Deep Dive into the PE file format-create your own pe showAuthor: winroot//////////////////////////////////////// ////////////////////////////// Start ////////////////////////////////////////// ///////////////////////////Hello everyone! I have been studying encryption and decryption for a while, but I am always confused about shell removal.As a result, I started from the
In the previous section, we have a general understanding of the role of each part of the PE file. From this section, we will further explain each part of the PE file, of course, don't forget the two questions I raised in the previous section.
1. Dos MZ header and Dos Stub:
All PE files (or even 32-bit DLLs) must start with a simple dos MZ header. We are usually n
[Learning] Windows PE file Learning (1: Export tables), pe Export
Today, I made a small program to read the exported table from the PE file for learning.
I have referenced the book "Windows PE authoritative guide.
First, the full name of the PE file is Portable Executable. E
PE file structure (4) output table, pe output
PE file structure (4)
Reference
Book: encryption and decryption
Video: Little Turtle decryption series video
Output table
Generally, the output table exists in the dll. The output table provides the name of the function in the file and the address of these functions. The PE
PE is a shorthand for the portable executable file format (Portable runtime), which is the mainstream executable file format on the Windows platform right now.PE file contains a lot of content, I will not be here to explain, interested in can see the list of references and other relevant content.Recently I also study PE file format, reference a lot of information. A class that encapsulates an efficient and
I've just started to learn cyber security from the start of a free-to-kill. Remember when antivirus software is still very weak. Jin Shanjiang rising still exists.That will not understand what principle, have been blind to tinker. (later into the ranks of infiltration)This period of time has been learning PE format, suddenly remembered the former very old PE file head shift.Search on the Internet, see every
PE file structure description (2) an array is displayed at the end of the executable file header. PE file structure description (3) the PE export table explains the format of the first item, this article will reveal the second item in this array: image_directory_entry_import, that is, the import table.
You may have noticed that the names of several items in image
PE knowledge Review of PE new section One, why new section. And the steps to add a new sectionFor example, the previous lecture. Our PE file can add code in a blank area. But this is caused by a disadvantage. Because your blank section property may be read-only, it cannot be performed. If you modify the properties. Then a new section can be used to implement our
The transformation of the RVA and Foa of PE in the review of PE knowledge two states of PEFirst of all we know that PE has two states. One is memory expansion. One is the state in the file. So we have a need at this point.We want to change the initial value of a global variable. What to do at this time. You know the virtual address. or the file location. So how d
PE re-positioning of PE knowledge reviewRelocation means correcting the meaning of the offset. such as an address bit 0x401234, Imagebase = 0x400000. Then the RVA is 1234. If ImageBase becomes 0x300000, then the correction is ImageBase + RVA = 0x300000+1234 = 0x301234.First of all we know. An EXE file. Many DLLs (PE) are called to make up a number of
PE review PE merger section I. INTRODUCTIONAccording to the previous lecture. We have added a section for PE. and attributes the mates in each member. For example, the number of header record sections. We're going to change this number when we add a section.So now we're going to merge a section. Above, we explain the example.We used to talk about how
PE Knowledge Review PE expanded festival One, why expand the FestivalAs we said above, the blank area adds our code. But sometimes we don't have enough space to do it. Therefore, the expansion section is needed.The expansion of the festival is actually very simple. Modify the size of the section data to be aligned. and add 0 data to the PE file to fill.First Look
Prior to this, we have done some practice and understanding of this input table, which will help you to further deepen the understanding of this concept. The Little Turtle thought, the more complex the problem we should go to operate it, know it, it is easy to know it!In the last lesson we like the same as a deer bump, and finally hit the input table contains the function name, hey, but the address, we still can not find ... In this lesson we will delve into the structure of the input table and
So far, the turtle and everyone has learned a lot about the DOS header and PE header. Next it is the turn of the sectiontable (block table, also a section table). (Video tutorial: http://fishc.com/a/shipin/jiemixilie/)The more you learn more structure, we may feel that PE is quite miscellaneous ha, so here is a bit of the necessary knowledge of the detailed comments, we can see as needed.PE file-to-memory m
Explanation of the output table (export table) of the small turtle PE (PE description 09)
When the PE file is executed, the Windows loader loads the file into the memory and loads the dynamic link library (usually in DLL format) file registered in the import table into the address space, then, modify the IAT of the executed File Based on the function export inf
Let's go on to the IMAGE_OPTIONAL_HEADER32 structure definition is the function of each property!(Video tutorial: http://fishc.com/a/shipin/jiemixilie/)Then let's talk about the image_optional_header structure, as the name means, this is an optional image header, an optional structure, but, actually, the image_file_header structure we've been explaining in the last lesson is far from enough to define the properties of the PE file. Therefore, these pro
Small turtle here for everyone to do a detailed comment, lest everyone confused, in addition can be combined with the small turtle "encryption Series"-System chapter-PE structure of the video tutorial learning ~ If there are flaws in the place also hope that everyone is not hesitate to correct. (Video tutorial: http://fishc.com/a/shipin/jiemixilie/)(Note: The leftmost is the offset of the file header.) )Image_dos_header STRUCT{+0h WORD e_magic//Magic
This section is the last one. In fact, there are many other things in the PE format, such as resources, which are also very complicated, but I am not interested in it, write something you are interested in-Base Relocations of PE files ). As we have mentioned above, each module has a priority loading address ImageBase. This value is provided by the connector, therefore, the address in the connector Generatio
The PE file structure in the previous article (2) a large array appears at the end of the executable file header, and each item in this array is a specific structure, you can use the rtlimagedirectoryentrytodata function to obtain the items in the array through the function. Each item in datadirectory can be obtained using this function. The function prototype is as follows:
Pvoid ntapi rtlimagedirectoryentrytodata (pvoid base, Boolean mappedasimage,
(Note: The leftmost is the offset of the file header.) )Image_dos_header STRUCT{+0h WORD e_magic//Magic DOS signature MZ (4Dh 5Ah) DOS executable tag+2h WORD E_CBLP//bytes on last page of file+4h WORD e_cp//pages in file+6h WORD E_CRLC//relocations+8h WORD e_cparhdr//size of header in paragraphs+0ah WORD E_minalloc//minimun Extra paragraphs needs+0ch WORD E_maxalloc//maximun Extra paragraphs needs+0eh WORD e_ss//intial (relative) SS valueinitialization of the DOS code stack SS+10h WORD e_sp//int
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.