Experiment 2: PE File Format Experiment
PE File Analysis

PE file format analysis of the Hello-2.5.exe program    Name: ______    Student ID: ______

[Figure: hex dump of Hello-2.5.exe from offset 00000000h to 000009f0h, 16 bytes per row, with the regions colour-marked as follows]
1. MZ file header (0x40)
2. DOS Stub
3. PE file header [starts at 000000B0] (PE signature, image file header (0x14), optional header)
4. Section table (labels in the figure: padding; file header continued; padding)
5. Code section: actual size 46H, size after alignment 200H

Requirements:
1. Split the PE file into its parts: MZ header + DOS Stub + PE file header + optional header + section table + sections
2. Mark the structure and fields of each key field, and their meanings
3. Analyse in detail each field of the function import table and the relationships between them

Answer: 1. As shown in the figure; each segment is marked with a colour.
PE Format Revealed

This is an exe file I picked at random on my computer; below I will analyse this file format carefully, with screenshots one after another, so that you can see it clearly.

First, 4D 5A 90: these three bytes are generally found together. We know that Windows files are descended from DOS for compatibility; these three numbers are really M, Z and a separator, kept for compatibility with the old MZ files under DOS.

OK, I picked two files and compared them, and found that they differ from offset 0x00000080 onwards; in other words, everything before that, from 0x00000000 to 0x0000007F, is the same DOS header and DOS stub program. In fact, the MZ DOS header occupies 64 bytes of a PE file, the first 4 rows of data we see (16 bytes per row), and the DOS header structure that Microsoft provides gives the layout of each part:

    typedef struct _IMAGE_DOS_HEADER {
        USHORT e_magic;      // 00H magic number, 0x4D5A = "MZ"
        USHORT e_cblp;       // 02H number of bytes in the last page of the file
        USHORT e_cp;         // 04H number of pages in the file (each page 4 KB)
        USHORT e_crlc;       // 06H number of relocation entries
        USHORT e_cparhdr;    // 08H size of the header, in paragraphs
        USHORT e_minalloc;   // 0AH minimum extra paragraphs needed
        USHORT e_maxalloc;   // 0CH maximum extra paragraphs needed
        USHORT e_ss;         // 0EH initial SS value
        USHORT e_sp;         // 10H initial SP value
        USHORT e_csum;       // 12H checksum, or 0
        USHORT e_ip;         // 14H initial IP value
        USHORT e_cs;         // 16H initial CS value (relative offset)
        USHORT e_lfarlc;     // 18H file address of the relocation table
        USHORT e_ovno;       // 1AH overlay number
        USHORT e_res[4];     // 1CH reserved words
        USHORT e_oemid;      // 24H OEM identifier (for e_oeminfo)
        USHORT e_oeminfo;    // 26H OEM information
        USHORT e_res2[10];   // 28H reserved
        LONG   e_lfanew;     // 3CH position of the PE header; this one is important, you need it when writing a virus
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

Above is the DOS header of one of my exe files (not including the DOS stub, which follows right after it); below is my analysis:

0x4D 5A: magic characters MZ
0x00 90 (144 bytes): number of bytes in the last page of the file, at offset 2
0x00 03: total number of pages in the file; these two values give the total file size: (3-1)*4028+144=8200
0x00 00: number of relocation entries
0x00 04: header size, in paragraphs
0x00 00: minimum extra paragraphs needed
0xFF FF: maximum extra paragraphs needed
0x00 00: value of the SS segment register at load time
0x00 B8: value of SP at load time
0x00 00: checksum, or 0
0x00 00: initial IP value
0x00 00: initial CS value
0x00 40: file address of the relocation table
0x00 00: overlay number
0x0000 0000 0000 0000: the four reserved words
0x00 00: OEM identifier
0x00 00: OEM information
0x0000 0000 0000 0000 0000 0000 0000 0000 0000 0000: the ten reserved words
0x00 00 00 D0: address at which the PE header starts, at offset 3C

Two places above were pointed out as needing to be remembered, but it is best to remember the others as well.
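As an added example (not code from this blog), here is a Python parser for the 64-byte IMAGE_DOS_HEADER laid out above, using the field values the blog lists (e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40, e_lfanew=0xD0) in a constructed sample whose DOS stub is zero-filled; it also performs the "MZ"/"PE" signature check that the last section of this page describes. The size rule in mz_image_size uses the MZ format's 512-byte page.

```python
import struct

# IMAGE_DOS_HEADER is 64 bytes: e_magic, 13 WORD fields up to e_ovno, e_res[4],
# e_oemid, e_oeminfo, e_res2[10], then the DWORD e_lfanew at offset 0x3C.
DOS_HEADER_FMT = "<2s13H4H2H10HI"
DOS_FIELDS = ["e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
              "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno"]

def parse_dos_header(data):
    """Return the named DOS header fields; raises ValueError if the 'MZ' magic is missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE executable")
    fields = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    hdr = dict(zip(DOS_FIELDS, fields[:14]))
    hdr["e_res"], hdr["e_oemid"], hdr["e_oeminfo"] = fields[14:18], fields[18], fields[19]
    hdr["e_res2"], hdr["e_lfanew"] = fields[20:30], fields[30]
    return hdr

def mz_image_size(hdr):
    """Size of the DOS part per the MZ header: e_cp counts 512-byte pages and e_cblp
    is the number of bytes used in the last page (0 means the last page is full)."""
    last = hdr["e_cblp"] or 512
    return (hdr["e_cp"] - 1) * 512 + last

def pe_signature_offset(data):
    """Follow e_lfanew and confirm that 'PE\\0\\0' sits there (the first thing both the
    loader and a scanner check); returns the offset or raises ValueError."""
    hdr = parse_dos_header(data)
    off = hdr["e_lfanew"]
    if off + 4 > len(data) or data[off:off + 4] != b"PE\0\0":
        raise ValueError(f"e_lfanew={off:#x} does not point at a PE signature")
    return off

def sample_file():
    """Constructed image using the field values listed in the blog (e_cblp=0x90, e_cp=3,
    e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40, e_lfanew=0xD0); the DOS
    stub between 0x40 and 0xD0 is zero-filled here, not the real stub."""
    hdr = struct.pack(DOS_HEADER_FMT, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,
                      0, 0, 0, 0, 0, 0, *([0] * 10), 0xD0)
    return hdr + bytes(0xD0 - 0x40) + b"PE\0\0" + bytes(0x100)
```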
Reverse Engineering Experiment 2: PE File Structure Analysis

Experiment 2: PE File Structure Analysis
I. Purpose of the experiment
1. Understand the import table structure of PE files;
2. Parse the import table of a PE file by hand;
3. Implement parsing of the PE file import table in a program.
II. Experiment content
1. Step one: parse the import table structure by hand
(1) Use the Everything tool from the toolbox to find any exe file on the current system. The file name is: actmovie.exe
(2) Open the exe file with the LordPE "PE Editor" and determine the RVA of the import table; screenshot below (Figure 1):
(3) Click the "Location Calculator" on the right side of the PE Editor to obtain the file offset; screenshot below (Figure 2):
(4) Use a hex editor to jump to the corresponding file offset of the import table. The import table has one IID per DLL; according to the size of an IID, 20 bytes of data are taken here for analysis. Matching the data of the first IID structure of the import table to the members of the IID structure one by one gives:
    IMAGE_IMPORT_DESCRIPTOR {
        OriginalFirstThunk = 000013C0
        TimeDateStamp      = FFFFFFFF
        ForwarderChain     = FFFFFFFF
        Name               = 000014C0
        FirstThunk         = 0000100C
    }
(5) Focus on the two members OriginalFirstThunk and Name. Name is an RVA; using the method of step (3), its file offset is 000008C0. Jumping to this offset in the hex editor shows that the first DLL in the import table is named msvcrt.dll; screenshot below (Figure 3):
(6) Now analyse OriginalFirstThunk, which points to an array of type IMAGE_THUNK_DATA. Its value was found above to be 000013C0, an RVA; the method of step (3) gives the file offset 00007C0. Jumping to this offset in the hex editor, the first 4 bytes of data are 63 5F 00 C8; screenshot below (Figure 4):
(7) It can be seen that this function is imported by ordinal (fill in "by name" or "by ordinal"); matching the data to the IMAGE_IMPORT_BY_NAME structure in the hex editor in the same way as step (3), the import ordinal of the function is 20 and the function name is cexit; screenshot below (Figure 5):
(8) Verification: in LordPE, click the "..." button to the right of the import table in the "Directories" view to open the import table dialog, where the DLL name and function name obtained above can be checked.
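An added example, not part of the lab report: a Python walk of the import table that follows the steps above (IID, then Name RVA to file offset, then OriginalFirstThunk to IMAGE_THUNK_DATA to IMAGE_IMPORT_BY_NAME or ordinal) and also does the section table parsing and RVA-to-file-offset (RA) conversion asked for in the other experiments on this page. The PE32 image is constructed in build_sample_pe with the section layout and import names of the Hello-2.5.exe dump from the first experiment plus one constructed by-ordinal entry (ordinal 20); it is not the real file, and its IAT (FirstThunk) is left empty.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit of a PE32 IMAGE_THUNK_DATA entry: import by ordinal

def build_sample_pe():
    # Constructed PE32 image (not the real file) with the Hello-2.5.exe layout: .text at RVA 0x1000/file 0x400,
    # .rdata at RVA 0x2000/file 0x600 holding the import directory at RVA 0x2014 (DataDirectory[1]).
    img = bytearray(0x800)
    img[0:2], img[0xB0:0xB4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0xB0)                                  # e_lfanew -> NT headers
    struct.pack_into("<HHIIIHH", img, 0xB4, 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)  # IMAGE_FILE_HEADER: 2 sections
    struct.pack_into("<II", img, 0xC8 + 0x68, 0x2014, 0x3C)                  # import table RVA and size
    sections = [(b".text", 0x46, 0x1000, 0x200, 0x400, 0x60000020),
                (b".rdata", 0xA6, 0x2000, 0x200, 0x600, 0x40000040)]
    for i, s in enumerate(sections):                                         # IMAGE_SECTION_HEADERs at 0x1A8
        struct.pack_into("<8sIIIIIIHHI", img, 0x1A8 + 40 * i, *s[:5], 0, 0, 0, 0, s[5])
    f = lambda rva: rva - 0x2000 + 0x600                                      # .rdata RVA -> file offset
    struct.pack_into("<5I", img, f(0x2014), 0x2050, 0, 0, 0x2072, 0x2000)    # IID: kernel32.dll
    struct.pack_into("<5I", img, f(0x2028), 0x2058, 0, 0, 0x209A, 0x2008)    # IID: user32.dll (null IID follows)
    struct.pack_into("<2I", img, f(0x2050), 0x2064, 0)                       # INT kernel32: one import by name
    struct.pack_into("<3I", img, f(0x2058), 0x208C, IMAGE_ORDINAL_FLAG32 | 20, 0)  # INT user32: by name, by ordinal 20
    for rva, data in [(0x2064, b"\x80\x00ExitProcess\0"), (0x2072, b"kernel32.dll\0"),
                      (0x208C, b"\x9D\x01MessageBoxA\0"), (0x209A, b"user32.dll\0")]:
        img[f(rva):f(rva) + len(data)] = data                                # IMAGE_IMPORT_BY_NAME (hint + name), DLL names
    return bytes(img)

def parse_pe(img):
    # Follow e_lfanew, check the PE signature, read the section table and the import directory RVA.
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    import_rva = struct.unpack_from("<I", img, pe + 24 + 0x68)[0]            # DataDirectory[1].VirtualAddress (PE32)
    # section entries: (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    return [struct.unpack_from("<8sIIII", img, pe + 24 + opt_size + 40 * i) for i in range(nsec)], import_rva

def rva_to_offset(secs, rva):
    # RA = RVA - VirtualAddress + PointerToRawData of the section that contains the RVA.
    for _, vsize, va, rsize, raw in secs:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies outside every section")
def cstr(img, off): return img[off:img.index(b"\0", off)].decode("ascii")
def parse_imports(img):
    # Walk the IMAGE_IMPORT_DESCRIPTOR array: {dll: [(name, hint) or ("#ordinal", n), ...]}.
    secs, import_rva = parse_pe(img)
    result, desc = {}, rva_to_offset(secs, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if name_rva == 0:                                                    # all-zero IID terminates the table
            return result
        funcs, thunk = [], rva_to_offset(secs, oft or ft)                    # OriginalFirstThunk -> INT
        while (entry := struct.unpack_from("<I", img, thunk)[0]) != 0:
            if entry & IMAGE_ORDINAL_FLAG32:
                funcs.append(("#ordinal", entry & 0xFFFF))
            else:                                                            # RVA of IMAGE_IMPORT_BY_NAME
                off = rva_to_offset(secs, entry)
                funcs.append((cstr(img, off + 2), struct.unpack_from("<H", img, off)[0]))
            thunk += 4
        result[cstr(img, rva_to_offset(secs, name_rva))] = funcs
        desc += 20
```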
Syllabus for the course Computer Virus Technology and Defence

Syllabus for the course Computer Virus Technology and Defence
I. Basic course information
II. Course description
Computer Virus Technology and Defence (also called Principles and Prevention of Malicious Code) is a course of strong professional and practical character in the Cyberspace Security major, an important component of the cyberspace security discipline, and is related to several courses studied later.
This course mainly studies the classification of malicious code (computer viruses), the principles of malicious code, its behaviour, static and dynamic methods for analysing malicious code, and defence techniques against it; it plays an important role in building students' body of network security knowledge and thus in their practice of malicious-code attack and defence.
The task of the course is, through classroom and laboratory teaching, to enable students to grasp the basic principles and implementation methods of malicious-code technology from a life-cycle perspective, to master the defence methods for common malicious code, to develop good malicious-code analysis skills and the ability to guard against common malicious code, and to raise their security awareness and professional competence in the field, thereby laying a solid foundation for future work in network and information security.
Through this course, students analyse practical cases and gain a fairly deep understanding of the types, harms, emergency handling and defence of malicious code, acquire some analytical and research ability, and become able to apply the course's knowledge and the ideas and techniques of defence technology to solving the problems that malicious code causes.
III. Course objectives and their support for graduation requirements
(1) Course objectives
Course objective 1: understand the basic concepts and theory of malicious code; be able to describe the basic characteristics of malicious code and its development trends.
Course objective 2: master the basic techniques of malicious code; be able to apply basic knowledge to recognise malicious code and to reverse-engineer common malicious code, developing students' ability to analyse problems.
Course objective 3: master malicious-code defence techniques; be able to apply the knowledge learned to defend against malicious code, and to analyse and solve common problems in doing so, developing students' ability to research and analyse problems and to design and deploy engineering solutions.
(2) Support of the course objectives for graduation requirements
IV. Teaching methods
This course gives equal weight to classroom teaching and hands-on laboratory work, and completes its teaching tasks through assignments, exercises, laboratory reports and similar means.
In classroom teaching, lectures, questions, experiments, exercises and demonstrations are used to introduce students to malicious code and to the basic applications of malicious-code attack and defence.
In the laboratory and exercise sessions, teaching by assigned tasks develops students' practical skills, along with their ability to discover, analyse and solve problems.
PE File Format Experiment

PE file format analysis experiment
Tools used: LordPE/PEview, WinHex
Choose an exe or DLL file.
Stage one (this experiment):
1. View the DOS header and analyse the data item by item against the DOS header structure
2. View the PE header and analyse the data item by item against the PE header structure
3. Exe files and DLL files are both in PE format; where do they differ?
4. View the section table structure (can a new section table entry be added? what is the alignment boundary?)
5. View the PE file sections and analyse the data against the section header structure
6. Calculate VA, RVA and RA
7. Question: how large is the gap between the DOS header and the PE header in the PE file you examined?
8. Question: in which section of the PE file you examined is the gap largest/smallest?
9. Question: if a section is added by hand, which fields must be modified? Try it by hand.
(Advanced: does adding your new section header change the alignment positions of the original file?)
10. Question (advanced): how are the attribute bytes of a section set? Experiment on the basis of the previous question.
This experiment requires you to choose a file yourself, analyse it against the requirements above, and write a report.
Stage two (later work):
1. View and modify resources
2. Write a PE file analysis program
3. Write a PE virus program
Appendix 1: Detailed explanation of the PE format (Part 1)
A few days ago I posted a small tool, a PE information viewer, intending to use it to get an invitation code, but I felt the odds were not great, so I am offering a tutorial as well: partly so that I can get the invitation code, partly to help those who want to learn the PE format, letting knowledge that came from the net return to the net.
I have not written an article in N years and am not sure my sentences still read smoothly. I have recently been reading Inside Software Encryption Technology (《软件加密技术内幕》) and just finished the part on the PE structure, so I thought I would write a tutorial as reading notes: it reinforces my memory and helps others, so why not.
Enough chatter; the show begins. PE is short for Portable Executable; as the abbreviation suggests, it is cross-platform and can run normally even on non-Intel CPUs.
It is the executable file format native to the Win32 environment.
Not only EXE files are in PE format: other important files, such as dynamic link libraries (DLL) and driver files (SYS), are PE format too, so learning the PE format well is very important. Below I refer to all of these files collectively as PE files.
C2-2 PE File Format, Part 1

3 Overall structure of the PE file format
1. DOS MZ header
2. DOS stub
3. PE header
4. Section table
5-1 Section 1
5-2 Section 2
Section ...
5-3 Section n
(1) MS-DOS MZ file header (0x40) + (2) DOS Stub
(4) Section table
The section table is an array of structures immediately following the PE header. Each section corresponds to one section table entry, which records the section name; the start address of the section in the file and in memory; its length; the section attributes; and so on.
[Figure: section table of test.exe]
Characteristics: section attributes (meaning when the bit is set)
0x00000020  The section contains code.
0x00000040  The section contains initialised data.
0x00000080  The section contains uninitialised data (such as the .bss section).
0x00000200  The section contains comments or other information.
0x00000800  The section's contents should not be placed into the final EXE file.
0x02000000  The section can be discarded, because once it has been loaded the process no longer needs it. The most common discardable section is the base relocation section (.reloc).
0x10000000  The section is shareable.
0x20000000  The section is executable.
0x40000000  The section is readable.
0x80000000  The section is writable.
.data section
4.3 The uninitialised data section
This section is usually named .bss.
It holds uninitialised global and static variables, for example "static int k;".
2 The relationship between the PE file format and malware
What is file infection? [or: gaining control]
Giving the target PE file virus functionality [or: starting the target program] without destroying the target PE file's original functionality and outward appearance (such as its icon).
Principles and Practice of Software Reverse Engineering, Chapter 4: The PE File Format

Chapter 4 The PE File Format
The Name field of the IMAGE_SECTION_HEADER structure is an 8-byte array holding the section name, e.g. ".text". VirtualSize gives the actual size of the section in memory, i.e. its real size before alignment. VirtualAddress is the starting RVA at which the section is loaded in memory; this address is page-aligned and is a multiple of SectionAlignment. SizeOfRawData gives the size the section occupies in the file on disk, a multiple of FileAlignment. PointerToRawData gives the offset of the section in the file on disk, relative to the start of the file.
2. NT header. Immediately after the DOS stub comes the NT header of the PE file. The NT header corresponds to the IMAGE_NT_HEADERS structure, which is F8H bytes long; its definition is given in Table 4-2(a).
The first field of the IMAGE_NT_HEADERS structure is a PE signature, whose value is always 00004550H, i.e. "PE\0\0". The e_lfanew field of the DOS header mentioned above points exactly to this PE signature. The second and third fields of IMAGE_NT_HEADERS are an IMAGE_FILE_HEADER structure (see Table 4-2(b)) and an IMAGE_OPTIONAL_HEADER structure, respectively.
The IMAGE_OPTIONAL_HEADER structure supplements the definition of a number of PE file attributes; some of its main fields are shown in Table 4-2(c). The Magic flag word is 010BH for PE32 and 020BH for PE32+. AddressOfEntryPoint specifies the RVA of the program's execution entry point, i.e. the address of the first code to run. BaseOfCode and BaseOfData give the starting RVAs of the code section and the data section, respectively. ImageBase is the default load address of the PE file in memory; if the PE file is loaded at this address, the base relocation step can be skipped.
The PE File Format (detailed)

Introduction
Under DOS there are four basic executable file formats:
Batch files, ending in .BAT
Device driver files, ending in .SYS, such as CONFIG.SYS
COM files, pure code files ending in .COM
• No file header; by default execution always starts at 0x100H; no relocation entries; all code and data must fit within 64K
On the 32-bit Windows platform the executable file format is the Portable Executable File format, i.e. the PE format. After the MZ file header comes a file header beginning with "PE".
A program installed on the hard disk and not running: static. Loaded into memory: dynamic.
Format of EXE files
MZ file format, named after Mark Zbikowski
An .EXE file consists of three parts: a file header, a relocation table and the binary code. Code, data and stack may be placed in different segments, each of which may be up to 64 KB.
PE file format
Generally, a virus obtains control before the HOST program does. The general flow of running a Win32 virus is as follows:
① The user clicks, or the system automatically runs, the HOST program;
② the HOST program is loaded into memory;
③ using AddressOfEntryPoint + ImageBase from the PE file, the location of the first statement (the program entry point) is found;
④ execution begins at the first statement (what actually runs at this point is the virus code);
⑤ when the virus body has finished executing, it hands control back to the HOST program's original
A virus uses the two signatures "MZ" and "PE" to make a preliminary judgement of whether the current program is the target file type, a PE file. To check precisely whether a given file is a valid PE file, one can verify each data structure in the PE file format, or only some key data structures. In most cases there is no need to verify every data structure in the file; if a few key structures are valid, the file can be treated as a valid PE file.
PE means Portable Executable; it is the standard format for Win32 executable files.