Learning to crack <2>: IMAGE_NT_HEADERS in the PE format


IMAGE_NT_HEADERS is the actual PE image header. NT presumably stands for New Technology, as opposed to the DOS/Win9x line; whether you read it that way or not does not matter much.
The layout of IMAGE_NT_HEADERS is as follows (offsets are relative to the start of the structure).
 
IMAGE_NT_HEADERS STRUCT
    +0h   DWORD                    Signature
    +4h   IMAGE_FILE_HEADER        FileHeader
    +18h  IMAGE_OPTIONAL_HEADER32  OptionalHeader
IMAGE_NT_HEADERS ENDS
It contains two child structures and one flag.
The Signature field holds 00004550h, which reads as the ASCII bytes "PE\0\0", and marks the start of the PE header. As described in the previous article, the e_lfanew field of the DOS header points here.
 
The structure IMAGE_FILE_HEADER is like this.
 
typedef struct _IMAGE_FILE_HEADER
{
    +04h  WORD  Machine;              // target platform (CPU type)
    +06h  WORD  NumberOfSections;     // number of sections in the file
    +08h  DWORD TimeDateStamp;        // file creation date and time
    +0Ch  DWORD PointerToSymbolTable; // pointer to the symbol table (mainly used for debugging)
    +10h  DWORD NumberOfSymbols;      // number of symbols in the symbol table (same use as above)
    +14h  WORD  SizeOfOptionalHeader; // size of the IMAGE_OPTIONAL_HEADER32 structure
    +16h  WORD  Characteristics;      // file attributes
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
 
Machine identifies the CPU type; the possible values are defined in windows.h.
 
#define IMAGE_FILE_MACHINE_UNKNOWN   0
#define IMAGE_FILE_MACHINE_I386      0x014c  // Intel 386.
#define IMAGE_FILE_MACHINE_R3000     0x0162  // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000     0x0166  // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000    0x0168  // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169  // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA     0x0184  // Alpha_AXP
#define IMAGE_FILE_MACHINE_POWERPC   0x01F0  // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_SH3       0x01a2  // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3E      0x01a4  // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4       0x01a6  // SH4 little-endian
#define IMAGE_FILE_MACHINE_ARM       0x01c0  // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB     0x01c2
#define IMAGE_FILE_MACHINE_IA64      0x0200  // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16    0x0266  // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU   0x0366  // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466  // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64   0x0284  // ALPHA64
#define IMAGE_FILE_MACHINE_AXP64     IMAGE_FILE_MACHINE_ALPHA64
 
NumberOfSections gives the number of sections. The section table follows IMAGE_NT_HEADERS directly; it is probably best thought of as a list-like structure whose length is determined by NumberOfSections.
TimeDateStamp records the file creation time.
SizeOfOptionalHeader is the size of the other sub-structure of IMAGE_NT_HEADERS, IMAGE_OPTIONAL_HEADER. It is generally 00E0h for a 32-bit PE file and 00F0h for a 64-bit PE file.
Characteristics holds the file attributes: an EXE file is generally 0100h and a DLL file generally 210Eh. Several attributes can be combined by OR-ing the following flags together.
 
#define IMAGE_FILE_RELOCS_STRIPPED         0x0001  // relocation information has been stripped
#define IMAGE_FILE_EXECUTABLE_IMAGE        0x0002  // file is executable
#define IMAGE_FILE_LINE_NUMS_STRIPPED      0x0004  // line numbers have been stripped
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED     0x0008  // local symbols have been stripped
#define IMAGE_FILE_AGGRESIVE_WS_TRIM       0x0010  // aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE     0x0020  // program can handle addresses larger than 2 GB
#define IMAGE_FILE_BYTES_REVERSED_LO       0x0080  // bytes of machine word are reversed
#define IMAGE_FILE_32BIT_MACHINE           0x0100  // 32-bit machine
#define IMAGE_FILE_DEBUG_STRIPPED          0x0200  // debugging information has been moved out to a .dbg file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400  // if on removable media, copy to the swap file and run from there
#define IMAGE_FILE_NET_RUN_FROM_SWAP       0x0800  // if on the network, copy to the swap file and run from there
#define IMAGE_FILE_SYSTEM                  0x1000  // system file
#define IMAGE_FILE_DLL                     0x2000  // file is a DLL
#define IMAGE_FILE_UP_SYSTEM_ONLY          0x4000  // file should only be run on a uniprocessor machine
#define IMAGE_FILE_BYTES_REVERSED_HI       0x8000  // bytes of machine word are reversed
 
Let's write a program that reads and displays this structure.
 
#include <windows.h>  // most of the PE structures are defined through this header file
#include <stdio.h>

int main(int argc, char *argv[])
{
    FILE *p;
    LONG e_lfanew;                  // file offset of the IMAGE_NT_HEADERS32 structure
    IMAGE_FILE_HEADER myfileheader;

    p = fopen("test.exe", "rb");    // binary mode, otherwise text translation corrupts the read
    if (p == NULL) return -1;

    fseek(p, 0x3c, SEEK_SET);       // IMAGE_DOS_HEADER.e_lfanew sits at offset 3Ch
    fread(&e_lfanew, 4, 1, p);
    fseek(p, e_lfanew + 4, SEEK_SET);   // skip the 4-byte PE Signature (a DWORD) to reach IMAGE_FILE_HEADER
    fread(&myfileheader, sizeof(myfileheader), 1, p);

    printf("IMAGE_FILE_HEADER structure:\n");
    printf("Machine: %04X\n", myfileheader.Machine);
    printf("NumberOfSections: %04X\n", myfileheader.NumberOfSections);
    printf("TimeDateStamp: %08lX\n", myfileheader.TimeDateStamp);
    printf("PointerToSymbolTable: %08lX\n", myfileheader.PointerToSymbolTable);
    printf("NumberOfSymbols: %08lX\n", myfileheader.NumberOfSymbols);
    printf("SizeOfOptionalHeader: %04X\n", myfileheader.SizeOfOptionalHeader);
    printf("Characteristics: %04X\n", myfileheader.Characteristics);
    getchar();                      // wait for a key so the console window stays open
    fclose(p);
    return 0;
}
In general, IMAGE_FILE_HEADER records various file information.
 
The following describes the IMAGE_OPTIONAL_HEADER structure. It is an "optional" structure that supplements IMAGE_FILE_HEADER, but in practice it is required in many cases.
 
typedef struct _IMAGE_OPTIONAL_HEADER
{
    //
    // Standard fields.
    //
    +18h  WORD  Magic;                       // flag: ROM image (0107h), normal executable file (010Bh)
    +1Ah  BYTE  MajorLinkerVersion;          // major version number of the linker
    +1Bh  BYTE  MinorLinkerVersion;          // minor version number of the linker
    +1Ch  DWORD SizeOfCode;                  // total size of all sections containing code
    +20h  DWORD SizeOfInitializedData;       // total size of all sections containing initialized data
    +24h  DWORD SizeOfUninitializedData;     // total size of all sections containing uninitialized data
    +28h  DWORD AddressOfEntryPoint;         // RVA of the program entry point
    +2Ch  DWORD BaseOfCode;                  // starting RVA of the code section
    +30h  DWORD BaseOfData;                  // starting RVA of the data section
    //
    // NT additional fields. The following fields were added for the NT structure.
    //
    +34h  DWORD ImageBase;                   // preferred load address of the program
    +38h  DWORD SectionAlignment;            // alignment of sections in memory
    +3Ch  DWORD FileAlignment;               // alignment of sections in the file
    +40h  WORD  MajorOperatingSystemVersion; // major version number of the minimum required operating system
    +42h  WORD  MinorOperatingSystemVersion; // minor version number of the minimum required operating system
    +44h  WORD  MajorImageVersion;           // major version number of the image
    +46h  WORD  MinorImageVersion;           // minor version number of the image
    +48h  WORD  MajorSubsystemVersion;       // major version number of the minimum required subsystem
    +4Ah  WORD  MinorSubsystemVersion;       // minor version number of the minimum required subsystem
    +4Ch  DWORD Win32VersionValue;           // unused field, generally 0 (unless a virus has put something there)
    +50h  DWORD SizeOfImage;                 // total size of the image once loaded into memory
    +54h  DWORD SizeOfHeaders;               // size of all headers plus the section table
    +58h  DWORD CheckSum;                    // checksum
    +5Ch  WORD  Subsystem;                   // subsystem expected by the executable
    +5Eh  WORD  DllCharacteristics;          // when DllMain() is called; default value 0
    +60h  DWORD SizeOfStackReserve;          // stack size reserved at initialization
    +64h  DWORD SizeOfStackCommit;           // stack size actually committed at initialization
    +68h  DWORD SizeOfHeapReserve;           // heap size reserved at initialization
    +6Ch  DWORD SizeOfHeapCommit;            // heap size actually committed at initialization
    +70h  DWORD LoaderFlags;                 // debugging related; default value 0
    +74h  DWORD NumberOfRvaAndSizes;         // number of entries in the data directory below; has been 16 since the release of Windows NT
    +78h  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
                                             // data directory table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
 
This structure holds a lot of things, which is painful, but many of them are optional and you don't have to worry about them. Only a few are important.
AddressOfEntryPoint is the entry address when the file executes. It is an RVA, and is commonly called the OEP. If you have code that should run before the program body, you only need to point this entry at that code.
ImageBase is the file's preferred load address. Generally an EXE file does not need to be relocated, while a DLL file may.
SectionAlignment and FileAlignment give the alignment unit of sections in memory and in the file on disk, respectively.
DataDirectory is a powerful member. It consists of 16 IMAGE_DATA_DIRECTORY structures that locate a number of useful data blocks.
The structure itself is very simple.
 
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   // relative virtual address
    DWORD Size;             // size
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
It has only two members: the relative virtual address and the size.
 
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
The index into DataDirectory (up to IMAGE_NUMBEROF_DIRECTORY_ENTRIES) determines the purpose of each data block.
 
#define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
//      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     10  // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    11  // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT             12  // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    13  // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  14  // COM Runtime descriptor
 
Finally, let's read all of these structures.
 
#include <windows.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    FILE *p;
    unsigned long Signature;
    IMAGE_FILE_HEADER myfileheader;
    IMAGE_DOS_HEADER mydosheader;
    IMAGE_OPTIONAL_HEADER32 myoptionalheader;   // the 32-bit variant, matching the listing above

    p = fopen("test.exe", "rb");    // binary mode
    if (p == NULL) return -1;

    fread(&mydosheader, sizeof(mydosheader), 1, p);
    fseek(p, mydosheader.e_lfanew, SEEK_SET);
    fread(&Signature, sizeof(Signature), 1, p);

    fseek(p, mydosheader.e_lfanew + sizeof(Signature), SEEK_SET);   // offset of the IMAGE_FILE_HEADER structure
    fread(&myfileheader, sizeof(myfileheader), 1, p);

    fseek(p, mydosheader.e_lfanew + sizeof(Signature) + sizeof(myfileheader), SEEK_SET);   // offset of IMAGE_OPTIONAL_HEADER32
    fread(&myoptionalheader, sizeof(myoptionalheader), 1, p);

    printf("e_lfanew: %lX\n", mydosheader.e_lfanew);

    printf("Signature: %08lX\n", Signature);
    printf("IMAGE_FILE_HEADER structure:\n");
    printf("Machine: %04X\n", myfileheader.Machine);

    printf("IMAGE_OPTIONAL_HEADER structure:\n");
    printf("Magic: %04X\n", myoptionalheader.Magic);

    fclose(p);
    return 0;
}

Since the IMAGE_OPTIONAL_HEADER structure has so many members, I won't print them all. The Magic value is generally 010Bh, so printing it is enough to check whether the structure I read is correct.
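As an added example (not the original article's code), here is the same walk from e_lfanew through the Signature, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 performed on an in-memory buffer, with every offset bounds-checked before it is read, which the fread-based programs above skip. It does not use windows.h, so the field offsets come straight from the listings above; the header bytes it parses are constructed by build_sample_pe32, not taken from a real file.

```c
#include <stdint.h>
#include <string.h>
/* Subset of IMAGE_NT_HEADERS (PE32 only) pulled out by the parser below. */
typedef struct {
    uint16_t machine, number_of_sections, size_of_optional_header, characteristics, magic;
    uint32_t address_of_entry_point, image_base, size_of_image, number_of_rva_and_sizes;
    uint32_t import_rva, import_size;   /* DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] */
} pe32_summary;
/* Little-endian readers/writers so the code is portable and never overlays a struct on the bytes. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }
/* Returns 0 on success or a negative code naming the first check that failed. Every offset is
   validated against len first, so a bogus e_lfanew or SizeOfOptionalHeader cannot push the
   parser past the end of the buffer. */
int parse_pe32_nt_headers(const uint8_t *buf, size_t len, pe32_summary *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;     /* no IMAGE_DOS_HEADER */
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -2;       /* e_lfanew past end of file */
    const uint8_t *nt = buf + e_lfanew, *fh = nt + 4, *oh = fh + 20;
    if (rd32(nt) != 0x00004550) return -3;                           /* Signature is not "PE\0\0" */
    out->machine = rd16(fh);                      out->number_of_sections = rd16(fh + 2);
    out->size_of_optional_header = rd16(fh + 16); out->characteristics = rd16(fh + 18);
    if (out->size_of_optional_header < 0x60 || len - e_lfanew - 24 < out->size_of_optional_header) return -4;
    out->magic = rd16(oh);
    if (out->magic != 0x010b) return -5;                             /* only PE32 offsets handled here */
    out->address_of_entry_point = rd32(oh + 0x10);                   /* +28h in the listing above */
    out->image_base = rd32(oh + 0x1c);                               /* +34h */
    out->size_of_image = rd32(oh + 0x38);                            /* +50h */
    out->number_of_rva_and_sizes = rd32(oh + 0x5c);                  /* +74h */
    if (out->number_of_rva_and_sizes > 16 || 0x60 + 8 * out->number_of_rva_and_sizes > out->size_of_optional_header) return -6;
    out->import_rva = out->import_size = 0;
    if (out->number_of_rva_and_sizes > 1) { out->import_rva = rd32(oh + 0x68); out->import_size = rd32(oh + 0x6c); }
    return 0;
}
/* Writes a constructed, minimal PE32 header image (not a real executable) into buf; returns its length. */
size_t build_sample_pe32(uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x80; size_t total = e_lfanew + 4 + 20 + 0xE0;
    if (cap < total) return 0;
    memset(buf, 0, total); buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3c, e_lfanew);
    uint8_t *fh = buf + e_lfanew + 4, *oh = fh + 20;
    wr32(buf + e_lfanew, 0x00004550);                                /* "PE\0\0" */
    wr16(fh, 0x014c); wr16(fh + 2, 3); wr16(fh + 16, 0xE0); wr16(fh + 18, 0x010F);
    wr16(oh, 0x010b); wr32(oh + 0x10, 0x1000); wr32(oh + 0x1c, 0x00400000);
    wr32(oh + 0x38, 0x5000); wr32(oh + 0x5c, 16); wr32(oh + 0x68, 0x2000); wr32(oh + 0x6c, 0x50);
    return total;
}
```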
