PE文件格式分析心得

2019-11-17 05:38:44

字體：大中小

來源：轉載

供稿：網友

　　PE文件格式最近似乎炒得沸沸揚揚，由于我正在做一個這樣的程序，索性將自己的心得寫出來與大家同享。
  PE文件頭分兩大部分：
1：DOS ‘MZ’ HEADER
2：IMAGE_NT_HEADERS
  其中IMAGE_NT_HEADERS中包含
PE signature
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER（其中包含Data Direcotry）
  文件頭后緊跟著為
Section Table (array of IMAGE_SECTION_HEADERs)
  在Delphi的windows.pad中已經有定義的有：
TImageDosHeader;
TImageNtHeaders;
TImageSectionHeader; { size of TIm..der is $28 }
  定義變量后按住Ctrl可以察看具體的項目，這里我就不多說了，這方面的東西也很多。
  而其他的如TImageResourceDirectory等，在DELPHI中卻沒有定義，察看其他資料，我在這里給出他們的結構和簡單說明：
  以下是我寫的PEDump.exe的類型說明：

type
  PIMAGE_RESOURCE_DIRECTORY = ^TImageResourceDirectory;
  _IMAGE_RESOURCE_DIRECTORY = packed record
    Characteristics:DWord;
    TimeDateStamp:DWORD;
    MajorVersion:WORD;
    MinorVersion:WORD;
    NumberOfNamedEntries:WORD;
    NumberOfIdEntries:WORD;
  end;
  TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;
  { 資源目錄的格式說明 }

  PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^TImageResourceDirectoryEntry;
  _IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
    Name:DWORD;         { NameOffset:31,NameIsString:1 }
//    Id:WORD;
    OffsetToData:DWORD; { OffsetToDirectory:31,DataIsDirectory:1 }
  end;
  TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY;
  { 資源目錄進入點的格式說明 }

  PIMAGE_RESOURCE_DIRECTORY_STRING = ^TImageResourceDirectoryString;
  _IMAGE_RESOURCE_DIRECTORY_STRING = packed record
    Length:WORD;
    NameString:CHAR;
  end;
  TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING;
  { 資源目錄名的格式說明 }

  PIMAGE_RESOURCE_DIR_STRING_U = ^TImageResourceDirStringU;
  _IMAGE_RESOURCE_DIR_STRING_U = packed record
    Length:WORD;
    NameString:WCHAR;
  end;
  TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U;

  { unicode形式的資源目錄名的格式說明 }

  PIMAGE_RESOURCE_DATA_ENTRY = ^TImageResourceDataEntry;
  _IMAGE_RESOURCE_DATA_ENTRY = packed record
    OffsetToData:DWORD;
    Size:DWORD;
    CodePage:DWORD;
    Reserved:DWORD;
  end;
  TImageResourceDataEntry = _IMAGE_RESOURCE_DATA_ENTRY;
  { 資源目錄數據進入點的格式說明 }

const
  IMAGE_RESOURCE_NAME_IS_STRING = $80000000;
  { 檢測TImageResourceDirectoryEntry.Name的最高為是否設立，
    是則說明剩下的31位指向IMAGE_RESOURCE_DIR_STRING_U的偏移，
    否則說明剩下的31位為一個整數ID。 }
  IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;
  { 檢測TImageResourceDirectoryEntry.OffsetToData的最高為是否設立，
    是則說明剩下的31位指向另一個IMAGE_RESOURCE_DIRECTORY的偏移，
    否則說明剩下的31位指向IMAGE_RESOURCE_DATA_ENTRY的偏移。 }

  { 以下是文件屬性具體值常量說明 }
  { File Characteristics }
  IMAGE_FILE_RELOCS_STRipPED           = $0001; // Relocation info stripped from file.
  IMAGE_FILE_EXECUTABLE_IMAGE          = $0002; // File is executable.
  IMAGE_FILE_LINE_NUMS_STRIPPED        = $0004; // Line nunbers stripped from file.
  IMAGE_FILE_LOCAL_SYMS_STRIPPED       = $0008; // Local symbols stripped from file.
  IMAGE_FILE_AGGRESIVE_WS_TRIM         = $0010; // Agressively trim working set
  IMAGE_FILE_LARGE_ADDRESS_AWARE       = $0020; // App can handle >2gb addresses
  IMAGE_FILE_BYTES_REVERSED_LO         = $0080; // Bytes of machine word are reversed.
  IMAGE_FILE_32B99v_MACHINE             = $0100; // 32 bit word machine.
  IMAGE_FILE_DEBUG_STRIPPED            = $0200;
  // Debugging info stripped from file in .DBG file
  IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   = $0400;
  // If Image is on removable media, copy and run from the swap file.
  IMAGE_FILE_NET_RUN_FROM_SWAP         = $0800;
  // If Image is on Net, copy and run from the swap file.

  IMAGE_FILE_SYSTEM                    = $1000; // System File.
  IMAGE_FILE_DLL                       = $2000; // File is a DLL.
  IMAGE_FILE_UP_SYSTEM_ONLY            = $4000; // File should only be run on a UP machine
  IMAGE_FILE_BYTES_REVERSED_HI         = $8000; // Bytes of machine word are reversed.

  { 以下是文件頭機器屬性值的具體說明 }
  { Machine }
  IMAGE_FILE_MACHINE_UNKNOWN           = $0;
  IMAGE_FILE_MACHINE_I386              = $014c; // Intel 386.
  IMAGE_FILE_MACHINE_R3000             = $0162; // MIPS little-endian, $160 big-endian
  IMAGE_FILE_MACHINE_R4000             = $0166; // MIPS little-endian
  IMAGE_FILE_MACHINE_R10000            = $0168; // MIPS little-endian
  IMAGE_FILE_MACHINE_WCEMIPSV2         = $0169; // MIPS little-endian WCE v2
  IMAGE_FILE_MACHINE_ALPHA             = $0184; // Alpha_AXP
  IMAGE_FILE_MACHINE_SH3               = $01a2; // SH3 little-endian
  IMAGE_FILE_MACHINE_SH3E

上一篇：1.1　Turbo C語言概述

下一篇：OpenBSD 可加載內核模塊編程完全指南