
the PE Format: Standard File & Memory layouts
Ange Albertini 2010
Creative Commons Attribution - cc by
http://code.google.com/p/corkami/source/browse/trunk/misc/graphs/pe-layout.svg

[figure: side-by-side drawing of the file on disk (physical addresses) and the loaded image (virtual addresses); the recoverable content is listed below]

Legend: offset = PointerToRawData; PSize = SizeOfRawData; address = VirtualAddress; VSize = VirtualSize

Header (MZ header, PE header, section table)
  file:   offset 0, SizeOfHeaders bytes, rounded up to FileAlignment
  memory: ImageBase, SizeOfHeaders bytes, rounded up to SectionAlignment

Section .text (code, e.g. "push ebp"; EntryPoint points into it)
  file:   Section[0].Offset, Section[0].PSize bytes, rounded up to FileAlignment
  memory: Section[0].Address = BaseOfCode, Section[0].VSize bytes (SizeOfCode), rounded up to SectionAlignment

Section .data (data, e.g. "i dd 0")
  file:   Section[1].Offset, Section[1].PSize bytes, rounded up to FileAlignment
  memory: Section[1].Address = BaseOfData, Section[1].VSize bytes (SizeOfData), rounded up to SectionAlignment

Section .idata (imports: the import table on file, e.g. "__imp__MessageBox_: dd aMessageBox"; the resolved imports in memory)
  file:   Section[2].Offset, Section[2].PSize bytes, rounded up to FileAlignment
  memory: Section[2].Address, Section[2].VSize bytes, rounded up to SectionAlignment

Appended data
  file:   after the last section, up to filesize
  memory: not mapped

End of image
  file:   filesize
  memory: ImageBase + SizeOfImage

Above the image in memory (not in the file): libraries, system libraries, stack, environment
the PE Format (1/2): the PE Headers
http://corkami.googlecode.com/files/pe-headers.pdf

[figure: the header structures drawn in file order; colour legend in the original: Critical / standard / minor-ignored fields; value annotations: relative offset, offset, RVA]

IMAGE_DOS_HEADER (file offset 0)
  0x00 dw e_magic        "MZ"
  0x02 dw e_cblp
  0x04 dw e_cp           exe size
  0x06 dw e_crlc
  0x08 dw e_cparhdr      exe start
  0x0a dw e_minalloc
  0x0c dw e_maxalloc
  0x0e dw e_ss
  0x10 dw e_sp
  0x12 dw e_csum
  0x14 dw e_ip
  0x16 dw e_cs
  0x18 dw e_lfarlc
  0x1a dw e_ovno
  0x1c dw e_res[4]
  0x24 dw e_oemid
  0x26 dw e_oeminfo
  0x28 dw e_res2[10]
  0x3c dd e_lfanew       relative offset of IMAGE_NT_HEADERS

IMAGE_NT_HEADERS[32/64] (at e_lfanew)
  0x00 dd Signature      "PE",0,0
  0x04    FileHeader     IMAGE_FILE_HEADER
  0x18    OptionalHeader IMAGE_OPTIONAL_HEADER[32/64]

IMAGE_FILE_HEADER
  0x00 dw Machine               0x014c / 0x8664 [64b]
  0x02 dw NumberOfSections
  0x04 dd TimeDateStamp
  0x08 dd PointerToSymbolTable
  0x0c dd NumberOfSymbols
  0x10 dw SizeOfOptionalHeader
  0x12 dw Characteristics       exe/dll, relocs

IMAGE_OPTIONAL_HEADER[32/64] (SizeOfOptionalHeader bytes)
  0x00 dw Magic                        0x10b / 0x20b [64b]
  0x02 db MajorLinkerVersion
  0x03 db MinorLinkerVersion
  0x04 dd SizeOfCode
  0x08 dd SizeOfInitializedData
  0x0c dd SizeOfUninitializedData
  0x10 dd AddressOfEntryPoint
  0x14 dd BaseOfCode
  0x18 dd BaseOfData                   32b only
  0x1c dd ImageBase                    dq [64b]
  0x20 dd SectionAlignment             2^y, y >= x
  0x24 dd FileAlignment                2^x
  0x28 dw MajorOperatingSystemVersion  =4
  0x2a dw MinorOperatingSystemVersion
  0x2c dw MajorImageVersion
  0x2e dw MinorImageVersion
  0x30 dw MajorSubsystemVersion
  0x32 dw MinorSubsystemVersion
  0x34 dd Win32VersionValue
  0x38 dd SizeOfImage
  0x3c dd SizeOfHeaders
  0x40 dd CheckSum                     drivers only
  0x44 dw Subsystem                    driver/gui/cli
  0x46 dw DllCharacteristics
  0x48 dd SizeOfStackReserve           dq [64b]
  0x4c dd SizeOfStackCommit            dq [64b]
  0x50 dd SizeOfHeapReserve            dq [64b]
  0x54 dd SizeOfHeapCommit             dq [64b]
  0x58 dd LoaderFlags
  0x5c dd NumberOfRvaAndSizes          <= 16
  0x60    DataDirectory                NumberOfRvaAndSizes entries of IMAGE_DATA_DIRECTORY

IMAGE_DATA_DIRECTORY (Data Directories list)
  0x00 dd VirtualAddress
  0x04 dd Size

IMAGE_SECTION_HEADER (Section Table: NumberOfSections entries, following the optional header)
  0x00 db Name[8]
  0x08 dd PhysicalAddress | VirtualSize
  0x0c dd VirtualAddress
  0x10 dd SizeOfRawData
  0x14 dd PointerToRawData
  0x18 dd PointerToRelocations
  0x1c dd PointerToLinenumbers
  0x20 dw NumberOfRelocations
  0x22 dw NumberOfLinenumbers
  0x24 dd Characteristics    RWX
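The two graphs above (file/memory layout, and the header structures) describe exactly the walk a loader or a triage tool performs: MZ header, e_lfanew, PE signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER (with the 32/64-bit field shifts), DataDirectory, then the section table, from which an RVA is mapped back to a file offset. The following Python is an added example written for this page, not code from Ange Albertini or the corkami project. The sample image is constructed inline with struct and is not a real binary; the dictionary key names, the function names and the sanity checks in check_layout are this example's own choices, drawn from the constraints the graphs annotate (alignments as powers of two with SectionAlignment >= FileAlignment, NumberOfRvaAndSizes <= 16, sections inside the file and inside SizeOfImage).

```python
"""Walk the PE headers laid out on this page: IMAGE_DOS_HEADER -> e_lfanew ->
IMAGE_NT_HEADERS (FileHeader, OptionalHeader, DataDirectory) -> section table,
then map an RVA to a file offset with the section table.  Added example; the
sample image below is constructed and is not a real binary."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 0x28 bytes


def parse_pe(data):
    """Parse the headers of a PE32 or PE32+ image held in memory as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 0x1A > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    fh = e_lfanew + 4                                            # IMAGE_FILE_HEADER
    machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 0x14                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic == PE32_MAGIC:        # BaseOfData present, ImageBase is a dd at 0x1c
        size_of_code, entry, base_of_code, _bod, image_base, sec_align, file_align = \
            struct.unpack_from("<I8xIIIIII", data, oh + 4)
        dirs_off = oh + 0x60
    elif magic == PE32PLUS_MAGIC:  # no BaseOfData, ImageBase is a dq at 0x18
        size_of_code, entry, base_of_code, image_base, sec_align, file_align = \
            struct.unpack_from("<I8xIIQII", data, oh + 4)
        dirs_off = oh + 0x70       # stack/heap sizes are dq, so DataDirectory moves
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if dirs_off > len(data):
        raise ValueError("optional header truncated")
    size_of_image, size_of_headers = struct.unpack_from("<II", data, oh + 0x38)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    sec_off = oh + opt_size                                      # section table follows
    if sec_off + 0x28 * nsec > len(data) or dirs_off + 8 * min(num_dirs, 16) > len(data):
        raise ValueError("headers run past end of file")
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(num_dirs, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = \
            struct.unpack_from(SECTION_HEADER, data, sec_off + 0x28 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "size_of_raw_data": rawsize, "pointer_to_raw_data": rawptr,
                         "characteristics": sc})
    return {"machine": machine, "characteristics": chars, "magic": magic,
            "size_of_code": size_of_code, "entry_point": entry, "base_of_code": base_of_code,
            "image_base": image_base, "section_alignment": sec_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "number_of_rva_and_sizes": num_dirs, "data_directories": dirs, "sections": sections}


def rva_to_offset(pe, rva):
    """File offset for an RVA, or None when neither the headers nor a section
    covers it (the file-vs-memory relation drawn in the layout graph)."""
    if rva < pe["size_of_headers"]:
        return rva                       # headers are mapped at ImageBase unchanged
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["size_of_raw_data"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["pointer_to_raw_data"]
    return None


def check_layout(pe, file_size):
    """Sanity checks on the fields the graphs annotate; returns a list of findings."""
    findings = []
    fa, sa = pe["file_alignment"], pe["section_alignment"]
    if fa & (fa - 1) or sa & (sa - 1) or sa < fa:      # 2^x and 2^y with y >= x
        findings.append("alignments are not powers of two with SectionAlignment >= FileAlignment")
    if pe["number_of_rva_and_sizes"] > 16:
        findings.append("NumberOfRvaAndSizes exceeds 16")
    for s in pe["sections"]:
        if s["pointer_to_raw_data"] + s["size_of_raw_data"] > file_size:
            findings.append("section %s raw data runs past end of file" % s["name"])
        if s["virtual_address"] + s["virtual_size"] > pe["size_of_image"]:
            findings.append("section %s lies outside SizeOfImage" % s["name"])
    return findings


def build_sample_pe32():
    """Constructed two-section PE32: .text holds 'push ebp', .data holds a dd 0."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0,
                          0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                          4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 2, 0,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(16 * 8)
    secs = struct.pack(SECTION_HEADER, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HEADER, b".data", 0x4, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + secs).ljust(0x200, b"\0")
    text = b"\x55".ljust(0x200, b"\0")                  # push ebp at the entry point
    data = struct.pack("<I", 0).ljust(0x200, b"\0")     # i dd 0
    return headers + text + data


SAMPLE = build_sample_pe32()

if __name__ == "__main__":
    pe = parse_pe(SAMPLE)
    for s in pe["sections"]:
        print("%-8s VA %#06x VSize %#06x raw %#06x at %#06x" % (s["name"], s["virtual_address"],
              s["virtual_size"], s["size_of_raw_data"], s["pointer_to_raw_data"]))
    print("entry point RVA %#x is at file offset %#x" % (pe["entry_point"], rva_to_offset(pe, pe["entry_point"])))
    print("findings:", check_layout(pe, len(SAMPLE)))
```

rva_to_offset uses the larger of VirtualSize and SizeOfRawData as the mapped span, since the graph shows both sizes rounded up to their alignment and the loader maps whole pages; check_layout is where a file with SizeOfRawData running past the end of the file, or a NumberOfRvaAndSizes larger than 16, becomes visible before any data directory is trusted.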
the PE Format: Data Directories 1/2
http://corkami.blogspot.com

[figure: the data directory list with the export and import structures drawn beside it]

DATA DIRECTORIES
  1 IMAGE_DIRECTORY_ENTRY_EXPORT          -> IMAGE_EXPORT_DIRECTORY
  2 IMAGE_DIRECTORY_ENTRY_IMPORT          -> IMAGE_IMPORT_DESCRIPTOR array
  3 IMAGE_DIRECTORY_ENTRY_RESOURCE
  4 IMAGE_DIRECTORY_ENTRY_SECURITY
  5 IMAGE_DIRECTORY_ENTRY_EXCEPTION
  6 IMAGE_DIRECTORY_ENTRY_BASERELOC
  7 IMAGE_DIRECTORY_ENTRY_DEBUG
  8 IMAGE_DIRECTORY_ENTRY_COPYRIGHT
  9 IMAGE_DIRECTORY_ENTRY_GLOBALPTR
  A IMAGE_DIRECTORY_ENTRY_TLS
  B IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  C IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
  D IMAGE_DIRECTORY_ENTRY_IAT
  E IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
  F IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

IMAGE_EXPORT_DIRECTORY
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dd Name                    -> "MyLib.dll"
  10 dd Base
  14 dd NumberOfFunctions
  18 dd NumberOfNames
  1c dd AddressOfFunctions      -> Export Table: array of dd Function (e.g. 401020: MyFunction (ord:01))
  20 dd AddressOfNames          -> array of dd Name
  24 dd AddressOfNameOrdinals   -> array of dd NameOrdinal

IMAGE_IMPORT_DESCRIPTOR (array, terminated by dd 0,0,0,0,0)
  00    OriginalFirstThunk/Characteristics  -> IMAGE_THUNK_DATA array (on file)
  04 dd TimeDateStamp
  08 dd ForwarderChain
  0c dd Name                                -> "Kernel32.dll"
  10    FirstThunk                          -> IMAGE_THUNK_DATA array (the IAT, after loading)

IMAGE_THUNK_DATA (array, terminated by dd 0)
  00 dd AddressOfData / Ordinal / ForwarderString / Function
     on file:       AddressOfData -> IMAGE_IMPORT_BY_NAME
     after loading: Function, e.g. 7C81127A Kernel32.dll!GetVersion (hint:4)

IMAGE_IMPORT_BY_NAME
  00 dw Hint
  02 db Name[1]
the PE Format: Data Directories 2/2
http://corkami.blogspot.com

[figure: the same data directory list (1 IMAGE_DIRECTORY_ENTRY_EXPORT ... F IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) with the resource, relocation, debug, TLS and delay-import structures drawn beside it]

IMAGE_RESOURCE_DIRECTORY (a tree of directories: ROOT -> TYPE -> OBJECT, each level with the same layout)
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dw NumberOfNamedEntries
  0e dw NumberOfIdEntries
  followed by the IMAGE_RESOURCE_DIRECTORY_ENTRY array (NumberOfNamedEntries + NumberOfIdEntries entries):
    00 dd Name
    04 dd OffsetToData     -> the next-level IMAGE_RESOURCE_DIRECTORY

IMAGE_BASE_RELOCATION (blocks repeated until DIRECTORY.SIZE is consumed)
  00 dd VirtualAddress
  04 dd SizeOfBlock
  08 dw TypeOffset[]       entries up to SizeOfBlock
  example: a block of code "PUSH EBP / PUSH offset szMyString" where the absolute operand pointing at DATA needs a fixup

IMAGE_DEBUG_DIRECTORY
  00 dd Characteristics
  04 dd TimeDateStamp
  08 dw MajorVersion
  0a dw MinorVersion
  0c dd Type
  10 dd SizeOfData
  14 dd AddressOfRawData
  18 dd PointerToRawData

IMAGE_TLS_DIRECTORY
  00 dd StartAddressOfRawData
  04 dd EndAddressOfRawData
  08 LPDWORD AddressOfIndex
  0c    AddressOfCallBacks   -> array of dd Callback (VA), terminated by dd 0
  10 dd SizeOfZeroFill
  14 dd Characteristics

IMAGE_DELAY_IMPORT_DESCRIPTOR
  00 dd grAttrs
  04 dd szName
  08 dd phmod
  0c dd pIAT
  10 dd pINT
  14 dd pBoundIAT
  18 dd pUnloadIAT
  1c dd dwTimeStamp
