打造最小的PE文件
(bkbll#cnhonker.net 2005-9-18 9:01)
一. 前言.
最近在鼓搗windows下PE文件格式, 在達(dá)到既定目標(biāo)后, 對(duì)生成最小PE文件產(chǎn)生了興趣, 恰好
看到 watercloud(watercloud_at_xfocus.org)在近2年前寫過一篇文章<<手工打造微型Win32
可執(zhí)行文件>>(
http://www.xfocus.net/articles/200302/482.html), 我也依葫蘆畫瓢,打造
一下我認(rèn)為最小的PE文件,由于是初次接觸PE格式,如有差錯(cuò),敬請(qǐng)斧正.
本文所有程序均在win2k sp4 cn和windows xp sp1 cn上測(cè)試通過.
二. PE文件格式,結(jié)構(gòu)
在winnt.h中,有PE各種結(jié)構(gòu)的定義,這里就不一一列舉, 僅將相關(guān)結(jié)構(gòu)名列舉如下:
IMAGE_DOS_HEADER,IMAGE_NT_HEADERS,IMAGE_FILE_HEADER,IMAGE_OPTIONAL_HEADER,
IMAGE_DATA_DIRECTORY,IMAGE_SECTION_HEADER,IMAGE_IMPORT_DESCRIPTOR
因?yàn)槟繕?biāo)是打造最小的PE文件,所以僅用到一個(gè)IMPORT表.
PE整個(gè)文件框架大致如下:
| IMAGE_DOS_HEADER |
| Signature |
| IMAGE_NT_HEADER | -> | IMAGE_FILE_HEADER |
| IMAGE_OPTIONAL_HEADER | ->
| IMAGE_DATA_DIRECTORY |
......
| IMAGE_SECTION_HEADER |
........
| 代碼段 |
三. 不一樣的地方
watercloud 的PE已經(jīng)比較小了,但還有幾個(gè)地方我處理的不大一樣:
1. WindowsXP 可以允許PE section為1個(gè). 試驗(yàn)系統(tǒng)是xp sp1 cn
2. 文件對(duì)齊 windows是規(guī)定是2的冪, 當(dāng)然可以比0x200小.
當(dāng)然,除了上面2點(diǎn)以外,我還有用到一種比較巧妙的技巧.
運(yùn)行PE文件,會(huì)在屏幕上打印Hello,world信息.
四. 打造過程.
1. 過程一:
最開始我們按照PE結(jié)構(gòu)和順序一步步填充結(jié)構(gòu),看能有多大:
我們先選取對(duì)齊值為0x20.
這里我們選MAGE_OPTIONAL_HEADER.DataDirectory個(gè)數(shù)為16個(gè)(所有都用上),但
只用到IMPORT table.
這個(gè)過程沒有什么技巧,因?yàn)橹挥玫揭粋€(gè)section,文件對(duì)齊又小了很多,最終大小為
496字節(jié), 其中我們的匯編代碼占了47字節(jié).
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ?........??..
00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ?......@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ; ............@...
00000040h: 50 45 00 00 4C 01 01 00 00 00 00 00 00 00 00 00 ; PE..L...........
00000050h: 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 00 00 ; ....?..........
00000060h: 00 00 00 00 00 00 00 00 B4 01 00 00 00 00 00 00 ; ........?......
00000070h: 00 00 00 00 00 00 40 00 10 00 00 00 10 00 00 00 ; ......@.........
00000080h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ; ................
00000090h: 00 10 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ; ................
000000a0h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ; ................
000000b0h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 60 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 ; `...(...........
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ; .........text...
00000140h: 00 08 00 00 60 01 00 00 00 08 00 00 60 01 00 00 ; ....`.......`...
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 ; ............ ..?
00000160h: 88 01 00 00 00 00 00 00 00 00 00 00 98 01 00 00 ; ?..........?..
00000170h: 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
00000180h: 00 00 00 00 00 00 00 00 A8 01 00 00 00 00 00 00 ; ........?......
00000190h: A8 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ?......kernel32
000001a0h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
000001b0h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
000001c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
000001d0h: 6A 0C 51 50 68 90 01 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
000001e0h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
2. 過程二:
壓縮一下 IMAGE_OPTIONAL_HEADER 的DataDirectory,因?yàn)橹挥玫絠mport表,所以
IMAGE_OPTIONAL_HEADER 的 NumberOfRvaAndSizes 可以為 2 , 這樣就減少了0x70字節(jié),
最終大小為384字節(jié), 47字節(jié)為我們的匯編代碼,因?yàn)檫@個(gè)沒什么技巧,和前面差不多,所
以不貼出文件內(nèi)容了.
3. 過程三:
對(duì)比一下,我們發(fā)現(xiàn) IMAGE_DOS_HEADER 的0x40大小結(jié)構(gòu),除了 e_magic 和 e_lfanew
兩個(gè)結(jié)構(gòu)外,其他對(duì)我們的mini-pe 似乎沒什么影響,那么這個(gè)結(jié)構(gòu)沒用的部分可不可以
利用起來(lái)呢? 答案是肯定的, 我決定將 IMAGE_NT_HEADERS 和 IMAGE_DOS_HEADER 重疊
起來(lái), 但是因?yàn)?e_lfanew 是標(biāo)記IMAGE_NT_HEADERS 偏移的唯一值, 所以這個(gè)值不能被
覆蓋, 同時(shí)因?yàn)閮蓚€(gè)頭部重疊了,所以 e_lfanew 所在的文件偏移位置在 IMAGE_NT_HEADERS
結(jié)構(gòu)中應(yīng)該是個(gè)可以被忽略的結(jié)構(gòu).
我們來(lái)分析一下 IMAGE_NT_HEADERS 的頭0x40大小的結(jié)構(gòu):
typedef struct _IMAGE_NT_HEADERS
{
DWORD Signature; //+0
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine; //+4
WORD NumberOfSections; //+6
DWORD TimeDateStamp; //+8
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
WORD SizeOfOptionalHeader; //+20
WORD Characteristics; //+22
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic; //+24
BYTE MajorLinkerVersion; //+26
BYTE MinorLinkerVersion; //+27
DWORD SizeOfCode; //+28
DWORD SizeOfInitializedData; //+32
DWORD SizeOfUninitializedData; //+36
DWORD AddressOfEntryPoint; //+40
DWORD BaseOfCode; //+44
DWORD BaseOfData; //+48
DWORD ImageBase; //+52
DWORD SectionAlignment; //+56
DWORD FileAlignment; //+60
WORD MajorOperatingSystemVersion; //+64
..........
}
e_lfanew 是在 IMAGE_DOS_HEADER 的0x3c = 60 處, 我們從56除往回找可以被覆蓋
又沒什么用處的結(jié)構(gòu), 好像最近一個(gè)就只有 BaseOfData 了. 也就是說(shuō) e_lfanew =
60 - 48 = 12 = 0xc.
重疊后的 IMAGE_DOS_HEADER 和 IMAGE_FILE_HEADER 結(jié)構(gòu)圖如下:
WORD e_magic; //+0
WORD e_cblp; //+2
WORD e_cp; //+4
WORD e_crlc; //+6
WORD e_cparhdr; //+8
WORD e_minalloc; //+10
WORD e_maxalloc; WORD e_ss; //+12 IMAGE_NT_HEADERS.Signature //+0
WORD e_sp; //+16 IMAGE_FILE_HEADER.Machine //+4
WORD e_csum; //+18 IMAGE_FILE_HEADER.NumberOfSections//+6
WORD e_ip; WORD e_cs; //+20 IMAGE_FILE_HEADER.TimeDateStamp //+8
WORD e_lfarlc; WORD e_ovno; //+24 IMAGE_FILE_HEADER.PointerToSymbolTable
WORD e_res[4]; //+28 IMAGE_FILE_HEADER. NumberOfSymbols
//+32 IMAGE_FILE_HEADER.SizeOfOptionalHeader
//+34 IMAGE_FILE_HEADER.Characteristics
WORD e_oemid; //+36 IMAGE_OPTIONAL_HEADER.Magic
WORD e_oeminfo; //+38 IMAGE_OPTIONAL_HEADER.MajorLinkerVersion
//+39 IMAGE_OPTIONAL_HEADER.MinorLinkerVersion
WORD e_res2[10]; //+40 IMAGE_OPTIONAL_HEADER.SizeOfCode
//+44 IMAGE_OPTIONAL_HEADER.SizeOfInitializedData
//+48 IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData
//+52 IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
//+56 IMAGE_OPTIONAL_HEADER.BaseOfCode;
LONG e_lfanew; //+60 IMAGE_OPTIONAL_HEADER.BaseOfData;//+48
//+64 IMAGE_OPTIONAL_HEADER.ImageBase
這樣光重疊這部分就可以省下一點(diǎn)空間,最終大小為336字節(jié),其中47字節(jié)為我們的匯編代碼.
文件內(nèi)容:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ; L...............
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 14 01 00 00 00 00 00 00 0C 00 00 00 ; ................
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 00 00 00 00 10 00 ; ................
00000070h: 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 ; ................
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 C0 00 00 00 ; ............?..
00000090h: 28 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; (....text.......
000000a0h: C0 00 00 00 00 08 00 00 C0 00 00 00 00 00 00 00 ; ?......?......
000000b0h: 00 00 00 00 00 00 00 00 20 00 00 E0 00 00 00 00 ; ........ ..?...
000000c0h: E8 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ; ?..........?..
000000d0h: F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
000000e0h: 00 00 00 00 00 00 00 00 08 01 00 00 00 00 00 00 ; ................
000000f0h: 08 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ........kernel32
00000100h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
00000110h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
00000120h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
00000130h: 6A 0C 51 50 68 F0 00 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
00000140h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
4. 過程四.
現(xiàn)在已經(jīng)小很多了,我們?cè)谇斑@幾個(gè)結(jié)構(gòu) IMAGE_DOS_HEADER,IMAGE_NT_HEADERS
和IMAGE_SECTION_HEADER 上,可以重疊的不多了, 那么剩下就只有IMPORT表的描述了.
在前面我們用的import表的描述是這樣的結(jié)構(gòu):
import descriptor(PEDataDir->Size) bytes
OriginalFirstThunk + 0x0000 //8 bytes
FirstThunk(IAT) + 0x0000 //8 bytes
"kernel32.dll"+0x0 //12+4 = 16 bytes
0x00 +iatfunction1("WriteFile")// 2 + 10 = 12 bytes
這樣就占了 PEDataDir->Size + 8 + 8 + 16 + 12字節(jié),好像比較大哦,那我們就對(duì)它動(dòng)手吧.
我們看看能不能把它整合到已有的結(jié)構(gòu)里面去.
先調(diào)整唯一的section的內(nèi)容:
IMAGE_SECTION_HEADER.VirtualAddress = 0x00;
IMAGE_SECTION_HEADER.PointerToRawData = 0x00;
這樣,整個(gè)文件結(jié)構(gòu)以及偏移地址就都可以使用了.
import descriptor 所需要的最小大小是 sizeof(IMAGE_IMPORT_DESCRIPTOR) *2,
其中要求最后4字節(jié)內(nèi)容為0
我們對(duì)比搜尋結(jié)構(gòu),發(fā)現(xiàn) IMAGE_OPTIONAL_HEADER 結(jié)構(gòu)從DllCharacteristics開始滿足我們的要求,
import descriptor 指向這里:
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[0];
因?yàn)閯偤玫谝粋€(gè)DataDirectory內(nèi)容都是0,滿足我們的要求.
剩下的就需要找一個(gè)8字節(jié)大小的空間,要求第一個(gè)4字節(jié)改變不會(huì)影響程序運(yùn)行(這里用來(lái)保存第
一個(gè)IAT的地址),第二個(gè)4字節(jié)內(nèi)容為0. 這里用來(lái)存放 IMAGE_IMPORT_DESCRIPTOR 的 OriginalFirstThunk
和 FirstThunk ,根據(jù)需求來(lái)看,這兩個(gè)地址顯然可以相等.
很幸運(yùn)的是 IMAGE_IMPORT_DESCRIPTOR 自己的結(jié)構(gòu)就滿足這樣的要求:
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
union
{
DWORD Characteristics;
DWORD OriginalFirstThunk;
};
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
當(dāng)ForwarderChain為0的時(shí)候,TimeDateStamp偏移就可以用來(lái)存放我們需要的IAT地址.
OK,現(xiàn)在還剩下兩個(gè)地方?jīng)]有解決:dll名字以及導(dǎo)入函數(shù)的名字.
和上面一樣,我們還是到已有的結(jié)構(gòu)里面去找可以填充的空間:
Dll名字存放要求很簡(jiǎn)單,后面有一個(gè)'\0'結(jié)尾,然后填充內(nèi)容不影響程序運(yùn)行.
IMAGE_SECTION_HEADER好像可以滿足我們的要求:
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
一共有12字節(jié)存放我們的dll名字,同時(shí)Characteristics還有后1為可以供存放,所以一
共有13字節(jié),保存"Kernel32.dll"剛剛好.
IMAGE_FILE_HEADER 結(jié)構(gòu)也有12字節(jié)空間:
DWORD TimeDateStamp; //+8 可以隨便填
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
我們就在這里容納我們的函數(shù)名就可以了.
這樣整個(gè) IMAGE_IMPORT_DESCRIPTOR 結(jié)構(gòu)和import表其他內(nèi)容就被我們拆散整合到
已有的結(jié)構(gòu)里面去了.
接著我們?cè)賰?yōu)化一下shellcode, 使用msvcrt.dll的printf來(lái)輸出信息.
這樣,經(jīng)過精心裁減后,整個(gè)PE文件大小為224字節(jié),其中匯編代碼占了28字節(jié).
最終結(jié)果:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 C0 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 00 00 00 00 ; rt.dll.. ..?...
000000c0h: 50 68 72 6C 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C ; Phrld.ho,wohhell
000000d0h: 54 B0 6E 03 43 08 FF 10 83 C4 14 C3 00 00 00 00 ; T皀.C.?.兡.?...
注意,這個(gè)PE文件是不能直接被windbg(6.3.0017.0)調(diào)試器直接啟動(dòng)的,要想調(diào)試
代碼可以在匯編代碼前加上int 3(0xcc)來(lái)調(diào)試.
5.過程五:
最后,來(lái)考慮一下我們文件的對(duì)齊IMAGE_OPTIONAL_HEADER.SectionAlignment和
IMAGE_OPTIONAL_HEADER.FileAlignment, 既然要求是2的冪,那么我們完全可以
用2的0次方即1來(lái)做我們的alignment.
最終生成的EXE又瘦身了,大小僅為216字節(jié),其中包括28字節(jié)的匯編代碼
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 BC 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 01 00 00 00 01 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 50 68 72 6C ; rt.dll.. ..郟hrl
000000c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 54 B0 6E 03 ; d.ho,wohhellT皀.
000000d0h: 43 08 FF 10 83 C4 14 C3 ; C.?.兡.?
五. 后記.
理論上來(lái)說(shuō),后面的匯編代碼部分可以用任意自己的代碼來(lái)填充,只要獲得了kernel32.dll
的GetProcAddress函數(shù)的地址,那書寫自己控制的代碼并不是問題,而代碼長(zhǎng)度部分可以由
IMAGE_SECTION_HEADER的SizeOfRawData來(lái)控制. 我沒有試過,不過相信用188字節(jié)的PE頭結(jié)構(gòu)
寫出的PE文件一定很cool. PE頭還可以減小嗎?你想,你能.
最后祝大家中秋快樂!
六.參考.
1.MSDN.
2.winnt.h
3.watercloud<<手工打造微型Win32可執(zhí)行文件>>
http://www.xfocus.net/articles/200302/482.html