Home > Others

A preliminary study on the format of PE file by means of graphic tools

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Tools:

Petool,minihex,peviewer

This paper takes the native Notepad.exe as the research object. Native 64-bit, the Notepad.exe is a 64-bit application.

1 Open With Peviewer

PE files generally include four parts, DOS header, NT header, section table and specific sections. The first three parts are shown.


2 DOS Header

E_magic: A word type, the value is a constant 0x4d5a, with a text editor to view the value bit ' mz ', the executable must be ' MZ ' at the beginning.

E_lfanew: The domain that is extended for 32-bit executables, which represents the offset of the NT header after the DOS header relative to the file start address.

Look at the left-handed e_lfanew for 0x000000e8, find this address on the right, as shown on the 000000E0 line at the cursor;

The starting four bytes are 50 45 00 00, and the signature of the PE head on the right is in accordance with the corresponding;



3 File Header

Definition of PE file header:

typedef struct _IMAGE_FILE_HEADER {
WORD machine;
WORD numberofsections;
DWORD TimeDateStamp;
DWORD pointertosymboltable;
DWORD Numberofsymbols;
WORD Sizeofoptionalheader;
WORD characteristics;
} Image_file_header, *pimage_file_header;

Machine: The running platform of this file is x86, x64 or I64 and so on, which can be one of the lower denominations.
Numberofsections: How many sections in the PE file, that is, the number of items in the section table.
Timedatestamp:pe file creation time, usually has the connector fills in.

The contents of the left and right cursor are in accordance with the control.







4 Importing Tables

To calculate the starting address of the import table, it is difficult to calculate, use the tool to see, such as; Import table start address is

0x00000178


Peviewer the contents of the imported table;


Look at 16 in the binary file of 00000178, and peviewer given the seemingly inconsistent, but here is not quite understand;


16 binary files and the content given by Petool is consistent;

5 function names in the import table

Try to find the name of the imported SetWindowText function in the 16 binary file position;


What is thunk RVA, is not very familiar with the related calculation;

Directly find 0000d640 place to see, not setwindowtext;


Use the search function to find SetWindowText, in the following position; This RVA calculation is more complicated;



Link

Http://www.pediy.com/kssd/tutorial/chap8-1-6.htm
http://blog.csdn.net/evileagle/article/details/11693499

A preliminary study on the format of PE file by means of graphic tools

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
examples of graphic programs of following defines means tested program by way of definition example of learning by define by way of a certification study guide comptia a study book

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More