PE (Portable Executable: an executable that can be ported)

PE stands for Portable Executable. It is the native executable file format of the Win32 environment, and some of its features are inherited from the Unix COFF (Common Object File Format). "Portable executable" means that the format is universal across Win32: even when Windows runs on a non-Intel CPU, the PE loader on any Win32 platform can recognize and use files in this format. Of course, a PE executable ported to a different CPU still needs changes to its code. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, including NT kernel mode drivers. Therefore, studying the PE file format gives us an opportunity to gain insight into the structure of Windows.

In this tutorial, let's take a look at an overview of the PE file format.

Dos mz Header
Dos Stub
PE Header
Section Table
Section 1
Section 2
Section...
Section N

This is the overall layout of the PE file structure. All PE files (even 32-bit DLLs) must start with a simple DOS MZ header. We are usually not very interested in this structure; its purpose is that when the program is run under DOS, DOS can identify it as a valid executable and run the DOS stub that follows the MZ header. The DOS stub is itself a valid DOS EXE. On an operating system that does not support the PE file format, it simply displays an error message, typically a string such as "This program requires Windows", although the programmer can supply a complete DOS program of their own instead. Usually we are not very interested in the DOS stub either, because in most cases it is generated automatically by the assembler/compiler. Generally it calls interrupt 21h, service 9, to display the string "This program cannot run in DOS mode".

Following the DOS stub is the PE Header. "PE Header" is the common short name for the PE-related structure IMAGE_NT_HEADERS. It contains many important fields used by the PE loader; when we look at the PE file format in more depth, we will examine these fields. When the executable is run on an operating system that supports the PE file format, the PE loader reads the starting offset of the PE Header from the DOS MZ header, skips the DOS stub, and locates the real file header, the PE Header, directly.

The real content of a PE file is divided into blocks called sections. Each section is a block of data with common attributes, such as code/data and read/write. We can think of a PE file as a logical disk: the PE Header is the boot sector of the disk and the sections are the files on it; each file naturally has its own attributes, such as read-only, system, hidden, or archive. It is worth noting that sections are divided according to the common attributes of each group of data, not according to logical concepts: what matters is not how the data/code is used. If data and code in a PE file have the same attributes, they can be placed in the same section, so you need not worry about sections matching logical concepts such as "data" or "code". (Note: the section name is merely a label that distinguishes one section from another. Names such as "data" and "code" exist only for easy identification; only a section's attribute settings determine its features and function. If you want a block of data to be read-only, you put it in a read-only section; when the PE loader maps the section contents, it checks the section attributes and sets the corresponding memory block to the specified protection.)

If we regard the PE file as a logical disk, with the PE Header as the boot sector and the sections as the files, we still lack enough information to locate the different files on the disk. In other words, what in the PE file format corresponds to the directory? The answer is the Section Table, an array of structures that immediately follows the PE Header. Each structure contains the attributes, file offset and virtual offset of the corresponding section; if the PE file has five sections, the array has five members. So we can regard the section table as the root directory of the logical disk, with each array member equivalent to a directory entry in the root directory.

The above is the physical layout of the PE file format. The main steps for loading a PE file are as follows:

1. When the PE file is executed, the PE loader reads the PE Header offset from the DOS MZ header. If it is found, the loader jumps to the PE Header.
2. The PE loader checks whether the PE Header is valid. If it is, the loader jumps to the end of the PE Header.
3. The section table immediately follows the PE Header. The PE loader reads the section information, maps each section into memory using file mapping, and applies the section attributes specified in the section table.
4. After the PE file is mapped into memory, the PE loader processes the logical parts of the PE file, such as the import table.

The steps above are based on my own observations. There are obviously still some inaccuracies, but the process of handling the executable is basically clear.
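The walk described above (MZ header, e_lfanew, PE signature, file header, section table, then mapping each section at its virtual offset with the protection its Characteristics field asks for) can be followed in a few dozen lines of Python. The code below is an added example and is not part of the original tutorial; it builds its own tiny, constructed PE32 image in memory (two sections, a single RET in .text and a short string in .data) so that it runs offline, and it handles only the PE32 optional header. The structure layouts and flag values come from winnt.h; the helper names (build_sample_pe, parse_pe, section_perms, rva_to_file_offset, map_image) are chosen here and are not a Win32 API.

```python
import struct

# Section Characteristics flags as defined in winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B
FILE_HEADER_FMT = '<HHIIIHH'      # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = '<8sIIIIIIHHI'      # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Return a minimal, constructed PE32 image (test data for this example, not a real program)."""
    img = bytearray(0x600)
    img[0:2] = b'MZ'                                    # DOS MZ header magic
    struct.pack_into('<I', img, 0x3C, 0x80)             # e_lfanew: file offset of the PE Header
    stub = b'This program cannot be run in DOS mode.'    # stand-in for the DOS stub's message
    img[0x40:0x40 + len(stub)] = stub
    img[0x80:0x84] = b'PE\0\0'                          # IMAGE_NT_HEADERS.Signature
    struct.pack_into(FILE_HEADER_FMT, img, 0x84,        # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
                     IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 224, 0x0102)
    opt = 0x98                                          # optional header follows the 20-byte file header
    struct.pack_into('<H', img, opt, PE32_MAGIC)
    struct.pack_into('<I', img, opt + 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into('<I', img, opt + 28, 0x00400000)   # ImageBase
    struct.pack_into('<I', img, opt + 32, 0x1000)       # SectionAlignment
    struct.pack_into('<I', img, opt + 36, 0x200)        # FileAlignment
    sec = opt + 224                                     # section table follows the optional header
    text = (b'.text', 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = (b'.data', 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    struct.pack_into(SECTION_FMT, img, sec, *text)
    struct.pack_into(SECTION_FMT, img, sec + 40, *data)
    img[0x200] = 0xC3                                   # .text raw data: a single RET
    img[0x400:0x406] = b'hello\0'                       # .data raw data
    return bytes(img)


def parse_pe(data):
    """Step 1 and 2 of the loader: MZ header -> e_lfanew -> PE signature -> file header -> section table."""
    if data[:2] != b'MZ':
        raise ValueError('missing DOS MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature at e_lfanew')
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from('<H', data, opt)[0] != PE32_MAGIC:
        raise ValueError('only PE32 optional headers are handled in this example')
    entry = struct.unpack_from('<I', data, opt + 16)[0]
    image_base = struct.unpack_from('<I', data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({'name': f[0].rstrip(b'\0').decode('ascii'), 'virtual_size': f[1],
                         'rva': f[2], 'raw_size': f[3], 'raw_offset': f[4], 'characteristics': f[9]})
    return {'machine': machine, 'entry_rva': entry, 'image_base': image_base, 'sections': sections}


def section_perms(characteristics):
    """Render the memory protection the loader derives from a section's Characteristics (e.g. 'R-X')."""
    bits = (('R', IMAGE_SCN_MEM_READ), ('W', IMAGE_SCN_MEM_WRITE), ('X', IMAGE_SCN_MEM_EXECUTE))
    return ''.join(flag if characteristics & bit else '-' for flag, bit in bits)


def rva_to_file_offset(pe, rva):
    """Translate a virtual offset (RVA) back to a file offset using the section table as the 'directory'."""
    for s in pe['sections']:
        if s['rva'] <= rva < s['rva'] + max(s['virtual_size'], s['raw_size']):
            return rva - s['rva'] + s['raw_offset']
    raise ValueError('RVA 0x%x is not inside any section' % rva)


def map_image(pe, data):
    """Step 3 of the loader, simplified: copy each section's raw bytes to its RVA in a flat image buffer."""
    end = max(s['rva'] + max(s['virtual_size'], s['raw_size']) for s in pe['sections'])
    image = bytearray(end)
    for s in pe['sections']:
        raw = data[s['raw_offset']:s['raw_offset'] + s['raw_size']]
        image[s['rva']:s['rva'] + len(raw)] = raw
    return image


if __name__ == '__main__':
    blob = build_sample_pe()
    pe = parse_pe(blob)
    print('machine 0x%04x, entry RVA 0x%x, image base 0x%x' % (pe['machine'], pe['entry_rva'], pe['image_base']))
    for s in pe['sections']:
        print('%-8s rva=0x%05x raw=0x%05x perms=%s' % (s['name'], s['rva'], s['raw_offset'],
                                                        section_perms(s['characteristics'])))
    print('RVA 0x2004 -> file offset 0x%x' % rva_to_file_offset(pe, 0x2004))
```

The point of section_perms and map_image together is the one made in the text: the loader does not care whether a section is called .text or .data, it copies the raw bytes to the section's virtual offset and applies whatever protection the Characteristics field carries. A real loader also honours SectionAlignment and ImageBase, zero-fills the gap between SizeOfRawData and VirtualSize, and then walks the import table (step 4), none of which this example attempts.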

You should download Luevelsmeyer's description of the PE file format. The description in that document is quite detailed and can be used as a reference manual.

Translation: iamgufeng [iczelion's Win32 Assembly homepage] [luoyunbin's Win32 ASM Page]
Your Own Original article Article : Simple Algorithm "Bottom
Sunday, July 2005
4 2e2c/$53 push EBX
4 2e2d |. 56 push ESI
4 2e2e |. 57 push EDI
4 2e2f |. 89c6 mov ESI, eax
4 2e31 |. 5 push eax
4 2e32 |. 85c test eax, eax
4 2e34 |. 74 73 je short China Communications. 4 2ea9
4 2e36 |. 31C XOR eax, eax
4 2e38 |. 31db xor ebx, EBX
4 2e3a |. BF cccccc C mov EDI, ccccccc // 214748364
4 2e3f |> 8a1e/mov BL, byte ptr ds: [esi] // The first registration code 7
4 2e41 |. 46 | Inc ESI
4 2e42 |. 8 Fb 2 | cmp bl, 2
4 2e45 |. ^ 74 F8 \ je short China Communications. 4 2e3f
4 2e47 |. B5 mov CH,
4 2e49 |. 8 FB 2D cmp bl, 2D
4 2e4c |. 74 69 je short China Communications. 4 2eb7
4 2e4e |. 8 FB 2B cmp bl, 2B
4 2e51 |. 74 66 je short China Communications. 4 2eb9
4 2e53 |. 8 FB 24 cmp bl, 24
4 2e56 |. 74 66 je short China Communications. 4 2ebe
4 2e58 |. 8 FB 78 cmp bl, 78
4 2e5b |. 74 61 je short China Communications. 4 2ebe
4 2e5d |. 8 FB 58 cmp bl, 58
4 2e6 |. 74 5C je short China Communications. 4 2ebe
4 2e62 |. 8 FB 3 cmp bl, 3
4 2e65 |. 75 13 jnz short China Communications. 4 2e7a
4 2e67 |. 8a1e mov BL, byte ptr ds: [esi]
4 2e69 |. 46 Inc ESI
4 2e6a |. 8 FB 78 cmp bl, 78
4 2e6d |. 74 4f je short China Communications. 4 2ebe
4 2e6f |. 8 FB 58 cmp bl, 58
4 2e72 |. 74 4A je short China Communications. 4 2ebe
4 2e74 |. 84db test BL, BL
4 2e76 |. 74 2 je short China Communications. 4 2e98
4 2e78 |. EB 4 JMP short China Communications. 4 2e7e
4 2e7a |> 84db test BL, BL
4 2e7c |. 74 34 je short China Communications. 4 2eb2
4 2e7e |> 8 EB 3/sub BL, 3
4 2e81 |. 8 FB 9 | cmp bl, 9
4 2e84 |. 77 2C | ja short China Communications. 4 2eb2
4 2e86 |. 39f8 | CMP eax, EDI // 214748364
4 2e88 |. 77 28 | ja short China Communications. 4 2eb2
4 2e8a |. 8d 48 | Lea eax, dword ptr ds: [eax + eax * 4]
4 2e8d |. 1C | add eax, eax
3c1c3e 251a8f
4 2e8f |. 1d8 | add eax, EBX
4 2e91 |. 8a1e | mov BL, byte ptr ds: [esi] // obtain the second registration code 8
4 2e93 |. 46 | Inc ESI
4 2e94 |. 84db | test BL, BL
4 2e96 |. ^ 75 E6 \ jnz short China Communications. 4 2e7e
4 2e98 |> fecd dec ch
4 2e9a |. 74 1 je short China Communications. 4 2eac
4 2e9c |. 85c test eax, eax // The registration code is converted to hexadecimal 4b23526
4 2e9e |. 7c 12 JL short China Communications. 4 2eb2
4 2ea |> 59 pop ECx // false code 78787878
4 2ea1 |. 31f6 xor esi, ESI // ESI = 1 2fc59 = 16972889
4 2ea3 |> 8932 mov dword ptr ds: [edX], ESI
4 2ea5 |. 5f pop EDI
4 2ea6 |. 5E pop ESI
4 2ea7 |. 5B pop EBX // EBX = 78787878
4 2ea8 |. C3 retn

4 A |. 8bf mov ESI, eax // ESI = A eax = 4b23526
4 A A2 |. 833c24 cmp dword ptr ss: [esp],
4 A A6 |. 74 19 je short China Communications. 4 A C1
4 A A8 |. 895c24 4 mov dword ptr ss: [esp + 4], EBX
4 a ac |. c64424 8 B mov byte ptr ss: [esp + 8], B
4 A B1 |. 8d5424 4 Lea edX, dword ptr ss: [esp + 4]
4 A B5 |. A1 188a54 mov eax, dword ptr ds: [548a18]
4 A ba |. 33c9 XOR ECx, ECx
4 a bc |. E8 dbf7ffff call China Communications. 4 989c
4 A C1 |> 8bc6 mov eax, ESI // eax = 4b23526
4 A C3 |. 83c4 C add ESP, C // 12fc4 + c = 1244224 + c = 1244236
4 A C6 |. 5E pop ESI // 4b23526
4 A C7 |. 5B pop EBX // 78787878
4 A C8 \. C3 retn

537c |. 8b55 F4 mov edX, dword ptr ss: [EBP-C] // edX = 12fc4
537c 3 |. 81c2 fc7e12 add edX, 127efc // edX = edX + 127efc = 1281 B = 1212683 edX = 2 F + 127ef
537c 9 |. 81c2 9ee464 add edX, 64e49e // edX = edX + 64e49e = 7765a9 = 78248 9 edX = 1281 B + 64e49e
537c f |. 3bc2 CMP eax, EDX // comparison of true and false Codes
537c11 |. 75 19 jnz short China Communications. 537c2c // over
537c11 |./75 19 jnz short China Communications. 537c2c
537c13 |. | B3 1 mov BL, 1
537c15 |. | B8 ecc554 mov eax, China Communications. 54c5ec
537c1a |. | 8b55 F8 mov edX, dword ptr ss: [ebp-8]
537c1d |. | E8 eec2ecff call China Communications. 4 3f1
537c22 |. | 8b45 F4 mov eax, dword ptr ss: [EBP-C]
537c25 |. | A3 F c554 mov dword ptr ds: [54c5f], eax
537c2a |. | EB 2 JMP short China Communications. 537c2e
537c2c |> \ 33db xor ebx, EBX
537c2e |> 33C XOR eax, eax
537c3 |. 5A pop edX
537c31 |. 59 pop ECx // false code
537c32 |. 59 pop ECx
537c33 |. 64: 891 mov dword ptr fs: [eax], EDX
537c36 |. 68 5b7c53 push China Communications. 537c5b
537c3b |> 8d45 EC Lea eax, dword ptr ss: [ebp-14]
537c3e |. E8 79c2ecff call China Communications. 4 3ebc
537c43 |. 8d45 F Lea eax, dword ptr ss: [ebp-1]
537c46 |. E8 71c2ecff call China Communications. 4 3ebc
537c4b |. 8d45 F8 Lea eax, dword ptr ss: [ebp-8]
537c4e |. E8 69c2ecff call China Communications. 4 3ebc
537c53 \. C3 retn
537c54. ^ E9 5 bbcecff JMP China Communications. 4 38b4
537c59. ^ EB e JMP short China Communications. 537c3b
537c5b. 8bc3 mov eax, EBX
537c5d. 5E pop ESI
537c5e. 5B pop EBX
537c5f. 8be5 mov ESP, EBP
537c61. 5D pop EBP
537c62. C3 retn

53B 2. 84c test Al, Al // Test
53B 4. 74 9 je short China Communications. 53B f // Burst Point-jump over
53B 6. 8bc3 mov eax, EBX
53B 8. E8 d7c8ffff call China Communications. 5366e4
53B D. 5B pop EBX
53B E. C3 retn
53B F> B8 24B 53 mov eax, China Communications. 53B 24
53B 14. E8 CF4 f2ff call China Communications. 45f E8
53B 19. 5B pop EBX
53B 1A. C3 retn

----------------------------------------------------------

----------------------------------------------------------

Modify the program registration as follows: Delete the application and register the application again.

HKEY_USERS\.Default\Software\CNET\demo\Name

Key Value: String: "B EB-D1C1" // machine code

HKEY_USERS\.Default\Software\CNET\demo\Pass

Key Value: DWORD: 527; x2 f)

HKEY_USERS\S-1-5-18\Software\CNET\demo\Name

Key Value: String: "B EB-D1C1"

HKEY_USERS\S-1-5-18\Software\CNET\demo\Pass

Key Value: DWORD: 527; x2 f)
