Portable Executable File Format (Part 1)

xiaoxiao2021-03-06  16

Preface:

This article is just some notes from my study of the PE format; there is no real technical content in it. :)

The PE format is the most commonly used executable file format on Windows. This article uses Win32 assembly throughout.

------------------------------
| IMAGE_DOS_HEADER |  <------- DOS MZ file header
------------------------------
| DOS stub         |  <------- DOS stub code block
------------------------------
| IMAGE_NT_HEADERS |  <------- PE file header
------------------------------
| Section table    |  <------- section table
------------------------------
| Section          |  <------- sections
------------------------------
| Section          |
------------------------------
| ...              |
------------------------------

PE file layout

The picture above is the basic structure of a PE file. In a PE file, code, data and resources are stored in different sections, and each section's attributes, size and location are described by an IMAGE_SECTION_HEADER structure; all of the IMAGE_SECTION_HEADER structures together make up the section table.

Looking at the whole layout, a PE file splits into two parts: the DOS part (DOS file header + DOS stub) and the Win32 part (PE file header + section table + sections).

DOS part

The MZ-format file header (IMAGE_DOS_HEADER) and a small piece of executable code (the DOS stub) make up the DOS part. The MZ-format DOS file header is defined by the IMAGE_DOS_HEADER structure:

IMAGE_DOS_HEADER STRUCT
    e_magic     WORD ?          ; 00000000h  DOS executable signature "MZ", predefined as IMAGE_DOS_SIGNATURE in windows.inc
    e_cblp      WORD ?
    e_cp        WORD ?
    e_crlc      WORD ?
    e_cparhdr   WORD ?
    e_minalloc  WORD ?
    e_maxalloc  WORD ?
    e_ss        WORD ?
    e_sp        WORD ?
    e_csum      WORD ?
    e_ip        WORD ?
    e_cs        WORD ?
    e_lfarlc    WORD ?
    e_ovno      WORD ?
    e_res       WORD 4 dup(?)
    e_oemid     WORD ?
    e_oeminfo   WORD ?
    e_res2      WORD 10 dup(?)
    e_lfanew    DWORD ?         ; 0000003Ch  file offset of the PE file header
IMAGE_DOS_HEADER ENDS

Generally we only care about two fields, e_magic and e_lfanew, and e_lfanew is the most important field in this structure. The DOS executable code part usually just prints "This program cannot be run in DOS mode." (some print "This program requires Win32."). This code is generated automatically by the linker, but of course we can supply our own DOS stub: just link with the option /STUB:dos_file_name.exe. :) Practice is the only criterion for testing truth.

---------------------------- cut ----------------------------
.386
.model flat, stdcall
option casemap:none

include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

.data
szCaption db 'Wensir!', 0
szText    db 'Hello World!', 0

.code
start:
    invoke MessageBox, NULL, offset szText, offset szCaption, MB_OK
    invoke ExitProcess, NULL
end start
---------------------------- cut ----------------------------

Save it as *.asm (I saved it as wensir.asm), then assemble and link:

ml /c /coff wensir.asm

link /SUBSYSTEM:WINDOWS wensir.obj

Now we have a simple "Hello World" Win32 program, wensir.exe, which is of course in PE format. Open wensir.exe with a hex editor (I use UltraEdit):

------------------------------------------------------------------------------
            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ..............
00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ........@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 ; ................
00000040h: 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ; ........!..L.!Th
00000050h: 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F ; is program canno
00000060h: 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 ; t be run in DOS 
00000070h: 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 ; mode....$.......
00000080h: 5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B ; ]e..............
00000090h: 97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B ; .........$......
000000a0h: 52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00 ; Rich............
000000b0h: 50 45 00 00 4C 01 03 00 1C 8C 45 42 00 00 00 00 ; PE..L.....EB....
........
------------------------------------------------------------------------------

The word 5A4Dh at offset 00000000h (the bytes 4D 5A, i.e. "MZ") is the value of the e_magic field of IMAGE_DOS_HEADER, and the value 000000B0h at offset 0000003Ch is e_lfanew, which points to the PE file header. The rows from 00000040h to 000000a0h are the DOS stub block; in the dump above we can read the words "This program cannot be run in DOS mode."

The real action starts in the Win32 part. :) To find out what happens next, wait for the next installment.
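As an added example (not code from the original article), here is a small Python parser for the DOS part described above. It reads IMAGE_DOS_HEADER with the same field layout as the MASM STRUCT, checks e_magic, bounds-checks e_lfanew before following it to the "PE\0\0" signature, and recovers the message that the DOS stub prints. The sample bytes are constructed from the hex dump in this article, with the linker's Rich header area zeroed out; PEFormatError, parse_dos_header, dos_stub_message and is_well_formed are names chosen for this example.

```python
import struct
from typing import Optional

# IMAGE_DOS_HEADER exactly as the MASM STRUCT above: 14 WORDs, e_res (4 WORDs),
# e_oemid, e_oeminfo, e_res2 (10 WORDs) and the DWORD e_lfanew = 64 bytes, little-endian.
DOS_HEADER_FMT = "<14H4H2H10HI"
DOS_HEADER_SIZE = struct.calcsize(DOS_HEADER_FMT)      # 64 (0x40)
IMAGE_DOS_SIGNATURE = 0x5A4D                           # the bytes "MZ" read as a WORD
IMAGE_NT_SIGNATURE = 0x00004550                        # the bytes "PE\0\0" read as a DWORD
DOS_WORD_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
                   "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
                   "e_lfarlc", "e_ovno")


class PEFormatError(ValueError):
    """Raised when the DOS part of the input is not what a PE loader expects."""


def parse_dos_header(data: bytes) -> dict:
    """Parse IMAGE_DOS_HEADER at offset 0 and check that e_lfanew points at "PE\\0\\0".

    Returns the header fields plus the raw DOS stub (everything between the
    64-byte header and the PE file header)."""
    if len(data) < DOS_HEADER_SIZE:
        raise PEFormatError("input shorter than IMAGE_DOS_HEADER (64 bytes)")
    fields = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    hdr = dict(zip(DOS_WORD_FIELDS, fields[:14]))
    hdr["e_res"] = fields[14:18]
    hdr["e_oemid"], hdr["e_oeminfo"] = fields[18:20]
    hdr["e_res2"] = fields[20:30]
    hdr["e_lfanew"] = fields[30]
    if hdr["e_magic"] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("e_magic is not 'MZ'")
    lfanew = hdr["e_lfanew"]
    # e_lfanew comes straight from the file, so bounds-check it before using it as an
    # offset: reject a PE header that would overlap the DOS header or lie past the data.
    if lfanew < DOS_HEADER_SIZE or lfanew + 4 > len(data):
        raise PEFormatError(f"e_lfanew 0x{lfanew:X} is outside the file")
    (nt_sig,) = struct.unpack_from("<I", data, lfanew)
    if nt_sig != IMAGE_NT_SIGNATURE:
        raise PEFormatError(f"no 'PE\\0\\0' signature at 0x{lfanew:X}")
    hdr["dos_stub"] = data[DOS_HEADER_SIZE:lfanew]
    return hdr


def is_well_formed(data: bytes) -> bool:
    """True when parse_dos_header accepts the data, False when it raises PEFormatError."""
    try:
        parse_dos_header(data)
        return True
    except PEFormatError:
        return False


def dos_stub_message(stub: bytes) -> Optional[str]:
    """Recover the '$'-terminated text the stub prints with DOS INT 21h / AH=09h.

    Matches the linker stub pattern seen in the dump: mov dx, imm16 (BA lo hi)
    directly followed by mov ah, 09h (B4 09) and int 21h (CD 21). DX is the
    string offset within the stub because the stub begins with push cs / pop ds."""
    i = stub.find(b"\xB4\x09\xCD\x21")
    if i < 3 or stub[i - 3] != 0xBA:
        return None
    text_off = stub[i - 2] | (stub[i - 1] << 8)
    end = stub.find(b"$", text_off)
    if end < 0:
        return None
    return stub[text_off:end].decode("ascii", errors="replace")


# Constructed sample input: the first 128 bytes copied from the hex dump above, the
# linker's Rich header (00000080h..000000AFh) replaced by zero padding, then the first
# 16 bytes of the PE file header so that e_lfanew (000000B0h) has something to point at.
SAMPLE_PE = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"   # 00000000h  e_magic .. e_ss
    "B8000000000000004000000000000000"   # 00000010h  e_sp .. e_res[1]
    "00000000000000000000000000000000"   # 00000020h  e_res[2..3], e_oemid, e_oeminfo, e_res2[0..4]
    "000000000000000000000000B0000000"   # 00000030h  e_res2[5..9], e_lfanew = 0xB0
    "0E1FBA0E00B409CD21B8014CCD215468"   # 00000040h  DOS stub code, then "Th"
    "69732070726F6772616D2063616E6E6F"   # 00000050h  "is program canno"
    "742062652072756E20696E20444F5320"   # 00000060h  "t be run in DOS "
    "6D6F64652E0D0D0A2400000000000000"   # 00000070h  "mode.\r\r\n$" + padding
    + "00" * 48 +                        # 00000080h..000000AFh  (Rich header zeroed here)
    "504500004C0103001C8C454200000000"   # 000000B0h  "PE\0\0", Machine 014Ch, 3 sections, ...
)

if __name__ == "__main__":
    hdr = parse_dos_header(SAMPLE_PE)
    print(f"e_magic=0x{hdr['e_magic']:04X} e_lfanew=0x{hdr['e_lfanew']:X} "
          f"stub={len(hdr['dos_stub'])} bytes")
    print("stub says:", repr(dos_stub_message(hdr["dos_stub"])))
```

To run it on a real file, pass `open(path, "rb").read()` to parse_dos_header instead of SAMPLE_PE; the range check on e_lfanew is the part that matters in a file scanner, since a malformed header is exactly the kind of input that makes a naive parser read out of bounds.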

Please credit the original article when reposting: https://www.9cbs.com/read-41699.html
