<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=gb_2312-80">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>Iczelion's PE Tutorial 5: Section Table</title>
</head>
<body bgcolor="#003366" text="#FFFFFF" link="#FFFFCC"
vlink="#FFCCCC" alink="#CCFFCC">
<h1 align="center"><font color="#FFFFCC">PE Tutorial 5: Section Table</font></h1>
<p><font size="2">Please download the </font><a href="files/PE-tut05.zip"><font
size="2">example</font></a><font size="2">.</font></p>
<h3>Theory<font face="MS Sans Serif">:</font></h3>
<p><font size="2">By now we have learned a great deal about the
</font><font size="2" face="MS Sans Serif">DOS header </font><font
size="2">and the </font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">. Next comes the </font><font
size="2" face="MS Sans Serif">section table</font><font size="2">. The section table is simply an array of structures that immediately follows the
</font><font size="2" face="MS Sans Serif">PE header</font><font
size="2">. The number of entries in that array is given by the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>NumberOfSections</b></font><font
size="2"> field of the </font><font
size="2" face="MS Sans Serif">file header (</font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_FILE_HEADER</b></font><font
size="2" face="MS Sans Serif">)</font><font size="2">. The structure that makes up the section table is named
</font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2">.</font></p>
<p><font size="2" face="MS Sans Serif"><b>IMAGE_SIZEOF_SHORT_NAME
equ 8 </b></font></p>
<p><font size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER
STRUCT <br>
Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?) <br>
union Misc <br>
PhysicalAddress dd ? <br>
VirtualSize dd ? <br>
ends <br>
VirtualAddress dd ? <br>
SizeOfRawData dd ? <br>
PointerToRawData dd ? <br>
PointerToRelocations dd ? <br>
PointerToLinenumbers dd ? <br>
NumberOfRelocations
dw ? <br>
NumberOfLinenumbers dw ? <br>
Characteristics dd ? <br>
IMAGE_SECTION_HEADER ENDS </b></font></p>
<p><font size="2">As before, not every member is useful; we care only about the ones that really matter.</font></p>
<table border="1" cellpadding="2">
<tr>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif"><b>Field</b></font></th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif">Meaning</font></th>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2"
face="MS Sans Serif"><b>Name1</b></font></td>
<td align="center" bgcolor="#003333"><font size="2">This field is really called </font><font
size="2" face="MS Sans Serif">"name"</font><font
size="2">, but </font><font size="2"
face="MS Sans Serif">"name"</font><font
size="2"> is already a </font><font size="2" face="MS Sans Serif">MASM</font><font
size="2"> keyword, so we have to use </font><font
size="2" face="MS Sans Serif">"Name1"</font><font
size="2"> instead. The section name is at most </font><font
size="2" face="MS Sans Serif">8</font><font size="2"> bytes long. Remember that the name is only a label: we can pick any name, or even leave it empty. Note that it is </font><font
color="#FF0000" size="2"><b>not</b></font><font
size="2"> an </font><font size="2" face="MS Sans Serif">ASCIIZ</font><font
size="2"> string, so it carries no terminating </font><font size="2"
face="MS Sans Serif">null</font><font size="2">.</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2"
face="MS Sans Serif"><b>VirtualAddress</b></font></td>
<td align="center" bgcolor="#003333"><font size="2">The </font><font
size="2" face="MS Sans Serif">RVA</font><font size="2"> (relative virtual address) of the section. The </font><font
size="2" face="MS Sans Serif">PE</font><font size="2"> loader reads this value when it maps the section into memory, so if the field holds </font><font
size="2" face="MS Sans Serif">1000h</font><font size="2"> and the </font><font
size="2" face="MS Sans Serif">PE</font><font size="2"> file is loaded at </font><font
size="2" face="MS Sans Serif">400000h</font><font
size="2">, the section is loaded at </font><font
size="2" face="MS Sans Serif">401000h</font><font
size="2">.</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2"
face="MS Sans Serif"><b>SizeOfRawData</b></font></td>
<td align="center" bgcolor="#003333"><font size="2">The size of the section after file alignment. The </font><font
size="2" face="MS Sans Serif">PE</font><font size="2"> loader takes this value to learn how many bytes of the section to map into memory. (Translator's note</font><font
size="2" face="MS Sans Serif">: </font><font size="2">suppose a file's file alignment is </font><font
size="2" face="MS Sans Serif">0x200</font><font size="2">; if the</font><font
size="2" face="MS Sans Serif"><b> VirtualSize</b></font><font
size="2"> field above says the section is </font><font size="2"
face="MS Sans Serif">0x388</font><font size="2"> bytes long, this field holds </font><font
size="2" face="MS Sans Serif">0x400</font><font size="2">, meaning the section occupies </font><font
size="2" face="MS Sans Serif">0x400</font><font size="2"> bytes.)</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2"
face="MS Sans Serif"><b>PointerToRawData</b></font></td>
<td align="center" bgcolor="#003333"><font size="2">The file offset of the section. The </font><font
size="2" face="MS Sans Serif">PE</font><font size="2"> loader uses this value to find the section's data in the file.</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2"
face="MS Sans Serif"><b>Characteristics</b></font></td>
<td align="center" bgcolor="#003333"><font size="2">Flags describing the section's attributes, for example whether it holds executable code, initialized data or uninitialized data, and whether it is writable, readable, and so on.</font></td>
</tr>
</table>
<p><font size="2">Now that we know the </font><font
color="#CCFFCC" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font
size="2" face="MS Sans Serif"> </font><font size="2">structure, let's simulate what the
</font><font size="2" face="MS Sans Serif">PE</font><font
size="2"> loader does</font><font size="2"
face="MS Sans Serif">:</font></p>
<ol>
<li><font size="2">Read the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>NumberOfSections</b></font><font
size="2"> field of </font><font color="#CCFFCC"
size="2" face="MS Sans Serif"><b>IMAGE_FILE_HEADER</b></font><font
size="2"> to learn how many sections the file has.</font></li>
<li><font size="2">Use the </font><font color="#CCFFCC" size="2" face="MS Sans Serif"><b>SizeOfHeaders</b></font><font
size="2"> field value as the file offset of the section table and seek to it.</font></li>
<li><font size="2">Walk the whole structure array and examine the members of each entry.</font></li>
<li><font size="2">For each structure, read the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font
size="2"> field and seek to that file offset. Then read the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>SizeOfRawData</b></font><font
size="2"> field to determine how many bytes to map into memory. Adding the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>VirtualAddress</b></font><font
size="2"> field to </font><font color="#FFFFCC"
size="2" face="MS Sans Serif"><b>ImageBase</b></font><font
size="2"> gives the virtual address at which the section starts. We are then ready to map the section into memory and set its attributes according to the </font><font
color="#FFFFCC" size="2" face="MS Sans Serif"><b>Characteristics</b></font><font
size="2"> field.</font></li>
<li><font size="2">Continue through the array until every section has been processed.</font></li>
</ol>
<p><font size="2">Notice that we never used the section name</font><font
size="2" face="MS Sans Serif">: </font><font size="2">it really does not matter.</font></p>
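<p><font size="2">The loader walk above, written out as an added Python example (not code from this tutorial or its sample program): it builds a constructed two-section PE32 image in memory, locates the section table as the array that immediately follows the optional header (the "right behind the PE header" of the theory section), and for each entry computes ImageBase + VirtualAddress, takes SizeOfRawData bytes at PointerToRawData, and decodes the execute and write bits of Characteristics. The section names, sizes, offsets and a FileAlignment of 0x200 are sample values chosen to match the translator's note (VirtualSize 0x388 giving SizeOfRawData 0x400).</font></p>

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes) as laid out above; Name is 8 raw bytes, Misc holds VirtualSize.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def build_sample_pe():
    """Constructed PE32 image (sample bytes, not a real file) with two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # NumberOfSections = 2
    opt = bytearray(224)                                               # PE32 optional header
    struct.pack_into("<H26xIII", opt, 0, 0x10B, 0x400000, 0x1000, 0x200)  # Magic, ImageBase, SectionAlignment, FileAlignment
    sections = [  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x388, 0x1000, 0x400, 0x400, 0x60000020),  # CNT_CODE | MEM_EXECUTE | MEM_READ
        (b".data", 0x010, 0x2000, 0x200, 0x800, 0xC0000040),  # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    ]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, ro, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ro, ch in sections)
    hdr_len = len(dos) + 4 + len(file_hdr) + len(opt) + len(table)
    struct.pack_into("<I", opt, 60, align_up(hdr_len, 0x200))          # SizeOfHeaders
    image = dos + b"PE\0\0" + file_hdr + bytes(opt) + table
    return image.ljust(0xA00, b"\0")                                   # zero-filled section data

def parse_sections(data):
    """Walk the section table the way the loader steps above describe."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a valid PE")
    fh = e_lfanew + 4                                                  # IMAGE_FILE_HEADER
    num_sections, opt_size = struct.unpack_from("<H12xH", data, fh + 2)
    opt = fh + 20
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    table = opt + opt_size                                             # array right after the optional header
    result = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_off, _, _, _, _, flags = \
            struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        if raw_off + raw_size > len(data):                             # malformed: raw data past end of file
            raise ValueError("section %d raw data exceeds the file" % i)
        result.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),  # 8 bytes, not ASCIIZ
                       "vaddr": image_base + va,                       # VirtualAddress + ImageBase
                       "vsize": vsize, "raw_size": raw_size, "raw": data[raw_off:raw_off + raw_size],
                       "exec": bool(flags & 0x20000000),               # IMAGE_SCN_MEM_EXECUTE
                       "write": bool(flags & 0x80000000)})             # IMAGE_SCN_MEM_WRITE
    return result
```

<p><font size="2">A header whose PointerToRawData plus SizeOfRawData runs past the end of the file is rejected before any section data is read, which is the bounds check a loader or scanner needs on untrusted input. Note that SizeOfHeaders in the optional header is the FileAlignment-rounded size of all headers together, the point where the first section's raw data normally begins, while the table itself begins at the end of the optional header as computed here.</font></p>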
<h3>Example<font face="Arial, Helvetica, sans-serif">:</font></h3>
<p><font size="2">This example opens a </font><font size="2"
face="MS Sans Serif">PE</font><font size="2"> file, walks its section table, and displays each section's information in a list box control.</font></p>
<p><font face="Fixedsys">.386 <br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
include \masm32\include\comctl32.inc <br>
includelib \masm32\lib\comctl32.lib <br>
includelib \masm32\lib\user32.lib <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
<br>
IDD_SECTIONTABLE equ 104 <br>
IDC_SECTIONLIST equ 1001 <br>
<br>
SEH struct <br>
PrevLink dd ? ; the address of the previous seh structure <br>
CurrentHandler dd ? ; the address of the new exception handler <br>
SafeOffset dd ? ; The offset where it's safe to continue execution <br>
PrevEsp dd ? ; the old value in esp <br>
PrevEbp dd ? ; The old value in ebp <br>
SEH ends <br>
<br>
.data <br>
AppName db "PE tutorial no.5",0 <br>
ofn OPENFILENAME <> <br>
FilterString db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0 <br>
db "All Files",0,"*.*",0,0 <br>
FileOpenError db "Cannot open the file for reading",0 <br>
FileOpenMappingError db "Cannot open the file for memory mapping",0 <br>
FileMappingError db "Cannot map the file into memory",0 <br>
FileInValidPE db "This file is not a valid PE",0 <br>
template db "%08lx",0 <br>
SectionName db "Section",0 <br>
VirtualSize db "V.Size",0 <br>
VirtualAddress db "V.Address",0 <br>
SizeOfRawData db "Raw Size",0 <br>
RawOffset db "Raw Offset",0 <br>
Characteristics db "Characteristics",0 <br>
<br>
.data? <br>
hInstance dd ? <br>
buffer db 512 dup(?) <br>
hFile dd ? <br>
hMapping dd ? <br>
pMapping dd ? <br>
ValidPE dd ? <br>
NumberOfSections dd ? <br>
<br>
.code <br>
start proc <br>