These are my own modification tests against each important part of a standard PE file; I hope some of the data and results are of use to others.
Source: http://blog.csdn.net/soft_biao
Header bytes of the unmodified PE file (PE32, three sections; file offsets 000h-21Fh):
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00000080 5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B ]e..............
00000090 97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B .........$......
000000A0 52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00 Rich............
000000B0 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00 PE..L...>.$E....
000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00 ................
000000D0 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
000000F0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 .@..............
00000110 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00000120 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 . ..<...........
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00 ......... ......
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 0...............
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 ............ ...
000001D0 2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00 .rdata....... ..
000001E0 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ....@..@.data...
00000200 42 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00 B....0..........
00000210 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ............@...
Modification test log
(For each field the 16-byte row of the dump above that contains it is repeated, followed by what happened when the file was run after the field had been altered.)

DOS header (IMAGE_DOS_HEADER)
1. DOS header magic number (e_magic)
   00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
   Result: a console window pops up and immediately closes again.
2. File offset of the PE header (the e_lfanew member of IMAGE_DOS_HEADER)
   00000030 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00
   Result: a console window pops up and immediately closes again.

PE header (IMAGE_NT_HEADERS)
1. PE header signature (Signature)
   000000B0 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00
   Result: a console window pops up and immediately closes again.
2. CPU the file requires (Machine; the first field of the embedded IMAGE_FILE_HEADER) [on Intel platforms the value is IMAGE_FILE_MACHINE_I386 (14Ch)]
   000000B0 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00
   Result: an error dialog reports that the file is not a valid Win32 application.

[PE header] File header (IMAGE_FILE_HEADER)
3. Number of sections (NumberOfSections)
   000000B0 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00
   Result: if the value disagrees with the number of entries in the section table, an error dialog reports that the file is not a valid Win32 application.
4. Size of the optional header (SizeOfOptionalHeader)
   000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00
   Result: if the value differs from the actual size of the optional header, an error dialog reports that the file is not a valid Win32 application.
5. File characteristics flags (Characteristics)
   000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00
   Result: an error dialog reports that the file is not a valid Win32 application.

[PE header] Optional header (IMAGE_OPTIONAL_HEADER32)
6. Magic value (Magic)
   000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00
   Result: an error dialog reports that the file is not a valid Win32 application.
7. RVA of the first instruction (AddressOfEntryPoint)
   000000D0 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00
   Result: an unsuitable value produces a debugger error dialog. Note: to redirect the entire flow of execution, point this field at a new RVA; the instructions at that RVA are then executed first.
8. Preferred load address of the PE file (ImageBase)
   000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00
   Result: a debugger error dialog, or an error dialog reporting that the file is not a valid Win32 application.
9. Section alignment in memory (SectionAlignment)
   000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00
   Result: an error dialog reports that the file is not a valid Win32 application. Note: this value is tied to the RVAs of the sections in the section table.
10. Section alignment in the file (FileAlignment)
   000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00
   Result: I changed the value to 400h, 800h and 1000h and the file still ran normally (for this particular file); any other value produces an error dialog reporting that the file is not a valid Win32 application. Note: this value is tied to the sections' file offsets (PointerToRawData) in the section table.
11. Win32 subsystem version (MajorSubsystemVersion)
   000000F0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
   Result: an error dialog reports that the file is not a valid Win32 application. Note: if the PE file is built specifically for Win32, the subsystem version must be 4.0; otherwise its dialogs are drawn without the 3-D look.
12. Size of the whole PE image in memory (SizeOfImage)
   00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00
   Result: an error dialog reports that the file is not a valid Win32 application. Note: must equal the size of all sections once mapped into memory.
13. Size of all headers plus the section table (SizeOfHeaders)
   00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00
   Result: values below 190h give "The application failed to initialize properly (0xc0000005)" or the same failure with (0xc000007b); values above 1000h, the size of the file, produce an error dialog reporting that the file is not a valid Win32 application.
14. Subsystem NT uses to decide which subsystem the PE file belongs to (Subsystem)
   00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00
   Result: an error dialog reports that the application cannot be run in Win32 mode. Note: for most Win32 programs only two values occur, Windows GUI and Windows CUI (console).

[PE header, optional header] Data directory (IMAGE_DATA_DIRECTORY)
1. RVA of the import table (Import Table.VirtualAddress)
   00000130 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00
   Result: "The application failed to initialize properly (0xc0000005)" or a debugger error dialog. Note: may be set to 0 when no functions are imported.
2. RVA of the resource table (Resource Table.VirtualAddress)
   00000130 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00
   Result: an error reports "Invalid access to memory location" or "Only part of a ReadProcessMemory or WriteProcessMemory request was completed".
3. Last 4 bytes of the debug directory (Debug.Size)
   00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Result: "The application failed to initialize properly (0xc0000005)" or a debugger error dialog.
4. RVA of the TLS table (TLS Table.VirtualAddress)
   00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Result: "The application failed to initialize properly (0xc0000005)".
5. RVA of the load configuration table (Load Config Table.VirtualAddress)
   00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Result: an error dialog reports that the file is not a valid Win32 application.
6. RVA of the bound import table (Bound Import Table.VirtualAddress)
   00000180 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00
   Result: "The application failed to initialize properly (0xc0000005)".
7. IAT directory (IAT.VirtualAddress)
   00000180 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00
   Result: "The application failed to initialize properly (0xc00000XX)". Note: when the import table RVA is 0 this value can be changed freely; otherwise the IAT directory RVA and the FirstThunk of the first import descriptor (IMAGE_IMPORT_DESCRIPTOR) point to the same address.
8. RVA of the COM+ runtime header (COM+ Runtime Header.VirtualAddress)
   00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Result: "The application failed to initialize properly (0xc0000005)".

Section table (IMAGE_SECTION_HEADER), using the .text section as the example
1. Size of the section once mapped into memory (VirtualSize)
   000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
   Result: when the value exceeds the section's actual size in memory, an error dialog reports that the file is not a valid Win32 application. Note: any value that is smaller than the section's actual mapped size is fine.
2. RVA of the section (VirtualAddress)
   000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
   Result: an error dialog reports that the file is not a valid Win32 application. Note: this value is tied to SectionAlignment in the optional header.
3. Size of the section's raw data in the file (SizeOfRawData)
   000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
   Result: a value of 0 produces a debugger error dialog. Note: any non-zero value runs normally.
4. File offset of the section's data (PointerToRawData)
   000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
   Result: a value below the section's starting file offset may cause a debug error; a value beyond the section's end offset produces no visible reaction at all. Note: any value within the section's file range runs normally.
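The block below is an added example and is not part of the original post. It parses the header bytes dumped above (only the rows the checks read are reproduced; the DOS stub, Rich header and rows holding unread fields are left zero) and applies specification-level consistency checks to the same fields the test log exercises: e_magic, e_lfanew, Signature, Machine, NumberOfSections, SizeOfOptionalHeader and Magic, Characteristics, AddressOfEntryPoint, ImageBase, SectionAlignment and FileAlignment, Subsystem, SizeOfImage, SizeOfHeaders, the import and IAT directories, and the section table. The `patched` helper reproduces the single-field edits from the log. The checks follow the PE/COFF specification rather than the loader's observed leniency, so they are stricter in places: the post found FileAlignment 400h still ran, whereas the checker flags .rdata's PointerToRawData of 600h as unaligned, and the loader's tolerance for SizeOfHeaders down to 190h is not reproduced either. The field offsets, messages and function names are this example's own.

```python
import struct

# Constructed input: header bytes copied from the hex dump above (PE32, three sections). All-zero
# rows, the DOS stub/Rich header (0x40-0xAF) and rows holding only fields the checker never reads
# (0x10, 0xF0, 0x110, 0x1C0, 0x210) are omitted; the buffer is zero-filled.
DUMP = """
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00
000000B0 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00
000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00
000000D0 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00
000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00
00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00
00000120 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
00000130 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00
000001A0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00
000001B0 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
000001D0 2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00
000001E0 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00
00000200 42 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00
"""

def load_dump(text, size=0x220):
    """Place each 'offset byte byte ...' row of a hex dump into a zero-filled buffer."""
    buf = bytearray(size)
    for off, *hx in (row.split() for row in text.splitlines() if row.strip()):
        buf[int(off, 16):int(off, 16) + len(hx)] = bytes.fromhex("".join(hx))
    return buf

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]
def align_up(v, a): return -(-v // a) * a

def parse_pe(buf):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table (PE32 layout)."""
    pe = u32(buf, 0x3C)                                    # e_lfanew
    fh, opt = pe + 4, pe + 24                              # IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32
    h = dict(e_lfanew=pe, machine=u16(buf, fh), nsec=u16(buf, fh + 2), opt_size=u16(buf, fh + 16),
             file_chars=u16(buf, fh + 18), magic=u16(buf, opt), entry=u32(buf, opt + 16),
             image_base=u32(buf, opt + 28), sec_align=u32(buf, opt + 32), file_align=u32(buf, opt + 36),
             size_image=u32(buf, opt + 56), size_hdrs=u32(buf, opt + 60), subsystem=u16(buf, opt + 68),
             sec_tab=opt + u16(buf, fh + 16), sections=[])   # the section table follows the optional header
    h["dirs"] = [(u32(buf, opt + 96 + 8 * i), u32(buf, opt + 100 + 8 * i))     # (VirtualAddress, Size)
                 for i in range(min(u32(buf, opt + 92), 16))]                   # NumberOfRvaAndSizes
    last = min(h["sec_tab"] + 40 * h["nsec"], len(buf) - 39)   # stop where the claimed table or the data ends
    for s in range(h["sec_tab"], last, 40):
        h["sections"].append(dict(name=bytes(buf[s:s + 8]).rstrip(b"\0").decode("latin-1"),
                                  vsize=u32(buf, s + 8), va=u32(buf, s + 12),
                                  rawsize=u32(buf, s + 16), rawptr=u32(buf, s + 20)))
    return h

def check_pe(buf):
    """Spec-level consistency checks for the fields tested above; [] means the headers agree."""
    if bytes(buf[:2]) != b"MZ":
        return ["e_magic is not 'MZ'"]
    pe = u32(buf, 0x3C)
    if pe + 0xF8 > len(buf) or bytes(buf[pe:pe + 4]) != b"PE\0\0":
        return [f"no PE signature at e_lfanew 0x{pe:X}"]
    h = parse_pe(buf)
    fa, sa = h["file_align"], h["sec_align"]
    out = [msg for bad, msg in (
        (h["machine"] != 0x14C, f"Machine 0x{h['machine']:X} is not IMAGE_FILE_MACHINE_I386"),
        (not h["file_chars"] & 0x0002, "Characteristics lacks IMAGE_FILE_EXECUTABLE_IMAGE"),
        ((h["magic"], h["opt_size"]) != (0x10B, 0xE0), "Magic/SizeOfOptionalHeader are not the PE32 pair 0x10B/0xE0"),
        (h["image_base"] % 0x10000, "ImageBase is not a multiple of 64 KiB"),
        (h["subsystem"] not in (2, 3), f"Subsystem {h['subsystem']} is neither WINDOWS_GUI nor WINDOWS_CUI"),
        (h["size_hdrs"] < h["sec_tab"] + 40 * h["nsec"], "SizeOfHeaders does not cover the section table"),
        (len(h["sections"]) != h["nsec"], "NumberOfSections exceeds the section headers present"),
    ) if bad]
    if fa & (fa - 1) or not 0x200 <= fa <= 0x10000 or sa < fa:   # the checks below divide by these
        return out + [f"bad alignments: FileAlignment 0x{fa:X}, SectionAlignment 0x{sa:X}"]
    spans = [(s["va"], s["va"] + max(s["vsize"], s["rawsize"])) for s in h["sections"]]
    for s in h["sections"]:
        if s["va"] % sa or s["rawptr"] % fa:
            out.append(f"section {s['name']} violates SectionAlignment/FileAlignment")
        if not (s["vsize"] or s["rawsize"]):
            out.append(f"section {s['name']} has VirtualSize and SizeOfRawData both 0")
    end = align_up(max([hi for _, hi in spans], default=0), sa)
    if end != h["size_image"]:
        out.append(f"SizeOfImage 0x{h['size_image']:X} != aligned end of last section 0x{end:X}")
    def inside(rva): return any(lo <= rva < hi for lo, hi in spans)
    if not inside(h["entry"]):
        out.append(f"AddressOfEntryPoint 0x{h['entry']:X} lies outside every section")
    for i, what in ((1, "Import"), (12, "IAT")):
        if i < len(h["dirs"]) and h["dirs"][i][0] and not inside(h["dirs"][i][0]):
            out.append(f"{what} directory RVA 0x{h['dirs'][i][0]:X} lies outside every section")
    return out

def patched(buf, off, fmt, value):
    out = bytearray(buf)                                   # copy, then overwrite one field as the experiments did
    struct.pack_into(fmt, out, off, value)
    return out

if __name__ == "__main__":
    hdr = load_dump(DUMP)
    print("clean headers:", check_pe(hdr) or "no findings")
    print("FileAlignment -> 400h:", check_pe(patched(hdr, 0xEC, "<I", 0x400)))
```

Run as a script it reports no findings for the dumped headers and one finding for the FileAlignment 400h case; the same pattern (`patched` at the field's file offset, then `check_pe`) reproduces every other row of the log, for example `patched(hdr, 0xB6, "<H", 4)` for NumberOfSections or `patched(hdr, 0x10C, "<H", 1)` for Subsystem. The loader's actual behaviour for each corruption is what the table above records; the checker only tells you which header invariant the edit broke.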