2025-01-17 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
PE file analysis under Win32, continued from the previous article on the NT headers
(1) FileBuffer and ImageBuffer
(1) FileBuffer: reading the original file into a memory area of the application yields the FileBuffer, which is byte-for-byte identical to the file on disk. As shown below:
(2) ImageBuffer: the area into which the file is loaded according to certain rules, and which can be executed after some further processing, is called the ImageBuffer. Its size is SizeOfImage in the optional PE header. The structure is as follows:
(3) The relationship between the two
The ImageBuffer is built from the FileBuffer according to the layout rules given in the PE headers. If the memory alignment (SectionAlignment) is the same as the file alignment (FileAlignment), the ImageBuffer is almost a complete copy of the FileBuffer (the ×× part of the figure is the Misc field of the section table).
(2) Section table:
From the figure above, you can see that the section table sits immediately after the optional PE header, so adding the sizes of the preceding headers to the start address of the FileBuffer gives the position of the section table. The number of section table entries varies from one PE file to another, and the entries are laid out back to back. The following is the section table structure defined in winnt.h in Visual C++ 6.0:

    #define IMAGE_SIZEOF_SHORT_NAME 8

    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];   // the name of the section (8 bytes, not necessarily NUL-terminated)
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;                                // the size of the section before it is aligned in memory
        DWORD VirtualAddress;                  // offset of the section in the ImageBuffer
        DWORD SizeOfRawData;                   // size of the section after alignment in the file
        DWORD PointerToRawData;                // offset of the section in the file
        DWORD PointerToRelocations;
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;                 // attributes of this section (such as whether it is readable or writable)
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
(3) Traverse the section table:
The following iterates through the section table of notepad.exe; the number of sections is the value of NumberOfSections in the standard PE header (IMAGE_FILE_HEADER):
Section.h:

    #include <windows.h>
    #include <stdio.h>

    void OutputSections(void* buffer)
    {
        void* buf = buffer;
        IMAGE_DOS_HEADER* pdos = (IMAGE_DOS_HEADER*)buf;
        // the standard PE header follows the 4-byte "PE\0\0" signature at e_lfanew
        IMAGE_FILE_HEADER* pfile = (IMAGE_FILE_HEADER*)((unsigned char*)buf + pdos->e_lfanew + 0x4);
        // locate the section table in the file buffer:
        // e_lfanew + signature (4) + IMAGE_FILE_HEADER (0x14) + optional header
        IMAGE_SECTION_HEADER* psec = (IMAGE_SECTION_HEADER*)((unsigned char*)buf + pdos->e_lfanew
                                                              + 0x4 + 0x14 + pfile->SizeOfOptionalHeader);
        // traverse the section table
        for (int sec_num = 1; sec_num <= pfile->NumberOfSections; sec_num++) {
            // Name is 8 bytes and need not be NUL-terminated, so limit the width
            printf("\nSection %d: %.8s\n", sec_num, psec->Name);
            printf("Misc: %#X\n", psec->Misc.VirtualSize);
            printf("VirtualAddress: %#X\n", psec->VirtualAddress);
            printf("SizeOfRawData: %#X\n", psec->SizeOfRawData);
            printf("PointerToRawData: %#X\n", psec->PointerToRawData);
            printf("Characteristics: %#X\n", psec->Characteristics);
            psec++;
        }
    }
Comment out the function that parses other headers, and the running result is as follows:
(4) Description:
The code above prints only part of the information in each entry, mainly the fields that are useful in practice.
Characteristics, the last member of the section header, determines the permissions of the section (for example whether it is readable, writable or executable). The following figure is a table of its attribute flags:
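The example below is added here and is not code from the original article. It puts the three ideas above together: the section-table traversal of OutputSections, the permission bits of Characteristics, and the FileBuffer/ImageBuffer relationship (an RVA from the ImageBuffer is mapped back to a FileBuffer offset through the section table). Unlike OutputSections it bounds-checks every read, so a truncated or malformed file is rejected instead of being read past the end of the buffer. Header fields are read by offset following the winnt.h layout quoted above, so it builds without windows.h; the flag values IMAGE_SCN_* are the real winnt.h constants, and the PE image it parses is constructed in memory rather than read from notepad.exe.

```c
/* Added example, not code from the original article: a bounds-checked walk of the
 * section table inside a FileBuffer, the permission bits of Characteristics, and
 * the RVA -> file-offset translation that relates ImageBuffer to FileBuffer. Fields
 * are read by offset (winnt.h layout as quoted above) so this builds without
 * windows.h; the PE image it parses is constructed in memory, not read from disk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SEC_HDR_SIZE 40                                /* sizeof(IMAGE_SECTION_HEADER) */
#define IMAGE_SCN_CNT_CODE             0x00000020u     /* flag values as in winnt.h */
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

typedef struct {
    char Name[9];                                      /* 8-byte name, NUL-terminated here */
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics;
} Section;

/* Little-endian read of n bytes that refuses to run past the end of the buffer. */
static int rd(const uint8_t *b, size_t len, size_t off, unsigned n, uint32_t *v) {
    if (off + n > len) return 0;
    for (*v = 0; n--; ) *v = *v << 8 | b[off + n];
    return 1;
}

/* Section table offset (e_lfanew + 4 + 0x14 + SizeOfOptionalHeader), or 0 if headers are bad or it does not fit. */
size_t find_section_table(const uint8_t *buf, size_t len, uint32_t *nsec) {
    uint32_t e_lfanew, sig, opt_size;
    if (len < 2 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    if (!rd(buf, len, 0x3C, 4, &e_lfanew) || !rd(buf, len, e_lfanew, 4, &sig) || sig != 0x4550u) return 0;
    if (!rd(buf, len, e_lfanew + 6, 2, nsec) || !rd(buf, len, e_lfanew + 20, 2, &opt_size)) return 0;
    size_t table = (size_t)e_lfanew + 4 + 0x14 + opt_size;
    return table + (size_t)*nsec * SEC_HDR_SIZE <= len ? table : 0;
}

/* Copies section header idx (0-based) out of the table; returns 0 on failure. */
int read_section(const uint8_t *buf, size_t len, size_t table, unsigned idx, Section *s) {
    size_t off = table + (size_t)idx * SEC_HDR_SIZE;
    if (off + SEC_HDR_SIZE > len) return 0;
    memcpy(s->Name, buf + off, 8); s->Name[8] = '\0';
    return rd(buf, len, off + 8, 4, &s->VirtualSize) && rd(buf, len, off + 12, 4, &s->VirtualAddress)
        && rd(buf, len, off + 16, 4, &s->SizeOfRawData) && rd(buf, len, off + 20, 4, &s->PointerToRawData)
        && rd(buf, len, off + 36, 4, &s->Characteristics);
}

/* Permission bits of Characteristics as an "rwx" string (static buffer, not reentrant). */
const char *section_perms(uint32_t c) {
    static char out[4];
    out[0] = (c & IMAGE_SCN_MEM_READ) ? 'r' : '-';
    out[1] = (c & IMAGE_SCN_MEM_WRITE) ? 'w' : '-';
    out[2] = (c & IMAGE_SCN_MEM_EXECUTE) ? 'x' : '-';
    out[3] = '\0'; return out;
}
/* Writable and executable at once is the combination a reviewer flags first. */
int section_is_wx(uint32_t c) { return (c & IMAGE_SCN_MEM_WRITE) && (c & IMAGE_SCN_MEM_EXECUTE) ? 1 : 0; }

/* ImageBuffer offset (RVA) -> FileBuffer offset via the section whose file-backed range holds it; -1 if none. */
long rva_to_file_offset(const uint8_t *buf, size_t len, uint32_t rva) {
    uint32_t n; Section s; size_t table = find_section_table(buf, len, &n);
    for (unsigned i = 0; table && i < n && read_section(buf, len, table, i, &s); i++)
        if (rva >= s.VirtualAddress && rva - s.VirtualAddress < s.SizeOfRawData)
            return (long)(s.PointerToRawData + (rva - s.VirtualAddress));
    return -1;
}

/* Constructed input: "MZ", e_lfanew = 0x80, "PE\0\0", 2 sections, 0xE0-byte PE32 optional header, table at 0x178. */
static void put32(uint8_t *b, size_t off, uint32_t v) { for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> 8 * i); }
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const struct { const char *name; uint32_t vs, va, raw, ptr, ch; } secs[2] = {
        { ".text", 0x0A20, 0x1000, 0x0C00, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ },
        { ".data", 0x0200, 0x2000, 0x0200, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE } };
    size_t total = 0x178 + 2 * SEC_HDR_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; put32(buf, 0x3C, 0x80); put32(buf, 0x80, 0x4550u);
    buf[0x84 + 2] = 2; buf[0x84 + 16] = 0xE0;          /* NumberOfSections, SizeOfOptionalHeader */
    for (size_t i = 0, off = 0x178; i < 2; i++, off += SEC_HDR_SIZE) {
        memcpy(buf + off, secs[i].name, strlen(secs[i].name));
        put32(buf, off + 8, secs[i].vs); put32(buf, off + 12, secs[i].va); put32(buf, off + 16, secs[i].raw);
        put32(buf, off + 20, secs[i].ptr); put32(buf, off + 36, secs[i].ch);
    }
    return total;
}

/* Wrappers that run the parser over the constructed image. */
uint32_t sample_characteristics(unsigned idx) {
    uint8_t buf[512]; uint32_t n; Section s; size_t len = build_sample_pe(buf, sizeof buf);
    size_t t = find_section_table(buf, len, &n);
    return (t && read_section(buf, len, t, idx, &s)) ? s.Characteristics : 0;
}
long sample_rva_to_offset(uint32_t rva) { uint8_t buf[512]; return rva_to_file_offset(buf, build_sample_pe(buf, sizeof buf), rva); }
/* Only the first 0x100 bytes are present: the table at 0x178 must be rejected, not read past the end. */
int sample_truncated_rejected(void) { uint8_t buf[512]; uint32_t n; build_sample_pe(buf, sizeof buf); return find_section_table(buf, 0x100, &n) == 0; }

int main(void) {
    for (unsigned i = 0; i < 2; i++)
        printf("Section %u: Characteristics=%#x perms=%s wx=%d\n", i + 1, sample_characteristics(i),
               section_perms(sample_characteristics(i)), section_is_wx(sample_characteristics(i)));
    printf("RVA 0x1234 -> file offset %#lx\n", sample_rva_to_offset(0x1234));
    return 0;
}
```

Compared with OutputSections, every offset derived from the file (e_lfanew, SizeOfOptionalHeader, NumberOfSections) is checked against the buffer length before it is dereferenced, which is what makes the walker safe to run on untrusted input; the truncated-buffer wrapper shows the table being rejected rather than read off the end.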
We will continue to update when we are free. Please leave a comment if you have any suggestions.