Finding the raw entry point
I want to be able to find out where the code appearing at the entry point comes from by looking at the PE header.
For example, this piece of code is the starting code of my program (401000h)
00401000 >/$ 58 POP EAX ; kernel32.76E93677
00401001 |. 2D 77360100 SUB EAX,13677
00401006 |. BB 4A184000 MOV EBX,<JMP.&kernel32.VirtualProtect>
I want to know where this code comes from. How can I find it without manually scanning my file? (To complete the example, here's a hexdump from the same file; the code now resides at 200h.)
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000200 58 2D 77 36 01 00 BB 4A 18 40 00
How can I get from my virtual entry point (401000h) to the raw entry point (200h)?
I tried solving it myself of course. But I'm missing something. At first I thought:
.text[ Entrypoint (1000h) - VirtualOffset (1000d) ] = raw entrypoint
since the file alignment = 200, and the raw entry point was at the very start of my .text section, I thought I could use this for all the executables.
Solved, I made stupid mistakes when calculating the raw entry point
.text[ Entry point - Virtual offset ] + File Alignment = Raw entry point (relative to .text section)
To locate the offset in the file by yourself you need to have a look at the _IMAGE_NT_HEADERS structure. From this you can get the IMAGE_OPTIONAL_HEADER, where
the member you are interested in, ImageBase, is. You can change its value with EditBin /REBASE, so there is little need to roll your own tool.
For reference, here is how you can determine the entry point via dumpbin.
You can use
dumpbin /headers
For the entry point the image base value is relevant. But this is only true for images that are not ASLR enabled. For them a random base address (1 of 128 different ones) is chosen.
The flag that indicates if an image is ASLR enabled is the value 0x40 which is set in DLL characteristics.
For svchost.exe, for example, it is set; for older programs it is generally 0.
Yours,
Alois Kraus
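As an added example (not code from the question or from either answer), here is a Python script that reads the header fields both posts refer to (AddressOfEntryPoint, ImageBase, DllCharacteristics and the section table) and applies the general mapping raw offset = RVA - section VirtualAddress + section PointerToRawData; the question's "+ File Alignment" shortcut gives the same number only because .text there is the first section and is stored right after the headers. The PE it parses is a constructed minimal header, not a real file, with the entry-point bytes from the question's hexdump appended at 200h.

```python
import struct
# Constructed sample (not a real file): minimal PE32 header with .text mapped at RVA 0x1000
# and stored at file offset 0x200, followed by the eleven entry-point bytes from the hexdump.
ENTRY_BYTES = bytes.fromhex("582d77360100bb4a184000")

def build_sample_pe() -> bytes:
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(0xE0)                               # IMAGE_OPTIONAL_HEADER (PE32)
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, 0)                  # DllCharacteristics (0x40 = ASLR)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", len(ENTRY_BYTES), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0") + ENTRY_BYTES

def parse_pe(data: bytes) -> dict:                      # only the fields this mapping needs
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                 # optional header follows the COFF header
    magic, entry_rva = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []                                       # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawsize, rawptr))
    return {"entry_rva": entry_rva, "image_base": image_base, "dll_chars": dll_chars, "sections": sections}

def rva_to_file_offset(sections, rva):                  # raw = RVA - VirtualAddress + PointerToRawData
    for _name, va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None                                         # RVA is not backed by any section

def entry_point_info(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"rva": pe["entry_rva"], "va": pe["image_base"] + pe["entry_rva"],
            "file_offset": rva_to_file_offset(pe["sections"], pe["entry_rva"]),
            "aslr": bool(pe["dll_chars"] & 0x40)}       # the DllCharacteristics flag the answer mentions
```

Because an RVA is relative to wherever the image is loaded, the mapping is unaffected by ASLR; only the "va" value depends on ImageBase.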
Have a look at this thread including an answer with a detailed explanation: Calculating the file offset of a entry point in a PE file