<html>
<head>
<title>Iczelion's PE tutorial 3: File Header</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#003366" text="#FFFFFF" link="#FFFFCC" vlink="#FFCCCC" alink="#CCFFCC">
<h1 align="center"><font face="Arial, Helvetica, sans-serif" color="#FFFFCC">Tutorial
3: File Header</font></h1>
<p><font face="MS Sans Serif" size="-1">In this tutorial, we will study the file
header portion of the PE header. </font></p>
<p><font face="MS Sans Serif" size="-1">Let's summarize what we have learned so
far:</font></p>
<ul>
<li><font face="MS Sans Serif" size="-1">The DOS MZ header is called<b><font color="#CCFFCC">
IMAGE_DOS_HEADER</font></b>. Only two of its members are important to us:
<font color="#FFFFCC"> <b>e_magic</b></font>, which contains the string "MZ",
and <font color="#FFFFCC"><b>e_lfanew</b></font> (at offset 3Ch), which contains the file offset
of the PE header.</font></li>
<li><font face="MS Sans Serif" size="-1">We use the value in <font color="#FFFFCC"><b>e_magic</b></font>
to check if the file has a valid DOS header by comparing it to the value<font color="#CCFFCC"><b>
IMAGE_DOS_SIGNATURE</b></font>. If both values match, we can assume that the
file has a valid DOS header.</font></li>
<li><font face="MS Sans Serif" size="-1">In order to go to the PE header, we
must move the file pointer to the offset specified by the value in <font color="#FFFFCC"><b>e_lfanew</b></font>.</font></li>
<li><font face="MS Sans Serif" size="-1">The first dword of the PE header should
contain the string "PE" followed by two zeroes. We compare the value
in this dword to the value <font color="#CCFFCC"><b>IMAGE_NT_SIGNATURE</b></font>.
If they match, then we can assume that the PE header is valid.</font></li>
</ul>
<p><font face="MS Sans Serif" size="-1">We will learn more about the PE header
in this tutorial. The official name of the PE header is <font color="#CCFFCC"><b>IMAGE_NT_HEADERS</b></font>.
To refresh your memory, I show it below.</font></p>
<blockquote>
<p><font face="MS Sans Serif" size="-1"><b><font color="#999900">IMAGE_NT_HEADERS
STRUCT <br>
Signature dd ? <br>
FileHeader IMAGE_FILE_HEADER <> <br>
OptionalHeader IMAGE_OPTIONAL_HEADER32 <> <br>
IMAGE_NT_HEADERS ENDS </font></b></font></p>
</blockquote>
<p><font face="MS Sans Serif" size="-1"><b><font color="#FFFFCC">Signature</font></b>
is the PE signature, "PE" followed by two zeroes. You already know
and use this member.<br>
<font color="#FFFFCC"><b>FileHeader</b></font> is a structure that contains
information about the physical layout and properties of the PE file in general.<br>
<font color="#FFFFCC"><b>OptionalHeader </b></font>is also a structure; it
contains information about the logical layout inside the PE file.</font></p>
<p><font face="MS Sans Serif" size="-1">The most interesting information is in
<font color="#FFFFCC"> <b>OptionalHeader</b></font>. However, some fields in
<font color="#FFFFCC"> <b>FileHeader</b></font> are also important. We will
learn about <font color="#FFFFCC"><b>FileHeader</b></font> in this tutorial
so we can move to study <font color="#FFFFCC"><b>OptionalHeader</b></font> in
the next tutorials.</font></p>
<p><font face="MS Sans Serif" size="-1"><b><font color="#009933">IMAGE_FILE_HEADER
STRUCT <br>
Machine WORD ? <br>
NumberOfSections WORD ? <br>
TimeDateStamp dd ? <br>
PointerToSymbolTable dd ? <br>
NumberOfSymbols dd ? <br>
SizeOfOptionalHeader WORD ? <br>
Characteristics WORD ? <br>
IMAGE_FILE_HEADER ENDS </font> </b> </font></p>
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#006666">
<th><b><font face="MS Sans Serif" size="-1">Field name</font></b></th>
<th><font face="MS Sans Serif" size="-1">Meanings</font></th>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">Machine</font></b></td>
<td><font face="MS Sans Serif" size="-1">The CPU platform the file is intended
for. For the Intel x86 platform, the value is <font color="#CCFFCC"><b>IMAGE_FILE_MACHINE_I386</b></font>
(14Ch). I tried to use 14Dh and 14Eh as stated in the pe.txt by LUEVELSMEYER
but Windows refused to run it. This field is rarely of interest to us except
as a quick way of preventing a program from being executed.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">NumberOfSections </font></b></td>
<td><font face="MS Sans Serif" size="-1">The number of sections in the file
(the PE specification notes that the Windows loader limits it to 96).
We will need to modify the value in this member if we add or delete a section
from the file.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">TimeDateStamp</font></b></td>
<td><font face="MS Sans Serif" size="-1">The date and time the linker produced the file,
stored as the number of seconds since 1970-01-01 00:00 UTC (it is not the file system timestamp).
Not needed for what we do here.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">PointerToSymbolTable</font></b></td>
<td><font face="MS Sans Serif" size="-1">The file offset of the COFF symbol table, used for debugging. The PE specification says it should be zero in an image.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">NumberOfSymbols</font></b></td>
<td><font face="MS Sans Serif" size="-1">The number of entries in the COFF symbol table, used for debugging. Likewise zero in an image.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">SizeOfOptionalHeader</font></b></td>
<td><font face="MS Sans Serif" size="-1">The size of the<font color="#FFFFCC"><b>
OptionalHeader</b></font> member that immediately follows this structure.
Must be set to a valid value: the section table begins right after the optional header, so its
file offset is <font color="#FFFFCC"><b>e_lfanew</b></font> + 4 + sizeof(IMAGE_FILE_HEADER) + <font color="#FFFFCC"><b>SizeOfOptionalHeader</b></font>,
and a reader should use this field rather than assume sizeof(IMAGE_OPTIONAL_HEADER32).
For a PE32 file with all 16 data directories the value is 0E0h (224).</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">Characteristics</font></b></td>
<td><font face="MS Sans Serif" size="-1">Contains flags for the file, such
as whether it is an executable image (<font color="#CCFFCC"><b>IMAGE_FILE_EXECUTABLE_IMAGE</b></font>, 0002h)
or a DLL (<font color="#CCFFCC"><b>IMAGE_FILE_DLL</b></font>, 2000h).</font></td>
</tr>
</table>
<p><font face="MS Sans Serif" size="-1">In summary, only three members are somewhat
useful to us:<font color="#FFFFCC"><b> Machine</b></font>, <font color="#FFFFCC"><b>NumberOfSections</b></font>
and <font color="#FFFFCC"><b>Characteristics</b></font>. You would normally
not change the values of <font color="#FFFFCC"><b>Machine</b></font> and <font color="#FFFFCC"><b>Characteristics</b></font>
but you must use the value in <font color="#FFFFCC"><b>NumberOfSections</b></font>
when you're walking the section table.<br>
I'm jumping the gun here but in order to illustrate the use of <font color="#FFFFCC"><b>NumberOfSections</b></font>,
I need to digress briefly to the section table.</font></p>
<p><font face="MS Sans Serif" size="-1">The section table is an array of structures.
Each structure contains the information of one section. Thus if there are 3 sections,
there will be 3 members in this array. You need the value in <font color="#FFFFCC"><b>NumberOfSections</b></font>
so you know how many members there are in the array. You might think that checking
for a structure with all-zero members would be enough to find the end of the array. Windows does use
this approach. You can verify this fact by setting the value in NumberOfSections
to a value higher than the real value and Windows still runs the file without
problem. From my observation, I think Windows reads the value in<font color="#FFFFCC"><b>
NumberOfSections</b></font> and examines each structure in the section table.
If it finds a structure that contains all zeroes, it terminates the search.
Else it processes structures until the number specified in <font color="#FFFFCC"><b>NumberOfSections</b></font>
is met. Why can't we ignore the value in NumberOfSections? Several reasons.
The PE specification doesn't say that the section table array must end with
an all-zero structure. Thus there may be a situation where the last array member
is immediately followed by the first section's data, with no empty space at all. Another reason
has to do with bound imports. The new-style binding puts the bound import information immediately
after the section table's last array member. Thus you still need
NumberOfSections.</font></p>
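<p><font face="MS Sans Serif" size="-1">To make this concrete, here is a small parser, added as an example and not part of Iczelion's tutorial or his tools, that applies the <b>e_magic</b> / <b>e_lfanew</b> / <b>IMAGE_NT_SIGNATURE</b> checks from the recap at the top, reads every <b>IMAGE_FILE_HEADER</b> field from the table above, uses <b>SizeOfOptionalHeader</b> to locate the section table and <b>NumberOfSections</b> to walk it. The constants are the winnt.h values; the 96-section limit is the one the PE/COFF specification says the Windows loader enforces. build_sample_pe() fabricates a 456-byte image (zero-filled optional header, so it is not loadable) whose first section's bytes follow the last section header directly, with no all-zero structure after it; scan_until_empty_header() is the "stop at an all-zero header" shortcut, included only to show it reading .text's bytes as a third header on such a file.</font></p>

```python
"""IMAGE_FILE_HEADER parser and section-table walk (added example, not Iczelion's code)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D             # "MZ"      (winnt.h values throughout)
IMAGE_NT_SIGNATURE = 0x00004550          # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SIZEOF_FILE_HEADER = 20
IMAGE_SIZEOF_SECTION_HEADER = 40
IMAGE_SIZEOF_NT_OPTIONAL32_HEADER = 0xE0   # PE32 optional header with all 16 data directories
MAX_SECTIONS = 96                          # limit the Windows loader enforces (PE/COFF spec)
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


class PEError(ValueError):
    """Anything a loader would refuse."""


def parse_file_header(data):
    """Check e_magic, e_lfanew and the PE signature, then return the
    IMAGE_FILE_HEADER fields plus the file offset of the section table."""
    if len(data) < 0x40:
        raise PEError("shorter than IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEError("e_magic is not 'MZ'")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew comes from the file: bound it before reading through it.
    if e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER > len(data):
        raise PEError("e_lfanew points past end of file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEError("PE signature missing")
    names = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
             "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
    hdr = dict(zip(names, struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)))
    if hdr["NumberOfSections"] > MAX_SECTIONS:
        raise PEError("NumberOfSections above loader limit")
    # The section table starts right after the optional header: use the size
    # the file declares, not sizeof(IMAGE_OPTIONAL_HEADER32).
    table = e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER + hdr["SizeOfOptionalHeader"]
    if table + hdr["NumberOfSections"] * IMAGE_SIZEOF_SECTION_HEADER > len(data):
        raise PEError("section table runs past end of file")
    hdr["flags"] = [n for bit, n in CHARACTERISTICS.items() if hdr["Characteristics"] & bit]
    hdr["SectionTableOffset"] = table
    return hdr


def check_pe(data):
    """True if parse_file_header accepts the image, False if it raises PEError."""
    try:
        parse_file_header(data)
        return True
    except PEError:
        return False


def walk_sections(data, hdr):
    """Read exactly NumberOfSections headers as
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    out, off = [], hdr["SectionTableOffset"]
    for _ in range(hdr["NumberOfSections"]):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
        off += IMAGE_SIZEOF_SECTION_HEADER
    return out


def scan_until_empty_header(data, hdr):
    """The shortcut the text argues against: read headers until an all-zero one.
    Without a zero terminator it walks straight into the first section's bytes."""
    out, off = [], hdr["SectionTableOffset"]
    while off + IMAGE_SIZEOF_SECTION_HEADER <= len(data):
        raw = data[off:off + IMAGE_SIZEOF_SECTION_HEADER]
        if raw == bytes(IMAGE_SIZEOF_SECTION_HEADER):
            break
        out.append(raw[:8].rstrip(b"\0"))
        off += IMAGE_SIZEOF_SECTION_HEADER
    return out


def build_sample_pe(number_of_sections=2):
    """Constructed 456-byte image for the demo: zero optional header (so not
    loadable), two sections, .text's raw bytes right after the last header."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, number_of_sections,
                           0x5F3E0000, 0, 0, IMAGE_SIZEOF_NT_OPTIONAL32_HEADER, 0x0102)
    opt_hdr = bytes(IMAGE_SIZEOF_NT_OPTIONAL32_HEADER)
    raw_text = 0x40 + 4 + IMAGE_SIZEOF_FILE_HEADER + len(opt_hdr) + 2 * IMAGE_SIZEOF_SECTION_HEADER  # 392

    def sect(name, va, rawptr, flags):   # one IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, 32, va, 32, rawptr, 0, 0, 0, 0, flags)

    sections = sect(b".text", 0x1000, raw_text, 0x60000020) + sect(b".data", 0x2000, raw_text + 32, 0xC0000040)
    body = b"\x55\x8B\xEC\x33\xC0\x5D\xC3".ljust(32, b"\xCC") + b"\x01" * 32   # 32 bytes .text, 32 bytes .data
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt_hdr + sections + body
```

<p><font face="MS Sans Serif" size="-1">On a real file call parse_file_header(open(path, "rb").read()) and then walk_sections(). A bogus e_lfanew, a NumberOfSections above 96 or a section table that runs past the end of the file raise PEError before any field is dereferenced, which is the behaviour you want when the input is untrusted; on the sample image walk_sections() returns the two real sections while scan_until_empty_header() returns a third, garbage entry made of .text's code bytes.</font></p>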
<hr>
<p align="center"><font face="MS Sans Serif" size="-1">[<a href="http://win32asm.cjb.net"><b>Iczelion's
Win32 Assembly Homepage</b></a>]</font></p>
<p> </p>
</body>
</html>