portable-executable

PEB (Process Environment Block) invalid DllBase address

人盡茶涼 submitted on 2020-05-17 04:32:19
Question: I am trying to get my own PEB and get my own module address. I wrote a simple code like this:
    PLIST_ENTRY myModule = (PLIST_ENTRY)pebLdr->InMemoryOrderModuleList.Flink;
    PLDR_DATA_TABLE_ENTRY myImageBase = (PLDR_DATA_TABLE_ENTRY)myModule;
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)myImageBase->DllBase;
But I don't see a proper PE header in dosHeader. This is what I see in the MSVC debugger in the dosHeader variable: e_magic=???, e_cblp=???. Why can't I get my own header? I checked everything,

Is there a way to find addresses of the code sections (.data, .text, etc) at runtime?

夙愿已清 submitted on 2020-02-05 05:36:44
Question: I want to write some code that will print the addresses and lengths of each of the code sections in its own process when run. Is there an easy way to do this? I know it is relatively easy to find the location of functions like main using code like void* main_address = main;, but I want to find sections like .data and .text and I don't know if I can do the same thing with them when I compile. I am writing this experiment on a Windows system and compiling for the x86 architecture. I know a

Size of exe file vs available memory

牧云@^-^@ submitted on 2020-01-29 13:24:00
Question: I have gone through "How does a PE file get mapped into memory?"; this is not what I am asking for. I want to know which sections (data, text, code, ...) of a PE file are always completely loaded into memory by the loader, no matter what the condition is. As per my understanding, none of the sections (code, data, resources, text, ...) are always loaded completely; they are loaded as and when needed, page by page. If a few pages of code (in the middle or at the end), are not required to process

Size of exe file vs available memory

扶醉桌前 submitted on 2020-01-29 13:22:26
Question: I have gone through "How does a PE file get mapped into memory?"; this is not what I am asking for. I want to know which sections (data, text, code, ...) of a PE file are always completely loaded into memory by the loader, no matter what the condition is. As per my understanding, none of the sections (code, data, resources, text, ...) are always loaded completely; they are loaded as and when needed, page by page. If a few pages of code (in the middle or at the end), are not required to process

Can a section in a Win32 PE contain a combination of both executable code, initialized data and uninitialized data?

自作多情 submitted on 2020-01-17 03:50:27
Question: Can a section in a Win32 PE contain a combination of both executable code, initialized data and uninitialized data? Is it possible for a section to contain any combination of code and (un)initialized data as section data, or can the section only contain one type of data? It is the Characteristics field of the section header that has flags that determine its properties, but I'm uncertain whether it is possible to mix things up. Below I've included the flags from the official PE documentation:

PE file add null bytes to .text section

|▌冷眼眸甩不掉的悲伤 submitted on 2020-01-16 14:33:13
Question: I have an exe and I need to increase the size of its .text section. I used LordPE to alter the Virtual and Raw address, but I am having a hard time with where to append the null bytes. Do I need to reallocate every following section? Is there a tool for similar tasks? I am following these links: tut2 tut1

Answer 1: What you must do depends on how many bytes you want to add to the section and the status of the section. If you just add a few bytes and the section has a gap big enough to contain the bytes to add,

jump stubs in PE files

本小妞迷上赌 submitted on 2020-01-14 13:11:08
Question: Recently I disassembled a DLL (written in C/C++) and noticed that there are many "jump stubs" inside the code segment. These stubs do nothing but jump to a function inside the DLL, e.g.: jmp foo() jmp foo2() ... Why does the compiler (Visual Studio 2012) include these function stubs inside the binary? Thanks!

Answer 1: Is there a big bunch of 0xCC bytes after all the stubs? If so, you're looking at code which has been compiled with incremental linking enabled (default for debug builds). When

How to build Windows XP application using Visual Studio command line + SCons?

末鹿安然 submitted on 2020-01-13 09:12:28
Question: Building a Windows XP application using the Visual Studio 2015 IDE isn't hard at all; you just need to use the right platform toolset (v120_xp or v140_xp) and make sure you install the proper redistributable Visual Studio runtime DLLs on the target machine, easy peasy. Now, I've been trying to figure out how to build an application targeting Windows XP without using the VS GUI but using the VS2015 command line + SCons. All the SCons flags are documented here but I don't see anything

DotPeek PDB generation for assemblies without debug directory

谁说我不能喝 submitted on 2020-01-12 03:16:11
Question: I'm attempting to use the JetBrains dotPeek 1.4 symbol server; however, I've encountered some 3rd party assemblies that fail, with a dotPeek status of: "Pdb has not been generated because assembly does not contain debug directory". Using CFF Explorer I've discovered that these assemblies have empty "Debug Directory" Portable Executable (PE) header values. Is there an (easy) way to edit the PE to add Debug Directory header values?

Answer 1: de4dot creates invalid .NET executable module in the eyes of dotPeek.

How to bind 64-bit and 32-bit executable into one?

浪子不回头ぞ submitted on 2020-01-11 05:13:06
Question: Alright, so my idea was some way to bind both 64-bit and 32-bit Windows executables into one application, so if it doesn't run the 64-bit version it would then try the 32-bit one. I was reading up about PEs and learned a little about the MS-DOS Real Mode Stub and it says how it invokes an application (usually an error message). But every time I tried to do research about the MS-DOS Real Mode Stub it seemed to only show error messages. So my idea was to overwrite the STUB with my 32-bit application. My