I finally finished reading Luevelsmeyer's pe.txt; thanks to ah007 for the translation.
At the end the translator says the real substance is in the appendix, so I made a few modifications and rebuilt a file from it, but no matter how I tweaked it, it would not run.
At first I assumed I had written something wrong somewhere, but running the hello.exe attached to the appendix gave an error too.
It seems 0x20 alignment does not work under XP. The appendix is simply too old...
Let me describe how I rewrote it.
1. First, write a simple piece of code
;MASMPlus code template - an ordinary Windows program
.386
.Model Flat, StdCall
Option Casemap :None
Include user32.inc
Include kernel32.inc
IncludeLib user32.lib
IncludeLib kernel32.lib
.data
MsgBoxText db "Hello.",0
MsgCaption db "Test",0
.CODE
START:
invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
invoke ExitProcess,NULL
END START
By the way, I am using MASMPlus, which can be downloaded from http://www.aogosoft.com/.
2. After compiling, look at the result in OD (OllyDbg)
00401000 >/$ 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401002 |. 68 07304000 push 00403007 ; |Title = "Test"
00401007 |. 68 00304000 push 00403000 ; |Text = "Hello."
0040100C |. 6A 00 push 0 ; |hOwner = NULL
0040100E |. E8 07000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401013 |. 6A 00 push 0 ; /ExitCode = 0
00401015 \. E8 06000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0040101A $- FF25 08204000 jmp dword ptr [<&user32.MessageBoxA>> ; user32.MessageBoxA
00401020 .- FF25 00204000 jmp dword ptr [<&kernel32.ExitProces> ; kernel32.ExitProcess
Good; from now on the code can simply be copied from this listing.
Note that it calls functions from two DLLs, which makes things slightly more complex.
Now look at the code from the original text again:
6A 00 ; push 0x00000000
68 d0 01 10 00 ; push offset _written
6A 0D ; push 0x0000000d
68 c0 01 10 00 ; push offset hello_string
6A F5 ; push 0xfffffff5
2E FF 15 28 02 10 00 ; call dword ptr cs:__imp__GetStdHandle@4
50 ; push eax
2E FF 15 24 02 10 00 ; call dword ptr cs:__imp__WriteConsoleA@20
C3 ; ret
Note the difference in the machine code of the two calls, E8 versus 2E: E8 is followed by a relative offset, and its target
0040101A $- FF25 08204000 jmp dword ptr [<&user32.MessageBoxA>> ; user32.MessageBoxA
is itself a jump through the import table, so the call is a trampoline to a trampoline. I do not want to write it that way; I will use 2E FF 15 (call dword ptr cs:[address]) instead.
A rough estimate: the code length stays within 0x20 bytes.
3. Create a Hello.exe and edit it with WinHex.
a) First, a rough plan.
File alignment 0x00000200;
Section alignment 0x00001000;
ImageBase 0x00400000;
Only two sections are needed: a code section (Raw: 0x200 / RVA: 0x1000) into which the code above goes,
and a data section (Raw: 0x400 / RVA: 0x2000) that starts with the two strings and is followed by the import directory.
So at most 0x600 bytes will do: open WinHex and add that many zero bytes.
Then the editing can begin.
b) DOS stub: this part is simple; all it needs is "MZ" and a value for e_lfanew.
00000000 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ..............
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ............@...
c) NT header: viewed like this it is bound to be baffling...
00000040 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 PE..L...........
00000050 00 00 00 00 E0 00 02 01 0B 01 00 00 20 00 00 00 ....?...... ...
00000060 D0 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ?..............
00000070 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
00000080 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
00000090 00 30 00 00 00 02 00 00 00 00 00 00 02 00 00 00 .0..............
000000A0 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
000000B0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 20 20 00 00 B0 00 00 00 00 00 00 00 00 00 00 00 ..?..........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 2E 63 6F 64 65 00 00 00 .........code...
00000140 00 00 00 00 00 10 00 00 20 00 00 00 00 02 00 00 ........ .......
00000150 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00000160 2E 64 61 74 61 00 00 00 00 00 00 00 00 20 00 00 .data........ ..
00000170 C0 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ?..............
00000180 00 00 00 00 40 00 00 C0 ....@..
Field by field:
Signature 0x4550 ; just type "PE" into WinHex's text pane
File header:
Machine 0x14c ; Intel 386
NumberOfSections 0x2 ; 2 sections
TimeDateStamp 0x0
PointerToSymbolTable 0x0
NumberOfSymbols 0x0
SizeOfOptionalHeader 0xe0 ; size of the optional header, always 0xe0
Characteristics 0x102 ; see the PE documentation for details
----------------------------------------
Optional header:
Magic 0x10b ; 32-bit
MajorLinkerVersion 0x0
MinorLinkerVersion 0x0
SizeOfCode 0x20 ; any value from 0x0 to 0xFFFFFFFF works
SizeOfInitializedData 0xd0 ; any value from 0x0 to 0xFFFFFFFF works
SizeOfUninitializedData 0x0
AddressOfEntryPoint 0x1000 ; entry point; here it is the RVA of the start of the code section
BaseOfCode 0x1000 ; RVA of the start of the code section
BaseOfData 0x2000 ; RVA of the start of the data section
ImageBase 0x400000 ; when writing the code, remember to add this base to the RVAs
SectionAlignment 0x1000 ; section alignment
FileAlignment 0x200 ; file alignment
MajorOperatingSystemVersion 0x4 ; NT 4.0
MinorOperatingSystemVersion 0x0
MajorImageVersion 0x0
MinorImageVersion 0x0
MajorSubsystemVersion 0x4 ; Win32 4.0
MinorSubsystemVersion 0x0
Reserved1 0x0
SizeOfImage 0x3000 ; see the note below
SizeOfHeaders 0x200 ; file offset of the first section
/*
A digression: the appendix of the original describes these two fields like this:
SizeOfImage c0 00 00 00 ; sum of all section sizes
SizeOfHeaders a0 01 00 00 ; offset to 1st section
This description is poor. First, "all sections" includes the headers as a section,
but "1st section" in the next line clearly means the first section after the headers.
The two uses of "section" are inconsistent.
I was misled by it: at first I put 0x2000 here, and the file did not load.
The explanation earlier in the original text is actually clearer:
...it is the sum of the lengths of all headers and sections.
*/
CheckSum 0x0
Subsystem 0x2 ; Windows GUI
DllCharacteristics 0x0
SizeOfStackReserve 0x100000 ; just use these values
SizeOfStackCommit 0x1000 ;
SizeOfHeapReserve 0x100000 ;
SizeOfHeapCommit 0x1000 ;
LoaderFlags 0x0
NumberOfRvaAndSizes 0x10 ; always this value: the number of data directories that follow
----------------------------------------
Data directories:
Directory 0
Size 0x0
VirtualAddress 0x0
----------------------------------------
Directory 1
Size 0xb0 ; any value from 0x0 to 0xFFFFFFFF works
VirtualAddress 0x2020 ; 0x20 bytes should be plenty for the two strings
----------------------------------------
. ; 14 more, all zero
.
.
----------------------------------------
Section headers
Section 0
Name .code ; section name
VirtualAddress 0x1000 ; location in memory
SizeOfRawData 0x20 ; any value from 0x1 to 0x1000 works
PointerToRawData 0x200 ; location in the file
PointerToRelocations 0x0
PointerToLinenumbers 0x0
NumberOfRelocations 0x0
NumberOfLinenumbers 0x0
Characteristics 0x60000020 ; see the PE documentation for details
----------------------------------------
Section 1
Name .data ; section name
VirtualAddress 0x2000 ; location in memory
SizeOfRawData 0xc0 ; just make it a little larger
PointerToRawData 0x400 ; location in the file
PointerToRelocations 0x0
PointerToLinenumbers 0x0
NumberOfRelocations 0x0
NumberOfLinenumbers 0x0
Characteristics 0xc0000040 ; see the PE documentation for details
----------------------------------------
The fields marked "any value" are all sizes.
For the .code section the size apparently does not matter, as long as it does not exceed the section's actual size.
The .data section is different: its size cannot be smaller than the data, but it can be larger; how much larger depends on the file size.
SizeOfCode 0x20 ; any value from 0x0 to 0xFFFFFFFF works
SizeOfInitializedData 0xd0 ; any value from 0x0 to 0xFFFFFFFF works
Directory 1
Size 0xb0 ; any value from 0x0 to 0xFFFFFFFF works
These three are a bit of an exaggeration, but the file runs normally.
c) Now we might as well skip the .code section and do the .data section first
00000400 50 45 D1 A7 CF B0 00 00 BF B4 B5 BD C4 E3 C1 CB PE学习..看到你了
00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000420 5C 20 00 00 00 00 00 00 FF FF FF FF 7C 20 00 00 \ ......ÿÿÿÿ| ..
00000430 64 20 00 00 6C 20 00 00 00 00 00 00 FF FF FF FF d ..l ......ÿÿÿÿ
00000440 8C 20 00 00 74 20 00 00 00 00 00 00 00 00 00 00 ?..t ..........
00000450 00 00 00 00 00 00 00 00 00 00 00 00 AC 20 00 00 ............?..
00000460 00 00 00 00 AC 20 00 00 00 00 00 00 BC 20 00 00 ....?......?..
00000470 00 00 00 00 BC 20 00 00 00 00 00 00 75 73 65 72 ....?......user
00000480 33 32 2E 64 6C 6C 00 00 00 00 00 00 6B 65 72 6E 32.dll......kern
00000490 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 el32.dll........
000004A0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 4D 65 ..............Me
000004B0 73 73 61 67 65 42 6F 78 41 00 00 00 02 00 45 78 ssageBoxA.....Ex
000004C0 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00 00 itProcess.......
000004D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000004E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000004F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
First come the two strings; note the terminating '\0' on each. Their addresses (ImageBase + RVA) are 0x00402000 and 0x00402008.
The import directory starts at file offset 0x420.
Since there are 2 DLLs, first reserve 3*0x14 = 0x3c bytes (two descriptors plus the all-zero terminator), and write the four FF bytes right away so the descriptors are easier to find later.
OriginalFirstThunk 0x205c
TimeDateStamp 0x0 ;
ForwarderChain 0xffffffff ; no forwarding
Name 0x207c
user32.dll
FirstThunk 0x2064
----------------------------------------
OriginalFirstThunk 0x206c
TimeDateStamp 0x0 ;
ForwarderChain 0xffffffff ; no forwarding
Name 0x208c
kernel32.dll
FirstThunk 0x2074
----------------------------------------
all zeros
----------------------------------------
After that I placed 4 thunk lists; note that the last element of each list is 0.
With that, the two OriginalFirstThunk and FirstThunk values above can be filled in.
Then come the two DLL names, so Name can be filled in.
Then the two IMAGE_IMPORT_BY_NAME structures:
WORD Hint ; any value
BYTE Name[1] ; function name
MessageBoxA belongs to user32.dll.
ExitProcess belongs to kernel32.dll.
With that, the thunks above can be filled in.
Good, the size of the data section is now settled too. Go back up and adjust it.
d) Finally, write the code.
00000200 6A 00 68 00 20 40 00 68 08 20 40 00 6A 00 2E FF j.h. @.h. @.j..ÿ
00000210 15 64 20 40 00 6A 00 2E FF 15 74 20 40 00 00 00 .d @.j..ÿ.t @...
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401000 >/$ 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401002 |. 68 00204000 push 00402000 ; |Title = "PEѧ?,B0,""
00401007 |. 68 08204000 push 00402008 ; |Text = "?,B4,"?,BD,"ÄãÁË"
0040100C |. 6A 00 push 0 ; |hOwner = NULL
0040100E |. 2E:FF15 64204000> call dword ptr cs:[<&user32.MessageBoxA> ; \MessageBoxA
00401015 |. 6A 00 push 0
00401017 \. 2E:FF15 74204000> call dword ptr cs:[<&kernel32.ExitProcess>] ; kernel32.ExitProcess
The code is simple: 00 20 40 00 is 0x00402000, the address of the first string.
Remember the little-endian "high-high, low-low" rule: high-order bytes go at the higher addresses, low-order bytes at the lower ones.
64 20 40 00 is 0x00402064, user32.dll's FirstThunk, which points to MessageBoxA.
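To make the layout above concrete, here is an added example (not code from the original post) that builds the same 0x600-byte file with Python's struct module, using the page's header values, and then walks its import directory by hand the way a PE reader would (descriptors, thunk lists, hint/name entries). Its one assumption is that both sections are padded to the 0x200 file alignment, so VirtualSize and SizeOfRawData are 0x200 rather than the page's 0x20 and 0xC0.

```python
import struct
IMAGE_BASE, CODE_RVA, DATA_RVA = 0x400000, 0x1000, 0x2000            # values from the walkthrough above

def code_section():
    """push 0; push &caption; push &text; push 0; call cs:[FT MessageBoxA]; push 0; call cs:[FT ExitProcess]"""
    va = lambda rva: struct.pack("<I", IMAGE_BASE + rva)          # little-endian: 00 20 40 00 is 0x00402000
    return (b"\x6A\x00\x68" + va(0x2000) + b"\x68" + va(0x2008) + b"\x6A\x00\x2E\xFF\x15" + va(0x2064)
            + b"\x6A\x00\x2E\xFF\x15" + va(0x2074))

def data_section():
    d = bytearray(0xCA)                                           # zero-filled, like the WinHex file
    d[0x00:0x07], d[0x08:0x11] = "PE学习".encode("gbk") + b"\0", "看到你了".encode("gbk") + b"\0"
    # import descriptors: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", d, 0x20, 0x205C, 0, 0xFFFFFFFF, 0x207C, 0x2064)   # user32.dll
    struct.pack_into("<5I", d, 0x34, 0x206C, 0, 0xFFFFFFFF, 0x208C, 0x2074)   # kernel32.dll; 0x48 stays zero
    for off, rva in ((0x5C, 0x20AC), (0x64, 0x20AC), (0x6C, 0x20BC), (0x74, 0x20BC)):
        struct.pack_into("<II", d, off, rva, 0)                   # each thunk list: one entry + 0 terminator
    d[0x7C:0x87], d[0x8C:0x99] = b"user32.dll\0", b"kernel32.dll\0"
    d[0xAC:0xBA] = struct.pack("<H", 1) + b"MessageBoxA\0"       # IMAGE_IMPORT_BY_NAME: WORD hint, name
    d[0xBC:0xCA] = struct.pack("<H", 2) + b"ExitProcess\0"
    return bytes(d)

def build_pe():
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)           # only MZ and e_lfanew matter
    nt = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0x20, 0xD0, 0, CODE_RVA, CODE_RVA, DATA_RVA,
                      IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # SizeOfImage 0x3000 = headers + 2 pages
    dirs = struct.pack("<4I", 0, 0, 0x2020, 0xB0) + bytes(14 * 8) # only directory 1 (imports) is used
    # section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    secs = struct.pack("<8s6I2HI", b".code", 0x200, CODE_RVA, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8s6I2HI", b".data", 0x200, DATA_RVA, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = (dos + nt + opt + dirs + secs).ljust(0x200, b"\0")      # SizeOfHeaders = offset of 1st section
    return hdr + code_section().ljust(0x200, b"\0") + data_section().ljust(0x200, b"\0")

def imports(pe):
    """Walk the import directory by hand, as a PE reader would: returns {dll: [function, ...]}."""
    u32 = lambda off: struct.unpack_from("<I", pe, off)[0]
    e_lfanew = u32(0x3C)
    _, _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<IHHIIIHH", pe, e_lfanew)
    secs = [struct.unpack_from("<8s6I2HI", pe, e_lfanew + 24 + opt_size + 40 * i) for i in range(nsec)]
    raw = lambda rva: next(rva - s[2] + s[4] for s in secs if s[2] <= rva < s[2] + s[3])  # RVA -> file offset
    cstr = lambda off: pe[off:pe.index(b"\0", off)].decode()
    out, off = {}, raw(u32(e_lfanew + 24 + 104))                   # data directory 1 = imports
    while any(struct.unpack_from("<5I", pe, off)):                 # all-zero descriptor ends the list
        oft, _, _, name, ft = struct.unpack_from("<5I", pe, off)
        t, names = raw(oft or ft), []                              # OriginalFirstThunk, else FirstThunk
        while u32(t):                                              # 0 terminates each thunk list
            names.append(cstr(raw(u32(t)) + 2)); t += 4            # skip the WORD hint before the name
        out[cstr(raw(name))], off = names, off + 20
    return out
```

Writing `build_pe()` to disk gives a file whose header bytes from offset 0x40 to 0xC8 match the WinHex dump above byte for byte, and `imports()` reproduces what OllyDbg showed: MessageBoxA from user32.dll and ExitProcess from kernel32.dll.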
Other notes:
While learning the PE format I wrote some C code to read the PE structures, which helped a great deal.
winnt.h contains the PE structure definitions, but at first including it produced a whole row of errors.
It turns out <windows.h> has to be included as well.
Finally finished; wrapping up...