Sender: RUFI, Board: Arch_compiler, Title: Deciphering the shortest PE file, Sun and Moonlight BBS (Wed Mar 24 23:45:03 2004), station mail
Deciphering the shortest PE file
My study of the PE format began when I saw this post by Chsoft (Get Busy Living or get busy Dying):

The shortest and most compact PE file, full version:

00000000h: 4D 5A B8 EC 00 40 00 E9 B0 00 00 00 50 45 00 00 4C 01 01 00
00000014h: 75 73 65 72 33 32 2E 64 6C 6C 00 00 C8 00 03 01 0B 01 00 00
00000028h: 00 10 00 00 00 10 00 00 00 00 00 00 02 00 00 00 02 00 00 00
0000003Ch: 0C 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 02 01 00 00
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 20 00 00 00 02 00 00
00000064h: 00 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 00 10 00
00000078h: 00 10 00 00 00 00 00 00 0D 00 00 00 00 00 00 00 00 00 00 00
0000008Ch: 94 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF
000000A0h: 14 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000B4h: 00 00 00 00 00 00 00 00 6A 00 50 50 6A 00 FF 15 4C 00 40 00
000000C8h: C3 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000DCh: 00 00 00 00 00 00 00 00 94 00 00 00 28 00 00 00 48 65 6C 6C
000000F0h: 6F 21 00 00 00 10 00 00 00 10 00 00 00 00 00 00 00 00 00 00
00000104h: 4D 65 73 73 61 67 65 42 6F 78 41 00 60 00 00 E0

276 bytes in total. Guess what happens when you run it?
The file is small, but analyzing it is not easy; I spent a great deal of time first working through a standard PE file. Once the standard PE format is understood, the mechanism of this file becomes clear.
The following is the source I reconstructed from it:
org 0x400000                                ; ImageBase
origin:
DOS_MZ_header:
.e_magic                  db "MZ"
start:
use32
                          mov eax, section_table.Name ; ASCII "Hello!"
                          jmp main
PE_header:
.Signature                db "PE", 0, 0
FileHeader:
.Machine                  dw 0x014C         ; IMAGE_FILE_MACHINE_I386
.NumberOfSections         dw 1
.TimeDateStamp            dd "user"         ; these three unused fields spell "user32.dll",0,0
.PointerToSymbolTable     dd "32.d"
.NumberOfSymbols          dd "ll"
.SizeOfOptionalHeader     dw 0x00C8         ; 0x60 + 13 data directories
.Characteristics          dw 0x0103         ; RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
OptionalHeader:                             ; 31 fields
.Magic                    dw 0x010B         ; PE32
.MajorLinkerVersion       db 0
.MinorLinkerVersion       db 0
.SizeOfCode               dd 0x1000
.SizeOfInitializedData    dd 0x1000
.SizeOfUninitializedData  dd 0
.AddressOfEntryPoint      dd start-origin   ; RVA 2, inside the DOS header
.BaseOfCode               dd start-origin
.BaseOfData               dd PE_header-origin ; sits at 0x3C, so it is also e_lfanew
.ImageBase                dd origin
.SectionAlignment         dd 0x1000
.FileAlignment            dd 0x0200
messagebox:                                 ; the IAT slot the loader fills in
.MajorOSVersion           dw 0x0102         ; thunk value: RVA of the hint word just before "MessageBoxA"
.MinorOSVersion           dw 0
.MajorImageVersion        dw 0              ; together with the next word: IAT terminator
.MinorImageVersion        dw 0
.MajorSubsystemVersion    dw 4
.MinorSubsystemVersion    dw 0
.Win32VersionValue        dd 0
.SizeOfImage              dd 0x2000
.SizeOfHeaders            dd 0x0200
.CheckSum                 dd 0
.Subsystem                dw 2              ; IMAGE_SUBSYSTEM_WINDOWS_GUI
.DllCharacteristics       dw 0
.SizeOfStackReserve       dd 0x100000
.SizeOfStackCommit        dd 0x2000
.SizeOfHeapReserve        dd 0x100000
.SizeOfHeapCommit         dd 0x1000
.LoaderFlags              dd 0
.NumberOfDataDirectories  dd 0x0D           ; 13
Data_Directories:
.Export_Table             dd 0, 0                   ; RVA, Size
.Import_Table             dd 0x94, 0x28             ; RVA, Size
.Resource_Table           dd 0, 0                   ; RVA, Size  (= OriginalFirstThunk, TimeDateStamp of the import descriptor)
.Exception_Table          dd 0xFFFFFFFF, 0x14       ; RVA, Size  (= ForwarderChain, Name -> "user32.dll")
.Security_Table           dd 0x4C, 0                ; RVA, Size  (= FirstThunk -> messagebox, then zero terminator)
.Relocation_Table         dd 0, 0                   ; RVA, Size
.Debug                    dd 0, 0                   ; RVA, Size
; .Architecture           dd 0x5050006A, 0x15FF006A ; RVA, Size  (these two slots hold the code below)
; .Global_Ptr             dd 0x0040004C, 0x909090C3 ; RVA, Size
main:
                          push 0            ; /uType     = MB_OK
                          push eax          ; |lpCaption = "Hello!"
                          push eax          ; |lpText    = "Hello!"
                          push 0            ; |hWnd      = NULL
                          call dword [messagebox] ; \MessageBoxA
                          retn
                          nop
                          nop
                          nop
.TLS_Table                dd 0, 0                   ; RVA, Size
.Load_Config_Table        dd 0, 0                   ; RVA, Size
.Bound_Import             dd 0, 0                   ; RVA, Size
.Import_Address_Table     dd 0x94, 0x28             ; RVA, Size
section_table:
.Name                     db "Hello!", 0, 0
.VirtualSize              dd 0x1000
.VirtualAddress           dd 0x1000
.SizeOfRawData            dd 0
.PointerToRawData         dd 0              ; file offset 0; five dwords later "user32.dll" appears
.PointerToRelocations     dd "Mess"         ; these four fields spell "MessageBoxA",0
.PointerToLinenumbers     dd "ageB"
.NumberOfRelocations      dw "ox"
.NumberOfLinenumbers      dw "A"
.Characteristics          dd 0xE0000060     ; CODE | INITIALIZED_DATA | EXECUTE | READ | WRITE
After assembling it I get the 276 bytes; running it displays a message box saying "Hello!". Analyzing this source shows:

1. The program's entry point lies in the DOS header, and from there it jumps into Data_Directories, so part of the data directories' contents is code.
2. The PE header's BaseOfData field is at the same time the DOS header's e_lfanew field, pointing at the position of the PE header.
3. NumberOfDataDirectories is set to 13, unlike the usual case.
4. There is only one section in the section table, and its contents are scattered through the preceding header data, so it has no raw data.
5. PointerToRawData is 0, i.e. the start of the file; five dwords after that is the DLL's file name.
6. The Import_Table RVA is 0x94, so the fifth dword after 0x94, which corresponds to the FirstThunk of the IMAGE_IMPORT_DESCRIPTOR, is 0x4C. The field at 0x4C is MajorOSVersion, whose content (0x0102) serves as the thunk value and points to an IMAGE_IMPORT_BY_NAME structure: the word at 0x0102 is the hint, and right after the hint is the function name MessageBoxA.

In summary, this file has no wasted bytes: every byte is filled with useful data or code, and a few key fields are pointers that cleverly point at that data or code, so the file can be executed.

-- add life, coding
   push limits
   mov reality, ideas
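As an added example (not part of the original post, and not Chsoft's or RUFI's own tooling), the following Python script rebuilds the 276-byte file from the field values in the listing above, parses it back with a minimal PE32 reader that walks the import descriptor the same way the loader does, and flags the header-overlap tricks the six points enumerate. The same checks, run over any PE, surface files whose entry point, import directory or IAT live inside the headers or whose sections carry no raw data. The function names, the `rva_to_offset` mapping rule (headers map 1:1, sections via PointerToRawData) and the anomaly labels are my own choices, not anything from the post.

```python
"""Rebuild the 276-byte header-only PE from the listing and audit its overlaps.

Added example, not the post's own tool. Byte values are taken from the
assembly listing in the post; anomaly labels are this script's own naming.
"""
import struct

IMAGE_BASE = 0x400000


def build_tiny_pe() -> bytes:
    """Assemble the file exactly as the listing lays it out (constructed here)."""
    img = bytearray(b"MZ")                                    # e_magic
    img += b"\xB8" + struct.pack("<I", IMAGE_BASE + 0xEC)      # mov eax, "Hello!" (section name)
    img += b"\xE9" + struct.pack("<i", 0xBC - 0x0C)            # jmp main: rel32 from 0x0C to 0xBC
    # IMAGE_FILE_HEADER at 0x0C: three unused fields spell "user32.dll"
    img += b"PE\0\0" + struct.pack("<HH", 0x014C, 1) + b"user32.dll\0\0"
    img += struct.pack("<HH", 0xC8, 0x0103)                    # SizeOfOptionalHeader, Characteristics
    # IMAGE_OPTIONAL_HEADER32 at 0x24; BaseOfData (0x0C) lands on 0x3C and doubles as e_lfanew
    img += struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, 0x1000, 0x1000, 0,
                       2, 2, 0x0C, IMAGE_BASE, 0x1000, 0x200)
    # MajorOSVersion/MinorOSVersion at 0x4C hold the single IAT entry 0x00000102
    img += struct.pack("<6H4I2H6I", 0x0102, 0, 0, 0, 4, 0,
                       0, 0x2000, 0x200, 0, 2, 0,
                       0x100000, 0x2000, 0x100000, 0x1000, 0, 13)
    # 13 data directories; slots 2..4 also form the IMAGE_IMPORT_DESCRIPTOR
    for rva, size in [(0, 0), (0x94, 0x28), (0, 0), (0xFFFFFFFF, 0x14),
                      (0x4C, 0), (0, 0), (0, 0)]:
        img += struct.pack("<II", rva, size)
    # slots 7 and 8 (Architecture, GlobalPtr) are the code at 0xBC:
    # push 0; push eax; push eax; push 0; call [0x40004C]; ret; nop; nop; nop
    img += b"\x6A\x00\x50\x50\x6A\x00\xFF\x15" + struct.pack("<I", IMAGE_BASE + 0x4C)
    img += b"\xC3\x90\x90\x90"
    for rva, size in [(0, 0), (0, 0), (0, 0), (0x94, 0x28)]:
        img += struct.pack("<II", rva, size)
    # one section header; its tail fields spell hint 0 + "MessageBoxA"
    img += b"Hello!\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0, 0)
    img += b"MessageBoxA\0" + struct.pack("<I", 0xE0000060)
    return bytes(img)


def hexdump(img: bytes, width: int = 20) -> list:
    """Render the file the way the post does: 20 bytes per line."""
    return [f"{i:08X}h: " + " ".join(f"{b:02X}" for b in img[i:i + width])
            for i in range(0, len(img), width)]


def rva_to_offset(rva: int, headers_size: int, sections: list):
    """Headers map 1:1 to file offsets; section data maps through PointerToRawData."""
    if rva < headers_size:
        return rva
    for s in sections:
        if s["raw_size"] and s["va"] <= rva < s["va"] + s["raw_size"]:
            return rva - s["va"] + s["raw_ptr"]
    return None


def cstring(img: bytes, off: int) -> str:
    return img[off:img.index(b"\0", off)].decode("ascii")


def parse_pe(img: bytes) -> dict:
    """Minimal PE32 reader: headers, directories, sections, import walk, anomaly flags."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", img, fh + 2)[0]
    opt_size = struct.unpack_from("<H", img, fh + 16)[0]
    opt = fh + 20
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    headers_size = struct.unpack_from("<I", img, opt + 60)[0]
    ndirs = struct.unpack_from("<I", img, opt + 92)[0]
    dirs = [struct.unpack_from("<II", img, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii"), va=va,
                             raw_size=raw_size, raw_ptr=raw_ptr))
    anomalies = []
    if e_lfanew < 0x40:
        anomalies.append("e_lfanew overlaps DOS header")
    if entry < headers_size:
        anomalies.append("entry point inside headers")
    if ndirs != 16:
        anomalies.append(f"NumberOfRvaAndSizes is {ndirs}, not 16")
    for s in sections:
        if s["raw_size"] == 0:
            anomalies.append(f"section {s['name']!r} has no raw data")
    imports = []
    if ndirs > 1 and dirs[1][0]:
        if dirs[1][0] < headers_size:
            anomalies.append("import directory inside headers")
        off = rva_to_offset(dirs[1][0], headers_size, sections)
        while True:
            _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", img, off)
            if name_rva == 0 and first_thunk == 0:
                break                                       # all-zero terminator descriptor
            thunk = rva_to_offset(first_thunk, headers_size, sections)
            if thunk is not None and opt <= thunk < opt + opt_size:
                anomalies.append("IAT overlaps optional header")
            funcs = []
            while True:
                val = struct.unpack_from("<I", img, thunk)[0]
                if val == 0:
                    break
                if val & 0x80000000:
                    funcs.append(f"#{val & 0xFFFF}")         # import by ordinal
                else:                                        # IMAGE_IMPORT_BY_NAME: skip the hint word
                    funcs.append(cstring(img, rva_to_offset(val, headers_size, sections) + 2))
                thunk += 4
            imports.append((cstring(img, rva_to_offset(name_rva, headers_size, sections)), funcs))
            off += 20
    return dict(entry_point=entry, e_lfanew=e_lfanew, sections=sections,
                imports=imports, anomalies=anomalies)


if __name__ == "__main__":
    pe = build_tiny_pe()
    print("\n".join(hexdump(pe)))
    for key, value in parse_pe(pe).items():
        print(f"{key}: {value}")
```

Running it prints the same 20-byte-per-line dump as the quoted post and then the parsed view: entry point 2, e_lfanew 0x0C, one import of MessageBoxA from user32.dll, and the anomaly list. For triage of an unknown PE, replace `build_tiny_pe()` with the file's bytes; any hit on "entry point inside headers" or "IAT overlaps optional header" is worth a manual look, since normal linkers never emit either.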