<SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">最近構(gòu)造了一個(gè)微型的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件�����,下面把構(gòu)造的方法和一點(diǎn)心得寫出來(lái)和大家交流�����,也算是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的一個(gè)復(fù)習(xí)吧�。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN>
4 ~- v" b- \" \<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">最終構(gòu)造好的文件大小是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 180 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié),可以在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Win2k </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下運(yùn)行��,運(yùn)行后會(huì)彈出一個(gè)消息框�����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
6 {' w" ~1 l/ Q" }4 K<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)看看最后生成的文件的內(nèi)容:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
1 p2 f' ^) Q4 o8 {, V<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000000 4D 5A 00 00 50 45 00 00 4C 01 01 00 75 73 65 72 MZ..PE..L...user<BR>00000010 33 32 2E 64 6C 6C 00 00 70 00 0F 01 0B 01 6A 00 32.dll..p.....j.<BR>00000020 B8 8C 00 40 00 50 50 6A 00 EB 05 00 1E 00 00 00 <A href="mailto:...@.PPj"><FONT color=#333333>...@.PPj</FONT></A>........<BR>00000030 FF 15 78 00 40 00 C3 00 00 00 40 00 04 00 00 00 ..x.@.....@.....<BR>00000040 04 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 ................<BR>00000050 00 00 00 00 B4 00 00 00 00 00 00 00 00 00 00 00 ................<BR>00000060 02 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................<BR>00000070 00 10 00 00 00 00 00 00 C4 01 00 80 00 00 00 00 ................<BR>00000080 00 00 00 00 9C 00 00 00 28 00 00 00 5A 54 53 B1 ........(...ZTS.<BR>00000090 E0 D0 B4 00 B4 00 00 00 00 00 00 00 B4 00 00 00 ................<BR>000000A0 00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00 ............x...<BR>000000B0 E0 00 00 E0 .... <o:p></o:p></SPAN></P>" W0 `: _/ R/ w
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> dumpbin </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示文件結(jié)構(gòu)如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
0 H4 f a$ K u& O$ _% S9 o$ A" W<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">FILE HEADER VALUES<BR> 14C machine (i386)<BR> 1 number of sections<BR> 72657375 time date stamp Sat Oct 26 21:21:57 2030<BR> 642E3233 file pointer to symbol table<BR> 6C6C number of symbols<BR> 70 size of optional header<BR> 10F characteristics<BR> Relocations stripped<BR> Executable<BR> Line numbers stripped<BR> Symbols stripped<BR> 32 bit word machine<o:p></o:p></SPAN></P># o: G2 Q: q( n- t. W- F- T/ e! A
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">OPTIONAL HEADER VALUES<BR> 10B magic #<BR> 106.00 linker version<BR> 40008CB8 size of code<BR> 6A505000 size of initialized data<BR> 5EB00 size of uninitialized data<BR> 1E RVA of entry point <----<BR> 7815FF base of code<BR> C30040 base of data<BR> 400000 image base<BR> 4 section alignment<BR> 4 file alignment<BR> 4.00 operating system version<BR> 0.00 image version<BR> 4.00 subsystem version<BR> 0 Win32 version<BR> B4 size of image<BR> 0 size of headers<BR> 0 checksum<BR> 2 subsystem (Windows GUI)<BR> 0 DLL characteristics<BR> 100000 size of stack reserve<BR> 0 size of stack commit<BR> 100000 size of heap reserve<BR> 1000 size of heap commit<BR> 0 loader flags<BR> 800001C4 number of directories<BR> 0 [ 0] RVA [size] of Export Directory<BR> 9C [ 28] RVA [size] of Import Directory <----<BR> 0 [ 0] RVA [size] of Resource Directory<BR> 0 [ 0] RVA [size] of Exception Directory<BR> 0 [ 0] RVA [size] of Certificates Directory<BR> 0 [ 0] RVA [size] of Base Relocation Directory<BR> 0 [ 0] RVA [size] of Debug Directory<BR> 0 [ 0] RVA [size] of Architecture Directory<BR> 0 [ 0] RVA [size] of Special Directory<BR> 0 [ 0] RVA [size] of Thread Storage Directory<BR> 0 [ 0] RVA [size] of Load Configuration Directory<BR> 0 [ 0] RVA [size] of Bound Import Directory<BR> 0 [ 0] RVA [size] of Import Address Table Directory<BR> 0 [ 0] RVA [size] of Delay Import Directory<BR> 0 [ 0] RVA [size] of Reserved Directory<BR> 0 [ 0] RVA [size] of Reserved Directory<o:p></o:p></SPAN></P> R+ z6 ~! d8 V! Y' p' `4 T
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">現(xiàn)在開始具體的步驟</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
3 ]/ q8 ~' y) ]" p2 k<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">1. Dos Header<o:p></o:p></SPAN></P>
9 Z1 ~# `+ s6 Q( ~9 E<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_DOS_HEADER STRUCT<BR> e_magic <-- 4D 5A<BR> ... <-- </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">其他的都填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0<BR> e_lfanew <-- 04 00 00 00<BR>IMAGE_DOS_HEADER ENDS<o:p></o:p></SPAN></P>
A9 ~; n$ [( Q1 Y+ w2 _1 F<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">為了把文件做得盡可能的小�����,所以</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">準(zhǔn)備放在文件偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方���,本來(lái)還可以</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">往前放,由于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Dos Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>e_lfanew </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">必須指向</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置���。當(dāng)放在偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方�,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Dos Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> e_lfanew </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">正好對(duì)應(yīng)著</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> SectionAlignment</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">我們只需要把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> SectionAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">就可以達(dá)到兩個(gè)目的�。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P># K! B9 P8 p) G
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2. PE Header<o:p></o:p></SPAN></P>& e/ r, j* ]8 [ ?. P1 T
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_NT_HEADERS STRUCT<BR> Signature <-- 50 45 00 00<BR> FileHeader<BR> OptionalHeader<BR>IMAGE_NT_HEADERS ENDS<o:p></o:p></SPAN></P>
3 E$ \4 M0 f/ w3 _1 d* u" y+ y<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下面打了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志的意味著不能隨便填數(shù)據(jù),具體的數(shù)據(jù)可以參考上面</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> dumpbin </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示的數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">據(jù)���。凡是沒有打</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志的可以填入任意數(shù)據(jù)���,我們的代碼就準(zhǔn)備塞在這些結(jié)構(gòu)里面。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>& ^, D" C: v5 ~. \* u
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_FILE_HEADER STRUCT<BR> Machine *<BR> NumberOfSections *<BR> TimeDateStamp<BR> PointerToSymbolTable<BR> NumberOfSymbols<BR> SizeOfOptionalHeader *<BR> Characteristics *<BR>IMAGE_FILE_HEADER ENDS<o:p></o:p></SPAN></P>* I, P( C$ h, t! H: T
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_OPTIONAL_HEADER32 STRUCT<BR> Magic *<BR> MajorLinkerVersion<BR> MinorLinkerVersion<BR> SizeOfCode<BR> SizeOfInitializedData<BR> SizeOfUninitializedData<BR> AddressOfEntryPoint *<BR> BaseOfCode<BR> BaseOfData<BR> ImageBase *<BR> SectionAlignment *<BR> FileAlignment *<BR> MajorOperatingSystemVersion *<BR> MinorOperatingSystemVersion *<BR> MajorImageVersion *<BR> MinorImageVersion *<BR> MajorSubsystemVersion *<BR> MinorSubsystemVersion *<BR> Win32VersionValue *<BR> SizeOfImage *<BR> SizeOfHeaders *<BR> CheckSum<BR> Subsystem *<BR> DllCharacteristics *<BR> SizeOfStackReserve *<BR> SizeOfStackCommit *<BR> SizeOfHeapReserve *<BR> SizeOfHeapCommit *<BR> LoaderFlags<BR> NumberOfRvaAndSizes *<BR> DataDirectory<BR>IMAGE_OPTIONAL_HEADER32 ENDS<o:p></o:p></SPAN></P>
# W$ q* f7 V# C5 |( z) |0 L<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DataDirectory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中不需要的成員可以不要���,只留下</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Export Directory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Import Directory</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">��。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
: S; P* H1 l9 G8 y& Y, a<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">整個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的大小為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 88h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié)��,其中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Optional Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的大小為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 70h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié)���。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
. L J& L# G! R' U X<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3. Section Table<o:p></o:p></SPAN></P>) {5 _0 @/ [8 g( Q3 @; I* J
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_SECTION_HEADER STRUCT<BR> Name1 <-- ZTS </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">編寫</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR> union Misc<BR> PhysicalAddress<BR> VirtualSize <-- B4 00 00 00<BR> ends<BR> VirtualAddress <-- 00 00 00 00<BR> SizeOfRawData <-- B4 00 00 00<BR> PointerToRawData <-- 00 00 00 00<BR> PointerToRelocations <-- 00 00 00 00<BR> PointerToLinenumbers <-- 00 00 00 00<BR> NumberOfRelocations <-- 00 00<BR> NumberOfLinenumbers <-- 00 00<BR> Characteristics <-- E0 00 00 E0<BR>IMAGE_SECTION_HEADER ENDS<o:p></o:p></SPAN></P>! Y( g$ q: q; j- P* l
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">整個(gè)文件的內(nèi)容就是節(jié)的內(nèi)容,最后文件的全部?jī)?nèi)容會(huì)被完整的映射到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 400000h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地址處����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>' N! ]3 B$ Q8 ]
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">因?yàn)橛成涞絻?nèi)存中后文件的內(nèi)容后面都是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,所以相當(dāng)于節(jié)表以一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">元素結(jié)束。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>0 {9 Z+ T2 H$ f2 L0 s6 \
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4. Import<o:p></o:p></SPAN></P>
" m! }# f5 y' s<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件只需要從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> user32.dll </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中輸入一個(gè)函數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MessageBoxA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">���,所以輸入表中有一個(gè)非</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和一個(gè)結(jié)束的全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員�。就因?yàn)橐WC有一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員來(lái)結(jié)束輸入表�����,所以也把輸入表放</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在文件的末尾��,和節(jié)的情況一樣����,當(dāng)文件被映射到內(nèi)存中后,文件后面的內(nèi)容都是</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>0</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����,就相當(dāng)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">于有一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員�����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
5 y3 s# u H1 n# U- o<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一個(gè)輸入表成員的大小是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 20 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié)���,在節(jié)表當(dāng)中找出沒有被利用的域用來(lái)放輸入表,找到了從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>SizeOfRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開始的位置。輸入表中的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>OriginalFirstThunk </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">TimeDateStamp </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>ForwarderChain </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">都是沒用的域�����,不用管他們是什么值�����,所以不會(huì)因?yàn)樵诠?jié)表中插入輸入表而</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">改變節(jié)表中有用的域:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">SizeOfRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PointerToRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
6 e" E$ C& ~- y<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還有的就是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Name </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FirstThunk </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">啦���,在文件中找到偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0Ch </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方寫入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> user32.dll</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,然</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">后把</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>Name </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">指向偏移</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>0Ch</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,這個(gè)偏移就是文件頭中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> TimeDateStamp </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置。在文件中再</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">找到一個(gè)偏移位置</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 78h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)放</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> IAT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,然后把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FirstThunk </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">指向偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 78h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,這個(gè)偏移是文件頭中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>NumberOfRvaAndSizes </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置。在上面雖然說(shuō)了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> NumberOfRvaAndSizes </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">域不能隨便填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)(打了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志)����,但這個(gè)域只要不填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 2 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以下的值就可以,所以我們可以利用�����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>) R7 \: L. S* ~5 O2 X X
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">填好的樣子如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>- B l5 t/ B/ X6 w
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000070 C4 01 00 80 00 00 00 00 ................<BR>00000080<BR>00000090 B4 00 00 00 ................<BR>000000A0 00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00 ............x...<o:p></o:p></SPAN></P>" D2 {' p: h) u, {- P+ m& X
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">為了減少文件的大小�����,輸入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MessageBoxA </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)是通過(guò)序號(hào)的方式引入的����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>4 R1 W. [$ d( J1 r; a
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">手工寫好輸入表之后把輸入表的偏移和大小填到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DataDirectory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)組的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Import Directory <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員中去,偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 9Ch</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,大小為</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>28h</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>2 X l2 M3 ?5 [* p0 [+ b
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
' C+ a F* p+ u/ H3 A* B& \- a1 Z<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所有準(zhǔn)備工作做完就開始寫代碼����,代碼也需要從文件頭中間找沒用的域來(lái)存放。找找文件頭發(fā)現(xiàn)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還有兩個(gè)地方?jīng)]有被使用����,一個(gè)是</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>MajorLinkerVersion </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 14 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)字節(jié),偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 1Eh</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,另</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一個(gè)是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> BaseOfCode </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 8 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)字節(jié),偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 30h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>$ W d3 e2 f( U
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">需要的代碼寫好就是下面的樣子:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>4 L9 P1 X# X q
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">0000001E: 6A00 push 0<BR>00000020: B88C004000 mov eax,40008C<BR>00000025: 50 push eax<BR>00000026: 50 push eax<BR>00000027: 6A00 push 0<BR>00000029: EB05 jmp 000000030<o:p></o:p></SPAN></P>. h, D d; y4 i% {+ W8 X
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000030: FF1578004000 call dword ptr [00400078]<BR>00000036: C3 ret<o:p></o:p></SPAN></P>6 P2 G6 E- ]2 h& U
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把代碼對(duì)應(yīng)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 16 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">進(jìn)制值填到偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 1Eh </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 30h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處就行了。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>/ T& y' T- r- |- V: \' U
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保存文件�,所有的工作就結(jié)束了。最后把注意事項(xiàng)再總結(jié)一下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>8 U; A! U* x! f, D( i3 U$ B
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">1. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 200h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,則要求</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment == SectionAlignment >= 2<o:p></o:p></SPAN></P>
9 T+ d* M0 S% S& P8 p3 C. @<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 200h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,則要求</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> VirtualAddress == PointerToRawData<o:p></o:p></SPAN></P>0 {5 U3 W E& E5 B
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3. VirtualSize <= SizeOfRawData<o:p></o:p></SPAN></P>
. S# f6 G ]" x; i' P<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4. SizeOfHeaders < SizeOfImage<o:p></o:p></SPAN></P># |( {: r4 A2 b X
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5. NumberOfRvaAndSizes >= 2 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)目錄結(jié)構(gòu)的數(shù)量要求不小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 2<o:p></o:p></SPAN></P>( |$ u; R2 p8 a0 B; A( I
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">6. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表和輸入表都要求有一個(gè)結(jié)束的全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>' ?# f: Y% b1 w7 l: `
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">胡亂寫了一點(diǎn)���,希望不會(huì)浪費(fèi)大家太多時(shí)間�,如果有錯(cuò)誤還望各位大俠指點(diǎn)指點(diǎn)���,也好讓象我這</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">樣的菜鳥能多學(xué)一些東西�。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P> |
發(fā)表于 2008-9-28 16:38:19
QQ好友和群
QQ空間
提升卡
置頂卡
沉默卡
喧囂卡
變色卡
顯身卡