Shulou(Shulou.com)06/01 Report--

(1) PE file under .win32:

PE is the abbreviation of Portable Execute, which means portable and executable. As long as the data structure of the file follows the PE structure, it belongs to PE file. The common PE files in windows include

* .sys driver class file

* .dll dynamic link library file

* .exe executable file

* .ocx object category extension

* .obj object files, etc.

Similarly, the ELF format is used in linux, which is somewhat different from windows's PE format, such as:

Relocatable file * .o

Executable files such as / bin/ls, etc.

Share the target file * .so

Core dump file core

All follow the ELF data structure. Unix has also used ELF since system v4, and their ancestors are all medium COFF of unix system v3. As shown below:

(2) binary data structure of PE file in win32:

The binary data structure, such as the figure below, looks complex, but when you parse the wave yourself, it may change your worldview, as long as it is for beginners. In order to show it all, I can't see it clearly and put it in the attachment.

(3) the logic diagram of PE in .win32:

A standard PE file consists of DOS headers, stub headers, NT headers (including PE identification, standard PE headers and optional PE first three members), section tables, section contents, and some 0. 0 filled for memory alignment.

The above is a general logic diagram of a PE file, although its content is binary, but by no means randomly filled with data, but strictly generated in a certain format, such as a piece of code written in C language, an exe file (one of the PE files) generated after preprocessing, assembly, compilation and link, the generation process is completed by the compiler.

(4). Data structure in the DOS header:

Definition in the WinNT header file in Visual C++ 6.0:

Typedef struct _ IMAGE_DOS_HEADER {/ / DOS .EXE header WORD estrangement magic; / / Magic number WORD eBay cblp; / / Bytes on last page of file WORD eBay cp; / / Pages in file WORD eBay crlc; / / Relocations WORD e_cparhdr / / Size of header in paragraphs WORD estrangminalloco; / / Minimum extra paragraphs needed WORD eBay maxalloco; / / Maximum extra paragraphs needed WORD estrangsss; / / Initial (relative) SS value WORD eBay spp; / / Initial SP value WORD e_csum / / Checksum WORD eBay; / / Initial IP value WORD estrangcs; / / Initial (relative) CS value WORD estranglfarlc; / / File address of relocation table WORD estrangovno; / / Overlay number WORD e_res [4] / / Reserved words WORD eBay emid; / / OEM identifier (for e_oeminfo) WORD eBay eminence; / / OEM information; e_oemid specific WORD e_res2 [10]; / / Reserved words LONG e_lfanew / / File address of new exe header} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER

C language realizes the simple parsing of the DOS header of notepad.exe in win32:

This code simply outputs two useful data in the DOS header, the first and the last (e_magic and e_lfanew), as follows:

Dos_Header_Analyze.cpp:

/ / Dos_Header_Analyze.cpp: Defines the entry point for the console application.//#include "stdafx.h" # include "dos.h" / / include the self-written dos.h file # define filepath "notepad.exe" / / specify the location of the notepad.exe, write the absolute path, or put it in the source code directory int main (int argc, char* argv []) {void* pbuff = NULL / / convenient later when the parameter uses pbuff = ReadFileToBuff (filepath); Output_Dos (pbuff); / / parses the DOS header free (pbuff); / / frees up space return 0;}

Dos.h:

Void* ReadFileToBuff (char* file) / / read the file into memory {FILE* fp = fopen (file, "rb"); / / Open the file void* buff = NULL; / / to point to the requested memory buffer unsigned long sz = 0 in binary read-only format / / the size if (! fp) {printf ("Failed to open file\"% s\ "\ n", file) used to store files; exit (- 1);} fseek (fp, 0, SEEK_END) / / Let the file pointer fp point to the last position of the file, which is used to calculate the file size sz = ftell (fp); / / get the offset fseek of the current file pointer from the starting position (fp, 0, SEEK_SET) / / Let the file pointer fp point to the starting location of the file printf ("File\"% s\ "size:% ld KB\ n", file, sz / 1024); / / output file size (in KB) buff = malloc (sz) / / request a memory equal to the file size to be used as file buffer if (! buff) {printf ("Alloc memery failed!\ n"); exit (- 2)} memset (buff, 0, sz) / / Zero buffer / / writes the data in the file to the file buffer, reading 128bytes at a time, reading sz/128 times, just reading sz bytes if (! fread (buff, 128s, sz/128, fp)) {printf ("Read file\"% s\ "error!\ n", file); exit (- 3) } fclose (fp); / / close the newly opened file return buff; / / return the memory address of the file buffer} / / output the important information of the DOS header void Output_Dos (void* buffer) {void* buf = buffer / / define a pointer IMAGE_DOS_HEADER* pdos = (IMAGE_DOS_HEADER*) buf; printf ("DOS Header:\ n") to the file buffered DOS header; / / MZ tag to determine whether the file is executable (its value corresponds to the ascii of MZ) printf ("Magic Number:% # X\ n", pdos- > e_magic) / / PE identifies the offset from the actual location of the file (in bytes) printf ("PE Offset:% # X\ n", pdos- > e_lfanew);}

Stdafx.h:

# if! defined (AFX_STDAFX_H__BBCA9272_49A3_4E1E_9262_9F0211C5BA05__INCLUDED_) # define AFX_STDAFX_H__BBCA9272_49A3_4E1E_9262_9F0211C5BA05__INCLUDED_#if _ MSC_VER > 1000#pragma once#endif / / _ MSC_VER > 1000#define WIN32_LEAN_AND_MEAN / / Exclude rarely-used stuff from Windows headers// is mainly to include the corresponding header file # include # include

The execution result is as follows:

I will continue to update if I am free.

Attachment: http://down.51cto.com/data/2366651

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.