当前位置:网站首页>Introduction to reverse debugging PE structure resource table 07/07
Introduction to reverse debugging PE structure resource table 07/07
2022-07-04 13:48:00 【51CTO】
Resource table :
PE The related resources in can be located in depth through the program , There is one-to-one correspondence between the obtained binary bytecode and the resource script statement .
These data may be used internally in the source code , such as Menu options 、 Interface description, etc ; It may also be external to the source code , For example, the icon file of the program 、 Background music file 、 To configure Documents, etc. , These data are collectively referred to as resources .
Common resources
The six types of resources commonly used in programs include :
1、 Bitmap resources
2、 cursor resource
3、 Icon resources
4、 Menu resources
5、 Dialog resources
6、 Custom resources
Structure :
IMAGE_RESOURCE_DIRECTORY STRUCT
Characteristics //dd 0000h Resource attribute
TimeDatestamp //dd 0004h Time stamp
MajorVersion //dw 0008h Resource large version number
MinorVersion //dw 0008h Resource minor version number
NumberOfNamedEntries //dw Number of entries named by name
NumberOfIdEntries //dw Number of named entries
IMAGE RESOURCE DIRECTORY ENDS
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
Resource directory structure
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset : 31; // Resource name offset
DWORD NameIsString : 1; // The resource name is string
};
DWORD Name; // resources / Language type
WORD Id; // Resource numbers ID
};
union {
DWORD OffsetToData; // Data offset address
struct {
DWORD OffsetToDirectory : 31; // Subdirectory offset address
DWORD DataIsDirectory : 1; // Data is directory
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
We use tools to experiment
The tools are
1、360zip Program
2、resource hacker Or is it exescope
3、stud_pe
First let's look at PE Resource table
Yes 9 Resource groups
The first resource table
Let's observe
After we have a general understanding of the resource table of the program
Use resource Open the program
We modify the function of the menu
The file will simulate the menu options
Change the first level menu
Open the file in the secondary menu , Change the name
Select compile script
file save as
This document , If you open it directly
We put the files in the program directory
One is genuine , One is our modified program ( shell )
Normal picture
Modified screen
Modification successful .
because PE In the structure, resource tables are set one layer after another . Difficult to analyze manually , So using tools is the best choice .
边栏推荐
- C language Dormitory Management Query Software
- SQL语言
- JVM系列——栈与堆、方法区day1-2
- C语言小型商品管理系统
- Comprehensive evaluation of modular note taking software: craft, notation, flowus
- C#基础深入学习二
- 实时云交互如何助力教育行业发展
- C language dormitory management query software
- 《预训练周刊》第52期:屏蔽视觉预训练、目标导向对话
- XILINX/system-controller-c/BoardUI/无法连接开发板,任意操作后卡死的解决办法
猜你喜欢
Personalized online cloud database hybrid optimization system | SIGMOD 2022 selected papers interpretation
![[AI system frontier dynamics, issue 40] Hinton: my deep learning career and research mind method; Google refutes rumors and gives up tensorflow; The apotheosis framework is officially open source](/img/2c/b1d6277c1b23a6a77f90d5b2874759.png)
[AI system frontier dynamics, issue 40] Hinton: my deep learning career and research mind method; Google refutes rumors and gives up tensorflow; The apotheosis framework is officially open source
爬虫练习题(一)
分布式BASE理论
聊聊支付流程的设计与实现逻辑
高质量软件架构的唯一核心指标
unity不识别rider的其中一种解决方法
高效!用虚拟用户搭建FTP工作环境
After the game starts, you will be prompted to install HMS core. Click Cancel, and you will not be prompted to install HMS core again (initialization failure returns 907135003)
C#/VB. Net to add text / image watermarks to PDF documents
随机推荐
unity不识别rider的其中一种解决方法
诸神黄昏时代的对比学习
Using nsproxy to forward messages
Scripy framework learning
The old-fashioned synchronized lock optimization will make it clear to you at once!
. Net using redis
Building intelligent gray-scale data system from 0 to 1: Taking vivo game center as an example
高质量软件架构的唯一核心指标
CANN算子:利用迭代器高效实现Tensor数据切割分块处理
When MDK uses precompiler in header file, ifdef is invalid
光环效应——谁说头上有光的就算英雄
HAProxy高可用解决方案
Building intelligent gray-scale data system from 0 to 1: Taking vivo game center as an example
Etcd storage, watch and expiration mechanism
用fail2ban阻止密码尝试攻
Building intelligent gray-scale data system from 0 to 1: Taking vivo game center as an example
After the game starts, you will be prompted to install HMS core. Click Cancel, and you will not be prompted to install HMS core again (initialization failure returns 907135003)
读《认知觉醒》
Cors: standard scheme of cross domain resource request
Oracle 被 Ventana Research 评为数字创新奖总冠军