-
21-09-2019 - |
题
什么是PE文件(PE / COFF)的要求?哪些字段应该设置为使得它能够“运行”在Windows(即执行“RET”指令,然后关闭,没有错误),该值,在最低限度。
我建立第一库是接头:现在,我有问题是PE文件(PE / COFF)。 我不知道之前它实际上我的平台上执行什么是“必需”的PE文件。我的测试平台是Vista系统。我得到一个错误信息,称“这是不是有效的Win32可执行程序。”当我通过双击执行它,我得到一个“访问被拒绝”。与CLI执行时,它 CMD 。我有两个部分,和的.text。数据。
我已经实现了PE头如由几个在线文档,即MSDN和一些其他第三方提供的文件。如果我使用一个十六进制编辑器,它看起来几乎像一个普通的PE文件。我不使用任何进口,也不IAT,也没有任何目录中PE头部。
编辑:我添加了一个导入表后,仍然没有一个有效的.exe文件我的Windows说。我试图使用的也是在最小的PE文件指南中提到的值。没运气。真的,我似乎无法找出的唯一的事情是什么是需要的,哪些不是。一些导游告诉我需要的一切,而别人说deprications:它可以是零
。我希望这是足够的信息。 谢谢提前。的
当前PE头的原始数据(如请求):
4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 02 00 C8 7A 55 4B 00 00 00 00 00 00 00 00 E0 00 82 01 0B 01 0D 25 00 10 00 00 00 10 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00 03 00 0A 00 00 00 00 00 00 22 00 00 38 01 00 00 00 00 00 00 03 00 00 00 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 69 64 61 74 61 00 00 00 00 00 00 00 20 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 20 00 00 00 00 00 00 00 00 00 00 24 20 00 00 34 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 01 00 00 80 00 00 00 00 01 00 00 80 00 00 00 00
解决方案
您可以尝试一本书像.NET 2.0 IL汇编。这本书有专门介绍一下一个PE格式的可执行看起来像一整章(那叫一个净PE的样子)。
您也可以尝试用PE文件阅读器加载你的PE文件,并检查结果。 如果PE读者您的PE斗争,那么你有一个指针什么是失败的。
下面是一个 PE文件读出DLL 我写(带有源) 。还存在使用它的GUI(与源)。
在源是完全开源的(不是由GPL担保),这样你可以做你想做的与它(除处以GPL,这将防止它被完全打开),包括把你的版本关闭。
其他提示
这是一个完整的疼痛复制粘贴到一个十六进制编辑器,所以很遗憾,我不能说什么太聪明了蝙蝠的权利。
观光PE文件通知: 确保您的DOS头是有效的。 确保IMAGE_OPTIONAL_HEADER格式正确,因为尽管它的名字,Windows并不真正喜欢它无法正确完成。
有关的进一步信息,超出该MS的格式,查找 pe.txt 一>,最好自制导板与PE格式我知道之一。
如果你可以发布只是个字节,我可以尝试把它在我自己的PE解析器,看看我是否能帮助更多。
你所试图做的是依赖于Windows版本所使用。例如,方式PE文件中读取在Windows 2000上是不一样的方式,Windows 7的读取它们。我是OSX用户,但在Windows 7中有我,我无法操纵,将在Windows 2000和更早的工作方式PE文件。我没有测试XP或Vista(或2000和Win7之间等)的时候看到的Windows开始阅读PE不同。在Windows 7,在MS-DOS头存储器和存根每单位被忽略。唯一的2个说事是“幻数”(字等于“MZ”)和偏移量的PE,这是定义在存储器中的地方PE头部开始一个DWORD。我不知道Windows是否真正忽略了MS-DOS头所有其他值和存根的100%的时间,但不包括我刚才提到的两个,如果所有其他值都设置为0,一个有效的可执行程序将正常运行
在Windows 2000和更早的版本,我不知道如果我上面提到的是真实的,但你在允许修改MS-DOS存根的长度时间(或者删除),前提是PE偏移值仍指向正确的位置在内存中找到的PE头。在Windows 7中,如果修改了MS-DOS存根的长度可言,即使PE偏移指向正确的,修改过的位置,Windows将无法运行exe文件,并声称它是不是有效的Win32应用程序。
<强> 4D 5A 强> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00的 80 强> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
这是至少一个PE文件的MS-DOS部分可具有在Windows 7上,同时仍具有有效,功能的可执行文件。该位不能被缩短。
希望这会清除一些东西。
在微软PE / COFF规范是我知道的唯一的规范。