PE file Format Learning PE head shift

I've just started to learn cyber security from the start of a free-to-kill. Remember when antivirus software is still very weak. Jin Shanjiang rising still exists.

That will not understand what principle, have been blind to tinker. (later into the ranks of infiltration)

This period of time has been learning PE format, suddenly remembered the former very old PE file head shift.

Search on the Internet, see everyone although did the video, but no one said the principle. By just learning PE format knowledge, do a PE file head shift notes. (Do not like to spray, just learn PE header file format, inevitably error please mention, thank you)

Of course, the very old way to kill the soft is simply vulnerable. Take notes purely.

The basic structure of the PE file is as follows:

image_dos_header definition

Image_dos_header STRUCT +00h Word e_magic//Magic DOS signature MZ (4Dh 5Ah) DOS executable tag +02h word E_CBLP//Bytes on Last page of the file +04h Word E_CP//Pages in file+06h word E_CRLC//relocations+08h word E_CPARHDR//Size of Hea  Der in Paragraphs+0ah word e_minalloc//minimun extra paragraphs needs+0ch word e_maxalloc//Maximun extra paragraphs Needs+0eh word e_ss//intial (relative) SS value DOS code initialization stack SS +10h WORD e_sp//intial SP value DOS code initialization stack pointer SP + 12h word e_csum//Checksum +14h word e_ip//intial IP value DOS code initialization instruction entry [pointer IP] +16h WORD e_cs//intial (Relati  VE) CS value DOS code initial stack entry cs+18h word E_LFARLC//File Address of relocation table +1ah Word e_ovno//Overlay number +1ch word e_res[4]//Reserved words +24h word e_oemid//OEM identifier (for e_oeminfo) +26h word e_oeminfo//OEM Information;e_oemid specific +29h WORD e_res2[10]//Reserved words +3ch LONG e_lfanew//Offset to start of PE Heade R point to PE file header image_dos_heADER ENDS 

To: NC (Swiss Army Knife for example)

Load Nc.exe with C32asm

(Photo 1 reproduced online)

The offset address starts at 0 bytes and is the EXE MZ flag of the DOS header. That's 5a4d. With this logo, DOS can recognize that the program is not a valid execution body. (because the Intel CPU belongs to the Little-endian class, the character storage bit is low before, the high is behind)

+3ch long  e_lfanew  //Offset to start of PE header   point to PE file header, Long is 4 bytes

So, we get the PE file header offset address to 00d8.


Image_file_header structure

 image_file_header STRUCT  +04h WORD machine; //  run platform  +06h WORD numberofsections; //   The number of chunks in the file  +08h DWORD timedatestamp; //  file creation date and time  +0ch DWORD pointertosymboltable; //   points to the symbol table (primarily for debugging)  +10h DWORD numberofsymbols; //   +14h WORD Sizeofoptionalheader; //   IMAGE_OPTIONAL_HEADER32 structure size  +16h WORD characteristics; //  file property  Image_file_header ENDS 

Here, we just need to be careful.

+14h      WORD          sizeofoptionalheader;  IMAGE_OPTIONAL_HEADER32 Structure Size

Starting with the PE head, the offset 14H is 20 bytes, resulting in a structure size.

The structure size is E0, we change the 16 to 10 binary. You know how many bytes the structure has.

Copy the data and move up to 8 bytes upwards.

The PE head size needs to be recalculated because the PE head moves the position.

Because the PE head has moved over the position, the PE head size needs to be re-modified and the DOS head points to the PE head position. Such as.

Run successfully.

PE file Format Learning PE head shift