Teach you step-by-step encryption and decryption technology: compression and shelling (1)
Source: Internet
Author: User
Keywords: decryption, cracking.
Compression and shelling, Section 1: The PE file format. PE tutorial 1: Overview of the PE file format

PE stands for Portable Executable. It is the native executable file format of the Win32 environment; some of its features are inherited from the Unix COFF (Common Object File Format). "Portable Executable" means that the format is portable across Win32 platforms: even when Windows runs on a non-Intel CPU, the file can be recognized and used by any Win32 platform's PE loader. Of course, a PE executable ported to a different CPU must still undergo some changes. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, including NT kernel-mode drivers. Studying the PE file format is therefore a good opportunity to understand the structure of Windows. This tutorial gives an outline of the PE file format.

    DOS MZ header
    DOS stub
    PE header
    Section table
    Section 1
    Section 2
    Section ...
    Section n

The diagram above shows the overall layout of a PE file. All PE files (even 32-bit DLLs) must start with a simple DOS MZ header. We usually have little interest in this structure. It exists so that, when the program is run under DOS, DOS recognizes it as a valid executable and runs the DOS stub that follows the MZ header. The DOS stub is itself a valid EXE: on an operating system that does not support the PE format it simply prints an error message, typically a string such as "This program requires Windows", or the programmer can put in whatever complete DOS code he likes. We are usually not very interested in the DOS stub either, because in most cases the assembler/compiler generates it automatically. Typically it just calls interrupt 21h to display the string "This program cannot be run in DOS mode". The PE header follows the DOS stub.
The PE header is the general name for the PE-related structure IMAGE_NT_HEADERS, which contains many fields that matter to the PE loader. As we go deeper into the PE file format, we will describe each of these important fields in detail. When the file is executed on an operating system that supports the PE format, the PE loader reads the starting offset of the PE header from the DOS MZ header, skips the DOS stub, and goes directly to the real file header, the PE header. The real content of a PE file is divided into blocks called sections. Each section is a block of data with common attributes, such as code/data, read/write, and so on. We can picture the PE file as a logical disk: the PE header is the boot sector, and the sections are the files on the disk, each naturally with different attributes such as read-only, system, hidden, archive, and so on. It is worth noting that the division into sections is based on the common attributes of each group of data, not on any logical concept. What matters is not how the data or code is used: if data and code in the PE file share the same attributes, they can be grouped into the same section. You need not think of a section as "data", "code", or some other logical concept. (Translator note: a section name is merely a label that distinguishes one section from another; names like "data" and "code" exist only to ease recognition, and only the section's attribute settings determine its characteristics and function.) If some data should be read-only, put that block of data into a read-only section; when the PE loader maps the section contents, it checks the section's attributes and sets the corresponding memory block to the specified protection.
If we view the PE file format as a logical disk, with the PE header as the boot sector and the sections as files, we still lack the information needed to locate the different files on the disk. For example, what is the equivalent of a directory in the PE file format? That is the section table, the array of structures that immediately follows the PE header. Each structure contains the attributes, the file offset, the virtual offset, and so on of the corresponding section. If the PE file has 5 sections, the array has 5 members. We can therefore treat the section table as the root directory of the logical disk, and each array member as a directory entry in that root directory.

The above is the physical layout of the PE file format. The main steps in loading a PE file are summarized below:

1. When the PE file is executed, the PE loader checks the DOS MZ header for the offset of the PE header. If found, it jumps to the PE header.
2. The PE loader checks the validity of the PE header. If it is valid, it jumps to the end of the PE header.
3. The section table follows the PE header. The PE loader reads the section information and maps the sections into memory by file mapping, giving each section the attributes specified in the section table.
4. After the PE file is mapped into memory, the PE loader handles the logical parts of the PE file, such as the import table.

The steps above are based on my own brief observation; some points are clearly imprecise, but the overall execution process is basically clear.
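As an added example (not code from the tutorial), the loader steps above worked through in Python: a parser that follows e_lfanew from the DOS MZ header, checks the PE signature, reads IMAGE_FILE_HEADER and the section table, and derives each section's memory protection from its Characteristics. It runs on a minimal PE image constructed inline (no real DOS stub, no optional header), and it refuses a section table or section raw data that lies outside the file, which a corrupted or badly repacked file can exhibit.

```python
import struct

# Layout constants from the PE format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS / IMAGE_SECTION_HEADER)
E_LFANEW_OFFSET = 0x3C      # e_lfanew field of the DOS MZ header: file offset of the PE header
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20       # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def find_pe_header(data: bytes) -> int:
    """Step 1: check the MZ header and follow e_lfanew; -1 unless it lands on the 'PE\\0\\0' signature."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return -1
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return pe_off if data[pe_off:pe_off + 4] == PE_SIGNATURE else -1

def parse_sections(data: bytes) -> list:
    """Steps 2-3: validate the PE header, then read each IMAGE_SECTION_HEADER in the section table."""
    pe_off = find_pe_header(data)
    if pe_off < 0:
        raise ValueError("no valid DOS MZ header / PE header")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Chars
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table_off = pe_off + 4 + FILE_HEADER_SIZE + opt_size   # section table directly follows the optional header
    if table_off + nsections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past the end of the file")
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table_off + i * SECTION_HEADER_SIZE)
        name, vsize, va, raw_size, raw_ptr, flags = f[0], f[1], f[2], f[3], f[4], f[9]
        if raw_ptr + raw_size > len(data):      # raw data outside the file: malformed image, refuse it
            raise ValueError(f"section {i} raw data lies outside the file")
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_ptr": raw_ptr, "raw": data[raw_ptr:raw_ptr + raw_size], "flags": flags})
    return sections

def protection(flags: int) -> str:
    """Memory protection the loader derives from a section's Characteristics, shown as rwx letters."""
    return ("r" if flags & IMAGE_SCN_MEM_READ else "-") + ("w" if flags & IMAGE_SCN_MEM_WRITE else "-") \
        + ("x" if flags & IMAGE_SCN_MEM_EXECUTE else "-")

def build_sample() -> bytes:
    """Constructed minimal image: MZ header with e_lfanew=0x40, no DOS stub, no optional header, two sections."""
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, executable image
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, 0xB0, 0, 0, 0, 0, 0x60000020)  # CODE|EXEC|READ
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x10, 0x2000, 0x10, 0xC0, 0, 0, 0, 0, 0xC0000040)  # IDATA|READ|WRITE
    blob = dos + PE_SIGNATURE + file_hdr + text + data    # 0xA8 bytes of headers, padded up to the first raw pointer
    return blob + b"\0" * (0xB0 - len(blob)) + b"\xC3" * 0x10 + b"A" * 0x10   # .text raw bytes, then .data
```

Calling `parse_sections(build_sample())` yields `.text` at VA 0x1000 with protection `r-x` and `.data` at VA 0x2000 with `rw-`, which is exactly the attribute information the loader applies when it maps each section.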