drip42

滴水逆向作业42

作业

步骤

dos头和pe头是大小固定的，可选pe头是不固定的，而节表和可选pe头是紧挨着的，所以算出前面的大小就可以算出节表的偏移

1.首先需要把pe文件读到内存

2.通过dos头中的 e_lfanew(DWORD)字段获得NT头的偏移(e_lfanew在dos头中的偏移位0x3c)

3.通过获得的NT头获得标准pe头中的 WORD SizeOfOptionalHeader(在标准pe头中偏移为0x10),就可以知道可选pe头的大小，同时在偏移为0x02位置获得 WORD NumberOfSections(节的数量)

4.e_lfanew + 4 + 0x14 + SizeOfOptionalHeader就是第一个节表的偏移

节表结构如下

代码

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
void* readtest()
{
	FILE* fp = fopen("test32.exe","rb");
	long n;
	void* p;
	if(fp == NULL)
	{
		printf("failed");
		exit(0);
	}
	fseek(fp,0,2); 
	n = ftell(fp);
	p = malloc(n);
	if(p == NULL)
	{
		printf("failed");
		exit(0);
	}
	fseek(fp,0,0);
	fread(p,1,n,fp);
	return p;
}
int main()
{
	char* p;
	p = (char*)readtest();
	int NT_offset;
	int sizeofoptionalheader;
	int numberofsections;
	int sec_offset;
	int i;
	NT_offset = *(int*)(p + 0x3c);
	sizeofoptionalheader = *(short*)(p + NT_offset + 4 + 0x10);
	numberofsections = *(short*)(p + NT_offset + 4 + 2);
	printf("DWORD e_lfanew:0x%x\n",NT_offset);
	printf("WORD SizeOfOptionalHeader:0x%x\n",sizeofoptionalheader);
	printf("WORD NumberOfSections:0x%x\n",numberofsections);
	sec_offset = NT_offset + 4 + 0x14 + sizeofoptionalheader;
	for(i=0;i<numberofsections;i++)
	{
		char tmp[9];
		tmp[8] = '\0';
		memcpy(tmp,(p + sec_offset + i*0x28),8);
		printf("Name:%s\n",tmp);
		printf("Misc:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 8));
		printf("VirtualAddress:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x0c));
		printf("SizeOfRawData:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x10));
		printf("PointerToRawData:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x14));
		printf("PointerToRelocations:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x18));
		printf("PointerToLinenumbers:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x1c));
		printf("NumberOfRelocations:0x%x\n",*(short*)(p + sec_offset + i*0x28 + 0x20));
		printf("NumberOfLinenumbers:0x%x\n",*(short*)(p + sec_offset + i*0x28 + 0x22));
		printf("Characteristics:0x%x\n",*(int*)(p + sec_offset + i*0x28 + 0x24));
	}
	return 0;
}