国产十八禁AV网站,欧美日韩亚洲国产综合乱,亚洲国产aⅴ成人精品无吗,秋霞午夜福利影院合集





      

      


    
      
    
    
    



      

      

      


      

      


      

      

      

      

      


      

      

      



 找回密碼

      

      



 注冊

      

      




      


      

      QQ登錄
      

      只需一步,快速開始
      

      

      

      

      



      

      



      

      



      







      

      


      



      

      

      


      





      

      

      


      




      

      
關(guān)于PE下可執(zhí)行程序的修改!

      

[復(fù)制鏈接]

      		

      

      



      

      



      

      

      
 

      

      




      


1#


      

      

      

      

發(fā)表于 2008-9-28 16:20:46
|
只看該作者

|倒序瀏覽
|閱讀模式

      

      

      
 

      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">windows 9x</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2000</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下,所有的可執(zhí)行文件都是基于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Microsoft</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計的一種新的文件格式</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Portable Executable File Format</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(可移植的執(zhí)行體),即</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式。有一些時候,我們需要對這些可執(zhí)行文件進行修改,下面文字試圖詳細(xì)的描述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的格式及對</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式文件的修改。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件框架構(gòu)成</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DOS MZ header <BR>DOS stub <BR>PE header <BR>Section table <BR>Section 1 <BR>Section 2 <BR>Section ... <BR>Section n <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></P>6 C- r! O6 C. s1 ^0 V
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的總體層次分布。所有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">甚至</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">位的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DLLs) </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">必須以一個簡單的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開始,在偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下可執(zhí)行文件的“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MZ</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志”,有了它,一旦程序在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">就能識別出這是有效的執(zhí)行體,然后運行緊隨</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">之后的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>DOS stub</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">實際上是個有效的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">EXE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,在不支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的操作系統(tǒng)中,它將簡單顯示一個錯誤提示,類似于字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> " This program cannot run in DOS mode " </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">或者程序員可根據(jù)自己的意圖實現(xiàn)完整的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼。通常</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由匯編器</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">/</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">編譯器自動生成,對我們的用處不是很大,它簡單調(diào)用中斷</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">21h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">服務(wù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來顯示字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">"This program cannot run in DOS mode"</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">緊接著</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">相關(guān)結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> IMAGE_NT_HEADERS </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的簡稱,其中包含了許多</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器用到的重要域??蓤?zhí)行文件在支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的操作系統(tǒng)中執(zhí)行時,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處找到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的起始偏移量。因而跳過了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">直接定位到真正的文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>: _$ \: {7 `; k3 O
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的真正內(nèi)容劃分成塊,稱之為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">sections</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié))。每節(jié)是一塊擁有共同屬性的數(shù)據(jù),比如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”節(jié)等,那么,每一節(jié)的內(nèi)容都是什么呢?實際上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件把具有相同屬性的內(nèi)容放入同一個節(jié)中,而不必關(guān)心類似“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”、“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.data</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”的命名,其命名只是為了便于識別,所有,我們?nèi)绻麑?lt;/SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件進行修改,理論上講可以寫入任何一個節(jié)內(nèi),并調(diào)整此節(jié)的屬性就可以了。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR><BR>PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">接下來的數(shù)組結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> section table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié)表)。</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">每個結(jié)構(gòu)包含對應(yīng)節(jié)的屬性、文件偏移量、虛擬偏移量等。如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件里有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個節(jié),那么此結(jié)構(gòu)數(shù)組內(nèi)就有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個成員。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>2 S- ^5 r2 ?& J
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上就是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的物理分布,下面將總結(jié)一下裝載一</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的主要步驟:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件被執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">里的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>PE header </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">偏移量。如果找到,則跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的有效性。如果有效,就跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的尾部。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、緊跟</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是節(jié)表。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器讀取其中的節(jié)信息,并采用文件映射方法將這些節(jié)映射到內(nèi)存,同時付上節(jié)表里指定的節(jié)屬性。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件映射入內(nèi)存后,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將處理</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件中類似</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> import table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(引入表)邏輯部分。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上述步驟是一些前輩分析的結(jié)果簡述。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭概述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">我們可以在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">這個文件中找到關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_NT_HEADERS { <BR>DWORD Signature; <BR>//PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭標(biāo)志</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">:“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE\0\0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”。在開始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處所指向的地址開始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_FILE_HEADER FileHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件物理分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_OPTIONAL_HEADER32 OptionalHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件邏輯分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; <o:p></o:p></SPAN></P>
      
9 s3 ^9 u* j& M) C<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_FILE_HEADER { <BR>WORD Machine; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該文件運行所需要的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">CPU</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,對于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Intel</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">平臺是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">14Ch <BR>WORD NumberOfSections; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的節(jié)數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD TimeDateStamp; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件創(chuàng)建日期和時間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToSymbolTable; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用于調(diào)試</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD NumberOfSymbols; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">符號表中符號個數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD SizeOfOptionalHeader; //OptionalHeader </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件信息標(biāo)記,區(qū)分文件是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">dll <BR>} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; <o:p></o:p></SPAN></P>
      
. ]$ n9 a4 d; j1 L% Q1 V( V<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_OPTIONAL_HEADER { <BR>WORD Magic; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志字</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">總是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">010bh) <BR>BYTE MajorLinkerVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">連接器版本號</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>BYTE MinorLinkerVersion; // <BR>DWORD SizeOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfInitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">已初始化數(shù)據(jù)塊大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfUninitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">未初始化數(shù)據(jù)塊大小</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US><BR>DWORD AddressOfEntryPoint; //PE</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器準(zhǔn)備運行的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的第一個指令的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,若要改變整個執(zhí)行的流程,可以將該值指定到新的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,這樣新</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處的指令首先被執(zhí)行。(許多文章都有介紹</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,請去了解)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD BaseOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD BaseOfData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD ImageBase; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的裝載地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SectionAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">塊對齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD FileAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件塊對齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MajorOperatingSystemVersion;//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所需操作系統(tǒng)版本號</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorOperatingSystemVersion;// <BR>WORD MajorImageVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用戶自定義版本號</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorImageVersion; // <BR>WORD MajorSubsystemVersion; //win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">子系統(tǒng)版本。若</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件是專門為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorSubsystemVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該子系統(tǒng)版本必定是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4.0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">否則對話框不會有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">維立體感</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Win32VersionValue; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保留</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfImage; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">內(nèi)存中整個</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">映像體的尺寸</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfHeaders; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所有頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">+</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表的大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD CheckSum; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">校驗和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Subsystem; //NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用來識別</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件屬于哪個子系統(tǒng)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD DllCharacteristics; // <BR>DWORD SizeOfStackReserve; // <BR>DWORD SizeOfStackCommit; // <BR>DWORD SizeOfHeapReserve; // <BR>DWORD SizeOfHeapCommit; // <BR>DWORD LoaderFlags; // <BR>DWORD NumberOfRvaAndSizes; // <BR>IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; <BR>//IMAGE_DATA_DIRECTORY </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)數(shù)組。每個結(jié)構(gòu)給出一個重要數(shù)據(jù)結(jié)構(gòu)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,比如引入地址表等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; <o:p></o:p></SPAN></P>8 `1 Q9 \* D1 W# R& f0 U. L/ c
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_DATA_DIRECTORY { <BR>DWORD VirtualAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Size; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; <o:p></o:p></SPAN></P>% ?8 }5 Y" X: a( W# T  ^9 O
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭后是節(jié)表,在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下如下定義</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_SECTION_HEADER { <BR>BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表名稱</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>union { <BR>DWORD PhysicalAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD VirtualSize; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">真實長度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} Misc; <BR>DWORD VirtualAddress; //RVA <BR>DWORD SizeOfRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理長度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)基于文件的偏移量</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號表的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位項數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號表的數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)屬性</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; <o:p></o:p></SPAN></P>
      
. t- K5 z' k( H2 U1 e' f. R9 J<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上結(jié)構(gòu)就是在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義,如何我們用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">C/C++</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來進行</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件操作,就要用到上面的所有結(jié)構(gòu),它詳細(xì)的描述了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的結(jié)構(gòu)。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
      
1 q  R2 q* y* G, @<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、修改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">現(xiàn)在讓我們把一段代碼寫入任何一個</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的可執(zhí)行文件,代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>-- test.asm -- <BR>.386p <BR>.model flat, stdcall <BR>option casemap:none <o:p></o:p></SPAN></P>
      
  o1 }7 C4 C) ^$ F( p2 |* Q<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">include \masm32\include\windows.inc <BR>include \masm32\include\user32.inc <BR>includelib \masm32\lib\user32.lib <o:p></o:p></SPAN></P>' Y' I3 J. N- n9 C# Q4 v/ i' t5 {
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.code <o:p></o:p></SPAN></P>
      
, Y: j0 J, x  h, z) A/ c<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">start: <BR>INVOKE MessageBoxA,0,0,0,MB_ICONINFORMATION or MB_OK <BR>ret <BR>end start <o:p></o:p></SPAN></P>, W' G9 }3 ^6 k9 m8 D% P* G( }$ P: p
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上代碼只顯示一個</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">框,編譯后得到二進制代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>
      
& ?  E6 o6 o( w1 k5 ^- @2 l  L1 p<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">好,現(xiàn)在讓我們看看該把這些代碼寫到那?,F(xiàn)在用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Tdump.exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示一個</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式得可執(zhí)行文件信息,可以發(fā)現(xiàn)如下描述:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>Object table: <BR># Name VirtSize RVA PhysSize Phys off Flags <BR>-- -------- -------- -------- -------- -------- -------- <BR>01 .text 0000CCC0 00001000 0000CE00 00000600 60000020 [CER] <BR>02 .data 00004628 0000E000 00002C00 0000D400 C0000040 [IRW] <BR>03 .rsrc 000003C8 00013000 00000400 00010000 40000040 [IR] <o:p></o:p></SPAN></P>* \# S  ~% `- k* l
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Key to section flags: <BR>C - contains code <BR>E - executable <BR>I - contains initialized data <BR>R - readable <BR>W - writeable <o:p></o:p></SPAN></P>" Y: o7 o6 E$ e* `5 Z$ S1 h
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上面描述此文件中存在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個段及每個段得信息,實際上我們的代碼可以寫入任何一個段,這里我選擇“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>% {8 {- k8 l/ s; }
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用如下代碼得到一個</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式可執(zhí)行文件的頭信息:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
      
8 A' u* ]; C% ?- i% e& i<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//writePE.cpp <o:p></o:p></SPAN></P>
      
& q2 ?, F% G& w<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">#include &lt;windows.h&gt; <BR>#include &lt;stdio.h&gt; <BR>#include &lt;io.h&gt; <BR>#include &lt;fcntl.h&gt; <BR>#include &lt;time.h&gt; <BR>#include &lt;SYS\STAT.H&gt; <o:p></o:p></SPAN></P>
      
; |& g3 H: |$ W0 w" L; k<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>0 W5 D4 t$ q" s5 ]2 y
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD space; <BR>DWORD entryaddress; <BR>DWORD entrywrite; <BR>DWORD progRAV; <BR>DWORD oldentryaddress; <BR>DWORD newentryaddress; <BR>DWORD codeoffset; <BR>DWORD peaddress; <BR>DWORD flagaddress; <BR>DWORD flags; <o:p></o:p></SPAN></P>* y& k1 |$ J2 w% p: o3 l& n
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD virtsize; <BR>DWORD physaddress; <BR>DWORD physsize; <BR>DWORD MessageBoxAadaddress; <o:p></o:p></SPAN></P>
      
9 z% \1 |' b( R9 h$ q* o# h<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">int main(int argc,char * * argv) <BR>{ <BR>HANDLE hFile, hMapping; <BR>void *basepointer; <BR>FILETIME * Createtime; <BR>FILETIME * Accesstime; <BR>FILETIME * Writetime; <BR>Createtime = new FILETIME; <BR>Accesstime = new FILETIME; <BR>Writetime = new FILETIME; <o:p></o:p></SPAN></P>; T2 A4 j2 e3 ?+ N
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">打開要修改的文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <BR>if(!GetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("\nerror getfiletime: %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到要修改文件的創(chuàng)建、修改等時間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0))) <BR>{ <BR>puts("(mapping failed)"); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>if (!(basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0))) <BR>{ <BR>puts("(view failed)"); <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把文件頭映象存入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">baseointer <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>map_exe(basepointer);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到相關(guān)地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>UnmapViewOfFile(basepointer); <BR>printaddress(); <BR>printf("\n\n"); <BR>if(space&lt;50) <BR>{ <BR>printf("\n</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">空隙太小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)不能寫入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.\n"); <BR>} <BR>else <BR>{ <BR>writefile();//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>1 J# A5 O  K; Y# |; K  x
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE) <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <o:p></o:p></SPAN></P>
      
0 G" H' h/ z8 T* {- l+ s<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(!SetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("error settime : %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">恢復(fù)修改后文件的建立時間等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>delete Createtime; <BR>delete Accesstime; <BR>delete Writetime; <BR>CloseHandle(hFile); <BR>return 0; <BR>} <o:p></o:p></SPAN></P>
      
& K/ C4 c( I: Z* S6 a  H/ L<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void map_exe(const void *base) <BR>{ <BR>IMAGE_DOS_HEADER * dos_head; <BR>dos_head =(IMAGE_DOS_HEADER *)base; <BR>#include &lt;pshpack1.h&gt; <BR>typedef struct PE_HEADER_MAP <BR>{ <BR>DWORD signature; <BR>IMAGE_FILE_HEADER _head; <BR>IMAGE_OPTIONAL_HEADER opt_head; <BR>IMAGE_SECTION_HEADER section_header[]; <BR>} peHeader; <BR>#include &lt;poppack.h&gt; <o:p></o:p></SPAN></P>: c* B+ D$ ?  U# r- V# r% E
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if (dos_head-&gt;e_magic != IMAGE_DOS_SIGNATURE) <BR>{ <BR>puts("unknown type of file"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
# q& t# ]4 C9 t<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader * header; <BR>header = (peHeader *)((char *)dos_head + dos_head-&gt;e_lfanew);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (IsBadReadPtr(header, sizeof(*header)) <BR>{ <BR>puts("(no PE header, probably DOS executable)"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
; i# _  L; n0 M; n9 Y<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD mods; <BR>char tmpstr[4]={0}; <BR>DWORD tmpaddress; <BR>DWORD tmpaddress1; <o:p></o:p></SPAN></P>* N- `/ D. p7 L) R4 O
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(strstr((const char *)header-&gt;section_header[0].Name,".text")!=NULL) <BR>{ <BR>virtsize=header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的真實長度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physaddress=header-&gt;section_header[0].PointerToRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physsize=header-&gt;section_header[0].SizeOfRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理長度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>peaddress=dos_head-&gt;e_lfanew; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的開始偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
      
  ?) i# L2 ?( O3 a9 O% N+ z2 n5 M<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader peH; <BR>tmpaddress=(unsigned long )&amp;peH; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到結(jié)構(gòu)的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmpaddress1=(unsigned long )&amp;(peH.section_header[0].Characteristics); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到變量的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flagaddress=tmpaddress1-tmpaddress+2; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到屬性的相對偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flags=0x8000; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一般情況下,“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段是不可讀寫的,如果我們要把數(shù)據(jù)寫入這個段需要改變其屬性,實際上這個程序并沒有把數(shù)據(jù)寫入“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段,所以并不需要更改,但如果你實現(xiàn)復(fù)雜的功能,肯定需要數(shù)據(jù),肯定需要更改這個值,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
      
+ ^7 g$ U0 q/ X  [<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">space=physsize-virtsize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼段的可用空間,用以判斷可不可以寫入我們的代碼</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用此段的物理長度減去此段的真實長度就可以得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>progRAV=header-&gt;opt_head.ImageBase; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到程序的裝載地址,一般為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">400000 <BR>codeoffset=header-&gt;opt_head.BaseOfCode-physaddress; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼偏移,用代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">減去此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">應(yīng)為程序的入口計算公式是一個相對的偏移地址,計算公式為:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼的寫入地址+</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">codeoffset <o:p></o:p></SPAN></P>( j) h1 U! ]$ x3 I2 C6 p! f
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">entrywrite=header-&gt;section_header[0].PointerToRawData+header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼寫入的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>mods=entrywrite%16; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對齊邊界</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(mods!=0) <BR>{ <BR>entrywrite+=(16-mods); <BR>} <BR>oldentryaddress=header-&gt;opt_head.AddressOfEntryPoint; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保存舊的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>newentryaddress=entrywrite+codeoffset; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">計算新的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
0 D4 T9 z: L7 g2 Q  _7 b" n- |<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void printaddress() <BR>{ <BR>HINSTANCE gLibMsg=NULL; <BR>DWORD funaddress; <BR>gLibMsg=LoadLibrary("user32.dll"); <BR>funaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA"); <BR>MessageBoxAadaddress=funaddress; <BR>gLibAMsg=LoadLibrary("kernel32.dll"); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在內(nèi)存中的地址,以便我們使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>
      
, ^" h% m3 q% h. L: x9 g. J<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void writefile() <BR>{ <BR>int ret; <BR>long retf; <BR>DWORD address; <BR>int tmp; <BR>unsigned char waddress[4]={0}; <o:p></o:p></SPAN></P>4 w3 m5 n4 p! y& n2 Q4 W3 i  W
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">ret=_open(filename,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE); <BR>if(!ret) <BR>{ <BR>printf("error open\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>; U1 r" Z* o! x) }0 W* @
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)peaddress+40,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">程序的入口地址在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭開始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">40</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>address=newentryaddress; <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把新的入口地址寫入文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
8 f3 R" |; }& i# u<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite,SEEK_SET); <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>retf=_write(ret,writeline,18); <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入我們計算出的空間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>, ~5 S0 l5 `7 r
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+9,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)地址,它的二進制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[10]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>8 O& g8 T3 o9 A3 A! @% w
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=MessageBoxAadaddress-(progRAV+newentryaddress+9+4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重新計算</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的地址,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的原地址減去程序的裝載地址加上新的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(它的二進制代碼相對偏移)加上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長度)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入重新計算的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
% \1 q* P% j4 F<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+14,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改返回地址,用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">jpm</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回原程序入口地址,其它的二進制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[15]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>' A1 H% W% A0 P! _3 e$ [
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=0-(newentryaddress-oldentryaddress+4+15); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回地址計算的方法是新的入口地址減去老的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長度)加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">15</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(二進制代碼相對偏移)后取反</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入返回地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>! G9 v! W% F4 `* x* i6 t0 T6 k
      
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">_close(ret); <BR>printf("\nall done...\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
      
) e2 R4 H; x. k<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//end <o:p></o:p></SPAN></P>7 I, _3 F& H! @1 j7 S5 T: u
      
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由于在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件中,所有的地址都使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址,所以一些函數(shù)調(diào)用和返回地址都要經(jīng)過計算才可以得到,以上是我在實踐中的心得,如果你有更好的辦法,真心的希望你能告訴我。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
      


      

      

      


      

      

      


      

      



      

      

      




      

      



      

      

      

      



      






      






      



      

      

      

      








      

      

      


      

      
您需要登錄后才可以回帖 登錄 | 注冊





      

      

      

      

      

      

      






      
本版積分規(guī)則





      
      		

      

      

      

      




      


      

      

      

	
      

      

      

      
QQ|本地廣告聯(lián)系: QQ:905790666 TEL:13176190456|Archiver|手機版|小黑屋|汶上信息港
( 魯ICP備19052200號-1 )

      

      
GMT+8, 2025-4-20 08:46


      

      

      

      Powered by Discuz! X3.5
      

      © 2001-2025 Discuz! Team.
      

      



      
快速回復(fù)
返回頂部

返回列表