<SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">最近構(gòu)造了一個(gè)微型的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件���,下面把構(gòu)造的方法和一點(diǎn)心得寫(xiě)出來(lái)和大家交流����,也算是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">格式的一個(gè)復(fù)習(xí)吧�。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN>
" q! `% b8 D, C4 a5 ? Y<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">最終構(gòu)造好的文件大小是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 180 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié)�����,可以在</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Win2k </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下運(yùn)行�����,運(yùn)行后會(huì)彈出一個(gè)消息框��。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>* d4 [% s) g$ A, r
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)看看最后生成的文件的內(nèi)容:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>, x! i5 h3 l! ]5 N+ }4 O
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000000 4D 5A 00 00 50 45 00 00 4C 01 01 00 75 73 65 72 MZ..PE..L...user<BR>00000010 33 32 2E 64 6C 6C 00 00 70 00 0F 01 0B 01 6A 00 32.dll..p.....j.<BR>00000020 B8 8C 00 40 00 50 50 6A 00 EB 05 00 1E 00 00 00 <A href="mailto:...@.PPj"><FONT color=#333333>...@.PPj</FONT></A>........<BR>00000030 FF 15 78 00 40 00 C3 00 00 00 40 00 04 00 00 00 ..x.@.....@.....<BR>00000040 04 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 ................<BR>00000050 00 00 00 00 B4 00 00 00 00 00 00 00 00 00 00 00 ................<BR>00000060 02 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................<BR>00000070 00 10 00 00 00 00 00 00 C4 01 00 80 00 00 00 00 ................<BR>00000080 00 00 00 00 9C 00 00 00 28 00 00 00 5A 54 53 B1 ........(...ZTS.<BR>00000090 E0 D0 B4 00 B4 00 00 00 00 00 00 00 B4 00 00 00 ................<BR>000000A0 00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00 ............x...<BR>000000B0 E0 00 00 E0 .... <o:p></o:p></SPAN></P>
& S2 T" L6 E2 ?9 p1 q' l<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">用</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> dumpbin </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示文件結(jié)構(gòu)如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>' \2 Y! x* ]6 G& U" k0 O/ b: e
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">FILE HEADER VALUES<BR> 14C machine (i386)<BR> 1 number of sections<BR> 72657375 time date stamp Sat Oct 26 21:21:57 2030<BR> 642E3233 file pointer to symbol table<BR> 6C6C number of symbols<BR> 70 size of optional header<BR> 10F characteristics<BR> Relocations stripped<BR> Executable<BR> Line numbers stripped<BR> Symbols stripped<BR> 32 bit word machine<o:p></o:p></SPAN></P>! L& w2 _2 ~9 Q/ \5 {
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">OPTIONAL HEADER VALUES<BR> 10B magic #<BR> 106.00 linker version<BR> 40008CB8 size of code<BR> 6A505000 size of initialized data<BR> 5EB00 size of uninitialized data<BR> 1E RVA of entry point <----<BR> 7815FF base of code<BR> C30040 base of data<BR> 400000 image base<BR> 4 section alignment<BR> 4 file alignment<BR> 4.00 operating system version<BR> 0.00 image version<BR> 4.00 subsystem version<BR> 0 Win32 version<BR> B4 size of image<BR> 0 size of headers<BR> 0 checksum<BR> 2 subsystem (Windows GUI)<BR> 0 DLL characteristics<BR> 100000 size of stack reserve<BR> 0 size of stack commit<BR> 100000 size of heap reserve<BR> 1000 size of heap commit<BR> 0 loader flags<BR> 800001C4 number of directories<BR> 0 [ 0] RVA [size] of Export Directory<BR> 9C [ 28] RVA [size] of Import Directory <----<BR> 0 [ 0] RVA [size] of Resource Directory<BR> 0 [ 0] RVA [size] of Exception Directory<BR> 0 [ 0] RVA [size] of Certificates Directory<BR> 0 [ 0] RVA [size] of Base Relocation Directory<BR> 0 [ 0] RVA [size] of Debug Directory<BR> 0 [ 0] RVA [size] of Architecture Directory<BR> 0 [ 0] RVA [size] of Special Directory<BR> 0 [ 0] RVA [size] of Thread Storage Directory<BR> 0 [ 0] RVA [size] of Load Configuration Directory<BR> 0 [ 0] RVA [size] of Bound Import Directory<BR> 0 [ 0] RVA [size] of Import Address Table Directory<BR> 0 [ 0] RVA [size] of Delay Import Directory<BR> 0 [ 0] RVA [size] of Reserved Directory<BR> 0 [ 0] RVA [size] of Reserved Directory<o:p></o:p></SPAN></P>
) ]8 h. Z5 I: |. v" \$ c7 t4 _<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">現(xiàn)在開(kāi)始具體的步驟</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
- Q4 f& K) P; m<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">1. Dos Header<o:p></o:p></SPAN></P>
/ N3 v5 x( S( `& K: }+ ^<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_DOS_HEADER STRUCT<BR> e_magic <-- 4D 5A<BR> ... <-- </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">其他的都填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0<BR> e_lfanew <-- 04 00 00 00<BR>IMAGE_DOS_HEADER ENDS<o:p></o:p></SPAN></P>
9 ]( C5 w7 K) k; H; p7 k( `! ?<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">為了把文件做得盡可能的小��,所以</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">準(zhǔn)備放在文件偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方���,本來(lái)還可以</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">往前放����,由于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Dos Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>e_lfanew </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">必須指向</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置。當(dāng)放在偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方�����,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">Dos Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> e_lfanew </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">正好對(duì)應(yīng)著</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> SectionAlignment</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">我們只需要把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> SectionAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">設(shè)為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 4 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">就可以達(dá)到兩個(gè)目的。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
! e. D4 {2 r6 C' J2 w6 [( l8 H<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2. PE Header<o:p></o:p></SPAN></P>
' h0 O. R6 _8 `4 F4 {* {' `<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_NT_HEADERS STRUCT<BR> Signature <-- 50 45 00 00<BR> FileHeader<BR> OptionalHeader<BR>IMAGE_NT_HEADERS ENDS<o:p></o:p></SPAN></P>4 e0 j' G5 v. {
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">下面打了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志的意味著不能隨便填數(shù)據(jù)�����,具體的數(shù)據(jù)可以參考上面</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> dumpbin </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">顯示的數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">據(jù)�����。凡是沒(méi)有打</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志的可以填入任意數(shù)據(jù)�,我們的代碼就準(zhǔn)備塞在這些結(jié)構(gòu)里面。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
$ j' I |) ~8 [) @: e# S<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_FILE_HEADER STRUCT<BR> Machine *<BR> NumberOfSections *<BR> TimeDateStamp<BR> PointerToSymbolTable<BR> NumberOfSymbols<BR> SizeOfOptionalHeader *<BR> Characteristics *<BR>IMAGE_FILE_HEADER ENDS<o:p></o:p></SPAN></P>
9 O7 r1 ?$ e( V# Z/ M4 j$ s<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_OPTIONAL_HEADER32 STRUCT<BR> Magic *<BR> MajorLinkerVersion<BR> MinorLinkerVersion<BR> SizeOfCode<BR> SizeOfInitializedData<BR> SizeOfUninitializedData<BR> AddressOfEntryPoint *<BR> BaseOfCode<BR> BaseOfData<BR> ImageBase *<BR> SectionAlignment *<BR> FileAlignment *<BR> MajorOperatingSystemVersion *<BR> MinorOperatingSystemVersion *<BR> MajorImageVersion *<BR> MinorImageVersion *<BR> MajorSubsystemVersion *<BR> MinorSubsystemVersion *<BR> Win32VersionValue *<BR> SizeOfImage *<BR> SizeOfHeaders *<BR> CheckSum<BR> Subsystem *<BR> DllCharacteristics *<BR> SizeOfStackReserve *<BR> SizeOfStackCommit *<BR> SizeOfHeapReserve *<BR> SizeOfHeapCommit *<BR> LoaderFlags<BR> NumberOfRvaAndSizes *<BR> DataDirectory<BR>IMAGE_OPTIONAL_HEADER32 ENDS<o:p></o:p></SPAN></P>
0 W. D2 i" j3 q. Y3 C4 H- ^<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">對(duì)于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DataDirectory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中不需要的成員可以不要���,只留下</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Export Directory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Import Directory</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">���。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>9 p% n2 c8 }! K
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">整個(gè)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PE Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的大小為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 88h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié),其中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Optional Header </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的大小為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 70h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié)���。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
7 d3 ^. g* c7 z( h9 C' i( ~+ d* K: X0 _<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3. Section Table<o:p></o:p></SPAN></P>
g q: i& O0 g3 m: ]2 b J6 ]<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">IMAGE_SECTION_HEADER STRUCT<BR> Name1 <-- ZTS </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">編寫(xiě)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR> union Misc<BR> PhysicalAddress<BR> VirtualSize <-- B4 00 00 00<BR> ends<BR> VirtualAddress <-- 00 00 00 00<BR> SizeOfRawData <-- B4 00 00 00<BR> PointerToRawData <-- 00 00 00 00<BR> PointerToRelocations <-- 00 00 00 00<BR> PointerToLinenumbers <-- 00 00 00 00<BR> NumberOfRelocations <-- 00 00<BR> NumberOfLinenumbers <-- 00 00<BR> Characteristics <-- E0 00 00 E0<BR>IMAGE_SECTION_HEADER ENDS<o:p></o:p></SPAN></P>! i) e. M r. U# a9 j% K
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">整個(gè)文件的內(nèi)容就是節(jié)的內(nèi)容�����,最后文件的全部?jī)?nèi)容會(huì)被完整的映射到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 400000h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地址處��。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>% J2 D( T H' H$ ?) c
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">因?yàn)橛成涞絻?nèi)存中后文件的內(nèi)容后面都是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����,所以相當(dāng)于節(jié)表以一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">元素結(jié)束��。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
+ d& V& q: a7 C1 m<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4. Import<o:p></o:p></SPAN></P>; g2 c3 x4 L4 U+ L) L
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">文件只需要從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> user32.dll </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">中輸入一個(gè)函數(shù)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MessageBoxA</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�,所以輸入表中有一個(gè)非</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和一個(gè)結(jié)束的全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員����。就因?yàn)橐WC有一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員來(lái)結(jié)束輸入表,所以也把輸入表放</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">在文件的末尾��,和節(jié)的情況一樣�,當(dāng)文件被映射到內(nèi)存中后,文件后面的內(nèi)容都是</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>0</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,就相當(dāng)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">于有一個(gè)全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>8 J3 J* ` x" V$ N* \
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一個(gè)輸入表成員的大小是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 20 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">字節(jié),在節(jié)表當(dāng)中找出沒(méi)有被利用的域用來(lái)放輸入表��,找到了從</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>SizeOfRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開(kāi)始的位置���。輸入表中的</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>OriginalFirstThunk </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����,</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">TimeDateStamp </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <BR>ForwarderChain </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">都是沒(méi)用的域�,不用管他們是什么值���,所以不會(huì)因?yàn)樵诠?jié)表中插入輸入表而</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">改變節(jié)表中有用的域:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">SizeOfRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> PointerToRawData </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
# ^3 R( V0 y* X<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還有的就是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Name </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FirstThunk </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">啦����,在文件中找到偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0Ch </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的地方寫(xiě)入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> user32.dll</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,然</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">后把</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>Name </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">指向偏移</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>0Ch</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">����,這個(gè)偏移就是文件頭中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> TimeDateStamp </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置。在文件中再</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">找到一個(gè)偏移位置</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 78h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">來(lái)放</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> IAT</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">��,然后把</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FirstThunk </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">指向偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 78h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,這個(gè)偏移是文件頭中</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR>NumberOfRvaAndSizes </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">的偏移位置��。在上面雖然說(shuō)了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> NumberOfRvaAndSizes </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">域不能隨便填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)(打了</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> * </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">標(biāo)志)�����,但這個(gè)域只要不填</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 2 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">以下的值就可以����,所以我們可以利用。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
/ \, A1 A5 J" `0 z& I9 N; W/ T<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">填好的樣子如下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>( l5 B7 v# I6 x
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000070 C4 01 00 80 00 00 00 00 ................<BR>00000080<BR>00000090 B4 00 00 00 ................<BR>000000A0 00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00 ............x...<o:p></o:p></SPAN></P>8 `# m( b8 @; `- q! n
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">為了減少文件的大小����,輸入</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> MessageBoxA </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">函數(shù)是通過(guò)序號(hào)的方式引入的。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
* _1 J# ?) A2 m: O: ]- s8 {3 |<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">手工寫(xiě)好輸入表之后把輸入表的偏移和大小填到</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> DataDirectory </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)組的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> Import Directory <BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員中去��,偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 9Ch</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">���,大小為</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>28h</SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
7 @3 g# r r. M2 m9 [7 y<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">代碼</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
: y5 t6 x4 ]% G" K3 U1 n<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">所有準(zhǔn)備工作做完就開(kāi)始寫(xiě)代碼���,代碼也需要從文件頭中間找沒(méi)用的域來(lái)存放���。找找文件頭發(fā)現(xiàn)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">還有兩個(gè)地方?jīng)]有被使用��,一個(gè)是</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> <SPAN lang=EN-US>MajorLinkerVersion </SPAN></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開(kāi)始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 14 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)字節(jié)�����,偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 1Eh</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">��,另</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">一個(gè)是</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> BaseOfCode </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">開(kāi)始的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 8 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">個(gè)字節(jié)����,偏移為</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 30h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
! Y. A' ], A/ b% ]<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">需要的代碼寫(xiě)好就是下面的樣子:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
4 B4 A+ G+ ~8 Y6 q9 y, G<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">0000001E: 6A00 push 0<BR>00000020: B88C004000 mov eax,40008C<BR>00000025: 50 push eax<BR>00000026: 50 push eax<BR>00000027: 6A00 push 0<BR>00000029: EB05 jmp 000000030<o:p></o:p></SPAN></P>
|0 q5 S/ [2 O" o" {<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">00000030: FF1578004000 call dword ptr [00400078]<BR>00000036: C3 ret<o:p></o:p></SPAN></P>+ g4 u2 [2 H f
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">把代碼對(duì)應(yīng)的</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 16 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">進(jìn)制值填到偏移</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 1Eh </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">和</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 30h </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">處就行了���。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>2 Z8 d, x3 ]$ Y. G- A. z5 D( [
<P style="LINE-HEIGHT: 150%"><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">保存文件�����,所有的工作就結(jié)束了����。最后把注意事項(xiàng)再總結(jié)一下:</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>
- h& e9 J9 h4 t3 l3 t. ?# S5 k+ Y) \6 i<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">1. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 200h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">�����,則要求</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment == SectionAlignment >= 2<o:p></o:p></SPAN></P>
0 o0 u! }+ {, }* C<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">2. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">如果</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> FileAlignment </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 200h</SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">,則要求</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> VirtualAddress == PointerToRawData<o:p></o:p></SPAN></P>
7 B3 q, b7 e" O<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">3. VirtualSize <= SizeOfRawData<o:p></o:p></SPAN></P>* y3 a0 {4 u# v$ ]7 F9 g- o
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">4. SizeOfHeaders < SizeOfImage<o:p></o:p></SPAN></P># |; E1 y8 A4 ^7 S ^, c1 |) w
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">5. NumberOfRvaAndSizes >= 2 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">數(shù)據(jù)目錄結(jié)構(gòu)的數(shù)量要求不小于</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 2<o:p></o:p></SPAN></P>
; Z2 l- N# T+ ~/ J3 |4 P+ @) ~: u: H<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial">6. </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">節(jié)表和輸入表都要求有一個(gè)結(jié)束的全</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"> 0 </SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">成員</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P>: e5 L/ O) J6 \- l) B& e
<P style="LINE-HEIGHT: 150%"><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">胡亂寫(xiě)了一點(diǎn)����,希望不會(huì)浪費(fèi)大家太多時(shí)間,如果有錯(cuò)誤還望各位大俠指點(diǎn)指點(diǎn)�,也好讓象我這</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><BR></SPAN><SPAN style="FONT-SIZE: 9pt; COLOR: #333333; mso-bidi-font-family: Arial; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial">樣的菜鳥(niǎo)能多學(xué)一些東西。</SPAN><SPAN lang=EN-US style="FONT-SIZE: 9pt; COLOR: #333333; FONT-FAMILY: Arial"><o:p></o:p></SPAN></P> |
發(fā)表于 2008-9-28 16:38:19
QQ好友和群
QQ空間
提升卡
置頂卡
沉默卡
喧囂卡
變色卡
顯身卡