PE file tour (C language description) - 1 Sections

Whether it is a Top Cracker with a true technology (of course, I belong to the latter, Ha), the familiarity of the PE file format is definitely necessary to study the technology of transparent and master, this is believed There is no controversy (of course, if you don't study the decryption of the Windows platform)? I have seen a lot of PE file tutorials on the Internet, but I'm thinking about it. When I go to the application, such as shelling, it is still a slice of IAT in my mind (huh, at least I am doing D, vegetables ~) , Learning is like this, just learning principles, but not practical, it seems to be understood, but when you really do it, you don't know where to start. In particular, the computer is very practical discipline, must be supplemented by practice to truly learn knowledge. Thank you to Menglong [DFCG], his <

> Analysis of the PE file format from the perspective of programming practices, but also let me have the idea of ​​studying. Ok, there are so many, forgot to say, purely rookie tutorial, let the master laugh late. PE file (C language description) - the first sections platform: Windows XP SP1 compiler: VC 6.0 Time: 2004.12 - 2005.01 Reference: See the snow <

>, Menglong [DFCG] <

>, <

>. Code by: prince e-mail: cracker_prince@163.com Note: This tutorial begins directly from Sections to explain, see the knowledge and code, please refer to <

The following is only the core partial code listed below, and the full code see the follow-up level. First of all, please look at the PE file pattern. This is also a pattern that PE files stored on disk.

Offset 0 ------------------------------- | Image_dos_header | <- DOS Ni PE SIGNATURE ------ ------------------------- / | 'PE', 0,0 | <- PE file logo | -------- ----------------------- | | Image_file_header | <- Image File Head | - Image_NT_Headers ------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- / ------------ | Section Table | <- Section Table - Image_SECTION_HEADER (array) | | | | ------ ------------------------- | | | | / -> | .text | <- code section | | | ------------------------------ | | / ----> | .data | <- Data Section | | ------------------------------- | | / ------> | .idata | <- input table | | ------------------------------- | / --------> | .edata | < - Output table | ----------------------------- / ----------> | .reloc | <- Relocated sector ------------------------------- | .... | --------------------------- | Debug information | ------------------- ------------ We get the offset from the image_dos_header.e_lfaNew to the PE file header in the PE file, that is, the image_nt_headers structure, as follows: typedef struct _image_nt_headers {dword signature; ** PE file standard Knowledge "PE", 0,0 IMAGE_FILE_HEADER FileHeader; ** image file header (which specifies the number of members NumberOfSections Sections of) IMAGE_OPTIONAL_HEADER32 OptionalHeader; ** image optional header} IMAGE_NT_HEADERS32, * PIMAGE_NT_HEADERS32; core code: IMAGE_DOS_HEADER myDosHeader; LONG E_LFANEW; File * Pfile; Pfile = FOPEN ("File Path", R B); FREAD (& MYDOSHEADER, SIZEOF (Image_DOS_HEADER), 1, PFILE); // Pfile is open file pointer E_LFANEW = mydosheader.e_lfanew; // save PE header offset IMAGE_FILE_HEADER myFileHeader; int nSectionCount; fseek (pFile, (e_lfanew sizeof (DWORD)), SEEK_SET); fread (& myFileHeader, sizeof (IMAGE_FILE_HEADER), 1, pFile); nSectionCount = myFileHeader.NumberOfSections;

/ / Save the section // Over the image_nt_headers structure is the image_section_header structure array, note that there are several steps, there are several elements of the structure, and this structure is dynamically open up NumberOfSections memory to store different section information image_section_header * pmySectionHeader = (IMAGE_SECTION_HEADER *) calloc (nSectionCount, sizeof (IMAGE_SECTION_HEADER)); fseek (pFile, (e_lfanew sizeof (IMAGE_NT_HEADERS)), SEEK_SET); fread (pmySectionHeader, sizeof (IMAGE_SECTION_HEADER), nSectionCount, pFile); // Print Sections Information for (int i = 0; i name); Printf ("Union_PhysicalAddress:% 08X / N", PMYSECTIONHEADER-> MISC. PhysicalAddress); printf ( "union_VirtualSize:% 04x / n", pmySectionHeader-> Misc.VirtualSize); printf ( "VirtualAddress:% 08x / n", pmySectionHeader-> VirtualAddress); printf ( "SizeOfRawData:% 08x / n", pmySectionHeader-> SizeOfRawData); printf ( "PointerToRawData:% 04x / n", pmySectionHeader-> PointerToRawData); printf ( "PointerToRelocations:% 04x / n", pmySectionHeader-> PointerToRelocations); printf ( "PointerToLinenumbers:% 04x / n" , P mySectionHeader-> PointerToLinenumbers); printf ( "NumberOfRelocations:% 04x / n", pmySectionHeader-> NumberOfRelocations); printf ( "NumberOfLinenumbers:% 04x / n", pmySectionHeader-> NumberOfLinenumbers); printf ( "Charateristics:% 04x / n" , pmySectionHeader-> Characteristics);} // restore pointer pmySectionHeader - = m_nSectionCount; if (pmySectionHeader = NULL) // free the memory {free (pmySectionHeader); pmySectionHeader = NULL;} // Do not forget to close the file fclose (pFile)! I have rewritten the above code with a Win32 program, which can easily view the section information of the PE file. I will inevitably exist in my own rookie, wrong and wrong, if you find any problems, don't be 吝, please let me.