打造最小的PE文件
(bkbll#cnhonker.net 2005-9-18 9:01)
一. 前言.
最近在鼓搗windows下PE文件格式, 在達到既定目標后, 對生成最小PE文件產生了興趣, 恰好
看到 watercloud(watercloud_at_xfocus.org)在近2年前寫過一篇文章<<手工打造微型Win32
可執行文件>>(
http://www.xfocus.net/articles/200302/482.html), 我也依葫蘆畫瓢,打造
一下我認為最小的PE文件,由于是初次接觸PE格式,如有差錯,敬請斧正.
本文所有程序均在win2k sp4 cn和windows xp sp1 cn上測試通過.
二. PE文件格式,結構
在winnt.h中,有PE各種結構的定義,這里就不一一列舉, 僅將相關結構名列舉如下:
IMAGE_DOS_HEADER,IMAGE_NT_HEADERS,IMAGE_FILE_HEADER,IMAGE_OPTIONAL_HEADER,
IMAGE_DATA_DIRECTORY,IMAGE_SECTION_HEADER,IMAGE_IMPORT_DESCRIPTOR
因為目標是打造最小的PE文件,所以僅用到一個IMPORT表.
PE整個文件框架大致如下:
| IMAGE_DOS_HEADER |
| Signature |
| IMAGE_NT_HEADER | -> | IMAGE_FILE_HEADER |
| IMAGE_OPTIONAL_HEADER | ->
| IMAGE_DATA_DIRECTORY |
......
| IMAGE_SECTION_HEADER |
........
| 代碼段 |
三. 不一樣的地方
watercloud 的PE已經比較小了,但還有幾個地方我處理的不大一樣:
1. WindowsXP 可以允許PE section為1個. 試驗系統是xp sp1 cn
2. 文件對齊 windows是規定是2的冪, 當然可以比0x200小.
當然,除了上面2點以外,我還有用到一種比較巧妙的技巧.
運行PE文件,會在屏幕上打印Hello,world信息.
四. 打造過程.
1. 過程一:
最開始我們按照PE結構和順序一步步填充結構,看能有多大:
我們先選取對齊值為0x20.
這里我們選MAGE_OPTIONAL_HEADER.DataDirectory個數為16個(所有都用上),但
只用到IMPORT table.
這個過程沒有什么技巧,因為只用到一個section,文件對齊又小了很多,最終大小為
496字節, 其中我們的匯編代碼占了47字節.
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ?........??..
00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ?......@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ; ............@...
00000040h: 50 45 00 00 4C 01 01 00 00 00 00 00 00 00 00 00 ; PE..L...........
00000050h: 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 00 00 ; ....?..........
00000060h: 00 00 00 00 00 00 00 00 B4 01 00 00 00 00 00 00 ; ........?......
00000070h: 00 00 00 00 00 00 40 00 10 00 00 00 10 00 00 00 ; ......@.........
00000080h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ; ................
00000090h: 00 10 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ; ................
000000a0h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ; ................
000000b0h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 60 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 ; `...(...........
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ; .........text...
00000140h: 00 08 00 00 60 01 00 00 00 08 00 00 60 01 00 00 ; ....`.......`...
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 ; ............ ..?
00000160h: 88 01 00 00 00 00 00 00 00 00 00 00 98 01 00 00 ; ?..........?..
00000170h: 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
00000180h: 00 00 00 00 00 00 00 00 A8 01 00 00 00 00 00 00 ; ........?......
00000190h: A8 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ?......kernel32
000001a0h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
000001b0h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
000001c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
000001d0h: 6A 0C 51 50 68 90 01 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
000001e0h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
2. 過程二:
壓縮一下 IMAGE_OPTIONAL_HEADER 的DataDirectory,因為只用到import表,所以
IMAGE_OPTIONAL_HEADER 的 NumberOfRvaAndSizes 可以為 2 , 這樣就減少了0x70字節,
最終大小為384字節, 47字節為我們的匯編代碼,因為這個沒什么技巧,和前面差不多,所
以不貼出文件內容了.
3. 過程三:
對比一下,我們發現 IMAGE_DOS_HEADER 的0x40大小結構,除了 e_magic 和 e_lfanew
兩個結構外,其他對我們的mini-pe 似乎沒什么影響,那么這個結構沒用的部分可不可以
利用起來呢? 答案是肯定的, 我決定將 IMAGE_NT_HEADERS 和 IMAGE_DOS_HEADER 重疊
起來, 但是因為 e_lfanew 是標記IMAGE_NT_HEADERS 偏移的唯一值, 所以這個值不能被
覆蓋, 同時因為兩個頭部重疊了,所以 e_lfanew 所在的文件偏移位置在 IMAGE_NT_HEADERS
結構中應該是個可以被忽略的結構.
我們來分析一下 IMAGE_NT_HEADERS 的頭0x40大小的結構:
typedef struct _IMAGE_NT_HEADERS
{
DWORD Signature; //+0
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine; //+4
WORD NumberOfSections; //+6
DWORD TimeDateStamp; //+8
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
WORD SizeOfOptionalHeader; //+20
WORD Characteristics; //+22
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic; //+24
BYTE MajorLinkerVersion; //+26
BYTE MinorLinkerVersion; //+27
DWORD SizeOfCode; //+28
DWORD SizeOfInitializedData; //+32
DWORD SizeOfUninitializedData; //+36
DWORD AddressOfEntryPoint; //+40
DWORD BaseOfCode; //+44
DWORD BaseOfData; //+48
DWORD ImageBase; //+52
DWORD SectionAlignment; //+56
DWORD FileAlignment; //+60
WORD MajorOperatingSystemVersion; //+64
..........
}
e_lfanew 是在 IMAGE_DOS_HEADER 的0x3c = 60 處, 我們從56除往回找可以被覆蓋
又沒什么用處的結構, 好像最近一個就只有 BaseOfData 了. 也就是說 e_lfanew =
60 - 48 = 12 = 0xc.
重疊后的 IMAGE_DOS_HEADER 和 IMAGE_FILE_HEADER 結構圖如下:
WORD e_magic; //+0
WORD e_cblp; //+2
WORD e_cp; //+4
WORD e_crlc; //+6
WORD e_cparhdr; //+8
WORD e_minalloc; //+10
WORD e_maxalloc; WORD e_ss; //+12 IMAGE_NT_HEADERS.Signature //+0
WORD e_sp; //+16 IMAGE_FILE_HEADER.Machine //+4
WORD e_csum; //+18 IMAGE_FILE_HEADER.NumberOfSections//+6
WORD e_ip; WORD e_cs; //+20 IMAGE_FILE_HEADER.TimeDateStamp //+8
WORD e_lfarlc; WORD e_ovno; //+24 IMAGE_FILE_HEADER.PointerToSymbolTable
WORD e_res[4]; //+28 IMAGE_FILE_HEADER. NumberOfSymbols
//+32 IMAGE_FILE_HEADER.SizeOfOptionalHeader
//+34 IMAGE_FILE_HEADER.Characteristics
WORD e_oemid; //+36 IMAGE_OPTIONAL_HEADER.Magic
WORD e_oeminfo; //+38 IMAGE_OPTIONAL_HEADER.MajorLinkerVersion
//+39 IMAGE_OPTIONAL_HEADER.MinorLinkerVersion
WORD e_res2[10]; //+40 IMAGE_OPTIONAL_HEADER.SizeOfCode
//+44 IMAGE_OPTIONAL_HEADER.SizeOfInitializedData
//+48 IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData
//+52 IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
//+56 IMAGE_OPTIONAL_HEADER.BaseOfCode;
LONG e_lfanew; //+60 IMAGE_OPTIONAL_HEADER.BaseOfData;//+48
//+64 IMAGE_OPTIONAL_HEADER.ImageBase
這樣光重疊這部分就可以省下一點空間,最終大小為336字節,其中47字節為我們的匯編代碼.
文件內容:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ; L...............
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 14 01 00 00 00 00 00 00 0C 00 00 00 ; ................
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 00 00 00 00 10 00 ; ................
00000070h: 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 ; ................
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 C0 00 00 00 ; ............?..
00000090h: 28 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; (....text.......
000000a0h: C0 00 00 00 00 08 00 00 C0 00 00 00 00 00 00 00 ; ?......?......
000000b0h: 00 00 00 00 00 00 00 00 20 00 00 E0 00 00 00 00 ; ........ ..?...
000000c0h: E8 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ; ?..........?..
000000d0h: F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
000000e0h: 00 00 00 00 00 00 00 00 08 01 00 00 00 00 00 00 ; ................
000000f0h: 08 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ........kernel32
00000100h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
00000110h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
00000120h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
00000130h: 6A 0C 51 50 68 F0 00 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
00000140h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
4. 過程四.
現在已經小很多了,我們在前這幾個結構 IMAGE_DOS_HEADER,IMAGE_NT_HEADERS
和IMAGE_SECTION_HEADER 上,可以重疊的不多了, 那么剩下就只有IMPORT表的描述了.
在前面我們用的import表的描述是這樣的結構:
import descriptor(PEDataDir->Size) bytes
OriginalFirstThunk + 0x0000 //8 bytes
FirstThunk(IAT) + 0x0000 //8 bytes
"kernel32.dll"+0x0 //12+4 = 16 bytes
0x00 +iatfunction1("WriteFile")// 2 + 10 = 12 bytes
這樣就占了 PEDataDir->Size + 8 + 8 + 16 + 12字節,好像比較大哦,那我們就對它動手吧.
我們看看能不能把它整合到已有的結構里面去.
先調整唯一的section的內容:
IMAGE_SECTION_HEADER.VirtualAddress = 0x00;
IMAGE_SECTION_HEADER.PointerToRawData = 0x00;
這樣,整個文件結構以及偏移地址就都可以使用了.
import descriptor 所需要的最小大小是 sizeof(IMAGE_IMPORT_DESCRIPTOR) *2,
其中要求最后4字節內容為0
我們對比搜尋結構,發現 IMAGE_OPTIONAL_HEADER 結構從DllCharacteristics開始滿足我們的要求,
import descriptor 指向這里:
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[0];
因為剛好第一個DataDirectory內容都是0,滿足我們的要求.
剩下的就需要找一個8字節大小的空間,要求第一個4字節改變不會影響程序運行(這里用來保存第
一個IAT的地址),第二個4字節內容為0. 這里用來存放 IMAGE_IMPORT_DESCRIPTOR 的 OriginalFirstThunk
和 FirstThunk ,根據需求來看,這兩個地址顯然可以相等.
很幸運的是 IMAGE_IMPORT_DESCRIPTOR 自己的結構就滿足這樣的要求:
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
union
{
DWORD Characteristics;
DWORD OriginalFirstThunk;
};
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
當ForwarderChain為0的時候,TimeDateStamp偏移就可以用來存放我們需要的IAT地址.
OK,現在還剩下兩個地方沒有解決:dll名字以及導入函數的名字.
和上面一樣,我們還是到已有的結構里面去找可以填充的空間:
Dll名字存放要求很簡單,后面有一個'\0'結尾,然后填充內容不影響程序運行.
IMAGE_SECTION_HEADER好像可以滿足我們的要求:
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
一共有12字節存放我們的dll名字,同時Characteristics還有后1為可以供存放,所以一
共有13字節,保存"Kernel32.dll"剛剛好.
IMAGE_FILE_HEADER 結構也有12字節空間:
DWORD TimeDateStamp; //+8 可以隨便填
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
我們就在這里容納我們的函數名就可以了.
這樣整個 IMAGE_IMPORT_DESCRIPTOR 結構和import表其他內容就被我們拆散整合到
已有的結構里面去了.
接著我們再優化一下shellcode, 使用msvcrt.dll的printf來輸出信息.
這樣,經過精心裁減后,整個PE文件大小為224字節,其中匯編代碼占了28字節.
最終結果:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 C0 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 00 00 00 00 ; rt.dll.. ..?...
000000c0h: 50 68 72 6C 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C ; Phrld.ho,wohhell
000000d0h: 54 B0 6E 03 43 08 FF 10 83 C4 14 C3 00 00 00 00 ; T皀.C.?.兡.?...
注意,這個PE文件是不能直接被windbg(6.3.0017.0)調試器直接啟動的,要想調試
代碼可以在匯編代碼前加上int 3(0xcc)來調試.
5.過程五:
最后,來考慮一下我們文件的對齊IMAGE_OPTIONAL_HEADER.SectionAlignment和
IMAGE_OPTIONAL_HEADER.FileAlignment, 既然要求是2的冪,那么我們完全可以
用2的0次方即1來做我們的alignment.
最終生成的EXE又瘦身了,大小僅為216字節,其中包括28字節的匯編代碼
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 BC 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 01 00 00 00 01 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 50 68 72 6C ; rt.dll.. ..郟hrl
000000c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 54 B0 6E 03 ; d.ho,wohhellT皀.
000000d0h: 43 08 FF 10 83 C4 14 C3 ; C.?.兡.?
五. 后記.
理論上來說,后面的匯編代碼部分可以用任意自己的代碼來填充,只要獲得了kernel32.dll
的GetProcAddress函數的地址,那書寫自己控制的代碼并不是問題,而代碼長度部分可以由
IMAGE_SECTION_HEADER的SizeOfRawData來控制. 我沒有試過,不過相信用188字節的PE頭結構
寫出的PE文件一定很cool. PE頭還可以減小嗎?你想,你能.
最后祝大家中秋快樂!
六.參考.
1.MSDN.
2.winnt.h
3.watercloud<<手工打造微型Win32可執行文件>>
http://www.xfocus.net/articles/200302/482.html