久久综合伊人噜噜色,日本三级香港三级人妇电影精品,亚洲中文色资源,国产高清一区二区三区人妖

      <small id="r7w9x"></small>

          <td id="r7w9x"></td><sub id="r7w9x"><menu id="r7w9x"><samp id="r7w9x"></samp></menu></sub>
        2. 

          4. <th id="r7w9x"></th>
          1. 

            



    
            
    
    
    



            

            

            


            

            


            

            

            

            

            


            

            

            



 找回密碼

            

            



 注冊(cè)

            

            




            


            

            QQ登錄
            

            只需一步,快速開(kāi)始
            

            

            

            

            



            

            



            

            



            







            

            


            



            

            

            


            





            

            

            


            




            

            
關(guān)于PE下可執(zhí)行程序的修改!

            

[復(fù)制鏈接]

            		

            

            



            

            



            

            

            
 

            

            




            


1#


            

            

            

            

發(fā)表于 2008-9-28 16:20:46
|
只看該作者

|倒序?yàn)g覽
|閱讀模式

            

            

            
 

            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">windows 9x</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2000</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下,所有的可執(zhí)行文件都是基于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Microsoft</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計(jì)的一種新的文件格式</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Portable Executable File Format</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(可移植的執(zhí)行體),即</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式。有一些時(shí)候,我們需要對(duì)這些可執(zhí)行文件進(jìn)行修改,下面文字試圖詳細(xì)的描述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的格式及對(duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式文件的修改。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件框架構(gòu)成</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DOS MZ header <BR>DOS stub <BR>PE header <BR>Section table <BR>Section 1 <BR>Section 2 <BR>Section ... <BR>Section n <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></P>. x6 |- C3 N! N
            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的總體層次分布。所有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">甚至</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">位的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DLLs) </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">必須以一個(gè)簡(jiǎn)單的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開(kāi)始,在偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下可執(zhí)行文件的“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MZ</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志”,有了它,一旦程序在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">就能識(shí)別出這是有效的執(zhí)行體,然后運(yùn)行緊隨</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">之后的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>DOS stub</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">實(shí)際上是個(gè)有效的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">EXE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,在不支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的操作系統(tǒng)中,它將簡(jiǎn)單顯示一個(gè)錯(cuò)誤提示,類似于字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> " This program cannot run in DOS mode " </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">或者程序員可根據(jù)自己的意圖實(shí)現(xiàn)完整的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼。通常</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由匯編器</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">/</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">編譯器自動(dòng)生成,對(duì)我們的用處不是很大,它簡(jiǎn)單調(diào)用中斷</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">21h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">服務(wù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)顯示字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">"This program cannot run in DOS mode"</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">緊接著</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">相關(guān)結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> IMAGE_NT_HEADERS </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的簡(jiǎn)稱,其中包含了許多</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器用到的重要域??蓤?zhí)行文件在支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的操作系統(tǒng)中執(zhí)行時(shí),</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處找到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的起始偏移量。因而跳過(guò)了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">直接定位到真正的文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>1 O% C. y# m! J: H( [
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的真正內(nèi)容劃分成塊,稱之為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">sections</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié))。每節(jié)是一塊擁有共同屬性的數(shù)據(jù),比如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”節(jié)等,那么,每一節(jié)的內(nèi)容都是什么呢?實(shí)際上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件把具有相同屬性的內(nèi)容放入同一個(gè)節(jié)中,而不必關(guān)心類似“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”、“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.data</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”的命名,其命名只是為了便于識(shí)別,所有,我們?nèi)绻麑?duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件進(jìn)行修改,理論上講可以寫(xiě)入任何一個(gè)節(jié)內(nèi),并調(diào)整此節(jié)的屬性就可以了。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR><BR>PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">接下來(lái)的數(shù)組結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> section table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié)表)。</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">每個(gè)結(jié)構(gòu)包含對(duì)應(yīng)節(jié)的屬性、文件偏移量、虛擬偏移量等。如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件里有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)節(jié),那么此結(jié)構(gòu)數(shù)組內(nèi)就有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)成員。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
            
& k+ `* j  b, [<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上就是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的物理分布,下面將總結(jié)一下裝載一</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的主要步驟:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件被執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">里的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>PE header </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">偏移量。如果找到,則跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的有效性。如果有效,就跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的尾部。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、緊跟</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是節(jié)表。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器讀取其中的節(jié)信息,并采用文件映射方法將這些節(jié)映射到內(nèi)存,同時(shí)付上節(jié)表里指定的節(jié)屬性。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件映射入內(nèi)存后,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將處理</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件中類似</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> import table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(引入表)邏輯部分。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上述步驟是一些前輩分析的結(jié)果簡(jiǎn)述。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭概述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">我們可以在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">這個(gè)文件中找到關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_NT_HEADERS { <BR>DWORD Signature; <BR>//PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭標(biāo)志</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">:“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE\0\0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”。在開(kāi)始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處所指向的地址開(kāi)始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_FILE_HEADER FileHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件物理分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_OPTIONAL_HEADER32 OptionalHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件邏輯分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; <o:p></o:p></SPAN></P>
            
3 f3 c* @( L& d+ P1 u<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_FILE_HEADER { <BR>WORD Machine; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該文件運(yùn)行所需要的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">CPU</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,對(duì)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Intel</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">平臺(tái)是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">14Ch <BR>WORD NumberOfSections; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的節(jié)數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD TimeDateStamp; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件創(chuàng)建日期和時(shí)間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToSymbolTable; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用于調(diào)試</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD NumberOfSymbols; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">符號(hào)表中符號(hào)個(gè)數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD SizeOfOptionalHeader; //OptionalHeader </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件信息標(biāo)記,區(qū)分文件是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">dll <BR>} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; <o:p></o:p></SPAN></P>3 Q6 Q7 s. X: J1 m
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_OPTIONAL_HEADER { <BR>WORD Magic; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志字</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">總是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">010bh) <BR>BYTE MajorLinkerVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">連接器版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>BYTE MinorLinkerVersion; // <BR>DWORD SizeOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfInitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">已初始化數(shù)據(jù)塊大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfUninitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">未初始化數(shù)據(jù)塊大小</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US><BR>DWORD AddressOfEntryPoint; //PE</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器準(zhǔn)備運(yùn)行的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的第一個(gè)指令的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,若要改變整個(gè)執(zhí)行的流程,可以將該值指定到新的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,這樣新</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處的指令首先被執(zhí)行。(許多文章都有介紹</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,請(qǐng)去了解)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD BaseOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD BaseOfData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD ImageBase; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的裝載地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SectionAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">塊對(duì)齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD FileAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件塊對(duì)齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MajorOperatingSystemVersion;//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所需操作系統(tǒng)版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorOperatingSystemVersion;// <BR>WORD MajorImageVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用戶自定義版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorImageVersion; // <BR>WORD MajorSubsystemVersion; //win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">子系統(tǒng)版本。若</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件是專門(mén)為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計(jì)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorSubsystemVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該子系統(tǒng)版本必定是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4.0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">否則對(duì)話框不會(huì)有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">維立體感</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Win32VersionValue; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保留</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfImage; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">內(nèi)存中整個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">映像體的尺寸</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfHeaders; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所有頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">+</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表的大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD CheckSum; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">校驗(yàn)和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Subsystem; //NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用來(lái)識(shí)別</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件屬于哪個(gè)子系統(tǒng)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD DllCharacteristics; // <BR>DWORD SizeOfStackReserve; // <BR>DWORD SizeOfStackCommit; // <BR>DWORD SizeOfHeapReserve; // <BR>DWORD SizeOfHeapCommit; // <BR>DWORD LoaderFlags; // <BR>DWORD NumberOfRvaAndSizes; // <BR>IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; <BR>//IMAGE_DATA_DIRECTORY </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)數(shù)組。每個(gè)結(jié)構(gòu)給出一個(gè)重要數(shù)據(jù)結(jié)構(gòu)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,比如引入地址表等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; <o:p></o:p></SPAN></P>
            
! e* G) ?* O" m& S3 L8 b+ W- ~<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_DATA_DIRECTORY { <BR>DWORD VirtualAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Size; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; <o:p></o:p></SPAN></P>
            
" Q; z8 I; {  l+ N! U<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭后是節(jié)表,在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下如下定義</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_SECTION_HEADER { <BR>BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表名稱</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>union { <BR>DWORD PhysicalAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD VirtualSize; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">真實(shí)長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} Misc; <BR>DWORD VirtualAddress; //RVA <BR>DWORD SizeOfRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)基于文件的偏移量</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號(hào)表的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位項(xiàng)數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號(hào)表的數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)屬性</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; <o:p></o:p></SPAN></P>9 R( j" l' D- T' n! ~' A
            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上結(jié)構(gòu)就是在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義,如何我們用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">C/C++</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)進(jìn)行</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件操作,就要用到上面的所有結(jié)構(gòu),它詳細(xì)的描述了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的結(jié)構(gòu)。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
            
3 P+ Y! G- T8 W7 C# A& `6 e+ b<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、修改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">現(xiàn)在讓我們把一段代碼寫(xiě)入任何一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的可執(zhí)行文件,代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>-- test.asm -- <BR>.386p <BR>.model flat, stdcall <BR>option casemap:none <o:p></o:p></SPAN></P>  X( e* u0 \9 @) P1 i+ m
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">include \masm32\include\windows.inc <BR>include \masm32\include\user32.inc <BR>includelib \masm32\lib\user32.lib <o:p></o:p></SPAN></P>9 j. l. H2 W1 i# A/ ^! h
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.code <o:p></o:p></SPAN></P>, s  A1 V$ _0 i. g' u; S5 o( l
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">start: <BR>INVOKE MessageBoxA,0,0,0,MB_ICONINFORMATION or MB_OK <BR>ret <BR>end start <o:p></o:p></SPAN></P>: \" u- k6 I) S8 c/ l0 J2 O3 V$ M; F
            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上代碼只顯示一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">框,編譯后得到二進(jìn)制代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>
            
' C& f9 M! }$ G. U7 p1 [* V<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">好,現(xiàn)在讓我們看看該把這些代碼寫(xiě)到那?,F(xiàn)在用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Tdump.exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式得可執(zhí)行文件信息,可以發(fā)現(xiàn)如下描述:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>Object table: <BR># Name VirtSize RVA PhysSize Phys off Flags <BR>-- -------- -------- -------- -------- -------- -------- <BR>01 .text 0000CCC0 00001000 0000CE00 00000600 60000020 [CER] <BR>02 .data 00004628 0000E000 00002C00 0000D400 C0000040 [IRW] <BR>03 .rsrc 000003C8 00013000 00000400 00010000 40000040 [IR] <o:p></o:p></SPAN></P>7 z8 R, l6 d' |* Y: c# D9 B
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Key to section flags: <BR>C - contains code <BR>E - executable <BR>I - contains initialized data <BR>R - readable <BR>W - writeable <o:p></o:p></SPAN></P>& T# q7 G2 P+ A4 O
            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上面描述此文件中存在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)段及每個(gè)段得信息,實(shí)際上我們的代碼可以寫(xiě)入任何一個(gè)段,這里我選擇“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>. ]( w  N& c1 Q; i; y4 H3 P! `
            
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用如下代碼得到一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式可執(zhí)行文件的頭信息:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>2 {+ C# B8 _3 ?; g8 q# Z
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//writePE.cpp <o:p></o:p></SPAN></P>
            
/ u" P+ q' q4 N& D" c* ?<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">#include &lt;windows.h&gt; <BR>#include &lt;stdio.h&gt; <BR>#include &lt;io.h&gt; <BR>#include &lt;fcntl.h&gt; <BR>#include &lt;time.h&gt; <BR>#include &lt;SYS\STAT.H&gt; <o:p></o:p></SPAN></P>
            
+ ]- k8 }  l7 p' i8 Y<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>
            
. K- j' Z& n5 {7 z7 W<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD space; <BR>DWORD entryaddress; <BR>DWORD entrywrite; <BR>DWORD progRAV; <BR>DWORD oldentryaddress; <BR>DWORD newentryaddress; <BR>DWORD codeoffset; <BR>DWORD peaddress; <BR>DWORD flagaddress; <BR>DWORD flags; <o:p></o:p></SPAN></P>
            
) a- \; E& p4 K3 G+ }3 ^9 X<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD virtsize; <BR>DWORD physaddress; <BR>DWORD physsize; <BR>DWORD MessageBoxAadaddress; <o:p></o:p></SPAN></P>7 h$ Y, P& M6 ~( g2 E) Y# r
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">int main(int argc,char * * argv) <BR>{ <BR>HANDLE hFile, hMapping; <BR>void *basepointer; <BR>FILETIME * Createtime; <BR>FILETIME * Accesstime; <BR>FILETIME * Writetime; <BR>Createtime = new FILETIME; <BR>Accesstime = new FILETIME; <BR>Writetime = new FILETIME; <o:p></o:p></SPAN></P>) u5 s0 r- E+ J& L: X' _1 T
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">打開(kāi)要修改的文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <BR>if(!GetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("\nerror getfiletime: %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到要修改文件的創(chuàng)建、修改等時(shí)間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0))) <BR>{ <BR>puts("(mapping failed)"); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>if (!(basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0))) <BR>{ <BR>puts("(view failed)"); <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把文件頭映象存入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">baseointer <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>map_exe(basepointer);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到相關(guān)地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>UnmapViewOfFile(basepointer); <BR>printaddress(); <BR>printf("\n\n"); <BR>if(space&lt;50) <BR>{ <BR>printf("\n</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">空隙太小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)不能寫(xiě)入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.\n"); <BR>} <BR>else <BR>{ <BR>writefile();//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫(xiě)文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>
            
3 V8 `# ]* M) J3 F% g9 v' }4 f<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE) <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <o:p></o:p></SPAN></P>3 z% D+ k5 y7 O. N$ y* a
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(!SetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("error settime : %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">恢復(fù)修改后文件的建立時(shí)間等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>delete Createtime; <BR>delete Accesstime; <BR>delete Writetime; <BR>CloseHandle(hFile); <BR>return 0; <BR>} <o:p></o:p></SPAN></P>* r  i  b* P% ~. @, x# I" ~1 b
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void map_exe(const void *base) <BR>{ <BR>IMAGE_DOS_HEADER * dos_head; <BR>dos_head =(IMAGE_DOS_HEADER *)base; <BR>#include &lt;pshpack1.h&gt; <BR>typedef struct PE_HEADER_MAP <BR>{ <BR>DWORD signature; <BR>IMAGE_FILE_HEADER _head; <BR>IMAGE_OPTIONAL_HEADER opt_head; <BR>IMAGE_SECTION_HEADER section_header[]; <BR>} peHeader; <BR>#include &lt;poppack.h&gt; <o:p></o:p></SPAN></P>& Z# L) J- q1 A: G; y
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if (dos_head-&gt;e_magic != IMAGE_DOS_SIGNATURE) <BR>{ <BR>puts("unknown type of file"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
            
2 U6 p% }* ?8 L  e7 w<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader * header; <BR>header = (peHeader *)((char *)dos_head + dos_head-&gt;e_lfanew);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (IsBadReadPtr(header, sizeof(*header)) <BR>{ <BR>puts("(no PE header, probably DOS executable)"); <BR>return; <BR>} <o:p></o:p></SPAN></P>0 S3 G3 S$ W# B. [4 c) j) s
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD mods; <BR>char tmpstr[4]={0}; <BR>DWORD tmpaddress; <BR>DWORD tmpaddress1; <o:p></o:p></SPAN></P>' G; X7 a- L# M( d1 Z
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(strstr((const char *)header-&gt;section_header[0].Name,".text")!=NULL) <BR>{ <BR>virtsize=header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的真實(shí)長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physaddress=header-&gt;section_header[0].PointerToRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physsize=header-&gt;section_header[0].SizeOfRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>peaddress=dos_head-&gt;e_lfanew; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的開(kāi)始偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>" |  P8 Q1 i& m" c% d
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader peH; <BR>tmpaddress=(unsigned long )&amp;peH; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到結(jié)構(gòu)的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmpaddress1=(unsigned long )&amp;(peH.section_header[0].Characteristics); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到變量的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flagaddress=tmpaddress1-tmpaddress+2; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到屬性的相對(duì)偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flags=0x8000; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一般情況下,“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段是不可讀寫(xiě)的,如果我們要把數(shù)據(jù)寫(xiě)入這個(gè)段需要改變其屬性,實(shí)際上這個(gè)程序并沒(méi)有把數(shù)據(jù)寫(xiě)入“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段,所以并不需要更改,但如果你實(shí)現(xiàn)復(fù)雜的功能,肯定需要數(shù)據(jù),肯定需要更改這個(gè)值,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
            
# }/ i, G0 d" v- H5 L0 x<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">space=physsize-virtsize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼段的可用空間,用以判斷可不可以寫(xiě)入我們的代碼</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用此段的物理長(zhǎng)度減去此段的真實(shí)長(zhǎng)度就可以得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>progRAV=header-&gt;opt_head.ImageBase; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到程序的裝載地址,一般為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">400000 <BR>codeoffset=header-&gt;opt_head.BaseOfCode-physaddress; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼偏移,用代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">減去此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">應(yīng)為程序的入口計(jì)算公式是一個(gè)相對(duì)的偏移地址,計(jì)算公式為:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼的寫(xiě)入地址+</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">codeoffset <o:p></o:p></SPAN></P>8 ~4 T5 u9 P4 m/ X* }! ?5 K( Q4 s8 ~
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">entrywrite=header-&gt;section_header[0].PointerToRawData+header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼寫(xiě)入的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>mods=entrywrite%16; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)齊邊界</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(mods!=0) <BR>{ <BR>entrywrite+=(16-mods); <BR>} <BR>oldentryaddress=header-&gt;opt_head.AddressOfEntryPoint; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保存舊的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>newentryaddress=entrywrite+codeoffset; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">計(jì)算新的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>return; <BR>} <o:p></o:p></SPAN></P>6 d2 w* Q6 o  N- f7 t$ T5 g( i0 r
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void printaddress() <BR>{ <BR>HINSTANCE gLibMsg=NULL; <BR>DWORD funaddress; <BR>gLibMsg=LoadLibrary("user32.dll"); <BR>funaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA"); <BR>MessageBoxAadaddress=funaddress; <BR>gLibAMsg=LoadLibrary("kernel32.dll"); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在內(nèi)存中的地址,以便我們使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>
            
: c0 z+ V' d$ Q3 p8 I3 D<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void writefile() <BR>{ <BR>int ret; <BR>long retf; <BR>DWORD address; <BR>int tmp; <BR>unsigned char waddress[4]={0}; <o:p></o:p></SPAN></P>
            
" i4 d2 j+ j8 T<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">ret=_open(filename,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE); <BR>if(!ret) <BR>{ <BR>printf("error open\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>5 j% r# D7 M! }$ b9 E* m
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)peaddress+40,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">程序的入口地址在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭開(kāi)始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">40</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>address=newentryaddress; <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把新的入口地址寫(xiě)入文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>: O! l0 o! x* C% B) c( z  o
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite,SEEK_SET); <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>retf=_write(ret,writeline,18); <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫(xiě)入我們計(jì)算出的空間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>( D8 [, G/ S% M8 z3 L
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+9,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)地址,它的二進(jìn)制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[10]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>' ^, z' P0 {- f! \- M+ E
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=MessageBoxAadaddress-(progRAV+newentryaddress+9+4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重新計(jì)算</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的地址,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的原地址減去程序的裝載地址加上新的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(它的二進(jìn)制代碼相對(duì)偏移)加上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長(zhǎng)度)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫(xiě)入重新計(jì)算的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>1 y' b* z  M+ c" i. c
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+14,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改返回地址,用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">jpm</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回原程序入口地址,其它的二進(jìn)制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[15]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>' G  c! a+ J* c6 o5 H+ K4 x/ o. S0 l2 \
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=0-(newentryaddress-oldentryaddress+4+15); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回地址計(jì)算的方法是新的入口地址減去老的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長(zhǎng)度)加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">15</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(二進(jìn)制代碼相對(duì)偏移)后取反</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫(xiě)入返回地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>
            
5 _3 J1 q) @: q$ Z# m<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">_close(ret); <BR>printf("\nall done...\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>- Q# b2 o. R" ^! S& B
            
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//end <o:p></o:p></SPAN></P>
            
% W  Y7 D/ {* }% i$ U<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由于在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件中,所有的地址都使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址,所以一些函數(shù)調(diào)用和返回地址都要經(jīng)過(guò)計(jì)算才可以得到,以上是我在實(shí)踐中的心得,如果你有更好的辦法,真心的希望你能告訴我。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
            


            

            

            


            

            

            


            

            


            
    
            
    
    
    
            		

            

            

            




            

            



            

            

            

            



            






            






            



            

            

            

            








            

            

            


            

            
您需要登錄后才可以回帖 登錄 | 注冊(cè)





            

            

            

            

            

            

            






            
本版積分規(guī)則





            
            		

            

            

            

            




            


            

            

            

	
            

            

            

            
QQ|本地廣告聯(lián)系: QQ:905790666 TEL:13176190456|Archiver|手機(jī)版|小黑屋|汶上信息港
( 魯ICP備19052200號(hào)-1 )

            

            
GMT+8, 2025-5-21 01:06


            

            

            

            Powered by Discuz! X3.5
            

            © 2001-2025 Discuz! Team.
            

            



            
快速回復(fù)
返回頂部

返回列表