾥”（在.text段，.text具体地址由其相应的IMAGE_SECTION_HRADER指出）此类的问题答案就显⽽易见了。

exe⽂件从磁盘加载到内存，各部份的先后顺序是保持不变的，但由于磁盘（⼀般200H）和内存（⼀般1000H）区块的对齐⼤⼩不⼀样，所以同⼀内容在磁盘和在内存中的地址是不⼀样的。

换⾔之你在磁盘上看到⼀段内容⼀内容要到在内存中找到它--假设它是能映射到内容的部份--那么要做相应的地址转换。

（⽐如你在Ultraedit 中看到某⼏个字节⽽想在OllyDbg中找到这⼏个字节那么需要进⾏地址转换）另外要注意，PE⽂件中存放的地址值都是内存中的地址，这些地址在OllyDbg中不需要转换到其指定的位置就能找到其指向的内容；这要根据这个地址找到内容在Ultraedit的地址，需要将此RVA址转换成⽂件偏移地址。

还要注意DOS头/PE头/块表，映射到内存时属同⼀区块⽽且是第⼀区块，所以此三者上的RVA和⽂件偏移地址是相等的。

2.DOS头部2.1MS-DOS头部（IMAGE_DOS_HEADER）最后的e_lfanew即是PE⽂件的RVA地址我们在前边已经提过，对于DOS头/PE头/区块表三部分RVA和⽂件偏移地址是相等的，所以上边在⼗六进制⽂本编缉器中，直接转向e_lfanew指向的000000B0可以正好找到PE头。

2.2DOS stubDOS stub是当操作系统不⽀持PE⽂件时执⾏的部分，⼀般由编译器⾃⼰⽣成内容是输出“This program cannot be run in MS-DOS mode”等提⽰。

PE文件格式详解（一）0x00 前言PE文件是portable File Format（可移植文件）的简写，我们比较熟悉的DLL和exe文件都是PE文件。

了解PE文件格式有助于加深对操作系统的理解，掌握可执行文件的数据结构机器运行机制，对于逆向破解，加壳等安全方面方面的同学极其重要。

接下来我将通过接下来几篇详细介绍PE文件的格式。

0x01 基本概念PE文件使用的是一个平面地址空间，所有代码和数据都被合并在一起，组成一个很大的组织结构。

文件的内容分割为不同的区块（Setion，又称区段，节等），区段中包含代码数据，各个区块按照页边界来对齐，区块没有限制大小，是一个连续的结构。

每块都有他自己在内存中的属性，比如：这个块是否可读可写，或者只读等等。

认识PE文件不是作为单一内存映射文件被装入内存是很重要的，windows加载器（PE加载器）便利PE文件并决定文件的哪个部分被映射，这种映射方式是将文件较高的偏移位置映射到较高的内存地址中。

当磁盘的数据结构中寻找一些内容，那么几乎能在被装入到内存映射文件中找到相同的信息。

但是数据之间的位置可能改变，其某项的偏移地址可能区别于原始的偏移位置，不管怎么样，所表现出来的信息都允许从磁盘文件到内存偏移的转换，如下图：PS：PE文件头以下的地址无论在内存映射中还是在磁盘映射中都是一样的，当内存分页和磁盘分页一致时无需进行地址转换，只有当磁盘分页和内存分页不一样时才要进行地址转化，这点很重要，拿到PE文件是首先查看分页是否一致。

前两天一直没碰到内存和磁盘分页不一样的，所以这个点一直没发现，今天特来补上。

下面要介绍几个重要概念，分别是基地址（ImageBase）,相对虚拟地址（Relative Virtual Address），文件偏移地址（File Offset）。

1）基地址定义：当PE文件通过Windows加载器被装入内存后，内存中的版本被称作模块（Module）。

映射文件的起始地址被称作模块句柄（hMoudule），可以通过模块句柄访问其他的数据结构。