📄 pe-tut5.html
字号:
<html>
<head>
<title>Iczelion's PE Tutorial 5: Section Table</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#003366" text="#FFFFFF" link="#FFFFCC" vlink="#FFCCCC" alink="#CCFFCC">
<h1 align="center"><font face="Arial, Helvetica, sans-serif" color="#FFFFCC">Tutorial
5: Section Table</font></h1>
<p><font face="MS Sans Serif" size="-1">Download <a href="files/PE-tut05.zip">the
example</a>.</font></p>
<h3><font face="MS Sans Serif">Theory:</font></h3>
<p><font face="MS Sans Serif" size="-1">Up to this tutorial, we learned about
the DOS header, the PE header. What remains is the section table. A section
table is actually an array of structure immediately following the PE header.
The number of the array members is determined by <font color="#FFFFCC"><b>NumberOfSections</b></font>
field in the file header (<font color="#CCFFCC"><b>IMAGE_FILE_HEADER</b></font>)
structure. The structure is called <font color="#CCFFCC"><b>IMAGE_SECTION_HEADER</b></font>.</font></p>
<p><font face="MS Sans Serif" size="-1"><b>IMAGE_SIZEOF_SHORT_NAME equ 8 </b></font></p>
<p><font face="MS Sans Serif" size="-1"><b>IMAGE_SECTION_HEADER STRUCT <br>
Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?) <br>
union Misc <br>
PhysicalAddress dd ? <br>
VirtualSize dd ? <br>
ends <br>
VirtualAddress dd ? <br>
SizeOfRawData dd ? <br>
PointerToRawData dd ? <br>
PointerToRelocations dd ? <br>
PointerToLinenumbers dd ? <br>
NumberOfRelocations dw ? <br>
NumberOfLinenumbers dw ? <br>
Characteristics dd ? <br>
IMAGE_SECTION_HEADER ENDS </b></font></p>
<p><font face="MS Sans Serif" size="-1">Again, not all members are useful. I'll
describe only the ones that are really important.</font></p>
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#006666">
<th><b><font face="MS Sans Serif" size="-1">Field</font></b></th>
<th><font face="MS Sans Serif" size="-1">Meanings</font></th>
</tr>
<tr bgcolor="#003333">
<td><b><font face="MS Sans Serif" size="-1">Name1</font></b></td>
<td><font face="MS Sans Serif" size="-1">Actually the name of this field is
"name" but the word "name" is an MASM keyword so we
have to use "Name1" instead. This member contains the name of
the section. Note that the maximum length is 8 bytes. The name is just a
label, nothing more. You can use any name or even leave this field blank.
Note that there is no mention of the terminating null. The name is<font color="#FF0000"><b>
not </b></font>an ASCIIZ string so don't expect it to be terminated with
a null.</font></td>
</tr>
<tr bgcolor="#003333">
<td><b><font face="MS Sans Serif" size="-1">VirtualAddress</font></b></td>
<td><font face="MS Sans Serif" size="-1">The RVA of the section. The PE loader
examines and uses the value in this field when it's mapping the section
into memory. Thus if the value in this field is 1000h and the PE file is
loaded at 400000h, the section will be loaded at 401000h.</font></td>
</tr>
<tr bgcolor="#003333">
<td><b><font face="MS Sans Serif" size="-1">SizeOfRawData</font></b></td>
<td><font face="MS Sans Serif" size="-1">The size of the section's data rounded
up to the next multiple of file alignment. The PE loader examines the value
in this field so it knows how many bytes in the section it should map into
memory.</font></td>
</tr>
<tr bgcolor="#003333">
<td><b><font face="MS Sans Serif" size="-1">PointerToRawData</font></b></td>
<td><font face="MS Sans Serif" size="-1">The file offset of the beginning
of the section. The PE loader uses the value in this field to find where
the data in the section is in the file.</font></td>
</tr>
<tr bgcolor="#003333">
<td><b><font face="MS Sans Serif" size="-1">Characteristics</font></b></td>
<td><font face="MS Sans Serif" size="-1">Contains flags such as whether this
section contains executable code, initialized data, uninitialized data,
can it be written to or read from.</font></td>
</tr>
</table>
<p><font face="MS Sans Serif" size="-1">Now that we know about <font color="#CCFFCC"><b>IMAGE_SECTION_HEADER</b></font>
structure, let's see how we can emulate the PE loader's job:</font></p>
<ol>
<li><font face="MS Sans Serif" size="-1">Read <font color="#FFFFCC"><b>NumberOfSections</b></font>
in<font color="#CCFFCC"><b> IMAGE_FILE_HEADER</b></font> so we know how many
sections there are in the file.</font></li>
<li><font face="MS Sans Serif" size="-1">Use the value in <font color="#CCFFCC"><b>SizeOfHeaders</b></font>
as the file offset of the section table and moves the file pointer to that
offset.</font></li>
<li><font face="MS Sans Serif" size="-1">Walk the structure array, examining
each member.</font></li>
<li><font face="MS Sans Serif" size="-1">For each structure, we obtain the value
in <font color="#FFFFCC"><b>PointerToRawData</b></font> and move the file
pointer to that offset. Then we read the value in <font color="#FFFFCC"><b>SizeOfRawData
</b></font>so we know how many bytes we should map into memory. Read the value
in <font color="#FFFFCC"><b>VirtualAddress</b></font> and add the value in
<font color="#FFFFCC"> <b>ImageBase</b></font> to it to get the virtual address
the section should start from. And then we are ready to map the section into
memory and mark the attribute of the memory according to the flags in <font color="#FFFFCC"><b>Characteristics</b></font>.</font></li>
<li><font face="MS Sans Serif" size="-1">Walk the array until all the sections
are processed.</font></li>
</ol>
<p><font face="MS Sans Serif" size="-1">Note that we didn't make use the the name
of the section: it's not really necessary.</font></p>
<h3><font face="Arial, Helvetica, sans-serif">Example:</font></h3>
<p><font face="MS Sans Serif" size="-1">This example opens a PE file and walks
the section table, showing the information about the sections in a listview
control. </font></p>
<p><font face="Fixedsys">.386 <br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
include \masm32\include\comctl32.inc <br>
includelib \masm32\lib\comctl32.lib <br>
includelib \masm32\lib\user32.lib <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
<br>
IDD_SECTIONTABLE equ 104 <br>
IDC_SECTIONLIST equ 1001 <br>
<br>
SEH struct <br>
PrevLink dd ? ; the address of the previous seh structure <br>
CurrentHandler dd ? ; the address of the new exception handler <br>
SafeOffset dd ? ; The offset where it's safe to continue execution <br>
PrevEsp dd ? ; the old value in esp <br>
PrevEbp dd ? ; The old value in ebp <br>
SEH ends <br>
<br>
.data <br>
AppName db "PE tutorial no.5",0 <br>
ofn OPENFILENAME <> <br>
FilterString db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0 <br>
db
"All Files",0,"*.*",0,0 <br>
FileOpenError db "Cannot open the file for reading",0 <br>
FileOpenMappingError db "Cannot open the file for memory mapping",0 <br>
FileMappingError db "Cannot map the file into memory",0 <br>
FileInValidPE db "This file is not a valid PE",0 <br>
template db "%08lx",0 <br>
SectionName db "Section",0 <br>
VirtualSize db "V.Size",0 <br>
VirtualAddress db "V.Address",0 <br>
SizeOfRawData db "Raw Size",0 <br>
RawOffset db "Raw Offset",0 <br>
Characteristics db "Characteristics",0 <br>
<br>
.data? <br>
hInstance dd ? <br>
buffer db 512 dup(?) <br>
hFile dd ? <br>
hMapping dd ? <br>
pMapping dd ? <br>
ValidPE dd ? <br>
NumberOfSections dd ? <br>
<br>
.code <br>
start proc <br>
LOCAL seh:SEH <br>
invoke GetModuleHandle,NULL <br>
mov hInstance,eax <br>
mov ofn.lStructSize,SIZEOF ofn <br>
mov ofn.lpstrFilter, OFFSET FilterString <br>
mov ofn.lpstrFile, OFFSET buffer <br>
mov ofn.nMaxFile,512 <br>
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES
or OFN_EXPLORER or OFN_HIDEREADONLY <br>
invoke GetOpenFileName, ADDR ofn <br>
.if eax==TRUE <br>
invoke CreateFile, addr buffer, GENERIC_READ,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL <br>
.if eax!=INVALID_HANDLE_VALUE <br>
mov hFile, eax <br>
invoke CreateFileMapping, hFile,
NULL, PAGE_READONLY,0,0,0 <br>
.if eax!=NULL <br>
mov hMapping,
eax <br>
invoke MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
<br>
.if eax!=NULL
<br>
mov
pMapping,eax <br>
assume fs:nothing <br>
push fs:[0] <br>
pop seh.PrevLink <br>
mov seh.CurrentHandler,offset SEHHandler <br>
mov seh.SafeOffset,offset FinalExit <br>
lea eax,seh <br>
mov fs:[0], eax <br>
mov seh.PrevEsp,esp <br>
mov seh.PrevEbp,ebp <br>
mov edi, pMapping <br>
assume edi:ptr IMAGE_DOS_HEADER <br>
.if [edi].e_magic==IMAGE_DOS_SIGNATURE <br>
add edi, [edi].e_lfanew <br>
assume
edi:ptr IMAGE_NT_HEADERS <br>
.if [edi].Signature==IMAGE_NT_SIGNATURE <br>
mov ValidPE, TRUE <br>
.else
<br>
mov ValidPE, FALSE <br>
.endif <br>
.else <br>
mov
ValidPE,FALSE <br>
.endif <br>
FinalExit: <br>
push
seh.PrevLink <br>
pop fs:[0] <br>
.if ValidPE==TRUE <br>
call ShowSectionInfo <br>
.else <br>
invoke MessageBox, 0, addr FileInValidPE, addr AppName, MB_OK+MB_ICONINFORMATION
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -