堆栈内存溢出
  简体   繁体   English

PE文件读取c中的一节

[英]PE file read one section in c

 原文  2022-08-27 18:56:36       c/ portable-executable

问题描述

I just read one section in PE file.我刚刚阅读了 PE 文件中的一节。 I have output like this:我有这样的 output :

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x49937
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x49a00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

Section Info (2 of 6)
---------------------
Section Header name :               .rdata
ActualSize of code or data :        0x1ed60
Virtual Address(RVA) :              0x4b000
Size of raw data (rounded to FA) :  0x1ee00
Pointer to Raw Data :               0x49e00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

I just want to read executable sections.我只想阅读可执行部分。 For example, how can read.text section?例如,如何才能 read.text 部分?

1 个解决方案

解决方案1
 0  2022-08-28 03:01:07

Caveat: Don't know for sure, but the following is based on some [obvious] deductions...警告:不确定,但以下是基于一些 [明显的] 推论......

  1. In .text , the Pointer to Raw Data value is 0x400 ..text中, Pointer to Raw Data的指针值为0x400

  2. This [probably] isn't a valid memory address.这个 [可能] 不是有效的memory地址。 So, it's [probably] a file offset (as this is what makes sense).所以,它[可能]是一个文件偏移量(因为这是有道理的)。

  3. This is further supported by the fact that the .text section Size of raw data is 0x49a00 .原始数据的.text部分Size of raw data0x49a00的事实进一步支持了这一点。

  4. Now, 0x400 + 0x49a00 --> 0x49e00 which is the Pointer to Raw Data value of the next section .rdata现在, 0x400 + 0x49a00 --> 0x49e00一部分.rdataPointer to Raw Data值的指针

So, if you seek the PE file to 0x400 and read 0x49a00 bytes, you'll be getting the contents of the .text section [as you desire].因此,如果您将 PE 文件查找到0x400并读取0x49a00字节,您将获得.text部分的内容[如您所愿]。 That length is the rounded up length [to align to the next section's data], so a better length to read might be the ActualSize of code or data value of 0x49937该长度是向上取整的长度[与下一部分的数据对齐],因此更好的读取长度可能是ActualSize of code or data0x49937

Side note: Although it's not a guarantee, the 0x400 offset of the .text section (the first section) data implies that the PE file header and all the [basic] section header structs fit in the first 0x400 (1024 decimal) bytes of the file.旁注:虽然不能保证, .text部分(第一部分)数据0x400偏移量意味着 PE 文件 header 和所有 [basic] 部分 header 结构适合前0x400 (十进制的 1024)字节文件。 This is a reasonable assumption, given that PE is a simple format with a fixed number of section types (vs ELF that can have arbitrary/extensible sections).这是一个合理的假设,因为 PE 是一种具有固定数量的节类型的简单格式(与可以具有任意/可扩展节的 ELF 相比)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PE文件.text节大小 - PE File .text Section Size PE文件格式部分添加 - PE File Format Section Add On 在 c 中读取 PE 文件 - PE FILE reading in c 获取PE文件的.text节头 - Getting .text section header of PE file 为什么要在PE文件中创建不同的code / data / bss部分? - Why would one want to create a different code/data/bss section in a PE file? 在PE文件中查找.text部分的原始偏移量 - Finding the raw offset of .text section in a PE file 获取.text段代码PE文件格式的偏移量? VirtualAddress,PointerToRawData? - Getting the offset to .text section code PE file format? VirtualAddress, PointerToRawData? PE部分数据 - PE Section Data 用C获取PE和VA的可执行文件 - Get PE and VA of executable file with C 将部分添加到PE文件中,将“入口点”更改为新部分并执行任何代码 - Adding a section to a PE file, change Entry Point to the new section and execute any code
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM