A Programmer's Self-Cultivation (程式設計師的自我修養), Chapter 5
Transcript

  • 1. A Programmer's Self-Cultivation (程式設計師的自我修養), Chapter 5: Windows PE/COFF. Shu-Yu Fu
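  • 2. Windows binary file formats: PE/COFF
    Diagram labels: PE, PE+ (64-bit), COFF, ELF; COFF (*.obj) → Linker → PE (*.exe)
        // place the following initialized globals in a section named FOO
        #pragma data_seg("FOO")
        int global = 1;
        // switch back to the default .data section
        #pragma data_seg(".data")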
  • 3. PE's predecessor: COFF
    File layout, top to bottom:
        Image Header: IMAGE_FILE_HEADER
        Section Table: IMAGE_SECTION_HEADER[ ]
        .code / CODE / .text
        .data / DATA
        .drectve
        .debug$S
        ... other sections
        Symbol Table
  • 4. PE's predecessor: COFF (Image Header)
        File Type: COFF OBJECT

        FILE HEADER VALUES
                     14C machine (x86)
                       5 number of sections
                4F98DB48 time date stamp Thu Apr 26 13:21:12 2012
                     1E8 file pointer to symbol table
                      14 number of symbols
                       0 size of optional header
                       0 characteristics
  • 5. PE's predecessor: COFF (Section Header)
        typedef struct _IMAGE_SECTION_HEADER {
            BYTE  Name[8];
            union {
                DWORD PhysicalAddress;
                // size after being loaded into memory
                DWORD VirtualSize;
            } Misc;
            // address after being loaded into memory
            DWORD VirtualAddress;
            // size of this section in the file
            DWORD SizeOfRawData;
            DWORD PointerToRawData;
            DWORD PointerToRelocations;
            DWORD PointerToLinenumbers;
            WORD  NumberOfRelocations;
            WORD  NumberOfLinenumbers;
            // attributes of this section
            DWORD Characteristics;
        } IMAGE_SECTION_HEADER;
  • 6. Linker directive information (Directive)
    Arguments the compiler wants to pass to the linker.
        SECTION HEADER #1
        .drectve name
               0 physical address
               0 virtual address
              18 size of raw data
              DC file pointer to raw data (000000DC to 000000F3)
               0 file pointer to relocation table
               0 file pointer to line numbers
               0 number of relocations
               0 number of line numbers
          100A00 flags
                 Info
                 Remove
                 1 byte align

        RAW DATA #1
          00000000: 20 20 20 2F 44 45 46 41 55 4C 54 4C 49 42 3A 22     /DEFAULTLIB:"
          00000010: 4C 49 42 43 4D 54 22 20                          LIBCMT"

           Linker Directives
           -----------------
           /DEFAULTLIB:"LIBCMT"
  • 7. Debug information
    ● Sections whose names start with .debug all contain debug information, for example:
    ● .debug$S contains symbol-related debug information
    ● .debug$P => precompiled header files
    ● .debug$T => type
    ● The exact formats are defined in the PE file format standard
  • 8. Everyone has a symbol table
    Columns: index, space (size), location, type, scope, name
        COFF SYMBOL TABLE
        000 0083521E ABS    notype       Static       | @comp.id
        001 00000001 ABS    notype       Static       | @feat.00
        002 00000000 SECT1  notype       Static       | .drectve
            Section length   18, #relocs    0, #linenums    0, checksum        0
        004 00000000 SECT2  notype       Static       | .debug$S
            Section length   68, #relocs    0, #linenums    0, checksum        0
        006 00000004 UNDEF  notype       External     | _global_uninit_var
        007 00000000 SECT3  notype       Static       | .data
            Section length    C, #relocs    0, #linenums    0, checksum 2FC02927
        009 00000000 SECT3  notype       External     | _global_init_var
        00A 00000004 SECT3  notype       Static       | $SG720
        00B 00000008 SECT3  notype       Static       | ?static_var@?1??main@@9@9 (`main::`2::static_var)
        00C 00000000 SECT4  notype       Static       | .text
            Section length   4E, #relocs    5, #linenums    0, checksum CC61DB94
        00E 00000000 SECT4  notype ()    External     | _func1
        00F 00000000 UNDEF  notype ()    External     | _printf
        010 00000020 SECT4  notype ()    External     | _main
        011 00000000 SECT5  notype       Static       | .bss
            Section length    4, #relocs    0, #linenums    0, checksum        0
        013 00000000 SECT5  notype       Static       | ?static_var2@?1??main@@9@9 (`main::`2::static_var
    Slide annotation next to $SG720: automatically generated symbol
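  • 9. The ELF of Windows: PE
    Diagram labels: DOS MZ executable format header and stub routine; e_lfanew; the real PE header; the _WIN64 macro decides whether the 64-bit or 32-bit version is used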
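  • 10. PE data directories
    ● Store what is needed to quickly find the data required for loading
      ○ Import table
      ○ Export table
      ○ Data
      ○ Relocation table
      ○ ... etc.
    ● Related to dynamic loading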
  • 11. Chapter summary
    ● PE/COFF files produced with MINGW do not seem to have a .drectve section
  • 12. Homework
    ● How do you recognize a COFF file?
    ● Compute the checksum
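
Added example (not from the slides): a minimal Python parser for the IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER layouts shown on slides 4 to 6, with the bounds checks a parser needs before it trusts offsets in an object file. The sample bytes are constructed from the values on those slides; the function names, the four empty placeholder sections and the omitted symbol table are assumptions of this example.

```python
import struct

# winnt.h layouts, little-endian: IMAGE_FILE_HEADER (20 bytes) and
# IMAGE_SECTION_HEADER (40 bytes, the struct on slide 5).
FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
LNK_FLAGS = {0x200: "Info", 0x800: "Remove"}  # IMAGE_SCN_LNK_INFO / _REMOVE
ALIGN_MASK = 0x00F00000  # field value n means 2**(n-1) byte alignment

def decode_flags(characteristics):
    """Name the flag bits the way the dump on slide 6 prints them."""
    names = [n for bit, n in LNK_FLAGS.items() if characteristics & bit]
    align = (characteristics & ALIGN_MASK) >> 20
    if align:
        names.append(f"{1 << (align - 1)} byte align")
    return names

def parse_coff(data):
    """Parse file header and section table, rejecting out-of-bounds offsets."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("truncated file header")
    machine, nsect, stamp, symptr, nsyms, optsize, _ = FILE_HEADER.unpack_from(data)
    table = FILE_HEADER.size + optsize
    if table + nsect * SECTION_HEADER.size > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsect):
        f = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = f[3], f[4]
        if raw_ptr and raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r}: raw data out of bounds")
        sections.append({"name": name, "flags": decode_flags(f[9]),
                         "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"machine": machine, "timestamp": stamp, "symtab": symptr,
            "nsyms": nsyms, "sections": sections}

def build_sample():
    """Constructed bytes reusing slides 4 and 6 values; symbol table omitted."""
    raw = b'   /DEFAULTLIB:"LIBCMT" '
    hdr = FILE_HEADER.pack(0x14C, 5, 0x4F98DB48, 0x1E8, 0x14, 0, 0)
    drectve = SECTION_HEADER.pack(b".drectve", 0, 0, len(raw), 0xDC,
                                  0, 0, 0, 0, 0x100A00)
    filler = SECTION_HEADER.pack(b"", 0, 0, 0, 0, 0, 0, 0, 0, 0) * 4  # placeholders
    return hdr + drectve + filler + raw

if __name__ == "__main__":
    print(parse_coff(build_sample())["sections"][0])
```

With five 40-byte section headers after the 20-byte file header, the first raw data lands at offset 0xDC, matching the file pointer shown on slide 6.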