Figure 1 - PE File The CLR header stores information to indicate that the PE file is a .NET executable and the CLR data section contains metadata and Microsoft Intermediate Language (MSIL, or IL for short) code. Every common language runtime–complian…

Analyze PE file headers? { You'll need a OpenDialog to open a Exe-File and a Memo to show the file informations } { Man braucht einen OpenDialog um eine Exe-Datei zu öffnen und ein Memo, um die Informationen anzuzeigen. } procedure DumpDOSHeader(cons…

参考:http://www.mouseos.com/assembly/06.html 参考:http://www.cnblogs.com/tk091/archive/2012/04/18/2456174.html typedef struct CV_INFO_PDB70{    DWORD CvSignature;    GUID Guid;    DWORD Age;    //BYTE PdbFileName[];    char PdbFilePath[MAX_PATH];} CV_INF…

先声明这是不免杀的,只是演示. 哔哩哔哩视频 新增节 一般能实现特定功能的shellcode的长度都比较长,可以分到几个节上的空白区,但是这样麻烦啊,或者把最后一个节扩大,但是最后一个节一般没有执行的属性.所以选择新增一个节表. 修改添加节表 先判断一下最后一个节表后面有没有够40个字节新增一个节表的结构体,正常的都够. 把第一个节表拷贝写到最后一个节表的后面,因为第一个节表的属性默认是可执行的,可以省了后面的修改. 节表是复制过来的所以还要修改很多东西,先获取一下文件对齐和内存对齐. Sect…

Common Sections The .text section is where all general-purpose code emitted by the compiler or assembler ends up. Since PE files run in 32-bit mode and aren't restricted to 16-bit segments, there's no reason to break the code from separate source fil…

Portable Executable File Format PE Format  微软官方的 What is a .PE file in the .NET framework? [closed] The PE file you are talking about is the "Portable Executable" format. Almost every EXE and DLL on the Windows platform is formatted in PE format…

PE文件是以64字节的DOS文件头开始的(IMAGE_DOS_HEADER),接着是一段小DOS程序,然后是248字节的 NT文件头(IMAGE_NT_HEADERS),NT的文件头位置由IMAGE_DOS_HEADER的e_lfanew给出! NT文件头的前4个字节是文件签名(“PE00"字符串),紧接着是20字节的IMAGE_FILE_HEADER结构,它的 后面是224字节的IMAGE_OPTIONAL_HEADER结构,而就在这个结构里,里面有模块基地址,代码和数据大 小和基地址.线程堆…

  Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary() The most important steps of DLL loading are: Mapping or loading the DLL into memory. Relocating offsets in the DLL using the relocating table of the DLL (if present). Resolving t…

PE文件其实就是Windows可执行文件,关于它的一些简要介绍摘自百度: PE文件被称为可移植的执行体是Portable Execute的全称,常见的EXE.DLL.OCX.SYS.COM都是PE文件,PE文件是微软Windows操作系统上的程序文件(可能是间接被执行,如DLL). http://baike.baidu.com/view/1087038.htm 有一种病毒是针对PE文件进行的操作,他们会感染一些exe,将自己的代码添加到exe中并在某处悄悄地窃取执行权限执行自己的代码进行破坏或者…

说明 恶意代码数字签名验证功能,WinverityTrust.CryptQueryObject 代码实现 WinVerifyTrust //------------------------------------------------------------------- // Copyright (C) Microsoft. All rights reserved. // Example of verifying the embedded signature of a PE file by…