In summary, the code corresponding to the "DOS information part" is:
Code
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 4D 5A 00 5B D5 E2 C0 EF B6 BC C3 BB D3 C3 2C 2C  MZ.[..........,,
00000010 B1 C8 C8 E7 CE D2 D0 B4 3A CE D2 D2 B2 D6 BB 2C  ........:......,
00000020 CA C7 D2 BB B0 E3 CB A7 2C B2 BB CA C7 CC D8 2C  ........,......,
00000030 B1 F0 CB A7 B5 C0 B2 5D 00 00 00 00 40 00 00 00  .......]....@...
(the bytes between "MZ" and offset 3Ch are unused; the author filled them with a short Chinese joke, roughly "nothing useful here, so for example I write: I am just an ordinary handsome guy, nothing special")
It can be seen that the last 4 bytes, 40 00 00 00, form the value 00000040h (from here on, an "h" written directly after a value means it is hexadecimal). This field is a pointer to the end of the DOS part, i.e. the file offset at which the next part begins. That is all the "DOS part" has to give us.
Next comes the "PE information part"; its structure can be represented by the following figure:
Quote
[PE signature]                            [0x04]   <== PE information part
[PE file header]                          [0x18]
[custom data structure (optional header)] [0xE0]
The "PE information part" structure looks like this:
Code
typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;      // the "PE signature" part, always "PE\0\0"
    IMAGE_FILE_HEADER     FileHeader;     // the "PE file header" part, an IMAGE_FILE_HEADER structure
    IMAGE_OPTIONAL_HEADER OptionalHeader; // the "custom data" part, an IMAGE_OPTIONAL_HEADER structure
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
The IMAGE_FILE_HEADER structure (PE file header) and the IMAGE_OPTIONAL_HEADER structure are as follows:
Code
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // target platform; for the 386 it is 014Ch
    WORD  NumberOfSections;     // number of sections in the file; ours is 2
    DWORD TimeDateStamp;        // creation time, anything goes (to make generation easy it is best set to 0)
    DWORD PointerToSymbolTable; // these two are used for debugging, also set to 0
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader; // length of the IMAGE_OPTIONAL_HEADER structure, normally 00E0h
                                // (including 16 IMAGE_DATA_DIRECTORY structures); we only need 2, so set 0070h
    WORD  Characteristics;      // file attributes; an EXE is 010Fh, a DLL is 210h
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
IMAGE_FILE_HEADER describes the basic running information of the PE file, but this short structure alone does not meet our needs. Microsoft's design is quite thorough here: a longer structure (the OptionalHeader) follows it to supply the additional information.
The OptionalHeader structure (custom data structure) is defined as follows:
Code
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                       // for an EXE file this is 10Bh
    BYTE  MajorLinkerVersion;          // linker version, anything
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;                  // total size of all code sections; we have one section, so 512, i.e. 200h
    DWORD SizeOfInitializedData;       // .... of the initialized data sections ... none, set to 0
    DWORD SizeOfUninitializedData;     // .... of the uninitialized data sections ... likewise 0
    DWORD AddressOfEntryPoint;         // address where code execution starts; note, this is where your code lives [see note 1]
    DWORD BaseOfCode;                  // code segment ... (all of these are memory addresses, not file addresses), 0 here
    DWORD BaseOfData;                  // data segment ... also 0 here
    DWORD ImageBase;                   // preferred load address, usually 00400000h (on 9x it may be slightly lower, I can't recall .. :( )
    DWORD SectionAlignment;            // alignment in memory, generally 1000h, one NT memory page, 4 KB
    DWORD FileAlignment;               // alignment in the file; set to the smallest, 200h, compatible with every system
    WORD  MajorOperatingSystemVersion; // the following are version numbers, set as you like
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;       // must be set to 04h
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;           // unused
    DWORD SizeOfImage;                 // memory occupied by the PE file; we set 3000h
    DWORD SizeOfHeaders;               // size of the PE headers (including the section table); 200h here
    DWORD CheckSum;                    // checksum (I don't know how it is computed; in PE files it is almost always 0, maybe it matters elsewhere, e.g. debugging?)
    WORD  Subsystem;                   // the file's subsystem; for the meaning of subsystems see the NT kernel; set 02 or 03 (window or console subsystem)
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;          // the following four are the stack and heap settings, basically anything, but set enough to be usable (not 0!)
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;                 // unused
    DWORD NumberOfRvaAndSizes;         // number of IMAGE_DATA_DIRECTORY entries that follow; originally 16, minimum 2
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
With the IMAGE_OPTIONAL_HEADER structure, the purpose of the PE file and the resources it contains can be seen at a glance.
The IMAGE_DATA_DIRECTORY structure is as follows. A PE file contains many kinds of data, such as exported and imported functions, resources, relocations, debug information, copyright information and so on; there can be up to 16 of these structures, and they are used to locate that data:
Code
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // load position of the data (address relative to the image base)
    DWORD Size;           // length of the data
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
The IMAGE_DATA_DIRECTORY structure gives the load position and length of each of your data types. Note that this structure is different from the section table below. The two may point to the same address, but IMAGE_DATA_DIRECTORY distinguishes strictly by data type, while the section table only groups data by section. In a normal EXE each type is usually stored separately, i.e. data of the same kind is put together in the same section, so the IMAGE_DATA_DIRECTORY entry and the section it points into often share the same address. This example is different: a hand-written PE must be as small as possible, so I put the data of several tables in one section. There is only one section table entry, and the IMAGE_DATA_DIRECTORY entries point to the correct address of each data type inside that mixed data, which is how they differ from the section table.
In summary, the code corresponding to the "PE information part" is:
Code
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000040 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00  PE..L...........
00000050 00 00 00 00 70 00 0F 01 0B 01 00 00 00 02 00 00  ....p...........
00000060 00 00 00 00 00 00 00 00 79 01 00 00 00 00 00 00  ........y.......
00000070 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
00000080 (version fields, MajorSubsystemVersion 04h; bytes not legible in the source)
00000090 (SizeOfImage 3000h, SizeOfHeaders 200h, CheckSum, Subsystem; bytes not legible in the source)
000000A0 00 01 00 00 00 00 00 00 00 01 00 00 00 10 00 00  ................
000000B0 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0 28 11 00 00 28 00 00 00 00 00 00 00 00 00 00 00  (...(...........
Most of this has already been explained. Look at "28 11 00 00 28 00 00 00" at address 000000C0h: this is the second IMAGE_DATA_DIRECTORY structure, i.e. the import table. "28 11 00 00" is its address and "28 00 00 00" is its length, nothing more. But why is the address 00001128h? Set that question aside for now [see note 2]. The last thing to introduce is the "data part":
Quote
[section table]   [0x24 * (n+1)]   <== PE data part
[section data]    [as needed]
The IMAGE_SECTION_HEADER (section table entry) is as follows:
Code
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // 8 bytes for the name of this section, e.g. the familiar ".text", ".data", ".code";
                                         // to make filling in later easier I leave it blank (00000000h); it really is arbitrary,
                                         // you could define ".zvrop" just as well
    union {
        DWORD PhysicalAddress;           // a union giving the size of the section; our whole PE file is one section, so 200h
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;                // position in memory (offset relative to the load address); more on this below [see note 3]
    DWORD SizeOfRawData;                 // size in the file; unlike the union above, this is the size on disk; we set 200h
    DWORD PointerToRawData;              // where this section starts in the file, relative to the file start; can be anything here,
                                         // but the code pointers later must follow it; we set 100h
    DWORD PointerToRelocations;          // the following four are parameters for the linker, anything
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;               // section attributes (a table of flags; omitted for space, PM me for it);
                                         // a typical code section is 60000020h (40000000h | 20000000h | 00000020h), i.e. an
                                         // executable, readable code section; we set 60000060h because ours holds both data and code
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
As you can see, the number of this structure is not fixed: however many sections you have below, you need that many IMAGE_SECTION_HEADER structures plus 1, because the system requires an all-zero IMAGE_SECTION_HEADER structure to mark the end.
In addition, XP requires at least two IMAGE_SECTION_HEADER structures, otherwise it reports that the file is not a valid Win32 application (that familiar prompt; I had no idea about this when I finished the file, and it was sickening!). 2K does not have this restriction (this comes from WaterCloud's research; I did not have much time to dig into it ...).
Below is the actual "section data" content (for our file, "the entire PE file is one section"). That is roughly the whole structure of a PE file.
In summary, the code corresponding to the "data part" is:
Code
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000C0 28 11 00 00 28 00 00 00 00 00 00 00 00 00 00 00  (...(...........
000000D0 00 02 00 00 00 10 00 00 00 02 00 00 00 01 00 00  ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60  ............`..`
000000F0 00 00 00 00 00 00 00 00 02 00 00 00 00 20 00 00  ............. ..
00000100 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000110 (bytes not legible in the source)                 [this is the jmp s1]
After this big detour, back to the topic .... (T_T ...., I did not think the problem through, so everyone has had to put up with it ..). Remember the data types listed above? The most important one is the import table. Our URLDownloadToFile has been sitting on the bench all this time ....... and this import table is tailored for it. Our purpose is to let the PE file execute the function URLDownloadToFile, so naturally we add URLDownloadToFile to the import table.
Before defining the import table I have to talk about how Windows modifies the IAT (Import Address Table) when it loads an executable. We know that the address of each system function in memory differs between systems (at least 2K, XP and 2003 are basically all different), which is why so much time goes into calculating addresses when writing shellcode. So when we compile an EXE it is impossible to fix the address of a function in advance. To execute the function you must find its entry address, and the loader "fills in the blank" with this address when it loads the PE file. This dynamic completion of function addresses is the origin of "dynamic linking".
Now I will simulate the steps the system takes when it loads the PE file and supplies the function address. First, here is the import table in our PE file:
Code
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000120 58 11 00 00 00 00 00 00 50 11 00 00 00 00 00 00  X.......P.......
00000130 00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 00  ....n... .......
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000150 58 11 00 00 00 00 00 00 31 00 55 52 4C 44 6F 77  X.......1.URLDow
00000160 (rest of "URLDownloadToFile", then "Urlmon.dll" at 0000016Eh; bytes not legible in the source)
It can be seen that this table is divided into four parts. The two equal-length blocks of 0x14 bytes are the IMAGE_IMPORT_DESCRIPTOR structures of the import table, defined as follows:
Code
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk; // pointer to a "pointer to a function-list structure"
    };
    DWORD TimeDateStamp;          // can be treated as unused for now, 0
    DWORD ForwarderChain;         // can be treated as unused for now, 0
    DWORD Name;                   // points to a DLL name; the functions in this structure must belong to that DLL
    DWORD FirstThunk;             // points to an IAT table; this is what the operating system finally modifies
} IMAGE_IMPORT_DESCRIPTOR;
Note that there must also be N+1 of this structure. Since we only need one function, "URLDownloadToFile", we have just one descriptor; the second one is all zeros and marks the end.
The "function-list pointer structure" is the IMAGE_THUNK_DATA32 structure:
Code
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        PBYTE  ForwarderString;
        PDWORD Function;
        DWORD  Ordinal;
        DWORD  AddressOfData; // points to an IMAGE_IMPORT_BY_NAME (hint + function name)
    } u1;
} IMAGE_THUNK_DATA32;
It holds only a single double-word value. If it is 1xxxxxxxh, the function is imported by ordinal and the ordinal is the remaining 7 digits; if it is 0xxxxxxxh, the remaining 7 digits after the 0 are the virtual address of the function's name.
I will not explain what ordinal import and name import are; that involves the concept of the export table, which this article does not need.
Suppose I am the Windows PE loader. From the PE file format I have determined that the import table is at address 00000128h. My goal now is to replace the address "58 11 00 00" with the correct function address. (Note: the "58 11 00 00" at 00000150h is a pointer to the position of the "URLDownloadToFile" string for the system; that one does not change. What changes is the "58 11 00 00" at 00000120h; in fact the value at 00000120h can be set to anything.)
I start locating:
Code
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000120 .. .. .. .. .. .. .. .. 50 11 00 00 00 00 00 00          P.......
00000130 00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 00  ....n... .......
I find that the function-list pointer is "50 11 00 00" and the associated DLL is "6E 11 00 00". So I go to that position in the PE file (the relative position in memory) and find that the IMAGE_THUNK_DATA32 value at "50 11 00 00" is "58 11 00 00". This value does not start with 1, so I use it as an address and look it up: the content it points to is "31 00 URLDownloadToFile". Stripping the two leading hint bytes gives the name of the function. Next, at the position "6E 11 00 00" I find "Urlmon.dll". Using LoadLibrary() and GetProcAddress() I find the location of "URLDownloadToFile" in memory, say "XX XX XX XX", and write "XX XX XX XX" into the position that "20 11 00 00" points to ... done. Now everyone will understand: where the address of URLDownloadToFile is stored is determined by "50 11 00 00" (more precisely, by the position pointed to by the pointer at "50 11 00 00", which determines the DLL the function lives in).
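As an added example (not code from the original post), the following Python walks an import table in exactly the loader's order described above: MZ signature, e_lfanew, "PE\0\0", IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, DataDirectory[1], IMAGE_IMPORT_DESCRIPTOR, IMAGE_THUNK_DATA32, IMAGE_IMPORT_BY_NAME. It runs on a constructed in-memory PE laid out like the one in this article (MZ stub, e_lfanew = 40h, one section at RVA 1000h with IAT, descriptors, INT and name strings inside it) and ends with a defender's triage check for the download API. It also covers two points the article only mentions: an import-by-ordinal thunk (1xxxxxxxh) and the RVA-to-file-offset translation through the section table (in this sample PointerToRawData is 100h, so file offset and RVA differ by F00h). The function names build_sample_pe, parse_imports, flag_downloader_imports, the hint value 31h, the ordinal 5 and the byte layout are assumptions for the example; URLDownloadToFileA is the ANSI export name of the function in urlmon.dll.

```python
"""Walk a PE32 import table the way the loader does (added example, constructed sample)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_ORDINAL_FLAG32 = 0x80000000     # thunk value 1xxxxxxxh => import by ordinal
IMAGE_DIRECTORY_ENTRY_IMPORT = 1      # the second IMAGE_DATA_DIRECTORY entry
IMAGE_SIZEOF_SECTION_HEADER = 0x28
IMAGE_SIZEOF_IMPORT_DESCRIPTOR = 0x14
DOWNLOADER_APIS = ("URLDownloadToFileA", "URLDownloadToFileW")


def _u32(data, off):
    """Bounds-checked DWORD read: a hostile header must not index past the end of the file."""
    if off < 0 or off + 4 > len(data):
        raise ValueError(f"read at {off:#x} runs past end of file ({len(data):#x} bytes)")
    return struct.unpack_from("<I", data, off)[0]


def _cstring(data, off, limit=256):
    end = data.find(b"\0", off, off + limit)
    if end < 0:
        raise ValueError(f"unterminated string at {off:#x}")
    return data[off:end].decode("ascii", errors="replace")


def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table (VirtualAddress vs PointerToRawData)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_imports(data):
    """Return {dll_name: [function_name | ('ordinal', n), ...]} for a PE32 image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(data, 0x3C)                                  # pointer to the PE part
    if _u32(data, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4                                            # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]        # SizeOfOptionalHeader
    opt = fh + 20                                                # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (magic 10Bh) is handled here")
    num_rva = _u32(data, opt + 0x5C)                             # NumberOfRvaAndSizes
    sect_off = opt + opt_size                                    # section table follows the optional header
    if sect_off + nsections * IMAGE_SIZEOF_SECTION_HEADER > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_off + i * IMAGE_SIZEOF_SECTION_HEADER)
        sections.append((va, vsize, raw_ptr, raw_size))
    if num_rva <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}                                                # no import directory present
    imp_rva = _u32(data, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return {}
    imports = {}
    desc = rva_to_offset(sections, imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = (_u32(data, desc + 4 * k) for k in range(5))
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                                # the all-zero (N+1)th descriptor ends the list
        thunk = rva_to_offset(sections, oft or ft)               # walk the INT; fall back to the IAT if OriginalFirstThunk is 0
        funcs = []
        while (val := _u32(data, thunk)) != 0:
            if val & IMAGE_ORDINAL_FLAG32:
                funcs.append(("ordinal", val & 0xFFFF))
            else:
                funcs.append(_cstring(data, rva_to_offset(sections, val) + 2))  # skip the 2-byte hint
            thunk += 4
        imports[_cstring(data, rva_to_offset(sections, name_rva))] = funcs
        desc += IMAGE_SIZEOF_IMPORT_DESCRIPTOR
    return imports


def flag_downloader_imports(imports):
    """Triage: which DLLs bring in the download-to-file API this article's sample is built around."""
    return sorted(dll for dll, funcs in imports.items() if any(f in DOWNLOADER_APIS for f in funcs))


def build_sample_pe():
    """Constructed sample (not the article's bytes): one section, file offset 100h <-> RVA 1000h."""
    RAW, RVA = 0x100, 0x1000
    sec = bytearray(0x200)
    thunks = struct.pack("<III", RVA + 0x64, IMAGE_ORDINAL_FLAG32 | 5, 0)   # by name, by ordinal, terminator
    sec[0x20:0x2C] = thunks                                                 # IAT (FirstThunk), patched at load time
    sec[0x58:0x64] = thunks                                                 # INT (OriginalFirstThunk), left untouched
    sec[0x64:0x79] = struct.pack("<H", 0x31) + b"URLDownloadToFileA\0"     # IMAGE_IMPORT_BY_NAME: hint + name
    sec[0x7A:0x85] = b"urlmon.dll\0"
    sec[0x30:0x58] = struct.pack("<IIIII", RVA + 0x58, 0, 0, RVA + 0x7A, RVA + 0x20) \
        + bytes(IMAGE_SIZEOF_IMPORT_DESCRIPTOR)                             # descriptor + all-zero terminator
    dos = bytearray(0x40); dos[:2] = b"MZ"; dos[0x3C:0x40] = struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0x70, 0x10F)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0x200, 0, 0, RVA + 0x85, RVA, 0, 0x400000, 0x1000, 0x200,
                      0, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 2)
    dirs = struct.pack("<IIII", 0, 0, RVA + 0x30, 2 * IMAGE_SIZEOF_IMPORT_DESCRIPTOR)   # export (empty), import
    sect = struct.pack("<8sIIIIIIHHI", b"", 0x200, RVA, 0x200, RAW, 0, 0, 0, 0, 0x60000060)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + opt + dirs + sect
    return hdr + bytes(RAW - len(hdr)) + bytes(sec)


if __name__ == "__main__":
    found = parse_imports(build_sample_pe())
    print(found)                                   # {'urlmon.dll': ['URLDownloadToFileA', ('ordinal', 5)]}
    print("downloader API imported from:", flag_downloader_imports(found))
```

The parser deliberately reads the INT rather than the IAT when both exist: on disk they hold the same values, but after loading only the IAT has been overwritten with function addresses, so the INT is the copy that still names the functions. Every RVA goes through rva_to_offset, which raises on an RVA no section backs, so a header that points outside the file fails loudly instead of reading garbage.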