Principle: be rigorous about the details
Structure | Name | Size | Description
DOS header (IMAGE_DOS_HEADER) | DosHeader | 64 bytes (40h) | Exists for compatibility with DOS programs
DOS stub: data used by the DOS header (this part is not important) | DosStub | Determined by the last DOS header field, e_lfanew, which records the file offset of the NT headers (the PE header can therefore be placed here, or even overlap the DOS header) | DOS stub program
NT headers (IMAGE_NT_HEADERS32) | NtHeaders | DWORD Signature: 4 bytes; IMAGE_FILE_HEADER FileHeader: 20 bytes; IMAGE_OPTIONAL_HEADER32 OptionalHeader: 00E0h for 32-bit, 00F0h for 64-bit | Stores all attributes and initialization information of the PE file (made up of the file header and the optional header)
Section header table, an array of IMAGE_SECTION_HEADER | SectionHeader | 40 bytes per section header | Describes the PE file body section by section; the number of entries varies
Sections (the common ones) | .text: usually the code section; .data: usually the data section; .bss: uninitialized data such as static variables; .rdata: read-only data such as strings; .textbss: related to code, purpose not yet clear; .idata and .edata: import and export table information; .rsrc: resources; .reloc: relocations | The number varies and the size depends on the program; for the simple hello world written here, three sections of 200h bytes each are enough | The body of the PE file: executable code, data of all kinds, resources and so on, stored section by section
Debug information | not covered for now | not covered for now | not covered for now
// DOS header: only two fields need to be set
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD  e_magic;                      // Magic number (the magic value; always the bytes 4D 5A)
    WORD  e_cblp;                       // Bytes on last page of file
    WORD  e_cp;                         // Pages in file
    WORD  e_crlc;                       // Relocations
    WORD  e_cparhdr;                    // Size of header in paragraphs
    WORD  e_minalloc;                   // Minimum extra paragraphs needed
    WORD  e_maxalloc;                   // Maximum extra paragraphs needed
    WORD  e_ss;                         // Initial (relative) SS value
    WORD  e_sp;                         // Initial SP value
    WORD  e_csum;                       // Checksum
    WORD  e_ip;                         // Initial IP value
    WORD  e_cs;                         // Initial (relative) CS value
    WORD  e_lfarlc;                     // File address of relocation table
    WORD  e_ovno;                       // Overlay number
    WORD  e_res[4];                     // Reserved words
    WORD  e_oemid;                      // OEM identifier (for e_oeminfo)
    WORD  e_oeminfo;                    // OEM information; e_oemid specific
    WORD  e_res2[10];                   // Reserved words
    LONG  e_lfanew;                     // File address of new exe header (offset of the NT headers); you can choose this yourself
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
// NT headers: all of it matters; the file header and the optional header need detailed discussion
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // Marker: the second sign that this is a PE file, always 0x00004550, the bytes "PE\0\0"
    IMAGE_FILE_HEADER FileHeader;           // File header
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // Optional (extended) header
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
// File header: 20 bytes in total
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // 1. CPU platform the file runs on: 0x014c = i386; 0x0200 denotes a 64-bit platform
    WORD  NumberOfSections;     // 2. Number of sections: this program is written with 3 sections
    DWORD TimeDateStamp;        // 3. File creation time: not important, 0x00000000
    DWORD PointerToSymbolTable; // 4. Symbol table offset: no effect on execution, 0x00000000
    DWORD NumberOfSymbols;      // 5. Number of symbols: no effect on execution, 0x00000000
    WORD  SizeOfOptionalHeader; // 6. Size of the optional header: normally 00E0h for 32-bit, 00F0h for 64-bit
    WORD  Characteristics;      // 7. PE file attributes: a DLL is normally 0x0210, an EXE 0x010F
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
// Optional header: 31 members; its size is normally 00E0h for 32-bit and 00F0h for 64-bit
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                       // 1. Type of PE file: normally 0x010B for 32-bit, 0x020B for 64-bit; 0x0107 denotes a ROM image
    BYTE  MajorLinkerVersion;          // 2. Linker major version, can be 0x00
    BYTE  MinorLinkerVersion;          // 3. Linker minor version, can be 0x00
    DWORD SizeOfCode;                  // 4. Size of the code section; does not affect execution, can be 0x00000000
    DWORD SizeOfInitializedData;       // 5. Size of initialized data; does not affect execution, can be 0x00000000
    DWORD SizeOfUninitializedData;     // 6. Size of uninitialized data; does not affect execution, can be 0x00000000
    DWORD AddressOfEntryPoint;         // 7. RVA of the entry point (OEP). .text is normally the code section, so this is the start of .text, but after memory alignment: the whole PE header occupies 1000h in memory once aligned, so this value is 1000h
    DWORD BaseOfCode;                  // 8. RVA where code starts; does not affect execution, can be 0x00000000
    DWORD BaseOfData;                  // 9. RVA where data starts; does not affect execution, can be 0x00000000
    // NT additional fields.
    DWORD ImageBase;                   // 10. Preferred load base: if the image is not loaded there, relocation takes place. Must be a multiple of 64K; for a DLL it is 0x100 0000. The PE loader tries to map the file at virtual address 0040 0000h; "preferred" means that if that region is already occupied by another module, the loader picks another free address. We set it to 00400000
    DWORD SectionAlignment;            // 11. Section alignment in memory, normally 0x1000
    DWORD FileAlignment;               // 12. File alignment, normally 0x200
    WORD  MajorOperatingSystemVersion; // 13. OS major version, can be 0
    WORD  MinorOperatingSystemVersion; // 14. OS minor version, can be 0
    WORD  MajorImageVersion;           // 15. Image major version, can be 0
    WORD  MinorImageVersion;           // 16. Image minor version, can be 0
    WORD  MajorSubsystemVersion;       // 17. Subsystem major version
    WORD  MinorSubsystemVersion;       // 18. Subsystem minor version. This is the Win32 subsystem version: PE files are designed for Win32, whose subsystem version must be 4.0, so the value written is "04" (in the header bytes below this lands as MajorSubsystemVersion = 4, MinorSubsystemVersion = 0)
    DWORD Win32VersionValue;           // 19. Reserved, can be 0x00000000
    DWORD SizeOfImage;                 // 20. Image size: the total memory needed to load the file, memory-aligned. The whole PE header is shorter than 1000h, but the memory alignment granularity is 1000h, so the mapped header occupies 1000h even though much of it is unused; likewise each of our 3 sections is shorter than 1000h but occupies 1000h once mapped. Total memory is 1000h + 3 * 1000h = 4000h, stored in the file as 00 40 00 00
    DWORD SizeOfHeaders;               // 21. Size of all headers, which is also the file offset of the file body, file-aligned: DOS header + stub + Signature + file header + optional header + 3 section headers = 64 + 80 + 4 + 20 + 224 + 3 * 40 = 512 = 200h; aligned to 200h this is exactly 200h, stored in the file as 00 02 00 00
    DWORD CheckSum;                    // 22. Checksum, can be 0x00000000
    WORD  Subsystem;                   // 23. Subsystem: on Windows the only legal values are 2 or 3; 2 is GUI (no console), 3 is CUI (with console)
    WORD  DllCharacteristics;          // 24. Flags describing DLL characteristics, can be 0x0000
    DWORD SizeOfStackReserve;          // 25. Maximum size the stack may grow to in the process, normally 1 MB, can be 0x00000000
    DWORD SizeOfStackCommit;           // 26. Initial stack size, the amount committed per growth step, normally 4 KB; written as 0x04000000
    DWORD SizeOfHeapReserve;           // 27. Maximum size the heap may grow to, normally 1 MB, can be 0x00000000
    DWORD SizeOfHeapCommit;            // 28. Initial size of the process heap, can be 0x00000000
    DWORD LoaderFlags;                 // 29. Unused, can be 0x00000000
    DWORD NumberOfRvaAndSizes;         // 30. Number of data directory entries, i.e. the element count of the array below; in the normal PE format this is 0x10. It can be changed, but then the positions have to be worked out again
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // 31. Data directory table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
// Section header table: every entry is the following structure, 40 bytes
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // 1. Section name: only a conventional label
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;                              // 2. Size of the section; the loader's check of this value is not that strict, but it is best kept equal to SizeOfRawData
    DWORD VirtualAddress;                // 3. Starting RVA of the section. .text is our first section and everything before it occupies 1000h after alignment, so this is 1000h; for the second section it is 2000h
    DWORD SizeOfRawData;                 // 4. Size of the section in the file, aligned; our code is small, so this is 200h
    DWORD PointerToRawData;              // 5. File offset of the section. The PE headers computed above are exactly 200h, so this is 200h; for every following section it is the current section's SizeOfRawData plus the previous section's PointerToRawData
    DWORD PointerToRelocations;          // 6. File offset of the section's relocation information; used in OBJ files
    DWORD PointerToLinenumbers;          // 7. Unused
    WORD  NumberOfRelocations;           // 8. Unused
    WORD  NumberOfLinenumbers;           // 9. Unused
    DWORD Characteristics;               // 10. Important: the section's attribute flags (code / data / readable / writable)
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

The loader identifies a section by its attributes, not by its name.

// The more important section attribute values
IMAGE_SCN_CNT_CODE               0x00000020  contains code; usually set together with 10000000h
IMAGE_SCN_CNT_INITIALIZED_DATA   0x00000040  the section contains initialized data
IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080  the section contains uninitialized data
IMAGE_SCN_MEM_DISCARDABLE        0x02000000  the section can be discarded once loaded, e.g. .reloc (the relocation section)
IMAGE_SCN_MEM_SHARED             0x10000000  the section is shared
IMAGE_SCN_MEM_EXECUTE            0x20000000  the section is executable; usually set together with 0x20
IMAGE_SCN_MEM_READ               0x40000000  the section is readable
IMAGE_SCN_MEM_WRITE              0x80000000  the section is writable

Values commonly used for sections:
.text    0x60000020  stored in the file as 20 00 00 60
.textbss 0xE00000A0  stored in the file as A0 00 00 E0
.data    0xC0000040  stored in the file as 40 00 00 C0
.rdata   0x40000040  stored in the file as 40 00 00 40
.idata   0x40000040  stored in the file as 40 00 00 40
.rsrc    0x40000040  stored in the file as 40 00 00 40
After filling in the above, the header bytes (file offsets 000h to 1FFh, 16 bytes per row) are:

0000: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00   IMAGE_DOS_HEADER, e_magic "MZ"
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030: 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00   e_lfanew = 90h
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   DOS stub (80 bytes, all zero)
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090: 50 45 00 00 4C 01 03 00 00 00 00 00 00 00 00 00   "PE\0\0", then IMAGE_FILE_HEADER
00A0: 00 00 00 00 E0 00 0F 01 0B 01 00 00 00 00 00 00   IMAGE_OPTIONAL_HEADER32 starts at A8h
00B0: 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00   AddressOfEntryPoint = 1000h
00C0: 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00   ImageBase, SectionAlignment, FileAlignment
00D0: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00   MajorSubsystemVersion = 4
00E0: 00 40 00 00 00 02 00 00 00 00 00 00 03 00 00 00   SizeOfImage, SizeOfHeaders, CheckSum, Subsystem = 3
00F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00   NumberOfRvaAndSizes = 10h; DataDirectory starts at 108h
0110: 10 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00   import table: RVA 2010h, size 3Ch
0120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0180: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00   section headers start at 188h: ".text"
0190: 00 02 00 00 00 10 00 00 00 02 00 00 00 02 00 00
01A0: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
01B0: 2E 72 64 61 74 61 00 00 00 02 00 00 00 20 00 00   ".rdata"
01C0: 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00
01D0: 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00   ".data"
01E0: 00 02 00 00 00 30 00 00 00 02 00 00 00 06 00 00
01F0: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0
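As an added example (not code from the original post), here is a small Python parser that reads the 512-byte header dump above and applies the checks a loader, or a malware triage script, would apply before trusting it: "MZ" and "PE\0\0" magic values, power-of-two alignments, the entry point landing inside an executable section, every section's raw data lying inside the file and inside SizeOfImage, and no section that is both writable and executable. The header bytes are embedded exactly as they appear on the page (constructed sample input, zero runs written as `bytes(n)`); the names `parse_headers`, `sanity_checks`, `tampered_headers` and `Section` are my own, and the 0x800 file size passed to the checks is the page's three 200h-byte sections after the 200h header.

```python
import struct
from typing import NamedTuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int
    characteristics: int


_hx = bytes.fromhex  # whitespace between byte pairs is ignored

# The 200h header bytes from the page, reassembled field by field (constructed sample input).
HEADERS = (
    _hx("4D5A") + bytes(58) + _hx("90000000")                              # IMAGE_DOS_HEADER: "MZ", e_lfanew = 90h
    + bytes(0x50)                                                          # DOS stub, all zero
    + _hx("50450000")                                                      # "PE\0\0"
    + _hx("4C01 0300 00000000 00000000 00000000 E000 0F01")                # IMAGE_FILE_HEADER
    + _hx("0B01 0000 00000000 00000000 00000000 00100000 00000000 00000000")    # Magic .. BaseOfData
    + _hx("00004000 00100000 00020000 0000 0000 0000 0000 0400 0000 00000000")  # ImageBase .. Win32VersionValue
    + _hx("00400000 00020000 00000000 0300 0000")                          # SizeOfImage .. DllCharacteristics
    + bytes(20) + _hx("10000000")                                          # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    + bytes(8) + _hx("10200000 3C000000") + bytes(14 * 8)                  # DataDirectory: import table at RVA 2010h
    + _hx("2E74657874000000 00020000 00100000 00020000 00020000") + bytes(12) + _hx("20000060")  # .text
    + _hx("2E72646174610000 00020000 00200000 00020000 00040000") + bytes(12) + _hx("40000040")  # .rdata
    + _hx("2E64617461000000 00020000 00300000 00020000 00060000") + bytes(12) + _hx("400000C0")  # .data
)
assert len(HEADERS) == 0x200


def parse_headers(data):
    """Parse DOS header -> e_lfanew -> NT headers (PE32) -> section table; raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, n_sections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 4-byte signature and 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, sec_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = min(struct.unpack_from("<I", data, opt + 92)[0], 16)   # never trust NumberOfRvaAndSizes blindly
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(n_sections):              # section table follows the optional header (SizeOfOptionalHeader bytes)
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii"), f[1], f[2], f[3], f[4], f[9]))
    return {"e_lfanew": e_lfanew, "machine": machine, "number_of_sections": n_sections,
            "characteristics": file_chars, "entry_point": entry, "image_base": image_base,
            "section_alignment": sec_align, "file_alignment": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "subsystem": subsystem, "data_directories": dirs,
            "sections": sections}


def sanity_checks(pe, file_size):
    """Return the findings a loader or triage script would flag; an empty list means the header is consistent."""
    findings = []
    fa, sa = pe["file_alignment"], pe["section_alignment"]
    if fa & (fa - 1) or sa & (sa - 1) or sa < fa:
        findings.append(f"bad alignments: FileAlignment={fa:#x} SectionAlignment={sa:#x}")
    if pe["size_of_headers"] % fa:
        findings.append("SizeOfHeaders is not file-aligned")
    entry_in_code = False
    for s in pe["sections"]:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.pointer_to_raw_data + s.size_of_raw_data > file_size:
            findings.append(f"{s.name}: raw data runs past the end of the file")
        if s.virtual_address + span > pe["size_of_image"]:
            findings.append(f"{s.name}: extends past SizeOfImage")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
        if s.virtual_address <= pe["entry_point"] < s.virtual_address + span and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            entry_in_code = True
    if not entry_in_code:
        findings.append("AddressOfEntryPoint is not inside an executable section")
    return findings


def tampered_headers():
    """Copy of HEADERS with .data also marked executable (constructed, to exercise the W^X check)."""
    buf = bytearray(HEADERS)
    struct.pack_into("<I", buf, 0x1D8 + 36, 0xE0000020)   # third section header at 1D8h; Characteristics at +36
    return bytes(buf)


if __name__ == "__main__":
    pe = parse_headers(HEADERS)
    for s in pe["sections"]:
        print(f"{s.name:8} RVA={s.virtual_address:#07x} raw@{s.pointer_to_raw_data:#05x} flags={s.characteristics:#010x}")
    print("findings:", sanity_checks(pe, 0x800))
    print("tampered:", sanity_checks(parse_headers(tampered_headers()), 0x800))
```

The parser deliberately reads only the fields the checks need, and caps NumberOfRvaAndSizes at 16 because a crafted header can put an arbitrary count there; the same "never index past the buffer on a header-supplied count" rule applies to NumberOfSections in a real tool.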
Structure of each data directory entry:
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   // RVA of the data
    DWORD Size;             // size of the data
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

The 16 entries of the data directory table:
IMAGE_DIRECTORY_ENTRY_EXPORT          (0)  export table
IMAGE_DIRECTORY_ENTRY_IMPORT          (1)  import table
IMAGE_DIRECTORY_ENTRY_RESOURCE        (2)  resource table
IMAGE_DIRECTORY_ENTRY_EXCEPTION       (3)  exception table
IMAGE_DIRECTORY_ENTRY_SECURITY        (4)  security directory
IMAGE_DIRECTORY_ENTRY_BASERELOC       (5)  relocation table
IMAGE_DIRECTORY_ENTRY_DEBUG           (6)  debug directory
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       (7)  copyright string
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       (8)  machine value
IMAGE_DIRECTORY_ENTRY_TLS             (9)  points to the thread local storage (TLS) initialization section
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     (10) load configuration table
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    (11) bound import directory
IMAGE_DIRECTORY_ENTRY_IAT             (12) import address table directory
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    (13) delay-load import descriptors
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  (14) COM information
(entry 15 is reserved)
// Export table structure: 40 bytes
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;       // 1. Unused, reserved, always 0
    DWORD TimeDateStamp;         // 2. Unused, same as the time in the file header
    WORD  MajorVersion;          // 3. Unused, major version
    WORD  MinorVersion;          // 4. Unused, minor version
    DWORD Name;                  // 5. Useful: the name of this PE file, i.e. who exports these functions (variables, classes)
    DWORD Base;                  // 6. Useful: the ordinal base
    DWORD NumberOfFunctions;     // 7. Important: number of functions
    DWORD NumberOfNames;         // 8. Number of function names
    DWORD AddressOfFunctions;    // 9. Important: RVA of the function address table (RVA from base of image)
    DWORD AddressOfNames;        // 10. Important: RVA of the function name table (RVA from base of image)
    DWORD AddressOfNameOrdinals; // 11. Important: RVA of the function ordinal table (RVA from base of image)
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
// Import table structure: 20 bytes. If the program imports functions from 10 different DLLs, this array has 10 members; the array ends with an all-zero member.
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;  // 1. Important: RVA of an array of structures called the INT (Import Name Table)
    } DUMMYUNIONNAME;
    DWORD TimeDateStamp;           // 2. Unused
    DWORD ForwarderChain;          // 3. Used by the forwarding mechanism; not needed here
    DWORD Name;                    // 4. Name of the PE file being imported from
    DWORD FirstThunk;              // 5. RVA of an array of structures called the IAT (Import Address Table)
} IMAGE_IMPORT_DESCRIPTOR;

1. The first member, OriginalFirstThunk, and the fifth member, FirstThunk, point to the same kind of structure, IMAGE_THUNK_DATA.
2. In the file on disk, the data pointed to by OriginalFirstThunk and by FirstThunk is identical, so the INT can be regarded as a backup of the IAT. When the file is loaded into memory, however, the loader overwrites the IAT with the addresses of the functions from the corresponding PE files; only then is the IAT the real IAT. The INT is the original; once loaded, the other array is the IAT.
3. In some files the INT is empty, all zeros, nothing there. That means the IAT sometimes has no backup, so it is best to parse the import table through the IAT; you can also inspect both separately.
4. The arrays pointed to end with an all-zero entry, which serves as the termination condition when parsing.

// The structure they point to, 32-bit version
// It is a union of 4 bytes; remember that every array of these must end with an all-zero entry
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        DWORD ForwarderString;     // only used for forwarding
        DWORD Function;            // address of the imported function; only meaningful after loading into memory
        DWORD Ordinal;             // used when importing by ordinal
        DWORD AddressOfData;       // used when importing by name; points to an IMAGE_IMPORT_BY_NAME structure
    } u1;
} IMAGE_THUNK_DATA32;
// 1. In the file on disk only the last two members matter.
// 2. The structure is 4 bytes: if the highest bit is 1, import by ordinal applies and only an ordinal is stored;
//    if the highest bit is 0, the last member applies and points to an _IMAGE_IMPORT_BY_NAME.

// The following holds the hint and the function name
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD Hint;
    CHAR Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
The .rdata section (file offset 400h, RVA 2000h, so RVA = file offset + 1C00h) after filling in the import table:

0400: 76 20 00 00 00 00 00 00 5C 20 00 00 00 00 00 00   IAT: slot at RVA 2000h -> 2076h (ExitProcess), slot at 2008h -> 205Ch (MessageBoxA)
0410: 4C 20 00 00 00 00 00 00 00 00 00 00 6A 20 00 00   descriptor 1 (RVA 2010h): INT 204Ch, Name 206Ah "user32.dll",
0420: 08 20 00 00 54 20 00 00 00 00 00 00 00 00 00 00   IAT 2008h; descriptor 2 (RVA 2024h): INT 2054h,
0430: 84 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00   Name 2084h "kernel32.dll", IAT 2000h; then the all-zero descriptor
0440: 00 00 00 00 00 00 00 00 00 00 00 00 5C 20 00 00   INT for user32 (RVA 204Ch) -> 205Ch
0450: 00 00 00 00 76 20 00 00 00 00 00 00 00 00 4D 65   INT for kernel32 (RVA 2054h) -> 2076h; IMAGE_IMPORT_BY_NAME at 205Ch: Hint 0, "Me
0460: 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 33 32   ssageBoxA\0", then "user32
0470: 2E 64 6C 6C 00 00 00 00 45 78 69 74 50 72 6F 63   .dll\0", one padding byte, IMAGE_IMPORT_BY_NAME at 2076h: Hint 0, "ExitProc
0480: 65 73 73 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C   ess\0", then "kernel32.dll
0490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   \0"
04A0 to 05F0: 00 (zero padding up to 600h)
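As an added example that is not part of the original post, the following Python walks the import directory laid out in the .rdata dump above the way a defender's PE triage tool does: it maps each RVA to a file offset through the section table (VirtualAddress and PointerToRawData, as described for the section header), reads IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator, reads each DLL name, decodes every IMAGE_THUNK_DATA32 as either an ordinal (high bit set) or a hint/name pair, and confirms that the INT and the on-disk IAT agree, which is the "backup" relationship described in point 2 above. The .rdata bytes are the page's, reassembled structure by structure; the stand-in file image has the headers, .text and .data zeroed because only .rdata is read here; the section table and the import directory RVA 2010h come from the page's header. The names `rva_to_offset`, `read_cstring`, `walk_imports` and `IMAGE` are my own.

```python
import struct

IMAGE_BASE = 0x00400000
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Section table from the page's header: (name, VirtualAddress, SizeOfRawData, PointerToRawData).
SECTIONS = [(".text", 0x1000, 0x200, 0x200), (".rdata", 0x2000, 0x200, 0x400), (".data", 0x3000, 0x200, 0x600)]
IMPORT_DIR_RVA = 0x2010   # DataDirectory[1].VirtualAddress from the page's optional header

_hx = bytes.fromhex
# The .rdata bytes from the page, reassembled structure by structure (constructed sample input).
RDATA = (
    _hx("76200000 00000000 5C200000 00000000")               # 2000h: IAT slot for kernel32 (-> 2076h), slot for user32 (-> 205Ch)
    + _hx("4C200000 00000000 00000000 6A200000 08200000")    # 2010h: descriptor user32.dll (INT 204Ch, IAT 2008h)
    + _hx("54200000 00000000 00000000 84200000 00200000")    # 2024h: descriptor kernel32.dll (INT 2054h, IAT 2000h)
    + bytes(20)                                              # 2038h: all-zero terminating descriptor
    + _hx("5C200000 00000000")                               # 204Ch: INT user32 -> IMAGE_IMPORT_BY_NAME at 205Ch
    + _hx("76200000 00000000")                               # 2054h: INT kernel32 -> IMAGE_IMPORT_BY_NAME at 2076h
    + _hx("0000") + b"MessageBoxA\0"                         # 205Ch: Hint 0, name
    + b"user32.dll\0\0"                                      # 206Ah: DLL name plus one byte of padding
    + _hx("0000") + b"ExitProcess\0"                         # 2076h: Hint 0, name
    + b"kernel32.dll\0"                                      # 2084h: DLL name
).ljust(0x200, b"\0")
# Stand-in for the whole 800h-byte file: headers, .text and .data zeroed, .rdata at file offset 400h.
IMAGE = bytes(0x400) + RDATA + bytes(0x200)


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section that contains it (PointerToRawData + delta)."""
    for name, va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def _read_thunks(data, sections, thunk_rva):
    """Decode one IMAGE_THUNK_DATA32 array (INT, or IAT as it is on disk) up to its all-zero terminator."""
    entries, off = [], rva_to_offset(thunk_rva, sections)
    while True:
        thunk = struct.unpack_from("<I", data, off)[0]
        if thunk == 0:
            return entries
        if thunk & IMAGE_ORDINAL_FLAG32:                    # high bit set: import by ordinal
            entries.append(("ordinal", thunk & 0xFFFF))
        else:                                               # otherwise an RVA to IMAGE_IMPORT_BY_NAME
            name_off = rva_to_offset(thunk, sections)
            hint = struct.unpack_from("<H", data, name_off)[0]
            entries.append((read_cstring(data, name_off + 2), hint))
        off += 4


def walk_imports(data, sections, import_rva):
    """Return {dll: {"iat_va": ..., "functions": [(name, hint) | ("ordinal", n)], "int_matches_iat": bool}}."""
    imports, off = {}, rva_to_offset(import_rva, sections)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:          # the all-zero descriptor ends the table
            return imports
        dll = read_cstring(data, rva_to_offset(name_rva, sections))
        by_iat = _read_thunks(data, sections, ft)           # parse through the IAT, as the text above recommends
        by_int = _read_thunks(data, sections, oft) if oft else None   # INT may be absent (all zero)
        imports[dll] = {"iat_va": IMAGE_BASE + ft,          # the address the code's call [..] instructions use
                        "functions": by_iat,
                        "int_matches_iat": by_int is None or by_int == by_iat}
        off += 20                                           # sizeof(IMAGE_IMPORT_DESCRIPTOR)


if __name__ == "__main__":
    for dll, info in walk_imports(IMAGE, SECTIONS, IMPORT_DIR_RVA).items():
        print(f"{dll}: IAT at {info['iat_va']:#010x}, {info['functions']}, INT==IAT: {info['int_matches_iat']}")
```

The returned `iat_va` values are exactly the operands of the `call [00402008]` and `call [00402000]` instructions in the code section that follows: the code calls through the IAT slot, and the loader fills that slot with the real function address at load time. A mismatch between INT and IAT on disk is worth flagging in triage, since on a clean build they are identical.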
The code for the .text section:

push 0
push 0
push 0
push 0
call [00402008]   ; MessageBoxA entry in the import table (IAT)
push 0
call [00402000]   ; ExitProcess entry in the import table (IAT)

The resulting opcode bytes are:
6A 00 6A 00 6A 00 6A 00 FF 15 08 20 40 00 6A 00 FF 15 00 20 40 00

Pasted into 010 Editor, the .text section (file offset 200h, 200h bytes) is:
0200: 6A 00 6A 00 6A 00 6A 00 FF 15 08 20 40 00 6A 00
0210: FF 15 00 20 40 00 00 00 00 00 00 00 00 00 00 00
0220 to 03F0: 00 (zero padding up to 400h)
Convert the strings "消息框" (the caption, in GBK) and "helloworld" (the text; the bytes below spell "Hello, World !") into bytes:
CF FB CF A2 BF F2 00 48 65 6C 6C 6F 2C 20 57 6F 72 6C 64 20 21 00
Paste them into the .data section, then change the addresses pushed in the .text section. Where the code pushed 0 (opcodes 6A 00 6A 00 6A 00 6A 00 FF 15 08 20 40 00 6A 00 FF 15 00 20 40 00), it now pushes the string addresses:

push 0
push 00403000     ; caption "消息框" at the start of .data (ImageBase 00400000 + RVA 3000)
push 00403007     ; text "Hello, World !", which starts right after the caption's 6 bytes and terminating NUL
push 0
call [00402008]   ; MessageBoxA entry in the import table
push 0
call [00402000]   ; ExitProcess entry in the import table

That is:
6A 00 68 00 30 40 00 68 07 30 40 00 6A 00 FF 15 08 20 40 00 6A 00 FF 15 00 20 40 00
With that, it is done.
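The address arithmetic in this last step is easy to get wrong by hand: the caption occupies 7 bytes (6 GBK bytes plus the NUL), so the second string starts at RVA 3007h, and the opcodes accordingly contain 68 07 30 40 00. As an added example that is not part of the original post, this Python lays out the two strings back to back the way the .data dump does, derives each string's virtual address from ImageBase + RVA, and encodes the seven instructions with the three encodings used here (push imm8 = 6A ib, push imm32 = 68 id, call dword ptr [abs32] = FF 15 disp32); the IAT slot addresses are the ones from the page's .rdata.  It reproduces the corrected .text bytes byte for byte. The names `layout_strings`, `push_imm`, `call_indirect`, `build_sections` and `pad_section` are my own.

```python
import struct

IMAGE_BASE = 0x00400000
DATA_RVA = 0x3000              # VirtualAddress of .data in the page's section table
SECTION_RAW_SIZE = 0x200       # SizeOfRawData used for every section on the page
IAT_VA = {"ExitProcess": 0x00402000, "MessageBoxA": 0x00402008}   # IAT slots from the page's .rdata

CAPTION = bytes.fromhex("CFFBCFA2BFF2")   # "消息框" in GBK, bytes as given on the page
TEXT = b"Hello, World !"


def layout_strings(strings, base_va):
    """Pack NUL-terminated strings back to back (as the .data dump does); return the bytes and each string's VA."""
    blob, addrs = bytearray(), {}
    for label, raw in strings:
        if b"\0" in raw:
            raise ValueError(f"{label}: an embedded NUL would truncate the string")
        addrs[label] = base_va + len(blob)
        blob += raw + b"\0"
    return bytes(blob), addrs


def push_imm(value):
    """push imm: 6A ib when the value fits a sign-extended byte, otherwise 68 id (little-endian dword)."""
    if -128 <= value <= 127:
        return bytes([0x6A, value & 0xFF])
    return b"\x68" + struct.pack("<I", value & 0xFFFFFFFF)


def call_indirect(abs_addr):
    """call dword ptr [abs32]: FF 15 disp32. The operand is the IAT slot, not the function itself."""
    return b"\xFF\x15" + struct.pack("<I", abs_addr)


def build_sections():
    """Return (.data bytes, string VAs, .text code) for the MessageBoxA / ExitProcess program."""
    data, va = layout_strings([("caption", CAPTION), ("text", TEXT)], IMAGE_BASE + DATA_RVA)
    # MessageBoxA(hWnd, lpText, lpCaption, uType) is stdcall: arguments are pushed right to left.
    code = (push_imm(0)                             # uType = 0
            + push_imm(va["caption"])               # lpCaption -> 00403000
            + push_imm(va["text"])                  # lpText    -> 00403007
            + push_imm(0)                           # hWnd = NULL
            + call_indirect(IAT_VA["MessageBoxA"])
            + push_imm(0)                           # uExitCode = 0
            + call_indirect(IAT_VA["ExitProcess"]))
    return data, va, code


def pad_section(payload):
    """Zero-pad a section body to SizeOfRawData, as was done by hand in the hex editor."""
    if len(payload) > SECTION_RAW_SIZE:
        raise ValueError("payload is larger than the section's SizeOfRawData")
    return payload.ljust(SECTION_RAW_SIZE, b"\0")


if __name__ == "__main__":
    data, va, code = build_sections()
    print({k: f"{v:#010x}" for k, v in va.items()})
    print(".data:", data.hex(" ").upper())
    print(".text:", code.hex(" ").upper())
```

Because the strings live in .data at a fixed ImageBase, the pushed operands are absolute addresses with no relocation entries behind them; this is exactly why the page sets ImageBase to 00400000 and why a loader that cannot honour that base would need a .reloc section to fix these operands up.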
After the fix:
The three sections of the file after the fix (file offsets 200h to 7FFh; the 200h-byte header shown earlier is unchanged):

.text (file offset 200h, RVA 1000h):
0200: 6A 00 68 00 30 40 00 68 07 30 40 00 6A 00 FF 15
0210: 08 20 40 00 6A 00 FF 15 00 20 40 00 00 00 00 00
0220 to 03F0: 00 (zero padding up to 400h)

.rdata (file offset 400h, RVA 2000h):
0400: 76 20 00 00 00 00 00 00 5C 20 00 00 00 00 00 00
0410: 4C 20 00 00 00 00 00 00 00 00 00 00 6A 20 00 00
0420: 08 20 00 00 54 20 00 00 00 00 00 00 00 00 00 00
0430: 84 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00
0440: 00 00 00 00 00 00 00 00 00 00 00 00 5C 20 00 00
0450: 00 00 00 00 76 20 00 00 00 00 00 00 00 00 4D 65
0460: 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 33 32
0470: 2E 64 6C 6C 00 00 00 00 45 78 69 74 50 72 6F 63
0480: 65 73 73 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C
0490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
04A0 to 05F0: 00 (zero padding up to 600h)

.data (file offset 600h, RVA 3000h):
0600: CF FB CF A2 BF F2 00 48 65 6C 6C 6F 2C 20 57 6F
0610: 72 6C 64 20 21 00 00 00 00 00 00 00 00 00 00 00
0620 to 07F0: 00 (zero padding up to 800h)