Windows PE
Windows PE structure
1. Windows Preinstallation Environment
2. Windows Portable Executable
1. DOS Header > signature code: MZ (4D 5A)
2. DOS Stub > meaningless code; it can be changed arbitrarily without affecting execution
3. NT Header
3-1) Signature > signature code: PE (50 45)
3-2) File Header
WORD Machine; > type of the machine (CPU) : 01 4C ( bytes appear reversed in the file: little-endian / double-word order )
WORD NumberOfSections; > number of sections : 00 03 ( bytes appear reversed in the file: little-endian / double-word order )
DWORD TimeDateStamp; > creation time : 48 02 52 87 ( bytes appear reversed in the file: little-endian / double-word order ) https://opentechtips.com/integer8/ Mon, 01 Jan 1601 09:00:04 GMT
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader; > size of the Optional Header : 00 E0 ( bytes appear reversed in the file: little-endian / double-word order ) = 224
WORD Characteristics; > attribute flags of this file : 01 0F ( 0x0001 + 0x0002 + 0x0004 + 0x0008 + 0x0100 = 0x010F )
3-3) Optional Header
WORD Magic; > type of the executable : 01 0B
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint; > address at which execution starts once the file is loaded into memory : 00 00 73 9D
DWORD BaseOfCode; > start of the code area
DWORD BaseOfData; > start of the data area
DWORD ImageBase; > 01 00 00 00 ( base address )
DWORD SectionAlignment; > alignment unit (multiple) when in memory form
DWORD FileAlignment; > alignment unit (multiple) when in file form
WORD MajorOperatingSystemVersion; >
WORD MinorOperatingSystemVersion; >
WORD MajorImageVersion; >
WORD MinorImageVersion; >
WORD MajorSubsystemVersion; >
WORD MinorSubsystemVersion; >
DWORD Win32VersionValue; >
DWORD SizeOfImage; > size when in memory form
DWORD SizeOfHeaders; > size of the headers
DWORD CheckSum; >
WORD Subsystem; > the kind of screen shown when the file is run ( GUI, CUI )
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory
4. Text(Code) Header
5. Data Header
6. Resource Header
7. Text(Code) Section
8. Data Section
9. Resource Section
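The headers listed above, walked in order by a small parser. This is an added example, not code from the original post: it builds a constructed header region (DOS header, PE signature, File Header, PE32 Optional Header) from the values quoted above, with e_lfanew assumed to be 0xE0 (that is what places the data directory array at 0x158, as the page states), linker version and Subsystem constructed, and then reads the fields back, checking the MZ/PE signatures and that e_lfanew stays inside the buffer. Every multi-byte field is read little-endian, which is the byte reversal noted beside each value above; TimeDateStamp is decoded as the PE specification defines it, seconds since 1970-01-01 UTC.

```python
import struct
from datetime import datetime, timezone

# Assumed: e_lfanew of 0xE0 gives a data-directory offset of 0xE0 + 4 + 20 + 96 = 0x158.
E_LFANEW = 0xE0
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"

CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64"}
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def build_sample_header() -> bytes:
    """Constructed header bytes carrying the values quoted on the page (no sections follow)."""
    dos = bytearray(E_LFANEW)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)            # e_lfanew -> NT header
    file_header = struct.pack(FILE_HEADER_FMT, 0x014C, 3, 0x48025287, 0, 0, 0xE0, 0x010F)
    # Optional header, 0xE0 bytes. Linker version 7.10 and Subsystem 2 (GUI) are constructed.
    opt = struct.pack("<HBBIIIIIII", 0x010B, 7, 10, 0, 0, 0, 0x739D, 0x1000, 0x9000, 0x01000000)
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 5, 1, 5, 1, 4, 0, 0, 0x14000, 0x400, 0, 2, 0)
    opt += struct.pack("<IIIIII", 0x40000, 0x11000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                                    # 16 empty IMAGE_DATA_DIRECTORY slots
    return bytes(dos) + b"PE\0\0" + file_header + opt


def decode_flags(value: int, table: dict) -> list:
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN_{unknown:#06x}")
    return names


def parse_pe_header(data: bytes) -> dict:
    """DOS header -> NT signature -> File Header -> Optional Header, validating each step."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew points past the end of the data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    machine, n_sections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24                                     # optional header starts after 4 + 20 bytes
    if opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    entry, _base_code, _base_data, image_base = struct.unpack_from("<IIII", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_image, size_headers = struct.unpack_from("<II", data, opt + 56)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (n_dirs,) = struct.unpack_from("<I", data, opt + 92)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, f"unknown {machine:#06x}"),
        "sections": n_sections,
        # TimeDateStamp is a 32-bit count of seconds since the Unix epoch, not a FILETIME
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "optional_header_size": opt_size,
        "characteristics": decode_flags(chars, CHARACTERISTICS),
        "magic": MAGICS.get(magic, f"unknown {magic:#06x}"),
        "entry_point_rva": entry,
        "entry_point_va": image_base + entry,              # VA = ImageBase + RVA
        "image_base": image_base,
        "section_alignment": sect_align,
        "file_alignment": file_align,
        "size_of_image": size_image,
        "size_of_headers": size_headers,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown {subsystem}"),
        "data_directories": n_dirs,
        "data_directory_offset": opt + 96,                 # first IMAGE_DATA_DIRECTORY entry
    }


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key:>22}: {value:#x}" if isinstance(value, int) else f"{key:>22}: {value}")
```

With the page's values the Characteristics word 0x010F decodes to RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED and 32BIT_MACHINE, the Magic 0x010B means PE32, and ImageBase + AddressOfEntryPoint gives the entry VA 0x0100739D. Run against a real file, replace `build_sample_header()` with the file's bytes; the bounds checks matter there because a hostile e_lfanew or SizeOfOptionalHeader is a common way to crash naive parsers.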
Image_NT_headers32
- Signature
- Image_File_headers32
- Image_Optional_header32
- address of entry point
- Image base
RVA (relative virtual address) - relative address
VA (virtual address) - absolute address
32-bit computer - can use at most 4G of memory
Section Alignment : 00 00 10 00 ( units of 1000 )
File Alignment : 00 00 02 00 ( units of 200 )
-- plays a role similar to a cluster
section = memory
file = file
Number Of Rva And Sizes : 00 00 00 10
- number of entries in the Image_DATA_DIRECTORY array
16 Data Directories exist
starting at 158
Data Directory[0] > Export
> 0000 0000 / 0000 0000
Data Directory[1] > Import
> 0000 7604 / 0000 00C8
..
..
..
Data Directory[F] >
--- the address values obtained above will be used later with the INT, IAT and EAT
INT = Import Name Table
IAT = Import Address Table
EAT = Export Address Table
Viewing the header of each area (text, data, rsrc)
The structure of every section header is identical
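The 16-entry Data Directory array described above, read by a parser. This is an added example and not the post's own code: it assumes e_lfanew = 0xE0 (which puts DataDirectory[0] at 0x158 as stated above), fills a constructed buffer with the page's Export (0 / 0) and Import (0x7604 / 0xC8) entries plus constructed Resource and IAT entries, and reads back only as many slots as NumberOfRvaAndSizes says exist, which is the check a parser needs because the loader honours that count rather than assuming 16.

```python
import struct

# Standard order of the IMAGE_DATA_DIRECTORY array (index -> table it describes).
DIRECTORY_NAMES = [
    "Export", "Import", "Resource", "Exception", "Security", "BaseRelocation",
    "Debug", "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport",
    "IAT", "DelayImport", "CLRRuntime", "Reserved",
]
E_LFANEW = 0xE0   # assumed; 0xE0 + 4 + 20 + 96 = 0x158, the array start quoted on the page
SIGNATURE_SIZE, FILE_HEADER_SIZE, PE32_OPT_FIXED_SIZE = 4, 20, 96


def data_directory_offset(e_lfanew: int) -> int:
    """File offset of DataDirectory[0] in a PE32 image (PE32+ has a 112-byte fixed part instead)."""
    return e_lfanew + SIGNATURE_SIZE + FILE_HEADER_SIZE + PE32_OPT_FIXED_SIZE


def build_sample_directory_region() -> bytes:
    """Constructed buffer whose only meaningful content is the 16-entry directory array."""
    entries = [(0, 0)] * 16
    entries[1] = (0x7604, 0xC8)      # Import table: RVA / size from the page
    entries[2] = (0xB000, 0x8540)    # Resource table: constructed, placed at the .rsrc RVA
    entries[12] = (0x7000, 0x180)    # IAT: constructed
    buf = bytearray(data_directory_offset(E_LFANEW))   # headers before the array, zero-filled
    for rva, size in entries:
        buf += struct.pack("<II", rva, size)           # IMAGE_DATA_DIRECTORY: VirtualAddress, Size
    return bytes(buf)


def parse_data_directories(data: bytes, e_lfanew: int, number_of_rva_and_sizes: int) -> dict:
    """Return {name: (rva, size)} for every slot the header declares.

    Only NumberOfRvaAndSizes entries are read: slots beyond that count are not part of
    the header, and assuming 16 would interpret section-header bytes as directories.
    """
    count = min(number_of_rva_and_sizes, len(DIRECTORY_NAMES))
    start = data_directory_offset(e_lfanew)
    if start + count * 8 > len(data):
        raise ValueError("data directory array runs past the end of the data")
    table = {}
    for i in range(count):
        rva, size = struct.unpack_from("<II", data, start + i * 8)
        table[DIRECTORY_NAMES[i]] = (rva, size)
    return table


def present_directories(table: dict) -> list:
    """Names of the tables that actually exist (an RVA of 0 means the table is absent)."""
    return [name for name, (rva, _size) in table.items() if rva != 0]


if __name__ == "__main__":
    dirs = parse_data_directories(build_sample_directory_region(), E_LFANEW, 16)
    for name in present_directories(dirs):
        rva, size = dirs[name]
        print(f"{name:<14} RVA {rva:#010x}  size {size:#06x}")
```

An Export entry of 0 / 0, as on the page, simply means the image exports nothing, which is normal for an .exe. The Import RVA 0x7604 is a memory address: to read the import descriptors out of the file it still has to be converted to a file offset with the RVA-to-RAW formula given later in this post.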
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];   // section name, 8 bytes (no terminating NUL if all 8 are used)
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;                 // size the section occupies in memory
    } Misc;
    DWORD VirtualAddress;                  // address where the section starts in memory ( RVA )
    DWORD SizeOfRawData;                   // size the section occupies in the file
    DWORD PointerToRawData;                // address (offset) where the section starts in the file
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;                 // attributes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Text Section
Data Section
Rsrc Section
RVA (memory) to RAW (position in the file)
When you have the memory address of some function, you need to find the corresponding position in the file (the one you can see in HxD).
Formula (all values hexadecimal): the RAW (file offset) we are looking for = RVA - VirtualAddress + PointerToRawData
When RVA = 5000, what is RAW (the file offset)?
RVA 5000 lies in the text section in memory
RAW = 5000 - 1000 (address where the section starts in memory) + 400 (address where the section starts in the file)
RAW = 4400
When RVA = 13314, what is RAW (the file offset)?
RVA 13314 lies in the rsrc section in memory
RAW = 13314 - B000 (address where the section starts in memory) + 8400 (address where the section starts in the file)
RAW = 10714
When RVA = ABA8, what is RAW (the file offset)?
RVA ABA8 lies in the data section in memory
RAW = ABA8 - 9000 (address where the section starts in memory) + 7C00 (address where the section starts in the file)
RAW = 97A8
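The three conversions worked above, done by code that first parses IMAGE_SECTION_HEADER entries and then picks the section containing the RVA. This is an added example, not the post's own code. VirtualAddress and PointerToRawData are the page's (.text 1000/400, .data 9000/7C00, .rsrc B000/8400); VirtualSize, SizeOfRawData and Characteristics are constructed, with .data given a SizeOfRawData of 0x800 so that the sections stay contiguous in the file. That choice exposes the caveat the formula hides: RVA ABA8 is 1BA8 bytes into .data, past its 800 bytes of file data, so the formula still yields 97A8 but those file bytes belong to the next section; the function returns a flag saying whether the RVA is actually backed by file data.

```python
import struct
from dataclasses import dataclass

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


@dataclass
class Section:
    name: str
    virtual_size: int         # Misc.VirtualSize: bytes the section occupies in memory
    virtual_address: int      # RVA where the section starts in memory
    size_of_raw_data: int     # bytes the section occupies in the file
    pointer_to_raw_data: int  # file offset where the section starts


def build_sample_section_table() -> bytes:
    """Constructed table: VirtualAddress / PointerToRawData from the page, sizes and flags constructed."""
    rows = [
        (b".text", 0x7748, 0x1000, 0x7800, 0x400, 0x60000020),   # CODE | EXECUTE | READ
        (b".data", 0x1E00, 0x9000, 0x800, 0x7C00, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
        (b".rsrc", 0x8540, 0xB000, 0x8600, 0x8400, 0x40000040),  # INITIALIZED_DATA | READ
    ]
    return b"".join(
        struct.pack(SECTION_HEADER_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, rawptr, chars in rows
    )


def parse_section_headers(table: bytes, number_of_sections: int) -> list:
    if number_of_sections * SECTION_HEADER_SIZE > len(table):
        raise ValueError("section table truncated")
    sections = []
    for i in range(number_of_sections):
        name, vsize, va, rawsize, rawptr, *_rest = struct.unpack_from(
            SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return sections


def rva_to_raw(rva: int, sections: list) -> tuple:
    """RAW = RVA - VirtualAddress + PointerToRawData, using the section that contains the RVA.

    Returns (raw_offset, backed_by_file_data). The flag is False when the RVA falls in the
    part of the section that exists only in memory (offset >= SizeOfRawData): the formula
    still produces a number, but the bytes at that file offset are not this section's.
    """
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            offset = rva - s.virtual_address
            return s.pointer_to_raw_data + offset, offset < s.size_of_raw_data
    raise ValueError(f"RVA {rva:#x} is not inside any section")


if __name__ == "__main__":
    secs = parse_section_headers(build_sample_section_table(), 3)
    for rva in (0x5000, 0x13314, 0xABA8):
        raw, backed = rva_to_raw(rva, secs)
        note = "" if backed else "  (beyond SizeOfRawData: zero-filled in memory, not present in the file)"
        print(f"RVA {rva:#07x} -> RAW {raw:#07x}{note}")
```

RVAs that fall before the first section (inside the headers, such as the 0x158 data-directory offset) are rejected rather than converted, since the formula only applies to addresses inside a section; for headers the RVA is already the file offset.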