Why is my PE file invalid?

Time: 2010-03-20 14:08:05

Tags: winapi linker portable-executable coff

I already asked a similar question, "PE Header requirements", but I was not satisfied with the answers to it.

I am building an assembler/linker in Java SE 1.6. I have read 5 different documents/specifications on the PE/COFF headers and file format, but I have run into a problem:

The file I generate is invalid; Windows says: "X is not a valid Win32 application." I have no idea what could be wrong; I double-checked every entry in the PE header and the PE optional header, and everything seems to be correct. I have three sections:

  • code (RVA 0x1000, file 0x400)
  • data (RVA 0x2000, file 0x600)
  • import (RVA 0x3000, file 0x800)

My entry point value is 0x1000 (the start of code), and my image base is 0x400000. Section alignment is 0x1000, file alignment is 0x200.

See the revision of this question to view the whole file.

So: I grabbed a valid PE file (a simple "Hello World" message box application) and started modifying it with a hex editor (HxD). I got a lot of different error messages, but not "X is not a valid Win32 application.":

I know the content of my code section is not "valid" code, but I have tested that: invalid code produces an application crash error.

If the content of the import section in the "Hello World" PE file is invalid, I get the error "The procedure entry point could not be located in [...]" or "The application failed to start because [...] dll could not be found." or the application crashes. These errors are all very useful; each of them gave me some clue about the error.

But my PE file, with the error "X is not a valid Win32 application.", is driving me crazy: what is wrong with my PE file?

Dumpbin output:

E:\Documenten\CP Language\compiler\Win32Builder>dumpbin /ALL test.exe
Microsoft (R) COFF/PE Dumper Version 10.00.21003.01
Copyright (C) Microsoft Corporation.  All rights reserved.
Dump of file test.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
         14C machine (x86)
           3 number of sections
    32EB4BF5 time date stamp Sun Jan 26 13:20:05 1997
           0 file pointer to symbol table
           0 number of symbols
          E0 size of optional header
         703 characteristics
               Relocations stripped
               Executable
               32 bit word machine
               Debug information stripped
               CD - run from swapfile

OPTIONAL HEADER VALUES
         10B magic # (PE32)
        8.00 linker version
        1000 size of code
        1000 size of initialized data
           0 size of uninitialized data
        1000 entry point (00401000)
        1000 base of code
        2000 base of data
      400000 image base (00400000 to 0040088F)
        1000 section alignment
         200 file alignment
        4.00 operating system version
       13.37 image version
        4.00 subsystem version
           0 Win32 version
         890 size of image
         400 size of headers
           0 checksum
           2 subsystem (Windows GUI)
           0 DLL characteristics
       40000 size of stack reserve
       11000 size of stack commit
      100000 size of heap reserve
        1000 size of heap commit
           0 loader flags
          10 number of directories
           0 [       0] RVA [size] of Export Directory
        3000 [    1000] RVA [size] of Import Directory
           0 [       0] RVA [size] of Resource Directory
           0 [       0] RVA [size] of Exception Directory
           0 [       0] RVA [size] of Certificates Directory
           0 [       0] RVA [size] of Base Relocation Directory
           0 [       0] RVA [size] of Debug Directory
           0 [       0] RVA [size] of Architecture Directory
           0 [       0] RVA [size] of Global Pointer Directory
           0 [       0] RVA [size] of Thread Storage Directory
           0 [       0] RVA [size] of Load Configuration Directory
           0 [       0] RVA [size] of Bound Import Directory
           0 [       0] RVA [size] of Import Address Table Directory
           0 [       0] RVA [size] of Delay Import Directory
           0 [       0] RVA [size] of COM Descriptor Directory
           0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .code name
    1000 virtual size
    1000 virtual address (00401000 to 00401FFF)
      23 size of raw data
     400 file pointer to raw data (00000400 to 00000422)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read    
RAW DATA #1
  00401000: 68 00 00 00 00 68 0D 20 40 00 68 00 20 40 00 68  h....h. @.h. @.h
  00401010: 00 00 00 00 E8 64 30 40 00 68 00 00 00 00 E8 6C  ....èd0@.h....èl
  00401020: 30 40 00                                         0@.

SECTION HEADER #2
   .data name
    1000 virtual size
    2000 virtual address (00402000 to 00402FFF)
      23 size of raw data
     600 file pointer to raw data (00000600 to 00000622)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write
RAW DATA #2
  00402000: 48 65 6C 6C 6F 20 57 6F 72 6C 64 21 00 48 65 6C  Hello World!.Hel
  00402010: 6C 6F 20 53 74 61 63 6B 20 4F 76 65 72 66 6C 6F  lo Stack Overflo
  00402020: 77 21 00                                         w!.

SECTION HEADER #3
 .import name
    1000 virtual size
    3000 virtual address (00403000 to 00403FFF)
      90 size of raw data
     800 file pointer to raw data (00000800 to 0000088F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
50000040 flags
         Initialized Data
         Shared
         Read Only
RAW DATA #3
  00403000: 54 30 00 00 00 00 00 00 00 00 00 00 3C 30 00 00  T0..........<0..
  00403010: 64 30 00 00 5C 30 00 00 00 00 00 00 00 00 00 00  d0..\0..........
  00403020: 47 30 00 00 6C 30 00 00 00 00 00 00 00 00 00 00  G0..l0..........
  00403030: 00 00 00 00 00 00 00 00 00 00 00 00 75 73 65 72  ............user
  00403040: 33 32 2E 64 6C 6C 00 6B 65 72 6E 65 6C 33 32 2E  32.dll.kernel32.
  00403050: 64 6C 6C 00 74 30 00 00 00 00 00 00 82 30 00 00  dll.t0.......0..
  00403060: 00 00 00 00 74 30 00 00 00 00 00 00 82 30 00 00  ....t0.......0..
  00403070: 00 00 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78  ......MessageBox
  00403080: 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00  A...ExitProcess.

  Section contains the following imports:

user32.dll
            403064 Import Address Table
            403054 Import Name Table
                 0 time date stamp
                 0 Index of first forwarder reference

                0 MessageBoxA

kernel32.dll
            40306C Import Address Table
            40305C Import Name Table
                 0 time date stamp
                 0 Index of first forwarder reference

                0 ExitProcess

Summary
    1000 .code
    1000 .data
    1000 .import

3 answers:

Answer 0: (score: 0)

You are definitely attacking this from the wrong end. Hacking hex is not going to get you what you want; the PE file structure is too complex for that. You need two things.

  • Matt Pietrek's seminal article is essential reading for understanding the structure. Don't start writing code until you understand at least 75% of it.
  • You need the Windows SDK. The include/winnt.h file contains the declarations of the structures used in the PE format. It starts with _IMAGE_DOS_HEADER, the first block in the file.

Write code that creates the structures from their declarations; that is the only way to get a valid executable.

PS: Your hex dump hangs the browser of anyone trying to look at your question.

Answer 1: (score: 0)

A quick Google reveals:

http://rcecafe.net/?p=26. Nobody here is going to dig through your bytes for you; the best you can expect is pointers to tools.

Answer 2: (score: 0)

According to dumpbin, 890 is the size of image; it should be the size of the image in memory, i.e. the RVA of the last section + the rounded size of that section (e.g. 0x5000 in this case).

It works. Thanks for the answers, especially the hint about dumpbin!
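The two usable pieces of advice on this page are answer 0's "build the structures from the winnt.h declarations" and answer 2's observation that SizeOfImage (0x890 in the dump) must cover the whole image as mapped in memory. The script below is an added example written for this page; it is not the asker's Java linker and not code from any answerer. It serializes the DOS header, PE signature, COFF file header, PE32 optional header and section table with the field layouts of IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER from winnt.h, using the section RVAs, file offsets, sizes and alignments exactly as dumpbin printed them above, then reads the headers back and checks the size and alignment rules the PE format specification states (SizeOfImage a SectionAlignment multiple reaching the end of the last section; SizeOfHeaders and every PointerToRawData and SizeOfRawData FileAlignment multiples; entry point inside a section). Header values the dump does not show (e.g. a linker version of 8.0 and zero timestamps) are assumptions chosen to be self-consistent, and only the headers are built, so the output is a header checker, not a runnable executable.

```python
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
IMAGE_BASE = 0x400000

# Little-endian struct formats in winnt.h field order.
DOS_HDR = '<2s58xI'                     # IMAGE_DOS_HEADER: e_magic ... e_lfanew (64 bytes)
FILE_HDR = '<HHIIIHH'                   # IMAGE_FILE_HEADER (20 bytes)
OPT_HDR = '<HBB9I6H4I2H6I' + '2I' * 16  # IMAGE_OPTIONAL_HEADER32 incl. 16 data directories (224 bytes)
SEC_HDR = '<8sIIIIIIHHI'                # IMAGE_SECTION_HEADER (40 bytes)

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def page_sections():
    """(Name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics) as dumped above."""
    return [
        (b'.code',   0x1000, 0x1000, 0x400, 0x23, 0x60000020),
        (b'.data',   0x2000, 0x1000, 0x600, 0x23, 0xC0000040),
        (b'.import', 0x3000, 0x1000, 0x800, 0x90, 0x50000040),
    ]

def round_raw_sizes(sections, file_align=FILE_ALIGN):
    """Image sections must have SizeOfRawData rounded up to a FileAlignment multiple."""
    return [(n, rva, vs, rp, align_up(rs, file_align), fl) for n, rva, vs, rp, rs, fl in sections]

def expected_size_of_image(sections, section_align=SECTION_ALIGN):
    """SizeOfImage = end of the highest section rounded up to SectionAlignment."""
    return align_up(max(rva + vs for _, rva, vs, _, _, _ in sections), section_align)

def build_headers(sections, size_of_image, entry_point=0x1000, size_of_headers=0x400):
    """Serialize DOS header, PE signature, COFF header, PE32 optional header and section table."""
    dos = struct.pack(DOS_HDR, b'MZ', 0x40)  # e_lfanew: PE signature directly after the DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics=RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE (assumed)
    file_hdr = struct.pack(FILE_HDR, 0x14C, len(sections), 0, 0, 0, struct.calcsize(OPT_HDR), 0x0103)
    dirs = [0, 0] * 16
    dirs[2:4] = [0x3000, 0x1000]  # IMAGE_DIRECTORY_ENTRY_IMPORT, as in the dump above
    opt = struct.pack(
        OPT_HDR, 0x10B, 8, 0,                  # Magic=PE32, linker version 8.0 (assumed)
        0x1000, 0x1000, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        entry_point, 0x1000, 0x2000,           # AddressOfEntryPoint, BaseOfCode, BaseOfData
        IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                      # OS, image and subsystem versions (major, minor)
        0, size_of_image, size_of_headers, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                  # Subsystem=WINDOWS_GUI, DllCharacteristics
        0x40000, 0x11000, 0x100000, 0x1000,    # stack reserve/commit, heap reserve/commit
        0, 16,                                 # LoaderFlags, NumberOfRvaAndSizes
        *dirs)
    secs = b''.join(struct.pack(SEC_HDR, n, vs, rva, rs, rp, 0, 0, 0, 0, fl)
                    for n, rva, vs, rp, rs, fl in sections)
    return (dos + b'PE\0\0' + file_hdr + opt + secs).ljust(size_of_headers, b'\0')

def parse_headers(blob):
    """Read the headers back: (selected optional-header fields, list of section dicts)."""
    magic, e_lfanew = struct.unpack_from(DOS_HDR, blob, 0)
    if magic != b'MZ' or blob[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing MZ or PE signature')
    fh = struct.unpack_from(FILE_HDR, blob, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HDR)
    o = struct.unpack_from(OPT_HDR, blob, opt_off)
    opt = {'AddressOfEntryPoint': o[6], 'SectionAlignment': o[10], 'FileAlignment': o[11],
           'SizeOfImage': o[19], 'SizeOfHeaders': o[20]}
    sec_off = opt_off + fh[5]  # skip SizeOfOptionalHeader bytes
    sections = []
    for i in range(fh[1]):     # NumberOfSections
        s = struct.unpack_from(SEC_HDR, blob, sec_off + i * struct.calcsize(SEC_HDR))
        sections.append({'Name': s[0].rstrip(b'\0').decode(), 'VirtualSize': s[1],
                         'VirtualAddress': s[2], 'SizeOfRawData': s[3], 'PointerToRawData': s[4]})
    opt['SectionTableEnd'] = sec_off + fh[1] * struct.calcsize(SEC_HDR)
    return opt, sections

def check_headers(blob):
    """Return a list of findings; an empty list means the size and alignment invariants hold."""
    opt, secs = parse_headers(blob)
    sa, fa = opt['SectionAlignment'], opt['FileAlignment']
    findings = []
    want = align_up(max(s['VirtualAddress'] + s['VirtualSize'] for s in secs), sa)
    if opt['SizeOfImage'] != want:
        findings.append('SizeOfImage: 0x%X, but sections extend to 0x%X' % (opt['SizeOfImage'], want))
    if opt['SizeOfHeaders'] % fa or opt['SizeOfHeaders'] < opt['SectionTableEnd']:
        findings.append('SizeOfHeaders: 0x%X must be a FileAlignment multiple covering the section table' % opt['SizeOfHeaders'])
    rules = (('VirtualAddress', sa, 'SectionAlignment'), ('PointerToRawData', fa, 'FileAlignment'),
             ('SizeOfRawData', fa, 'FileAlignment'))
    for s in secs:
        for field, align, name in rules:
            if s[field] % align:
                findings.append('%s: %s 0x%X is not a %s multiple' % (s['Name'], field, s[field], name))
    ep = opt['AddressOfEntryPoint']
    if not any(s['VirtualAddress'] <= ep < s['VirtualAddress'] + s['VirtualSize'] for s in secs):
        findings.append('AddressOfEntryPoint 0x%X lies outside every section' % ep)
    return findings

if __name__ == '__main__':
    print(check_headers(build_headers(page_sections(), 0x890)))
```

Run as-is, the script reports four findings for the dumped values: SizeOfImage is 0x890 while the sections extend to 0x4000, and the three SizeOfRawData values (0x23, 0x23, 0x90) are not FileAlignment multiples. Rebuilding with `build_headers(round_raw_sizes(page_sections()), expected_size_of_image(page_sections()))` yields no findings. The same check_headers() can be pointed at any file's first SizeOfHeaders bytes, which is a quicker way to catch this class of mistake than reading dumpbin output by eye.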