
NT header for PE file analysis under win32

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Continued from the previous article, "The DOS header of PE file analysis under win32".

(1) The NT header of a PE file in win32:

"NT header" is the collective name for the standard PE header and the optional PE header in a PE file; it also contains the PE signature. Here is its definition in WINNT.h in Visual C++ 6.0:

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                         // PE signature
    IMAGE_FILE_HEADER FileHeader;            // standard PE header (also called the file header)
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;  // optional PE header
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

The first is the 64-bit NT header definition, the second the 32-bit one. Only 32-bit is discussed here. The standard PE header is also called the file header; the name is not important, just know that they are the same thing. I don't like to use high-end nouns very often. High-end nouns are mainly used for rigor, but very often they are obscure, hard to understand and hard to accept.

(2) Signature in the NT header:

This is the PE signature, marking the starting position of the NT header. Its value is always 0x00004550, the ASCII bytes "PE\0\0". Its offset in the PE file is given by the last member of the DOS header, e_lfanew. The previous article parsed its value as 0xE0, as shown in the figure:

(3) The standard PE header in the NT header:

The standard PE header in the NT header is 0x14 bytes wide. Its structure in Visual C++ 6.0 is defined as follows:

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

(2). The code is organized as follows: the parsing function for each header is placed in its own header file, so that the structure of each header can be observed one at a time. To become more familiar with the data structure of each header, every function re-parses from the start of the file, which costs efficiency. If there is time later, optimized code will be provided. (Optimization idea: at the start of parsing, store the address of each header in a global array of unsigned long*, so that later code reads the address from the array directly instead of re-casting the DOS header structure and recomputing each structure's offset every time.)

(3). The code for parsing the file header is as follows (only the important fields are printed; the blog's column width is limited, and longer comment lines would not fit, which is not pretty):

File.h

#include <stdio.h>
#include <windows.h>

void Output_File(void* buffer)
{
    void* buf = buffer;
    // used when calculating offsets
    IMAGE_DOS_HEADER* pdos = (IMAGE_DOS_HEADER*)buf;
    // pnt stores the address of the NT header
    IMAGE_NT_HEADERS32* pnt = (IMAGE_NT_HEADERS32*)((unsigned char*)buf + pdos->e_lfanew);
    // pfile stores the address of the standard PE header structure inside the NT header
    IMAGE_FILE_HEADER* pfile = (IMAGE_FILE_HEADER*)&pnt->FileHeader;

    printf("\nNT Header:\n");
    // PE signature; the value is the ASCII of "PE\0\0", i.e. 0x00004550
    printf("PE:%#X\n", pnt->Signature);
    printf("FileHeader:\n");
    // CPU platform the program can run on
    printf("Machine:%#X\n", pfile->Machine);
    // number of sections in the PE file
    printf("NumberOfSec:%#X\n", pfile->NumberOfSections);
    // timestamp: creation time of the file, normally filled in by the compiler; changing it does not affect execution
    printf("TimeStamp:%#X\n", pfile->TimeDateStamp);
    // size of the optional PE header (0xE0 by default for 32-bit, 0xF0 for 64-bit)
    printf("SizeOfOpHdr:%#X\n", pfile->SizeOfOptionalHeader);
    // attributes of the file (identifies the file type: exe, dll or other)
    printf("Characteristics:%#X\n", pfile->Characteristics);
}

Comment out the parsing of the other headers; the running result is as follows:

(4). The optional PE header in the NT header:

The optional PE header has the most complex structure and is the most important one. The 32-bit and 64-bit versions differ slightly. In Visual C++ 6.0, winnt.h defines it as follows:

typedef struct _IMAGE_OPTIONAL_HEADER {
    // Standard fields.
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    // NT additional fields.
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

The code for parsing this header is as follows:

#include <stdio.h>
#include <windows.h>

void Output_Optional(void* buffer)
{
    void* buf = buffer;
    // used when calculating offsets
    IMAGE_DOS_HEADER* pdos = (IMAGE_DOS_HEADER*)buf;
    // pop stores the start of the optional PE header. Counting from e_lfanew: 0x4 bytes for the PE
    // signature plus 0x14 bytes for the standard PE header gives the offset of the optional PE header.
    IMAGE_OPTIONAL_HEADER32* pop = (IMAGE_OPTIONAL_HEADER32*)((unsigned char*)buf + pdos->e_lfanew + 0x4 + 0x14);

    printf("Optional PE Header:\n");
    // file type: 0x10B is a 32-bit PE file, 0x20B a 64-bit PE file
    printf("Magic:%#X\n", pop->Magic);
    // sum of all code sections; must be a multiple of FileAlignment; filled in by the compiler, changing it has no effect
    printf("SizeOfCode:%#X\n", pop->SizeOfCode);
    // sum of the sizes of the initialized data
    printf("SizeOfInitializedData:%#X\n", pop->SizeOfInitializedData);
    // sum of the sizes of the uninitialized data
    printf("SizeOfUninitializedData:%#X\n", pop->SizeOfUninitializedData);
    // program entry point (OEP)
    printf("AddressOfEntryPoint:%#X\n", pop->AddressOfEntryPoint);
    // base address of the memory image
    printf("ImageBase:%#X\n", pop->ImageBase);
    // memory alignment
    printf("SectionAlignment:%#X\n", pop->SectionAlignment);
    // file alignment
    printf("FileAlignment:%#X\n", pop->FileAlignment);
    // size of the whole PE image in memory; may be larger than the file size and must be a multiple of SectionAlignment
    printf("SizeOfImage:%#X\n", pop->SizeOfImage);
    // size of all headers plus the section table, rounded up to FileAlignment
    printf("SizeOfHeaders:%#X\n", pop->SizeOfHeaders);
    // checksum, used to judge whether the file has been tampered with; some system DLLs are checked at load time
    printf("CheckSum:%#X\n", pop->CheckSum);
}

Comment out the other parsing parts; the running result is as follows:
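Output_File and Output_Optional above work by casting straight into the buffer at e_lfanew + 0x4 + 0x14, which is fine for inspecting a file you compiled yourself. A parser that is handed untrusted files has to treat e_lfanew, SizeOfOptionalHeader, Magic and NumberOfSections as attacker-controlled before following them. The following example is added here and is not code from the original article; it reads the same fields as sections (2), (3) and (4) (Signature, the standard PE header and the optional PE header) with explicit bounds checks, using the winnt.h field offsets instead of the Windows headers so it also builds on Linux. The PE file it parses is a constructed minimal PE32 image written into a buffer (with e_lfanew = 0xE0 like the file on this page), not a real binary, and the corruption cases are hypothetical inputs chosen to trigger each check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The NT-header fields this page prints, filled by a bounds-checked parser. */
typedef struct {
    uint32_t e_lfanew, signature, address_of_entry_point, image_base, section_alignment,
             file_alignment, size_of_image, size_of_headers;
    uint16_t machine, number_of_sections, size_of_optional_header, characteristics, magic;
} NtInfo;

typedef enum {
    PE_OK = 0,
    PE_ERR_TOO_SMALL, PE_ERR_NO_MZ,         /* shorter than the 0x40-byte DOS header / e_magic not "MZ"        */
    PE_ERR_BAD_LFANEW, PE_ERR_NO_PE,        /* e_lfanew + 0x18 overruns the buffer / Signature not "PE\0\0"    */
    PE_ERR_OPT_HDR_RANGE, PE_ERR_NOT_PE32,  /* SizeOfOptionalHeader too small or past the end / Magic not 0x10B */
    PE_ERR_SECTION_TABLE                    /* NumberOfSections * 0x28 does not fit inside SizeOfHeaders        */
} PeStatus;

/* Little-endian accessors: no struct casts, so alignment and host byte order do not matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

PeStatus parse_nt_headers(const uint8_t *buf, size_t len, NtInfo *out)
{
    NtInfo tmp; if (!out) out = &tmp;
    if (len < 0x40) return PE_ERR_TOO_SMALL;
    if (rd16(buf) != 0x5A4D) return PE_ERR_NO_MZ;
    out->e_lfanew = rd32(buf + 0x3C);                          /* last member of the DOS header */
    /* Compare in size_t before forming buf + e_lfanew: a value near 0xFFFFFFFF would wrap a naive "e_lfanew + 0x18 <= len". */
    if (out->e_lfanew > len || len - out->e_lfanew < 0x18) return PE_ERR_BAD_LFANEW;
    const uint8_t *nt = buf + out->e_lfanew;
    out->signature = rd32(nt);
    if (out->signature != 0x00004550) return PE_ERR_NO_PE;     /* ASCII "PE\0\0" */
    const uint8_t *fh = nt + 0x4;                              /* standard PE header, 0x14 bytes */
    out->machine = rd16(fh);                        out->number_of_sections = rd16(fh + 0x02);
    out->size_of_optional_header = rd16(fh + 0x10); out->characteristics = rd16(fh + 0x12);
    /* The optional header sits 0x4 + 0x14 past the Signature; we read through SizeOfHeaders (bytes 0x3C..0x3F). */
    if (out->size_of_optional_header < 0x40 ||
        len - out->e_lfanew - 0x18 < out->size_of_optional_header) return PE_ERR_OPT_HDR_RANGE;
    const uint8_t *oh = fh + 0x14;
    out->magic = rd16(oh);
    if (out->magic != 0x10B) return PE_ERR_NOT_PE32;           /* this page only handles 32-bit PE */
    out->address_of_entry_point = rd32(oh + 0x10); out->image_base = rd32(oh + 0x1C);
    out->section_alignment = rd32(oh + 0x20);      out->file_alignment = rd32(oh + 0x24);
    out->size_of_image = rd32(oh + 0x38);          out->size_of_headers = rd32(oh + 0x3C);
    /* The section table follows the optional header and must lie inside SizeOfHeaders. */
    size_t sec_tbl = (size_t)out->e_lfanew + 0x18 + out->size_of_optional_header;
    if (out->size_of_headers > len ||
        sec_tbl + (size_t)out->number_of_sections * 0x28 > out->size_of_headers) return PE_ERR_SECTION_TABLE;
    return PE_OK;
}

/* Constructed sample (not a real binary): a minimal PE32 whose e_lfanew is 0xE0, as in the page's file. */
#define SAMPLE_LEN 0x200
void build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, 0x5A4D);          wr32(buf + 0x3C, 0xE0);     /* "MZ", e_lfanew                          */
    uint8_t *nt = buf + 0xE0, *oh = nt + 0x18;
    wr32(nt, 0x00004550);                                   /* Signature "PE\0\0"                      */
    wr16(nt + 0x04, 0x014C);    wr16(nt + 0x06, 1);         /* Machine i386, NumberOfSections          */
    wr16(nt + 0x14, 0xE0);      wr16(nt + 0x16, 0x0102);    /* SizeOfOptionalHeader, Characteristics   */
    wr16(oh, 0x10B);            wr32(oh + 0x10, 0x1000);    /* Magic PE32, AddressOfEntryPoint         */
    wr32(oh + 0x1C, 0x400000);  wr32(oh + 0x20, 0x1000);    /* ImageBase, SectionAlignment             */
    wr32(oh + 0x24, 0x200);     wr32(oh + 0x38, 0x2000);    /* FileAlignment, SizeOfImage              */
    wr32(oh + 0x3C, 0x200);     /* SizeOfHeaders: the single 0x28-byte section entry ends exactly at 0x200 */
}

/* Parse the sample after one hypothetical corruption, so each check can be seen firing. */
enum { CORRUPT_NONE, CORRUPT_LFANEW, CORRUPT_SIGNATURE, CORRUPT_MAGIC, CORRUPT_SECTIONS };
PeStatus parse_sample(int corruption, NtInfo *out)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample_pe(buf);
    switch (corruption) {
    case CORRUPT_LFANEW:    wr32(buf + 0x3C, 0xFFFFFFF0u); break;  /* e_lfanew far past the end */
    case CORRUPT_SIGNATURE: wr32(buf + 0xE0, 0x00004541u); break;  /* "AE\0\0"                  */
    case CORRUPT_MAGIC:     wr16(buf + 0xF8, 0x20B);       break;  /* claims PE32+              */
    case CORRUPT_SECTIONS:  wr16(buf + 0xE6, 0x40);        break;  /* 64 sections cannot fit    */
    }
    return parse_nt_headers(buf, SAMPLE_LEN, out);
}

/* 1 when the clean sample parses and the fields round-trip to what build_sample_pe wrote. */
int sample_roundtrip_ok(void)
{
    NtInfo i;
    return parse_sample(CORRUPT_NONE, &i) == PE_OK && i.e_lfanew == 0xE0 && i.signature == 0x4550 &&
           i.machine == 0x14C && i.number_of_sections == 1 && i.size_of_optional_header == 0xE0 &&
           i.magic == 0x10B && i.image_base == 0x400000 && i.size_of_image == 0x2000 && i.size_of_headers == 0x200;
}

int main(void)
{
    NtInfo i;
    if (parse_sample(CORRUPT_NONE, &i) != PE_OK) return 1;
    printf("PE:%#X Machine:%#X SizeOfOpHdr:%#X Magic:%#X ImageBase:%#X SizeOfHeaders:%#X\n", (unsigned)i.signature,
           (unsigned)i.machine, (unsigned)i.size_of_optional_header, (unsigned)i.magic, (unsigned)i.image_base, (unsigned)i.size_of_headers);
    for (int c = CORRUPT_LFANEW; c <= CORRUPT_SECTIONS; c++) printf("corruption %d -> status %d\n", c, (int)parse_sample(c, NULL));
    return 0;
}
```

The order of the checks matters: e_lfanew is validated before anything is read at nt, SizeOfOptionalHeader before the optional header is read, and NumberOfSections before anyone walks the section table. To parse a real file, read it into memory and call parse_nt_headers(data, file_size, &info); the hard-coded 0x4 + 0x14 used in Output_Optional above is the same arithmetic, only here every step is range-checked first.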

(5) Notes:

The most troublesome part of the analysis is calculating the offsets. Just look at the structure diagram a few more times; that is how it all comes together.
