ICZelion PE TUTCN1

zhaozj2021-02-11  197

PE tutorial 1: PE file format list

Since the early version of PE tutorial 1 was the worst of all the tutorials, I decided to rewrite it and present the new version to readers.

PE stands for Portable Executable. It is the native executable file format of the Win32 environment, and its specification is derived from Unix's COFF (Common Object File Format). "Portable Executable" means that the file format is portable across Win32 platforms: even if Windows runs on a non-Intel CPU, the PE loader of any Win32 platform can recognize and use the file format. Of course, PE executables ported to different CPUs must differ in some respects. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, including NT's kernel-mode drivers. Learning the PE file format therefore gives us a good opportunity to understand the structure of Windows.

This tutorial gives us an overview of the PE file format.

+------------------+
|  DOS MZ Header   |
+------------------+
|     DOS Stub     |
+------------------+
|    PE Header     |
+------------------+
|  Section Table   |
+------------------+
|    Section 1     |
+------------------+
|    Section 2     |
+------------------+
|       ...        |
+------------------+
|    Section n     |
+------------------+

The figure above shows the overall layout of the PE file structure. Every PE file (even a 32-bit DLL) must begin with a simple DOS MZ header. We usually have little interest in this structure; it exists so that when the program is run under DOS, DOS can recognize it as a valid executable and then run the DOS stub that follows the MZ header. The DOS stub is itself a valid EXE: on an operating system that does not support the PE file format it simply prints an error message, typically the string "This program requires Windows", although a programmer can put any complete DOS program there instead. We are usually not interested in the DOS stub either, because in most cases it is generated automatically by the assembler or compiler. Typically it just calls interrupt 21h, service 9, to display the string "This program cannot be run in DOS mode".

Right after the DOS stub comes the PE header. "PE header" is shorthand for the PE-related structure IMAGE_NT_HEADERS, which contains many fields that are important to the PE loader. We will refer to these fields as we study the PE file format further. When the file is run on an operating system that supports the PE file format, the PE loader reads the starting offset of the PE header from the DOS MZ header, so it skips the DOS stub and goes directly to the real file header, the PE header.

The real content of a PE file is divided into blocks called sections. A section is a block of data with common attributes, such as code/data, read/write, and so on. We can picture the PE file as a logical disk: the PE header is the disk's boot sector and the sections are the files on it, each with its own attributes such as read-only, system, hidden, archive, and so forth. It is worth noting that sections are divided according to the common attributes of each group of data, not according to logical concepts. What matters is not how the data or code is used: if data and code in the PE file have the same attributes, they can be placed in the same section. There is no need to worry about whether a section is called "data" or "code"; if the data and code share the same attributes, they can be placed in the same section. (Translator's note: the section name is only a label that tells sections apart. Names such as "data" and "code" exist only for ease of identification; only the section attributes determine the section's characteristics and function.) If a block of data has the read-only attribute, it can be put into a read-only section. When the PE loader maps the sections, it checks each section's attributes and sets the corresponding memory block to the specified attributes.

If we treat the PE file format as a logical disk, with the PE header as the boot sector and the sections as files, we still lack the information needed to locate the different files on the disk: that is, where are the different things in the PE file? Don't worry, that is exactly what the section table is for. The section table is an array of structures that immediately follows the PE header. Each structure holds the attributes, file offset, virtual offset, and so on of the corresponding section. If there are five sections in the PE file, the array has five members. We can therefore regard the section table as the root directory of the logical disk, with each array member corresponding to a directory entry in the root directory.

That is the physical layout of the PE file format. The main steps of loading a PE file can be summarized as follows:

1. When the PE file is executed, the PE loader checks the PE header offset stored in the DOS MZ header. If it is found, the loader jumps to the PE header.
2. The PE loader checks the validity of the PE header. If it is valid, the loader jumps to the end of the PE header.
3. Immediately after the PE header comes the section table. The PE loader reads the section information and uses file mapping to map the sections into memory, applying the attributes specified in the section table.
4. Once the PE file is mapped into memory, the PE loader processes the logical parts of the PE file, such as the import table.
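The first three loading steps, written out as a small parser, as an added example that is not part of Iczelion's tutorial: it checks the "MZ" signature, reads the PE header offset from the DOS header (the e_lfanew field at offset 0x3C), validates the "PE\0\0" signature, then walks the section table that follows the optional header. The sample image it parses is constructed inline (two sections, no real code, not loadable); the field layouts and IMAGE_SCN_* flag values are the standard ones from winnt.h.

```python
import struct

# IMAGE_SCN_* section characteristics (standard values from winnt.h)
SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_pe(data):
    """Follow the loader steps above; return [(name, virtual_addr, raw_offset, flags), ...].

    Raises ValueError at the points where a loader would reject the file.
    """
    # Step 1: DOS MZ header. Only the "MZ" signature and e_lfanew (offset 0x3C) matter here.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Step 2: skip the DOS stub, land on the PE header and validate its signature.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Step 3: the section table starts right after the optional header; 40 bytes per entry.
    sect_tbl = e_lfanew + 24 + opt_size
    if sect_tbl + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        off = sect_tbl + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        va, _raw_size, raw_ptr = struct.unpack_from("<III", data, off + 12)
        flags = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append((name, va, raw_ptr, flags))
    return sections

def describe_flags(flags):
    """Render the memory-protection bits the loader applies as an 'rwx' style string."""
    return "".join(ch if flags & bit else "-"
                   for ch, bit in (("r", SCN_READ), ("w", SCN_WRITE), ("x", SCN_EXECUTE)))

def build_sample_pe():
    """Constructed minimal PE32 image for the demo: MZ header, stub, PE header, two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)            # e_lfanew -> 0x80
    stub = b"\0" * (0x80 - len(dos))                                 # stand-in DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt_hdr = b"\x0b\x01" + b"\0" * 222                              # PE32 magic, rest zeroed
    def sect(name, va, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, raw_ptr, 0, 0, 0, 0, flags)
    text = sect(b".text", 0x1000, 0x400, SCN_CODE | SCN_EXECUTE | SCN_READ)
    rdata = sect(b".rdata", 0x2000, 0x600, SCN_INIT_DATA | SCN_READ)
    return dos + stub + b"PE\0\0" + file_hdr + opt_hdr + text + rdata
```

The length checks before each read are what separate a parser from a crash on a truncated or malformed file; a real loader performs the same validation at steps 1 and 2.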

The above steps are a condensed description based on other people's analysis; some points are clearly not precise enough, but they correctly describe the overall process of handling an executable.

You should download Luevelsmeyer's description of the PE file format. It is quite detailed and can be used as a reference manual.

Translation: IAMGUFENG [ICZelion's Win32 Assembly Home] [Luoyunbin's Win32 ASM Page]

When reposting, please credit the original URL: https://www.9cbs.com/read-4655.html
