The PE format is the foundation of reverse engineering
Tools and documents used while studying
Password: 4bo5
📝 PE files
The concept of a PE file
PE (Portable Executable File Format): the portable executable file format
Executable files
- An executable file is a file that can be loaded by the operating system
- Executable file formats
Windows PE (Portable Executable) file structure (.EXE, .DLL, .SYS)
Identifying a PE file
Here I use WinHex: drag the file into WinHex
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fd694facc-d31d-460c-8b74-1efcce67b481%2FUntitled.png?table=block&id=14d5d664-26cc-439d-b57a-c6a1e7d2cb6f&t=14d5d664-26cc-439d-b57a-c6a1e7d2cb6f&width=707.9874877929688&cache=v2)
The first thing to notice is that WinHex and 010 Editor show the data in little-endian order
Little-endian: for example, 0x11223344 is stored as the bytes 44 33 22 11
The PE file signature
The 0x4D5A at the very start is the MZ header. The PE signature is found by taking the four bytes at base+0x3C (e_lfanew); in the figure above that value is 0x00000060, and it points to the PE header. The four bytes we read at offset 0x00000060, 0x00004550, are the PE header signature, and that is what marks the file as a PE file
PE文件结构
![notion image](https://s2.loli.net/2024/07/16/H72UWLQSiIudhaM.png?t=d73a2592-cdec-409e-8cb0-892c72c89714)
This diagram is confusing at first glance, so I picked a simpler one to learn from
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F9c09e034-88dd-4b04-b854-3b5e54d02ad7%2FUntitled.png?table=block&id=b621a1b0-0042-4eaf-8c5e-965968b39fb0&t=b621a1b0-0042-4eaf-8c5e-965968b39fb0&width=707.9874877929688&cache=v2)
It helps to think of these parts as nested folders
In the figure above there are three top-level folders: the PE file header, the sections, and the debug information
The PE file header in turn contains the DOS header, IMAGE_NT_HEADERS, the section table, and so on
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F8f03df0c-bf27-4dc7-b7a5-c40d46bd8e71%2FUntitled.png?table=block&id=3011b6a1-7286-4bad-bb8b-76c3f919d9e6&t=3011b6a1-7286-4bad-bb8b-76c3f919d9e6&width=708&cache=v2)
We can inspect the headers with PETools
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fd1e5c8f4-f818-4e0a-a2d1-2a46631c7853%2FUntitled.png?table=block&id=a53627dc-9aa5-4b42-9289-92806e640c11&t=a53627dc-9aa5-4b42-9289-92806e640c11&width=708&cache=v2)
Choosing the "O" option shows the IMAGE_OPTIONAL_HEADER part; for now the one thing I take from it is
Program entry point: ImageBase + EntryPoint
We can check in x96dbg whether it matches
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ff1fce52b-3b09-487b-9102-fdcdd46e526c%2FUntitled.png?table=block&id=4d2a6e6d-0394-4ae7-af2c-c1f5daccd2e6&t=4d2a6e6d-0394-4ae7-af2c-c1f5daccd2e6&width=2560&cache=v2)
With the default settings the debugger stops at the system breakpoint, so we need to set a breakpoint on the entry point
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F5994e31c-f8e3-4a41-a29e-8e17ab3d2dc4%2FUntitled.png?table=block&id=8a32ce82-fc09-4554-896c-9a50243c6462&t=8a32ce82-fc09-4554-896c-9a50243c6462&width=707.9874877929688&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F9b1a67ba-1aa1-4bf8-ab14-307ce134f374%2FUntitled.png?table=block&id=2463435d-7a9e-4e9b-9a35-7395eb226f57&t=2463435d-7a9e-4e9b-9a35-7395eb226f57&width=707.9874877929688&cache=v2)
After setting it, running again breaks at the entry point
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F61a45d4c-d503-4cb9-99e2-ed859814e7b4%2FUntitled.png?table=block&id=7cb3a17f-8978-462c-a0c2-2c913bfeacc2&t=7cb3a17f-8978-462c-a0c2-2c913bfeacc2&width=707.9750366210938&cache=v2)
HEADER - IMAGE_DOS_HEADER
- The IMAGE_DOS_HEADER structure was designed for 16-bit programs; most programs today are 32- or 64-bit.
- 32- and 64-bit programs use only two of its members.
e_magic: the MZ mark (the initials of one of the DOS developers), used to decide whether the file is an executable; if the value is not 0x5A4D the program will not start.
e_lfanew: the offset of the IMAGE_NT_HEADERS structure; adding it to the file start address locates IMAGE_NT_HEADERS.
The data between the end of IMAGE_DOS_HEADER and the start of IMAGE_NT_HEADERS is filler written by the compiler, called the DOS stub (DOS_SUB in the screenshots); it can be modified at will without affecting the program.
The modified DOS stub
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F304f8a4a-424d-4836-8e2d-8b426c865886%2FUntitled.png?table=block&id=2d276587-4332-4367-bdf4-fa6899f4ca0f&t=2d276587-4332-4367-bdf4-fa6899f4ca0f&width=707.9750366210938&cache=v2)
It still runs normally
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ffbc17e6a-e6f4-423b-94ef-3ef9128083ba%2FUntitled.png?table=block&id=a16fe85f-d3f9-4ae8-b970-4f0f6380b4dc&t=a16fe85f-d3f9-4ae8-b970-4f0f6380b4dc&width=708&cache=v2)
Reading IMAGE_DOS_HEADER
Main.c
Tools.c
Tools.h
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F0856a5b7-89c4-45ae-8400-29769ef6aadb%2FUntitled.png?table=block&id=5957181c-d61d-484e-aa88-8582f9572498&t=5957181c-d61d-484e-aa88-8582f9572498&width=707.9874877929688&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F7fc3eff3-aa3e-46ad-91d8-9365c00f9ff4%2FUntitled.png?table=block&id=55fddd60-4de6-481b-8c91-c050fce7b518&t=55fddd60-4de6-481b-8c91-c050fce7b518&width=708&cache=v2)
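The check described above, as an added C example (my own code, not the Main.c/Tools.c from the post): it reads e_magic and e_lfanew as little-endian values, refuses to follow an e_lfanew that points outside the file, verifies the "PE\0\0" signature, and then overwrites the DOS stub to show that the file still validates. The 0x70-byte buffers are constructed rather than taken from a real executable, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers: WinHex shows 0x11223344 as the bytes 44 33 22 11,
   so the byte at the lowest address is the least significant one. */
static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

#define DOS_E_MAGIC        0x5A4D      /* "MZ" as a little-endian WORD */
#define DOS_E_LFANEW_OFF   0x3C        /* offset of e_lfanew inside IMAGE_DOS_HEADER */
#define DOS_HEADER_SIZE    0x40        /* sizeof(IMAGE_DOS_HEADER) */
#define NT_SIGNATURE       0x00004550  /* "PE\0\0" as a little-endian DWORD */

/* Returns the file offset of IMAGE_NT_HEADERS, or -1 if `buf` is not a PE
   file. Every offset is checked against `len` before it is dereferenced:
   e_lfanew is read from the file itself, so a malformed file must not make
   the reader touch memory past the buffer. */
long pe_locate_nt_headers(const uint8_t *buf, size_t len)
{
    if (len < DOS_HEADER_SIZE) return -1;               /* no room for a DOS header */
    if (read_le16(buf) != DOS_E_MAGIC) return -1;       /* no MZ mark */
    uint32_t e_lfanew = read_le32(buf + DOS_E_LFANEW_OFF);
    if (e_lfanew > len - 4) return -1;                  /* signature would lie outside the file */
    if (read_le32(buf + e_lfanew) != NT_SIGNATURE) return -1;
    return (long)e_lfanew;
}

/* Fills the DOS stub (the bytes between the end of IMAGE_DOS_HEADER and
   e_lfanew) with `fill` and reports whether the file still validates, which
   demonstrates that the PE loader does not depend on the stub.
   Returns 1 if the buffer is still a valid PE afterwards, 0 otherwise. */
int pe_overwrite_dos_stub(uint8_t *buf, size_t len, uint8_t fill)
{
    long nt = pe_locate_nt_headers(buf, len);
    if (nt < DOS_HEADER_SIZE) return 0;                 /* not a PE, or headers overlap */
    memset(buf + DOS_HEADER_SIZE, fill, (size_t)nt - DOS_HEADER_SIZE);
    return pe_locate_nt_headers(buf, len) == nt;
}

/* Constructed sample (not a real executable): MZ at 0, e_lfanew = 0x60 as in
   the WinHex screenshot, "PE\0\0" at 0x60, everything else zero. */
uint8_t SAMPLE_PE[0x70] = {
    [0x00] = 0x4D, [0x01] = 0x5A,
    [0x3C] = 0x60, [0x3D] = 0x00, [0x3E] = 0x00, [0x3F] = 0x00,
    [0x60] = 0x50, [0x61] = 0x45, [0x62] = 0x00, [0x63] = 0x00,
};

/* Constructed malformed sample: MZ present but e_lfanew = 0xFFFFFFF0, which
   must be rejected rather than followed. */
uint8_t BAD_E_LFANEW_PE[0x70] = {
    [0x00] = 0x4D, [0x01] = 0x5A,
    [0x3C] = 0xF0, [0x3D] = 0xFF, [0x3E] = 0xFF, [0x3F] = 0xFF,
};

int main(void)
{
    long nt = pe_locate_nt_headers(SAMPLE_PE, sizeof SAMPLE_PE);
    printf("IMAGE_NT_HEADERS at file offset 0x%lX\n", nt);
    printf("stub overwritten, still valid: %d\n",
           pe_overwrite_dos_stub(SAMPLE_PE, sizeof SAMPLE_PE, 0xCC));
    printf("bad e_lfanew rejected: %d\n",
           pe_locate_nt_headers(BAD_E_LFANEW_PE, sizeof BAD_E_LFANEW_PE) == -1);
    return 0;
}
```

The bounds check on e_lfanew is the part worth copying into any parser: it is the first value taken from the file that is then used as an offset, so a truncated or corrupted file has to be rejected instead of read out of bounds. Build with `gcc -std=c99` or newer (the designated array initializers need C99).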
IMAGE_NT_HEADERS
The IMAGE_NT_HEADERS structure is located at e_lfanew (from IMAGE_DOS_HEADER) + the file start address
IMAGE_NT_HEADERS is defined as follows:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fcdedf79e-57c6-438c-a73a-b3c6ce717a9b%2FUntitled.png?table=block&id=1b78c3c5-c9d1-429d-8958-ec8a97f96e17&t=1b78c3c5-c9d1-429d-8958-ec8a97f96e17&width=707.9625244140625&cache=v2)
Signature: the PE file signature; it must be 0x00004550 ('P','E','\0','\0'), otherwise the program cannot start
FileHeader: the standard PE header, IMAGE_FILE_HEADER
OptionalHeader: the extended PE header, IMAGE_OPTIONAL_HEADER
IMAGE_FILE_HEADER
The standard PE header sits inside IMAGE_NT_HEADERS immediately after the PE signature (IMAGE_NT_HEADERS + 4).
- IMAGE_FILE_HEADER is 20 bytes (0x14).
The IMAGE_FILE_HEADER structure:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F159c1d16-291d-4d12-acaf-5f756aca4414%2FUntitled.png?table=block&id=db1c8209-4d9a-43f7-af49-4eb62f19a60e&t=db1c8209-4d9a-43f7-af49-4eb62f19a60e&width=707.9375&cache=v2)
Machine: specifies the platform (CPU architecture) the PE file runs on.
NumberOfSections: the total number of sections in the PE file (the field is 2 bytes, but the maximum is 96)
TimeDateStamp: the timestamp at which the compiler created the file; the 32-bit value is the number of seconds from 00:00 on 1 January 1970 until the creation time. It can be changed freely without affecting the program.
SizeOfOptionalHeader: the size of the IMAGE_OPTIONAL_HEADER structure, i.e. the extended PE header; by default 0xE0 for a 32-bit PE file and 0xF0 for a 64-bit one.
Characteristics: the PE file attribute flags (executable or not, DLL or not, and so on); every bit has its own meaning, as shown in the figure below:
Reading IMAGE_FILE_HEADER
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F48378651-87d1-4144-89b6-5a31f4a1b6bf%2FUntitled.png?table=block&id=f01c9580-aa25-47b9-b6ee-c6d5f2f9e1fb&t=f01c9580-aa25-47b9-b6ee-c6d5f2f9e1fb&width=708&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F3f1d5889-ad73-46da-b479-267ddf9196f8%2FUntitled.png?table=block&id=77dbca6a-3c27-4a45-abf2-3532340c9e82&t=77dbca6a-3c27-4a45-abf2-3532340c9e82&width=707.9625244140625&cache=v2)
IMAGE_OPTIONAL_HEADER
The IMAGE_OPTIONAL_HEADER structure definition:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F9c09e034-88dd-4b04-b854-3b5e54d02ad7%2FUntitled.png?table=block&id=c310546b-8289-4b9e-b7c4-888fc38a309a&t=c310546b-8289-4b9e-b7c4-888fc38a309a&width=707.9874877929688&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F5e44c2fc-ce92-43a2-8c13-31a1467977ea%2FUntitled.png?table=block&id=677183c9-f827-4d18-a02e-b46afeb31c13&t=677183c9-f827-4d18-a02e-b46afeb31c13&width=707.9874877929688&cache=v2)
Magic: the magic number, indicating the PE file type

| Constant | Value | Meaning |
| --- | --- | --- |
| IMAGE_NT_OPTIONAL_HDR32_MAGIC | 0x10b | PE32 |
| IMAGE_NT_OPTIONAL_HDR64_MAGIC | 0x20b | PE64 |

AddressOfEntryPoint: the program entry address. The value is an RVA; adding ImageBase gives the entry address in memory (the OEP). If you append a piece of your own code to an executable and want it to run first, this is the value to change so that it points at your code.
For an ordinary program it is the start address; for a device driver it is the address of the initialization function. For a DLL the entry point is optional, and if there is none this field must be set to 0
ImageBase: the preferred address at which the PE file is loaded in memory. If that address is already occupied the operating system assigns a different one (this happens with DLLs), and the data in the relocation table is then needed to fix the image up; an EXE is loaded first, so this does not happen to it. Most EXEs use the default ImageBase of 0x400000.
This value can be changed freely as long as it stays within the virtual address space and is a multiple of 64 KB; fix up the relocation data accordingly and the program runs normally.
SectionAlignment: the alignment granularity of sections in memory, i.e. the unit to which sections are aligned once loaded. The Win32 page size is 4 KB, so in Win32 PE files the memory alignment of sections is normally 4 KB, 1000h in hex. SectionAlignment must be greater than or equal to FileAlignment, and when it is smaller than the system page size, SectionAlignment must equal FileAlignment
FileAlignment: the alignment granularity of sections in the file; in Win32 PE files it is normally 200h, since Windows uses 512 bytes (the size of one physical sector).
SizeOfImage: the size of the whole PE file as mapped in memory; it must be a multiple of SectionAlignment (the value may be larger than the real size, but never smaller).
Base address (ImageBase)
Virtual address (VA - Virtual Address) = base address (ImageBase) + relative virtual address (RVA)
Relative virtual address (RVA - Relative Virtual Address) = VA - base address (ImageBase)
File offset address (FOA - File Offset Address)
Reading IMAGE_OPTIONAL_HEADER
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F06e2050d-583c-45e2-9fd9-3877949a0eaa%2FUntitled.png?table=block&id=165982d7-2c60-4d89-b4bb-0951672a5049&t=165982d7-2c60-4d89-b4bb-0951672a5049&width=707.9750366210938&cache=v2)
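As an added example covering both the IMAGE_FILE_HEADER and the IMAGE_OPTIONAL_HEADER fields described above (my code, not the post's), the following parses the two headers directly from the bytes that follow "PE\0\0" and checks the rules stated in the text: at most 96 sections, SizeOfOptionalHeader of 0xE0/0xF0, SectionAlignment >= FileAlignment (and equal to it when below the 4 KB page size), ImageBase a multiple of 64 KB, and SizeOfImage a multiple of SectionAlignment. The header bytes are constructed by `load_sample` rather than read from a real file; the struct and function names are mine, while the IMAGE_* constants are the winnt.h values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Constants as defined in winnt.h. */
#define IMAGE_NT_SIGNATURE             0x00004550
#define IMAGE_FILE_MACHINE_I386        0x014C
#define IMAGE_FILE_EXECUTABLE_IMAGE    0x0002
#define IMAGE_FILE_32BIT_MACHINE       0x0100
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20B
#define IMAGE_SIZEOF_FILE_HEADER       20

/* The fields this example extracts from the two headers. */
struct nt_summary {
    uint16_t machine, number_of_sections, size_of_optional_header, characteristics, magic;
    uint32_t time_date_stamp, address_of_entry_point, section_alignment, file_alignment;
    uint32_t size_of_image, size_of_headers;
    uint64_t image_base;
};

/* Parses IMAGE_FILE_HEADER and the start of IMAGE_OPTIONAL_HEADER. `nt` points
   at "PE\0\0" and `len` is the number of bytes available from there.
   Returns 0 on success, -1 on a short buffer or a bad signature/magic. */
int parse_nt_headers(const uint8_t *nt, size_t len, struct nt_summary *s)
{
    if (len < 4 + IMAGE_SIZEOF_FILE_HEADER + 64 || rd32(nt) != IMAGE_NT_SIGNATURE) return -1;
    const uint8_t *fh = nt + 4;                        /* IMAGE_FILE_HEADER = IMAGE_NT_HEADERS + 4 */
    s->machine                 = rd16(fh + 0);
    s->number_of_sections      = rd16(fh + 2);
    s->time_date_stamp         = rd32(fh + 4);
    s->size_of_optional_header = rd16(fh + 16);
    s->characteristics         = rd16(fh + 18);
    const uint8_t *oh = fh + IMAGE_SIZEOF_FILE_HEADER; /* IMAGE_OPTIONAL_HEADER = IMAGE_NT_HEADERS + 24 */
    s->magic = rd16(oh);
    if (s->magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        s->image_base = rd32(oh + 28);                                     /* PE32: 4-byte ImageBase */
    else if (s->magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        s->image_base = rd32(oh + 24) | ((uint64_t)rd32(oh + 28) << 32);   /* PE32+: 8-byte ImageBase */
    else
        return -1;
    s->address_of_entry_point = rd32(oh + 16);
    s->section_alignment      = rd32(oh + 32);         /* from here on PE32 and PE32+ offsets agree */
    s->file_alignment         = rd32(oh + 36);
    s->size_of_image          = rd32(oh + 56);
    s->size_of_headers        = rd32(oh + 60);
    return 0;
}

/* OEP in memory = ImageBase + AddressOfEntryPoint (an RVA). */
uint64_t entry_point_va(const struct nt_summary *s) { return s->image_base + s->address_of_entry_point; }

/* One bit per rule from the text; 0 means the header satisfies all of them. */
enum {
    NT_BAD_SECTION_COUNT = 1 << 0,  /* NumberOfSections > 96 */
    NT_ODD_OPT_HDR_SIZE  = 1 << 1,  /* SizeOfOptionalHeader is not the 0xE0 / 0xF0 default */
    NT_BAD_ALIGN_ORDER   = 1 << 2,  /* SectionAlignment < FileAlignment */
    NT_BAD_SMALL_ALIGN   = 1 << 3,  /* SectionAlignment below the 4 KB page but != FileAlignment */
    NT_BAD_IMAGE_BASE    = 1 << 4,  /* ImageBase not a multiple of 64 KB */
    NT_BAD_SIZE_OF_IMAGE = 1 << 5,  /* SizeOfImage not a multiple of SectionAlignment */
};

unsigned check_nt_invariants(const struct nt_summary *s)
{
    unsigned v = 0;
    if (s->number_of_sections > 96) v |= NT_BAD_SECTION_COUNT;
    if (s->size_of_optional_header != (s->magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC ? 0xF0 : 0xE0)) v |= NT_ODD_OPT_HDR_SIZE;
    if (s->section_alignment < s->file_alignment) v |= NT_BAD_ALIGN_ORDER;
    if (s->section_alignment < 0x1000 && s->section_alignment != s->file_alignment) v |= NT_BAD_SMALL_ALIGN;
    if (s->image_base % 0x10000 != 0) v |= NT_BAD_IMAGE_BASE;
    if (s->section_alignment == 0 || s->size_of_image % s->section_alignment != 0) v |= NT_BAD_SIZE_OF_IMAGE;
    return v;
}

/* Builds a constructed PE32 header block (not taken from a real file) with the
   given SectionAlignment, parses it into SAMPLE and returns the parse result.
   FileAlignment is fixed at 0x200, so a SectionAlignment of 0x100 breaks the rules. */
struct nt_summary SAMPLE;
int load_sample(uint32_t section_alignment)
{
    uint8_t buf[4 + IMAGE_SIZEOF_FILE_HEADER + 0xE0] = {0};
    uint8_t *fh = buf + 4, *oh = fh + IMAGE_SIZEOF_FILE_HEADER;
    memcpy(buf, "PE\0\0", 4);
    wr16(fh + 0, IMAGE_FILE_MACHINE_I386);  wr16(fh + 2, 3);            /* Machine, NumberOfSections */
    wr32(fh + 4, 0x66960000);               wr16(fh + 16, 0xE0);        /* TimeDateStamp, SizeOfOptionalHeader */
    wr16(fh + 18, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE);
    wr16(oh + 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(oh + 16, 0x1000);                  wr32(oh + 28, 0x400000);    /* AddressOfEntryPoint, ImageBase */
    wr32(oh + 32, section_alignment);       wr32(oh + 36, 0x200);       /* SectionAlignment, FileAlignment */
    wr32(oh + 56, 0x5F000);                 wr32(oh + 60, 0x400);       /* SizeOfImage, SizeOfHeaders */
    return parse_nt_headers(buf, sizeof buf, &SAMPLE);
}
```

With `load_sample(0x1000)` the summary reports Machine 0x14C, 3 sections and an OEP of 0x401000 (0x400000 + 0x1000) and no violations; `load_sample(0x100)` trips both alignment rules at once, which is the kind of inconsistency a loader or a header-validation step should reject before trusting any RVA in the file.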
IMAGE_SECTION_HEADER
- Each section table entry records the information about one particular section of the PE: its attributes, its size, its start position in the file and in memory, and so on. The number of entries in the section table is given by IMAGE_FILE_HEADER.NumberOfSections
Locating the first section header with WinHex:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F662495e5-9205-406d-a163-3a0588a46f9e%2FUntitled.png?table=block&id=26105c58-f7ea-408f-9302-f2671cfcd19c&t=26105c58-f7ea-408f-9302-f2671cfcd19c&width=707.9750366210938&cache=v2)
Name: the section name, 8 bytes. Normally an ASCII string terminated by "\0"; if it is not, the system processes exactly 8 bytes. The contents can be anything.
- Common section names

| Name | Contents |
| --- | --- |
| .data | initialized data |
| .idata | import table |
| .rsrc | resource data |
| .reloc | base relocation table |
| .edata | export table |
| .tls | thread local storage |
| .rdata | debug directory and description strings |

Misc.VirtualSize: the actual size of the section in memory (in bytes). Filled in by the compiler by default.
VirtualAddress: an RVA (Relative Virtual Address) that must be a multiple of SectionAlignment; it is the section's offset in memory, and adding ImageBase gives its address in memory.
SizeOfRawData: the size of the section in the file after file alignment (in bytes); it must be a multiple of FileAlignment.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ff5b6de6e-b76d-4c22-b973-32efc9260cbd%2FUntitled.png?table=block&id=64745e7f-d078-4f24-a5ab-41651c4b8ba2&t=64745e7f-d078-4f24-a5ab-41651c4b8ba2&width=707.9625244140625&cache=v2)
There are many section attributes; here I note only a few common ones
In the file these attributes appear combined into a single value: the individual flags are XORed together (each flag is a distinct bit, so this gives the same result as ORing them)
Reading IMAGE_SECTION_HEADER
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fe108eaca-4326-4592-b3e3-86a987f2923d%2FUntitled.png?table=block&id=49442b88-d674-471f-87f6-7b9537c9bb10&t=49442b88-d674-471f-87f6-7b9537c9bb10&width=707.9874877929688&cache=v2)
BUFFER - FileBufferToImageBuffer
Sample used: bgview.exe
How the headers appear in memory
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F5cdeb497-35ab-4600-9c69-120b6e22c6d4%2FUntitled.png?table=block&id=33238aa0-7637-4060-8c2f-e00cb35fd06a&t=33238aa0-7637-4060-8c2f-e00cb35fd06a&width=707.9750366210938&cache=v2)
In memory the header region is laid out at file-alignment granularity
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F4c935ad4-1fa3-4023-b542-7ca6ce9e7bfe%2FUntitled.png?table=block&id=8cf3e801-fce6-4837-939a-0779f8860083&t=8cf3e801-fce6-4837-939a-0779f8860083&width=708&cache=v2)
We can see that SectionAlignment is 0x1000 and FileAlignment is 0x200; earlier we learned that SizeOfImage is a multiple of SectionAlignment.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Feae4a6e9-e0b8-4bee-86c3-82769df9bd79%2FUntitled.png?table=block&id=30aea9b2-e119-4a02-9a6e-f41ceae85e22&t=30aea9b2-e119-4a02-9a6e-f41ceae85e22&width=707.9750366210938&cache=v2)
Let us review the IMAGE_SECTION_HEADER structure here
The first 8 bytes are the section name; the next 4 bytes, 0x05DC68, are its size in memory (VirtualSize); the next 4 bytes, 0x1000, are its offset in memory (VirtualAddress); the following 4 bytes, 0x05DE00, are its size in the file (SizeOfRawData); and the next 4 bytes, 0x400, are its offset in the file (PointerToRawData)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fd4617541-1bc3-452e-b553-7020dc6d2ac4%2FUntitled.png?table=block&id=09c0ee78-0192-4781-9d22-8403950e29d5&t=09c0ee78-0192-4781-9d22-8403950e29d5&width=703&cache=v2)
In memory the data is laid out at file-alignment granularity, and the shortfall is padded with zeros
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F8eb8b4dc-88ca-44f2-a4b0-738ccfe38c4a%2FUntitled.png?table=block&id=23eb4ea7-cd4e-4038-b889-300ba7f43d2b&t=23eb4ea7-cd4e-4038-b889-300ba7f43d2b&width=707.9874877929688&cache=v2)
Implementing the buffer conversion
We want to implement the transformation FileBuffer -> ImageBuffer
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F9c51b763-8caf-481e-9f88-7d80df1435bb%2FUntitled.png?table=block&id=d405c0d4-957f-49c1-89a3-340f9e4af6d9&t=d405c0d4-957f-49c1-89a3-340f9e4af6d9&width=707.9750366210938&cache=v2)
RVA-FOA conversion
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ffc7fcda6-0286-4f99-9b99-f8744b7fcb3c%2FUntitled.png?table=block&id=f67e176a-ba5f-43b6-8a00-f80957b83ac6&t=f67e176a-ba5f-43b6-8a00-f80957b83ac6&width=707.9750366210938&cache=v2)
We want to implement the conversion from RVA (relative virtual address) to FOA (file offset address).
Main.c
Tool.c
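Both conversions from this part of the post, FileBuffer -> ImageBuffer and RVA -> FOA, as one added C example (my own code, not the post's Main.c/Tool.c). The section layout is a small constructed one, plus a second entry built from the bgview.exe .text header values quoted above (its SizeOfHeaders and SizeOfImage are my assumptions computed from those values). Struct and function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* The IMAGE_SECTION_HEADER fields the two conversions need (names are mine). */
struct section_hdr {
    const char *name;
    uint32_t virtual_size;        /* Misc.VirtualSize: bytes the section uses in memory */
    uint32_t virtual_address;     /* RVA of the section, a multiple of SectionAlignment */
    uint32_t size_of_raw_data;    /* bytes stored in the file, a multiple of FileAlignment */
    uint32_t pointer_to_raw_data; /* FOA of those bytes */
};

struct pe_layout {
    uint32_t section_alignment, file_alignment, size_of_headers, size_of_image;
    const struct section_hdr *sections;
    size_t n_sections;
};

static uint32_t align_up(uint32_t v, uint32_t a) { return a ? (v + a - 1) / a * a : v; }

/* Bytes a section occupies in memory: the larger of its two sizes rounded up
   to SectionAlignment; the loader zero-fills whatever the file does not supply. */
static uint32_t section_mem_size(const struct pe_layout *pe, const struct section_hdr *s)
{
    uint32_t n = s->virtual_size > s->size_of_raw_data ? s->virtual_size : s->size_of_raw_data;
    return align_up(n, pe->section_alignment);
}

/* RVA -> FOA. Headers map 1:1 because they are copied unchanged. Inside a
   section, FOA = PointerToRawData + (RVA - VirtualAddress). Returns -1 when
   the RVA has no bytes on disk: outside every section, or in the tail that
   exists in memory (VirtualSize) but not in the file (SizeOfRawData). */
long rva_to_foa(const struct pe_layout *pe, uint32_t rva)
{
    if (rva < pe->size_of_headers) return (long)rva;
    for (size_t i = 0; i < pe->n_sections; i++) {
        const struct section_hdr *s = &pe->sections[i];
        if (rva < s->virtual_address || rva - s->virtual_address >= section_mem_size(pe, s)) continue;
        uint32_t delta = rva - s->virtual_address;
        return delta < s->size_of_raw_data ? (long)(s->pointer_to_raw_data + delta) : -1;
    }
    return -1;
}

/* FileBuffer -> ImageBuffer: SizeOfImage zeroed bytes, the headers copied to
   offset 0, then each section's raw data copied to its VirtualAddress. Every
   range is checked against the file and image sizes first, because all of
   these numbers come from the file being parsed. The caller frees the result. */
uint8_t *file_to_image(const struct pe_layout *pe, const uint8_t *file, size_t file_len)
{
    if (pe->size_of_headers > file_len) return NULL;
    uint8_t *image = calloc(pe->size_of_image, 1);
    if (!image) return NULL;
    memcpy(image, file, pe->size_of_headers);
    for (size_t i = 0; i < pe->n_sections; i++) {
        const struct section_hdr *s = &pe->sections[i];
        uint32_t mem = section_mem_size(pe, s);
        uint32_t n = s->size_of_raw_data < mem ? s->size_of_raw_data : mem;  /* never past the section's memory range */
        if ((uint64_t)s->pointer_to_raw_data + n > file_len ||
            (uint64_t)s->virtual_address + n > pe->size_of_image) { free(image); return NULL; }
        memcpy(image + s->virtual_address, file + s->pointer_to_raw_data, n);
    }
    return image;
}

/* Constructed layout (not a real file): 0x200 bytes of headers, a .text whose
   raw data (0x400) exceeds its VirtualSize, and a .data whose VirtualSize
   (0x800) exceeds its raw data (0x200), like an uninitialized tail. */
static const struct section_hdr SAMPLE_SECTIONS[] = {
    { ".text", 0x300, 0x1000, 0x400, 0x200 },
    { ".data", 0x800, 0x2000, 0x200, 0x600 },
};
const struct pe_layout SAMPLE_PE = { 0x1000, 0x200, 0x200, 0x3000, SAMPLE_SECTIONS, 2 };

/* Builds the matching 0x800-byte FileBuffer ('H' headers, 'T' .text, 'D' .data),
   converts it, and returns the byte at `rva` in the ImageBuffer, or -1 if the
   conversion fails or the RVA lies outside the image. */
int sample_image_byte(uint32_t rva)
{
    uint8_t file[0x800];
    memset(file, 'H', 0x200); memset(file + 0x200, 'T', 0x400); memset(file + 0x600, 'D', 0x200);
    uint8_t *image = file_to_image(&SAMPLE_PE, file, sizeof file);
    int b = (image && rva < SAMPLE_PE.size_of_image) ? image[rva] : -1;
    free(image);
    return b;
}

/* The bgview.exe .text header quoted from the WinHex screenshot above:
   VirtualSize 0x05DC68, VirtualAddress 0x1000, SizeOfRawData 0x05DE00,
   PointerToRawData 0x400. SizeOfHeaders 0x400 and SizeOfImage 0x5F000 are my
   assumptions derived from those values, not read from the file. */
static const struct section_hdr BGVIEW_TEXT[] = { { ".text", 0x05DC68, 0x1000, 0x05DE00, 0x400 } };
const struct pe_layout BGVIEW_PE = { 0x1000, 0x200, 0x400, 0x5F000, BGVIEW_TEXT, 1 };
```

Two things worth noticing when comparing with the screenshots: the gap between SizeOfHeaders and the first section, and the zero-filled tail of .data, both exist only in the ImageBuffer, so an RVA that lands there (for example 0x2300 in the constructed layout) has no file offset at all, and a converter that silently returns one would point at unrelated bytes. For bgview.exe the mapping is simply FOA = RVA - 0x1000 + 0x400 inside .text.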
EXPORT
LIB
Why can we call strlen directly after including the header file?
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F444d45da-29be-4616-ab17-a0b13f96adfa%2FUntitled.png?table=block&id=cdc29abb-b059-4936-b41f-7e73db900c92&t=cdc29abb-b059-4936-b41f-7e73db900c92&width=590&cache=v2)
The reason is that once the header is included, the static link library is linked in when the project is built
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fa2697feb-ae02-41c3-b081-758480a2086c%2FUntitled.png?table=block&id=7ca9477f-c656-466f-b856-cec706849953&t=7ca9477f-c656-466f-b856-cec706849953&width=707.9750366210938&cache=v2)
DLL
A DLL is a dynamic-link library
Declaring exports
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F82add857-033a-4bc6-9fe1-5ef46ab435ac%2FUntitled.png?table=block&id=e157a6e2-9748-41e0-a727-01899f286378&t=e157a6e2-9748-41e0-a727-01899f286378&width=595&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fc2ff0324-0d2b-49e2-8e19-1fdfcd0b8afd%2FUntitled.png?table=block&id=b68f493f-af83-427e-939f-7a5275ebf1d1&t=b68f493f-af83-427e-939f-7a5275ebf1d1&width=707.9874877929688&cache=v2)
At this point, though, the program defaults to _cdecl, so whatever name you gave the function is exactly what appears in the export table
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F6abee62b-142c-48ec-858f-4e32b20340b3%2FUntitled.png?table=block&id=dd51d388-0848-45ec-9baf-3a5ff308977f&t=dd51d388-0848-45ec-9baf-3a5ff308977f&width=707.9874877929688&cache=v2)
We change it to _stdcall
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fd32b4945-2131-4e17-8cfb-30e7ba9b7597%2FUntitled.png?table=block&id=08d4b968-961c-4433-ba23-ca34175b47d8&t=08d4b968-961c-4433-ba23-ca34175b47d8&width=707.96875&cache=v2)
We find that the name has become _Add@8; the @8 at the end is the total size of the parameters in bytes
If we want to call the DLL we can do it like this
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F971a8ee3-87ef-434f-b4f1-a39bb21e0456%2FUntitled.png?table=block&id=8f819b8e-b77f-4c99-87a0-5510266c143a&t=8f819b8e-b77f-4c99-87a0-5510266c143a&width=707.9874877929688&cache=v2)
We can also write a module definition file ourselves
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F4d579eab-9d52-4eb1-bc98-d2e98fc821f8%2FUntitled.png?table=block&id=d771989d-a668-4e25-8d56-213ec8a52707&t=d771989d-a668-4e25-8d56-213ec8a52707&width=575&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fbf9c70ea-984d-449a-80ee-5f79e78cbdb1%2FUntitled.png?table=block&id=374bb6c4-9b1b-413a-9b05-80e0c3a7abd9&t=374bb6c4-9b1b-413a-9b05-80e0c3a7abd9&width=707.9750366210938&cache=v2)
IMAGE_EXPORT_DIRECTORY
The export table in a PE normally lives in a dynamic-link library file, although some EXEs have one as well. Its main purpose is to export the functions inside the PE to the outside so that others can use them, enabling code reuse. It also lets developers see at a glance how many usable functions a PE contains.
Locate the IMAGE_DATA_DIRECTORY DataDirectory array; its first entry is the export table
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F32b39a0b-8001-494d-9507-274fd51ff642%2FUntitled.png?table=block&id=d9257418-0a63-48b5-97e1-9d0e60191430&t=d9257418-0a63-48b5-97e1-9d0e60191430&width=707.9750366210938&cache=v2)
But this is an RVA, so we need to convert it to an FOA
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F1406abda-0c81-44b1-8924-5a972b90e8fc%2FUntitled.png?table=block&id=3fe00375-4356-482d-96ed-44a83840f74f&t=3fe00375-4356-482d-96ed-44a83840f74f&width=590&cache=v2)
Locating it in the file
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F4d0b1158-b6be-455b-8fbe-9a7c53299799%2FUntitled.png?table=block&id=520b35e7-e9f8-4012-933c-099f5616dcaa&t=520b35e7-e9f8-4012-933c-099f5616dcaa&width=707.9874877929688&cache=v2)
Parsing each part
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F076a6cdd-fdf1-4626-bc5b-48238e1334ce%2FUntitled.png?table=block&id=5d4e484b-58b4-4d84-903a-d1e0813ab522&t=5d4e484b-58b4-4d84-903a-d1e0813ab522&width=707.9625244140625&cache=v2)
There are many RVAs in here, so when reading the table later we need to convert them
Reading IMAGE_EXPORT_DIRECTORY
Import
IMAGE_IMPORT_DESCRIPTOR
Reading IMAGE_IMPORT_DESCRIPTOR
RELOCATION
IMAGE_BASE_RELOCATION
RepairRelocation
Reading IMAGE_BASE_RELOCATION
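An added example of the lookup the export directory supports (my code, not the post's): once the three arrays have been converted from RVA to FOA, resolving a name goes name -> index in AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions, while resolving an ordinal subtracts Base first. The export table here is constructed for an imaginary DLL exporting Add, Sub and Mul; struct and function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The three parallel tables of IMAGE_EXPORT_DIRECTORY, already located in
   the file. In the real structure every Address* field is an RVA that has to
   go through RVA->FOA first; that step is assumed done before this point. */
struct export_table {
    uint32_t base;                 /* Base: the ordinal of functions[0] */
    uint32_t number_of_functions;  /* NumberOfFunctions: length of functions[] */
    uint32_t number_of_names;      /* NumberOfNames: length of names[] and name_ordinals[] */
    const uint32_t *functions;     /* AddressOfFunctions: RVA of each export, 0 = unused slot */
    const char *const *names;      /* AddressOfNames: RVAs of ASCII names, resolved to strings here */
    const uint16_t *name_ordinals; /* AddressOfNameOrdinals: index into functions[], NOT the ordinal */
};

/* Ordinal -> export RVA. Ordinals are biased by Base, so the array index is
   ordinal - Base. Returns 0 when the ordinal is out of range or the slot is empty. */
uint32_t export_rva_by_ordinal(const struct export_table *t, uint32_t ordinal)
{
    if (ordinal < t->base || ordinal - t->base >= t->number_of_functions) return 0;
    return t->functions[ordinal - t->base];
}

/* Name -> export RVA: find the name's position i in names[], read
   name_ordinals[i], and use that as the index into functions[]. The real
   names array is sorted so the loader can binary-search it; a linear scan is
   enough to show the indirection and does not trust the file to be sorted. */
uint32_t export_rva_by_name(const struct export_table *t, const char *name)
{
    for (uint32_t i = 0; i < t->number_of_names; i++) {
        if (strcmp(t->names[i], name) != 0) continue;
        uint16_t idx = t->name_ordinals[i];
        if (idx >= t->number_of_functions) return 0;   /* malformed table: index out of bounds */
        return t->functions[idx];
    }
    return 0;
}

/* Ordinal of a named export, as a viewer such as PETools displays it (index + Base). */
uint32_t export_ordinal_by_name(const struct export_table *t, const char *name)
{
    for (uint32_t i = 0; i < t->number_of_names; i++)
        if (strcmp(t->names[i], name) == 0) return t->base + t->name_ordinals[i];
    return 0;
}

/* Constructed sample resembling a small DLL that exports Add, Sub and Mul.
   Slot 2 (ordinal 3) is empty: the DLL has more ordinals than names. */
static const uint32_t SAMPLE_FUNCTIONS[]     = { 0x1010, 0x1020, 0x0000, 0x1040 };
static const char *const SAMPLE_NAMES[]       = { "Add", "Mul", "Sub" };   /* sorted, like a real table */
static const uint16_t SAMPLE_NAME_ORDINALS[] = { 0, 3, 1 };                /* Add->[0], Mul->[3], Sub->[1] */
const struct export_table SAMPLE_EXPORTS = { 1, 4, 3, SAMPLE_FUNCTIONS, SAMPLE_NAMES, SAMPLE_NAME_ORDINALS };

int main(void)
{
    printf("Add -> RVA 0x%X (ordinal %u)\n", export_rva_by_name(&SAMPLE_EXPORTS, "Add"),
           export_ordinal_by_name(&SAMPLE_EXPORTS, "Add"));
    printf("ordinal 4 -> RVA 0x%X\n", export_rva_by_ordinal(&SAMPLE_EXPORTS, 4));
    printf("ordinal 3 -> RVA 0x%X (empty slot)\n", export_rva_by_ordinal(&SAMPLE_EXPORTS, 3));
    return 0;
}
```

The detail that trips up most first attempts is the AddressOfNameOrdinals array: its values are already zero-based indexes into AddressOfFunctions, so Base is added only when displaying an ordinal, never when indexing. The RVAs these functions return still have to go through RVA -> FOA before you read the function bytes from the file.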
- Author: 5m10v3
- URL: https://5m10v3.top/article/9dcee71d-1e23-4132-89f5-7a153f9dbcfd
- Copyright: All articles in this blog, except for special statements, adopt the BY-NC-SA agreement. Please indicate the source!