Small Turtle's PE Explained: The Export Table in Detail (PE Explained 09)

Source: Internet
Author: User

When a PE file is executed, the Windows loader maps the file into memory, loads the dynamic-link libraries (usually .dll files) registered in its import table into the address space, and then patches the IAT of the executable according to the function export information in those DLL files.

(Basic supplement: many readers may be a bit lost at this point, so please allow the small turtle to ramble a little for the sake of beginners. After Windows loads a program, that program gets its own virtual address space in memory, so from each program's point of view it has almost arbitrary control over addresses and can decide for itself where its functions live. Many functions are used by a great many programs, and writing the same function into every program would waste space, so Windows introduced the concept of the dynamic link library: commonly used functions are packaged into a DLL, and a program that needs them simply loads the DLL and integrates the functions into itself, which greatly saves memory.



There is an important concept to keep in mind: a dynamic link library executes in the address space of another application, and the two can be regarded as one. The DLL can use the resources of the application, the resources it owns can be used by the application, and everything it does is done on behalf of the application. When a DLL opens files, allocates memory, or creates windows, those files, memory, and windows are owned by the application. That is why the small turtle calls the dynamic link library a "parasite"!)

What is the export table for? The export table describes the information that a dynamic link library exports. Through the export table, a DLL provides the system with the names, ordinals, and entry addresses of its exported functions, and the Windows loader uses that information to complete the whole process of dynamic linking.

Friendly tip: the export table generally does not exist in PE files with the .exe extension, while most .dll files contain one. Note that this is not absolute: for example, a .dll used purely as a resource container needs no exported functions, while an .exe with certain special features may export functions. So there is nothing absolute about it... OK, let's analyze the structure of the export table next.


Export Table Structure

The main component of the export table is a table containing function names, export ordinals, and so on. An ordinal is a 16-bit number that uniquely identifies a function within the DLL it belongs to. Indexing functions purely by ordinal is not recommended, because it causes maintenance problems for DLL files: for example, when the DLL is upgraded or modified, a program that calls it by ordinal may no longer be able to locate the function it needs.

The first entry of the data directory table points to the export table, which is an IMAGE_EXPORT_DIRECTORY (hereafter IED) structure. The IED structure is defined as follows:


IMAGE_EXPORT_DIRECTORY STRUCT
    Characteristics        DWORD ?   ; Not used, always defined as 0
    TimeDateStamp          DWORD ?   ; File generation time
    MajorVersion           WORD  ?   ; Not used, always defined as 0
    MinorVersion           WORD  ?   ; Not used, always defined as 0
    Name                   DWORD ?   ; RVA of the real name of the module
    Base                   DWORD ?   ; Starting ordinal; index into the function address array plus Base gives the export ordinal
    NumberOfFunctions      DWORD ?   ; Total number of exported functions
    NumberOfNames          DWORD ?   ; Total number of functions exported by name
    AddressOfFunctions     DWORD ?   ; RVA of the exported function entry address table
    AddressOfNames         DWORD ?   ; RVA of the exported function name table
    AddressOfNameOrdinals  DWORD ?   ; RVA of the exported function ordinal table
IMAGE_EXPORT_DIRECTORY ENDS


Some of the fields in this structure are not used, and the meaningful fields are described below.

    • Name: an RVA that points to a string holding the name of the module. For example, even if the file Kernel32.dll is renamed to "Ker.dll", this string still reveals that its name at compile time was "Kernel32.dll".
    • NumberOfFunctions: the total number of exported functions contained in the file.
    • NumberOfNames: the number of exported functions that are defined with a function name; obviously only this many functions can be exported by name. Functions can also be exported by ordinal, and the remaining NumberOfFunctions minus NumberOfNames functions can only be exported by ordinal. This value is always less than or equal to NumberOfFunctions; if it is 0, all functions are exported by ordinal only.
    • AddressOfFunctions: an RVA that points to a DWORD array containing the entry addresses of all exported functions. Each item of the array is an RVA, and the number of items equals the value of the NumberOfFunctions field.
    • Base: the starting value of the export ordinals. The index of an entry in the entry address table pointed to by AddressOfFunctions, plus this starting value, is the export ordinal of the corresponding function. If Base is X, the first function in the entry address table has ordinal X and the second has ordinal X+1. In short, a function's export ordinal equals Base plus its index in the entry address table.
    • AddressOfNames and AddressOfNameOrdinals: both are RVAs. The former points to the function name address table, a DWORD array in which each entry is the RVA of a function name string; the array has NumberOfNames items, and the name strings of all functions exported by name are listed there. The latter points to an array of WORDs (note: not DWORDs) whose items correspond one to one with the items of the name address table; each item's value is an index into the function entry address table, which is how a function name is associated with a function entry address. (For example, if the nth item of the function name address table points to the string "MyFunction", look at the nth item of the array pointed to by AddressOfNameOrdinals; if it holds the value X, then the function whose entry address is the Xth item of the table described by AddressOfFunctions is named "MyFunction". Complicated? Read it again and you will get it, don't give up!)

The whole thing is as complicated as the other PE structures, but it is easy to understand with a picture. So, in the spirit of seeking truth from facts, the small turtle has drawn a diagram to make it easier for everyone to understand. Here it is:




1. Find function entry address from ordinal

Below, the small turtle takes you through a simulation of the whole process by which the Windows loader finds the entry address of an exported function. If the export ordinal of the function is known, how do we get its entry address?

The Windows loader works as follows:
  1. Locate the PE file header.
  2. From the IMAGE_OPTIONAL_HEADER32 structure in the PE header, take the data directory table and get the RVA of the export table from its first entry.
  3. Get the starting ordinal from the Base field of the export table.
  4. Subtract the starting ordinal from the ordinal you are looking for; the result is the function's index in the entry address table.
  5. Check whether the index is greater than the value of the NumberOfFunctions field of the export table; if it is, the ordinal you entered is invalid.
  6. Use this index into the export function entry address table pointed to by AddressOfFunctions to read the corresponding item; this is the RVA of the function's entry address. Once the module is loaded into memory, this RVA plus the module's actual load base address gives the real entry address of the function.

2. Find the entry address from the function name

If the name of the function is known, how do you get its entry address? This process is a bit more complicated than getting it by ordinal!

The Windows loader works as follows:
  1. The first steps are the same: get the address of the export table first.
  2. Get the number of named functions from the NumberOfNames field of the export table and build a loop that iterates that many times.
  3. Starting with the first entry of the function name address table pointed to by AddressOfNames, compare each function name in the loop with the name you are looking for; if none matches, the file does not export a function with that name.
  4. If an entry's name matches the name being sought, note the index of that entry in the string address table, then read the item at the same index in the array pointed to by AddressOfNameOrdinals; assume its value is X.
  5. Finally, use X as the index into the function entry address table pointed to by AddressOfFunctions; the RVA read there is the entry address of the function.
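Both lookups above, implemented over a constructed in-memory export section, as an added example that is not part of the original page. It assumes a single section mapped at RVA 0x2000 (SECTION_RVA), lays out the IED and its three tables exactly as described, and then walks them by ordinal and by name; the module name, function names and entry RVAs are made up.

```python
import struct
SECTION_RVA = 0x2000        # assumed RVA at which this constructed export section is mapped
IED_FMT = "<IIHHIIIIIII"    # IMAGE_EXPORT_DIRECTORY: 2 DWORD, 2 WORD, 7 DWORD = 40 bytes
IED_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion", "Name", "Base",
              "NumberOfFunctions", "NumberOfNames", "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")

def build_export_section(module_name, funcs, base):
    """Constructed sample: IED, its three tables, then the strings. funcs[i] = (name or None, RVA) gets ordinal base+i."""
    named = [(i, n) for i, (n, _) in enumerate(funcs) if n is not None]
    aof = 40                            # AddressOfFunctions table directly after the IED
    aon = aof + 4 * len(funcs)          # AddressOfNames: DWORD RVAs of name strings
    aono = aon + 4 * len(named)         # AddressOfNameOrdinals: WORD indexes into AddressOfFunctions
    strings = bytearray()
    def add_str(s):                     # append a NUL-terminated string and return its RVA
        rva = SECTION_RVA + aono + 2 * len(named) + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva
    name_rva = add_str(module_name)
    name_rvas = [add_str(n) for _, n in named]
    ied = struct.pack(IED_FMT, 0, 0, 0, 0, name_rva, base, len(funcs), len(named),
                      SECTION_RVA + aof, SECTION_RVA + aon, SECTION_RVA + aono)
    return (ied + b"".join(struct.pack("<I", rva) for _, rva in funcs)
            + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"".join(struct.pack("<H", i) for i, _ in named) + bytes(strings))

def read_ied(section):
    return dict(zip(IED_FIELDS, struct.unpack_from(IED_FMT, section, 0)))
def off(rva):                           # RVA -> offset inside this single constructed section
    return rva - SECTION_RVA

def export_by_ordinal(section, ordinal):
    """Ordinal lookup, steps 3-6: index = ordinal - Base, bounds check, read the entry RVA."""
    ied = read_ied(section)
    idx = ordinal - ied["Base"]
    if idx < 0 or idx >= ied["NumberOfFunctions"]:   # zero-based index, so >= is already out of range
        return None
    return struct.unpack_from("<I", section, off(ied["AddressOfFunctions"]) + 4 * idx)[0]

def export_by_name(section, name):
    """Name lookup, steps 2-5: scan AddressOfNames, map the hit through AddressOfNameOrdinals."""
    ied = read_ied(section)
    for i in range(ied["NumberOfNames"]):
        srva = struct.unpack_from("<I", section, off(ied["AddressOfNames"]) + 4 * i)[0]
        if section[off(srva):section.index(b"\0", off(srva))].decode() == name:
            x = struct.unpack_from("<H", section, off(ied["AddressOfNameOrdinals"]) + 2 * i)[0]
            return export_by_ordinal(section, ied["Base"] + x)   # re-uses the bounds check on X
    return None

# Constructed sample: three exports, the second by ordinal only, Base = 5; entry RVAs are made up.
SAMPLE = build_export_section("Counter.dll", [("Reset", 0x1010), (None, 0x1020), ("Increment", 0x1030)], 5)
```

The returned values are RVAs; as step 6 says, add the module's actual load base to get the real entry address.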

In many cases, virus programs look up entry addresses by function name, because a virus attaches itself to an executable as an extra piece of code, and if the virus code uses some API, the addresses of those APIs are unlikely to have been prepared for it in the host file's export table. Therefore it can only obtain API addresses by locating them dynamically in memory. The small turtle will discuss the specifics of analyzing virus code with you in the future.


Example analysis of the export table structure (the process is shown in the video and not repeated here)

Tools: PEinfo.exe, UltraEdit, W32Dasm v10.0
Anatomy object: Counter.dll
