PE header requirements

What are the requirements for a PE file (PE/COFF)? Which fields have to be set, and to what minimum values, for it to "run" on Windows (i.e. execute a `ret` instruction and then exit, without errors)?

The first library I am building is a linker; the problem now is the PE file (PE/COFF). I don't know what a PE file needs before it will actually execute on my platform. My test platform is Vista. I get an error message saying "This is not a valid Win32 executable." when I run it by double-clicking, and an "Access denied" when I run it from the cmd CLI. I have two sections, .text and .data.

I have implemented the PE headers as described by several online documents, namely MSDN and a couple of third-party documents. If I look at it in a hex editor, it looks almost like a normal PE file. I don't use any imports, no IAT, and none of the directories in the PE header.

Edit: I added an import table; still not a valid .exe file, my Windows says. I tried using the values mentioned in the Tiny PE guide. No luck. The only thing I really can't figure out is what is required and what isn't. Some guides tell me everything is required, while others say things like: it can be zero.

I hope this is enough information. Thanks in advance.


Raw dump of the current PE header (as requested):

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 02 00 C8 7A 55 4B 00 00 00 00 00 00 00 00 E0 00 82 01 0B 01 0D 25 00 10 00 00 00 10 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00 03 00 0A 00 00 00 00 00 00 22 00 00 38 01 00 00 00 00 00 00 03 00 00 00 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 69 64 61 74 61 00 00 00 00 00 00 00 20 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 20 00 00 00 00 00 00 00 00 00 00 24 20 00 00 34 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 01 00 00 80 00 00 00 00 01 00 00 80 00 00 00 00 

You could try a book like .NET 2.0 IL Assembler. That book has a whole chapter devoted to what a PE-format executable looks like (and what a .NET PE looks like).

You could also try loading the PE file with a PE file reader and examining the result. If the PE reader struggles with your PE, you have a pointer to the failure.

Here is a PE file reading DLL I wrote (with source). There is also a GUI that uses it (with source).

The source is fully open (not encumbered by the GPL), so you can do with it whatever you want (except put the GPL on it, which would stop it from being fully open), including closing your version.

Copy-pasting into a hex editor is a real pain, so unfortunately I can't say anything too clever.

Things to watch for in a PE file: make sure the DOS header is valid. Make sure the IMAGE_OPTIONAL_HEADER is properly formed, because despite its name, Windows doesn't like it when it isn't done correctly.

For more information above and beyond the MS format, look at pe.txt, one of the best home-made guides to the PE format that I know of.

If you just post the bytes, I can try putting it through my own PE parser and see if I can be of more help.

This article on creating tiny PE executables may be interesting: in particular, it mentions that the Win2k loader needs an import of KERNEL32.DLL, so that may be worth investigating.

What you are trying to do depends on the Windows version you are using. For example, Windows 2000 reads PE files differently from the way Windows 7 reads them. I am an OS X user, but on the Windows 7 machine I own, I cannot manipulate PE files in the ways that work on Windows 2000 and earlier. I haven't tested XP or Vista (or the other versions between 2000 and Win7) to see when Windows started reading PEs differently. On Windows 7, every bit of memory in the MS-DOS header and stub is ignored. The only two parts that matter are the "magic number" (a WORD equal to "MZ") and the PE Offset, a DWORD that defines the memory location of the PE header. I'm not sure whether Windows truly ignores all the other values in the MS-DOS header and stub 100% of the time, but excluding the two I just mentioned, a valid executable will run normally if all the other values are set to 0.

On Windows 2000 and earlier I don't know whether the above holds, but back then modifying the length of the MS-DOS stub (or perhaps removing it) was allowed, provided the PE Offset value still pointed to the correct location in memory to find the PE header. On Windows 7, if you modify the length of the MS-DOS stub at all, even if the PE Offset points to the correct modified location, Windows will not run the exe and claims it isn't a valid Win32 application.

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00今日00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00今日00 00 00 00 00 00 00 00 00今日00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This is the least the MS-DOS portion of a PE file can have on Windows 7 while still being a valid, properly running executable. It cannot be shortened any further.

Hope this clears some things up.
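A structural checker for the DOS header, COFF header, PE32 optional header and section table, as an added example that is not code from the question or from any of the answers (it stands in for the "run it through a PE reader" advice above and for the MZ / PE Offset point made by this answer). The field offsets and the "must" rules it encodes (e_lfanew at 0x3C, the PE signature, SizeOfHeaders a multiple of FileAlignment, SizeOfImage a multiple of SectionAlignment and covering the last section, the entry point inside an executable section) come from the PE/COFF specification; the loader on a given Windows version may be stricter or more lenient than these checks. build_minimal_pe32 is constructed sample input, a one-section x86 image whose .text holds a single ret, and the function and message names are my own assumptions.

```python
"""Structural sanity checks for a PE32 image (added example, not code from the thread)."""
import struct

# Constants from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

COFF_FMT = "<HHIIIHH"                                              # 20-byte IMAGE_FILE_HEADER
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96 bytes, up to NumberOfRvaAndSizes
SECTION_FMT = "<8sIIIIIIHHI"                                       # 40-byte IMAGE_SECTION_HEADER


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def check_pe32(data):
    """Return a list of problems found in a PE32 image; an empty list means every check passed."""
    problems = []
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return ["missing DOS header or 'MZ' magic at offset 0"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # the "PE Offset": DOS header field at 0x3C
    if e_lfanew + 24 > len(data):
        return ["e_lfanew (offset 0x3C) points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return ["no 'PE\\0\\0' signature at e_lfanew"]
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff)
    if machine != IMAGE_FILE_MACHINE_I386:
        problems.append("Machine is not IMAGE_FILE_MACHINE_I386 (only PE32/x86 is handled here)")
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE not set in Characteristics")
    if nsections == 0:
        problems.append("NumberOfSections is 0")
    opt = coff + 20
    if opt + struct.calcsize(OPT32_FMT) > len(data):
        problems.append("optional header runs past end of file")
        return problems
    f = struct.unpack_from(OPT32_FMT, data, opt)
    if f[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        problems.append("optional header Magic is not 0x10B (PE32)")
        return problems
    entry, sect_align, file_align = f[6], f[10], f[11]
    size_image, size_headers, subsystem = f[19], f[20], f[22]
    if file_align == 0 or file_align & (file_align - 1) or sect_align < file_align:
        problems.append("FileAlignment must be a power of two and <= SectionAlignment")
    elif size_headers % file_align:
        problems.append("SizeOfHeaders is not a multiple of FileAlignment")
    if sect_align == 0 or size_image % sect_align:
        problems.append("SizeOfImage is not a multiple of SectionAlignment")
    if subsystem == 0:
        problems.append("Subsystem is IMAGE_SUBSYSTEM_UNKNOWN (0)")
    entry_in_code = False
    last_end = 0
    for i in range(nsections):                  # section table follows the optional header
        off = opt + opt_size + i * 40
        if off + 40 > len(data):
            problems.append("section table runs past end of file")
            break
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, scn = struct.unpack_from(SECTION_FMT, data, off)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        span = max(vsize, raw_size)             # the loader maps at least the raw bytes
        if raw_ptr + raw_size > len(data):
            problems.append("section %s raw data runs past end of file" % sname)
        if sect_align:
            last_end = max(last_end, align_up(va + span, sect_align))
        if scn & IMAGE_SCN_MEM_EXECUTE and va <= entry < va + span:
            entry_in_code = True
    if not entry_in_code:
        problems.append("AddressOfEntryPoint 0x%x is not inside an executable section" % entry)
    if size_image < last_end:
        problems.append("SizeOfImage 0x%x is smaller than the end of the last section 0x%x" % (size_image, last_end))
    return problems


def build_minimal_pe32(size_of_image=0x2000):
    """Constructed sample input: one-section x86 image whose .text holds a single ret (0xC3).

    size_of_image=0x2000 is right for this layout (header page plus one 0x1000-aligned section);
    pass a wrong value to see the checker flag it.
    """
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = struct.pack(OPT32_FMT,
                      IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0, 0,
                      0x200, 0, 0,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0,           # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,     # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,            # OS, image and subsystem major/minor versions
                      0, size_of_image, 0x200, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      IMAGE_SUBSYSTEM_WINDOWS_CUI, 0,      # Subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
                      0, 16)                       # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                        # 16 empty data directories -> 224-byte optional header
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = dos + PE_SIGNATURE + coff + opt + text
    headers += b"\0" * (0x200 - len(headers))      # pad headers up to FileAlignment
    body = b"\xC3" + b"\0" * 0x1FF                 # ret, then padding to SizeOfRawData
    return headers + body


if __name__ == "__main__":
    for label, image in (("well-formed", build_minimal_pe32()),
                         ("SizeOfImage too small", build_minimal_pe32(size_of_image=0x1200))):
        print(label, "->", check_pe32(image) or "OK")
```

To run it over a dump like the one posted in the question, pass bytes.fromhex(...) of the hex text to check_pe32; each message names the header field it found wrong, which is the "pointer to the failure" the PE-reader answer above is after.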

The Microsoft PE/COFF specification is the only specification I know of.
