<div class="blogpost-body" id="cnblogs_post_body">
<p>Environment and tools:<br>Windows 10</p>
<p>010Editor</p>
<p>Target program behaviour:</p>
<p>Call MessageBoxA to display a message box.</p>
<p> </p>
<p><strong>1. Build the DOS header</strong></p>
<pre>typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;</pre>
<p>Key fields:<br>WORD e_magic; "MZ" = 4D 5A (signature)<br>LONG e_lfanew; 40h, stored little-endian as 40 00 00 00 at offset 3Ch (with the DOS stub removed, the DOS header is exactly sizeof(IMAGE_DOS_HEADER) = 40h bytes, so the NT headers start right after it)</p>
<p>4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00</p>
<p>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</p>
<p>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</p>
<p>00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00</p>
<p><br><strong>2. Build the NT headers</strong></p>
<pre>typedef struct _IMAGE_NT_HEADERS64 {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;</pre>
<p> </p>
<pre>typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;      // signature ("PE\0\0")
    IMAGE_FILE_HEADER       FileHeader;     // file header
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // optional header
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;</pre>
<p>Key field:<br>DWORD Signature; 50 45 00 00 (signature, "PE\0\0")</p>
<p>IMAGE_FILE_HEADER FileHeader; </p>
<pre>typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // target machine
    WORD  NumberOfSections;     // number of sections in the file
    DWORD TimeDateStamp;        // file creation date and time
    DWORD PointerToSymbolTable; // pointer to the symbol table (mainly for debugging)
    DWORD NumberOfSymbols;      // number of symbols in the symbol table
    WORD  SizeOfOptionalHeader; // size of IMAGE_OPTIONAL_HEADER32
    WORD  Characteristics;      // file attribute flags
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;</pre>
<p>Key fields<br>2.1 WORD Machine; 4C 01 (0x014C, x86)<br>2.2 WORD NumberOfSections; 02 00 (two sections: 1 .text, 2 .rdata)<br>2.3 WORD SizeOfOptionalHeader; E0 00 (size of the optional header)<br>2.4 WORD Characteristics; 0F 01 (can be chosen freely)</p>
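<p>As an added example (not part of the original post), the following Python script packs the DOS header from section 1 and the PE signature plus IMAGE_FILE_HEADER from section 2 with the values chosen above, checks the DOS header against the hex dump, then re-parses the bytes the way a loader or PE parser does and decodes the bits that make up Characteristics 0x010F. The format strings, the range check on e_lfanew and the flag table are my own; the field values are the post's.</p>

```python
import struct

# Constants from winnt.h; the field values used below are the ones the post chooses.
IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ" read as a little-endian WORD (bytes 4D 5A)
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0" read as a little-endian DWORD (bytes 50 45 00 00)
IMAGE_FILE_MACHINE_I386 = 0x014C
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DOS_FMT = "<H58xI"     # e_magic, 58 zero bytes (stub removed), e_lfanew at offset 0x3C
FILE_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes

def build_dos_header(e_lfanew=0x40):
    """64-byte IMAGE_DOS_HEADER with only e_magic and e_lfanew set, as in the post's hex dump."""
    return struct.pack(DOS_FMT, IMAGE_DOS_SIGNATURE, e_lfanew)

def build_file_header(machine=IMAGE_FILE_MACHINE_I386, nsections=2,
                      opt_size=0xE0, characteristics=0x010F):
    """IMAGE_FILE_HEADER; timestamp and symbol-table fields stay zero (nothing needs them)."""
    return struct.pack(FILE_FMT, machine, nsections, 0, 0, 0, opt_size, characteristics)

def build_headers():
    """DOS header + PE signature + file header; the optional header would start at 0x58."""
    return build_dos_header() + struct.pack("<I", IMAGE_NT_SIGNATURE) + build_file_header()

def parse_headers(data):
    """Re-read the fields a loader checks first; raises ValueError where a loader would refuse."""
    if len(data) < struct.calcsize(DOS_FMT):
        raise ValueError("too short for IMAGE_DOS_HEADER")
    e_magic, e_lfanew = struct.unpack_from(DOS_FMT, data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("e_magic is not MZ")
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit inside the file at e_lfanew
    if e_lfanew + 4 + struct.calcsize(FILE_FMT) > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("NT signature is not PE")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_FMT, data, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "Machine": machine, "NumberOfSections": nsec,
            "SizeOfOptionalHeader": opt_size, "Characteristics": chars}

def decode_characteristics(value):
    """Names of the Characteristics bits set in value, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]
```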
<p>IMAGE_OPTIONAL_HEADER32 OptionalHeader; // optional header (the offsets below are relative to the start of IMAGE_NT_HEADERS)</p>
<pre>typedef struct _IMAGE_OPTIONAL_HEADER
{
    //
    // Standard fields.
    //
    +18h WORD  Magic;                       // magic: ROM image (0107h), normal executable (010Bh)
    +1Ah BYTE  MajorLinkerVersion;          // linker major version
    +1Bh BYTE  MinorLinkerVersion;          // linker minor version
    +1Ch DWORD SizeOfCode;                  // total size of all sections containing code
    +20h DWORD SizeOfInitializedData;       // total size of all sections containing initialized data
    +24h DWORD SizeOfUninitializedData;     // total size of all sections containing uninitialized data
    +28h DWORD AddressOfEntryPoint;         // -----> RVA of the program entry point (OEP)
    +2Ch DWORD BaseOfCode;                  // RVA where the code section starts
    +30h DWORD BaseOfData;                  // RVA where the data section starts
    //
    // NT additional fields.
    //
    +34h DWORD ImageBase;                   // ----------> preferred load address (image base)
    +38h DWORD SectionAlignment;            // alignment of sections in memory
    +3Ch DWORD FileAlignment;               // alignment of sections in the file
    +40h WORD  MajorOperatingSystemVersion; // major version of the minimum required OS
    +42h WORD  MinorOperatingSystemVersion; // minor version of the minimum required OS
    +44h WORD  MajorImageVersion;           // image major version
    +46h WORD  MinorImageVersion;           // image minor version
    +48h WORD  MajorSubsystemVersion;       // major version of the minimum required subsystem
    +4Ah WORD  MinorSubsystemVersion;       // minor version of the minimum required subsystem
    +4Ch DWORD Win32VersionValue;           // reserved field; normally 0 unless a virus abuses it
    +50h DWORD SizeOfImage;                 // total size of the image once loaded into memory
    +54h DWORD SizeOfHeaders;               // size of all headers plus the section table
    +58h DWORD CheckSum;                    // image checksum
    +5Ch WORD  Subsystem;                   // 可执</pre>