I have always liked Swiss Army knives, though I have never managed to own one :) The "Swiss Army knife" I am talking about today is Dumpbin, a tool that a lot of the experts keep mentioning. It has actually been sitting on my machine for a long time; back then installing VC was mostly for show, to convince myself I was a real computer science major. Later I noticed that almost every classic text brings up this little tool. So let us take a look at this sharp little knife.
1 Where to get it: many Win32 development kits ship this handy tool. For example, VC 6.0 puts it in Microsoft Visual Studio/VC98/Bin, and MASM32 8.0 also puts it in its bin directory.
2 Small footprint: the executable is only about 20 KB :) It can be that small because it is only a front end: DUMPBIN.EXE hands the actual work to the linker (LINK.EXE /DUMP), so a working LINK.EXE must be next to it or on the path. Once you see what it can do you will appreciate how much this little thing packs.
3 Powerful features: dumpbin is a command-line tool, run from a command prompt (I get the impression the foreign gurus are especially fond of the command line; they seem to think anyone who uses a mouse cannot be a real hacker. Just my opinion, heh). Running dumpbin with no arguments prints the usage and the option list:
C:/Documents and Settings/cc>dumpbin
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
usage: DUMPBIN [options] [files]
options:
/ALL
/ARCH
/ARCHIVEMEMBERS
/DEPENDENTS
/DIRECTIVES
/DISASM
/EXPORTS
/FPO
/HEADERS
/IMPORTS
/LINENUMBERS
/LINKERMEMBER[:{1|2}]
/LOADCONFIG
/OUT:filename
/PDATA
/RAWDATA[:{NONE|BYTES|SHORTS|LONGS}[,#]]
/RELOCATIONS
/SECTION:name
/SUMMARY
/SYMBOLS
As you can see there are quite a few options. I have only used a handful of them, so I will just briefly cover those.
4 A quick introduction to a few features
I Listing the headers and sections of a .dll or .exe file
Let us look at the structure of WINDOWS/system32/a3d.dll; this is the output of dumpbin /HEADERS a3d.dll:
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
Dump of file a3d.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
5 number of sections
3AACA1D5 time date stamp Mon Mar 12 18:15:49
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
6.00 linker version
8000 size of code
A8000 size of initialized data
0 size of uninitialized data
3297 RVA of entry point
1000 base of code
9000 base of data
10000000 image base
1000 section alignment
1000 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
B1000 size of image
1000 size of headers
0 checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
A0B0 [ 82] RVA [size] of Export Directory
9888 [ 78] RVA [size] of Import Directory
F000 [ 9F340] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
AF000 [ 798] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Special Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
9000 [ 178] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of Reserved Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
75D6 virtual size
1000 virtual address
8000 size of raw data
1000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.rdata name
1132 virtual size
9000 virtual address
2000 size of raw data
9000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #3
.data name
3514 virtual size
B000 virtual address
3000 size of raw data
B000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #4
.rsrc name
9F340 virtual size
F000 virtual address
A0000 size of raw data
E000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #5
.reloc name
1552 virtual size
AF000 virtual address
2000 size of raw data
AE000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
Summary
4000 .data
2000 .rdata
2000 .reloc
A0000 .rsrc
8000 .text
If you are familiar with the PE file format, the values above will look very familiar :) A few things are worth reading off this dump. Section alignment and file alignment are both 1000h, so for .text, .rdata and .data the RVA (virtual address) equals the file offset; this stops being true from .rsrc on (virtual address F000 but file pointer E000, because .data occupies 4000h bytes in memory but only 3000h in the file) and for .reloc (AF000 versus AE000). When you translate an address from a disassembly listing into a file offset, always go through the section table instead of assuming the two are the same. Also note the security-relevant fields: checksum 0 (the image carries no checksum), an empty Certificates directory (it is not Authenticode-signed), and DLL characteristics 0, so the image itself opts in to neither ASLR (dynamic base) nor DEP (NX compatible); those flags did not exist for this linker, which is exactly why so many old DLLs lack them.
II Disassembly
It can disassemble a chosen section of an .exe or .dll (normally .text, the code section). The command is:
> dumpbin /DISASM /SECTION:.text target.dll > target.txt
/DISASM is what produces the instruction listing and /SECTION:name restricts the output to that one section; for data sections such as .data or .rdata use /RAWDATA instead of /DISASM, since disassembling data only produces nonsense. The listing is usually long, so redirect it to a file with > or use /OUT:filename. Below is an excerpt of the disassembly of a3d.dll's .text section. The addresses are virtual addresses, image base 10000000 plus the RVA, which is why the listing starts at 10001000 for a section whose virtual address is 1000.
Dump of file a3d.dll
File Type: DLL
SECTION HEADER #1
.text name
75D6 virtual size
1000 virtual address
8000 size of raw data
1000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
10001000: 8B 44 24 04 mov eax,dword ptr [esp+4]
10001004: 56 push esi
10001005: 57 push edi
10001006: 6A 30 push 30h
10001008: C7 00 00 00 00 00 mov dword ptr [eax],0
1000100E: E8 76 1C 00 00 call 10002C89
10001013: 8B F0 mov esi,eax
10001015: 83 C4 04 add esp,4
10001018: 85 F6 test esi,esi
1000101A: 75 08 jne 10001024
1000101C: 5F pop edi
1000101D: B8 0E 00 07 80 mov eax,8007000Eh
10001022: 5E pop esi
10001023: C3 ret
10001024: B8 02 00 00 00 mov eax,2
10001029: 6A 00 push 0
1000102B: C7 46 0C 01 00 00 mov dword ptr [esi+0Ch],1
00
10001032: C7 06 68 92 00 10 mov dword ptr [esi],10009268h
10001038: C7 46 04 10 92 00 mov dword ptr [esi+4],10009210h
10
1000103F: C7 46 08 38 92 00 mov dword ptr [esi+8],10009238h
10
10001046: C7 46 14 00 00 00 mov dword ptr [esi+14h],0
00
1000104D: 89 46 18 mov dword ptr [esi+18h],eax
10001050: 89 46 1C mov dword ptr [esi+1Ch],eax
10001053: C7 46 20 01 00 00 mov dword ptr [esi+20h],1
00
1000105A: C7 46 24 00 00 00 mov dword ptr [esi+24h],0
00
10001061: C7 46 28 00 00 00 mov dword ptr [esi+28h],0
00
10001068: C7 46 2C 00 00 80 mov dword ptr [esi+2Ch],3F800000h
3F
1000106F: FF 15 6C 91 00 10 call dword ptr ds:[1000916Ch]
10001075: 8B F8 mov edi,eax
10001077: 85 FF test edi,edi
10001079: 74 13 je 1000108E
1000107B: 83 FF 01 cmp edi,1
1000107E: 74 0E je 1000108E
10001080: 56 push esi
10001081: E8 1A 1B 00 00 call 10002BA0
10001086: 83 C4 04 add esp,4
10001089: 8B C7 mov eax,edi
1000108B: 5F pop edi
1000108C: 5E pop esi
1000108D: C3 ret
1000108E: 8D 4E 10 lea ecx,[esi+10h]
10001091: 51 push ecx
10001092: 68 D8 91 00 10 push 100091D8h
10001097: 6A 01 push 1
10001099: 6A 00 push 0
1000109B: 68 E8 91 00 10 push 100091E8h
100010A0: FF 15 70 91 00 10 call dword ptr ds:[10009170h]
100010A6: 8B F8 mov edi,eax
100010A8: 85 FF test edi,edi
100010AA: 74 0E je 100010BA
100010AC: 56 push esi
100010AD: E8 EE 1A 00 00 call 10002BA0
100010B2: 83 C4 04 add esp,4
100010B5: 8B C7 mov eax,edi
100010B7: 5F pop edi
100010B8: 5E pop esi
100010B9: C3 ret
100010BA: 8B 54 24 0C mov edx,dword ptr [esp+0Ch]
100010BE: 5F pop edi
100010BF: 33 C0 xor eax,eax
100010C1: 89 32 mov dword ptr [edx],esi
100010C3: 5E pop esi
100010C4: C3 ret
100010C5: 90 nop
100010C6: 90 nop
100010C7: 90 nop
100010C8: 90 nop
100010C9: 90 nop
100010CA: 90 nop
100010CB: 90 nop
100010CC: 90 nop
100010CD: 90 nop
100010CE: 90 nop
100010CF: 90 nop
100010D0: 8B 54 24 04 mov edx,dword ptr [esp+4]
100010D4: 8B 4C 24 0C mov ecx,dword ptr [esp+0Ch]
100010D8: 8B 44 24 08 mov eax,dword ptr [esp+8]
100010DC: 89 4A 1C mov dword ptr [edx+1Ch],ecx
100010DF: 8B 4C 24 10 mov ecx,dword ptr [esp+10h]
100010E3: 83 F9 01 cmp ecx,1
100010E6: 89 42 18 mov dword ptr [edx+18h],eax
100010E9: 89 4A 20 mov dword ptr [edx+20h],ecx
100010EC: 75 39 jne 10001127
100010EE: 48 dec eax
100010EF: 74 26 je 10001117
100010F1: 48 dec eax
100010F2: 74 03 je 100010F7
100010F4: 48 dec eax
100010F5: 74 10 je 10001107
100010F7: 8B 4A 10 mov ecx,dword ptr [edx+10h]
100010FA: B8 04 00 14 00 mov eax,140004h
100010FF: 50 push eax
10001100: 51 push ecx
This feature matters for cracking and reverse engineering: a protection that compares the user's input against a plaintext password, for example, can be broken by reading the comparison in the disassembly (the string itself usually sits in .data or .rdata, where /RAWDATA shows it). Two things help when reading a listing like the one above. A direct call 10002C89 targets code inside the module, whereas call dword ptr ds:[1000916Ch] reads its target from an address table; 1000916Ch is RVA 916Ch, which falls inside the Import Address Table directory (RVA 9000, size 178 in the header dump), so it is a call to an imported API and /IMPORTS tells you which one. And constants are clues: the 8007000Eh returned when the call at 1000100E yields zero is the HRESULT E_OUTOFMEMORY, which strongly suggests that call, made right after push 30h, is a 30h-byte allocation. For details see the book 《黑客反汇编揭秘》 (Hacker Disassembling Uncovered).
III The /IMPORTS and /EXPORTS options list the functions a module imports from other DLLs and the functions it exports itself. For a3d.dll the header dump shows both tables are present (Export Directory at RVA A0B0, Import Directory at RVA 9888).
IV The /DEPENDENTS option shows which DLLs a file depends on. Again taking a3d.dll as the example:
Dump of file a3d.dll
File Type: DLL
Image has the following dependencies:
USER32.dll
GDI32.dll
ADVAPI32.dll
ole32.dll
KERNEL32.dll
Summary
4000 .data
2000 .rdata
2000 .reloc
A0000 .rsrc
8000 .text
Heh.
This is very useful in program analysis: you can see which dynamic link libraries the program pulls in. Keep in mind that /DEPENDENTS only reads the import table, that is, the DLLs bound at link time; anything the program loads itself at run time through LoadLibrary does not appear here. VC also ships a dedicated dependency viewer, DEPENDS.EXE in Microsoft Visual Studio/Common/Tools, which walks the whole dependency tree and shows the imported and exported functions of every module in it :)
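The header walk of section I (file header characteristics, the section table, and why an RVA is not a file offset) and the import and dependency listings of sections III and IV can all be reproduced with a short parser. The block below is an added example written for this page; it is not code from the original post or from DUMPBIN. It builds a small constructed PE32 image in memory (a .text section holding an import table with two DLLs, one import by ordinal, and a second, data-less section deliberately marked writable and executable) so that it runs offline, then does what /HEADERS, /IMPORTS and /DEPENDENTS do for it. The image, the section name .rwx, the three imported names and the flag tables are all constructed for the example; the dependents are simply the keys of the import table, in the order dumpbin prints them.

```python
# Added example (not code from the original post or from DUMPBIN): a stdlib-only PE32 walker
# doing what dumpbin /HEADERS, /IMPORTS and /DEPENDENTS did above, on a constructed image.
import struct

FILE_FLAGS = {0x0002: "Executable", 0x0004: "Line numbers stripped", 0x0008: "Symbols stripped",
              0x0100: "32 bit word machine", 0x2000: "DLL"}            # names as dumpbin prints them
SECTION_FLAGS = {0x00000020: "Code", 0x00000040: "Initialized Data", 0x00000080: "Uninitialized Data",
                 0x02000000: "Discardable", 0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}

def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def build_sample_pe():
    """Constructed PE32 image (not a real file): 200h bytes of headers, a .text section at RVA 1000h
    backed by file offset 200h that holds an import table, and a data-less section marked W+X."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                    # e_lfanew
    pe, opt, sec, t = 0x80, 0x98, 0x178, 0x200        # PE signature, optional header, section table, .text
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x210E)  # i386, 2 sections, 210Eh
    # Magic 10Bh, linker 6.0, SizeOfCode, init/uninit data, AddressOfEntryPoint, BaseOfCode, BaseOfData
    struct.pack_into("<HBBIIIIII", img, opt, 0x10B, 6, 0, 0x200, 0, 0x1000, 0x10E0, 0x1000, 0x2000)
    struct.pack_into("<III", img, opt + 28, 0x10000000, 0x1000, 0x200)          # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * 1, 0x1000, 0x3C)                # directory 1: Import Directory
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".rwx", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    struct.pack_into("<IIIII", img, t, 0x1040, 0, 0, 0x1060, 0x1050)            # descriptor: KERNEL32.dll
    struct.pack_into("<IIIII", img, t + 0x14, 0x1070, 0, 0, 0x1090, 0x1080)     # descriptor: USER32.dll, then zeros
    struct.pack_into("<III", img, t + 0x40, 0x10A0, 0x10B4, 0)                  # KERNEL32 import lookup table
    struct.pack_into("<III", img, t + 0x50, 0x10A0, 0x10B4, 0)                  # KERNEL32 IAT (unbound copy)
    struct.pack_into("<III", img, t + 0x70, 0x10C4, 0x8000000C, 0)              # USER32: by name, then by ordinal 12
    struct.pack_into("<III", img, t + 0x80, 0x10C4, 0x8000000C, 0)              # USER32 IAT
    img[t + 0x60:t + 0x6D] = b"KERNEL32.dll\0"
    img[t + 0x90:t + 0x9B] = b"USER32.dll\0"
    img[t + 0xA0:t + 0xB1] = b"\0\0GetProcAddress\0"                           # 2-byte hint, then the name
    img[t + 0xB4:t + 0xC3] = b"\0\0LoadLibraryA\0"
    img[t + 0xC4:t + 0xD2] = b"\0\0MessageBoxA\0"
    return bytes(img)

def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 10Bh) is handled; PE32+ lays the optional header out differently")
    entry, hdr_size, n_dirs = (struct.unpack_from("<I", data, opt + o)[0] for o in (16, 60, 92))  # entry point, SizeOfHeaders, NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii"), vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr, flags=flags))
    return dict(data=data, machine=machine, characteristics=chars, entry=entry,
                size_of_headers=hdr_size, dirs=dirs, sections=sections)

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table (RVA == offset only by coincidence)."""
    if rva < pe["size_of_headers"]:
        return rva
    for s in pe["sections"]:
        if s["rawsize"] and s["va"] <= rva < s["va"] + s["rawsize"]:
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imports(pe):
    """DLL -> imported names, as dumpbin /IMPORTS lists them (imports by ordinal as 'ordinal N')."""
    data, rva, result = pe["data"], pe["dirs"][1][0], {}
    if not rva:
        return result
    off = rva_to_offset(pe, rva)
    while (desc := struct.unpack_from("<IIIII", data, off))[3]:      # a Name RVA of 0 ends the table
        lookup, _, _, name_rva, iat = desc
        thunk, names = rva_to_offset(pe, lookup or iat), []           # lookup table, or the IAT if absent
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            names.append(f"ordinal {entry & 0xFFFF}" if entry & 0x80000000
                         else _cstr(data, rva_to_offset(pe, entry) + 2))    # +2 skips the hint
            thunk += 4
        result[_cstr(data, rva_to_offset(pe, name_rva))] = names
        off += 20
    return result

def writable_executable_sections(pe):
    """Sections both Write and Execute: linkers do not emit these, packers and injected code do."""
    return [s["name"] for s in pe["sections"] if s["flags"] & 0x80000000 and s["flags"] & 0x20000000]

if __name__ == "__main__":          # for a real file: pe = parse_pe(open(path, "rb").read())
    pe = parse_pe(build_sample_pe())
    print(decode_flags(pe["characteristics"], FILE_FLAGS), list(imports(pe)), writable_executable_sections(pe))
```

Run it directly and it decodes the same 210Eh characteristics the a3d.dll dump showed, lists the two dependents and flags the .rwx section. rva_to_offset refuses an RVA that has no file backing (the W+X section here has SizeOfRawData 0), which is the right behaviour when you are locating bytes on disk for a hex editor or a disassembler: a packer that unpacks into such a section is exactly why the on-disk bytes and the in-memory bytes differ.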
That is all for today. These are just some small notes I put together, with plenty of gaps that I will fill in over time :) Corrections and questions about the article are welcome.
Time for a break~~~~~