[1] DOS Header
- IMAGE_DOS_HEADER 구조체
IMAGE_DOS_HADER 구조체는 "WinNT.h" 헤더 파일에 정의되어 있고 64비트로 구성되어 있다.
typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
{
WORD e_magic; // Magic number
WORD e_cblp; // Byte on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Checksum
WORD e_ip; // Initital IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;출처 : https://777bareman777.github.io/2019/09/17/UnderstandPE/
* IMAGE_DOS_HEADER의 중요 멤버
- WORLD e_magic : DOS signature (4D5A=> "MZ")
-> D0 CF 11 E0(OLE), 50 4B(ZIP), 25 50 44 46(PDF), 89 50 4E 47(PNG)
- WORLD e_lfanew : NT header의 offset (000000E0=> IMAGE_NT_HEADER 시작주소)
[2] DOS Stub
- DOS Stub은 IMAGE_DOS_HEADER 다음부터 NT Header 구조체 전까지이다.
[3] NT Header
- signature : 4byte공간 PE구조 파일 명시 (50450000=>"PE")
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;출처 : https://furysecurity.tistory.com/32?category=712491
구조체는 3개의 멤버로 이루어져 있다.
그 중 IMAGE_FILE_HEADER 와 Optional_Header 를 살펴보자.
① NT_Header - File Header
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_NT_HEADER, *PIMAGE_NT_HEADER;* IMAGE_FILE_HEADER의 중요 멤버
- WORLD Machine : CPU별로 고유한 값이다.
- WORLD NumberOfSections : 섹션의 개수를 나타내는 멤버이다. 정의된 섹션 개수와 실제 섹션이 다르면 실행 에러가 발생한다.
- WORLD SizeOfOptionalHeader : IMAGE_OPTIONAL_HEADER32 구조체의 크기를 나타낸다.
- WORLD Characteristics : 파일의 속성 값을 나타내는 값으로 bit OR 형식으로 조합하여 나타낸다.
② Optinonal_Header
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;출처 : https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32
[4] SECTION Header
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
'Security study > Reversing' 카테고리의 다른 글
| 32bit IAT, EAT 로딩 과정 및 개념 (0) | 2021.09.27 |
|---|---|
| notepad.exe 패킹 언패킹(tool없이 패킹 풀기 & PEID 결과 비교) (0) | 2021.09.13 |
| 어셈블리 명령어 정리 (0) | 2021.09.13 |
| 32bit / 64bit 함수 호출 규약 (0) | 2021.09.11 |
| 64bit 레지스터 개념 정리 (0) | 2021.09.11 |
