+------------------------------------------------------------------+
¦                          The PE header                           ¦
+------------------------------------------------------------------+
This is probably the most important chapter of the whole document. Read it!
% Introduction %
----------------
It's very important to have a clear picture of the PE header structure when
writing our windoze viruses. Here I'll list what I thought was important, but
this is NOT all the information about the PE file; to know more, just take a
look at the documents I recommended about the PE file above, in the "Useful..."
chapter.
+-----------------------------------+  --- OFFSET = 00000000h
¦                                   ¦
¦             DOS stub              ¦
¦                                   ¦
+-----------------------------------¦  --- OFFSET = [DOS Stub+3Ch]
¦                                   ¦
¦             PE stuff              ¦
¦                                   ¦
+-----------------------------------+
Let's analyze both parts in more detail. Here is the general layout, drawn in
Michael J. O'Leary's diagram style:
+-----------------------------------+  --- Base of Image Header
¦     DOS compatible EXE header     ¦-+
+-----------------------------------¦ ¦
¦              Unused               ¦ ¦
+-----------------------------------¦ ¦
¦          OEM identifier           ¦ ¦
+-----------------------------------¦ ¦
¦             OEM info              ¦ +-- Uninteresting (DOS Compatibility)
+-----------------------------------¦ ¦
¦        Offset to PE Header        ¦---- Very interesting
+-----------------------------------¦ ¦
¦ DOS Stub program and reloc table  ¦ ¦
+-----------------------------------¦ ¦
¦              Unused               ¦-+
+-----------------------------------¦
¦   PE header (IMAGE_FILE_HEADER)   ¦-+
+-----------------------------------¦ ¦
¦ PE header (IMAGE_OPTIONAL_HEADER) ¦ ¦
+-----------------------------------¦ +-- Very very interesting :)
¦           Section Table           ¦ ¦
+-----------------------------------¦ ¦
¦                                   ¦ ¦
¦             Sections              ¦-+
¦                                   ¦
+-----------------------------------+
Now you have seen a general approach to the PE header, that wonderful (but also
complicated) thingy, our new nº1 target. Ok, ok, you have a "general" view of
all that stuff, but you still need to know the internal structure of the PE
header itself, starting with IMAGE_FILE_HEADER. Tighten your belts!
IMAGE_FILE_HEADER
----------------+
+-----------------------------------+  --- +00000000h
¦             "PE\0\0"              ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000004h
¦              Machine              ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000006h
¦        Number Of Sections         ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000008h
¦          Time Date Stamp          ¦  Size : 1 DWORD
+-----------------------------------¦  --- +0000000Ch
¦      Pointer To Symbol Table      ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000010h
¦         Number Of Symbols         ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000014h
¦      Size Of Optional Header      ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000016h
¦          Characteristics          ¦  Size : 1 WORD
+-----------------------------------+  ---------
                                       Total Size : 18h BYTES
I'm gonna make a brief description (a summary of what Matt Pietrek said in
his wonderful document about the PE file) of the fields of the IMAGE_FILE_HEADER:
¦ PE\0\0:
This is the mark that every PE file has. Just check for its existence while
coding your infection. If it is not here, it's not a PE, ok?
¦ Machine:
Since the computer we're running on could be a non-PC-compatible machine and
such like (NT has an open hierarchy for those things, you know), and since the
PE format is common to all of them, this field says what kind of machine the
application is coded for. It could be one of these valuez:
IMAGE_FILE_MACHINE_I386    equ 14Ch  ; Intel 386.
IMAGE_FILE_MACHINE_R3000   equ 162h  ; MIPS little-endian, 160h big-endian
IMAGE_FILE_MACHINE_R4000   equ 166h  ; MIPS little-endian
IMAGE_FILE_MACHINE_R10000  equ 168h  ; MIPS little-endian
IMAGE_FILE_MACHINE_ALPHA   equ 184h  ; Alpha_AXP
IMAGE_FILE_MACHINE_POWERPC equ 1F0h  ; IBM PowerPC Little-Endian
¦ Number Of Sections:
Very important field for our infections. It tells us the number of sections
that the file has.
¦ Time Date Stamp:
Holds the number of seconds that passed since December 31st of 1969 at 4:00
AM until the time when the file was linked.
¦ Pointer To Symbol Table:
Uninteresting, because it's only used by OBJ files.
¦ Number Of Symbols:
Uninteresting, because it's only used by OBJ files.
¦ Size Of Optional header:
Holds the amount of bytes that the IMAGE_OPTIONAL_HEADER occupies (see the
description of IMAGE_OPTIONAL_HEADER below).
¦ Characteristics:
The flags that give us some more information about the file. Uninteresting
for all of us.
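To tie the two diagrams above together (the "Offset to PE Header" at DOS stub+3Ch
and the IMAGE_FILE_HEADER layout just described), here is a small Python parser
that does what any PE analysis tool or loader does first: check the MZ mark,
follow the 3Ch pointer, check for "PE\0\0", bounds-check the pointer, and decode
the file header fields. This is an added example, not code from this tutorial
or from Pietrek's document; the sample buffer it parses is constructed inline
(build_sample) and is not a real executable, and the names parse_file_header,
NotPE and MACHINE_NAMES are my own.

```python
import struct
from datetime import datetime, timezone

# Machine values from the equ table in this chapter (IMAGE_FILE_MACHINE_*)
MACHINE_NAMES = {
    0x14C: "IMAGE_FILE_MACHINE_I386",
    0x160: "IMAGE_FILE_MACHINE_R3000 (big-endian)",
    0x162: "IMAGE_FILE_MACHINE_R3000",
    0x166: "IMAGE_FILE_MACHINE_R4000",
    0x168: "IMAGE_FILE_MACHINE_R10000",
    0x184: "IMAGE_FILE_MACHINE_ALPHA",
    0x1F0: "IMAGE_FILE_MACHINE_POWERPC",
}

PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (little-endian)
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 14h bytes


class NotPE(ValueError):
    """Raised when the buffer is not a well-formed PE header."""


def parse_file_header(data):
    """Locate and decode IMAGE_FILE_HEADER in a raw PE image (bytes).

    Returns a dict with the fields from the table above plus the file
    offset of the PE signature and of the section table.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    # "Offset to PE Header" lives at DOS header + 3Ch (e_lfanew)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds check: signature + IMAGE_FILE_HEADER must fit inside the data,
    # otherwise a crafted e_lfanew would make us read past the buffer
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise NotPE("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise NotPE("no PE\\0\\0 signature at e_lfanew")
    fields = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    machine, nsections, timestamp, sym_ptr, nsyms, opt_size, chars = fields
    return {
        "pe_offset": e_lfanew,
        "Machine": machine,
        "MachineName": MACHINE_NAMES.get(machine, "unknown (0x%X)" % machine),
        "NumberOfSections": nsections,
        "TimeDateStamp": timestamp,
        # TimeDateStamp is Unix time (seconds since 1970-01-01 00:00 UTC)
        "LinkTime": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "PointerToSymbolTable": sym_ptr,
        "NumberOfSymbols": nsyms,
        "SizeOfOptionalHeader": opt_size,
        "Characteristics": chars,
        # Section table follows the optional header: PE + 18h + SizeOfOptionalHeader
        "section_table_offset": e_lfanew + 0x18 + opt_size,
    }


def build_sample():
    """Constructed sample (not a real file): a 40h-byte DOS header whose
    e_lfanew points at offset 40h, followed by PE\\0\\0 and an
    IMAGE_FILE_HEADER for an i386 image with 3 sections and an E0h-byte
    optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_header = struct.pack(FILE_HEADER_FMT,
                              0x14C,        # Machine: Intel 386
                              3,            # NumberOfSections
                              0x386D4380,   # TimeDateStamp: 2000-01-01 00:00 UTC
                              0, 0,         # symbol table: unused in EXE files
                              0xE0,         # SizeOfOptionalHeader (PE32)
                              0x010F)       # Characteristics
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    for name, value in parse_file_header(build_sample()).items():
        print("%-22s %s" % (name, hex(value) if isinstance(value, int) else value))
```

The two NotPE paths are the checks worth copying into any tool that walks PE
files: a missing "PE\0\0" just means "not a PE", but an e_lfanew that points
past the end of the buffer is a malformed header and must be rejected before
any field behind it is read.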
IMAGE_OPTIONAL_HEADER
--------------------+
+-----------------------------------+  --- +00000018h
¦               Magic               ¦  Size : 1 WORD
+-----------------------------------¦  --- +0000001Ah
¦       Major Linker Version        ¦  Size : 1 BYTE
+-----------------------------------¦  --- +0000001Bh
¦       Minor Linker Version        ¦  Size : 1 BYTE
+-----------------------------------¦  --- +0000001Ch
¦           Size Of Code            ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000020h
¦     Size Of Initialized Data      ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000024h
¦    Size Of UnInitialized Data     ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000028h
¦      Address Of Entry Point       ¦  Size : 1 DWORD
+-----------------------------------¦  --- +0000002Ch
¦           Base Of Code            ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000030h
¦           Base Of Data            ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000034h
¦            Image Base             ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000038h
¦         Section Alignment         ¦  Size : 1 DWORD
+-----------------------------------¦  --- +0000003Ch
¦          File Alignment           ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000040h
¦  Major Operating System Version   ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000042h
¦  Minor Operating System Version   ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000044h
¦        Major Image Version        ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000046h
¦        Minor Image Version        ¦  Size : 1 WORD
+-----------------------------------¦  --- +00000048h
¦      Major Subsystem Version      ¦  Size : 1 WORD
+-----------------------------------¦  --- +0000004Ah
¦      Minor Subsystem Version      ¦  Size : 1 WORD
+-----------------------------------¦  --- +0000004Ch
¦             Reserved1             ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000050h
¦           Size Of Image           ¦  Size : 1 DWORD
+-----------------------------------¦  --- +00000054h