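PE Files: The PE File Format
Source: Internet. Published: linux directory tree command. Editor: 程序博客网. Time: 2024/04/28 19:44
Before studying the format I read a number of documents from the web. First, here are two figures based on the results of the analysis: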
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
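The following content is excerpted from the web:
PE stands for Portable Executable. It is the native executable file format of the Win32 environment. Some of its features are inherited from Unix's COFF (Common Object File Format). "Portable executable" means the file format is universal across Win32 platforms: even when Windows runs on a non-Intel CPU, the PE loader of any Win32 platform can recognize and use this file format. Of course, a PE executable has to change somewhat when it is ported to a different CPU. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, including NT kernel mode drivers. Studying the PE file format therefore gives us a good opportunity to gain insight into the structure of Windows.
In this tutorial, let us walk through an overview of the PE file format.
DOS MZ header
DOS stub
PE header
Section table
Section 1
Section 2
Section ...
Section n
The layout above shows the overall structure of a PE file. All PE files (even 32-bit DLLs) must begin with a simple DOS MZ header. We are usually not very interested in this structure. With it, if the program is run under DOS, DOS can recognize it as a valid executable and then run the DOS stub that immediately follows the MZ header. The DOS stub is actually a valid EXE. On operating systems that do not support the PE file format, it simply displays an error message such as the string "This program requires Windows", or the programmer can implement complete DOS code as desired. We are usually not very interested in the DOS stub either, because in most cases it is generated automatically by the assembler/compiler. Usually it simply calls interrupt 21h, service 9, to display the string "This program cannot run in DOS mode".
Immediately after the DOS stub comes the PE header. "PE header" is shorthand for the PE-related structure IMAGE_NT_HEADERS, which contains many important fields used by the PE loader. As we study the PE file format in more depth, we will become thoroughly familiar with these fields. When the executable runs on an operating system that supports the PE file structure, the PE loader finds the starting offset of the PE header in the DOS MZ header. It therefore skips the DOS stub and goes straight to the real file header, the PE header.
The real content of a PE file is divided into blocks called sections. Each section is a block of data with common attributes, such as code/data, read/write, and so on. We can think of a PE file as a logical disk: the PE header is the boot sector of the disk, and the sections are the files, each of which naturally has different attributes such as read-only, system, hidden, archive, and so on. Note that sections are divided according to the common attributes of each group of data, not according to logical concepts. What matters is not how the data/code is used: if data/code in the PE file has the same attributes, it can be placed in the same section. There is no need to care about logical concepts such as "data" or "code" within a section: if data and code have the same attributes, they can be placed in the same section. (Translator's note: a section name is only a label that distinguishes one section from another. Names such as "data" and "code" exist only for ease of identification; only the section's attribute settings determine its characteristics and function.) If a block of data should be read-only, it can be placed in a section marked read-only. When the PE loader maps the section contents, it checks the section's attributes and sets the corresponding memory block to the specified attributes.
If we view the PE file format as a logical disk, with the PE header as the boot sector and the sections as the files, we still lack enough information to locate the different files on the disk. What, for example, is the PE equivalent of a directory? It is the array of structures that follows the PE header: the section table. Each structure holds the attributes, file offset, virtual offset, and so on of the corresponding section. If the PE file has 5 sections, this array has 5 members. We can therefore view the section table as the root directory of the logical disk, with each array member equivalent to a directory entry in the root directory.
That is the physical layout of the PE file format. The main steps in loading a PE file are summarized below: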
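- When the PE file is executed, the PE loader checks the PE header offset in the DOS MZ header. If it is found, the loader jumps to the PE header.
- The PE loader checks whether the PE header is valid. If it is, the loader jumps to the end of the PE header.
- Immediately following the PE header is the section table. The PE loader reads the section information in it and maps those sections into memory using file mapping, applying the section attributes specified in the section table.
- After the PE file has been mapped into memory, the PE loader processes the logical parts of the PE file, such as the import table.
The steps above are a brief description based on my own observation. Some details are clearly imprecise, but they make the basic process by which an executable is handled clear.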
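The first three loader steps above, written as a parser with the bounds checks an analysis tool needs when the file is untrusted. This is an added example, not code from the original article; `parse_pe_headers`, `section_row`, `build_sample` and `PEFormatError` are hypothetical names, and the sample image is constructed here, reusing field values from the navicat.exe dump shown on this page (with only two sections).

```python
import struct

class PEFormatError(ValueError):
    """A header field would take the parser outside the buffer."""

def parse_pe_headers(data: bytes) -> dict:
    # Step 1: DOS MZ header; the DWORD at 0x3C is the offset of the PE header.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("no DOS MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # Step 2: validate the PE signature, then read IMAGE_FILE_HEADER (20 bytes).
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature at the offset given by the DOS header")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    # Step 3: the section table starts right after the optional header.
    table_off = pe_off + 24 + opt_size
    if table_off + nsect * 40 > len(data):
        raise PEFormatError("section table runs past the end of the file")
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    return {"pe_off": pe_off, "machine": machine,
            "table_off": table_off, "sections": sections}

def section_row(name, vsize, va, rawsize, rawptr, flags) -> bytes:
    """Pack one 40-byte IMAGE_SECTION_HEADER (relocation/line fields zeroed)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

def build_sample() -> bytes:
    """Constructed header-only image that reuses field values from the dump."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x100)   # e_lfanew = 0x100
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0x2A425E19, 0, 0, 0xE0, 0x818E)
    opt_hdr = struct.pack("<H", 0x010B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    table = (section_row(b"CODE", 0x6D1DFC, 0x1000, 0x6D1E00, 0x400, 0x60000020) +
             section_row(b"DATA", 0x17484, 0x6D3000, 0x17600, 0x6D2200, 0xC0000040))
    return dos + bytes(0x100 - len(dos)) + b"PE\0\0" + file_hdr + opt_hdr + table

if __name__ == "__main__":
    info = parse_pe_headers(build_sample())
    print(hex(info["table_off"]), [s["name"] for s in info["sections"]])
```

The computed section table offset, 0x100 + 4 + 20 + 0xE0 = 0x1F8, matches the address 004001F8 at which the dump's section table begins (image base 00400000).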
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Based on the analysis above, we can use OD (OllyDbg) to verify the structure of a PE file. I loaded a program from my machine, navicat.exe, in OD and examined the PE header:
Below is the DOS MZ header mentioned in the figure above; its actual type is the structure IMAGE_DOS_HEADER:
00400000  4D 5A  ASCII "MZ"  ; DOS EXE Signature
00400002  5000      DW 0050  ; DOS_PartPag = 50 (80.)
00400004  0200      DW 0002  ; DOS_PageCnt = 2
00400006  0000      DW 0000  ; DOS_ReloCnt = 0
00400008  0400      DW 0004  ; DOS_HdrSize = 4
0040000A  0F00      DW 000F  ; DOS_MinMem = F (15.)
0040000C  FFFF      DW FFFF  ; DOS_MaxMem = FFFF (65535.)
0040000E  0000      DW 0000  ; DOS_ReloSS = 0
00400010  B800      DW 00B8  ; DOS_ExeSP = B8
00400012  0000      DW 0000  ; DOS_ChkSum = 0
00400014  0000      DW 0000  ; DOS_ExeIP = 0
00400016  0000      DW 0000  ; DOS_ReloCS = 0
00400018  4000      DW 0040  ; DOS_TablOff = 40
0040001A  1A00      DW 001A  ; DOS_Overlay = 1A
0040001C  00        DB 00
0040001D  00        DB 00
0040001E  00        DB 00
0040001F  00        DB 00
00400020  00        DB 00
00400021  00        DB 00
00400022  00        DB 00
00400023  00        DB 00
00400024  00        DB 00
00400025  00        DB 00
00400026  00        DB 00
00400027  00        DB 00
00400028  00        DB 00
00400029  00        DB 00
0040002A  00        DB 00
0040002B  00        DB 00
0040002C  00        DB 00
0040002D  00        DB 00
0040002E  00        DB 00
0040002F  00        DB 00
00400030  00        DB 00
00400031  00        DB 00
00400032  00        DB 00
00400033  00        DB 00
00400034  00        DB 00
00400035  00        DB 00
00400036  00        DB 00
00400037  00        DB 00
00400038  00        DB 00
00400039  00        DB 00
0040003A  00        DB 00
0040003B  00        DB 00
0040003C  00010000  DD 00000100  ; Offset to PE signature
Below is the DOS stub [we don't seem to see any data in it]:
Converting the DOS stub to ASCII and looking again:
00400040  ?.???L?悙This program mus
00400060  t be run under Win32..$7........
00400080  ................................
004000A0  ................................
004000C0  ................................
004000E0  ................................
Below are the PE header and the PE optional header [including the DataDirectory]:
00400100  50 45 00 00>ASCII "PE"  ; PE signature (PE)
00400104  4C01      DW 014C  ; Machine = IMAGE_FILE_MACHINE_I386
00400106  0800      DW 0008  ; NumberOfSections = 8
00400108  195E422A  DD 2A425E19  ; TimeDateStamp = 2A425E19
0040010C  00000000  DD 00000000  ; PointerToSymbolTable = 0
00400110  00000000  DD 00000000  ; NumberOfSymbols = 0
00400114  E000      DW 00E0  ; SizeOfOptionalHeader = E0 (224.)
00400116  8E81      DW 818E  ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|BYTES_REVERSED_LO|BYTES_REVERSED_HI
00400118  0B01      DW 010B  ; MagicNumber = PE32
0040011A  02        DB 02  ; MajorLinkerVersion = 2
0040011B  19        DB 19  ; MinorLinkerVersion = 19 (25.)
0040011C  001E6D00  DD 006D1E00  ; SizeOfCode = 6D1E00 (7151104.)
00400120  00863100  DD 00318600  ; SizeOfInitializedData = 318600 (3245568.)
00400124  00000000  DD 00000000  ; SizeOfUninitializedData = 0
00400128  D42C6D00  DD 006D2CD4  ; AddressOfEntryPoint = 6D2CD4
0040012C  00100000  DD 00001000  ; BaseOfCode = 1000
00400130  00306D00  DD 006D3000  ; BaseOfData = 6D3000
00400134  00004000  DD 00400000  ; ImageBase = 400000
00400138  00100000  DD 00001000  ; SectionAlignment = 1000
0040013C  00020000  DD 00000200  ; FileAlignment = 200
00400140  0400      DW 0004  ; MajorOSVersion = 4
00400142  0000      DW 0000  ; MinorOSVersion = 0
00400144  0000      DW 0000  ; MajorImageVersion = 0
00400146  0000      DW 0000  ; MinorImageVersion = 0
00400148  0400      DW 0004  ; MajorSubsystemVersion = 4
0040014A  0000      DW 0000  ; MinorSubsystemVersion = 0
0040014C  00000000  DD 00000000  ; Reserved
00400150  00809F00  DD 009F8000  ; SizeOfImage = 9F8000 (10452992.)
00400154  00040000  DD 00000400  ; SizeOfHeaders = 400 (1024.)
00400158  00000000  DD 00000000  ; CheckSum = 0
0040015C  0200      DW 0002  ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
0040015E  0000      DW 0000  ; DLLCharacteristics = 0
00400160  00001000  DD 00100000  ; SizeOfStackReserve = 100000 (1048576.)
00400164  00400000  DD 00004000  ; SizeOfStackCommit = 4000 (16384.)
00400168  00001000  DD 00100000  ; SizeOfHeapReserve = 100000 (1048576.)
0040016C  00100000  DD 00001000  ; SizeOfHeapCommit = 1000 (4096.)
00400170  00000000  DD 00000000  ; LoaderFlags = 0
00400174  10000000  DD 00000010  ; NumberOfRvaAndSizes = 10 (16.)
00400178  00000000  DD 00000000  ; Export Table address = 0
0040017C  00000000  DD 00000000  ; Export Table size = 0
00400180  00506F00  DD 006F5000  ; Import Table address = 6F5000
00400184  2A3F0000  DD 00003F2A  ; Import Table size = 3F2A (16170.)
00400188  00A07700  DD 0077A000  ; Resource Table address = 77A000
0040018C  00E02700  DD 0027E000  ; Resource Table size = 27E000 (2613248.)
00400190  00000000  DD 00000000  ; Exception Table address = 0
00400194  00000000  DD 00000000  ; Exception Table size = 0
00400198  00000000  DD 00000000  ; Certificate File pointer = 0
0040019C  00000000  DD 00000000  ; Certificate Table size = 0
004001A0  00B06F00  DD 006FB000  ; Relocation Table address = 6FB000
004001A4  0CEC0700  DD 0007EC0C  ; Relocation Table size = 7EC0C (519180.)
004001A8  00000000  DD 00000000  ; Debug Data address = 0
004001AC  00000000  DD 00000000  ; Debug Data size = 0
004001B0  00000000  DD 00000000  ; Architecture Data address = 0
004001B4  00000000  DD 00000000  ; Architecture Data size = 0
004001B8  00000000  DD 00000000  ; Global Ptr address = 0
004001BC  00000000  DD 00000000  ; Must be 0
004001C0  00A06F00  DD 006FA000  ; TLS Table address = 6FA000
004001C4  18000000  DD 00000018  ; TLS Table size = 18 (24.)
004001C8  00000000  DD 00000000  ; Load Config Table address = 0
004001CC  00000000  DD 00000000  ; Load Config Table size = 0
004001D0  00000000  DD 00000000  ; Bound Import Table address = 0
004001D4  00000000  DD 00000000  ; Bound Import Table size = 0
004001D8  00000000  DD 00000000  ; Import Address Table address = 0
004001DC  00000000  DD 00000000  ; Import Address Table size = 0
004001E0  00000000  DD 00000000  ; Delay Import Descriptor address = 0
004001E4  00000000  DD 00000000  ; Delay Import Descriptor size = 0
004001E8  00000000  DD 00000000  ; COM+ Runtime Header address = 0
004001EC  00000000  DD 00000000  ; Import Address Table size = 0
004001F0  00000000  DD 00000000  ; Reserved
004001F4  00000000  DD 00000000  ; Reserved
The PE header and the PE optional header are both members of the IMAGE_NT_HEADERS structure:
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
The IMAGE_FILE_HEADER structure is defined as follows:
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;
    WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
The IMAGE_OPTIONAL_HEADER32 structure is defined as follows:
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    //
    // NT additional fields.
    //
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
We can see that the last member of IMAGE_OPTIONAL_HEADER is an array of DataDirectory structures.
Below is the section table data:
004001F8  43 4F 44 45>ASCII "CODE"  ; SECTION
00400200  FC1D6D00  DD 006D1DFC  ; VirtualSize = 6D1DFC (7151100.)
00400204  00100000  DD 00001000  ; VirtualAddress = 1000
00400208  001E6D00  DD 006D1E00  ; SizeOfRawData = 6D1E00 (7151104.)
0040020C  00040000  DD 00000400  ; PointerToRawData = 400
00400210  00000000  DD 00000000  ; PointerToRelocations = 0
00400214  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400218  0000      DW 0000  ; NumberOfRelocations = 0
0040021A  0000      DW 0000  ; NumberOfLineNumbers = 0
0040021C  20000060  DD 60000020  ; Characteristics = CODE|EXECUTE|READ
00400220  44 41 54 41>ASCII "DATA"  ; SECTION
00400228  84740100  DD 00017484  ; VirtualSize = 17484 (95364.)
0040022C  00306D00  DD 006D3000  ; VirtualAddress = 6D3000
00400230  00760100  DD 00017600  ; SizeOfRawData = 17600 (95744.)
00400234  00226D00  DD 006D2200  ; PointerToRawData = 6D2200
00400238  00000000  DD 00000000  ; PointerToRelocations = 0
0040023C  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400240  0000      DW 0000  ; NumberOfRelocations = 0
00400242  0000      DW 0000  ; NumberOfLineNumbers = 0
00400244  400000C0  DD C0000040  ; Characteristics = INITIALIZED_DATA|READ|WRITE
00400248  42 53 53 00>ASCII "BSS"  ; SECTION
00400250  F9930000  DD 000093F9  ; VirtualSize = 93F9 (37881.)
00400254  00B06E00  DD 006EB000  ; VirtualAddress = 6EB000
00400258  00000000  DD 00000000  ; SizeOfRawData = 0
0040025C  00000000  DD 00000000  ; PointerToRawData = 0
00400260  00000000  DD 00000000  ; PointerToRelocations = 0
00400264  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400268  0000      DW 0000  ; NumberOfRelocations = 0
0040026A  0000      DW 0000  ; NumberOfLineNumbers = 0
0040026C  000000C0  DD C0000000  ; Characteristics = READ|WRITE
00400270  2E 69 64 61>ASCII ".idata"  ; SECTION
00400278  2A3F0000  DD 00003F2A  ; VirtualSize = 3F2A (16170.)
0040027C  00506F00  DD 006F5000  ; VirtualAddress = 6F5000
00400280  00400000  DD 00004000  ; SizeOfRawData = 4000 (16384.)
00400284  00986E00  DD 006E9800  ; PointerToRawData = 6E9800
00400288  00000000  DD 00000000  ; PointerToRelocations = 0
0040028C  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400290  0000      DW 0000  ; NumberOfRelocations = 0
00400292  0000      DW 0000  ; NumberOfLineNumbers = 0
00400294  400000C0  DD C0000040  ; Characteristics = INITIALIZED_DATA|READ|WRITE
00400298  2E 74 6C 73>ASCII ".tls"  ; SECTION
004002A0  54000000  DD 00000054  ; VirtualSize = 54 (84.)
004002A4  00906F00  DD 006F9000  ; VirtualAddress = 6F9000
004002A8  00000000  DD 00000000  ; SizeOfRawData = 0
004002AC  00000000  DD 00000000  ; PointerToRawData = 0
004002B0  00000000  DD 00000000  ; PointerToRelocations = 0
004002B4  00000000  DD 00000000  ; PointerToLineNumbers = 0
004002B8  0000      DW 0000  ; NumberOfRelocations = 0
004002BA  0000      DW 0000  ; NumberOfLineNumbers = 0
004002BC  000000C0  DD C0000000  ; Characteristics = READ|WRITE
004002C0  2E 72 64 61>ASCII ".rdata"  ; SECTION
004002C8  18000000  DD 00000018  ; VirtualSize = 18 (24.)
004002CC  00A06F00  DD 006FA000  ; VirtualAddress = 6FA000
004002D0  00020000  DD 00000200  ; SizeOfRawData = 200 (512.)
004002D4  00D86E00  DD 006ED800  ; PointerToRawData = 6ED800
004002D8  00000000  DD 00000000  ; PointerToRelocations = 0
004002DC  00000000  DD 00000000  ; PointerToLineNumbers = 0
004002E0  0000      DW 0000  ; NumberOfRelocations = 0
004002E2  0000      DW 0000  ; NumberOfLineNumbers = 0
004002E4  40000050  DD 50000040  ; Characteristics = INITIALIZED_DATA|SHARED|READ
004002E8  2E 72 65 6C>ASCII ".reloc"  ; SECTION
004002F0  0CEC0700  DD 0007EC0C  ; VirtualSize = 7EC0C (519180.)
004002F4  00B06F00  DD 006FB000  ; VirtualAddress = 6FB000
004002F8  00EE0700  DD 0007EE00  ; SizeOfRawData = 7EE00 (519680.)
004002FC  00DA6E00  DD 006EDA00  ; PointerToRawData = 6EDA00
00400300  00000000  DD 00000000  ; PointerToRelocations = 0
00400304  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400308  0000      DW 0000  ; NumberOfRelocations = 0
0040030A  0000      DW 0000  ; NumberOfLineNumbers = 0
0040030C  40000050  DD 50000040  ; Characteristics = INITIALIZED_DATA|SHARED|READ
00400310  2E 72 73 72>ASCII ".rsrc"  ; SECTION
00400318  00E02700  DD 0027E000  ; VirtualSize = 27E000 (2613248.)
0040031C  00A07700  DD 0077A000  ; VirtualAddress = 77A000
00400320  00E02700  DD 0027E000  ; SizeOfRawData = 27E000 (2613248.)
00400324  00C87600  DD 0076C800  ; PointerToRawData = 76C800
00400328  00000000  DD 00000000  ; PointerToRelocations = 0
0040032C  00000000  DD 00000000  ; PointerToLineNumbers = 0
00400330  0000      DW 0000  ; NumberOfRelocations = 0
00400332  0000      DW 0000  ; NumberOfLineNumbers = 0
00400334  40000050  DD 50000040  ; Characteristics = INITIALIZED_DATA|SHARED|READ
00400338  00        DB 00
00400339  00        DB 00
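Resolving the dump's DataDirectory addresses and entry point through its section table, as an added example that is not part of the original article. Every value in `SECTIONS`, `DIRECTORIES` and `ENTRY_POINT` is copied from the navicat.exe dump above; the function names `locate`, `protection` and `audit`, and the two triage rules inside `audit`, are assumptions made for illustration.

```python
# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SECTIONS = [
    ("CODE",   0x6D1DFC, 0x001000, 0x6D1E00, 0x000400, 0x60000020),
    ("DATA",   0x017484, 0x6D3000, 0x017600, 0x6D2200, 0xC0000040),
    ("BSS",    0x0093F9, 0x6EB000, 0x000000, 0x000000, 0xC0000000),
    (".idata", 0x003F2A, 0x6F5000, 0x004000, 0x6E9800, 0xC0000040),
    (".tls",   0x000054, 0x6F9000, 0x000000, 0x000000, 0xC0000000),
    (".rdata", 0x000018, 0x6FA000, 0x000200, 0x6ED800, 0x50000040),
    (".reloc", 0x07EC0C, 0x6FB000, 0x07EE00, 0x6EDA00, 0x50000040),
    (".rsrc",  0x27E000, 0x77A000, 0x27E000, 0x76C800, 0x50000040),
]
# Non-empty DataDirectory entries and AddressOfEntryPoint from the dump (all RVAs).
DIRECTORIES = {"Import": 0x6F5000, "Resource": 0x77A000,
               "Relocation": 0x6FB000, "TLS": 0x6FA000}
ENTRY_POINT = 0x6D2CD4
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def locate(rva, sections=SECTIONS):
    """Map an RVA to (section name, file offset). The offset is None when the
    address exists only in memory, past the section's SizeOfRawData."""
    for name, vsize, va, rawsize, rawptr, _flags in sections:
        # Simplification: treat the section as max(VirtualSize, SizeOfRawData) long.
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return name, (rawptr + delta if delta < rawsize else None)
    return None, None  # in the headers or outside every section

def protection(flags):
    """Render the memory-protection bits of Characteristics, e.g. 'R-X'."""
    bits = (("R", MEM_READ), ("W", MEM_WRITE), ("X", MEM_EXECUTE))
    return "".join(ch if flags & bit else "-" for ch, bit in bits)

def audit(entry_rva, sections=SECTIONS):
    """Flag layouts an analyst would look at twice (assumed triage rules)."""
    findings = [f"{s[0]}: writable and executable" for s in sections
                if s[5] & MEM_WRITE and s[5] & MEM_EXECUTE]
    ep_section, _ = locate(entry_rva, sections)
    ep_flags = next((s[5] for s in sections if s[0] == ep_section), 0)
    if not ep_flags & MEM_EXECUTE:
        findings.append(f"entry point {entry_rva:#x} is not in an executable section")
    return findings

if __name__ == "__main__":
    for name, rva in DIRECTORIES.items():
        sec, off = locate(rva)
        print(f"{name:10} RVA {rva:#08x} -> {sec:7} file offset {off:#x}")
    print("entry point ->", locate(ENTRY_POINT), protection(SECTIONS[0][5]))
    print("findings:", audit(ENTRY_POINT))
```

An RVA inside BSS or .tls resolves to a section but to no file offset, because those sections have SizeOfRawData = 0 and exist only once the image is mapped.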