[PE Structure Analysis] 11. Resource table structure, PE structure

In the DataDirectory (data directory table) of the IMAGE_OPTIONAL_HEADER32 structure in the PE file header, the second member points to the import table. Each DLL that is linked in corresponds to one element of an array of IMAGE_IMPORT_DESCRIPTOR structures (called IID for short).

The resource table is a tree structure that can be set up with as many as 2^31 levels; Windows uses three levels:


Type -> Name -> Language

It involves four structures:

Resource Directory Tables (and Resource Directory Entries)

A series of tables, one for each group of nodes in the tree. All top-level (Type) nodes are listed in the first table. Entries in this table point to second-level tables. Each second-level tree has the same Type ID but different Name IDs. Third-level trees have the same Type and Name IDs but different Language IDs.

Each individual table is immediately followed by directory entries, in which each entry has a name or numeric identifier and a pointer to a data description or a table at the next lower level.

Resource Directory Strings

Two-byte-aligned Unicode strings, which serve as string data that is pointed to by directory entries.

Resource Data Description

An array of records, pointed to by tables, that describe the actual size and location of the resource data. These records are the leaves in the resource-description tree.

Resource Data

Raw data of the resource section. The size and location information in the Resource Data Descriptions field delimit the individual regions of resource data.

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;            // 0 for terminating null import descriptor
        DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    } DUMMYUNIONNAME;
    DWORD   TimeDateStamp;                  // 0 if not bound,
                                            // -1 if bound, and real date\time stamp
                                            // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                            // O.W. date/time stamp of DLL bound to (Old BIND)

    DWORD   ForwarderChain;                 // -1 if no forwarders
    DWORD   Name;
    DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;


Resource Directory Table

Each resource directory table has the following format. This data
structure should be considered the heading of a table because the table
actually consists of directory entries (described in section 6.9.2,
“Resource Directory Entries”) and this structure:

Offset | Size | Field | Description
0 | 4 | Characteristics | Resource flags. This field is reserved for future use. It is currently set to zero.
4 | 4 | Time/Date Stamp | The time that the resource data was created by the resource compiler.
8 | 2 | Major Version | The major version number, set by the user.
10 | 2 | Minor Version | The minor version number, set by the user.
12 | 2 | Number of Name Entries | The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).
14 | 2 | Number of ID Entries | The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

In this IID array, the number of entries is not given (that is, it is not stated explicitly how many linked files there are); instead, the array ends with an IID that is entirely NULL (0) as the terminator.

[Figure 1]

Only the more important fields are excerpted below:

Resource Directory Entries

The directory entries make up the rows of a table. Each resource
directory entry has the following format. Whether the entry is a Name or
ID entry is indicated by the resource directory table, which indicates
how many Name and ID entries follow it (remember that all the Name
entries precede all the ID entries for the table). All entries for the
table are sorted in ascending order: the Name entries by case-sensitive
string and the ID entries by numeric value.  Offsets are relative to the
address in the IMAGE_DIRECTORY_ENTRY_RESOURCE DataDirectory.

Offset | Size | Field | Description
0 | 4 | Name Offset | The offset of a string that gives the Type, Name, or Language ID entry, depending on level of table.
0 | 4 | Integer ID | A 32-bit integer that identifies the Type, Name, or Language ID entry.
4 | 4 | Data Entry Offset | High bit 0. Address of a Resource Data entry (a leaf).
4 | 4 | Subdirectory Offset | High bit 1. The lower 31 bits are the address of another resource directory table (the next level down).

OriginalFirstThunk

It points to the first thunk, an IMAGE_THUNK_DATA, which holds the address of the Hint and Function name.


Name

It is the relative virtual address of the DLL name (translator's note: an RVA to a null-terminated ASCII string that is the name of the imported DLL, e.g. KERNEL32.DLL).

Resource Directory String

The resource directory string area consists of Unicode strings, which
are word-aligned. These strings are stored together after the last
Resource Directory entry and before the first Resource Data entry. This
minimizes the impact of these variable-length strings on the alignment
of the fixed-size directory entries. Each resource directory string has
the following format:

Offset | Size | Field | Description
0 | 2 | Length | The size of the string, not including the length field itself.
2 | variable | Unicode String | The variable-length Unicode string data, word-aligned.

FirstThunk

It holds the virtual address of the array of first thunks defined by IMAGE_THUNK_DATA; the loader initializes these thunks with the functions' virtual addresses.

When OriginalFirstThunk is absent, it points to the first thunk: the thunks holding the Hints and the Function names.

Below is an explanation of OriginalFirstThunk and FirstThunk. As I personally understand it:

1. In the file, each of them holds an RVA. Converting those addresses to file offsets, each corresponds to an array whose elements are IMAGE_THUNK_DATA, and both arrays are terminated by an IMAGE_THUNK_DATA filled with 0. Although the two tables sit at different locations, their contents are in fact identical. At this point each IMAGE_THUNK_DATA element points to an IMAGE_IMPORT_BY_NAME structure that records the function name and the corresponding DLL file name.

2. Why are there two identical arrays? There is a reason:

The array pointed to by OriginalFirstThunk is usually called the hint-name table (HNT); it is kept when the PE is loaded into memory and is never modified. After Windows has loaded the PE into memory, however, Windows rewrites the contents of the array elements pointed to by FirstThunk, so that each IMAGE_THUNK_DATA in that array no longer refers to an IMAGE_IMPORT_BY_NAME element carrying a function description, but points directly to the function's address. At that point, the array pointed to by FirstThunk is called the Import Address Table (IAT).

Before rewriting:

[Figure 2]

After rewriting:

[Figure 3]

(Source of the two figures above: )

typedef struct _IMAGE_THUNK_DATA32 {
    union {
        DWORD ForwarderString;      // PBYTE  RVA of a forwarder string
        DWORD Function;             // PDWORD memory address of the imported function
        DWORD Ordinal;              // ordinal of the imported API
        DWORD AddressOfData;        // PIMAGE_IMPORT_BY_NAME  points to an IMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;

Converting the virtual address held by _IMAGE_THUNK_DATA32 to a file offset yields the actual _IMAGE_IMPORT_BY_NAME data:

typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD   Hint;     // ordinal hint
    CHAR   Name[1];  // actually a variable-length, 0-terminated string
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;

For example, given the program:

[Figure 4]

Text version:

#include <windows.h>
int WINAPI WinMain(_In_ HINSTANCE hInstance, 
    _In_opt_ HINSTANCE hPrevInstance,
    _In_ LPSTR lpCmdLine,
    _In_ int nShowCmd)
{
    MessageBoxA(0, "hello", "my message", MB_OK);
    SetWindowTextA(0, "Si Wang");

    return 0;
}

This program uses two Windows APIs: MessageBoxA and SetWindowTextA.

Compile it to obtain the program (to simplify the explanation, the section positions are calculated by the tool):

[Figure 5]

[Figure 6]

Let us try to find MessageBoxA. First parse the PE header and locate the position of the import table in the file:

[Figure 7]

The import table lies in the .rdata section. 0x2264 - 0x2000 = 0x0264 gives the offset within the section; adding the section's file position 0x0E00 gives the actual file offset (0x0E00 + 0x264 = 0x1064): 0x1064.

Next, look at offset 0x1064:

[Figure 8]

Here we obtain the descriptors of several DLLs; the last _IMAGE_IMPORT_DESCRIPTOR is filled with 0 to mark the end:

So we only need to inspect the data for each DLL one by one to find it. I had already looked through all of the data, and it is in the first DLL.

Converting the OriginalFirstThunk value 0x2350 from the first DLL descriptor, we find the _IMAGE_THUNK_DATA32 array at file offset 0x1150; the data pointed to by FirstThunk is identical:

[Figure 9]

Thus we obtain the information about MessageBoxA in the file.

Finally, in memory, the _IMAGE_THUNK_DATA32 array at the address pointed to by FirstThunk is rewritten after Windows loads the image and becomes the so-called IAT (Import Address Table). Viewing the runtime state with OllyDbg:

[Figure 10]
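As an added example (not code from the original article), the following Python script reconstructs the walk just described: it builds a small constructed image whose .rdata section, import directory RVA and thunk RVAs mirror the numbers above (.rdata at RVA 0x2000 / file offset 0x0E00, import directory at RVA 0x2264, OriginalFirstThunk at 0x2350), converts RVAs to file offsets through the section table, walks the IID array until the all-zero terminator, and follows OriginalFirstThunk to each IMAGE_IMPORT_BY_NAME. The DLL names, hint values and the ordinal-only import are constructed sample values, and the PE headers themselves are not parsed; the script starts from the section and data-directory values the article reads from the headers. It also goes a little beyond the article: it handles ordinal imports (high bit set in the thunk), falls back to FirstThunk when OriginalFirstThunk is 0, and reports whether the HNT and the on-disk IAT match, which is what one expects for an unbound file and a cheap sanity check when triaging a binary whose import table may have been edited.

```python
import struct

# Constructed layout mirroring the article's numbers: .rdata at RVA 0x2000 maps to
# file offset 0x0E00, and the import directory sits at RVA 0x2264 (file offset 0x1064).
RDATA_VA, RDATA_RAW, RDATA_SIZE = 0x2000, 0x0E00, 0x400
SECTIONS = [(".rdata", RDATA_VA, RDATA_SIZE, RDATA_RAW)]  # (name, VirtualAddress, size, PointerToRawData)
IMPORT_DIR_RVA = 0x2264

IID_FMT = "<IIIII"   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IID_SIZE = struct.calcsize(IID_FMT)   # 20 bytes
ORDINAL_FLAG32 = 0x80000000           # IMAGE_ORDINAL_FLAG32: the thunk holds an ordinal, not an RVA


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; reject RVAs outside every section."""
    for _name, va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def read_cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def read_thunks(buf, rva, sections):
    """Read a null-terminated IMAGE_THUNK_DATA32 array starting at rva."""
    off, values = rva_to_offset(rva, sections), []
    while True:
        (value,) = struct.unpack_from("<I", buf, off)
        if value == 0:
            return values
        values.append(value)
        off += 4


def describe_thunk(buf, value, sections):
    """Ordinal import if the high bit is set, otherwise an RVA to an IMAGE_IMPORT_BY_NAME."""
    if value & ORDINAL_FLAG32:
        return ("ordinal", value & 0xFFFF)
    off = rva_to_offset(value, sections)
    (hint,) = struct.unpack_from("<H", buf, off)      # WORD Hint
    return ("name", hint, read_cstr(buf, off + 2))    # CHAR Name[] follows the hint


def parse_imports(buf, import_dir_rva, sections):
    """Walk the IID array until the all-zero descriptor and resolve each DLL's thunks."""
    off, result = rva_to_offset(import_dir_rva, sections), []
    while True:
        oft, stamp, fwd, name_rva, ft = struct.unpack_from(IID_FMT, buf, off)
        if not any((oft, stamp, fwd, name_rva, ft)):
            return result
        hnt = read_thunks(buf, oft or ft, sections)   # OriginalFirstThunk == 0: names live in FirstThunk
        iat = read_thunks(buf, ft, sections)
        result.append({
            "dll": read_cstr(buf, rva_to_offset(name_rva, sections)),
            "OriginalFirstThunk": oft, "FirstThunk": ft,
            "functions": [describe_thunk(buf, v, sections) for v in hnt],
            "hnt_matches_iat": hnt == iat,   # expected True for an unbound image on disk
        })
        off += IID_SIZE


def build_sample_image():
    """Constructed .rdata contents: two descriptors plus the zero terminator (sample values)."""
    buf = bytearray(RDATA_RAW + RDATA_SIZE)

    def put(rva, data):
        o = rva_to_offset(rva, SECTIONS)
        buf[o:o + len(data)] = data

    put(0x2264, struct.pack(IID_FMT, 0x2350, 0, 0, 0x2380, 0x2300)
              + struct.pack(IID_FMT, 0x23C0, 0, 0, 0x23E0, 0x2320)
              + bytes(IID_SIZE))
    user32 = struct.pack("<III", 0x2390, 0x23A0, 0)   # HNT and IAT hold the same RVAs on disk
    put(0x2350, user32)
    put(0x2300, user32)
    put(0x2380, b"USER32.dll\0")
    put(0x2390, struct.pack("<H", 0x281) + b"MessageBoxA\0")      # hint values are constructed
    put(0x23A0, struct.pack("<H", 0x350) + b"SetWindowTextA\0")
    kernel32 = struct.pack("<III", ORDINAL_FLAG32 | 0x10, 0x23F0, 0)   # one ordinal-only import
    put(0x23C0, kernel32)
    put(0x2320, kernel32)
    put(0x23E0, b"KERNEL32.dll\0")
    put(0x23F0, struct.pack("<H", 0x120) + b"ExitProcess\0")
    return bytes(buf)


if __name__ == "__main__":
    for entry in parse_imports(build_sample_image(), IMPORT_DIR_RVA, SECTIONS):
        print(entry["dll"], entry["functions"], "HNT == IAT:", entry["hnt_matches_iat"])
```

The section-table lookup is the step the article performs by hand (0x2264 - 0x2000 + 0x0E00 = 0x1064); doing it through a function that rejects RVAs outside every section is what keeps a parser from reading garbage when a descriptor has been corrupted or deliberately malformed.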


Resource Data Entry

Each Resource Data entry describes an actual unit of raw data in the
Resource Data area. A Resource Data entry has the following format:

Offset | Size | Field | Description
0 | 4 | Data RVA | The address of a unit of resource data in the Resource Data area.
4 | 4 | Size | The size, in bytes, of the resource data that is pointed to by the Data RVA field.
8 | 4 | Codepage | The code page that is used to decode code point values within the resource data. Typically, the code page would be the Unicode code page.
12 | 4 | Reserved | Reserved, must be 0.
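As an added example (not code from the original article), the following Python script walks the three-level Type -> Name -> Language tree using exactly the four formats described above: the directory table header, the 8-byte directory entries with their high-bit rule (1 = subdirectory, 0 = data entry), the length-prefixed UTF-16 directory strings, and the 16-byte data entry whose Data RVA is image-relative. The .rsrc section bytes are constructed inline (one named type "MYDATA" and one numeric type 10, a section RVA of 0x3000, and the resource payloads are all sample values). The walker also checks what the tables promise: named entries must precede ID entries, every offset must stay inside the section, and the tree must not exceed three levels, which is how a self-referencing subdirectory offset in a malformed file is caught instead of recursing forever.

```python
import struct

RSRC_VA = 0x3000      # constructed: RVA where the .rsrc section (and the root table) begins
DIR_FMT = "<IIHHHH"   # Characteristics, TimeDateStamp, MajorVersion, MinorVersion, NumberOfNamedEntries, NumberOfIdEntries
ENTRY_FMT = "<II"     # Name (string offset | integer ID), OffsetToData (subdirectory | data entry)
DATA_FMT = "<IIII"    # Data RVA, Size, Codepage, Reserved
HIGH_BIT = 0x80000000
MAX_DEPTH = 3         # Type -> Name -> Language; anything deeper is malformed


def _need(rsrc, off, size, what):
    """Bounds check: every offset in the tree must stay inside the resource section."""
    if off < 0 or off + size > len(rsrc):
        raise ValueError(f"{what} at {off:#x} runs past the resource section")


def read_dir_string(rsrc, off):
    """Length-prefixed UTF-16LE string; the length counts characters, not bytes."""
    _need(rsrc, off, 2, "string length")
    (length,) = struct.unpack_from("<H", rsrc, off)
    _need(rsrc, off + 2, 2 * length, "string data")
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def walk_directory(rsrc, off=0, depth=0, path=()):
    """Yield (path, (data_rva, size, codepage)) for every leaf below the table at off."""
    if depth > MAX_DEPTH:
        raise ValueError("resource tree deeper than 3 levels (possible self-referencing offset)")
    _need(rsrc, off, 16, "directory table")
    _, _, _, _, n_named, n_id = struct.unpack_from(DIR_FMT, rsrc, off)
    entry_off = off + 16                       # entries immediately follow the table header
    for index in range(n_named + n_id):
        _need(rsrc, entry_off, 8, "directory entry")
        name, target = struct.unpack_from(ENTRY_FMT, rsrc, entry_off)
        entry_off += 8
        is_named = bool(name & HIGH_BIT)
        if is_named != (index < n_named):      # all Name entries precede all ID entries
            raise ValueError("entry kind disagrees with the Name/ID counts in the table header")
        key = read_dir_string(rsrc, name & 0x7FFFFFFF) if is_named else name & 0xFFFF
        if target & HIGH_BIT:                  # high bit 1: lower 31 bits locate the next-level table
            yield from walk_directory(rsrc, target & 0x7FFFFFFF, depth + 1, path + (key,))
        else:                                  # high bit 0: offset of a Resource Data entry (leaf)
            _need(rsrc, target, 16, "data entry")
            rva, size, codepage, _reserved = struct.unpack_from(DATA_FMT, rsrc, target)
            yield path + (key,), (rva, size, codepage)


def resource_bytes(rsrc, rva, size):
    """Data RVA is image-relative, so subtract the section RVA to index the section bytes."""
    off = rva - RSRC_VA
    _need(rsrc, off, size, "resource data")
    return rsrc[off:off + size]


def list_resources(rsrc):
    """Map each (Type, Name, Language) path to its raw resource bytes."""
    return {path: resource_bytes(rsrc, rva, size) for path, (rva, size, _cp) in walk_directory(rsrc)}


def build_sample_rsrc():
    """Constructed .rsrc section: named type "MYDATA" and ID type 10, one Name and one Language each."""
    buf = bytearray(0x220)

    def table(off, n_named, n_id):
        struct.pack_into(DIR_FMT, buf, off, 0, 0, 0, 0, n_named, n_id)

    def entry(off, name, target):
        struct.pack_into(ENTRY_FMT, buf, off, name, target)

    table(0x00, 1, 1)                                # level 1: Type
    entry(0x10, HIGH_BIT | 0xC0, HIGH_BIT | 0x20)    # named type (string at 0xC0) -> table at 0x20
    entry(0x18, 10, HIGH_BIT | 0x40)                 # ID type 10 -> table at 0x40
    table(0x20, 0, 1)                                # level 2: Name
    entry(0x30, 101, HIGH_BIT | 0x60)
    table(0x40, 0, 1)
    entry(0x50, 1, HIGH_BIT | 0x80)
    table(0x60, 0, 1)                                # level 3: Language -> data entry (leaf)
    entry(0x70, 0x0409, 0xA0)
    table(0x80, 0, 1)
    entry(0x90, 0x0409, 0xB0)
    struct.pack_into(DATA_FMT, buf, 0xA0, RSRC_VA + 0x200, 5, 0, 0)
    struct.pack_into(DATA_FMT, buf, 0xB0, RSRC_VA + 0x210, 8, 0, 0)
    text = "MYDATA".encode("utf-16-le")
    buf[0xC0:0xC2] = struct.pack("<H", len("MYDATA"))
    buf[0xC2:0xC2 + len(text)] = text
    buf[0x200:0x205] = b"hello"                      # constructed resource payloads
    buf[0x210:0x218] = b"resource"
    return bytes(buf)


if __name__ == "__main__":
    for path, data in list_resources(build_sample_rsrc()).items():
        print(path, data)
```

On the constructed section the walker yields ("MYDATA", 101, 0x0409) and (10, 1, 0x0409) with their payloads; pointing a language entry back at the root table (offset 0 with the high bit set) makes the depth guard raise instead of looping.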


