Experience modifying PE files

Source: Internet
Author: User

Text: tU niuyuan

We all know that in Windows 9x, NT, and 2000 every executable file is based on a file format designed by Microsoft, the Portable Executable (PE) format. In some cases we need to modify these executable files. The text below describes the PE file format in detail and how a PE file can be modified.

PE file framework

    DOS MZ header
    DOS stub
    PE header
    Section table
    Section 1
    Section 2
    Section ...
    Section n

The table above shows the overall layout of the PE file structure. All PE files (including 32-bit DLLs) must start with a simple DOS MZ header. Offset 0 holds the "MZ" signature of a DOS executable; when the program is run under DOS, DOS recognises it as a valid executable and runs the DOS stub that follows the MZ header. After the DOS stub comes the PE header. "PE header" is short for the PE-related structure IMAGE_NT_HEADERS, which contains many important fields used by the PE loader. When the file is executed on an operating system that supports the PE format, the PE loader reads the start offset of the PE header from offset 3CH of the DOS MZ header, so it locates the real file header directly and skips the DOS stub.

TIPS: The DOS stub is itself a valid DOS EXE. On an operating system that does not support the PE format it simply displays an error message such as "This program cannot run in DOS mode", although a programmer can put complete DOS code there if they wish. Normally the DOS stub is generated automatically by the assembler/compiler and is of little use to us: it just calls interrupt 21h service 9 to display the string "This program cannot run in DOS mode".

The real content of a PE file is divided into blocks called sections. Each section is a block of data with common attributes, such as the ".text" section. What does a section contain? A PE file simply puts content with the same attributes into the same section; names such as ".text" and ".data" exist only for easy identification. So when modifying a PE file we can, in principle, write into any section and adjust that section's attributes accordingly.

The PE header is followed by an array of structures, the section table. Each structure holds the attributes, file offset, and virtual offset of the corresponding section. If the PE file contains five sections, the array has five members.

The above is the physical layout of the PE file format. The main steps taken when loading a PE file are:
1. The PE file is executed. The PE loader reads the PE header offset from the DOS MZ header and, if it is found, jumps to the PE header.
2. The PE loader checks the validity of the PE header. If it is valid, it moves on to the end of the PE header.
3. The section table follows the PE header. The PE loader reads the section information, maps each section into memory using file mapping, and applies the section attributes specified in the section table.
4. After the PE file is mapped into memory, the PE loader processes the logical parts of the PE file, such as the import table.

PE file header definition

We can find the PE file header definition in the winnt.h file:

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // PE header signature "PE\0\0"; located at the offset stored at 3CH of the DOS header
    IMAGE_FILE_HEADER FileHeader;           // physical layout of the PE file
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // logical layout of the PE file
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // CPU required to run the file; 14Ch for the Intel platform
    WORD  NumberOfSections;     // number of sections in the file
    DWORD TimeDateStamp;        // file creation date and time
    DWORD PointerToSymbolTable; // used for debugging
    DWORD NumberOfSymbols;      // number of symbols in the symbol table
    WORD  SizeOfOptionalHeader; // size of the OptionalHeader structure
    WORD  Characteristics;      // file flags, e.g. whether the file is an EXE or a DLL
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                       // flag (always 010bh)
    BYTE  MajorLinkerVersion;          // linker version
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;                  // code section size
    DWORD SizeOfInitializedData;       // size of the initialized data block
    DWORD SizeOfUninitializedData;     // size of the uninitialized data block
    DWORD AddressOfEntryPoint;         // RVA of the first instruction to be executed (see note below)
    DWORD BaseOfCode;                  // starting RVA of the code section
    DWORD BaseOfData;                  // starting RVA of the data section
    DWORD ImageBase;                   // preferred address at which the PE file is loaded
    DWORD SectionAlignment;            // section alignment in memory
    DWORD FileAlignment;               // section alignment in the file
    WORD  MajorOperatingSystemVersion; // required OS version
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;           // user-defined version number
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;       // Win32 subsystem version. If the PE file is written specifically for Win32,
    WORD  MinorSubsystemVersion;       // this subsystem version must be 4.0; otherwise dialog boxes will not have the 3D look
    DWORD Win32VersionValue;           // reserved
    DWORD SizeOfImage;                 // size of the entire PE image in memory
    DWORD SizeOfHeaders;               // size of all headers plus the section table
    DWORD CheckSum;                    // checksum
    WORD  Subsystem;                   // used by NT to identify the subsystem of the PE file
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    // array of IMAGE_DATA_DIRECTORY structures; each gives the RVA of an important data structure, such as the import address table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

Note on AddressOfEntryPoint: this is the RVA of the first instruction the PE loader runs. To change the whole flow of execution, set this value to a new RVA; the instructions at the new RVA are then executed first. (Many earlier articles have introduced RVAs; please read up on them first.)

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // RVA of the table
    DWORD Size;           // size of the table
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

The PE file header is followed by the section table, which is defined in winnt.h as follows:
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // name of the section, such as ".text"
    union {
        DWORD PhysicalAddress; // physical address
        DWORD VirtualSize;     // actual length in memory
    } Misc;
    DWORD VirtualAddress;      // RVA
    DWORD SizeOfRawData;       // physical length in the file
    DWORD PointerToRawData;    // file offset of the section data (remaining fields as declared in winnt.h)
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;     // section attributes (code/data, readable, writable, executable)
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
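The loader steps described earlier and the header and section-table definitions above can be exercised with the following C program. It is an added example, not code from the original article. It re-declares the relevant winnt.h structures with fixed-width types so it compiles outside Windows, builds a constructed minimal PE32 image in memory (the bytes are made up for this example and are not a real program), and then follows the loader's path: read e_lfanew at offset 3CH, verify the "PE\0\0" signature, read IMAGE_FILE_HEADER and the leading fields of IMAGE_OPTIONAL_HEADER, locate the section table, and translate AddressOfEntryPoint (an RVA) to a file offset through VirtualAddress and PointerToRawData. The names pe_parse, pe_rva_to_offset, build_sample_pe and sample_checks are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The winnt.h structures used here (PE32 only), re-declared with fixed-width
 * types and no padding so they overlay the file bytes exactly. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t e_unused[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct {                   /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} file_header_t;
typedef struct {                   /* leading fields of IMAGE_OPTIONAL_HEADER32 */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
} optional_header_prefix_t;
typedef struct {                   /* IMAGE_SECTION_HEADER, 40 bytes */
    char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;
#pragma pack(pop)
typedef struct { uint16_t num_sections; uint32_t entry_rva; const section_header_t *sections; } pe_info_t;

/* Follow the loader's path through the headers. Every offset and count comes from the
 * file, so each is bounds-checked before use. Returns 0 on success, negative otherwise. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out) {
    if (len < sizeof(dos_header_t)) return -1;
    const dos_header_t *dos = (const dos_header_t *)buf;
    if (dos->e_magic != 0x5A4D) return -2;                     /* "MZ" missing */
    size_t pe_off = dos->e_lfanew;                             /* read from offset 3CH */
    if (pe_off > len || len - pe_off < 4 + sizeof(file_header_t)) return -3;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -4;     /* Signature missing */
    const file_header_t *fh = (const file_header_t *)(buf + pe_off + 4);
    size_t opt_off = pe_off + 4 + sizeof(file_header_t);
    if (fh->SizeOfOptionalHeader < sizeof(optional_header_prefix_t) ||
        len - opt_off < fh->SizeOfOptionalHeader) return -5;   /* truncated inside the headers */
    const optional_header_prefix_t *oh = (const optional_header_prefix_t *)(buf + opt_off);
    if (oh->Magic != 0x10b) return -6;
    size_t sec_off = opt_off + fh->SizeOfOptionalHeader;       /* section table follows the optional header */
    if (len - sec_off < (size_t)fh->NumberOfSections * sizeof(section_header_t)) return -7;
    out->num_sections = fh->NumberOfSections; out->entry_rva = oh->AddressOfEntryPoint;
    out->sections = (const section_header_t *)(buf + sec_off);
    return 0;
}

/* Map an RVA to a file offset through the section table. VirtualSize may exceed
 * SizeOfRawData (the tail is zero-filled when mapped), so an RVA can fall inside a
 * section yet have no bytes on disk; that case is reported as a failure. */
int pe_rva_to_offset(const pe_info_t *pe, uint32_t rva, uint32_t *file_off) {
    for (uint16_t i = 0; i < pe->num_sections; i++) {
        const section_header_t *s = &pe->sections[i];
        uint32_t span = s->VirtualSize > s->SizeOfRawData ? s->VirtualSize : s->SizeOfRawData;
        if (rva >= s->VirtualAddress && rva - s->VirtualAddress < span) {
            uint32_t delta = rva - s->VirtualAddress;
            if (delta >= s->SizeOfRawData) return -1;          /* in the section, but not on disk */
            *file_off = s->PointerToRawData + delta; return 0;
        }
    }
    return -1;                                                 /* RVA belongs to no section */
}

static void set_section(section_header_t *s, const char *name, uint32_t rva, uint32_t vsize, uint32_t raw_off, uint32_t raw_size, uint32_t flags) {
    memset(s, 0, sizeof *s); memcpy(s->Name, name, strlen(name));
    s->VirtualAddress = rva; s->VirtualSize = vsize; s->PointerToRawData = raw_off;
    s->SizeOfRawData = raw_size; s->Characteristics = flags;
}

/* Build a constructed minimal PE32 image (made up for this example, not a real program):
 * headers in the first 0x200 bytes, .text at file 0x200 (RVA 0x1000), .data at 0x400 (RVA 0x2000). */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t total = 0x600, pe_off = 0x80;
    if (cap < total) return 0;
    memset(buf, 0, total);
    dos_header_t dos = {0}; dos.e_magic = 0x5A4D; dos.e_lfanew = (uint32_t)pe_off;
    memcpy(buf, &dos, sizeof dos); memcpy(buf + pe_off, "PE\0\0", 4);
    file_header_t fh = {0}; fh.Machine = 0x14c; fh.NumberOfSections = 2;
    fh.SizeOfOptionalHeader = 0xE0; fh.Characteristics = 0x0102;   /* full PE32 optional header; EXE, 32-bit */
    memcpy(buf + pe_off + 4, &fh, sizeof fh);
    optional_header_prefix_t oh = {0}; oh.Magic = 0x10b; oh.AddressOfEntryPoint = 0x1010;
    oh.BaseOfCode = 0x1000; oh.BaseOfData = 0x2000; oh.ImageBase = 0x400000; oh.SectionAlignment = 0x1000; oh.FileAlignment = 0x200;
    memcpy(buf + pe_off + 4 + sizeof fh, &oh, sizeof oh);
    section_header_t secs[2];
    set_section(&secs[0], ".text", 0x1000, 0x100, 0x200, 0x200, 0x60000020); /* CODE|EXECUTE|READ */
    set_section(&secs[1], ".data", 0x2000, 0x300, 0x400, 0x200, 0xC0000040); /* INITIALIZED_DATA|READ|WRITE; VirtualSize > raw */
    memcpy(buf + pe_off + 4 + sizeof fh + 0xE0, secs, sizeof secs);
    buf[0x210] = 0xC3;                                         /* a "ret" byte at the entry point's file offset */
    return total;
}

/* Exercise the sample image end to end; returns how many of the six checks passed. */
int sample_checks(void) {
    uint8_t img[0x600]; pe_info_t pe; uint32_t off = 0; int ok = 0;
    size_t n = build_sample_pe(img, sizeof img);
    ok += (pe_parse(img, n, &pe) == 0 && pe.num_sections == 2 && pe.entry_rva == 0x1010);
    ok += (pe_rva_to_offset(&pe, pe.entry_rva, &off) == 0 && off == 0x210 && img[off] == 0xC3);
    ok += (pe_rva_to_offset(&pe, 0x2100, &off) == 0 && off == 0x500);   /* .data, present on disk */
    ok += (pe_rva_to_offset(&pe, 0x2250, &off) != 0);                  /* .data, past SizeOfRawData */
    ok += (pe_parse(img, 0x100, &pe) == -5);                           /* file cut off inside the headers */
    img[0] = 'Z'; ok += (pe_parse(img, n, &pe) == -2);                 /* MZ signature damaged */
    return ok;
}

int main(void) { printf("sample checks passed: %d/6\n", sample_checks()); return 0; }
```

Two points worth noting from the code. First, e_lfanew, SizeOfOptionalHeader and NumberOfSections are all read from the file, so a parser that trusts them can be walked out of its buffer by a malformed header; pe_parse checks each against the buffer length before dereferencing. Second, the RVA-to-offset translation is what any patching tool needs once AddressOfEntryPoint is changed: the RVA must land in a section whose bytes exist on disk, which is why the .data section is built with VirtualSize larger than SizeOfRawData and the lookup distinguishes the two.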
