久久综合伊人噜噜色,日本三级香港三级人妇电影精品,亚洲中文色资源,国产高清一区二区三区人妖

      • <sub id="9pxky"></sub>
    2. 

      <small id="9pxky"></small>
        

          

          


    
          
    
    
    



          

          

          


          

          


          

          

          

          

          


          

          

          



 找回密碼

          

          



 注冊(cè)

          

          




          


          

          QQ登錄
          

          只需一步,快速開始
          

          

          

          

          



          

          



          

          



          







          

          


          



          

          

          


          





          

          

          


          




          

          
關(guān)于PE下可執(zhí)行程序的修改!

          

[復(fù)制鏈接]

          		

          

          



          

          



          

          

          
 

          

          




          


1#


          

          

          

          

發(fā)表于 2008-9-28 16:20:46
|
只看該作者

|倒序?yàn)g覽
|閱讀模式

          

          

          
 

          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">windows 9x</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2000</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下,所有的可執(zhí)行文件都是基于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Microsoft</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計(jì)的一種新的文件格式</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Portable Executable File Format</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(可移植的執(zhí)行體),即</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式。有一些時(shí)候,我們需要對(duì)這些可執(zhí)行文件進(jìn)行修改,下面文字試圖詳細(xì)的描述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的格式及對(duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式文件的修改。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件框架構(gòu)成</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DOS MZ header <BR>DOS stub <BR>PE header <BR>Section table <BR>Section 1 <BR>Section 2 <BR>Section ... <BR>Section n <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></P>
          
8 v. W4 N/ _. Y  f9 M" C, z7 l" h<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的總體層次分布。所有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">甚至</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">位的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DLLs) </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">必須以一個(gè)簡(jiǎn)單的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開始,在偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下可執(zhí)行文件的“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MZ</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志”,有了它,一旦程序在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">就能識(shí)別出這是有效的執(zhí)行體,然后運(yùn)行緊隨</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">之后的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>DOS stub</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">實(shí)際上是個(gè)有效的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">EXE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,在不支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的操作系統(tǒng)中,它將簡(jiǎn)單顯示一個(gè)錯(cuò)誤提示,類似于字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> " This program cannot run in DOS mode " </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">或者程序員可根據(jù)自己的意圖實(shí)現(xiàn)完整的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼。通常</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS stub</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由匯編器</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">/</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">編譯器自動(dòng)生成,對(duì)我們的用處不是很大,它簡(jiǎn)單調(diào)用中斷</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">21h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">服務(wù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來顯示字符串</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">"This program cannot run in DOS mode"</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">緊接著</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">相關(guān)結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> IMAGE_NT_HEADERS </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的簡(jiǎn)稱,其中包含了許多</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器用到的重要域??蓤?zhí)行文件在支持</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件結(jié)構(gòu)的操作系統(tǒng)中執(zhí)行時(shí),</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處找到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的起始偏移量。因而跳過了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS stub </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">直接定位到真正的文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P># l  X, _, V9 Y
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的真正內(nèi)容劃分成塊,稱之為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">sections</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié))。每節(jié)是一塊擁有共同屬性的數(shù)據(jù),比如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”節(jié)等,那么,每一節(jié)的內(nèi)容都是什么呢?實(shí)際上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件把具有相同屬性的內(nèi)容放入同一個(gè)節(jié)中,而不必關(guān)心類似“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”、“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.data</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”的命名,其命名只是為了便于識(shí)別,所有,我們?nèi)绻麑?duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件進(jìn)行修改,理論上講可以寫入任何一個(gè)節(jié)內(nèi),并調(diào)整此節(jié)的屬性就可以了。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR><BR>PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">接下來的數(shù)組結(jié)構(gòu)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> section table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(節(jié)表)。</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">每個(gè)結(jié)構(gòu)包含對(duì)應(yīng)節(jié)的屬性、文件偏移量、虛擬偏移量等。如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件里有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)節(jié),那么此結(jié)構(gòu)數(shù)組內(nèi)就有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)成員。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>6 g4 j1 F: D/ Y
          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上就是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件格式的物理分布,下面將總結(jié)一下裝載一</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的主要步驟:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>1</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件被執(zhí)行,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DOS MZ header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">里的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>PE header </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">偏移量。如果找到,則跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器檢查</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的有效性。如果有效,就跳轉(zhuǎn)到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的尾部。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、緊跟</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的是節(jié)表。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器讀取其中的節(jié)信息,并采用文件映射方法將這些節(jié)映射到內(nèi)存,同時(shí)付上節(jié)表里指定的節(jié)屬性。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件映射入內(nèi)存后,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器將處理</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件中類似</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> import table</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(引入表)邏輯部分。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上述步驟是一些前輩分析的結(jié)果簡(jiǎn)述。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>2</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭概述</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">我們可以在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">這個(gè)文件中找到關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_NT_HEADERS { <BR>DWORD Signature; <BR>//PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭標(biāo)志</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">:“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE\0\0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”。在開始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DOS header</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3CH</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處所指向的地址開始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_FILE_HEADER FileHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件物理分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>IMAGE_OPTIONAL_HEADER32 OptionalHeader; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件邏輯分布的信息</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; <o:p></o:p></SPAN></P>
          
$ X1 I) L3 m* M5 V. q2 M<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_FILE_HEADER { <BR>WORD Machine; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該文件運(yùn)行所需要的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">CPU</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,對(duì)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Intel</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">平臺(tái)是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">14Ch <BR>WORD NumberOfSections; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的節(jié)數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD TimeDateStamp; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件創(chuàng)建日期和時(shí)間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToSymbolTable; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用于調(diào)試</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD NumberOfSymbols; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">符號(hào)表中符號(hào)個(gè)數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD SizeOfOptionalHeader; //OptionalHeader </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件信息標(biāo)記,區(qū)分文件是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">dll <BR>} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; <o:p></o:p></SPAN></P>9 s0 X# F: Q6 z' O  C+ r  H$ |0 O
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_OPTIONAL_HEADER { <BR>WORD Magic; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志字</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">(</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">總是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">010bh) <BR>BYTE MajorLinkerVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">連接器版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>BYTE MinorLinkerVersion; // <BR>DWORD SizeOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfInitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">已初始化數(shù)據(jù)塊大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfUninitializedData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">未初始化數(shù)據(jù)塊大小</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US><BR>DWORD AddressOfEntryPoint; //PE</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">裝載器準(zhǔn)備運(yùn)行的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的第一個(gè)指令的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,若要改變整個(gè)執(zhí)行的流程,可以將該值指定到新的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,這樣新</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處的指令首先被執(zhí)行。(許多文章都有介紹</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,請(qǐng)去了解)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD BaseOfCode; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD BaseOfData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA <BR>DWORD ImageBase; //PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件的裝載地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SectionAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">塊對(duì)齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD FileAlignment; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件塊對(duì)齊</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MajorOperatingSystemVersion;//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所需操作系統(tǒng)版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorOperatingSystemVersion;// <BR>WORD MajorImageVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用戶自定義版本號(hào)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorImageVersion; // <BR>WORD MajorSubsystemVersion; //win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">子系統(tǒng)版本。若</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件是專門為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Win32</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)計(jì)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD MinorSubsystemVersion; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">該子系統(tǒng)版本必定是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4.0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">否則對(duì)話框不會(huì)有</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">維立體感</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Win32VersionValue; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保留</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfImage; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">內(nèi)存中整個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">映像體的尺寸</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD SizeOfHeaders; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所有頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">+</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表的大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD CheckSum; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">校驗(yàn)和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD Subsystem; //NT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用來識(shí)別</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件屬于哪個(gè)子系統(tǒng)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD DllCharacteristics; // <BR>DWORD SizeOfStackReserve; // <BR>DWORD SizeOfStackCommit; // <BR>DWORD SizeOfHeapReserve; // <BR>DWORD SizeOfHeapCommit; // <BR>DWORD LoaderFlags; // <BR>DWORD NumberOfRvaAndSizes; // <BR>IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; <BR>//IMAGE_DATA_DIRECTORY </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">結(jié)構(gòu)數(shù)組。每個(gè)結(jié)構(gòu)給出一個(gè)重要數(shù)據(jù)結(jié)構(gòu)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,比如引入地址表等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; <o:p></o:p></SPAN></P>- W7 w8 l' w; c" I
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">typedef struct _IMAGE_DATA_DIRECTORY { <BR>DWORD VirtualAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">表的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Size; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">大小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; <o:p></o:p></SPAN></P>
          
) d- V; {4 g+ y<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭后是節(jié)表,在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下如下定義</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>typedef struct _IMAGE_SECTION_HEADER { <BR>BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表名稱</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>union { <BR>DWORD PhysicalAddress; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD VirtualSize; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">真實(shí)長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} Misc; <BR>DWORD VirtualAddress; //RVA <BR>DWORD SizeOfRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">物理長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRawData; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)基于文件的偏移量</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD PointerToLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號(hào)表的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfRelocations; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重定位項(xiàng)數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>WORD NumberOfLinenumbers; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">行號(hào)表的數(shù)目</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>DWORD Characteristics; //</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)屬性</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; <o:p></o:p></SPAN></P>
          
& i  N, Q& q( D. B; v: i<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上結(jié)構(gòu)就是在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">winnt.h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中關(guān)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的定義,如何我們用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">C/C++</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來進(jìn)行</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件操作,就要用到上面的所有結(jié)構(gòu),它詳細(xì)的描述了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的結(jié)構(gòu)。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>' O% D+ A" q- W
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">、修改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">可執(zhí)行文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">現(xiàn)在讓我們把一段代碼寫入任何一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的可執(zhí)行文件,代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>-- test.asm -- <BR>.386p <BR>.model flat, stdcall <BR>option casemap:none <o:p></o:p></SPAN></P>2 v$ |- b" p, k" k! _* a* m* ~
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">include \masm32\include\windows.inc <BR>include \masm32\include\user32.inc <BR>includelib \masm32\lib\user32.lib <o:p></o:p></SPAN></P>; c6 \# r5 Q6 K: M
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.code <o:p></o:p></SPAN></P>
          
. v1 P( Q+ t- s( J! P<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">start: <BR>INVOKE MessageBoxA,0,0,0,MB_ICONINFORMATION or MB_OK <BR>ret <BR>end start <o:p></o:p></SPAN></P>/ D+ B9 m9 d  R6 v
          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以上代碼只顯示一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">框,編譯后得到二進(jìn)制代碼如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>8 V. _( b1 p$ A7 Q6 I3 {
          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">好,現(xiàn)在讓我們看看該把這些代碼寫到那?,F(xiàn)在用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Tdump.exe</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式得可執(zhí)行文件信息,可以發(fā)現(xiàn)如下描述:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>Object table: <BR># Name VirtSize RVA PhysSize Phys off Flags <BR>-- -------- -------- -------- -------- -------- -------- <BR>01 .text 0000CCC0 00001000 0000CE00 00000600 60000020 [CER] <BR>02 .data 00004628 0000E000 00002C00 0000D400 C0000040 [IRW] <BR>03 .rsrc 000003C8 00013000 00000400 00010000 40000040 [IR] <o:p></o:p></SPAN></P>( K& M, t" O. W0 N+ k
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Key to section flags: <BR>C - contains code <BR>E - executable <BR>I - contains initialized data <BR>R - readable <BR>W - writeable <o:p></o:p></SPAN></P>4 x! j+ Y" |2 k( j* F" {2 z
          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">上面描述此文件中存在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)段及每個(gè)段得信息,實(shí)際上我們的代碼可以寫入任何一個(gè)段,這里我選擇“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
          
# W. t4 j6 s: R% h% T<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用如下代碼得到一個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式可執(zhí)行文件的頭信息:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>, {" n0 p$ H9 g5 e- q, U
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//writePE.cpp <o:p></o:p></SPAN></P>5 u& E. @+ C0 F; J1 W$ }
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">#include &lt;windows.h&gt; <BR>#include &lt;stdio.h&gt; <BR>#include &lt;io.h&gt; <BR>#include &lt;fcntl.h&gt; <BR>#include &lt;time.h&gt; <BR>#include &lt;SYS\STAT.H&gt; <o:p></o:p></SPAN></P>
          
' ~$ @$ g' B* D, S( ?' q/ J<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">unsigned char writeline[18]={ <BR>0x6a,0x40,0x6a,0x0,0x6a,0x0,0x6a,0x0,0xe8,0x01,0x0,0x0,0x0,0xe9,0x0,0x0,0x0,0x0 <BR>}; <o:p></o:p></SPAN></P>
          
0 V: {( g' K( w3 N' a) `<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD space; <BR>DWORD entryaddress; <BR>DWORD entrywrite; <BR>DWORD progRAV; <BR>DWORD oldentryaddress; <BR>DWORD newentryaddress; <BR>DWORD codeoffset; <BR>DWORD peaddress; <BR>DWORD flagaddress; <BR>DWORD flags; <o:p></o:p></SPAN></P>
          
/ ~3 s: G. x( H+ A8 C<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD virtsize; <BR>DWORD physaddress; <BR>DWORD physsize; <BR>DWORD MessageBoxAadaddress; <o:p></o:p></SPAN></P>9 F- ]7 b0 z' W/ v# x& N. u! V# r
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">int main(int argc,char * * argv) <BR>{ <BR>HANDLE hFile, hMapping; <BR>void *basepointer; <BR>FILETIME * Createtime; <BR>FILETIME * Accesstime; <BR>FILETIME * Writetime; <BR>Createtime = new FILETIME; <BR>Accesstime = new FILETIME; <BR>Writetime = new FILETIME; <o:p></o:p></SPAN></P>7 n$ `* x" Q0 k" R* K0 o
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE)//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">打開要修改的文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <BR>if(!GetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("\nerror getfiletime: %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到要修改文件的創(chuàng)建、修改等時(shí)間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (!(hMapping = CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0))) <BR>{ <BR>puts("(mapping failed)"); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>if (!(basepointer = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0))) <BR>{ <BR>puts("(view failed)"); <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>return EXIT_FAILURE; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把文件頭映象存入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">baseointer <BR>CloseHandle(hMapping); <BR>CloseHandle(hFile); <BR>map_exe(basepointer);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到相關(guān)地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>UnmapViewOfFile(basepointer); <BR>printaddress(); <BR>printf("\n\n"); <BR>if(space&lt;50) <BR>{ <BR>printf("\n</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">空隙太小</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">,</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)不能寫入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.\n"); <BR>} <BR>else <BR>{ <BR>writefile();//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>
          
, y! g! h" q; G- X& {<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if ((hFile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, 0)) == INVALID_HANDLE_VALUE) <BR>{ <BR>puts("(could not open)"); <BR>return EXIT_FAILURE; <BR>} <o:p></o:p></SPAN></P>
          
. `  s: D9 C0 e6 u& }  ~( o$ J<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(!SetFileTime(hFile,Createtime,Accesstime,Writetime)) <BR>{ <BR>printf("error settime : %d\n",GetLastError()); <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">恢復(fù)修改后文件的建立時(shí)間等</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>delete Createtime; <BR>delete Accesstime; <BR>delete Writetime; <BR>CloseHandle(hFile); <BR>return 0; <BR>} <o:p></o:p></SPAN></P>- a6 r1 [$ P6 `5 n; q) N4 f
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void map_exe(const void *base) <BR>{ <BR>IMAGE_DOS_HEADER * dos_head; <BR>dos_head =(IMAGE_DOS_HEADER *)base; <BR>#include &lt;pshpack1.h&gt; <BR>typedef struct PE_HEADER_MAP <BR>{ <BR>DWORD signature; <BR>IMAGE_FILE_HEADER _head; <BR>IMAGE_OPTIONAL_HEADER opt_head; <BR>IMAGE_SECTION_HEADER section_header[]; <BR>} peHeader; <BR>#include &lt;poppack.h&gt; <o:p></o:p></SPAN></P>
          
0 e  h8 |, B; o1 z6 t4 b+ a$ h) S3 v<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if (dos_head-&gt;e_magic != IMAGE_DOS_SIGNATURE) <BR>{ <BR>puts("unknown type of file"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
. h4 P4 b6 A1 A! F" a<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader * header; <BR>header = (peHeader *)((char *)dos_head + dos_head-&gt;e_lfanew);//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if (IsBadReadPtr(header, sizeof(*header)) <BR>{ <BR>puts("(no PE header, probably DOS executable)"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
+ D' m/ ^; ]9 G# |5 O% L3 n) V<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">DWORD mods; <BR>char tmpstr[4]={0}; <BR>DWORD tmpaddress; <BR>DWORD tmpaddress1; <o:p></o:p></SPAN></P>/ [) `- g# {8 w( v& T0 E
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">if(strstr((const char *)header-&gt;section_header[0].Name,".text")!=NULL) <BR>{ <BR>virtsize=header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的真實(shí)長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physaddress=header-&gt;section_header[0].PointerToRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>physsize=header-&gt;section_header[0].SizeOfRawData; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">此段的物理長(zhǎng)度</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>peaddress=dos_head-&gt;e_lfanew; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭的開始偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
          
* `# J! K- t( t' U$ c) ~( C, F" h; F" l$ A<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">peHeader peH; <BR>tmpaddress=(unsigned long )&amp;peH; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到結(jié)構(gòu)的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmpaddress1=(unsigned long )&amp;(peH.section_header[0].Characteristics); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到變量的偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flagaddress=tmpaddress1-tmpaddress+2; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到屬性的相對(duì)偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>flags=0x8000; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一般情況下,“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段是不可讀寫的,如果我們要把數(shù)據(jù)寫入這個(gè)段需要改變其屬性,實(shí)際上這個(gè)程序并沒有把數(shù)據(jù)寫入“</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">.text</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">”段,所以并不需要更改,但如果你實(shí)現(xiàn)復(fù)雜的功能,肯定需要數(shù)據(jù),肯定需要更改這個(gè)值,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>$ e9 d# n# G: m9 k
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">space=physsize-virtsize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼段的可用空間,用以判斷可不可以寫入我們的代碼</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用此段的物理長(zhǎng)度減去此段的真實(shí)長(zhǎng)度就可以得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>progRAV=header-&gt;opt_head.ImageBase; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到程序的裝載地址,一般為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">400000 <BR>codeoffset=header-&gt;opt_head.BaseOfCode-physaddress; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到代碼偏移,用代碼段起始</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">減去此段的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">應(yīng)為程序的入口計(jì)算公式是一個(gè)相對(duì)的偏移地址,計(jì)算公式為:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼的寫入地址+</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">codeoffset <o:p></o:p></SPAN></P>
          
& \) V) S1 u# Z$ M% g4 f<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">entrywrite=header-&gt;section_header[0].PointerToRawData+header-&gt;section_header[0].Misc.VirtualSize; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼寫入的物理偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>mods=entrywrite%16; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)齊邊界</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(mods!=0) <BR>{ <BR>entrywrite+=(16-mods); <BR>} <BR>oldentryaddress=header-&gt;opt_head.AddressOfEntryPoint; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保存舊的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>newentryaddress=entrywrite+codeoffset; <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">計(jì)算新的程序入口地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
- ?7 X# P0 v5 ]# K8 W% d6 l) T<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void printaddress() <BR>{ <BR>HINSTANCE gLibMsg=NULL; <BR>DWORD funaddress; <BR>gLibMsg=LoadLibrary("user32.dll"); <BR>funaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA"); <BR>MessageBoxAadaddress=funaddress; <BR>gLibAMsg=LoadLibrary("kernel32.dll"); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">得到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在內(nèi)存中的地址,以便我們使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>} <o:p></o:p></SPAN></P>/ F+ N+ {5 g/ i& C
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">void writefile() <BR>{ <BR>int ret; <BR>long retf; <BR>DWORD address; <BR>int tmp; <BR>unsigned char waddress[4]={0}; <o:p></o:p></SPAN></P>
          
. V, K8 V/ @! y/ W% N! Q  E<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">ret=_open(filename,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE); <BR>if(!ret) <BR>{ <BR>printf("error open\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>6 H. b" h/ I7 U5 R) D
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)peaddress+40,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">程序的入口地址在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件頭開始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">40</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>address=newentryaddress; <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把新的入口地址寫入文件</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>+ X) @) s. p) P, g& i6 z" x
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite,SEEK_SET); <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <BR>retf=_write(ret,writeline,18); <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入我們計(jì)算出的空間</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>" q1 s$ J7 W8 G
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+9,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)地址,它的二進(jìn)制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[10]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
/ P+ ]2 V( \+ x4 D6 \<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=MessageBoxAadaddress-(progRAV+newentryaddress+9+4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">重新計(jì)算</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的地址,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)的原地址減去程序的裝載地址加上新的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">9</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(它的二進(jìn)制代碼相對(duì)偏移)加上</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長(zhǎng)度)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入重新計(jì)算的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">MessageBox</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P># N# g9 v2 }" r% j. e) g6 j: V
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">retf=_lseek(ret,(long)entrywrite+14,SEEK_SET); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">更改返回地址,用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">jpm</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回原程序入口地址,其它的二進(jìn)制代碼在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">writeline[15]</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error seek\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
+ V/ [6 n2 G1 `, |+ R( h<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">address=0-(newentryaddress-oldentryaddress+4+15); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">返回地址計(jì)算的方法是新的入口地址減去老的入口地址加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(地址長(zhǎng)度)加</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">15</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">(二進(jìn)制代碼相對(duì)偏移)后取反</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>tmp=address&gt;&gt;24; <BR>waddress[3]=tmp; <BR>tmp=address&lt;&lt;8; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[2]=tmp; <BR>tmp=address&lt;&lt;16; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[1]=tmp; <BR>tmp=address&lt;&lt;24; <BR>tmp=tmp&gt;&gt;24; <BR>waddress[0]=tmp; <BR>retf=_write(ret,waddress,4); <BR>//</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">寫入返回地址</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>if(retf==-1) <BR>{ <BR>printf("error write: %d\n",GetLastError()); <BR>return; <BR>} <o:p></o:p></SPAN></P>
          
9 U: o8 s% `7 I8 x, N5 W# ^<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">_close(ret); <BR>printf("\nall done...\n"); <BR>return; <BR>} <o:p></o:p></SPAN></P>& L- F( m- V1 Y, H) H
          
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">//end <o:p></o:p></SPAN></P>! R6 }0 H3 E6 p" y; r- g
          
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">由于在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">PE</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的文件中,所有的地址都使用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">RVA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">地址,所以一些函數(shù)調(diào)用和返回地址都要經(jīng)過計(jì)算才可以得到,以上是我在實(shí)踐中的心得,如果你有更好的辦法,真心的希望你能告訴我。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
          


          

          

          


          

          

          


          

          



          

          

          




          

          



          

          

          

          



          






          






          



          

          

          

          








          

          

          


          

          
您需要登錄后才可以回帖 登錄 | 注冊(cè)





          

          

          

          

          

          

          






          
本版積分規(guī)則





          
          		

          

          

          

          




          


          

          

          

	
          

          

          

          
QQ|本地廣告聯(lián)系: QQ:905790666 TEL:13176190456|Archiver|手機(jī)版|小黑屋|汶上信息港
( 魯ICP備19052200號(hào)-1 )

          

          
GMT+8, 2025-4-16 02:14


          

          

          

          Powered by Discuz! X3.5
          

          © 2001-2025 Discuz! Team.
          

          



          
快速回復(fù)
返回頂部

返回列表