]]>
MS-DOS MZ header 鐨勭粨鏋勬槸榪欐牱鐨?/span>
MS-DOS MZ header
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;鍏朵腑姣旇緝鍏抽敭鐨勬垚鍛樻槸榪欎釜 e_lfanew 瀹冩寚鍚戜簡PE鏂囦歡澶村湪PE鏂囦歡涓殑鐩稿铏氭嫙鍦板潃RAV(Relative Virtual Addresses)錛宔_magic鐨勫煎簲璇ョ瓑浜?0x5A4D 鏄疢S-DOS MZ header鐨勬爣蹇?MZ濂藉儚鏄釜紼嬪簭鍛樺悕瀛楃殑緙╁啓 鍏朵粬鎴愬憳鍩烘湰娌″暐澶х敤錛屼竴浜涘姞澹寵蔣浠朵細淇敼瀹冪殑鎴愬憳涓鴻嚜宸辯殑鑺傝吘鍑虹┖闂達紝鎴栬呭湪娣誨姞鑺傚艦寮忔劅鏌撴椂鑺傝〃灝鵑儴鐨勭┖闅欎笉澶熷啓鍏ヤ竴涓柊鐨勮В琛ㄧ粨鏋勭殑鏃跺欐妸IMAGE_DOS_HEADE 鍜?IMAGE_NT_HEADER 铻嶅悎銆?/p>
鍙互鑷繁鍐欎竴涓皬紼嬪簭鏉ヨ緭鍑轟竴涓婭MAGE_DOS_HEADE
IMAGE_DOS_HEADE榪欎釜緇撴瀯浣撳畾涔夊湪windows.h涓?/p>
緋葷粺鍔犺澆PE鏍煎紡鐨勬枃浠舵椂錛屼細鍏堝姞杞絀MAGE_DOS_HEADE榪欎釜緇撴瀯浣擄紝鍐嶆牴鎹粨鏋勪綋閲岀殑e_lfanew鎻愪緵鐨勭浉瀵瑰亸縐繪壘鍒癙E鏂囦歡澶淬?/p>
鐢╟璇█鍙互鐩存帴璇誨嚭IMAGE_DOS_HEADE榪欎釜緇撴瀯浣擄紝涓嬮潰寮濮嬪啓銆?/p>
浠庢枃浠剁殑寮濮嬩綅緗鍙朓MAGE_DOS_HEADE緇撴瀯浣?br />
fread(&mydosheader,sizeof(mydosheader),1,p);鍚ф枃浠舵寚閽堢Щ鍔ㄥ埌e_lfanew鎵鎸囩殑鐩稿鍋忕Щ錛屽嵆PE鏂囦歡澶?br />
fseek(p,mydosheader.e_lfanew,SEEK_SET);璇誨彇PE鏂囦歡鏍囧織錛岃繖涓狿E Signature鏄?PE\0\0 榪欐牱涓涓鹼紝璇佹槑瀹冩槸PE鏍煎紡鐨勮韓浠姐?br />
fread(&sig,4,1,p);榪欎釜鍒ゆ柇涓ぇ鍐欑殑鍙橀噺閮芥槸錛寃indows.h涓殑甯告暟
IMAGE_NT_SIGNATURE 鐨勫兼槸 PE\0\0
IMAGE_DOS_SIGN
ATURE 鐨勫兼槸 MZ
鍏蜂綋鐨勫畾涔夊彲浠ヨ嚜宸卞幓windows.h涓湅
銆if((mydosheader.e_magic ==IMAGE_DOS_SIGNATURE) &&銆銆銆銆銆銆銆銆(sig == IMAGE_NT_SIGNATURE))銆銆銆銆銆銆銆printf("鏈夋晥鐨凱E鏂囦歡/n");銆銆銆銆else銆銆銆銆銆銆printf("鏃犳晥鐨凱E鏂囦歡/n");銆銆銆銆return 0;涓嬮潰鏄畬鏁寸殑紼嬪簭
#include "windows.h"#include "stdio.h"int main(int argc, char* argv[]){銆銆銆銆FILE *p;銆銆銆銆IMAGE_DOS_HEADER mydosheader;銆銆銆銆unsigned long sig;銆銆銆銆p = fopen("test1.exe","r+b");銆銆銆銆if(p == NULL)return -1;銆銆銆銆fread(&mydosheader,sizeof(mydosheader),1,p);銆銆銆銆fseek(p,mydosheader.e_lfanew,SEEK_SET);銆銆銆銆fread(&sig,4,1,p);銆銆銆銆fclose(p);銆銆銆銆printf("IMAGE_DOS_HEADER dump:/n");銆銆銆銆printf("e_magic銆 : %04x/n",mydosheader.e_magic);銆銆銆銆printf("e_cblp銆銆: %04x/n",mydosheader.e_cblp);銆銆銆銆printf("e_cp銆銆銆: %04x/n",mydosheader.e_cp);銆銆銆銆printf("e_crlc銆銆: %04x/n",mydosheader.e_crlc);銆銆銆銆printf("e_cparhdr : %04x/n",mydosheader.e_cparhdr);銆銆銆銆printf("e_minalloc: %04x/n",mydosheader.e_minalloc);銆銆銆銆printf("e_maxalloc: %04x/n",mydosheader.e_maxalloc);銆銆銆銆printf("e_ss銆銆銆: %04x/n",mydosheader.e_ss);銆銆銆銆printf("e_sp銆銆銆: %04x/n",mydosheader.e_sp);銆銆銆銆printf("e_csum銆銆: %04x/n",mydosheader.e_csum);銆銆銆銆printf("e_ip銆銆銆: %04x/n",mydosheader.e_ip);銆銆銆銆printf("e_cs銆銆銆: %04x/n",mydosheader.e_cs);銆銆銆銆printf("e_lfarlc銆: %04x/n",mydosheader.e_lfarlc);銆銆銆銆printf("e_ovno銆銆: %04x/n",mydosheader.e_ovno);銆銆銆銆printf("e_res[0]銆: %04x/n",mydosheader.e_res[0]);銆銆銆銆printf("e_oemid銆 : %04x/n",mydosheader.e_oemid);銆銆銆銆printf("e_oeminfo : %04x/n",mydosheader.e_oeminfo);銆銆銆銆printf("res2[0]銆 : %04x/n",mydosheader.e_res2[0]);銆銆銆銆printf("lfanew銆銆: %08x/n",mydosheader.e_lfanew);銆銆銆銆if((mydosheader.e_magic ==IMAGE_DOS_SIGNATURE) &&銆銆銆銆銆銆銆銆(sig == IMAGE_NT_SIGNATURE))銆銆銆銆銆銆銆printf("鏈夋晥鐨凱E鏂囦歡/n");銆銆銆銆else銆銆銆銆銆銆printf("鏃犳晥鐨凱E鏂囦歡/n");銆銆銆銆return 0;}鏈鍚庨檮涓婂弬鑰冩枃绔犵殑鍦板潃
http://xue23.blog.163.com/blog/static/9793442005431142120/
http://bbs.fishc.com/home.php?mod=space&uid=9&do=blog&id=558
Peering Inside the PE.pdf
http://xue23.blog.163.com/blog/static/9793442005431142120/
]]>