📄 chap8-1-5.htm.primary
字号:
<html>
<head>
<title>Crack Tutorial</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link rel="stylesheet" href="style/css.css" type="text/css">
<link rel="stylesheet" href="../STYLE/Css.css" type="text/css">
</head>
<body bgcolor="white" text="#000000" link="#004080" vlink="#004080" background="../image/Back.gif">
<p><a href="../catalog.htm">目录</a>>>第8章</p>
<p align="center" class="shadow1Copy"><b class="p3">第8章 压缩与脱壳</b></p>
<table width="80%" border="0" cellspacing="0" cellpadding="3" align="center" bgcolor="#bcbcbc" bordercolor="#111111" class="shadow1">
<tr>
<td class="shadow1" width="20%">
<div align="center"><a href="Chap8-1.htm"><font color="#FFFFFF">第一节 PE文件格式</font></a></div>
</td>
<td class="shadow1" width="20%">
<div align="center"><a href="Chap8-2.htm"><font color="#FFFFFF">第二节 认识脱壳</font></a></div>
</td>
<td class="shadow1" width="20%">
<div align="center"><a href="Chap8-3-1.htm"><font color="#FFFFFF">第三节 自动脱壳</font></a></div>
</td>
<td class="shadow1" width="20%">
<div align="center"><a href="Chap8-4.htm"><font color="#FFFFFF">第四节 手动脱壳</font></a></div>
</td>
<td class="shadow1" width="20%">
<div align="center"><a href="Chap8-5.htm"><font color="#FFFFFF">第五节 脱壳高级篇</font></a></div>
</td>
</tr>
</table>
<p align="center"><span class="p9"><b>第一节 PE文件格式</b></span></p>
<table width="80%" border="1" align="center" bgcolor="#efefef" cellpadding="5" cellspacing="0" bordercolor="#111111">
<tr>
<td>1、<a href="Chap8-1-1.htm">PE文件格式一览 </a></td>
<td>2、<a href="Chap8-1-2.htm">检验PE文件的有效性 </a> </td>
<td><span class="p9"><span class="p9">3、<span class="p9"><a href="Chap8-1-3.htm">File
Header(文件头)</a></span></span></span></td>
<td>4、<a href="Chap8-1-4.htm">Optional Header</a></td>
</tr>
<tr>
<td>5、<a href="Chap8-1-5.htm">Section Table</a></td>
<td>6、<a href="Chap8-1-6.htm">Import Table</a></td>
<td>7、<a href="Chap8-1-7.htm">Export Table</a></td>
<td> </td>
</tr>
</table>
<h1 align="center"><font color="#000000">PE教程5: Section Table(节表)</font></h1>
<p><font size="2" color="#000000">请下载 </font><font color="#000000"><a href="technology/PE-tut05.zip"><font
size="2">范例</font></a><font size="2">。</font></font></p>
<h3><font color="#000000">理论<font face="MS Sans Serif">:</font></font></h3>
<p><font size="2" color="#000000">到本课为止,我们已经学了许多关于 </font><font size="2" face="MS Sans Serif" color="#000000">DOS
header </font><font size="2" color="#000000">和 </font><font size="2" face="MS Sans Serif" color="#000000">PE
header </font><font size="2" color="#000000">的知识。接下来就该轮到 </font><font size="2" face="MS Sans Serif" color="#000000">section
table</font><font size="2" color="#000000">(节表)了。节表其实就是紧挨着 </font><font size="2" face="MS Sans Serif" color="#000000">PE
header </font><font size="2" color="#000000">的一结构数组。该数组成员的数目由 </font><font size="2" face="MS Sans Serif" color="#000000">file
header (<b>IMAGE_FILE_HEADER</b>) </font><font size="2" color="#000000">结构中
</font><font color="#000000" size="2" face="MS Sans Serif"><b>NumberOfSections</b>
</font><font size="2" color="#000000">域的域值来决定。节表结构又命名为 </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b></font><font size="2" color="#000000">。</font></p>
<p><font size="2" face="MS Sans Serif" color="#000000"><b>IMAGE_SIZEOF_SHORT_NAME
equ 8 </b></font></p>
<p><font size="2" face="MS Sans Serif" color="#000000"><b>IMAGE_SECTION_HEADER
STRUCT <br>
Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?) <br>
union Misc <br>
PhysicalAddress dd ? <br>
VirtualSize dd ? <br>
ends <br>
VirtualAddress dd ? <br>
SizeOfRawData dd ? <br>
PointerToRawData dd ? <br>
PointerToRelocations dd ? <br>
PointerToLinenumbers dd ? </b></font><font size="2" color="#000000"><b>哦<br>
</b></font><font size="2" face="MS Sans Serif" color="#000000"><b> NumberOfRelocations
dw ? <br>
NumberOfLinenumbers dw ? <br>
Characteristics dd ? <br>
IMAGE_SECTION_HEADER ENDS </b></font></p>
<p><font size="2" color="#000000">同样,不是所有成员都是很有用的,我们只关心那些真正重要的。</font></p>
<table border="1" cellpadding="2">
<tr>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>Field</b></font></th>
<th bgcolor="#006666"><font size="2" face="MS Sans Serif" color="#FFFFFF">Meanings</font></th>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>Name1</b></font></td>
<td align="center" bgcolor="#003333"><font size="2" color="#FFFFFF">事实上本域的名称是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">"name"</font><font size="2" color="#FFFFFF">,只是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">"name"</font><font size="2" color="#FFFFFF">已被</font><font size="2" face="MS Sans Serif" color="#FFFFFF">MASM</font><font size="2" color="#FFFFFF">用作关键字,所以我们只能用</font><font size="2" face="MS Sans Serif" color="#FFFFFF">"Name1"</font><font size="2" color="#FFFFFF">代替。这儿的节名长不超过</font><font size="2" face="MS Sans Serif" color="#FFFFFF">8</font><font size="2" color="#FFFFFF">字节。记住节名仅仅是个标记而已,我们选择任何名字甚至空着也行,注意这里不用</font><font size="2" face="MS Sans Serif" color="#FFFFFF">null</font><font size="2" color="#FFFFFF">结束。命名<b><font color="#FF3399">不是</font></b>一个</font><font size="2" face="MS Sans Serif" color="#FFFFFF">ASCIIZ</font><font size="2" color="#FFFFFF">字符串,所以不用</font><font size="2" face="MS Sans Serif" color="#FFFFFF">null</font><font size="2" color="#FFFFFF">结尾。</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>VirtualAddress</b></font></td>
<td align="center" bgcolor="#003333"><font size="2" color="#FFFFFF">本节的</font><font size="2" face="MS Sans Serif" color="#FFFFFF">RVA</font><font size="2" color="#FFFFFF">(相对虚拟地址)。</font><font size="2" face="MS Sans Serif" color="#FFFFFF">PE</font><font size="2" color="#FFFFFF">装载器将节映射至内存时会读取本值,因此如果域值是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">1000h</font><font size="2" color="#FFFFFF">,而</font><font size="2" face="MS Sans Serif" color="#FFFFFF">PE</font><font size="2" color="#FFFFFF">文件装在地址</font><font size="2" face="MS Sans Serif" color="#FFFFFF">400000h</font><font size="2" color="#FFFFFF">处,那么本节就被载到</font><font size="2" face="MS Sans Serif" color="#FFFFFF">401000h</font><font size="2" color="#FFFFFF">。</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>SizeOfRawData</b></font></td>
<td align="center" bgcolor="#003333"><font size="2" color="#FFFFFF">经过文件对齐处理后节尺寸,</font><font size="2" face="MS Sans Serif" color="#FFFFFF">PE</font><font size="2" color="#FFFFFF">装载器提取本域值了解需映射入内存的节字节数。(译者注</font><font size="2" face="MS Sans Serif" color="#FFFFFF">:
</font><font size="2" color="#FFFFFF">假设一个文件的文件对齐尺寸是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">0x200</font><font size="2" color="#FFFFFF">,如果前面的</font><font size="2" face="MS Sans Serif" color="#FFFFFF"><b> VirtualSize</b></font><font size="2" color="#FFFFFF">域指示本节长度是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">0x388</font><font size="2" color="#FFFFFF">字节,则本域值为</font><font size="2" face="MS Sans Serif" color="#FFFFFF">0x400</font><font size="2" color="#FFFFFF">,表示本节是</font><font size="2" face="MS Sans Serif" color="#FFFFFF">0x400</font><font size="2" color="#FFFFFF">字节长)。</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>PointerToRawData</b></font></td>
<td align="center" bgcolor="#003333"><font size="2" color="#FFFFFF">这是节基于文件的偏移量,</font><font size="2" face="MS Sans Serif" color="#FFFFFF">PE</font><font size="2" color="#FFFFFF">装载器通过本域值找到节数据在文件中的位置。</font></td>
</tr>
<tr>
<td align="center" bgcolor="#003333"><font size="2" face="MS Sans Serif" color="#FFFFFF"><b>Characteristics</b></font></td>
<td align="center" bgcolor="#003333"><font size="2" color="#FFFFFF">包含标记以指示节属性,比如节是否含有可执行代码、初始化数据、未初始数据,是否可写、可读等。</font></td>
</tr>
</table>
<p><font size="2" color="#000000">现在我们已知晓 </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_SECTION_HEADER</b>
</font><font size="2" color="#000000">结构,再来模拟一下 </font><font size="2" face="MS Sans Serif" color="#000000">PE</font><font size="2" color="#000000">装载器的工作吧</font><font size="2" face="MS Sans Serif" color="#000000">:</font></p>
<ol>
<li><font size="2" color="#000000">读取 </font><font color="#000000" size="2" face="MS Sans Serif"><b>IMAGE_FILE_HEADER</b>
</font><font size="2" color="#000000">的 </font><font color="#000000" size="2" face="MS Sans Serif"><b>NumberOfSections</b></font><font size="2" color="#000000">域,知道文件的节数目。</font></li>
<li><font color="#000000" size="2" face="MS Sans Serif"><b>SizeOfHeaders</b>
</font><font size="2" color="#000000">域值作为节表的文件偏移量,并以此定位节表。</font></li>
<li><font size="2" color="#000000">遍历整个结构数组检查各成员值。</font></li>
<li><font size="2" color="#000000">对于每个结构,我们读取</font><font color="#000000" size="2" face="MS Sans Serif"><b>PointerToRawData</b></font><font size="2" color="#000000">域值并定位到该文件偏移量。然后再读取</font><font color="#000000" size="2" face="MS Sans Serif"><b>SizeOfRawData</b></font><font size="2" color="#000000">域值来决定映射内存的字节数。将</font><font color="#000000" size="2" face="MS Sans Serif"><b>VirtualAddress</b></font><font size="2" color="#000000">域值加上</font><font color="#000000" size="2" face="MS Sans Serif"><b>ImageBase</b></font><font size="2" color="#000000">域值等于节起始的虚拟地址。然后就准备把节映射进内存,并根据</font><font color="#000000" size="2" face="MS Sans Serif"><b>Characteristics</b></font><font size="2" color="#000000">域值设置属性。</font></li>
<li><font size="2" color="#000000">遍历整个数组,直至所有节都已处理完毕。</font></li>
</ol>
<p><font size="2" color="#000000">注意我们并没有使用节名</font><font size="2" face="MS Sans Serif" color="#000000">:
</font><font size="2" color="#000000">这其实并不重要。</font></p>
<h3><font color="#000000">示例<font face="Arial, Helvetica, sans-serif">:</font></font></h3>
<p><font size="2" color="#000000">本例程打开一</font><font size="2" face="MS Sans Serif" color="#000000">PE</font><font size="2" color="#000000">文件遍历其节表,并在列表框控件显示各节的信息。</font></p>
<p><font face="Fixedsys" color="#000000">.386 <br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
include \masm32\include\comctl32.inc <br>
includelib \masm32\lib\comctl32.lib <br>
includelib \masm32\lib\user32.lib <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
<br>
IDD_SECTIONTABLE equ 104 <br>
IDC_SECTIONLIST equ 1001 <br>
<br>
SEH struct </font></p>
<p><font face="Fixedsys" color="#000000"><br>
PrevLink dd ? ; the address of the previous seh structure <br>
CurrentHandler dd ? ; the address of the new exception handler <br>
SafeOffset dd ? ; The offset where it's safe to continue execution <br>
PrevEsp dd ? ; the old value in esp <br>
PrevEbp dd ? ; The old value in ebp <br>
SEH ends <br>
<br>
.data <br>
AppName db "PE tutorial no.5",0 <br>
ofn OPENFILENAME <> <br>
FilterString db "Executable Files (*.exe, *.dll)",0,"*.exe;*.dll",0
<br>
db
"All Files",0,"*.*",0,0 <br>
FileOpenError db "Cannot open the file for reading",0 <br>
FileOpenMappingError db "Cannot open the file for memory mapping",0
<br>
FileMappingError db "Cannot map the file into memory",0 <br>
FileInValidPE db "This file is not a valid PE",0 <br>
template db "%08lx",0 <br>
SectionName db "Section",0 <br>
VirtualSize db "V.Size",0 <br>
VirtualAddress db "V.Address",0 <br>
SizeOfRawData db "Raw Size",0 <br>
RawOffset db "Raw Offset",0 <br>
Characteristics db "Characteristics",0 <br>
<br>
.data? <br>
hInstance dd ? <br>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -