PE header requirements
What are the requirements of a PE file (PE/COFF)? What fields should be set, which value, at a bare minimum for enabling it to "run" on Windows (i.e. executing "ret" instruction and then close, without error).
The library I am building first is the linker: Now, the problem I have is the PE file (PE/COFF). I don't know what is "required" for a PE file before it can actually execute on my platform. My testing platform is Vista. I get an error message, saying "This is not a valid Win32 executable." when I execute it by double-clicking, and I get an "Access Denied." when executing it with CLI cmd. I have two sections, .text and .data.
I've implemented the PE headers as provided by several online documents, i.e. MSDN and some other third-party documentation. If I use a hex editor, it looks almost like a regular PE file. I don't use any imports, nor an IAT, nor any directories in the PE header.
Edit: I've added an import table; still not a valid .exe file, says my Windows. I've tried to use values which are also mentioned in the smallest-PE-file guide. No luck. Really, the only thing I can't seem to figure out is what is required and what isn't. Some guides tell me everything is required, whilst others talk about deprecations and say it can be zero.
I hope this is enough information. Thank you, in advance.
Raw data (as requested) of current PE header:
4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 02 00
C8 7A 55 4B 00 00 00 00 00 00 00 00 E0 00 82 01 0B 01 0D 25 00 10 00 00
00 10 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00
00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00 03 00 0A 00 00 00 00 00
00 22 00 00 38 01 00 00 00 00 00 00 03 00 00 00 00 40 00 00 00 40 00 00
00 40 00 00 00 40 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00
00 20 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2E 74 65 78 74 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 69 64 61 74 61 00 00
00 00 00 00 00 20 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 20 00 00 00 00 00 00
00 00 00 00 24 20 00 00 34 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 01 00 00 80
00 00 00 00 01 00 00 80 00 00 00 00
Comments (5)
This is a complete pain to copy paste into a hex editor, so unfortunately I cannot say anything too intelligent right off the bat.
Things to notice in a PE file:
Make sure your DOS header is valid.
Make sure the IMAGE_OPTIONAL_HEADER is properly formatted, because despite its name, Windows does not really like it not to be done properly.
For further information, above and beyond the MS format, look up pe.txt, one of the best homebrew guides to the PE format I know.
If you could post just the bytes, I could try putting it in my own PE parsers and see if I can help more.
This article about creating tiny PE executables might be of interest: in particular, it mentions that the Win2k loader needs KERNEL32.DLL to be imported, so that might be worth investigating.
What you are attempting to do is dependent upon the version of Windows you are using. For example, the way PE files were read on Windows 2000 is not the same way that Windows 7 reads them. I'm an OSX user, but on the Windows 7 I have, I am unable to manipulate PE files in ways that would work on Windows 2000 and earlier. I haven't tested XP or Vista (or others between 2000 and Win7) to see when Windows started reading PE differently. On Windows 7, every single bit of memory in the MS-DOS header and stub is ignored. The only 2 pieces that matter are the "magic number" (a WORD that is equal to "MZ") and the PE Offset, which is a DWORD that defines the place in memory where the PE header begins. I'm not sure if Windows truly ignores all other values in the MS-DOS header and stub 100% of the time, but excluding the two I just mentioned, if all other values are set to 0, a valid executable program will function properly.
In Windows 2000 and earlier, I don't know if what I mentioned above was true, but you were at that time allowed to modify the length of the MS-DOS stub (or remove it perhaps), provided that the PE Offset value was still pointing to the correct place in memory to find the PE header. On Windows 7, if you modify the length of the MS-DOS stub at all, even when PE Offset points to the correct, modified location, Windows will not run the exe and claims it is not a valid Win32 application.
4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
This is the least the MS-DOS portion of a PE file can have on Windows 7 while still having a valid, functioning executable. That bit cannot be shortened.
Hope this clears some things up.
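The first answer suggests running the bytes through a PE parser and checking the DOS and optional headers, and the answer above shows the MZ-only stub that still loads on Windows 7. The checker below is an added example, not code from the question or any answer. It embeds the questioner's header bytes exactly as posted (the post stops at offset 0x444, so anything that reaches past that is reported as "past the supplied bytes") and rebuilds the MZ-only stub from the answer's description ('MZ', e_lfanew = 0x80, everything else zero; its 0x80-byte length is my assumption). Every field it reads is checked against the definitions in the Microsoft PE/COFF spec (SizeOfHeaders covering the section table and rounded to FileAlignment, SizeOfImage a multiple of SectionAlignment, contiguous aligned sections, entry point inside an executable section); the check names, the "warning:" prefix and the result dictionary layout are my own.

```python
import struct

# PE32 optional header layout from the Microsoft PE/COFF spec: 28 standard bytes,
# then 68 Windows-specific bytes ending in NumberOfRvaAndSizes.
STD_FMT = "<HBBIIIIII"
WIN_FMT = "<III" + "HHHHHH" + "IIII" + "HH" + "IIIIII"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_SCN_MEM_EXECUTE = 0x20000000

_Z24 = "00 " * 24  # one all-zero 24-byte row of the question's dump
# The questioner's bytes, exactly as posted (the post ends at offset 0x444).
QUESTION_DUMP = (
    "4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    + _Z24
    + "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 02 00 "
    + "C8 7A 55 4B 00 00 00 00 00 00 00 00 E0 00 82 01 0B 01 0D 25 00 10 00 00 "
    + "00 10 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 "
    + "00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00 03 00 0A 00 00 00 00 00 "
    + "00 22 00 00 38 01 00 00 00 00 00 00 03 00 00 00 00 40 00 00 00 40 00 00 "
    + "00 40 00 00 00 40 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00 "
    + "00 20 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    + _Z24 * 4
    + "2E 74 65 78 74 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00 "
    + "00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 69 64 61 74 61 00 00 "
    + "00 00 00 00 00 20 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 "
    + "00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    + _Z24 * 25
    + "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 20 00 00 00 00 00 00 "
    + "00 00 00 00 24 20 00 00 34 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    + "00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 01 00 00 80 "
    + "00 00 00 00 01 00 00 80 00 00 00 00"
)
# MZ-only stub from the Windows 7 answer, rebuilt from its description: 'MZ',
# e_lfanew = 0x80 at offset 0x3C, all else zero. The 0x80 length is my assumption.
MINIMAL_DOS_HEADER = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(64)


def parse_hex(dump: str) -> bytes:
    """Whitespace-separated hex dump -> bytes."""
    return bytes.fromhex("".join(dump.split()))


def _align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def check_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> optional header -> section
    table, recording the fields the loader relies on and every inconsistency found."""
    fields, findings = {}, []

    def done():
        return {"ok": not findings, "fields": fields, "findings": findings}

    if len(data) < 0x40 or data[:2] != b"MZ":
        findings.append("DOS header: missing 'MZ' magic or fewer than 64 bytes")
        return done()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    fields["e_lfanew"] = e_lfanew
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append(f"PE signature not found at e_lfanew=0x{e_lfanew:X}")
        return done()
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    fields.update(machine=machine, number_of_sections=nsec, size_of_optional_header=opt_size)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("Characteristics lacks IMAGE_FILE_EXECUTABLE_IMAGE (0x0002)")
    opt = e_lfanew + 24
    if opt + struct.calcsize(STD_FMT) + struct.calcsize(WIN_FMT) > len(data):
        findings.append("optional header extends past supplied bytes")
        return done()
    std = struct.unpack_from(STD_FMT, data, opt)
    if std[0] != 0x10B:
        findings.append(f"optional header magic 0x{std[0]:X} is not PE32 (0x10B); PE32+ not handled here")
        return done()
    entry = std[6]  # AddressOfEntryPoint
    w = struct.unpack_from(WIN_FMT, data, opt + struct.calcsize(STD_FMT))
    image_base, sec_align, file_align = w[0], w[1], w[2]
    size_image, size_headers, subsystem, n_dirs = w[10], w[11], w[13], w[20]
    fields.update(entry_point=entry, image_base=image_base, section_alignment=sec_align,
                  file_alignment=file_align, size_of_image=size_image,
                  size_of_headers=size_headers, subsystem=subsystem, num_dirs=n_dirs)
    if not file_align or not sec_align:
        findings.append("FileAlignment and SectionAlignment must be non-zero")
        return done()
    if file_align & (file_align - 1) or not 512 <= file_align <= 0x10000:
        findings.append(f"FileAlignment 0x{file_align:X} must be a power of two between 512 and 64K")
    if sec_align < file_align:
        findings.append(f"SectionAlignment 0x{sec_align:X} smaller than FileAlignment 0x{file_align:X}")
    if image_base % 0x10000:
        findings.append(f"ImageBase 0x{image_base:X} is not a multiple of 64K")
    if subsystem == 0:
        findings.append("Subsystem is 0 (unknown); console is 3, GUI is 2")
    if n_dirs > 16:
        findings.append(f"NumberOfRvaAndSizes {n_dirs} exceeds 16")
    if opt_size != 0x60 + 8 * n_dirs:
        findings.append(f"warning: SizeOfOptionalHeader 0x{opt_size:X} != 0x60 + 8*NumberOfRvaAndSizes (0x{0x60 + 8 * n_dirs:X})")
    sec_tab, sec_end = opt + opt_size, opt + opt_size + 40 * nsec
    if sec_end > len(data):
        findings.append(f"section table (ends 0x{sec_end:X}) extends past supplied bytes (0x{len(data):X})")
        return done()
    if size_headers < sec_end:
        findings.append(f"SizeOfHeaders 0x{size_headers:X} is smaller than end of section table 0x{sec_end:X}")
    if size_headers % file_align:
        findings.append(f"SizeOfHeaders 0x{size_headers:X} not a multiple of FileAlignment 0x{file_align:X}")
    if size_image % sec_align:
        findings.append(f"SizeOfImage 0x{size_image:X} not a multiple of SectionAlignment 0x{sec_align:X}")
    sections, entry_ok, next_va = [], False, _align_up(size_headers, sec_align)
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from("<8sIIIIIIHHI", data, sec_tab + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(name)
        if vsize == 0:
            findings.append(f"warning: section {name}: VirtualSize is 0; using SizeOfRawData as mapped size")
        mapped = vsize or rawsize
        if va % sec_align:
            findings.append(f"section {name}: VirtualAddress 0x{va:X} not aligned to SectionAlignment")
        if rawptr % file_align:
            findings.append(f"section {name}: PointerToRawData 0x{rawptr:X} not aligned to FileAlignment")
        if rawptr + rawsize > len(data):
            findings.append(f"section {name}: raw data 0x{rawptr:X}..0x{rawptr + rawsize:X} extends past supplied bytes (0x{len(data):X})")
        if va != next_va:
            findings.append(f"section {name}: VirtualAddress 0x{va:X}, expected 0x{next_va:X} (sections must be contiguous)")
        next_va = _align_up(va + mapped, sec_align)
        if va <= entry < va + mapped and sflags & IMAGE_SCN_MEM_EXECUTE:
            entry_ok = True
    fields["sections"] = sections
    if not entry_ok:
        findings.append(f"AddressOfEntryPoint 0x{entry:X} is not inside an executable section")
    if size_image != next_va:
        findings.append(f"SizeOfImage 0x{size_image:X} should be the end of the last section rounded to SectionAlignment (0x{next_va:X})")
    return done()


if __name__ == "__main__":
    for label, blob in (("question", parse_hex(QUESTION_DUMP)), ("mz-only stub", MINIMAL_DOS_HEADER)):
        r = check_pe(blob)
        print(f"[{label}] ok={r['ok']} fields={r['fields']}")
        for f in r["findings"]:
            print("  -", f)
```

Running it prints each header's parsed fields followed by the list of spec disagreements; on the posted bytes the list includes the SizeOfHeaders, SizeOfImage and .idata raw-range findings, and on the MZ-only stub it stops at the missing PE signature, which is exactly what a reader of that stub on its own should report. Only the structural checks shown are made; import directory contents are not parsed.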
You could try a book like .NET 2.0 IL Assembler. This book has a whole chapter devoted to what a PE format executable looks like (and what a .Net PE looks like).
You could also try loading your PE files with a PE File Reader and examining the results.
If the PE reader struggles with your PE, then you have a pointer to what is failing.
Here is a PE File Reading DLL I wrote (with source). There is also a GUI (with source) that uses it.
The source is completely open source (not encumbered by the GPL), so you can do what you want with it (except impose a GPL on it, which would prevent it from being completely open), including taking your version closed.
The Microsoft PE/COFF spec is the only spec I know of.