Manually construct a typical PE File

Question: an absolutely detailed tutorial on manually Constructing PE files.

 

Reprint Please Note Copyright: A1Pass http://a1pass.blog.163.com/

I have been learning the PE file structure for a long time and never dared to look down on it. But even so, I still find myself lacking in this aspect, so I thought of creating a complete executable PE file by hand. During this period, I also checked a large amount of information, but these materials all have a common problem: incomplete. I just translated some of these materials. The inside story of encryption and decryption technology is more general, in addition, it is a 180-byte PE file, a pleasant little game for Masters after dinner.

In view of this, I wonder why I am not trying to create a complete one by myself? One is to enhance your understanding of PE files, and the other is to write an article with strong reference, paving the way for friends who wish to develop here, it is a good thing to benefit the nation and the people.

For manual creation of PE files, I personally think it should be divided into at least three articles. each article is relatively independent and forms a relative system. The first article (that is, this article) describes how to create the most typical and simple PE file by hand, the advent of the last two articles will also reference Mr. Pan aimin's statement "it will take time and opportunity ".

The manual editing of PE files described in this article is based on the following three principles. Please note:
1. Integrity: It is necessary to introduce fields that do not need to be paid attention to when creating PE files manually. Therefore, the entire text may be very bloated.
2. Typical: It is constructed completely according to the typical PE file structure, so there is a certain gap between Some uncommon PE file structures.
3. Easy to learn: The logical relationships between fields are described in detail. Therefore, some readers may be somewhat embarrassed.

In order to facilitate reading and reading, I have divided the article into three parts so that readers can get what they need without wasting their valuable energy on searching.
1. The overall information of the PE file provides a chart that analyzes the PE file, so that readers can have an overall understanding of the PE file and monitor their work progress.
2. For the introduction of key fields and the logical relationship between fields, we recommend that you start from here.
3. Manually construct the PE file field list. This list contains every byte of a complete PE file. With this list, you can construct a PE file.

For friends who created PE files manually for the first time, you can take "1. Overall information" as the outline, and refer to the third part to build it slowly, if you have any questions, go to the second part.

Select read: Why do we need to create PE files manually?

We know that some features of the entire operating system can be viewed from the perspective of a system executable file structure. That is to say, PE contains the shadow of the Windows operating system structure and operating mechanism. It can be seen that PE files must be a very complex and complex logical structure. Why do we need to create a PE file manually? This should begin with the importance of PE files.

Today, the main Member of the Windows family is the PE file, which includes EXE, DLL, OCX, SYS and other most valuable files, all of which are in the PE file format, for copyright considerations or a desire for a technology, any behavior related to Windows systems will eventually be centralized here-PE files.

Especially for those who want to learn how to shell, crack, and engage in virtual machines, it is essential to be familiar with the PE file structure!

However, because of the complexity of PE files, we have to take some special measures to overcome it. Manual creation of PE files is a shortcut.

As you can imagine, if you can create PE files manually, you can see your understanding of PE files. However, I would like to remind you that even so, we only know a part of it, but it is generally enough.

I. Overall Information

This section shows the overall structure of the PE file in the form of charts.

-------------*-------------------------------------------------*
| DOS Header (IMAGE_DOS_HEADER) | --> 64 bytes
DOS header --------------------------------------------------
| DOS Stub | -- & gt; 112 Byte
-------------*-------------------------------------------------*
| "PE" 00 (Signature) | --> 4 bytes
-------------------------------------------------
| IMAGE_FILE_HEADER | --> 20 bytes
PE File Header --------------------------------------------------
| IMAGE_OPTIONAL_HEADER32 | --> 96 bytes
---------------------------------------------------
| Data directory table | --> 128 bytes
-------------*--------------------------------------------------*
| IMAGE_SECTION_HEADER | --> 40 bytes
---------------------------------------------------
Block table | IMAGE_SECTION_HEADER | --> 40 bytes
--------------------------------------------------
| IMAGE_SECTION_HEADER | --> 40 bytes
-------------*--------------------------------------------------*
|. Text | -- & gt; 512 Byte
---------------------------------------------------
Block |. rdata | --> 512 bytes
---------------------------------------------