重读PE文件(3)
上一篇讲到16个IMAGE_DATA_DIRECTORY 字段,这16个字段如下:
0: IMAGE_DIRECTORY_ENTRY_EXPORT- 导出表
1: IMAGE_DIRECTORY_ENTRY_IMPORT- 导入表
2: IMAGE_DIRECTORY_ENTRY_RESOURCE- 资源
3: IMAGE_DIRECTORY_ENTRY_EXCEPTION- 异常(具体资料不详)
4: IMAGE_DIRECTORY_ENTRY_SECURITY- 安全(具体资料不详)
5: IMAGE_DIRECTORY_ENTRY_BASERELOC- 重定位表
6: IMAGE_DIRECTORY_ENTRY_DEBUG- 调试信息
7: IMAGE_DIRECTORY_ENTRY_ARCHITECTURE -版权信息
8: IMAGE_DIRECTORY_ENTRY_GLOBALPTR -具体资料不详
9: IMAGE_DIRECTORY_ENTRY_TLS- Thread Local Storage
10: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG- 具体资料不详
11: IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT- 具体资料不详
12: IMAGE_DIRECTORY_ENTRY_IAT- 导入函数地址表
13: IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT- 具体资料不详
14: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR- 具体资料不详
15: 未使用
IMAGE_DATA_DIRECTORY结构的定义如下:
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;//数据的起始RVA
DWORD Size;//数据的长度,即字节数
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
用数据其实RVA+数据长度-1即数据结束RVA
现在一个一个解释吧
1.对于IMAGE_DIRECTORY_ENTRY_EXPORT,即导出表,一般情况下,当前文件为exe的时候此处为0,当前文件为DLL的时候此处才有指,IMAGE_DIRECTORY_ENTRY_EXPORT结构的定义如下,本文不做解释
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
2.对于IMAGE_DIRECTORY_ENTRY_IMPORT,即导入表,其结构如下:
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD Characteristics; // 0 for terminating null import descriptor
DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
};
DWORD TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
DWORD ForwarderChain; // -1 if no forwarders
DWORD Name;
DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
晚上还要上课,导入表还有一些地方没研究完,等研究完了再来把本文补充完整吧
回来了,发现在IAT、导入表这些地方我卡住了,总是觉得不清不楚的,决定潜心下来好好看看《加密与解密》这本书,希望能让自己思路清晰一点