PE 标头要求

问题描述 投票:0回答:5

PE文件(PE/COFF)有什么要求?应该设置哪些字段、哪些值,以使其能够在 Windows 上“运行”(即执行“ret”指令然后关闭,没有错误)。

我首先构建的库是链接器:现在,我遇到的问题是 PE 文件(PE/COFF)。 我不知道PE文件在我的平台上实际执行之前“需要”什么。我的测试平台是Vista。当我双击执行它时,我收到一条错误消息,显示“这不是有效的 Win32 可执行文件。”,并且收到“访问被拒绝”。使用 CLI cmd 执行它时。我有两个部分,.text 和 .data。

我已经实现了多个在线文档(即 MSDN 和其他一些第三方文档)提供的 PE 标头。如果我使用十六进制编辑器,它看起来几乎就像一个普通的 PE 文件。我不使用任何导入,也不使用 IAT,也不使用 PE 标头中的任何目录。

编辑:我添加了一个导入表,但仍然不是有效的 .exe 文件,我的 Windows 说。我尝试使用最小 PE 文件指南中也提到的值。没有运气。实际上,我似乎唯一无法弄清楚的是需要什么和不需要什么。一些指南告诉我一切都是必需的,而另一些指南则说贬值:而且可以为零。

我希望这是足够的信息。 提前谢谢您。

当前 PE 标头的原始数据(根据要求):

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 02 00
C8 7A 55 4B 00 00 00 00 00 00 00 00 E0 00 82 01 0B 01 0D 25 00 10 00 00
00 10 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00
00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00 03 00 0A 00 00 00 00 00
00 22 00 00 38 01 00 00 00 00 00 00 03 00 00 00 00 40 00 00 00 40 00 00
00 40 00 00 00 40 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00
00 20 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2E 74 65 78 74 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 69 64 61 74 61 00 00
00 00 00 00 00 20 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 20 00 00 00 00 00 00
00 00 00 00 24 20 00 00 34 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 01 00 00 80
00 00 00 00 01 00 00 80 00 00 00 00
java winapi assembly portable-executable coff
5个回答
2
投票

将粘贴复制到十六进制编辑器中是一件非常痛苦的事情,所以不幸的是我不能立即说任何太聪明的话。

PE文件需要注意的事项: 确保您的 DOS 标头有效。 确保 IMAGE_OPTIONAL_HEADER 格式正确,因为尽管有它的名称,Windows 并不真正喜欢它不正确完成。

有关 MS 格式之外的更多信息,请查找 pe.txt,这是我所知道的最好的 PE 格式自制指南之一。

如果您可以只发布字节,我可以尝试将其放入我自己的 PE 解析器中,看看我是否可以提供更多帮助。

2
投票

这篇关于创建小型 PE 可执行文件的文章可能会引起兴趣:特别是,它提到 Win2k 加载程序需要导入 KERNEL32.DLL,因此可能值得研究。

2
投票
您尝试执行的操作取决于您所使用的 Windows 版本。例如,在 Windows 2000 上读取 PE 文件的方式与 Windows 7 上读取它们的方式不同。我是 OSX 用户,但在我拥有的 Windows 7 上,我无法以适用于 Windows 2000 及更早版本的方式操作 PE 文件。我还没有测试 XP 或 Vista(或 2000 到 Win7 之间的其他版本)来了解 Windows 何时开始以不同方式读取 PE。在 Windows 7 上,MS-DOS 标头和存根中的每一位内存都会被忽略。唯一重要的两部分是“幻数”(等于“MZ”的字)和 PE 偏移量,这是一个 DWORD,定义了 PE 标头在内存中的开始位置。我不确定 Windows 是否真的在 100% 的情况下忽略 MS-DOS 标头和存根中的所有其他值,但排除我刚才提到的两个,如果所有其他值都设置为 0,则有效的可执行程序将正常运行.

在 Windows 2000 及更早版本中,我不知道我上面提到的是否属实,但当时允许您修改 MS-DOS 存根的长度(或者可能删除它),前提是 PE Offset 值仍然指向内存中的正确位置来查找 PE 标头。在 Windows 7 上,如果您完全修改 MS-DOS 存根的长度,即使 PE Offset 指向正确的修改位置,Windows 也不会运行该 exe,并声称它不是有效的 Win32 应用程序。

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

这是 PE 文件在 Windows 7 上至少可以拥有的 MS-DOS 部分,同时仍然具有有效的、功能正常的可执行文件。那一点不能缩短。

希望这能澄清一些事情。

1
投票
您可以尝试诸如 .NET 2.0 IL Assembler 这样的书。本书有一整章专门介绍 PE 格式可执行文件的外观(以及 .Net PE 的外观)。

您还可以尝试使用 PE 文件阅读器加载 PE 文件并检查结果。 如果 PE 读者对你的 PE 感到困惑,那么你可以指出失败的原因。

这是我编写的

PE文件读取DLL(带有源代码)。还有一个使用它的 GUI(带有源代码)。

源代码是完全开源的(不受 GPL 的阻碍),因此您可以用它做您想做的事情(除了对其强加 GPL,这会阻止它完全开放),包括关闭您的版本。

0
投票
Microsoft PE/COFF 规范是我所知道的唯一规范。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.