Reference: http://www.mouseos.com/assembly/06.html
Reference: http://www.cnblogs.com/tk091/archive/2012/04/18/2456174.html

typedef struct CV_INFO_PDB70 {
    DWORD CvSignature;   // "RSDS" for PDB 7.0 CodeView records
    GUID  Guid;
    DWORD Age;
    //BYTE PdbFileName[];   // variable-length, NUL-terminated in the real record
    char  PdbFilePath[MAX_PATH];
} CV_INF…
Figure 1 - PE File
The CLR header stores information indicating that the PE file is a .NET executable, and the CLR data section contains metadata and Microsoft Intermediate Language (MSIL, or IL for short) code. Every common language runtime–complian…
Analyze PE file headers?
{ You need an OpenDialog to open an EXE file and a Memo to display the file information. }
procedure DumpDOSHeader(cons…
First, to be clear: this does not evade antivirus; it is only a demonstration.
Bilibili video
Adding a new section
Shellcode that actually does something useful is usually fairly long. It could be split across the slack space at the end of several sections, but that is a hassle; alternatively the last section could be enlarged, but the last section normally does not have the execute attribute. So the approach here is to add a new section header.
Modifying the section table to add the header
First check that there are at least 40 bytes free after the last section header for one more IMAGE_SECTION_HEADER structure (that space must also lie below SizeOfHeaders, i.e. before the first section's raw data, or the new header would overwrite section contents); a normal file has enough room. Copy the first section header to just after the last one: the first section's attributes are executable by default, which saves changing Characteristics later. Since the header is a copy, many of its fields still have to be rewritten; start by reading the file alignment (FileAlignment) and the memory alignment (SectionAlignment) from the optional header. Sect…
Common Sections
The .text section is where all general-purpose code emitted by the compiler or assembler ends up. Since PE files run in 32-bit mode and aren't restricted to 16-bit segments, there's no reason to break the code from separate source fil…
Portable Executable File Format
PE Format (Microsoft's official documentation)
What is a .PE file in the .NET framework? [closed]
The PE file you are talking about is the "Portable Executable" format. Almost every EXE and DLL on the Windows platform is formatted in PE format…
Malware Analysis Tutorial 8: PE Header and Export Table
2. Background Information of PE Header
Any binary executable file (whether on Unix or Windows) has to include a header that describes its structure: e.g., the base address of its code section, dat…
@date: 2016/11/24 @author: dlive
PE (Portable Executable) is the format Microsoft built on top of COFF (Common Object File Format) from the Unix platform.
"PE file" usually means a 32-bit executable, also called PE32; the 64-bit variant is called PE+ or PE32+.
Kinds of PE file:
Kind                 Main extensions
executables          exe, scr
drivers              sys, vxd
libraries            dll, ocx, cpl, drv
object files         ob…
A PE file begins with the 64-byte DOS header (IMAGE_DOS_HEADER), followed by a small DOS stub program, and then the 248-byte NT headers (IMAGE_NT_HEADERS); the file offset of the NT headers is given by the e_lfanew field of IMAGE_DOS_HEADER. The first 4 bytes of the NT headers are the signature (the characters "PE" followed by two zero bytes, "PE\0\0"), immediately followed by the 20-byte IMAGE_FILE_HEADER, and after that the 224-byte IMAGE_OPTIONAL_HEADER (these sizes are for PE32, optional-header Magic 0x10B; a PE32+ image, Magic 0x20B, has a 240-byte optional header and 264-byte NT headers, so a parser should take the size from IMAGE_FILE_HEADER.SizeOfOptionalHeader rather than hard-code 224). It is this last structure that holds the module's preferred base address, the sizes and base addresses of code and data, the thread stack/heap…
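The header walk just described (DOS header, e_lfanew, "PE\0\0", IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER) and the add-a-section procedure from the earlier post are shown together below in Python using only the struct module. This is an added example written for this page, not code from either source. The PE it operates on is a minimal PE32 constructed in memory (no DOS stub, a single .text section holding one ret), the function and dictionary key names are the editor's own, and the ImageBase (0x400000), SectionAlignment (0x1000) and FileAlignment (0x200) are assumed values typical of 32-bit images.

```python
import struct

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), little-endian
FILE_HDR_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECT_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x00000020, 0x20000000, 0x40000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(data):
    """DOS header -> e_lfanew -> "PE\\0\\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER.
    Returns the file offset of each part plus the fields the section code needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    file_hdr = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SectionAlignment/FileAlignment (+32/+36) and SizeOfImage/SizeOfHeaders (+56/+60)
    # sit at the same offsets in IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    return {"e_lfanew": e_lfanew, "file_header": file_hdr, "optional_header": opt,
            "machine": machine, "nsect": nsect, "magic": magic,
            "section_table": opt + opt_size,    # sized by SizeOfOptionalHeader, not hard-coded
            "sect_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers}


def section_headers(data, h):
    return [struct.unpack_from(SECT_FMT, data, h["section_table"] + 40 * i) for i in range(h["nsect"])]


def add_section(data, name, payload, characteristics=None):
    """Append a section containing `payload`. Characteristics default to those of the
    first section (normally CODE|EXECUTE|READ), mirroring the copy-the-first-header trick."""
    data = bytearray(data)
    h = parse_headers(data)
    secs = section_headers(data, h)
    new_hdr = h["section_table"] + 40 * h["nsect"]
    # 1. the extra 40-byte header must fit below SizeOfHeaders, i.e. before any section raw data
    if new_hdr + 40 > h["size_of_headers"]:
        raise ValueError("no room in the header block for another section header")
    # 2. map it after the highest existing section; raw data goes at the end of the file; both aligned
    va = align_up(max(s[2] + max(s[1], s[3]) for s in secs), h["sect_align"])
    raw_ptr = align_up(len(data), h["file_align"])
    raw_size = align_up(len(payload), h["file_align"])
    chars = secs[0][9] if characteristics is None else characteristics
    data[new_hdr:new_hdr + 40] = struct.pack(SECT_FMT, name[:8].ljust(8, b"\0"), len(payload),
                                             va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    # 3. fields the loader validates: NumberOfSections and SizeOfImage
    struct.pack_into("<H", data, h["file_header"] + 2, h["nsect"] + 1)
    struct.pack_into("<I", data, h["optional_header"] + 56, align_up(va + len(payload), h["sect_align"]))
    data += b"\0" * (raw_ptr - len(data)) + payload.ljust(raw_size, b"\0")
    return bytes(data)


def build_sample_pe32():
    """Constructed minimal PE32, not a real binary: no DOS stub, one .text section holding `ret`."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew: NT headers at 0x40
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, 1, 0, 0, 0, 224, 0x0102)    # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<HBB" + "I" * 9, opt, 0, PE32_MAGIC, 0, 0, 0x200, 0, 0,  # Magic .. SizeOfUninitializedData
                     0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)         # EntryPoint .. FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    text = struct.pack(SECT_FMT, b".text\0\0\0", 0x20, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xc3".ljust(0x200, b"\0")


if __name__ == "__main__":
    pe = add_section(build_sample_pe32(), b".inj", b"\xcc" * 16)   # int3 filler stands in for shellcode
    h = parse_headers(pe)
    for s in section_headers(pe, h):
        print("%-8r VA=0x%05x VSize=0x%04x RawPtr=0x%04x RawSize=0x%04x Chars=0x%08x"
              % (s[0].rstrip(b"\0"), s[2], s[1], s[4], s[3], s[9]))
```

Two things the snippet deliberately leaves alone: the optional-header CheckSum is not recomputed (user-mode loaders ignore it, but drivers and Authenticode-signed files care), and nothing redirects AddressOfEntryPoint to the new section, which is the step a real injector would add next.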
Article 1: Loading Win32/64 DLLs "manually" without LoadLibrary()
The most important steps of DLL loading are:
Mapping or loading the DLL into memory.
Relocating offsets in the DLL using the DLL's relocation table (if present).
Resolving t…
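The relocation step in that list, as an added example that is not taken from the article: Python that walks the base-relocation blocks (an IMAGE_BASE_RELOCATION header of PageRVA and SizeOfBlock followed by 16-bit entries whose top 4 bits are the type and low 12 bits the page offset) and adds the load delta to every HIGHLOW or DIR64 target. It assumes the image has already been mapped section by section so that an RVA equals an index into the buffer, as a manual loader has it after the mapping step; the sample image, its mov instruction, its data pointer and its single relocation block are constructed for the demonstration, and reloc_rva/reloc_size would in a real loader come from DataDirectory[5] of the optional header.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)


def apply_relocations(image, reloc_rva, reloc_size, delta):
    """Apply base relocations in place.

    image       -- bytearray of the module as mapped (RVA == index into the buffer)
    reloc_rva/reloc_size -- DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC], index 5
    delta       -- (address the image was actually mapped at) - ImageBase
    Returns [(target_rva, old_value, new_value), ...] for every fixup applied."""
    fixups = []
    if delta == 0:
        return fixups                      # mapped at the preferred base: nothing to patch
    off, end = reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)   # IMAGE_BASE_RELOCATION
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block at RVA 0x%x" % off)
        for entry_off in range(off + 8, off + block_size, 2):
            entry = struct.unpack_from("<H", image, entry_off)[0]
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif rtype == IMAGE_REL_BASED_DIR64:
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                raise ValueError("unsupported relocation type %d at RVA 0x%x" % (rtype, target))
            old = struct.unpack_from(fmt, image, target)[0]
            new = (old + delta) & mask     # mask keeps a negative delta two's-complement correct
            struct.pack_into(fmt, image, target, new)
            fixups.append((target, old, new))
        off += block_size
    return fixups


def build_sample_image():
    """Constructed 32-bit image, not a real DLL: code at RVA 0x1000, a data pointer at
    RVA 0x1010, one relocation block at RVA 0x2000; ImageBase is assumed to be 0x400000."""
    image = bytearray(0x3000)
    image[0x1000:0x1005] = b"\xa1" + struct.pack("<I", 0x00402010)    # mov eax, [0x402010]
    struct.pack_into("<I", image, 0x1010, 0x00402020)                  # absolute pointer into the image
    # PageRVA=0x1000, SizeOfBlock=16, entries: HIGHLOW@+0x001, HIGHLOW@+0x010, two ABSOLUTE pads
    image[0x2000:0x2010] = struct.pack("<IIHHHH", 0x1000, 16, 0x3001, 0x3010, 0, 0)
    return image


if __name__ == "__main__":
    img = build_sample_image()
    # image landed at 0x410000 instead of its preferred 0x400000
    for rva, old, new in apply_relocations(img, 0x2000, 16, 0x410000 - 0x400000):
        print("RVA 0x%04x: 0x%08x -> 0x%08x" % (rva, old, new))
```

The same loop serves a PE32+ module: its entries carry type 10 (DIR64) and the block layout is identical, only the patched slot is 8 bytes wide.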