PE file structure (4) output table, pe output

PE file structure (4) output table, pe output

PE file structure (4)

Reference

Book: encryption and decryption

Video: Little Turtle decryption series video

Output table

Generally, the output table exists in the dll. The output table provides the name of the function in the file and the address of these functions. The PE Loader modifies the IAT through the output table.

DataDirectory [0] In IMAGE_OPTIONAL_HEADER provides the RVA of the output table. The output table starts with an IMAGE_EXPORT_DIRECTORY structure.

IMAGE_EXPORT_DIRECTORY structure:

Typedef struct _ IMAGE_EXPORT_DIRECTORY {DWORD Characteristics; // The time when the DWORD TimeDateStamp is not used; // The time when the file is generated is WORD MajorVersion; // The main version number, which is generally 0 WORD MinorVersion; // the version number, it is generally 0 DWORD Name; // The rva dword Base pointing to the dll Name; // The Base, generally 1 (starting from 1) DWORD NumberOfFunctions; // AddressOfFunctions the number of elements in the array directed to DWORD NumberOfNames; // The number of elements in the array pointed to by AddressOfNames DWORD AddressOfFunctions; // The rva dword AddressOfNames of the function address array ENT; // function name array rva dword AddressOfNameOrdinals of EAT; // RVA of the output serial number array, which is in the unit of WORD and used to connect the function name array to the function address array} IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY;

The output table is mainly used to modify the IAT for the PE Loader, that is, to find the function entry address. The PE Loader can search for the address of a function by serial number or function name.

1. Search for the function entry address from the serial number

The PE Loader knows the serial number through INT. You can use this serial number to find the function address array EAT.

2. Find the function entry address from the function name

Find the function name array ENT by using the function name, and find the number n of the function name in the array (starting from 0 ), then, the nth value of the output serial number array (starting from 0) is obtained ). Then, the value of the function address array EAT whose value is the serial number is the entry address of the function.

That is, the ENT [Output serial number array [n]

Instance analysis:

For example, find the AdjustWindowRect function in user32.dll.

First, check the binary file of user32.dll. Its IMAGE_OPTIONAL_HEADER structure is:

Image 1

We can know that:

Name: RVA 55C0h file offset value: 49C0h
Base: 1
NumberOfFunctions: 02DCh
NumberOfNmae: 02DCh
AddressOfFunctions: RVA 3928 h file offset value: 2D28h
AddressOfNames: RVA 4498 h file offset value: 3898 h
AddressOfNameOrdinals: RVA 5008 h file offset value: 4408 h

View the string pointed to by the ENT array. You can see that AdjustWindowRect is 2nd elements. Therefore, you can view the 2nd elements in the output serial number array pointed to by AddressOfNameOrdinals. The value can be 1.

Image 2

Then, check that the value of the element with the serial number 1 (2nd elements) in the EAT is 021140 h. This is the rva of the AdjustWindowRect function.

Image 3

What is pe file structure analysis?

The PE file is called a Portable executable and is the full name of Portable Execute. Common EXE, DLL, OCX, SYS, and COM are all PE files, PE files are program files on Microsoft Windows operating systems (may be indirectly executed, such as DLL)
The executable file format of an operating system is a mirror of the system in many aspects. Although learning an executable file format is generally not a programmer's top priority, you can learn a lot from it. In this article, I will give a detailed introduction to all MicroSoft's portable executable (PE) file formats based on win32 systems (such as winnt and win9x. In the foreseeable future, including Windows2000 and PE file formats, MicroSoft will play an important role in the operating system. If you are using Win32 or Winnt, you are already using the PE file. Even if you are using Visual C ++ programming in Windows, you are still using PE files (the 32-bit MS-DOS extension component of Visual C ++ uses this format ). In short, the PE format has been widely used and is still inevitable in the future. Now it's time to find out what this new executable file format brings to the operating system.
Comprehensive Introduction: baike.baidu.com/view/1097038.htm

Learning pe file structure

The length of the PE file structure. Hard? And where to learn. I am very interested in computer technology. You do not need to be proficient in problem assembly/data structure, and you only need to be able to understand PE. You only need to know how to check when using it.