?
PE 文件格式
?
PE. Portable Executable, 可移植的可執(zhí)行文件, 是 MS WinNT, Win95, Win32中可執(zhí)行的二進制文件
???a.在 Win 中��,驅動也是這種格式
?? b.這種文件格式由MS設計
?
1. DOS 頭是這樣的一個結構(也叫 'MZ' 頭), 總共是 64 bytes
??? typedef struct _IMAGE_DOS_HEADER
?? {??????
??????? WORD?? e_magic;??????? // 必需為 4D 5A???? 'MZ'?? IMAGE_DOS_SIGNATURE
??????? WORD?? e_cblp;????????? // 文件最后頁的字節(jié)數???????????
??????? WORD?? e_cp;??????????? // 文件頁數
??????? WORD?? e_crlc;????????? // 重定義元素個數
??????? WORD?? e_cparhdr;???? // 頭部盡寸, 以段落為單位??????????????
??????? WORD?? e_minalloc;???? // 所需的最小附加段
??????? WORD?? e_maxalloc;??? // 所需的最大附加段
??????? WORD?? e_ss;??????????? // 初始的SS值 (相對偏移量)
??????? WORD?? e_sp;??????????? // 實始的SP值?
????????WORD?? e_csum;??????? // 校驗和
????????WORD?? e_ip;???????????? // 初始的IP值
????????WORD?? e_cs;??????????? // 初始的CS值(相對偏移量)
????????WORD?? e_lfarlc;???????? // 重分配表文件地址
????????WORD?? e_ovno;???????? // 覆蓋號
????????WORD?? e_res[4];?????? // 保留字?
??????? WORD?? e_oemid;?????? // OEM標識符 (相對 e_oeminfo)??????????????
??????? WORD?? e_oeminfo;???? // OEM 信息????????????????
??????? WORD?? e_res2[10];??? // 保留字
??????? LONG?? e_lfanew;?????? //? PE頭文件偏移量 , IMAGE_NT_HEADER32 結構所在的文件地址?????????
?? }IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
???
?? (1). “MZ”是MS-DOS開發(fā)者之一的馬克·茨柏克沃斯基(Mark Zbikowski)的姓名首字母縮寫�����。
?? (2).? e_lfanew定位到PE文件頭
?
???P:? 1. 如何修改 DOS Stub
??????? A:?? If you're compiling and linking the program yourself using MS compilers then the simplest approach would be to put in a custom DOS stub using the linkers /STUB[^] switch. Put in one which simply does nothing and returns immediately.?
???????
/STUB:filename
?Remarks
where:
- filename
An MS-DOS application.
?Remarks
The /STUB option attaches an MS-DOS stub program to a Win32 program.
A stub program is invoked if the file is executed in MS-DOS. It usually displays an appropriate message; however, any valid MS-DOS application can be a stub program.
Specify a filename for the stub program after a colon (:) on the command line. The linker checks filename and issues an error message if the file is not an executable. The program must be an .exe file; a .com file is invalid for a stub program.
If this option is not used, the linker attaches a default stub program that issues the following message:
When building a virtual device driver, filename allows the user to specify a file name that contains an IMAGE_DOS_HEADER structure (defined in WINNT.H) to be used in the VXD, rather than the default header.
To set this linker option in the Visual Studio development environment
Open the project's Property Pages dialog box. For details, see Setting Visual C++ Project Properties.
Click the Linker folder.
Click the Command Line property page.
Type the option into the Additional Options box.
To set this linker option programmatically
?
??????? 2. DOS 下的程序 與 (Win32下的程序?/ VC6編譯的DOS程序), MZ頭的不同?
?
???---------------------------------------------------------------------------------
?? Offset?????? 00 01 02 03 04 05 06 07? 08 09 0A 0B 0C 0D 0E 0F
?? 00000000? 4D 5A 90 00 03 00 00 00?? 04 00 00 00 FF FF 00 00?? MZ?..........
?? 00000010? B8 00 00 00 00 00 00 00?? 40 00 00 00 00 00 00 00?? ?......@.......
?? 00000020? 00 00 00 00 00 00 00 00?? 00 00 00 00 00 00 00 00?? ................
?? 00000030? 00 00 00 00 00 00 00 00?? 00 00 00 00 F0 00 00 00?? ............?..
???---------------------------------------------------------------------------------??
??
?? 第一行:
?? (1). 4D 5A 對應 IMAGE_DOS_HEADER.e_magic 字段, 分別為 'MZ' 的 ASCII 碼
?? (2). 90 00 對應 IMAGE_DOS_HEADER.e_cblp 字段�����,值為 0x0090,
?? (3). 03 00 對應 IMAGE_DOS_HEADER.e_cp 字段�����,值為 0x0003,
??
(4). 00 00 對應 IMAGE_DOS_HEADER.e_crlc 字段���,值為 0x0000
??
?? (5). 04 00 對應 IMAGE_DOS_HEADER.e_cparhdr?? 0x0004;???? // 頭部盡寸, 以段落為單位??????????????
???(6). 00 00 對應 IMAGE_DOS_HEADER.e_minalloc?? 0x0000;???? // 所需的最小附加段
???(7). FF FF 對應 IMAGE_DOS_HEADER.e_maxalloc? 0xFFFF;??? // 所需的最大附加段
???(8). 00 00 對應 IMAGE_DOS_HEADER.e_ss;???????? 0x0000???? // 初始的SS值 (相對偏移量)
???
?? 第二行:
???(9) . B8 00 對應 IMAGE_DOS_HEADER.e_sp;??? 0x00B8???????? // 實始的SP值?
???(10).00 00 對應 IMAGE_DOS_HEADER.e_csum; 0x0000?????? // 校驗和
???(11).00 00 對應 IMAGE_DOS_HEADER.e_ip;?? 0x00????????? // 初始的IP值
???(12).00 00?對應?IMAGE_DOS_HEADER.e_cs;? 0x00????????? // 初始的CS值(相對偏移量)
???
????(13). 40 00 對應 IMAGE_DOS_HEADER.e_lfarlc;? 0x0040??????? // 重分配表文件地址
????(14). 00 00 對應 IMAGE_DOS_HEADER.e_ovno;? 0x0000?????? // 覆蓋號
????(15). 00 00 對應 IMAGE_DOS_HEADER.e_res[4]; 0x0000????? // 保留字
??????????? 00 00
??????????? 00 00
?
??? 第三行:
????(16). 00 00
??? (17). 00 00 對應 IMAGE_DOS_HEADER.e_oemid;?????? // OEM標識符 (相對 e_oeminfo)??
??? (18). 00 00 對應 IMAGE_DOS_HEADER.WORD?? e_oeminfo;???? // OEM 信息
????(16).?00 00 對應 IMAGE_DOS_HEADER.WORD?? e_res2[10];??? // 保留字?
???????????
????(17).?00 00
????(18).?00 00?
????(19).?00 00
????(20).?00 00
?
??? 第四行:
????(21).?00 00
????(22).?00 00?
????(23).?00 00
????(24).?00 00
?
????(25).?00 00
????(26).?00 00?
????(27).?F0 00 對應 IMAGE_DOS_HEADER.LONG?? e_lfanew;? 這里的地址為 0x000000F0 //? PE頭文件偏移量 , IMAGE_NT_HEADER32 結構所在的文件地址
????(28).?00 00
2. DOS Stub (DOS實模式殘余程序)
?? (1). 實模式殘余程序 是一個在裝載時能夠被 MS-DOS運行的實際程序����。
?? (2). Dos Stub 只是提供了 PE 文件在DOS下面執(zhí)行時�����,DOS會把它當作有效的執(zhí)行文件而順利執(zhí)行��。
???????? 通常 Win32 的程序會在屏幕上輸入"This Program cannot run in DOS mode"之類的提示語
?? (3). 可以隨便改變 DOS Stub, 根據自己的意圖實現完整的 DOS 代碼
???(4). DOS 下的EXE文件,長度不定
?? (5). 在 Win32下, MZ頭 跟 DOS 加載模塊 用不上, 加上這兩個只為兼容性問題
P:
1.? 只取 MZ 頭與 DOS Stub
Offset????? 0? 1? 2? 3? 4? 5? 6? 7?? 8? 9? A? B? C? D? E? F
00000000?? 4D 5A 90 00 03 00 00 00? 04 00 00 00 FF FF 00 00?? MZ?..........
00000010?? B8 00 00 00 00 00 00 00? 40 00 00 00 00 00 00 00?? ?......@.......
00000020?? 00 00 00 00 00 00 00 00? 00 00 00 00 00 00 00 00?? ................
00000030?? 00 00 00 00 00 00 00 00? 00 00 00 00?00 0F 00 00?? ............?..
00000040?? 0E 1F BA 0E 00 B4 09 CD? 21 B8 01 4C CD 21 54 68?? ..?.???L?Th
00000050?? 69 73 20 70 72 6F 67 72? 61 6D 20 63 61 6E 6E 6F?? is program canno
00000060?? 74 20 62 65 20 72 75 6E? 20 69 6E 20 44 4F 53 20?? t be run in DOS
00000070?? 6D 6F 64 65 2E 0D 0D 0A? 24 00 00 00 00 00 00 00?? mode....$.......
00000080?? 8D 44 CE 8E C9 25 A0 DD? C9 25 A0 DD C9 25 A0 DD?? 岲螏?犦?犦?犦
00000090?? AB 3A B3 DD CD 25 A0 DD? 4A 39 AE DD C8 25 A0 DD?? ?齒?犦J9?犦
000000A0?? A6 3A AA DD C2 25 A0 DD? A6 3A A4 DD CB 25 A0 DD?? ??犦?ぽ?犦
000000B0?? FF 03 A4 DD CA 25 A0 DD? C9 25 A1 DD BA 25 A0 DD?? .ぽ?犦?≥?犦
000000C0?? FF 03 AB DD CF 25 A0 DD? 0E 23 A6 DD C8 25 A0 DD?? .?犦.#?犦
000000D0?? 52 69 63 68 C9 25 A0 DD? 00 00 00 00 00 00 00 00?? Rich?犦........
000000E0?? 00 00 00 00 00 00 00 00? 00 00 00 00 00 00 00 00?? ................
結果�����,
運行程序并沒有顯示 '?This program cannot be run in DOS?mode?' ..........??
在純DOS下會顯示 'Errror in exe file'
難道跟 MZ 頭除了e_lfanew的字段有關�?........
將開頭的? 4D 5A 90 00 03 00 改為
????????????????? 4D 5A 00 01 01 00
之后,在純DOS下就會顯示??'?This program cannot be run in DOS?mode?'
在 Win 下會一閃而過, 需要先 run cmd, 再run debug, -q 退出, 再執(zhí)行,就會顯示 '?This program cannot be run in DOS?mode?'
原因暫時未知.