| 《加密解密 技术内幕》2.2 手工构造一个超微型的 PE 文件 |
| 责任编辑:酷酷の鱼 更新日期:2008-3-14 |
|
|
| 作者:一块三毛钱
最近构造了一个微型的 PE 文件,下面把构造的方法和一点心得写出来和大家交流,也算是
对 PE 格式的一个复习吧。
最终构造好的文件大小是 180 字节,可以在 Win2k 下运行,运行后会弹出一个消息框。
来看看最后生成的文件的内容:
00000000 4D 5A 00 00 50 45 00 00 4C 01 01 00 75 73 65 72 MZ..PE..L...user
00000010 33 32 2E 64 6C 6C 00 00 70 00 0F 01 0B 01 6A 00 32.dll..p.....j.
00000020 B8 8C 00 40 00 50 50 6A 00 EB 05 00 1E 00 00 00 ...@.PPj........
00000030 FF 15 78 00 40 00 C3 00 00 00 40 00 04 00 00 00 ..x.@.....@.....
00000040 04 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 ................
00000050 00 00 00 00 B4 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 02 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................
00000070 00 10 00 00 00 00 00 00 C4 01 00 80 00 00 00 00 ................
00000080 00 00 00 00 9C 00 00 00 28 00 00 00 5A 54 53 B1 ........(...ZTS.
00000090 E0 D0 B4 00 B4 00 00 00 00 00 00 00 B4 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00 ............x...
000000B0 E0 00 00 E0 ....
用 dumpbin 显示文件结构如下:
FILE HEADER VALUES
14C machine (i386)
1 number of sections
72657375 time date stamp Sat Oct 26 21:21:57 2030
642E3233 file pointer to symbol table
6C6C number of symbols
70 size of optional header
10F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
106.00 linker version
40008CB8 size of code
6A505000 size of initialized data
5EB00 size of uninitialized data
1E RVA of entry point <----
7815FF base of code
C30040 base of data
400000 image base
4 section alignment
4 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
B4 size of image
0 size of headers
0 checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
0 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
800001C4 number of directories
0 [ 0] RVA [size] of Export Directory
9C [ 28] RVA [size] of Import Directory <----
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Special Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
0 [ 0] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of Reserved Directory
0 [ 0] RVA [size] of Reserved Directory
现在开始具体的步骤
1. Dos Header
IMAGE_DOS_HEADER STRUCT
e_magic <-- 4D 5A
... <-- 其他的都填 0
e_lfanew <-- 04 00 00 00
IMAGE_DOS_HEADER ENDS
为了把文件做得尽可能的小,所以 PE Header 准备放在文件偏移 4 的地方,本来还可以
往前放,由于 Dos Header 的 e_lfanew 必须指向 PE Header 的偏移位置。当放在偏移
4 的地方,Dos Header 的 e_lfanew 正好对应着 PE Header 的 SectionAlignment,
我们只需要把 SectionAlignment 设为 4 就可以达到两个目的。
2. PE Header
IMAGE_NT_HEADERS STRUCT
Signature <-- 50 45 00 00
FileHeader
OptionalHeader
IMAGE_NT_HEADERS ENDS
下面打了 * 标志的意味着不能随便填数据,具体的数据可以参考上面 dumpbin 显示的数
据。凡是没有打 * 标志的可以填入任意数据,我们的代码就准备塞在这些结构里面。
[1] [2] 下一页 |
|
| 上一篇文章: 《加密解密 技术内幕》2.1 关于PE可执行文件的修改 |
| 下一篇文章: 《加密解密 技术内幕》 3.1 病毒是如何抗动态测试 |
|
|
|
|
