[Original] A Brief Analysis of the PE Format
Posted: 2010-2-17 21:20

Below is a comparison of the application before and after adding an API with the tool:

正在比较文件 crackme.exe 和 添加API后的CRACKME.EXE

000000CE: 04 05  A section was added: ..idata
00000119: 50 60  SizeOfImage, the total size of the image once loaded into memory; a section was added, so this grows accordingly
00000148: 40 00  Import table address changed from 2040 to 5000
00000149: 20 50  Import table address changed from 2040 to 5000

..idata  RAddress = VAddress - (VOffset - ROffset )
                  = 5000 - (5000 - 2400) = 2400

00000260: 00 2E  Section header of the added section
00000261: 00 2E  Section header of the added section
00000262: 00 69  Section header of the added section
00000263: 00 64  Section header of the added section
00000264: 00 61  Section header of the added section
00000265: 00 74  Section header of the added section
00000266: 00 61  Section header of the added section
00000269: 00 10  Section header of the added section
0000026D: 00 50  Section header of the added section
00000271: 00 02  Section header of the added section
00000275: 00 24  Section header of the added section
00000284: 00 02  Section header of the added section
00000287: 00 E0  Section header of the added section

Below is the marker PEditor writes to flag that it was used:
**************** Modified with    PEditor 1.7   by yoda & M.o.D. -> come.to/f2f ****************
00000290: 00 2A
00000291: 00 2A
……
……
000002EE: 00 2A
000002EF: 00 2A

FC: 添加API后的CRACKME.EXE 比 crackme.exe 长 (this should refer to the newly added section)

Its contents:

          Copy of the original program's import table IIDs:
00002400h:[A0 20 00 00 00 00 00 00 00 00 00 00 18 21 00 00 ; ?...........!..
00002410h: 24 20 00 00 7C 20 00 00 00 00 00 00 00 00 00 00 ; $ ..| ..........
                                   The added IID
00002420h: 9E 21 00 00 00 20 00 00][6D 50 00 00 00 00 00 00 ; ?... ..mP......
00002430h: 00 00 00 00 50 50 00 00  6D 50 00 00]00 00 00 00 ; ....PP..mP......
00002440h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00002450h: 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 47 65 74 ; user32.dll...Get
00002460h: 44 6C 67 49 74 65 6D 54 65 78 74 41 00 5B 50 00 ; DlgItemTextA.[P.

Looking at the IID again:

Field               Bytes         Relative offset (RVA)   Absolute (file) offset
OriginalFirstThunk  6D 50 00 00   0x506D                  0x246D
TimeDateStamp       00 00 00 00
ForwarderChain      00 00 00 00
Name                50 50 00 00   0x5050                  0x2450 -> user32.dll
FirstThunk          6D 50 00 00   0x506D                  initialized when the program runs

RAddress = VAddress - (VOffset - ROffset )
         = 506D - (5000 - 2400) = 506D - 2C00 = 246D
So the newly added DLL's FirstThunk and OriginalFirstThunk have the same address: relative offset 506D, absolute offset 2460.

So the procedure for adding an API should be:
    1. Add a new section.
    2. Change the import table address in the PE header to point at the chosen location.
    3. At that location, place a copy of the original import table's IIDs and append the newly added IID.
    4. In the new section, add the desired APIs for the newly added IID.
    5. (Guess) Mark the modified program, so that a new section does not have to be added every time an API is added (the section it previously added is simply modified instead).


Also, I suddenly noticed that after adding an API, PEditor generates a text file, "<application name>_IData.txt", which tells us exactly how to call the added API. Sigh!

GetDlgItemTextA - call dword ptr [0040506D]

Had I noticed that earlier, I probably would not have bothered analyzing the PE file format for now.
2010-2-18 22:01
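As an added example (not part of the original post, and not PEditor's code), here is a small Python parser that walks the import directory the way the post does by hand: every RVA is mapped to a file offset through the section table with RAddress = VAddress - (VOffset - ROffset), and the IMAGE_IMPORT_DESCRIPTOR array is then read entry by entry. The input is constructed from the post's dump of the .idata block; the section entry (..idata, VA 0x5000, raw offset 0x2400, 0x200 bytes) and the import table RVA 0x5000 are assumed from the fc output above, and because the two original IIDs point into sections that are not included here, their names come back unresolved rather than crashing the parser.

```python
import struct
# Constructed input: the .idata block from the dump above (file offsets 0x2400-0x247F), zero-padded so
# it sits at its real file offset. No headers are included; section entry and import RVA are supplied by hand.
IDATA_HEX = (
    "A0 20 00 00 00 00 00 00 00 00 00 00 18 21 00 00 "
    "24 20 00 00 7C 20 00 00 00 00 00 00 00 00 00 00 "
    "9E 21 00 00 00 20 00 00 6D 50 00 00 00 00 00 00 "
    "00 00 00 00 50 50 00 00 6D 50 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "75 73 65 72 33 32 2E 64 6C 6C 00 00 00 47 65 74 "
    "44 6C 67 49 74 65 6D 54 65 78 74 41 00 5B 50 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
FILE_IMAGE = b"\x00" * 0x2400 + bytes.fromhex(IDATA_HEX)
SECTIONS = [("..idata", 0x5000, 0x2400, 0x200)]  # (name, VirtualAddress, PointerToRawData, SizeOfRawData)
IMPORT_TABLE_RVA = 0x5000  # the new DataDirectory[1].VirtualAddress written by the tool

def rva_to_offset(rva, sections):
    """RAddress = VAddress - (VOffset - ROffset); None when no section maps the RVA."""
    for _name, va, raw, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - (va - raw)
    return None

def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")

def parse_imports(data, sections, import_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array up to its all-zero terminator."""
    result, off = [], rva_to_offset(import_rva, sections)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # terminating descriptor
        name_off = rva_to_offset(name_rva, sections)
        dll = read_cstr(data, name_off) if name_off is not None else None
        funcs, thunk_off = [], rva_to_offset(oft or ft, sections)  # fall back to FirstThunk if OFT is 0
        while thunk_off is not None:  # None: the thunk array lives in a section we do not have
            entry, = struct.unpack_from("<I", data, thunk_off)
            if entry == 0:
                break
            if entry & 0x80000000:  # import by ordinal
                funcs.append("#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the name
                hn_off = rva_to_offset(entry, sections)
                funcs.append(read_cstr(data, hn_off + 2) if hn_off is not None else None)
            thunk_off += 4
        result.append((dll, oft, ft, funcs))
        off += 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return result
```

Run on the constructed image, the third descriptor resolves to user32.dll with the single import GetDlgItemTextA, whose thunk sits at file offset 0x246D exactly as computed in the post.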
Yes, that's exactly it. But CHUNK does not change.
2010-2-18 22:47
Thanks to the OP for sharing.
2010-2-25 17:13
Got another featured post, very happy. Thanks kanxue, thanks PEDIY!
2010-2-26 10:45
I'll go find one and analyze it too.
2010-2-26 10:49
Hmm, nice, learned something.
2010-7-14 09:38
Once you truly master the PE file format, you can do a lot of things.
2010-8-5 08:43