EXE file structure and reading method, exe structure reading

Source: Internet
Author: User

1. EXE file concept

EXE file: an executable file. It can be loaded into memory and executed by the operating system, and it is a relocatable program that can be placed anywhere in the operating system's storage space. For example, the notepad.exe program can be used to edit documents: double-clicking test.txt opens it in the notepad.exe Notepad program for editing.

2. EXE file structure

The EXE file is divided into two parts: the EXE file header and the program body. The EXE format is complex and has a multi-segment structure; it is one of the most successful and complex DOS designs. Each EXE file contains a file header and a relocatable program image. The file header contains the information MS-DOS needs to load the program, such as the program size and the initial register values. The file header also points to a relocation table, which contains a list of pointers to the relocatable segment addresses in the program image. MS-DOS loads an EXE program by copying the image directly from the file into memory and then adjusting the relocatable segment addresses described in the relocation table. The relocation table is an array of relocation pointers, each pointing to a relocatable segment address in the program image. For details about the principle and structure, see "The structure and principle of the EXE file".

The preceding figure shows the EXE file header.
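
The following C++ code is an added example, not part of the original article. It parses the header fields described above from a byte buffer and then performs the loader's relocation step, rejecting headers and relocation entries that point outside the file or image. The field offsets are the standard MZ header layout; the names MzInfo, parseMz, loadImage and sampleExe and the 48-byte sample file are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>
using Bytes = std::vector<uint8_t>;
struct MzInfo { uint16_t relocCount, ss, sp, ip, cs, relocOff; size_t imageOff, imageSize; };
static uint16_t rd16(const Bytes& b, size_t off) {   // little-endian word, bounds-checked
    if (off + 2 > b.size()) throw std::runtime_error("read past end");
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
MzInfo parseMz(const Bytes& f) {   // parse and validate the fields the loader uses
    if (f.size() < 0x1C || rd16(f, 0) != 0x5A4D) throw std::runtime_error("not MZ");
    uint16_t lastPage = rd16(f, 0x02), pages = rd16(f, 0x04);   // size in 512-byte pages
    if (pages == 0 || lastPage > 511) throw std::runtime_error("bad size fields");
    size_t total = size_t(pages) * 512 - size_t(lastPage ? 512 - lastPage : 0);
    MzInfo h{};
    h.relocCount = rd16(f, 0x06); h.relocOff = rd16(f, 0x18);   // entry count, table offset
    h.imageOff = size_t(rd16(f, 0x08)) * 16;                    // header size in paragraphs
    h.ss = rd16(f, 0x0E); h.sp = rd16(f, 0x10);                 // initial SS:SP
    h.ip = rd16(f, 0x14); h.cs = rd16(f, 0x16);                 // initial CS:IP
    if (total > f.size() || h.imageOff > total || h.relocOff + h.relocCount * 4u > f.size())
        throw std::runtime_error("header inconsistent with file");
    h.imageSize = total - h.imageOff;
    return h;
}
// Loader step: copy the image, then add the load segment to each relocated word.
Bytes loadImage(const Bytes& f, const MzInfo& h, uint16_t loadSeg) {
    Bytes img(f.begin() + h.imageOff, f.begin() + h.imageOff + h.imageSize);
    for (size_t e = h.relocOff, n = 0; n < h.relocCount; ++n, e += 4) {
        size_t at = size_t(rd16(f, e + 2)) * 16 + rd16(f, e);   // entry = offset, segment
        if (at + 2 > img.size()) throw std::runtime_error("relocation outside image");
        uint16_t v = static_cast<uint16_t>(rd16(img, at) + loadSeg);
        img[at] = v & 0xFF; img[at + 1] = v >> 8;
    }
    return img;
}
// Constructed 48-byte sample: 32-byte header, one relocation entry, 16-byte image.
Bytes sampleExe() {
    Bytes f(48, 0);
    auto w = [&](size_t off, uint16_t v) { f[off] = v & 0xFF; f[off + 1] = v >> 8; };
    w(0x00, 0x5A4D); w(0x02, 48); w(0x04, 1); w(0x06, 1); w(0x08, 2);  // magic, sizes
    w(0x10, 0x0100); w(0x14, 0x0002); w(0x18, 0x1C);                   // SP, IP, table offset
    w(0x1C, 0x0004); w(0x1E, 0x0000); w(32 + 4, 0x0001);  // entry (off 4, seg 0); image word
    return f;
}
int main() {
    MzInfo h = parseMz(sampleExe());
    std::printf("CS:IP=%04X:%04X relocs=%u\n", unsigned(h.cs), unsigned(h.ip), unsigned(h.relocCount));
}
```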

3. Open EXE files

Because an EXE file is a binary file, it has to be opened in a special way: you need to specify the format (binary mode) when opening it. See the following code:

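#include <fstream>
#include <ios>
#include <iostream>
using namespace std;

const int BUFFER_SIZE = 1024;

// Read the stream in BUFFER_SIZE chunks and write the raw bytes to stdout.
void update(ifstream& in) {
    if (!in) {
        return;  // the file could not be opened
    }
    char buffer[BUFFER_SIZE];
    // read() fails on the final short chunk, so also check gcount().
    while (in.read(buffer, BUFFER_SIZE) || in.gcount() > 0) {
        // The data is binary and not NUL-terminated, so write exactly
        // gcount() bytes instead of printing the buffer as a C string.
        cout.write(buffer, in.gcount());
    }
    in.close();
}

int main() {
    // Open in binary mode so that no newline translation is applied.
    ifstream in("1.exe", ios_base::binary);
    update(in);
    return 0;
}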

ios_base is a class in the C++ standard library and is defined in the header file <ios>. The ios_base class encapsulates the basic information of standard C++ stream input and output that does not depend on the type of data being read or written, such as formatting information, exception status, and event callback functions.




How to read the source code of the exe file?

You cannot see the source code of the generated program, but you can see the program resources. Use E-Code Explorer to decompile and debug the easy-format executable files generated by easy-language compilation, analyze the internal structure, and view the data.

[Function overview]
1. Format analysis: analyze the overall structure of easy-to-format executable files and view the data of corresponding items. The analysis of the PE skeleton (PE Header) and the easy-format mycoplasma are presented with a clear tree structure and supplemented with detailed analysis tables.
2. Disassembly analysis: quick static disassembly of easy-format executable files. This feature lets you conveniently jump to a target address and preview the code at the address being called.
3. Form analysis: analyzes the form data contained in easy-format executable files. The subordinate structure of each form unit is clearly displayed in a tree structure. Detailed display of control properties, accurate locating of event-handling functions, and convenient switching to the disassembly mode let users go straight to the code of the event function to be debugged and avoid wasting time in the runtime code. This is required for debugging non-linear, event-driven programs.
4. Symbol modifier: You can call the easy-language support library as a symbol table to modify the disassembly code. You can directly analyze the methods and operation attributes called by the function, used constants, basic data types, custom data types, and window units. This greatly improves the readability of the Code.
5. Internal data analysis: analyzes constants, API functions, services, and call support libraries used by the program.
6. Multiple Loading Methods: supports loading from files and loading disassembly directly from memory of a process. Attaching the Process List directly can avoid debugging difficulties caused by some AntiDebug operations.
7. Supports multiple formats: standard PE executable files, easy-format files, and other types of easy-format files can all be analyzed correctly.
8. Easy-format captors: Easy-format executable files (such as files encapsulated by other means after shelling) of unknown shells can be easily and quickly analyzed.
9. Provides the hexadecimal File Viewing function.
10. Provides a variety of auxiliary tools to complete functions such as dump easy-to-format scripts in the memory, fix relocation information, and generate EXE files.
11. Both the analysis results and the disassembly results can be directly exported to generate a report file.
12. Supports custom disassembly and environment color for HEX display. You can select your preferred color to read the code.
13. For detailed analysis settings, you can set the most appropriate debugging environment on your own.
14. Provides the file drag-and-drop function for direct analysis or debugging.
15. You can obtain the file to be analyzed from the command line.
More functions are waiting for you to find.
 
In C/C++, the file I/O functions are used to read EXE files.

#include <fstream>
using namespace std;

int main() {
    ifstream fin("abc.exe", ios_base::binary);
    ofstream fout("aaa.exe", ios_base::binary);
    char gc;
    // Test the read itself: checking eof() only after the write copies the last byte twice.
    while (fin.read(&gc, sizeof(char))) {
        fout.write(&gc, sizeof(char));
    }
    fin.close();
    fout.close();
    return 0;
}
