http://hi.baidu.com/sageking2/blog/item/c653a23dfe2bfae73c6d9715.html
Splitting the DOS stub program out of a PE file
A normal PE file contains a DOS stub block, which is in fact an ordinary DOS *.exe program.
When a Win32 program is run under DOS, this is the program that gets executed.
First open a program compiled with Delphi 7 in the hex editor WinHex; a screenshot of its DOS MZ header + DOS stub block + part of the PE header is shown below:
Copying only the DOS stub block into a new file does not produce something that runs, because the register initialization that the file header provides for it is missing. So the DOS MZ header + DOS stub block must be copied together into the new file (file1.exe). The new file's contents are:
4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 // the DOS stub starts at this line
54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 // This program mus
74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57
69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 // 24 is '$'
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
At this point it still does not run correctly; the first six bytes must also be changed to 4D 5A 00 01 01 00. To see what these six bytes mean, compare them against the DOS MZ header data structure:
(Why this change is needed, I do not fully understand yet)
IMAGE_DOS_HEADER STRUCT
e_magic WORD ? ;DOS executable file signature, "MZ"
e_cblp WORD ? ;Bytes on last page of file
e_cp WORD ? ;Pages in file
e_crlc WORD ? ;Relocations
e_cparhdr WORD ? ;Size of header in paragraphs
e_minalloc WORD ? ;Minimum extra paragraphs needed
e_maxalloc WORD ? ;Maximum extra paragraphs needed
e_ss WORD ? ;Initial stack segment for the DOS code
e_sp WORD ? ;Initial stack pointer for the DOS code
e_csum WORD ? ;Checksum
e_ip WORD ? ;Entry IP of the DOS code
e_cs WORD ? ;Entry CS of the DOS code
e_lfarlc WORD ? ;File address of relocation table
e_ovno WORD ? ;Overlay number
e_res WORD 4 dup(?) ;Reserved words
e_oemid WORD ? ;OEM identifier (for e_oeminfo)
e_oeminfo WORD ? ;OEM information; e_oemid specific
e_res2 WORD 10 dup(?) ;Reserved words
e_lfanew DWORD ? ;Points to the PE file header
IMAGE_DOS_HEADER ENDS
Now it runs correctly. In fact the useful part of this DOS stub ends at the '$', so the program can be made a little smaller still, down to a size of only 0x00000077 bytes. The final result (the contents of file1.exe) is:
4D 5A 77 00 01 00 00 00 04 00 0F 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90
54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73
74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57
69 6E 33 32 0D 0A 24
Result of running it:
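As an added example (not part of the original post and not the author's tool), the Python script below does the same extraction programmatically. Its input is the 0x100-byte dump from the post (MZ header + stub up to e_lfanew); the PE bytes appended after it are a constructed placeholder, since the script never reads past e_lfanew. It also shows what the six-byte change does: e_cp is the number of 512-byte pages and e_cblp the number of bytes used on the last page, so DOS derives the file size from them. The header copied from the Delphi executable still says 0x250 bytes, while the cut-down file holds only 0x100 (or 0x77 once trimmed at '$'), so the two fields are rewritten to describe the real length. The stub_message helper assumes the Borland-style stub shown on the page, whose code begins with mov dx,imm16 pointing at the '$'-terminated string.

```python
# Added example: extract MZ header + DOS stub from a PE image and fix e_cblp/e_cp.
# Real bytes: the 0x100-byte dump from the post. Constructed: the PE tail below.
import struct

# First 0x100 bytes of the Delphi 7 executable as dumped in the post:
# 64-byte IMAGE_DOS_HEADER, then the DOS stub, up to e_lfanew = 0x100.
DOS_PART_HEX = """
4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90
54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73
74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57
69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00
""" + ("00 " * 16 + "\n") * 8

# The 0x77-byte file1.exe the post ends up with, for comparison.
PAGE_RESULT_HEX = """
4D 5A 77 00 01 00 00 00 04 00 0F 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90
54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73
74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57
69 6E 33 32 0D 0A 24
"""


def _hex(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


# Constructed stand-in for the PE header and sections that follow in the
# real file; nothing below looks past e_lfanew, so their content is irrelevant.
SAMPLE_PE = _hex(DOS_PART_HEX) + b"PE\0\0" + b"\0" * 60

DOS_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
              "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_dos_header(data: bytes) -> dict:
    """Decode the IMAGE_DOS_HEADER fields used here (little-endian WORDs + e_lfanew)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    hdr = dict(zip(DOS_FIELDS, struct.unpack_from("<13H", data, 2)))
    hdr["e_lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]
    return hdr


def declared_file_size(hdr: dict) -> int:
    """File size DOS computes from the header: e_cp pages of 512 bytes,
    e_cblp bytes used on the last page (0 means the last page is full)."""
    if hdr["e_cblp"] == 0:
        return hdr["e_cp"] * 512
    return (hdr["e_cp"] - 1) * 512 + hdr["e_cblp"]


def extract_dos_stub(pe: bytes, trim_at_dollar: bool = True) -> bytes:
    """Return header + stub as a standalone DOS .exe with e_cblp/e_cp rewritten."""
    hdr = parse_dos_header(pe)
    end = hdr["e_lfanew"]
    if not 0x40 <= end <= len(pe):
        raise ValueError("e_lfanew points outside the file")
    stub = bytearray(pe[:end])
    if trim_at_dollar:
        # The stub prints via INT 21h/AH=09h, whose string ends at '$';
        # bytes after it are never used, so they can be dropped.
        dollar = stub.find(b"$", hdr["e_cparhdr"] * 16)
        if dollar != -1:
            del stub[dollar + 1:]
    size = len(stub)
    e_cblp, e_cp = size % 512, (size + 511) // 512
    struct.pack_into("<HH", stub, 2, e_cblp, e_cp)
    return bytes(stub)


def stub_message(stub: bytes) -> bytes:
    """Recover the text the stub prints. Assumes the Borland-style stub on the
    page: code starts with 'mov dx, imm16' (BA xx xx), DX = offset of the
    '$'-terminated string relative to the load segment (start of the code)."""
    hdr = parse_dos_header(stub)
    code = hdr["e_cparhdr"] * 16
    if stub[code] != 0xBA:
        raise ValueError("stub does not start with mov dx, imm16")
    start = code + struct.unpack_from("<H", stub, code + 1)[0]
    return stub[start:stub.index(b"$", start)]


def matches_page_result() -> bool:
    """True when the trimmed output is byte-for-byte the post's final file1.exe."""
    return extract_dos_stub(SAMPLE_PE) == _hex(PAGE_RESULT_HEX)
```

Running extract_dos_stub(SAMPLE_PE, trim_at_dollar=False) reproduces the author's first fix (a 0x100-byte file whose header begins 4D 5A 00 01 01 00), and the default trimmed call reproduces the 0x77-byte final file, with declared_file_size showing the untouched header's 0x250 claim against the real length.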