I have always liked Swiss army knives, though unfortunately I have never owned one :) Today's "Swiss Army Knife" is Dumpbin. This gadget has been sitting on my own machine for a very long time: it came with VC, which I installed back then mostly for show, to convince myself that I was a computer professional. Later I noticed that the basic classic books mention this little thing. Let us now take a look at this sharp knife.
1 Where to get it: many Win32 development toolkits ship this utility. For example, VC 6.0 puts it in Microsoft Visual Studio\VC98\Bin, and MASM32 8.0 also places it in its bin directory.
2 Small footprint: the executable is only about 20 KB :) Once you have seen what it can do you will appreciate that this little guy is not simple at all. The size is deceptive, by the way: dumpbin.exe is a thin front end that hands the real work to LINK.EXE's /DUMP mode, so LINK.EXE has to be reachable alongside it.
3 Powerful features: Dumpbin runs at the command prompt (it seems the foreign gurus like the command line; they think that anyone who needs a mouse cannot be a true hacker, personal opinion, heh). Running Dumpbin with no arguments prints the command format and the option list:
C:\Documents and Settings\CC>dumpbin
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

usage: DUMPBIN [options] [files]

   options:

      /ALL
      /ARCH
      /ARCHIVEMEMBERS
      /DEPENDENTS
      /DIRECTIVES
      /DISASM
      /EXPORTS
      /FPO
      /HEADERS
      /IMPORTS
      /LINENUMBERS
      /LINKERMEMBER[:{1|2}]
      /LOADCONFIG
      /OUT:filename
      /PDATA
      /RAWDATA[:{NONE|BYTES|SHORTS|LONGS}[,#]]
      /RELOCATIONS
      /SECTION:name
      /SUMMARY
      /SYMBOLS
You can see that there are quite a few options. I will only pick out a few of them below.
4 A brief introduction to the features
(1) Listing the headers and sections of a .dll or .exe file (/HEADERS)
Take a look at the structure of the dynamic link library Windows\System32\A3D.dll with dumpbin /headers A3D.dll:
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file A3D.dll

PE signature found

File Type: DLL

FILE HEADER VALUES
             14C machine (i386)
               5 number of sections
        3AACA1D5 time date stamp Mon Mar 12 18:15:49 2001
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
            210E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine
                   DLL

OPTIONAL HEADER VALUES
             10B magic #
            6.00 linker version
            8000 size of code
           A8000 size of initialized data
               0 size of uninitialized data
            3297 RVA of entry point
            1000 base of code
            9000 base of data
        10000000 image base
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           B1000 size of image
            1000 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
            A0B0 [      82] RVA [size] of Export Directory
            9888 [      78] RVA [size] of Import Directory
            F000 [   9F340] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
           AF000 [     798] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Special Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            9000 [     178] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of Reserved Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
    75D6 virtual size
    1000 virtual address
    8000 size of raw data
    1000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
    1132 virtual size
    9000 virtual address
    2000 size of raw data
    9000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #3
   .data name
    3514 virtual size
    B000 virtual address
    3000 size of raw data
    B000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #4
   .rsrc name
   9F340 virtual size
    F000 virtual address
   A0000 size of raw data
    E000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #5
  .reloc name
    1552 virtual size
   AF000 virtual address
    2000 size of raw data
   AE000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

  Summary

        4000 .data
        2000 .rdata
        2000 .reloc
       A0000 .rsrc
        8000 .text
If you are familiar with the PE file format, the values above will look very familiar :) Note how the Summary block is simply each section's virtual size rounded up to the 1000h section alignment, and how the Import Address Table directory (9000h, 178h bytes) sits at the start of .rdata; those are the pointer slots the disassembly below calls through.
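To see what those header values really are, here is an added example (not code from the original article or from Microsoft) that parses a PE32 header the way dumpbin /headers reads it, recomputes the Summary block, and runs the sanity checks a reviewer wants before trusting a binary: a section that is both writable and executable, a code section that is larger in memory than on disk, and an entry point outside executable memory. It runs on a synthetic header constructed inline from the A3D.dll values above, so the real DLL is not needed; parse_pe() accepts the bytes of any real PE32 file.

```python
"""Read a PE32 header the way dumpbin /headers does, then sanity-check it.

Added example, not code from the original article or from Microsoft. It runs on a
synthetic header constructed in memory from the A3D.dll values shown above, so
the real DLL is not needed; parse_pe() accepts the bytes of any real PE32 file.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_ALIGNMENT = 0x1000                       # "1000 section alignment" in the dump

OPT_FIELDS = ("magic", "linker_major", "linker_minor", "size_code", "size_idata",
              "size_udata", "entry_rva", "base_code", "base_data", "image_base",
              "section_align", "file_align", "os_major", "os_minor", "img_major",
              "img_minor", "subsys_major", "subsys_minor", "win32_ver", "size_image",
              "size_headers", "checksum", "subsystem", "dll_chars")
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"              # first 72 bytes of IMAGE_OPTIONAL_HEADER32
SEC_FIELDS = ("name", "vsize", "va", "raw_size", "raw_ptr", "reloc_ptr",
              "line_ptr", "num_reloc", "num_lines", "flags")
SEC_FMT = "<8sIIIIIIHHI"                          # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data):
    """Return (file_header, optional_header, sections) dicts from raw PE32 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = dict(zip(("machine", "num_sections", "timestamp", "symtab", "num_syms",
                   "opt_size", "characteristics"),
                  struct.unpack_from("<HHIIIHH", data, pe_off + 4)))
    opt_off = pe_off + 24
    oh = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, opt_off)))
    if oh["magic"] != 0x10B:
        raise ValueError("only PE32 (magic 10b) is handled here")
    sec_off = opt_off + fh["opt_size"]                          # section table follows the optional header
    sections = []
    for i in range(fh["num_sections"]):
        s = dict(zip(SEC_FIELDS, struct.unpack_from(SEC_FMT, data, sec_off + 40 * i)))
        s["name"] = s["name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(s)
    return fh, oh, sections


def summary(sections, align=SECTION_ALIGNMENT):
    """dumpbin's Summary block: each section's virtual size rounded up to the section alignment."""
    return {s["name"]: -(-s["vsize"] // align) * align for s in sections}


def audit(oh, sections):
    """Header checks worth running before trusting a binary; returns a list of findings."""
    findings = []
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["vsize"] > s["raw_size"]:
            findings.append(f"{s['name']}: code section is larger in memory than on disk (packer?)")
    ep = oh["entry_rva"]
    home = next((s for s in sections
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if home is None or not home["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point {ep:X} is not inside an executable section")
    return findings


# Constructed sample: the five sections exactly as the A3D.dll /headers dump lists them.
A3D_SECTIONS = [  # name, virtual size, virtual address, size of raw data, file pointer, flags
    (".text", 0x75D6, 0x1000, 0x8000, 0x1000, 0x60000020),
    (".rdata", 0x1132, 0x9000, 0x2000, 0x9000, 0x40000040),
    (".data", 0x3514, 0xB000, 0x3000, 0xB000, 0xC0000040),
    (".rsrc", 0x9F340, 0xF000, 0xA0000, 0xE000, 0x40000040),
    (".reloc", 0x1552, 0xAF000, 0x2000, 0xAE000, 0x42000040),
]


def build_pe(sections, entry_rva=0x3297, image_base=0x10000000):
    """Synthesize only the headers of a PE32 DLL (constructed; the scalar values are from the dump)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE signature right after the DOS header
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x3AACA1D5, 0, 0, 0xE0, 0x210E)
    oh = struct.pack(OPT_FMT, 0x10B, 6, 0, 0x8000, 0xA8000, 0, entry_rva, 0x1000, 0x9000,
                     image_base, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0, 0xB1000, 0x1000, 0, 2, 0)
    oh += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(16 * 8)
    hdrs = b"".join(struct.pack(SEC_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + fh + oh + hdrs


if __name__ == "__main__":
    fh, oh, secs = parse_pe(build_pe(A3D_SECTIONS))
    print(f"{fh['machine']:>16X} machine   {oh['image_base']:>8X} image base   {oh['entry_rva']:>8X} entry RVA")
    for s in secs:
        print(f"{s['name']:<8}{s['vsize']:>8X} vsize{s['va']:>8X} va{s['raw_size']:>8X} raw{s['flags']:>10X} flags")
    print("Summary:", {k: hex(v) for k, v in summary(secs).items()})
    print("Findings:", audit(oh, secs) or "none")
```

On the A3D.dll layout the audit comes back clean; feed it a section with flags E0000020h (code that is also writable) or move the entry point into .data and it flags both, which is exactly the kind of header anomaly a packed or tampered binary shows.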
(2) Disassembly (/DISASM)
It can disassemble a chosen section of an .exe or .dll file (normally the .text section, the only one that holds code; for .data or .rdata use /RAWDATA instead, since disassembling data produces garbage). The command format is:
dumpbin /disasm /section:.text target.dll > listing.txt
Redirecting to a file matters, because the listing for even a small DLL runs to thousands of lines. The following is part of the disassembly of the .text section of A3D.dll:
Dump of file a3d.dll

File Type: DLL

SECTION HEADER #1
   .text name
    75D6 virtual size
    1000 virtual address
    8000 size of raw data
    1000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

  10001000: 8B 44 24 04        mov         eax,dword ptr [esp+4]
  10001004: 56                 push        esi
  10001005: 57                 push        edi
  10001006: 6A 30              push        30h
  10001008: C7 00 00 00 00 00  mov         dword ptr [eax],0
  1000100E: E8 76 1C 00 00     call        10002C89
  10001013: 8B F0              mov         esi,eax
  10001015: 83 C4 04           add         esp,4
  10001018: 85 F6              test        esi,esi
  1000101A: 75 08              jne         10001024
  1000101C: 5F                 pop         edi
  1000101D: B8 0E 00 07 80     mov         eax,8007000Eh
  10001022: 5E                 pop         esi
  10001023: C3                 ret
  10001024: B8 02 00 00 00     mov         eax,2
  10001029: 6A 00              push        0
  1000102B: C7 46 0C 01 00 00  mov         dword ptr [esi+0Ch],1
            00
  10001032: C7 06 68 92 00 10  mov         dword ptr [esi],10009268h
  10001038: C7 46 04 10 92 00  mov         dword ptr [esi+4],10009210h
            10
  1000103F: C7 46 08 38 92 00  mov         dword ptr [esi+8],10009238h
            10
  10001046: C7 46 14 00 00 00  mov         dword ptr [esi+14h],0
            00
  1000104D: 89 46 18           mov         dword ptr [esi+18h],eax
  10001050: 89 46 1C           mov         dword ptr [esi+1Ch],eax
  10001053: C7 46 20 01 00 00  mov         dword ptr [esi+20h],1
            00
  1000105A: C7 46 24 00 00 00  mov         dword ptr [esi+24h],0
            00
  10001061: C7 46 28 00 00 00  mov         dword ptr [esi+28h],0
            00
  10001068: C7 46 2C 00 00 80  mov         dword ptr [esi+2Ch],3F800000h
            3F
  1000106F: FF 15 6C 91 00 10  call        dword ptr ds:[1000916Ch]
  10001075: 8B F8              mov         edi,eax
  10001077: 85 FF              test        edi,edi
  10001079: 74 13              je          1000108E
  1000107B: 83 FF 01           cmp         edi,1
  1000107E: 74 0E              je          1000108E
  10001080: 56                 push        esi
  10001081: E8 1A 1B 00 00     call        10002BA0
  10001086: 83 C4 04           add         esp,4
  10001089: 8B C7              mov         eax,edi
  1000108B: 5F                 pop         edi
  1000108C: 5E                 pop         esi
  1000108D: C3                 ret
  1000108E: 8D 4E 10           lea         ecx,[esi+10h]
  10001091: 51                 push        ecx
  10001092: 68 D8 91 00 10     push        100091D8h
  10001097: 6A 01              push        1
  10001099: 6A 00              push        0
  1000109B: 68 E8 91 00 10     push        100091E8h
  100010A0: FF 15 70 91 00 10  call        dword ptr ds:[10009170h]
  100010A6: 8B F8              mov         edi,eax
  100010A8: 85 FF              test        edi,edi
  100010AA: 74 0E              je          100010BA
  100010AC: 56                 push        esi
  100010AD: E8 EE 1A 00 00     call        10002BA0
  100010B2: 83 C4 04           add         esp,4
  100010B5: 8B C7              mov         eax,edi
  100010B7: 5F                 pop         edi
  100010B8: 5E                 pop         esi
  100010B9: C3                 ret
  100010BA: 8B 54 24 0C        mov         edx,dword ptr [esp+0Ch]
  100010BE: 5F                 pop         edi
  100010BF: 33 C0              xor         eax,eax
  100010C1: 89 32              mov         dword ptr [edx],esi
  100010C3: 5E                 pop         esi
  100010C4: C3                 ret
  100010C5: 90                 nop
  100010C6: 90                 nop
  100010C7: 90                 nop
  100010C8: 90                 nop
  100010C9: 90                 nop
  100010CA: 90                 nop
  100010CB: 90                 nop
  100010CC: 90                 nop
  100010CD: 90                 nop
  100010CE: 90                 nop
  100010CF: 90                 nop
  100010D0: 8B 54 24 04        mov         edx,dword ptr [esp+4]
  100010D4: 8B 4C 24 0C        mov         ecx,dword ptr [esp+0Ch]
  100010D8: 8B 44 24 08        mov         eax,dword ptr [esp+8]
  100010DC: 89 4A 1C           mov         dword ptr [edx+1Ch],ecx
  100010DF: 8B 4C 24 10        mov         ecx,dword ptr [esp+10h]
  100010E3: 83 F9 01           cmp         ecx,1
  100010E6: 89 42 18           mov         dword ptr [edx+18h],eax
  100010E9: 89 4A 20           mov         dword ptr [edx+20h],ecx
  100010EC: 75 39              jne         10001127
  100010EE: 48                 dec         eax
  100010EF: 74 26              je          10001117
  100010F1: 48                 dec         eax
  100010F2: 74 03              je          100010F7
  100010F4: 48                 dec         eax
  100010F5: 74 10              je          10001107
  100010F7: 8B 4A 10           mov         ecx,dword ptr [edx+10h]
  100010FA: B8 04 00 14 00     mov         eax,140004h
  100010FF: 50                 push        eax
  10001100: 51                 push        ecx
This feature is important for reverse engineering encryption and decryption routines, and in some programs plaintext passwords can be recovered simply by reading the disassembly. Note the two kinds of call in the listing above: "call 10002BA0" jumps to code inside .text, while "call dword ptr ds:[1000916Ch]" goes through a pointer slot in the Import Address Table, that is, an imported API; /IMPORTS (below) tells you which one. For details, see the "hacker disassembly" book.
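An added example (not from the original article): a small parser for dumpbin /disasm listings. It folds wrapped byte lines back onto their instruction, decodes each call's target from the opcode bytes rather than trusting the printed operand (E8 rel32 is a direct call, FF 15 disp32 a call through a pointer slot), and classifies the call as local .text code or as an import by checking whether the slot lies inside the Import Address Table directory that /headers reported. The sample lines are constructed from the A3D.dll excerpt above in the lowercase form dumpbin really prints; IMAGE_BASE, SECTIONS and the IAT range are the values from the /headers dump.

```python
"""Parse a dumpbin /disasm listing and work out where its calls go.

Added example, not from the original article. The listing lines are constructed
from the A3D.dll excerpt above; the image base, section and IAT ranges are the
ones the /headers dump reports for that DLL.
"""
import re

IMAGE_BASE = 0x10000000                       # "10000000 image base"
SECTIONS = {".text": (0x1000, 0x8000), ".rdata": (0x9000, 0x2000),   # name: (RVA, size)
            ".data": (0xB000, 0x4000), ".rsrc": (0xF000, 0xA0000)}
IAT_RVA, IAT_SIZE = 0x9000, 0x178             # "9000 [178] RVA [size] of Import Address Table Directory"

# dumpbin prints the address and bytes in upper-case hex and the mnemonic in lower case,
# so keeping the classes case-sensitive is what stops a byte like "EE" from being read as a mnemonic.
INSN_RE = re.compile(r"^\s*([0-9A-F]{8}):\s+((?:[0-9A-F]{2}\s+)+)\s*([a-z]+)(?:\s+(.*))?$")
CONT_RE = re.compile(r"^\s+(?:[0-9A-F]{2}\s*)+$")   # bytes wrapped onto the next line

SAMPLE_LISTING = """\
  1000102B: C7 46 0C 01 00 00  mov         dword ptr [esi+0Ch],1
            00
  1000106F: FF 15 6C 91 00 10  call        dword ptr ds:[1000916Ch]
  10001075: 8B F8              mov         edi,eax
  10001081: E8 1A 1B 00 00     call        10002BA0
  100010A0: FF 15 70 91 00 10  call        dword ptr ds:[10009170h]
  100010AD: E8 EE 1A 00 00     call        10002BA0
  100010B9: C3                 ret
"""


def parse_listing(text):
    """Turn listing lines into dicts; a wrapped byte line is folded into the previous instruction."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            addr, raw, mnem, ops = m.groups()
            insns.append({"va": int(addr, 16), "bytes": bytes.fromhex(raw),
                          "mnemonic": mnem, "operands": (ops or "").strip()})
        elif insns and CONT_RE.match(line):
            insns[-1]["bytes"] += bytes.fromhex(line)
    return insns


def section_of(rva):
    for name, (start, size) in SECTIONS.items():
        if start <= rva < start + size:
            return name
    return None


def call_target(insn):
    """Decode the target from the bytes: E8 rel32 = direct call, FF 15 disp32 = call through a pointer slot."""
    b = insn["bytes"]
    if b[:1] == b"\xE8" and len(b) == 5:
        rel = int.from_bytes(b[1:], "little", signed=True)
        return "direct", insn["va"] + 5 + rel               # relative to the next instruction
    if b[:2] == b"\xFF\x15" and len(b) == 6:
        return "indirect", int.from_bytes(b[2:], "little")  # absolute address of the slot
    return None, None


def classify_calls(insns):
    """Return (va, kind, target) per call: local .text code, an import via the IAT, or something else."""
    out = []
    for insn in insns:
        if insn["mnemonic"] != "call":
            continue
        kind, target = call_target(insn)
        if kind is None:
            out.append((insn["va"], "unhandled form", insn["operands"]))
            continue
        rva = target - IMAGE_BASE
        if kind == "indirect" and IAT_RVA <= rva < IAT_RVA + IAT_SIZE:
            kind = "import via IAT"
        elif kind == "direct" and section_of(rva) == ".text":
            kind = "local .text"
        out.append((insn["va"], kind, target))
    return out


if __name__ == "__main__":
    for va, kind, target in classify_calls(parse_listing(SAMPLE_LISTING)):
        print(f"{va:08X}  {kind:<16} {target:08X}" if isinstance(target, int) else f"{va:08X}  {kind} {target}")
```

Decoding the target from the bytes rather than the operand text is deliberate: it doubles as a check that the listing was not corrupted in transit (the page's own copy had lost its plus signs and several address digits), and the same two patterns are what you look for in a hex dump when no disassembler is at hand.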
(3) The /IMPORTS and /EXPORTS options show the functions a dynamic link library imports (grouped by the DLL they come from) and the functions it exports (ordinal, hint, RVA and name).
(4) The /DEPENDENTS option shows which DLLs the file depends on. Taking A3D.dll as the example again (dumpbin /dependents A3D.dll):
Dump of file A3D.dll

File Type: DLL

  Image has the following dependencies:

    USER32.dll
    GDI32.dll
    ADVAPI32.dll
    ole32.dll
    KERNEL32.dll

  Summary

        4000 .data
        2000 .rdata
        2000 .reloc
       A0000 .rsrc
        8000 .text
Ha ha
This is useful for program analysis: you can see which dynamic link libraries the program links against. Keep in mind that it only reads the import table, so DLLs loaded at run time through LoadLibrary/GetProcAddress do not appear here. There is also a tool dedicated to viewing dependencies, Depends.exe in Microsoft Visual Studio\Common\Tools, which lets you clearly see every function that is called :)
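For both /DEPENDENTS and /IMPORTS, this added example (not from the original article) shows the structure they read: the import directory, an array of 20-byte IMAGE_IMPORT_DESCRIPTORs, each pointing at a DLL name and at its thunk arrays (the Import Name Table and the Import Address Table). It lays out a constructed import section in memory (the DLL and function names are made up for the demo and are not taken from A3D.dll) and parses it back into the same information dumpbin prints: the dependent DLL list and, per DLL, each IAT slot with the function name or ordinal behind it.

```python
"""Walk a PE import directory the way dumpbin /imports and /dependents do.

Added example, not from the original article. It builds a constructed import
section (descriptors, thunk tables and name strings) in one byte blob and parses
it back; a real tool would read the blob from the section that contains the
Import Directory RVA given by /headers. DLL and function names are made up.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit set in a thunk: import by ordinal, not by name


def build_import_section(base_rva, imports):
    """Constructed layout starting at base_rva: [IAT][INT][descriptors + zero terminator][strings]."""
    n_thunks = sum(len(funcs) + 1 for funcs in imports.values())      # +1: each DLL's list ends with 0
    iat_off, int_off = 0, 4 * n_thunks
    desc_off = int_off + 4 * n_thunks
    names_off = desc_off + 20 * (len(imports) + 1)                     # last descriptor is all zeros
    names, per_dll = bytearray(), []
    for dll, funcs in imports.items():
        dll_name_rva = base_rva + names_off + len(names)
        names += dll.encode() + b"\0"
        thunks = []
        for f in funcs:
            if isinstance(f, int):                                     # ordinal import
                thunks.append(IMAGE_ORDINAL_FLAG32 | f)
            else:                                                      # RVA of IMAGE_IMPORT_BY_NAME: hint + name
                thunks.append(base_rva + names_off + len(names))
                names += struct.pack("<H", 0) + f.encode() + b"\0"
        per_dll.append((dll_name_rva, thunks))
    blob = bytearray(names_off) + names
    pos = 0
    for i, (dll_name_rva, thunks) in enumerate(per_dll):
        struct.pack_into("<IIIII", blob, desc_off + 20 * i,            # OriginalFirstThunk, TimeDateStamp,
                         base_rva + int_off + pos, 0, 0,                # ForwarderChain, Name, FirstThunk
                         dll_name_rva, base_rva + iat_off + pos)
        for t in thunks + [0]:
            struct.pack_into("<I", blob, int_off + pos, t)             # INT: what the loader must resolve
            struct.pack_into("<I", blob, iat_off + pos, t)             # IAT: same on disk, patched at load time
            pos += 4
    return bytes(blob), base_rva + desc_off


def parse_imports(blob, base_rva, desc_rva):
    """Return {dll: [(iat_slot_rva, 'Name' or 'Ordinal N'), ...]} in descriptor order."""
    def cstr(rva):
        off = rva - base_rva
        return blob[off:blob.index(b"\0", off)].decode("ascii")

    result, off = {}, desc_rva - base_rva
    while True:
        int_rva, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", blob, off)
        if name_rva == 0 and iat_rva == 0:                             # all-zero descriptor ends the table
            break
        thunk_rva, slot, entries = (int_rva or iat_rva), iat_rva, []   # INT is optional; fall back to the IAT
        while True:
            t, = struct.unpack_from("<I", blob, thunk_rva - base_rva)
            if t == 0:
                break
            name = f"Ordinal {t & 0xFFFF}" if t & IMAGE_ORDINAL_FLAG32 else cstr(t + 2)
            entries.append((slot, name))
            thunk_rva, slot = thunk_rva + 4, slot + 4
        result[cstr(name_rva)] = entries
        off += 20
    return result


def dependents(import_table):
    """What dumpbin /dependents prints: just the DLL names, in import-table order."""
    return list(import_table)


# Constructed demo data; the choice of DLLs and functions is arbitrary, not read from A3D.dll.
DEMO_IMPORTS = {"KERNEL32.dll": ["GetProcAddress", "LoadLibraryA"],
                "USER32.dll": ["MessageBoxA"],
                "ADVAPI32.dll": [42]}

if __name__ == "__main__":
    blob, desc_rva = build_import_section(0x9000, DEMO_IMPORTS)
    table = parse_imports(blob, 0x9000, desc_rva)
    print("Image has the following dependencies:", *dependents(table), sep="\n    ")
    for dll, entries in table.items():
        print(f"\n  {dll}")
        for slot, name in entries:
            print(f"    {slot:8X}  {name}")
```

The IAT slot RVAs are the link back to the disassembly: a "call dword ptr ds:[...]" whose address falls on one of those slots is a call to that named import, which is how /IMPORTS turns the anonymous pointers in the listing into API names.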
That is all for today. This is just a little of my own, with many rough spots, and I will keep accumulating slowly :) Corrections to the mistakes in this article are welcome. Rest, take a break ~~~~~