]]>
MS-DOS MZ header 鐨勭粨鏋勬槸榪欐牱鐨?/span>
MS-DOS MZ header
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;鍏朵腑姣旇緝鍏抽敭鐨勬垚鍛樻槸榪欎釜 e_lfanew 瀹冩寚鍚戜簡(jiǎn)PE鏂囦歡澶村湪PE鏂囦歡涓殑鐩稿铏氭嫙鍦板潃RAV(Relative Virtual Addresses)錛宔_magic鐨勫煎簲璇ョ瓑浜?0x5A4D 鏄疢S-DOS MZ header鐨勬爣蹇?MZ濂藉儚鏄釜紼嬪簭鍛樺悕瀛楃殑緙╁啓 鍏朵粬鎴愬憳鍩烘湰娌″暐澶х敤錛屼竴浜涘姞澹寵蔣浠朵細(xì)淇敼瀹冪殑鎴愬憳涓鴻嚜宸辯殑鑺傝吘鍑虹┖闂達(dá)紝鎴栬呭湪娣誨姞鑺傚艦寮忔劅鏌撴椂鑺傝〃灝鵑儴鐨勭┖闅欎笉澶熷啓鍏ヤ竴涓柊鐨勮В琛ㄧ粨鏋勭殑鏃跺欐妸IMAGE_DOS_HEADE 鍜?IMAGE_NT_HEADER 铻嶅悎銆?/p>
鍙互鑷繁鍐欎竴涓皬紼嬪簭鏉ヨ緭鍑轟竴涓婭MAGE_DOS_HEADE
IMAGE_DOS_HEADE榪欎釜緇撴瀯浣撳畾涔夊湪windows.h涓?/p>
緋葷粺鍔犺澆PE鏍煎紡鐨勬枃浠舵椂錛屼細(xì)鍏堝姞杞絀MAGE_DOS_HEADE榪欎釜緇撴瀯浣擄紝鍐嶆牴鎹粨鏋勪綋閲岀殑e_lfanew鎻愪緵鐨勭浉瀵瑰亸縐繪壘鍒癙E鏂囦歡澶淬?/p>
鐢╟璇█鍙互鐩存帴璇誨嚭IMAGE_DOS_HEADE榪欎釜緇撴瀯浣擄紝涓嬮潰寮濮嬪啓銆?/p>
浠庢枃浠剁殑寮濮嬩綅緗鍙朓MAGE_DOS_HEADE緇撴瀯浣?br />
fread(&mydosheader,sizeof(mydosheader),1,p);鍚ф枃浠舵寚閽堢Щ鍔ㄥ埌e_lfanew鎵鎸囩殑鐩稿鍋忕Щ錛屽嵆PE鏂囦歡澶?br />
fseek(p,mydosheader.e_lfanew,SEEK_SET);璇誨彇PE鏂囦歡鏍囧織錛岃繖涓狿E Signature鏄?PE\0\0 榪欐牱涓涓鹼紝璇佹槑瀹冩槸PE鏍煎紡鐨勮韓浠姐?br />
fread(&sig,4,1,p);榪欎釜鍒ゆ柇涓ぇ鍐欑殑鍙橀噺閮芥槸錛寃indows.h涓殑甯告暟
IMAGE_NT_SIGNATURE 鐨勫兼槸 PE\0\0
IMAGE_DOS_SIGN
ATURE 鐨勫兼槸 MZ
鍏蜂綋鐨勫畾涔夊彲浠ヨ嚜宸卞幓windows.h涓湅
銆if((mydosheader.e_magic ==IMAGE_DOS_SIGNATURE) &&銆銆銆銆銆銆銆銆(sig == IMAGE_NT_SIGNATURE))銆銆銆銆銆銆銆printf("鏈夋晥鐨凱E鏂囦歡/n");銆銆銆銆else銆銆銆銆銆銆printf("鏃犳晥鐨凱E鏂囦歡/n");銆銆銆銆return 0;涓嬮潰鏄畬鏁寸殑紼嬪簭
#include "windows.h"#include "stdio.h"int main(int argc, char* argv[]){銆銆銆銆FILE *p;銆銆銆銆IMAGE_DOS_HEADER mydosheader;銆銆銆銆unsigned long sig;銆銆銆銆p = fopen("test1.exe","r+b");銆銆銆銆if(p == NULL)return -1;銆銆銆銆fread(&mydosheader,sizeof(mydosheader),1,p);銆銆銆銆fseek(p,mydosheader.e_lfanew,SEEK_SET);銆銆銆銆fread(&sig,4,1,p);銆銆銆銆fclose(p);銆銆銆銆printf("IMAGE_DOS_HEADER dump:/n");銆銆銆銆printf("e_magic銆 : %04x/n",mydosheader.e_magic);銆銆銆銆printf("e_cblp銆銆: %04x/n",mydosheader.e_cblp);銆銆銆銆printf("e_cp銆銆銆: %04x/n",mydosheader.e_cp);銆銆銆銆printf("e_crlc銆銆: %04x/n",mydosheader.e_crlc);銆銆銆銆printf("e_cparhdr : %04x/n",mydosheader.e_cparhdr);銆銆銆銆printf("e_minalloc: %04x/n",mydosheader.e_minalloc);銆銆銆銆printf("e_maxalloc: %04x/n",mydosheader.e_maxalloc);銆銆銆銆printf("e_ss銆銆銆: %04x/n",mydosheader.e_ss);銆銆銆銆printf("e_sp銆銆銆: %04x/n",mydosheader.e_sp);銆銆銆銆printf("e_csum銆銆: %04x/n",mydosheader.e_csum);銆銆銆銆printf("e_ip銆銆銆: %04x/n",mydosheader.e_ip);銆銆銆銆printf("e_cs銆銆銆: %04x/n",mydosheader.e_cs);銆銆銆銆printf("e_lfarlc銆: %04x/n",mydosheader.e_lfarlc);銆銆銆銆printf("e_ovno銆銆: %04x/n",mydosheader.e_ovno);銆銆銆銆printf("e_res[0]銆: %04x/n",mydosheader.e_res[0]);銆銆銆銆printf("e_oemid銆 : %04x/n",mydosheader.e_oemid);銆銆銆銆printf("e_oeminfo : %04x/n",mydosheader.e_oeminfo);銆銆銆銆printf("res2[0]銆 : %04x/n",mydosheader.e_res2[0]);銆銆銆銆printf("lfanew銆銆: %08x/n",mydosheader.e_lfanew);銆銆銆銆if((mydosheader.e_magic ==IMAGE_DOS_SIGNATURE) &&銆銆銆銆銆銆銆銆(sig == IMAGE_NT_SIGNATURE))銆銆銆銆銆銆銆printf("鏈夋晥鐨凱E鏂囦歡/n");銆銆銆銆else銆銆銆銆銆銆printf("鏃犳晥鐨凱E鏂囦歡/n");銆銆銆銆return 0;}鏈鍚庨檮涓婂弬鑰冩枃绔犵殑鍦板潃
http://xue23.blog.163.com/blog/static/9793442005431142120/
http://bbs.fishc.com/home.php?mod=space&uid=9&do=blog&id=558
Peering Inside the PE.pdf
http://xue23.blog.163.com/blog/static/9793442005431142120/
]]>