当前位置:网站首页>Introduction to reverse debugging PE structure resource table 07/07
Introduction to reverse debugging PE structure resource table 07/07
2022-07-04 13:48:00 【51CTO】
Resource table :
PE The related resources in can be located in depth through the program , There is one-to-one correspondence between the obtained binary bytecode and the resource script statement .
These data may be used internally in the source code , such as Menu options 、 Interface description, etc ; It may also be external to the source code , For example, the icon file of the program 、 Background music file 、 To configure Documents, etc. , These data are collectively referred to as resources .
Common resources
The six types of resources commonly used in programs include :
1、 Bitmap resources
2、 cursor resource
3、 Icon resources
4、 Menu resources
5、 Dialog resources
6、 Custom resources
Structure :
IMAGE_RESOURCE_DIRECTORY STRUCT
Characteristics //dd 0000h Resource attribute
TimeDatestamp //dd 0004h Time stamp
MajorVersion //dw 0008h Resource large version number
MinorVersion //dw 0008h Resource minor version number
NumberOfNamedEntries //dw Number of entries named by name
NumberOfIdEntries //dw Number of named entries
IMAGE RESOURCE DIRECTORY ENDS
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
Resource directory structure
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset : 31; // Resource name offset
DWORD NameIsString : 1; // The resource name is string
};
DWORD Name; // resources / Language type
WORD Id; // Resource numbers ID
};
union {
DWORD OffsetToData; // Data offset address
struct {
DWORD OffsetToDirectory : 31; // Subdirectory offset address
DWORD DataIsDirectory : 1; // Data is directory
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
We use tools to experiment
The tools are
1、360zip Program
2、resource hacker Or is it exescope
3、stud_pe
First let's look at PE Resource table
Yes 9 Resource groups
The first resource table
Let's observe
After we have a general understanding of the resource table of the program
Use resource Open the program
We modify the function of the menu
The file will simulate the menu options
Change the first level menu
Open the file in the secondary menu , Change the name
Select compile script
file save as
This document , If you open it directly
We put the files in the program directory
One is genuine , One is our modified program ( shell )
Normal picture
Modified screen
Modification successful .
because PE In the structure, resource tables are set one layer after another . Difficult to analyze manually , So using tools is the best choice .
边栏推荐
猜你喜欢
CTF competition problem solution STM32 reverse introduction
字节面试算法题
DGraph: 大规模动态图数据集
![[cloud native | kubernetes] in depth understanding of ingress (12)](/img/34/67eae1e5df89bb0a356a1c29a5e007.png)
[cloud native | kubernetes] in depth understanding of ingress (12)
![[AI system frontier dynamics, issue 40] Hinton: my deep learning career and research mind method; Google refutes rumors and gives up tensorflow; The apotheosis framework is officially open source](/img/2c/b1d6277c1b23a6a77f90d5b2874759.png)
[AI system frontier dynamics, issue 40] Hinton: my deep learning career and research mind method; Google refutes rumors and gives up tensorflow; The apotheosis framework is officially open source
面试官:Redis中哈希数据类型的内部实现方式是什么?
爬虫练习题(一)
CVPR 2022 | transfusion: Lidar camera fusion for 3D target detection with transformer
N++ is not reliable
上汽大通MAXUS正式发布全新品牌“MIFA”,旗舰产品MIFA 9正式亮相!
随机推荐
Personalized online cloud database hybrid optimization system | SIGMOD 2022 selected papers interpretation
在 Apache 上配置 WebDAV 服务器
AI painting minimalist tutorial
CVPR 2022 | transfusion: Lidar camera fusion for 3D target detection with transformer
实时云交互如何助力教育行业发展
三星量产3纳米产品引台媒关注:能否短期提高投入产出率是与台积电竞争关键
Apache服务器访问日志access.log设置
c#数组补充
《预训练周刊》第52期:屏蔽视觉预训练、目标导向对话
爬虫练习题(一)
老掉牙的 synchronized 锁优化,一次给你讲清楚!
动画与过渡效果
After the game starts, you will be prompted to install HMS core. Click Cancel, and you will not be prompted to install HMS core again (initialization failure returns 907135003)
模块化笔记软件综合评测:Craft、Notion、FlowUs
CTF competition problem solution STM32 reverse introduction
Go zero micro service practical series (IX. ultimate optimization of seckill performance)
Use fail2ban to prevent password attempts
n++也不靠谱
Comparative study of the gods in the twilight Era
Xilinx/system-controller-c/boardui/ unable to connect to the development board, the solution of jamming after arbitrary operation