A section in PE is used to store different types of data (code, data, constants, resources). Different sections have different access permissions.
Section is the basic unit for storing code or data in PE files. Some data types belong to different data directories, but they are classified into the same section because their access attributes are the same. The section may occupy one or more pages, the page attributes in
The PE file format is the self-contained execution body file format in the Win32 environment. The main subject of a personal volume is the .exe file and .DLL file. I don't know if it is correct. If it's not correct, I hope the heroes will correct it. I will not talk about it much more. Brother Feng feixue described it in detail in encryption and decryption, first, write a console-based PE File Format analy
Configuration: System: win7 + Ubuntu dual-system; Computer: Sony
Cause:
After windows 12.04 and Ubuntu are installed, Ubuntu has some problems, so I want to reinstall ubuntu.
I used the easybcd software to install the dual-system, because I did not know about the software and system, and so on. I just thought about it. Do I think Sony has any built-in recovery software? I can fix the entire hard disk and restore the system to the factory status. So I did it.
As a result, there is a tragedy
IMAGE_DOS_HEADER STRUCT
{
+0h WORD e_magic // Magic DOS signature MZ (4Dh 5Ah), DOS executable file tag
+2h WORD e_cblp // Bytes on last page of file
+4h WORD e_cp // Pages in file
+6h WORD e_crlc // Relocations
+8h WORD e_cparhdr // Size of header in paragraphs
+0Ah WORD e_minalloc // Minimum extra paragraphs needed
+0Ch WORD e_maxalloc // Maximum extra paragraphs needed
+0Eh WORD e_ss // Initial (relative) SS value, DOS code initialization stack SS
+10h WORD e_sp /
The parser writes additional data to the file.
It mainly resolves the PE File Header, locates the overlay location, and writes the file. The common application scenario is that in crackme, crackme itself has a piece of encrypted additional data, parse its own additional data during the crackme operation, and then decrypt the data ....
Code retention:
// Parse your PE file TCHAR szModuleFile [MAX_PATH] = {
Research on basic PE resources
Resources are generally stored in a tree, which usually contains three layers. In NT, the top layer is type, followed by name, and finally language. If a PE file contains a resource file, the system checks whether the section table contains ".rsrc", but this does not apply to some PE files.
1. The structure of a type table is as
How is the PE system drive letter modified? I believe everyone has used WinPE, but the PE drive letter is fixed every time; is there no way to change the letter?
For example, changing the PE system from the B drive to the W drive. Carrying forward the DIY spirit, let's modify it together. The following areas roughly need to be changed:
First, WINPE. There is one place in the IN
Solutions for when the PE system cannot find the hard drive. Here we introduce the following four methods:
Method One:
On the desktop, right-click "My Computer"--"manage"--"Disk Management", you can see that PE has recognized the mobile hard disk (disk 1), but did not assign a letter to it.
On a partition on a removable hard disk (disk 1) (if there are 2 or more partitions), right-click--"Change drive name and path"--"
binary level of metadata.
In the next article, I will gradually strip away the organizational structure of metadata in PE, so that you can understand what this mysterious CLR core is, what it hides, what we can get through it, what he did, why he designed it, and so on ...
1.4 The organization structure of metadata in PE
After saying a nonsense, back to Roman up, talk about metadata in
I recently bought a mobile hard disk online and want to install a PE system on it for system maintenance. I will explain how to install the PE system on the mobile hard disk; this method will not harm the data on the mobile hard disk itself!
Of course, someone would like to, why not buy a U disk, click on it! Oh, or I hope you do not spray me greatly!
Installation Preparation:
As this article has a lot of content, I wrote it as a Doc document. In order to review the knowledge, I manually added a section to the original software and wrote it up to share with everyone. I also tried to use LordPE to add a section and found that it unexpectedly failed. It's better to do it yourself, and it runs perfectly. Use OD's assembler function to do whatever you want in the new section, haha.
PE information prior to modification
Modified PE information
Excerpt from
Format c disk for NTFS format
Unzip the ISO installation file, find the boot, BOOTMGR and sources items, and copy them to the C drive root directory; or copy boot and BOOTMGR, create a new folder named sources on the C drive, and copy Boot.win from the sources directory in the ISO installation file to the newly created sources directory on the C drive
Run cmd in the Win PE system and enter: C:\boot\bootsect.exe /nt60 C: See the hint successful the word indicates succ
of each register reference: http://www.cnblogs.com/ant-colonies/p/6008322.html
The representation of the flag register in debug:
ax=0000 bx=0000 cx=0000 dx=0000 sp=ffee bp=0000 si=0000 di=0000
ds=**** es=**** ss=**** cs=**** ip=0100
NV up EI PL NZ NA PO NC
Bit   Flag   Flag value is 1          Flag value is 0
0     CF     CY (CarrY)               NC (Not CarrY)
2     PF     PE (Parity Even)         PO (Parity Odd)
4     AF     AC (Auxiliary Carry)     NA (No Auxiliary Carry)
6     ZF     ZR (Zero)                NZ (Not Zero)
7     SF     NG (neg
bytes.
* Indicates the fields that need attention; the most useful are the SizeOfRawData, PointerToRawData and Characteristics fields.
Name *
This field holds the chunk name. (In a word: name only, no use.)
Requirements:
1. A UTF8 string of 8 bytes; if the chunk name exceeds 8 bytes, there is no final terminating flag "NULL".
2. The name of each chunk is unique and cannot have two chunks of that name.
3. Also, if the name is too long, you can use a slash (/) with an ASCII character to represent a
ZwCreateProcessEx is a very good thing, although it is undocumented. However, if you have carefully read the source of Win2K and have a good understanding of the PE operating mechanism, you will find some interesting things.
This is critical to all current NT kernel systems. What can it be used for?
1. Create vulnerabilities
2. Privilege escalation
3. Use it to write viruses
4. Write various Trojans
5. Various rootkits
But here I just want to briefly talk about the princ
This large-capacity U disk boot disk is based on the first DOS boot disk, will be micro winpe (by old peach) win fault recovery console, dwarf dos toolbox, dm9.75, pqpartition magician dos edition, kv2006 dos anti-virus companion, efficiency source hard disk repair, gdisk single hard disk fast partitioning, system testing, etc. USB flash drive is enabled in USB-zip mode. The menu after startup is as follows (the image is not completely accurate):
1. Start dwarf dos toolkit V5.0
2. Start the pqpar
It took me seven days to complete this work, and I have almost never been out of the house these seven days. Debugging is performed several hundred times, because you have a computer on hand, and you have to shut down the computer every time you debug it. You can use a real computer to test it. In fact, it could have been completed in about three days, but it took a long time to study the problem when adding the fedora Installation Guide. During this period, I learned how to compile the grub4dos
1. If this problem occurs, we need to set it in the BIOS of the computer. Press F12 or Del when the computer starts up to enter the BIOS, and then on the BIOS interface shown below, select the Advanced menu, select the SATA Configuration option, and then press Enter;
2. In the window that appears in Windows 8, press Enter to open the SATA Mode Section option. The IDE and AHCI options are displayed; select IDE and press Enter;
3. After that, you can re-enter the
1, At boot, press "F2" to enter the BIOS, select Advanced, change "Fast BIOS Mode" to "Disabled", and then go to Boot;
2, Select Secure Boot and change "Enabled" to "Disabled"; after that, an OS mode selection option will appear under "Secure Boot";
3, Change "UEFI OS" to "CSM OS", then save with F10; on restart press F10, select USB boot, and you can enter PE.
4, to enter the PE after