20140820 (PE 구조)

123일차

--------------

PE 구조

--------------

--- Dos Header

Dos와 호환용으로 있는 부분으로

항상 64 byte 크기이며 안에 여러 구조체 멤버가 있는데, 

e_magic, e_lfanew 이 두 멤버가 가장 중요하고 나머지는 0으로 채워도 돌아간다.

magic은 항상 아스키값으로 MZ를 나타내야 하고, 

e_lfanew 는 PE 헤더의 시작 점을 나타내고 있다.

--- Dos stub

가변적인 크기로 dos 모드에서 실행되는 것을 방지하기 위한 곳이라고 한다.

가끔 바이러스 코드를 이 곳에 넣기도 한다고 한다.

--- 각 구조체

C++

typedef struct _IMAGE_NT_HEADERS {
  DWORD                 Signature;
  IMAGE_FILE_HEADER     FileHeader;
  IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

Signature 의 값은 항상 50 45 00 00 값으로 PE구조라고 부른다.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680336(v=vs.85).aspx

C++

typedef struct _IMAGE_FILE_HEADER {
  WORD  Machine;
  WORD  NumberOfSections;
  DWORD TimeDateStamp;
  DWORD PointerToSymbolTable;
  DWORD NumberOfSymbols;
  WORD  SizeOfOptionalHeader;
  WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

Machine 은 이 파일이 실행 가능한 cpu의 타입 정보를 갖고 있다.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx

C++

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD                 Magic;
  BYTE                 MajorLinkerVersion;
  BYTE                 MinorLinkerVersion;
  DWORD                SizeOfCode;
  DWORD                SizeOfInitializedData;
  DWORD                SizeOfUninitializedData;
  DWORD                AddressOfEntryPoint;
  DWORD                BaseOfCode;
  DWORD                BaseOfData;
  DWORD                ImageBase;
  DWORD                SectionAlignment;
  DWORD                FileAlignment;
  WORD                 MajorOperatingSystemVersion;
  WORD                 MinorOperatingSystemVersion;
  WORD                 MajorImageVersion;
  WORD                 MinorImageVersion;
  WORD                 MajorSubsystemVersion;
  WORD                 MinorSubsystemVersion;
  DWORD                Win32VersionValue;
  DWORD                SizeOfImage;
  DWORD                SizeOfHeaders;
  DWORD                CheckSum;
  WORD                 Subsystem;
  WORD                 DllCharacteristics;
  DWORD                SizeOfStackReserve;
  DWORD                SizeOfStackCommit;
  DWORD                SizeOfHeapReserve;
  DWORD                SizeOfHeapCommit;
  DWORD                LoaderFlags;
  DWORD                NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx

C++

typedef struct _IMAGE_DATA_DIRECTORY {
  DWORD VirtualAddress;
  DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680305(v=vs.85).aspx

C++

typedef struct _IMAGE_SECTION_HEADER {
  BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
  union {
    DWORD PhysicalAddress;
    DWORD VirtualSize;
  } Misc;
  DWORD VirtualAddress;
  DWORD SizeOfRawData;
  DWORD PointerToRawData;
  DWORD PointerToRelocations;
  DWORD PointerToLinenumbers;
  WORD  NumberOfRelocations;
  WORD  NumberOfLinenumbers;
  DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680341(v=vs.85).aspx

--- PEViewer 프로그램

PEview.exe

--- 실습

PE.zip