PE Format - PowerPoint PPT Presentation

1 / 24

About This Presentation

Title:

PE Format

Description:

Title: 1 Author: test Last modified by: test_John Created Date: 5/1/2004 3:30:04 PM Document presentation format: Company – PowerPoint PPT presentation

Number of Views:33

Avg rating:3.0/5.0

Slides: 25

Provided by: test60

Category:

Tags: format

more less

Transcript and Presenter's Notes

Title: PE Format

1
PE Format
?? ?????????, Windows ??? (Portable
Execution File, PE File) ????????, ???? machine
code ??????, ?????????????, ?????????????????
imported functions. ????????,?????????????????.
??????????????. ????????,????????,???????????,
??????????????, ??????. ???????????????.

?????

2
Overview of the PE File Format

PE files are derived from the Common Object File
Format (COFF) found on VAX/VMS
???? Portable
?????????????????? CPU ??? Run ? Windows
OS loader ? ??????????????
64-bit Windows ????? PE ?????? PE32
??????? 64 bits

?? NT ??? Team ?? Digital
x86, MIPS, Alpha
?? CPU ??????????
3

?Microsoft ??????? OBJ ???? COFF ??
Borland ?? Intel ? OMF (Object Module Format) ??

????????, ???? Obj ? library ??,
????????????????
?? PE ???? Microsoft tools DumpBin.exe Borland
tools TDump.exe
?? PE ?
HANDLE hFile CreateFile(filename,
GENERIC_READ,\
FILE_SHARE_READ, NULL,\
OPEN_EXISTING, FILE_ATTRIBUTE_NORMA
L, 0) HANDLE hFileMapping hFileMapping
CreateFileMapping(hFile, NULL, PAGE_READONLY, 0,
0,\
NULL) LPVOID
lpFileBase lpFileBase MapViewOfFile(hFileMappin
g, FILE_MAP_READ, 0, 0, 0) PIMAGE_DOS_HEADER
dosHeader dosHeader (PIMAGE_DOS_HEADER)lpFileBa
se
Reference 3
4
Overview of the PE File Format

EXE ? DLL ?????????, ????????? PE format
OCX ? Control Panel applets (.CPL files) ?? DLL

PE ??????
????????????????????????
???????????PE????????????
?????????????

? PE? Windows Loader ??????? in-Memory Version ??
module
Module ????? Process ????? resource, code ? data
??? Mapping ???????? HMODULE
Relative Virtual Address (RVA)
is the offset of some item, relative to where the
file is memory-mapped.

?? ? Loader Map ?? PE ????? 0x10000 (Virtual
Address)
? PE ???? table ? image ?????? 0x10464
? ? Table ? RVA ? ox464

(Virtual address 0x10464)-(base address 0x10000)
RVA 0x00464
HINSTANCE
7
PE File Sections

PE file section ???
Code
Data
Read/write program data global data
Import / export table for API
Resources
??? Section ???????
???? code
Read-only ?? read/write
?? data ????? process ??

PE ?????? section Code ? Data
8
PE File Sections

?? section ???????
.rdata ?? read-only section
.text ?? code
???????? Section

?? section ??
dumpbin test.exe
9
PE File Sections
10
PE File Sections

Linker ????????.obj ??section ????? PE ??
???? Obj ??? .text ????? PE ?? text section ?
??? .data section ??? ??? PE .data section

11
Import function ?????????????

When you use a Win32 API function, such as
LoadLibraryW

DWORD __imp__LoadLibrary_at_4 0x77E971C9 call
dword ptr__imp__LoadLibraryW_at_4
?????? ?? global ??? LoadLibraryW ???? ???
function ???? PE ???????
??????????????? LoadLibraryW ????? (??
kernel32.dll ????? ??????)
?? PE ?????? section ????? import function
???. ???? .idata section ? .text section
12
?? PE ?
????????? This program cannot be run in MS-DOS
mode
?? 0
1
IMAGE_DOS_HEADER
DOS Stub Program
IMAGE_NT_HEADERS
Section Table IMAGE_SECTION_HEADER
Stub ???????????, ? Dos Header ? e_lfanew
?? NT Header ?????
PE File Signature
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER R32
.text section for binary code
.data section for initialized data
.reloc section for relocation table
.rdata for constants
.rsrc for resource
PE\0\0 ????PE ?? (16-bit ? NE OS/2 ? LX)
2

??????????
??????, code data ??,
code data ?????, heap ? stack ??
OS ??, heap ? stack ??, OS ??
????? directory Table ???

13
????????
? UltraEdit ? HelloWorld.exe
????? ?? PE signature
14
PE File Signature
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER R32
IMAGE_FILE_HEADER ??
0x14dIntel i860
0x14c Intel I386 (same ID used for 486 and 586)
0x162 MIPS R3000
0x166 MIPS R4000
0x183 DEC Alpha AXP
WORD Machine
WORD NumberOfSections (?????? Sections)
DWORD TimeDateStamp (Linker ????????)
DWORD PointerToSymbolTable
WORD SizeOfOptionalHeader
WORD Characteristics
COFF Symbol Table (Obj ? PE ? Debug Info)
0x0001 There are no relocations in this file
0x0002 File is an executable image (not a OBJ or LIB)
0x2000 File is a dynamic-link library, not a program
?? OptionHeader ??? ?? (? OBJ ?? ? 0)
15
???????? DOS Header ? NTHeader
???? instance ? process ??????
KPEFileKPEFile( HMODULE hModule) pModule
(const char ) hModule if ( IsBadReadPtr(pModul
e, sizeof(IMAGE_DOS_HEADER)) ) pDOSHeader
NULL pNTHeader NULL else
pDOSHeader (PIMAGE_DOS_HEADER) pModule
pNTHeader (PIMAGE_NT_HEADERS)
RVA2Ptr(pDOSHeader-gte_lfanew)
???? Header (??????,???????)
? DOS Header ?? e_lfanew ????
16
GetDirectory()?? PE ??, ?? Table ???
// ???????? ?? Directory Table ? ?? const void
KPEFileGetDirectory(int id) return
RVA2Ptr(pNTHeader-gtOptionalHeader.DataDirectoryid
.VirtualAddress)
? IMAGE_OPTIONAL_HEADER R32 ????? Table ???
17
?? imported module ???

???????????? module ? functions
PE ??? IMAGE_IMPORT_DESRIPTOR ??,?????? imported
? module

?? module ???? function
?? imported module ??????
IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk
TimeDateStamp Name
imported module Name
IMAGE_THUNK_DATA union Ordinal
AddressOfData
?? imported module ??????
Function name (?? ? RVA ?)
18
???????? Import ??
????????????????? Import Module ??
Step 1
?? GetDictory() ???? IMAGE_DIRECTORY_ENTRY_IMPORT
directory ???
Step 2
???? Import table ?? Name ??????
???? DLL ? Import ??
Step 1
PIMAGE_IMPORT_DESCRIPTOR KPEFileGetImportDescrip
tor(LPCSTR pDllName) PIMAGE_IMPORT_DESCRIPTOR
pImport (PIMAGE_IMPORT_DESCRIPTOR)

GetDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT)
if ( pImportNULL ) return NULL
while ( pImport-gtFirstThunk )
if ( stricmp(pDllName,
RVA2Ptr(pImport-gtName))0 )
return pImport pImport
// ??,???????
return NULL
?? map ? FirstThunk ?? module ??
Step 2
?? import ?? Name ? RVA ??,??????????
19
???? imported function ???

?????? DLL Module ??
??????? OriginalFirstThunk ??? Module ? imported
? function ??

?? module ???? function
?? imported module ??????
IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk
TimeDateStamp Name
20
???? function ??? DLL module ???
const unsigned KPEFileGetFunctionPtr(PIMAGE_IM
PORT_DESCRIPTOR pImport,

LPCSTR pProcName) // Step
1 ? Import DLL module ?????? PIMAGE_THUNK_DATA
?? // ??????? function ???
PIMAGE_THUNK_DATA pThunk pThunk
(PIMAGE_THUNK_DATA) RVA2Ptr(pImport-gtOriginalFirst
Thunk) // Step 2 ???????? Thunk Data ????
function name, for (int i0 pThunk-gtu1.Function
i) bool match match
stricmp(pProcName, RVA2Ptr((unsigned)pThunk-gtu1.Ad
dressOfData)2) \

0 if ( match ) // ?????
FirstThunk i ??? return (unsigned )
RVA2Ptr(pImport-gtFirstThunk)i pThunk

function name
21

??????????? imported function ????
??? OS ????????, ?? imported function

????? ???? ?????, ??????? ?????? function ?
22
?????? function ???
FARPROC KPEFileSetImportAddress(LPCSTR
pDllName,LPCSTR pProcName,\
FARPROC pNewProc)
// Step 1 ?????? DLL module ????
PIMAGE_IMPORT_DESCRIPTOR pImport
GetImportDescriptor(pDllName) if ( pImport )
// Step 2 ?? ?? function ??? const
unsigned pfn GetFunctionPtr(pImport,
pProcName) if ( IsBadReadPtr(pfn,
sizeof(DWORD)) ) // ?????????? return
NULL // Step 3 ???? function address
FARPROC oldproc (FARPROC) pfn // Step
4 ????????? DWORD dwWritten // ???????
bytes WriteProcessMemory(GetCurrentProcess(),
(void ) pfn,pNewProc, \
sizeof(DWORD),
dwWritten) return oldproc else
return NULL
23
??

????????? process, ?????? module name
Advanced????? DLL Injection,??????????

24
Reference
Reference 1. ms-help//MS.MSDNQTR.2004JAN.1033/dn
mag02/html/PE.htm 2. DirectX Windows Graphics
Programming, Feng Yuan 3. ms-help//MS.MSDNQTR.20
04JAN.1033/dndebug/html/msdn_peeringpe.htm

Write a Comment

User Comments (0)