
[PE Structure Analysis] 10. Base Relocation

April 5, 2019


DOS header:
![](https://upload-images.jianshu.io/upload_images/5676193-1017ee68ff187eb6.png)

ELF

The ELF standard classifies the files in a system that use the ELF format into several types:

The overall layout of an ELF file is roughly as follows:

ELF Header
.text
.data
.bss
… other section
Section header table
String Tables, Symbol Tables,..

| Constant | Value | Description |
|---|---|---|
| IMAGE_REL_BASED_ABSOLUTE | 0 | The base relocation is skipped. This type can be used to pad a block. |
| IMAGE_REL_BASED_HIGH | 1 | The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word. |
| IMAGE_REL_BASED_LOW | 2 | The base relocation adds the low 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the low half of a 32-bit word. |
| IMAGE_REL_BASED_HIGHLOW | 3 | The base relocation applies all 32 bits of the difference to the 32-bit field at offset. |
| IMAGE_REL_BASED_HIGHADJ | 4 | The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word. The low 16 bits of the 32-bit value are stored in the 16-bit word that follows this base relocation. This means that this base relocation occupies two slots. |
| IMAGE_REL_BASED_MIPS_JMPADDR | 5 | The relocation interpretation is dependent on the machine type. When the machine type is MIPS, the base relocation applies to a MIPS jump instruction. |
| IMAGE_REL_BASED_ARM_MOV32 | 5 | This relocation is meaningful only when the machine type is ARM or Thumb. The base relocation applies the 32-bit address of a symbol across a consecutive MOVW/MOVT instruction pair. |
| IMAGE_REL_BASED_RISCV_HIGH20 | 5 | This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the high 20 bits of a 32-bit absolute address. |
| | 6 | Reserved, must be zero. |
| IMAGE_REL_BASED_THUMB_MOV32 | 7 | This relocation is meaningful only when the machine type is Thumb. The base relocation applies the 32-bit address of a symbol to a consecutive MOVW/MOVT instruction pair. |
| IMAGE_REL_BASED_RISCV_LOW12I | 7 | This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V I-type instruction format. |
| IMAGE_REL_BASED_RISCV_LOW12S | 8 | This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V S-type instruction format. |
| IMAGE_REL_BASED_MIPS_JMPADDR16 | 9 | The relocation is only meaningful when the machine type is MIPS. The base relocation applies to a MIPS16 jump instruction. |
| IMAGE_REL_BASED_DIR64 | 10 | The base relocation applies the difference to the 64-bit field at offset. |
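As an added example (not code from the original post or from any tool it mentions), the Python below walks a .reloc section the way a loader does: it parses the IMAGE_BASE_RELOCATION blocks (page RVA, SizeOfBlock, then 16-bit entries with the type in the high 4 bits and the page offset in the low 12 bits) and applies the ABSOLUTE, HIGHLOW and DIR64 types from the table above to an image loaded at a base other than ImageBase. The image, the pointer values and the relocation block are constructed inline, and all function names are my own.

```python
import struct

# Relocation type values from the table above (PE/COFF specification)
IMAGE_REL_BASED_ABSOLUTE = 0
IMAGE_REL_BASED_HIGHLOW = 3
IMAGE_REL_BASED_DIR64 = 10


def parse_reloc_blocks(reloc_data):
    """Walk a .reloc section: a run of IMAGE_BASE_RELOCATION blocks.

    Each block is DWORD VirtualAddress (page RVA) + DWORD SizeOfBlock,
    followed by (SizeOfBlock - 8) / 2 WORD entries whose high 4 bits are the
    type and low 12 bits the offset within that page.
    Yields (page_rva, type, offset) for every entry.
    """
    pos = 0
    while pos + 8 <= len(reloc_data):
        page_rva, size = struct.unpack_from("<II", reloc_data, pos)
        if size == 0:
            break  # zero padding at the end of the section
        if size < 8 or size % 2 or pos + size > len(reloc_data):
            raise ValueError("malformed relocation block at 0x%x" % pos)
        count = (size - 8) // 2
        for entry in struct.unpack_from("<%dH" % count, reloc_data, pos + 8):
            yield page_rva, entry >> 12, entry & 0xFFF
        pos += size


def apply_relocations(image, reloc_data, image_base, actual_base):
    """Patch `image` (a bytearray indexed by RVA) for a load at actual_base.

    delta is the "difference" the table refers to: HIGHLOW adds it to a 32-bit
    field, DIR64 to a 64-bit field, ABSOLUTE entries are skipped (padding).
    Returns the number of fixups applied.
    """
    delta = actual_base - image_base
    applied = 0
    for page_rva, rtype, offset in parse_reloc_blocks(reloc_data):
        rva = page_rva + offset
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            fmt, mask = "<I", 0xFFFFFFFF
        elif rtype == IMAGE_REL_BASED_DIR64:
            fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
        else:
            raise ValueError("unsupported relocation type %d at RVA 0x%x" % (rtype, rva))
        if rva + struct.calcsize(fmt) > len(image):
            raise ValueError("fixup at RVA 0x%x runs past the end of the image" % rva)
        (value,) = struct.unpack_from(fmt, image, rva)
        struct.pack_into(fmt, image, rva, (value + delta) & mask)
        applied += 1
    return applied


def build_demo():
    """Constructed input (not from a real binary): a 0x3000-byte image whose
    page at RVA 0x2000 holds three absolute pointers assuming ImageBase
    0x400000, plus the matching relocation block."""
    image_base = 0x400000
    image = bytearray(0x3000)
    for off, target in ((0x2010, 0x1000), (0x2020, 0x2100), (0x2030, 0x0040)):
        struct.pack_into("<I", image, off, image_base + target)
    # One block for page 0x2000: three HIGHLOW entries plus one ABSOLUTE entry
    # so that SizeOfBlock (8 + 2 * 4 = 16) stays DWORD-aligned.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x030,
               (IMAGE_REL_BASED_ABSOLUTE << 12) | 0]
    block = struct.pack("<II", 0x2000, 8 + 2 * len(entries))
    block += struct.pack("<%dH" % len(entries), *entries)
    return image, block + bytes(8), image_base  # trailing zero block = padding


def demo(actual_base=0x10000000):
    """Relocate the demo image to actual_base and return
    (fixups applied, pointer1, pointer2, pointer3)."""
    image, reloc, image_base = build_demo()
    n = apply_relocations(image, reloc, image_base, actual_base)
    ptrs = [struct.unpack_from("<I", image, off)[0] for off in (0x2010, 0x2020, 0x2030)]
    return (n, *ptrs)


if __name__ == "__main__":
    print(["0x%x" % v for v in demo()])
```

When the actual base equals ImageBase the delta is zero and every pointer is left unchanged, which is why a loader can skip the whole .reloc walk in that case; the bounds checks on SizeOfBlock and on the fixup target are what keep a malformed relocation table from writing outside the mapped image.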

Analyzing a common DLL: the zlib.dll file shipped with QQ (in the bin folder of the QQ installation directory):

File header

RVA to RAW

Understanding PE
The most important part is understanding how the file is mapped from disk addresses to memory addresses. Only someone who knows this well can trace a program's call flow and locations while reversing, and analyze it and look for vulnerabilities.

The mapping between the file and memory is actually very simple; it is computed from one simple formula:

The conversion formula is:

RAW - PointerToRawData = RVA - VirtualAddress

The lookup process is: first find the section the RVA lies in, then compute the file offset with the formula. Because our reverse-engineering tools let us locate the RVA in memory, we can then calculate the corresponding position in the file and edit it by hand.

Looking back at the notepad++ we just loaded, V Addr there is in fact VirtualAddress, and R offset is PointerToRawData.

Suppose our RVA is 5000. The calculation is: check the sections, find that it falls in .text, 5000 - 1000 + 400 = 4400, and that is RAW 00004400. In practice, because our ImageBase is 00400000, the address we see in memory when decompiling is 00405000.

Next, the core content of the PE header: the IAT and EAT, that is, the Import Address Table and the Export Address Table.


in the .DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size member


Section headers

The PE section header reuses the COFF section header structure directly, as mentioned above. Looking at the section headers of notepad++, we can get every section's name and its information; here we can use some tools to view them, which is very convenient:

The meaning of the offset types is as follows:

Conclusions about the structures in PE that are arrays of structs:

.text section: the code section
.data section: the data section
.bss section: uninitialized data, for example static variables
.rdata section: read-only data, for example string literals
……
.reloc section: the section that stores the base relocation information
Which section each kind of variable is stored in:
constants ——————>.rdata section
static variables————->.bss section
global variables————–>.data section
Several important fields in the section table:
VirtualAddress: the relative virtual address of this section
SizeofRawData: the size of this section on disk, after file alignment
PointerToRawData: the file offset of this section, that is, where this section starts in the disk file
One important formula:
offset(target)=RVA(the RVA to convert)-RVA(the RVA of the section it lies in)+offset(that is, PointerToRawData)

PE files

Now let's look at the far more common PE file format. PE is in fact essentially the same as ELF: it also uses a section-based layout, and PE likewise allows programmers to place variables or functions in custom sections through the GCC `__attribute__((section("name")))` extension attribute.

The predecessor of PE is COFF, so before analyzing PE let's first look at the COFF file format, which is defined in WinNT.h.

The COFF file layout is almost identical to ELF:

Image Header
SectionTable Image_SECTION_HEADER
.text
.data
.drectve
.debug$S
… other sections
Symbol Table

The file header is defined in WinNT.h; let's open it and take a look:

We can see that this file header is practically the same as ELF's: the file header also defines the number of sections, the location of the symbol table, the size of the Optional Header (we saw this Optional Header earlier; it is part of the file header of a PE executable), as well as the section attributes and so on.

Following the file header is the COFF section table, whose structure is named IMAGE_SECTION_HEADER:

Its attributes include the following, no different from ELF:


The PE header covers everything from the DOS header up to the end of the section table, right before the .text section begins:
![](https://upload-images.jianshu.io/upload_images/5676193-cfbc56c21cd7568f.png)

NT headers

Now to the main topic. We also saw PE in HEditor; this block is where we formally enter the territory of PE.

This is the 32-bit PE file header definition; the 64-bit one is adjusted accordingly. The first member is the signature, the "PE" we saw, as we said, which corresponds to 50450000h.

There are two things in here. The first is the COFF file header we saw before, embedded here directly; we will not analyze it again.

Look at the second one, IMAGE_OPTIONAL_HEADER. The name does not mean that this header is optional; rather, some of its fields are optional, while others are required, and without them the file cannot run:

There are several members that deserve close attention; all of them are essential for the file to run:

  1. Magic: the magic number, 10B for the 32-bit struct and 20B for the 64-bit struct.
  2. AddressOfEntryPoint: holds the RVA of the EP, the starting address of the code where the program begins execution, that is, the program entry point.
  3. ImageBase: the virtual memory range of a process is 0-FFFFFFFF (32-bit). The PE file is loaded into this memory, and ImageBase indicates the file's preferred load address.
  4. SectionAlignment, FileAlignment: the Body of the PE file is divided into several sections; FileAlignment specifies the minimum unit of a section in the disk file, and SectionAlignment specifies the minimum unit of a section in memory.
  5. SizeOfImage: specifies the amount of space the PE image occupies in virtual memory.
  6. SizeOfHeaders: the size of the PE header.
  7. Subsystem: used to distinguish system driver files from ordinary executables.
  8. NumberOfRvaAndSizes: specifies the number of entries in the DataDirectory array. Although it is the last value and the recommended count is 16, the PE loader still determines the array size by reading this value. As for what DataDirectory is, see below.
  9. DataDirectory: an array made up of IMAGE_DATA_DIRECTORY structs; every element of the array has a defined meaning. Some important entries are EXPORT/IMPORT/RESOURCE, and the TLS directory is the one to focus on.
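The following Python is an added example, not code from the original post, and it serves both the RVA-to-RAW formula from the section-table discussion and the list of optional-header fields above. It builds a constructed PE32 header blob (ImageBase 0x400000, .text at RVA 0x1000 / file offset 0x400, the same numbers as the notepad++ walkthrough, plus a .reloc section), parses the members listed above (sizing the directory array from NumberOfRvaAndSizes instead of assuming 16 entries, as the text says the loader does), and converts an RVA to a file offset by locating its section. The header blob, the section values and all function names are my own assumptions.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the .reloc directory entry
SECTION_HEADER = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes


def build_demo_headers():
    """Constructed PE32 header blob (not from any real binary): ImageBase
    0x400000 with .text at RVA 0x1000 / file offset 0x400, the numbers used in
    the notepad++ walkthrough, plus a .reloc section at RVA 0x6000. The .text
    VirtualSize (0x4A00) exceeds its SizeOfRawData (0x4800): that tail exists in
    memory only and has no file offset."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> NT headers
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: 32-bit
    struct.pack_into("<I", opt, 16, 0x1234)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x7000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x6000, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack(SECTION_HEADER, b".text", 0x4A00, 0x1000, 0x4800, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HEADER, b".reloc", 0x40, 0x6000, 0x200, 0x4C00, 0, 0, 0, 0, 0x42000040)
    blob = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    return blob + bytes(0x400 - len(blob))            # pad to SizeOfHeaders


def parse_pe(data):
    """Read the DOS header, NT headers and section table described in the text."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndir_off, dir_off = 92, 96
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at +24 (no BaseOfData)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndir_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    hdr = {
        "magic": magic,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
        "section_alignment": struct.unpack_from("<I", data, opt + 32)[0],
        "file_alignment": struct.unpack_from("<I", data, opt + 36)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
    }
    # Size the directory array from NumberOfRvaAndSizes, as the loader does,
    # instead of assuming the usual 16 entries.
    ndirs = struct.unpack_from("<I", data, opt + ndir_off)[0]
    hdr["data_directory"] = [struct.unpack_from("<II", data, opt + dir_off + 8 * i)
                             for i in range(ndirs)]
    sec_off = opt + opt_size   # the section table follows the optional header
    hdr["sections"] = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        hdr["sections"].append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                                "virtual_address": va, "size_of_raw_data": rawsize,
                                "pointer_to_raw_data": rawptr})
    return hdr


def rva_to_raw(hdr, rva):
    """RAW = RVA - VirtualAddress + PointerToRawData, using the section that
    contains rva. An RVA inside the headers maps 1:1; an RVA that falls past a
    section's raw data (zero-filled in memory only) has no file offset -> None."""
    if rva < hdr["size_of_headers"]:
        return rva
    for s in hdr["sections"]:
        span = max(s["virtual_size"], s["size_of_raw_data"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            off = rva - s["virtual_address"]
            return s["pointer_to_raw_data"] + off if off < s["size_of_raw_data"] else None
    return None


if __name__ == "__main__":
    h = parse_pe(build_demo_headers())
    print("RVA 0x5000 -> RAW 0x%x, VA 0x%x" % (rva_to_raw(h, 0x5000), h["image_base"] + 0x5000))
```

With these headers, RVA 5000 lands in .text and converts to file offset 4400, and adding ImageBase gives the in-memory address 405000, matching the walkthrough; an RVA with no backing section, or one in the memory-only tail of a section, deliberately yields None rather than a bogus offset, which is the check to keep in any patching script.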
