ASPack UnPack
Unpacking ASPack comes down to two main methods (there may be others).
1. Find the retn 0c instruction; the address of the PUSH ~~~ part below it is the OEP.
2. Trace the pushad; once all the registers have been pushed onto the stack, set a hardware breakpoint on the value in ESP and keep tracing.
[Python Challenge] Level 1. maketrans()
str.maketrans(intab, outtab)
Parameters
- intab − This is the string having the actual characters.
- outtab − This is the string having the corresponding mapping characters.
example code :
intab = "aeiou"
outtab = "12345"
trantab = str.maketrans(intab, outtab)   # build the translation table
text = "this is string example....wow!!!"  # named text so the built-in str is not shadowed
print(text.translate(trantab))
Result
When we run the above program, it produces the following result −
th3s 3s str3ng 2x1mpl2....w4w!!!
[PE FORMAT] -5- Section Header
Reference:
The benefit gained from splitting a PE file into many sections: stability.
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
<member>
Name
An 8-byte, null-padded UTF-8 string. There is no terminating null character if the string is exactly eight characters long. For longer names, this member contains a forward slash (/) followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than eight characters.
Misc.VirtualSize
The total size of the section when loaded into memory, in bytes. If this value is greater than the SizeOfRawData member, the section is filled with zeroes. This field is valid only for executable images and should be set to 0 for object files.
VirtualAddress
The address of the first byte of the section when loaded into memory, relative to the image base. For object files, this is the address of the first byte before relocation is applied.
SizeOfRawData
The size of the initialized data on disk, in bytes. This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure. If this value is less than the VirtualSize member, the remainder of the section is filled with zeroes. If the section contains only uninitialized data, the member is zero.
PointerToRawData
A file pointer to the first page within the COFF file. This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure. If a section contains only uninitialized data, this member is zero.
Characteristics
The characteristics of the image. The following values are defined.
(section attributes)
| Flag | Meaning |
|---|---|
| | Reserved. |
| | Reserved. |
| | Reserved. |
| | Reserved. |
| | The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. |
| | Reserved. |
| | The section contains executable code. |
| | The section contains initialized data. |
| | The section contains uninitialized data. |
| | Reserved. |
| | The section contains comments or other information. This is valid only for object files. |
| | Reserved. |
| | The section will not become part of the image. This is valid only for object files. |
| | The section contains COMDAT data. This is valid only for object files. |
| | Reserved. |
| | Reset speculative exceptions handling bits in the TLB entries for this section. |
| | The section contains data referenced through the global pointer. |
| | Reserved. |
| | Reserved. |
| | Reserved. |
| | Reserved. |
| | Align data on a 1-byte boundary. This is valid only for object files. |
| | Align data on a 2-byte boundary. This is valid only for object files. |
| | Align data on a 4-byte boundary. This is valid only for object files. |
| | Align data on an 8-byte boundary. This is valid only for object files. |
| | Align data on a 16-byte boundary. This is valid only for object files. |
| | Align data on a 32-byte boundary. This is valid only for object files. |
| | Align data on a 64-byte boundary. This is valid only for object files. |
| | Align data on a 128-byte boundary. This is valid only for object files. |
| | Align data on a 256-byte boundary. This is valid only for object files. |
| | Align data on a 512-byte boundary. This is valid only for object files. |
| | Align data on a 1024-byte boundary. This is valid only for object files. |
| | Align data on a 2048-byte boundary. This is valid only for object files. |
| | Align data on a 4096-byte boundary. This is valid only for object files. |
| | Align data on an 8192-byte boundary. This is valid only for object files. |
| | The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that are reserved for it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section. |
| | The section can be discarded as needed. |
| | The section cannot be cached. |
| | The section cannot be paged. |
| | The section can be shared in memory. |
| | The section can be executed as code. |
| | The section can be read. |
| | The section can be written to. |
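As an added example (not code from the page or from Microsoft's headers), the following Python decodes a section table with the field layout above and uses VirtualAddress, VirtualSize, SizeOfRawData and PointerToRawData to map an RVA to a file offset, returning None for RVAs that fall in the zero-filled tail where VirtualSize exceeds SizeOfRawData. The sample section table is constructed inline; the IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE bit values are taken from winnt.h and are an assumption here, since the page lists only the flag meanings.

```python
import struct
from collections import namedtuple

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # members in declaration order, little-endian, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000   # winnt.h bit values, assumed

SectionHeader = namedtuple("SectionHeader", "name virtual_size virtual_address size_of_raw_data "
                                            "pointer_to_raw_data characteristics")


def parse_section_table(blob, number_of_sections):
    """Decode number_of_sections consecutive IMAGE_SECTION_HEADERs starting at blob[0]."""
    if len(blob) < number_of_sections * SECTION_HEADER_SIZE:
        raise ValueError("section table truncated")
    sections = []
    for i in range(number_of_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")   # 8 bytes, null-padded, no terminator
        # fields[5:9] are the relocation / line-number members, which executable images do not use
        sections.append(SectionHeader(name, fields[1], fields[2], fields[3], fields[4], fields[9]))
    return sections


def rva_to_file_offset(sections, rva):
    """Map an RVA to the file offset that backs it. Returns None when no section covers the
    RVA, or when it lies in the zero-filled tail of a section whose VirtualSize > SizeOfRawData."""
    for s in sections:
        delta = rva - s.virtual_address
        if 0 <= delta < s.virtual_size:
            return s.pointer_to_raw_data + delta if delta < s.size_of_raw_data else None
    return None


def is_writable_and_executable(s):
    """Both MEM_WRITE and MEM_EXECUTE set: a common tell of packed or self-modifying code, worth flagging in triage."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return (s.characteristics & wx) == wx


def make_section(name, vsize, va, rawsize, rawptr, chars):
    """Pack one constructed header; relocation and line-number members are left zero."""
    return struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                       vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed sample table: .data is larger in memory than on disk; .stub is a W+X section.
# Characteristics values are winnt.h bit combinations (code|exec|read, data|read|write, code|exec|read|write).
SAMPLE_TABLE = (make_section(".text", 0x1800, 0x1000, 0x1A00, 0x400, 0x60000020)
                + make_section(".data", 0x3000, 0x3000, 0x0200, 0x1E00, 0xC0000040)
                + make_section(".stub", 0x0800, 0x6000, 0x0800, 0x2000, 0xE0000020))
```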
[PE FORMAT] -4- NT Header (DOS Sign, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER)
Reference:
The NT Header structure is IMAGE_NT_HEADERS.
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature; // PE sign (50 45 00 00)
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
size: 0xF8
<member>
[DWORD Signature]
[IMAGE_FILE_HEADER FileHeader;]
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Machine
The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the specified computer. This member can be one of the following values.
| Value | Meaning |
|---|---|
| | x86 |
| | Intel Itanium |
| | x64 |
NumberOfSections
The number of sections. This indicates the size of the section table, which immediately follows the headers. Note that the Windows loader limits the number of sections to 96.
SizeOfOptionalHeader
The size of the optional header, in bytes. This value should be 0 for object files.
Characteristics
The characteristics of the image. This member can be one or more of the following values.
| Value | Meaning |
|---|---|
| | Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error. |
| | The file is executable (there are no unresolved external references). |
| | COFF line numbers were stripped from the file. |
| | COFF symbol table entries were stripped from the file. |
| | Aggressively trim the working set. This value is obsolete. |
| | The application can handle addresses larger than 2 GB. |
| | The bytes of the word are reversed. This flag is obsolete. |
| | The computer supports 32-bit words. |
| | Debugging information was removed and stored separately in another file. |
| | If the image is on removable media, copy it to and run it from the swap file. |
| | If the image is on the network, copy it to and run it from the swap file. |
| | The image is a system file. |
| | The image is a DLL file. While it is an executable file, it cannot be run directly. |
| | The file should be run only on a uniprocessor computer. |
| | The bytes of the word are reversed. This flag is obsolete. |
[IMAGE_OPTIONAL_HEADER32 OptionalHeader;]
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
Magic
The state of the image file. This member can be one of the following values.
| Value | Meaning |
|---|---|
| | The file is an executable image. This value is defined as IMAGE_NT_OPTIONAL_HDR32_MAGIC in a 32-bit application and as IMAGE_NT_OPTIONAL_HDR64_MAGIC in a 64-bit application. |
| | The file is an executable image. |
| | The file is an executable image. |
| | The file is a ROM image. |
AddressOfEntryPoint
A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.
(holds the RVA of the entry point)
ImageBase
The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
(the starting point at which the PE file is loaded)
SectionAlignment
The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the FileAlignment member. The default value is the page size for the system.
(the minimum unit of a section in memory)
SizeOfImage
The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
SizeOfHeaders
The combined size of the following items, rounded to a multiple of the value specified in the FileAlignment member.
- e_lfanew member of IMAGE_DOS_HEADER
- 4 byte signature
- size of IMAGE_FILE_HEADER
- size of optional header
- size of all section headers
Subsystem
The subsystem required to run this image. The following values are defined.
| Value | Meaning |
|---|---|
| | Unknown subsystem. |
| | No subsystem required (device drivers and native system processes). |
| | Windows graphical user interface (GUI) subsystem. |
| | Windows character-mode user interface (CUI) subsystem. |
| | OS/2 CUI subsystem. |
| | POSIX CUI subsystem. |
| | Windows CE system. |
| | Extensible Firmware Interface (EFI) application. |
| | EFI driver with boot services. |
| | EFI driver with run-time services. |
| | EFI ROM image. |
| | Xbox system. |
| | Boot application. |
NumberOfRvaAndSizes
The number of directory entries in the remainder of the optional header. Each entry describes a location and size.
DataDirectory
The following is a list of the data directories. Offsets are relative to the beginning of the optional header.
| Offset (PE/PE32+) | Description |
|---|---|
| 96/112 | Export table address and size |
| 104/120 | Import table address and size |
| 112/128 | Resource table address and size |
| 120/136 | Exception table address and size |
| 128/144 | Certificate table address and size |
| 136/152 | Base relocation table address and size |
| 144/160 | Debugging information starting address and size |
| 152/168 | Architecture-specific data address and size |
| 160/176 | Global pointer register relative virtual address |
| 168/184 | Thread local storage (TLS) table address and size |
| 176/192 | Load configuration table address and size |
| 184/200 | Bound import table address and size |
| 192/208 | Import address table address and size |
| 200/216 | Delay import descriptor address and size |
| 208/224 | The CLR header address and size |
| 216/232 | Reserved |
[PE FORMAT] -2- DOS MZ HEADER
The PE header begins with an IMAGE_DOS_HEADER structure, which is an extension of the DOS EXE header.
typedef struct _IMAGE_DOS_HEADER {
WORD e_magic;
.
.
.
LONG e_lfanew; // 4-byte file offset of IMAGE_NT_HEADERS
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
* structure size: 0x40
<must-see members>
e_magic : DOS signature (4D5A -> "MZ")
e_lfanew : address of IMAGE_NT_HEADERS (offset: 00 00 00 E8 ; little-endian)
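As an added example that is not part of the original notes, the following Python walks a PE32 header the way the -2- (DOS MZ header) and -4- (NT header) sections describe it: the MZ signature, e_lfanew, the PE\0\0 signature, IMAGE_FILE_HEADER, then the IMAGE_OPTIONAL_HEADER32 members singled out above and the data directories at offset 96, with every offset bounds-checked before it is read. The member offsets, the 0x3C position of e_lfanew, the magic 0x10B and the Machine/Characteristics constants come from winnt.h and are assumptions here rather than values from the page; the sample image is constructed by build_sample_image() and contains headers only.

```python
import struct

PE_SIGNATURE = b"PE\0\0"          # page: 50 45 00 00
E_LFANEW_OFFSET = 0x3C            # last IMAGE_DOS_HEADER member; offset assumed from winnt.h
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER members in declaration order, 20 bytes
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER_FMT)
DATA_DIRECTORY_OFFSET = 96        # page's table: PE32 directories begin at 96; each entry is (RVA, Size)
# (offset, format) of the IMAGE_OPTIONAL_HEADER32 members the notes single out; winnt.h layout, assumed
OPT32 = {"Magic": (0, "<H"), "AddressOfEntryPoint": (16, "<I"), "ImageBase": (28, "<I"),
         "SectionAlignment": (32, "<I"), "FileAlignment": (36, "<I"), "SizeOfImage": (56, "<I"),
         "SizeOfHeaders": (60, "<I"), "Subsystem": (68, "<H"), "NumberOfRvaAndSizes": (92, "<I")}


def parse_nt_headers(image):
    """Follow e_lfanew to IMAGE_NT_HEADERS and decode the members above; every offset is
    bounds-checked first so a crafted header cannot make the parser read past the buffer."""
    if len(image) < 0x40 or image[:2] != b"MZ":                   # 0x40 = sizeof(IMAGE_DOS_HEADER)
        raise ValueError("missing or truncated DOS header")
    e_lfanew, = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    opt = e_lfanew + 4 + FILE_HEADER_LEN                           # where the optional header starts
    if opt > len(image) or image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("bad e_lfanew or PE signature")
    fh = dict(zip(("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                   "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics"),
                  struct.unpack_from(FILE_HEADER_FMT, image, e_lfanew + 4)))
    if fh["SizeOfOptionalHeader"] < DATA_DIRECTORY_OFFSET or opt + fh["SizeOfOptionalHeader"] > len(image):
        raise ValueError("optional header truncated")
    oh = {k: struct.unpack_from(fmt, image, opt + off)[0] for k, (off, fmt) in OPT32.items()}
    if oh["Magic"] != 0x10B:                                       # IMAGE_NT_OPTIONAL_HDR32_MAGIC, assumed
        raise ValueError("not a PE32 optional header")
    # NumberOfRvaAndSizes is under the file author's control: cap it at the slots the header really holds
    ndirs = min(oh["NumberOfRvaAndSizes"], (fh["SizeOfOptionalHeader"] - DATA_DIRECTORY_OFFSET) // 8)
    dirs = [struct.unpack_from("<II", image, opt + DATA_DIRECTORY_OFFSET + 8 * i) for i in range(ndirs)]
    return {"e_lfanew": e_lfanew, "FileHeader": fh, "OptionalHeader": oh, "DataDirectory": dirs,
            "SectionTableOffset": opt + fh["SizeOfOptionalHeader"]}


def build_sample_image():
    """Constructed header-only PE32 blob (not a runnable program), e_lfanew = 0xE8 as in the notes."""
    e_lfanew, opt = 0xE8, 0xE8 + 4 + FILE_HEADER_LEN
    img = bytearray(opt + 0xE0)                                    # 0xE0 = sizeof(IMAGE_OPTIONAL_HEADER32)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    # Machine 0x14C (x86), 3 sections, SizeOfOptionalHeader 0xE0, Characteristics 0x102 (EXECUTABLE | 32BIT)
    struct.pack_into(FILE_HEADER_FMT, img, e_lfanew + 4, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    for name, value in {"Magic": 0x10B, "AddressOfEntryPoint": 0x1000, "ImageBase": 0x400000,
                        "SectionAlignment": 0x1000, "FileAlignment": 0x200, "SizeOfImage": 0x7000,
                        "SizeOfHeaders": 0x400, "Subsystem": 2, "NumberOfRvaAndSizes": 16}.items():
        struct.pack_into(OPT32[name][1], img, opt + OPT32[name][0], value)
    struct.pack_into("<II", img, opt + DATA_DIRECTORY_OFFSET + 8, 0x3000, 0x80)   # import table (RVA, size)
    return bytes(img)
```

The returned SectionTableOffset is where the IMAGE_SECTION_HEADER array from the -5- section starts, so the two parsers chain naturally.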