The PE file structure in the previous article (2) a large array appears at the end of the executable file header, and each item in this array is a specific structure, you can use the rtlimagedirectoryentrytodata function to obtain the items in the array through the function. Each item in datadirectory can be obtained using this function. The function prototype is as follows:
Pvoid ntapi rtlimagedirectoryentrytodata (pvoid base, Boolean mappedasimage,
Let's go on to the IMAGE_OPTIONAL_HEADER32 structure definition is the function of each property!(Video tutorial: http://fishc.com/a/shipin/jiemixilie/)Then let's talk about the image_optional_header structure, as the name means, this is an optional image header, an optional structure, but, actually, the image_file_header structure we've been explaining in the last lesson is far from enough to define the properties of the PE file. Therefore, these pro
During the test, I felt that the efficiency was not very good. So I would like to express my gratitude to anyone who can provide valuable suggestions!
1. Traverse PE files on the disk
[CPP]
View plaincopyprint?
/*************************************** *********************************/
/* Function Description: traverses all EXE files in the specified drive.
/* Parameter: Drive name, such as C:
/* Return value: the number of traversal tasks.
/*
(Note: The leftmost is the offset of the file header.) )Image_dos_header STRUCT{+0h WORD e_magic//Magic DOS signature MZ (4Dh 5Ah) DOS executable tag+2h WORD E_CBLP//bytes on last page of file+4h WORD e_cp//pages in file+6h WORD E_CRLC//relocations+8h WORD e_cparhdr//size of header in paragraphs+0ah WORD E_minalloc//minimun Extra paragraphs needs+0ch WORD E_maxalloc//maximun Extra paragraphs needs+0eh WORD e_ss//intial (relative) SS valueinitialization of the DOS code stack SS+10h WORD e_sp//int
-------- Patch PE files --------
We all know that there are many gaps in PE files, so we may patch PE files.
The practice is to insert our patch code in the gap.
In the following example, I want to teach you how to fill in the notepad.exe (Notepad) Program of win97.
Ding, run my pach.exe program at notepad.exeruntime:
1.insert in section gap of notepad.exe
ShellE
PE Study Notes
PE means portable executable (portable execution body ). Overall hierarchical distribution of PE file structure:--------------| Dos MZ header || -------------- || Dos Stub || -------------- || PE Header || -------------- || Section Table || -------------- || Section 1 || -------------- || Section 2 || --
Summary of this chapter
· PE file Format overview
· PE file structure
· How to get Oep in a PE file
· How to get resources in a PE file
· How to modify the PE file to display an instance of the MessageBox 2.1 introduction
Typically, EXE files under windows are in
Turn: http://hi.baidu.com/cqulwq/blog/item/2be170d6dbb03d2906088b26.html
We all know that in Windows 9x, NT, and 2000, All executable files are based on a new file format portable designed by Microsoft.Executable FileFormat (portable execution body), that is, PE format. In some cases, we need to modify these executable files. The following text attempts to describe the PE file format in detail andModify.
1, positioning standard PE headDos stub length is not fixed, so DOS header is not a fixed-size data structure. The DOS head is located in the starting position of the PE, and the position of the standard PE head after the DOS head is e_lfanew by the field.The value of the E_lfanew field is a relative offset, and the base address of the DOS MZ header is required f
Detailed description of PE File Format (Part 1)
Summary
Windows NT 3.1 introduces a new executable file format named PE file format. The PE file format specification is included in the msdn Cd (specs and strategy, specifications, Windows NT file format specifications), but it is very obscure.However, this document does not provide sufficient information, so devel
Author: little heartPrevious: http://www.bkjia.com/Article/201202/118214.htmlThere are many structures in the PE file, but in fact, more than half of these structures tell the loader how to load its PE. Normal PE files are always strictly filled with their internal structures, but there are also a small number of deformation
Author: msdnAuthor: Li Ma (http://home.nuc.edu.cn /~ Titilima)
Summary
Windows NT 3.1 introduces a new executable file format named PE file format. The PE file format specification is included in the msdn Cd (specs and strategy, specifications, Windows NT file format specifications), but it is very obscure.However, this document does not provide sufficient information, so developers cannot understand the
V. Section Table)
The section table is a structure array next to the PE Header. The number of members of this array is determined by the value of the numberofsections field in the file header (image_file_header) structure. The member structure of the table is also named image_section_header (40 bytes ). Its structure definition:
Typedef struct _ image_section_header {Byte name [image_sizeof_short_name];Union {DWORD physicaladdress;DWORD virtualsize;}
V. Section Table)The section table is a structure array next to the PE Header. The number of members of this array is determined by the value of the numberofsections field in the file header (image_file_header) structure. The member structure of the table is also named image_section_header (40 bytes ). Its structure definition:Typedef struct _ image_section_header {Byte name [image_sizeof_short_name];Union {DWORD physicaladdress;DWORD virtualsize;} MI
PE means portable executable (portable execution body ). It is the execution body file format of the Win32 environment. Some of its features inherit from the Unix coff (Common Object File Format) file format. "Portable executable" means that the file format is cross-Win32: Even if windows runs on a non-Intel CPU, the PE Loader on any Win32 platform can recognize and use this file format. Of course, there mu
In Windows 9x, NT, and 2000, All executable files are based on a new file format portable Executable File designed by Microsoft.
Format(Portable execution body), that is, PE format. In some cases, we need to modify these executable files. The following text attempts to describe the PE file format and modify the PE format file in detail.
1.
At present, PE routers are widely used. They are one type of VPN routers. So I have studied the explanations and principles of PE routers and will share them with you here, I hope it will be useful to you. VPNVirtual Private Network (VPNVirtual Private Network) is a virtual Private Network based on public networks. It uses tunneling, encryption, and other technologies to provide users with a sense of direct
Document directory
1.3.1 hosting PE files
Text/Xuan Hun
Intermediate Language
In the. NET Framework, the basic structure of public languages uses Cls to bind different languages. By requiring different languages to at least implement the CTS contained in CLs, the public language infrastructure allows different languages to use the. NET Framework. Therefore. in the. NET Framework, all languages (C #, VB. net, effil. net) is finally converted to a
Text/tU niuyuan
We all know that in Windows 9x, NT, and 2000, all Executable files are based on a new Microsoft-designed File Format (Portable Executable File Format), that is, the PE Format. In some cases, we need to modify these executable files. The following text attempts to describe the PE file format and modify the PE format file in detail.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.