
PE文件格式分析心得

編輯:C語言基礎知識

  PE文件格式最近似乎炒得沸沸揚揚,由於我正在做一個這樣的程序,索性將自己的心得寫出來與大家同享。
     PE文件頭分兩大部分:
   1:DOS ‘MZ’ HEADER
   2:IMAGE_NT_HEADERS
     其中IMAGE_NT_HEADERS中包含
   PE signature
   IMAGE_FILE_HEADER
   IMAGE_OPTIONAL_HEADER(其中包含Data Directory)
     文件頭後緊跟著為
   Section Table (array of IMAGE_SECTION_HEADERs)
     在Delphi的Windows.pas中已經定義的有:
   TImageDosHeader;
   TImageNtHeaders;
   TImageSectionHeader; { SizeOf(TImageSectionHeader) = $28,即40字節 }
     定義變量後按住Ctrl並點擊類型名即可查看具體的字段,這裡我就不多說了,這方面的資料也很多。
     而其他的如TImageResourceDirectory等,在Delphi中卻沒有定義;查閱其他資料後,我在這裡給出它們的結構和簡單說明。需要注意的是,這些結構中的偏移和計數值都是直接從文件裡讀出來的,解析工具在用它們做指針運算之前必須先檢查其是否落在文件(或資源節)範圍內,否則畸形的PE文件會導致越界讀取:
     以下是我寫的PEDump.exe的類型說明:
  
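   type
     { Resource directory table.  It is followed directly by
       NumberOfNamedEntries + NumberOfIdEntries entries of
       TImageResourceDirectoryEntry.  Both counts are read straight from the
       file, so a dumper must verify that the entry array still lies inside
       the resource section before walking it. }
     PIMAGE_RESOURCE_DIRECTORY = ^TImageResourceDirectory;
     _IMAGE_RESOURCE_DIRECTORY = packed record
       Characteristics:DWord;
       TimeDateStamp:DWORD;
       MajorVersion:WORD;
       MinorVersion:WORD;
       NumberOfNamedEntries:WORD;  { entries whose Name field holds a string offset }
       NumberOfIdEntries:WORD;     { entries whose Name field holds an integer ID }
     end;
     TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;
  
     { One entry of a resource directory table.
       Name:  bit 31 set -> low 31 bits are the offset of a
              TImageResourceDirStringU; clear -> low 31 bits are an integer ID
              (the C header exposes the low WORD of the ID as a union member
              "Id", which is why a separate Id field is not needed here).
       OffsetToData: bit 31 set -> low 31 bits are the offset of another
              TImageResourceDirectory; clear -> the offset of a
              TImageResourceDataEntry.
       NOTE(review): per the PE spec these offsets are relative to the start
       of the resource section, not file offsets -- confirm against the
       dumper.  Because a subdirectory offset can point back at an ancestor,
       a walker also needs a depth limit (or visited set) to avoid looping
       forever on a crafted file. }
     PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^TImageResourceDirectoryEntry;
     _IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
       Name:DWORD;         { NameOffset:31,NameIsString:1 }
   //    Id:WORD;
       OffsetToData:DWORD; { OffsetToDirectory:31,DataIsDirectory:1 }
     end;
     TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY;
  
     { ANSI resource directory name.  NameString is only the first character
       of a Length-counted string that continues past the record (the C
       header declares it as CHAR NameString[1]); read exactly Length
       characters and do not rely on a terminating NUL.  Declared as
       AnsiChar rather than Char: in Unicode Delphi (2009+) Char is 2 bytes,
       which would silently double the size of this record. }
     PIMAGE_RESOURCE_DIRECTORY_STRING = ^TImageResourceDirectoryString;
     _IMAGE_RESOURCE_DIRECTORY_STRING = packed record
       Length:WORD;        { length in characters, not bytes }
       NameString:AnsiChar;
     end;
     TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING;
  
     { Unicode resource directory name; same layout as above with 2-byte
       characters.  Length counts WCHARs, so the string occupies
       Length * 2 bytes after the Length field. }
     PIMAGE_RESOURCE_DIR_STRING_U = ^TImageResourceDirStringU;
     _IMAGE_RESOURCE_DIR_STRING_U = packed record
       Length:WORD;        { length in characters, not bytes }
       NameString:WCHAR;
     end;
     TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U;
  
     { Leaf of the resource tree: where the actual resource bytes live.
       NOTE(review): unlike the directory-entry offsets above, the PE spec
       defines OffsetToData here as an RVA -- confirm before converting it
       to a file offset.  Size is untrusted as well; check
       OffsetToData + Size against the section bounds before copying. }
     PIMAGE_RESOURCE_DATA_ENTRY = ^TImageResourceDataEntry;
     _IMAGE_RESOURCE_DATA_ENTRY = packed record
       OffsetToData:DWORD;
       Size:DWORD;
       CodePage:DWORD;
       Reserved:DWORD;
     end;
     TImageResourceDataEntry = _IMAGE_RESOURCE_DATA_ENTRY;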
  
   const
     IMAGE_RESOURCE_NAME_IS_STRING = $80000000;
     { 檢測TImageResourceDirectoryEntry.Name的最高為是否設立,
       是則說明剩下的31位指向IMAGE_RESOURCE_DIR_STRING_U的偏移,
       否則說明剩下的31位為一個整數ID。 }
     IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;
     { 檢測TImageResourceDirectoryEntry.OffsetToData的最高為是否設立,
       是則說明剩下的31位指向另一個IMAGE_RESOURCE_DIRECTORY的偏移,
       否則說明剩下的31位指向IMAGE_RESOURCE_DATA_ENTRY的偏移。 }
  
     { 以下是文件屬性具體值常量說明 }
     { File Characteristics }
     IMAGE_FILE_RELOCS_STRIPPED           = $0001; // Relocation info stripped from file.
     IMAGE_FILE_EXECUTABLE_IMAGE          = $0002; // File is executable.
     IMAGE_FILE_LINE_NUMS_STRIPPED        = $0004; // Line nunbers stripped from file.
     IMAGE_FILE_LOCAL_SYMS_STRIPPED       = $0008; // Local symbols stripped from file.
     IMAGE_FILE_AGGRESIVE_WS_TRIM         = $0010; // Agressively trim working set
     IMAGE_FILE_LARGE_ADDRESS_AWARE       = $0020; // App can handle >2gb addresses
     IMAGE_FILE_BYTES_REVERSED_LO         = $0080; // Bytes of machine word are reversed.
     IMAGE_FILE_32B99v_MACHINE             = $0100; // 32 bit word machine.
     IMAGE_FILE_DEBUG_STRIPPED            = $0200;  
     // Debugging info stripped from file in .DBG file
     IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   = $0400;  
     // If Image is on removable media, copy and run from the swap file.
     IMAGE_FILE_NET_RUN_FROM_SWAP         = $0800;  
     // If Image is on Net, copy and run from the swap file.
  
     IMAGE_FILE_SYSTEM                    = $1000; // System File.
     IMAGE_FILE_DLL                       = $2000; // File is a DLL.
     IMAGE_FILE_UP_SYSTEM_ONLY            = $4000; // File should only be run on a UP machine
     IMAGE_FILE_BYTES_REVERSED_HI         = $8000; // Bytes of machine word are reversed.
  
     { 以下是文件頭機器屬性值的具體說明 }
     { Machine }
     IMAGE_FILE_MACHINE_UNKNOWN           = $0;
     IMAGE_FILE_MACHINE_I386              = $014c; // Intel 386.
     IMAGE_FILE_MACHINE_R3000             = $0162; // MIPS little-endian, $160 big-endian
     IMAGE_FILE_MACHINE_R4000             = $0166; // MIPS little-endian
     IMAGE_FILE_MACHINE_R10000            = $0168; // MIPS little-endian
     IMAGE_FILE_MACHINE_WCEMIPSV2         = $0169; // MIPS little-endian WCE v2
     IMAGE_FILE_MACHINE_ALPHA             = $0184; // Alpha_AXP
     IMAGE_FILE_MACHINE_SH3               = $01a2; // SH3 little-endian
     IMAGE_FILE_MACHINE_SH3E    
 