菜单

[PE结构解析] 1壹.能源表结构

2019年4月3日 - www6165com

 

 

[PE结构分析] 1一.能源表结构,pe结构

财富表是2个树形结构,能够设置成二的三拾5遍方的层数,Windows 使用了三级:

类型->名称->语言

 

内部涉及到八个结构:

 

Data

Description

Resource Directory Tables (and Resource Directory Entries)

A series of tables, one for each group of nodes in the tree. All top-level (Type) nodes are listed in the first table. Entries in this table point to second-level tables. Each second-level tree has the same Type ID but different Name IDs. Third-level trees have the same Type and Name IDs but different Language IDs.

Each individual table is immediately followed by directory entries, in which each entry has a name or numeric identifier and a pointer to a data description or a table at the next lower level.

Resource Directory Strings

Two-byte-aligned Unicode strings, which serve as string data that is pointed to by directory entries.

Resource Data Description

An array of records, pointed to by tables, that describe the actual size and location of the resource data. These records are the leaves in the resource-description tree.

Resource Data

Raw data of the resource section. The size and location information in the Resource Data Descriptions field delimit the individual regions of resource data.

 

 

 

 

WINNT.H

[cpp] view
plain
copy

 

  1. typedef struct _IMAGE_RESOURCE_DIR_STRING_U {  
  2.     USHORT  Length;  
  3.     WCHAR   NameString[ 1 ];  
  4. } IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;  

This structure is simply a 2-byte Length field followed
by Length UNICODE characters.

On the other hand, if the most significant bit of the Name field is
clear, the lower 31 bits are used to represent the integer ID of the
resource. Figure 2 shows the menu resource as a named resource and the
string table as an ID resource.

If there were two menu resources, one identified by name and one by
resource, they would both have entries immediately after the menu
resource directory. The named resource entry would appear first,
followed by the integer-identified resource. The directory
fields NumberOfNamedEntries and NumberOfIdEntries would each contain
the value 1, indicating the presence of one entry.

Below level two, the resource tree does not branch out any further.
Level one branches into directories representing each type of resource,
and level two branches into directories representing each resource by
identifier. Level three maps a one-to-one correspondence between the
individually identified resources and their respective language IDs. To
indicate the language ID of a resource, the Name field of the
directory entry structure is used to indicate both the primary language
and sublanguage ID for the resource. The Win32 SDK for Windows NT lists
the default value resources. For the value 0x0409, 0x09 represents the
primary language as LANG_ENGLISH, and 0x04 is defined as
SUBLANG_ENGLISH_CAN for the sublanguage. The entire set of language
IDs is defined in the file WINNT.H, included as part of the Win32 SDK
for Windows NT.

Since the language ID node is the last directory node in the tree,
the OffsetToData field in the entry structure is an offset to a leaf
node—the IMAGE_RESOURCE_DATA_ENTRY structure mentioned earlier.

Referring back to Figure 2, you can see one data entry node for each
language directory entry. This node simply indicates the size of the
resource data and the relative virtual address where the resource data
is located.

One advantage to having so much structure to the resource data section,
.rsrc, is that you can glean a great deal of information from the
section without accessing the resources themselves. For example, you can
find out how many there are of each type of resource, what resources—if
any—use a particular language ID, whether a particular resource exists
or not, and the size of individual types of resources. To demonstrate
how to make use of this information, the following function shows how to
determine the different types of resources a file includes:

 

 

 

Locating Data Directories

Data directories exist within the body of their corresponding data
section. Typically, data directories are the first structure within the
section body, but not out of necessity. For that reason, you need to
retrieve information from both the section header and optional header to
locate a specific data directory.

To make this process easier, the following function was written to
locate the data directory for any of the directories defined in WINNT.H:

Resource Directory Table

Each resource directory
table has the following format. This data structure should be considered
the heading of a table because the table actually consists of directory
entries (described in section 6.9.2, “Resource Directory Entries”) and
this structure:

Offset Size Field Description
0 4 Characteristics Resource flags. This field is reserved for future use. It is currently set to zero.
4 4 Time/Date Stamp The time that the resource data was created by the resource compiler.
8 2 Major Version The major version number, set by the user.
10 2 Minor Version The minor version number, set by the user.
12 2 Number of Name Entries The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).
14 2 Number of ID Entries The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

 

Resource Data Entry

Each Resource Data
entry describes an actual unit of raw data in the Resource Data area. A
Resource Data entry has the following format:

Offset

Size

Field

Description

  0

4

Data RVA

The address of a unit
of resource data in the Resource Data area.

  4

4

Size

The size, in bytes, of
the resource data that is pointed to by the Data RVA field.

  8

4

Codepage

The code page that is
used to decode code point values within the resource data. Typically,
the code page would be the Unicode code page.

12

4

Reserved, must be
0.

Resource Directory String

The resource directory string area consists of Unicode strings, which
are word-aligned. These strings are stored together after the last
Resource Directory entry and before the first Resource Data entry. This
minimizes the impact of these variable-length strings on the alignment
of the fixed-size directory entries. Each resource directory string has
the following format:

Offset

Size

Field

Description

0

2

Length

The size of the string, not including length field itself.

2

variable

Unicode String

The variable-length Unicode string data, word-aligned.

Data sections, .bss, .rdata, .data

The .bss section represents uninitialized data for the application,
including all variables declared as static within a function or source
module.

The .rdata section represents read-only data, such as literal strings,
constants, and debug directory information.

All other variables (except automatic variables, which appear on the
stack) are stored in the .data section. Basically, these are application
or module global variables.

 

当中提到到多个结构:

Resource Directory Table

Each resource directory table has the following format. This data
structure should be considered the heading of a table because the table
actually consists of directory entries (described in section 6.9.2,
“Resource Directory Entries”) and this structure:

Offset

Size

Field

Description

  0

4

Characteristics

Resource flags. This field is reserved for future use. It is currently set to zero.

  4

4

Time/Date Stamp

The time that the resource data was created by the resource compiler.

  8

2

Major Version

The major version number, set by the user.

10

2

Minor Version

The minor version number, set by the user.

12

2

Number of Name Entries

The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).

14

2

Number of ID Entries

The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

PEFILE.C

#define PEFHDROFFSET(a) ((LPVOID)((BYTE *)a +  /
    ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE))

The only difference between this and the previous macro is that this one
adds in the constant SIZE_OF_NT_SIGNATURE. Sad to say, this constant
is not defined in WINNT.H, but is instead one I defined in PEFILE.H as
the size of a DWORD.

Now that we know the location of the PE file header, we can examine the
data in the header simply by assigning this location to a structure, as
in the following example:

PIMAGE_FILE_HEADER   pfh;

pfh = (PIMAGE_FILE_HEADER)PEFHDROFFSET (lpFile);

I n this example, lpFile represents a pointer to the base of the
memory-mapped executable file, and therein lies the convenience of
memory-mapped files. No file I/O needs to be performed; simply
dereference the pointer pfh to access information in the file. The PE
file header structure is defined as:

能源表是三个树形结构,可以安装成二的叁十八回方的层数,Windows 使用了三级:

 

Resource Directory Entries

The directory entries make up the rows of a table. Each resource
directory entry has the following format. Whether the entry is a Name or
ID entry is indicated by the resource directory table, which indicates
how many Name and ID entries follow it (remember that all the Name
entries precede all the ID entries for the table). All entries for the
table are sorted in ascending order: the Name entries by case-sensitive
string and the ID entries by numeric value.  Offsets are relative to the
address in the IMAGE_DIRECTORY_ENTRY_RESOURCE DataDirectory.

Offset

Size

Field

Description

0

4

Name Offset

The offset of a string that gives the Type, Name, or Language ID entry, depending on level of table.

0

4

Integer ID

A 32-bit integer that identifies the Type, Name, or Language ID entry.

4

4

Data Entry Offset

High bit 0. Address of a Resource Data entry (a leaf).

4

4

Subdirectory Offset

High bit 1. The lower 31 bits are the address of another resource directory table (the next level down).

Section Header Fields

Value Definition
0x00000020 Code section
0x00000040 Initialized data section
0x00000080 Uninitialized data section
0x04000000 Section cannot be cached
0x08000000 Section is not pageable
0x10000000 Section is shared
0x20000000 Executable section
0x40000000 Readable section
0x80000000 Writable section

 

个中涉及到多少个结构:

 

 

WINUSER.H

[cpp] view
plain
copy

 

  1. /* 
  2.  * Predefined Resource Types 
  3.  */  
  4. #define RT_CURSOR           MAKEINTRESOURCE(1)  
  5. #define RT_BITMAP           MAKEINTRESOURCE(2)  
  6. #define RT_ICON             MAKEINTRESOURCE(3)  
  7. #define RT_MENU             MAKEINTRESOURCE(4)  
  8. #define RT_DIALOG           MAKEINTRESOURCE(5)  
  9. #define RT_STRING           MAKEINTRESOURCE(6)  
  10. #define RT_FONTDIR          MAKEINTRESOURCE(7)  
  11. #define RT_FONT             MAKEINTRESOURCE(8)  
  12. #define RT_ACCELERATOR      MAKEINTRESOURCE(9)  
  13. #define RT_RCDATA           MAKEINTRESOURCE(10)  
  14. #define RT_MESSAGETABLE     MAKEINTRESOURCE(11)  

At the top level of the tree, the MAKEINTRESOURCE values listed above
are placed in the Name field of each type entry, identifying the
different resources by type.

Each of the entries in the root directory points to a sibling node in
the second level of the tree. These nodes are directories, too, each
having their own entries. At this level, the directories are used to
identify the name of each resource within a given type. If you had
multiple menus defined in your application, there would be an entry for
each one here at the second level of the tree.

As you are probably already aware, resources can be identified by name
or by integer. They are distinguished in this level of the tree via
the Name field in the directory structure. If the most significant bit
of the Name field is set, the other 31 bits are used as an offset to
an IMAGE_RESOURCE_DIR_STRING_U structure.

 

Resource Directory String

The resource directory
string area consists of Unicode strings, which are word-aligned. These
strings are stored together after the last Resource Directory entry and
before the first Resource Data entry. This minimizes the impact of these
variable-length strings on the alignment of the fixed-size directory
entries. Each resource directory string has the following format:

Offset

Size

Field

Description

0

2

Length

The size of the string, not including length field itself.

2

variable

Unicode String

The variable-length Unicode string data, word-aligned.

Resource Data Entry

Each Resource Data entry describes an actual unit of raw data in the
Resource Data area. A Resource Data entry has the following format:

Offset

Size

Field

Description

  0

4

Data RVA

The address of a unit of resource data in the Resource Data area.

  4

4

Size

The size, in bytes, of the resource data that is pointed to by the Data RVA field.

  8

4

Codepage

The code page that is used to decode code point values within the resource data. Typically, the code page would be the Unicode code page.

12

4

Reserved, must be 0.

] 1一.能源表结构,pe结构
能源表是二个树形结构,能够设置成二的三十一回方的层数,Windows 使用了三级:
类型-名称-语言 在那之中涉及到④…

PEFILE.H

#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a                 + /
    ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE + /
    sizeof (IMAGE_FILE_HEADER)))

The optional header contains most of the meaningful information about
the executable image, such as initial stack size, program entry point
location, preferred base address, operating system version, section
alignment information, and so forth.
The IMAGE_OPTIONAL_HEADER structure represents the optional header
as follows:

Data

Description

Resource Directory Tables (and Resource Directory Entries)

A series of tables, one for each group of nodes in the tree. All top-level (Type) nodes are listed in the first table. Entries in this table point to second-level tables. Each second-level tree has the same Type ID but different Name IDs. Third-level trees have the same Type and Name IDs but different Language IDs.

Each individual table is immediately followed by directory entries, in which each entry has a name or numeric identifier and a pointer to a data description or a table at the next lower level.

Resource Directory Strings

Two-byte-aligned Unicode strings, which serve as string data that is pointed to by directory entries.

Resource Data Description

An array of records, pointed to by tables, that describe the actual size and location of the resource data. These records are the leaves in the resource-description tree.

Resource Data

Raw data of the resource section. The size and location information in the Resource Data Descriptions field delimit the individual regions of resource data.

 

 

Summary of the PE File Format

The PE file format for Windows NT introduces a completely new structure
to developers familiar with the Windows and MS-DOS environments. Yet
developers familiar with the UNIX environment will find that the PE file
format is similar to, if not based on, the COFF specification.

The entire format consists of an MS-DOS MZ header, followed by a
real-mode stub program, the PE file signature, the PE file header, the
PE optional header, all of the section headers, and finally, all of the
section bodies.

The optional header ends with an array of data directory entries that
are relative virtual addresses to data directories contained within
section bodies. Each data directory indicates how a specific section
body’s data is structured.

The PE file format has eleven predefined sections, as is common to
applications for Windows NT, but each application can define its own
unique sections for code and data.

The .debug predefined section also has the capability of being stripped
from the file into a separate debug file. If so, a special debug header
is used to parse the debug file, and a flag is specified in the PE file
header to indicate that the debug data has been stripped.

Resource Directory String

The resource directory
string area consists of Unicode strings, which are word-aligned. These
strings are stored together after the last Resource Directory entry and
before the first Resource Data entry. This minimizes the impact of these
variable-length strings on the alignment of the fixed-size directory
entries. Each resource directory string has the following format:

Offset

Size

Field

Description

0

2

Length

The size of the string, not including length field itself.

2

variable

Unicode String

The variable-length Unicode string data, word-aligned.

Resource Directory Table

Each resource directory
table has the following format. This data structure should be considered
the heading of a table because the table actually consists of directory
entries (described in section 6.9.2, “Resource Directory Entries”) and
this structure:

Offset Size Field Description
0 4 Characteristics Resource flags. This field is reserved for future use. It is currently set to zero.
4 4 Time/Date Stamp The time that the resource data was created by the resource compiler.
8 2 Major Version The major version number, set by the user.
10 2 Minor Version The minor version number, set by the user.
12 2 Number of Name Entries The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).
14 2 Number of ID Entries The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

 

WINNT.H

[cpp] view
plain
copy

 

  1. // Directory Entries  
  2.   
  3. // Export Directory  
  4. #define IMAGE_DIRECTORY_ENTRY_EXPORT         0  
  5. // Import Directory  
  6. #define IMAGE_DIRECTORY_ENTRY_IMPORT         1  
  7. // Resource Directory  
  8. #define IMAGE_DIRECTORY_ENTRY_RESOURCE       2  
  9. // Exception Directory  
  10. #define IMAGE_DIRECTORY_ENTRY_EXCEPTION      3  
  11. // Security Directory  
  12. #define IMAGE_DIRECTORY_ENTRY_SECURITY       4  
  13. // Base Relocation Table  
  14. #define IMAGE_DIRECTORY_ENTRY_BASERELOC      5  
  15. // Debug Directory  
  16. #define IMAGE_DIRECTORY_ENTRY_DEBUG          6  
  17. // Description String  
  18. #define IMAGE_DIRECTORY_ENTRY_COPYRIGHT      7  
  19. // Machine Value (MIPS GP)  
  20. #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR      8  
  21. // TLS Directory  
  22. #define IMAGE_DIRECTORY_ENTRY_TLS            9  
  23. // Load Configuration Directory  
  24. #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10  

Each data directory is basically a structure defined as
an IMAGE_DATA_DIRECTORY . And although data directory entries
themselves are the same, each specific directory type is entirely
unique. The definition of each defined data directory is described in
“Predefined Sections” later in this article.

图片 1

Resource Directory Entries

The directory entries
make up the rows of a table. Each resource directory entry has the
following format. Whether the entry is a Name or ID entry is indicated
by the resource directory table, which indicates how many Name and ID
entries follow it (remember that all the Name entries precede all the ID
entries for the table). All entries for the table are sorted in
ascending order: the Name entries by case-sensitive string and the ID
entries by numeric value.  Offsets are relative to the address in the
IMAGE_DIRECTORY_ENTRY_RESOURCE DataDirectory.

Offset

Size

Field

Description

0

4

Name Offset

The offset of a string that gives the Type, Name, or Language ID entry, depending on level of table.

0

4

Integer ID

A 32-bit integer that identifies the Type, Name, or Language ID entry.

4

4

Data Entry Offset

High bit 0. Address of a Resource Data entry (a leaf).

4

4

Subdirectory Offset

High bit 1. The lower 31 bits are the address of another resource directory table (the next level down).

PE Optional Header

The next 224 bytes in the executable file make up the PE optional
header. Though its name is “optional header,” rest assured that this is
not an optional entry in PE executable files. A pointer to the optional
header is obtained with the OPTHDROFFSET macro:

类型->名称->语言

财富表是一个树形结构,可以安装成二的三10七回方的层数,Windows 使用了叁级:

WINNT.H

[cpp] view
plain
copy

 

  1. typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {  
  2.     ULONG   Name;  
  3.     ULONG   OffsetToData;  
  4. } IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;  

The two fields are used for different things depending on the level of
the tree. The Name field is used to identify either a type of
resource, a resource name, or a resource’s language ID.
The OffsetToData field is always used to point to a sibling in the
tree, either a directory node or a leaf node.

Leaf nodes are the lowest node in the resource tree. They define the
size and location of the actual resource data. Each leaf node is
represented using the
following IMAGE_RESOURCE_DATA_ENTRY structure:

 

Data

Description

Resource Directory Tables (and Resource Directory Entries)

A series of tables, one for each group of nodes in the tree. All top-level (Type) nodes are listed in the first table. Entries in this table point to second-level tables. Each second-level tree has the same Type ID but different Name IDs. Third-level trees have the same Type and Name IDs but different Language IDs.

Each individual table is immediately followed by directory entries, in which each entry has a name or numeric identifier and a pointer to a data description or a table at the next lower level.

Resource Directory Strings

Two-byte-aligned Unicode strings, which serve as string data that is pointed to by directory entries.

Resource Data Description

An array of records, pointed to by tables, that describe the actual size and location of the resource data. These records are the leaves in the resource-description tree.

Resource Data

Raw data of the resource section. The size and location information in the Resource Data Descriptions field delimit the individual regions of resource data.

PEFILE.H

#define NTSIGNATURE(a) ((LPVOID)((BYTE *)a +    /
                        ((PIMAGE_DOS_HEADER)a)->e_lfanew))

When manipulating PE file information, I found that there were several
locations in the file that I needed to refer to often. Since these
locations are merely offsets into the file, it is easier to implement
these locations as macros because they provide much better performance
than functions do.

Notice that instead of retrieving the offset of the PE file header, this
macro retrieves the location of the PE file signature. Starting with
Windows and OS/2 executables, .EXE files were given file signatures to
specify the intended target operating system. For the PE file format in
Windows NT, this signature occurs immediately before the PE file header
structure. In versions of Windows and OS/2, the signature is the first
word of the file header. Also, for the PE file format, Windows NT uses a
DWORD for the signature.

The macro presented above returns the offset of where the file signature
appears, regardless of which type of executable file it is. So depending
on whether it’s a Windows NT file signature or not, the file header
exists either after the signature DWORD or at the signature WORD. To
resolve this confusion, I wrote the ImageFileType function
(following), which returns the type of image file:

 

图片 2

WINNT.H

[cpp] view
plain
copy

 

  1. typedef struct _IMAGE_DEBUG_DIRECTORY {  
  2.     ULONG   Characteristics;  
  3.     ULONG   TimeDateStamp;  
  4.     USHORT  MajorVersion;  
  5.     USHORT  MinorVersion;  
  6.     ULONG   Type;  
  7.     ULONG   SizeOfData;  
  8.     ULONG   AddressOfRawData;  
  9.     ULONG   PointerToRawData;  
  10. } IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;  

The section is divided into separate portions of data representing
different types of debug information. For each one there is a debug
directory described above. The different types of debug information are
listed below:

 

 

Debug information section, .debug

Debug information is initially placed in the .debug section. The PE file
format also supports separate debug files (normally identified with a
.DBG extension) as a means of collecting debug information in a central
location. The debug section contains the debug information, but the
debug directories live in the .rdata section mentioned earlier. Each of
those directories references debug information in the .debug section.
The debug directory structure is defined as
an IMAGE_DEBUG_DIRECTORY , as follows:

相关文章

发表评论

电子邮件地址不会被公开。 必填项已用*标注

网站地图xml地图