反汇编时,需要确定只反汇编代码部分,那么如何才能知道PE文件的代码部分?
有一个文件的结表如下:
Section Header 1
Name:
VirtualSize: 000CC000
VirtualAddress: 00001000
SizeOfRawData: 0002EE00
PointerToRawData: 00001000
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: E0000040
Section Header 2
Name:
VirtualSize: 00005000
VirtualAddress: 000CD000
SizeOfRawData: 00000200
PointerToRawData: 0002FE00
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: E0000040
Section Header 3
Name: .rsrc
VirtualSize: 00001000
VirtualAddress: 000D2000
SizeOfRawData: 00001000
PointerToRawData: 00030000
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: E0000040
Section Header 4
Name: .data
VirtualSize: 00069000
VirtualAddress: 000D3000
SizeOfRawData: 00068400
PointerToRawData: 00031000
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: E0000040
Section Header 5
Name: .adata
VirtualSize: 00001000
VirtualAddress: 0013C000
SizeOfRawData: 00000000
PointerToRawData: 00099400
PointerToRelocations: 00000000
PointerToLinenumbers: 00000000
NumberOfRelocations: 0000
NumberOfLinenumbers: 0000
Characteristics: E0000040
我用W32DAsm,反汇编的时候只会反汇编前两个节,W32DAsm是如何确定第三个节不是代码的?
我将SizeOfCode 改为整个PE文件大小,将DATA_DIRECTORY中所有与资源、导入表、导出表相关的项全置为0,将BaseOfData设为0xFFFFFFF,可W32DAsm仍只认为第一、二两个节为代码.
在PE入口处,有一个JMP,直接跳到第三节的起始地址,说明第三节是代码,要怎么修改才能使W32DAsm认为第三节是代码?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
