Introduction to reverse debugging PE structure resource table 07/07
2022-07-04 13:48:00 【51CTO】
Resource table:
The resources in a PE file can be located by walking the resource directory tree inside the program; the binary bytes obtained this way correspond one-to-one to the statements of the resource script they were compiled from.
Such data may be used inside the source code, for example menu items and interface text, or may come from outside it, for example the program's icon file, background music or configuration files. Collectively these data are called resources.
Common resources
The six kinds of resources most commonly used in programs are:
1. Bitmap resources
2. Cursor resources
3. Icon resources
4. Menu resources
5. Dialog resources
6. Custom resources
Structure (MASM notation, offsets relative to the start of the structure):
IMAGE_RESOURCE_DIRECTORY STRUCT
    Characteristics      dd ?  ; 0000h  resource attributes (reserved, normally 0)
    TimeDateStamp        dd ?  ; 0004h  time stamp
    MajorVersion         dw ?  ; 0008h  resource major version number
    MinorVersion         dw ?  ; 000Ah  resource minor version number
    NumberOfNamedEntries dw ?  ; 000Ch  number of entries identified by a name string
    NumberOfIdEntries    dw ?  ; 000Eh  number of entries identified by a numeric ID
IMAGE_RESOURCE_DIRECTORY ENDS
The directory header is immediately followed by NumberOfNamedEntries + NumberOfIdEntries entries of the type described next, named entries first.
Resource directory entry structure
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
    union {
        struct {
            DWORD NameOffset : 31;        // offset of the name string, relative to the resource section start
            DWORD NameIsString : 1;       // 1 = the entry is identified by a string, 0 = by an ID
        };
        DWORD Name;                       // resource type / name / language, depending on the level
        WORD  Id;                         // numeric resource ID (low word)
    };
    union {
        DWORD OffsetToData;               // offset of an IMAGE_RESOURCE_DATA_ENTRY, relative to the section start
        struct {
            DWORD OffsetToDirectory : 31; // offset of a subdirectory, relative to the section start
            DWORD DataIsDirectory : 1;    // 1 = points to a subdirectory, 0 = points to a data entry
        };
    };
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
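To make the two structures above concrete, here is an added example (it is not code from the original post, nor from Resource Hacker, eXeScope or Stud_PE). It builds a small constructed .rsrc section containing an RT_MENU resource named by a string and an RT_ICON resource identified by ID, each with one language subdirectory and one data entry, then walks the three-level tree (type, name or ID, language) exactly as the high bit of each entry field directs. The section RVA 0x3000, the resource names and the resource contents are assumptions; bounds and depth checks make a truncated or deliberately malformed tree raise an error instead of reading outside the section, which is the failure mode that trips up hand analysis.

```python
import struct

# Well-known resource type IDs found at the first level of the tree.
RESOURCE_TYPE_NAMES = {
    1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU",
    5: "RT_DIALOG", 6: "RT_STRING", 12: "RT_GROUP_CURSOR", 14: "RT_GROUP_ICON",
}

DIR_FMT = "<IIHHHH"  # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, NumberOfNamed, NumberOfId
ENTRY_FMT = "<II"    # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
DATA_FMT = "<IIII"   # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
HIGH_BIT = 0x80000000
SECTION_RVA = 0x3000  # assumed RVA of the .rsrc section in the constructed sample


def _unpack(fmt, blob, off):
    """unpack_from with an explicit bounds check so a truncated tree raises cleanly."""
    if off < 0 or off + struct.calcsize(fmt) > len(blob):
        raise ValueError(f"resource structure at offset {off:#x} lies outside the section")
    return struct.unpack_from(fmt, blob, off)


def _read_dir_string(blob, off):
    """IMAGE_RESOURCE_DIR_STRING_U: WORD character count followed by UTF-16LE characters."""
    (length,) = _unpack("<H", blob, off)
    start = off + 2
    if start + 2 * length > len(blob):
        raise ValueError("resource name string runs past the end of the section")
    return blob[start:start + 2 * length].decode("utf-16-le")


def _walk(blob, section_rva, dir_off, path, depth):
    # A well-formed tree is type -> name/ID -> language: at most three directory levels.
    if depth > 2:
        raise ValueError("resource directory nesting deeper than three levels")
    _, _, _, _, n_named, n_id = _unpack(DIR_FMT, blob, dir_off)
    found = []
    entry_off = dir_off + struct.calcsize(DIR_FMT)  # entries follow the 16-byte header
    for _ in range(n_named + n_id):
        name_field, data_field = _unpack(ENTRY_FMT, blob, entry_off)
        entry_off += struct.calcsize(ENTRY_FMT)
        if name_field & HIGH_BIT:                      # NameIsString == 1: NameOffset is section-relative
            key = _read_dir_string(blob, name_field & 0x7FFFFFFF)
        else:                                          # Id lives in the low WORD
            key = name_field & 0xFFFF
            if depth == 0:
                key = RESOURCE_TYPE_NAMES.get(key, key)
        if data_field & HIGH_BIT:                      # DataIsDirectory == 1: OffsetToDirectory
            found.extend(_walk(blob, section_rva, data_field & 0x7FFFFFFF, path + (key,), depth + 1))
        else:                                          # leaf: OffsetToData -> IMAGE_RESOURCE_DATA_ENTRY
            rva, size, _codepage, _reserved = _unpack(DATA_FMT, blob, data_field)
            raw = rva - section_rva                    # data entries hold RVAs, directories hold section offsets
            if raw < 0 or raw + size > len(blob):
                raise ValueError("resource data lies outside the section")
            found.append((path + (key,), bytes(blob[raw:raw + size])))
    return found


def list_resources(section, section_rva):
    """Return [(path, data)] for every leaf resource; path is (type, name_or_id, language)."""
    return _walk(section, section_rva, 0, (), 0)


def tree_is_well_formed(section, section_rva):
    """True if the whole tree can be walked without leaving the section."""
    try:
        list_resources(section, section_rva)
        return True
    except ValueError:
        return False


def _dir(n_named, n_id):
    return struct.pack(DIR_FMT, 0, 0, 0, 0, n_named, n_id)


def _entry(name_or_id, offset, is_dir):
    return struct.pack(ENTRY_FMT, name_or_id, offset | (HIGH_BIT if is_dir else 0))


def build_sample_section():
    """Constructed .rsrc section: RT_ICON id 1 and RT_MENU named "MAINMENU", both language 0x0409."""
    blob = bytearray()
    blob += _dir(0, 2)                        # 0:   root directory, two ID entries sorted by type
    blob += _entry(3, 96, True)               # 16:  RT_ICON  -> directory at 96
    blob += _entry(4, 32, True)               # 24:  RT_MENU  -> directory at 32
    blob += _dir(1, 0)                        # 32:  RT_MENU level, one named entry
    blob += _entry(HIGH_BIT | 160, 56, True)  # 48:  name string at 160 -> language directory at 56
    blob += _dir(0, 1)                        # 56:  language level for the menu
    blob += _entry(0x0409, 80, False)         # 72:  language 0x0409 -> data entry at 80
    blob += struct.pack(DATA_FMT, SECTION_RVA + 180, 8, 0, 0)  # 80: menu data entry
    blob += _dir(0, 1)                        # 96:  RT_ICON level, one ID entry
    blob += _entry(1, 120, True)              # 112: icon ID 1 -> language directory at 120
    blob += _dir(0, 1)                        # 120: language level for the icon
    blob += _entry(0x0409, 144, False)        # 136: language 0x0409 -> data entry at 144
    blob += struct.pack(DATA_FMT, SECTION_RVA + 188, 8, 0, 0)  # 144: icon data entry
    blob += struct.pack("<H", 8) + "MAINMENU".encode("utf-16-le") + b"\x00\x00"  # 160: name string, padded
    blob += b"MENUDATA"                       # 180: constructed menu bytes
    blob += b"ICONDATA"                       # 188: constructed icon bytes
    return bytes(blob)


if __name__ == "__main__":
    for path, data in list_resources(build_sample_section(), SECTION_RVA):
        print(path, data)
```

Two details the walker relies on are easy to get wrong by hand: every offset inside a directory or entry is relative to the start of the resource section, while the OffsetToData field of the final IMAGE_RESOURCE_DATA_ENTRY is a virtual address that must have the section RVA subtracted before it can be read from the file. The same code can be pointed at a real .rsrc section by reading the section's raw bytes and passing its VirtualAddress as section_rva.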
Let's experiment with tools.
The tools used are:
1. 360zip
2. Resource Hacker (or alternatively eXeScope)
3. Stud_PE
First, let's look at the PE resource table.
There are 9 resource groups.
The first resource table
Let's observe
Once we have a general understanding of the program's resource table,
open the program with Resource Hacker.
We modify the function of the menu.
The file will simulate the menu options.
Change the first-level menu.
Open the file in the secondary menu and change the name.
Select "compile script".
Save the file with "save as".
This file, if you open it directly:
We put the files in the program directory.
One is the genuine program, the other is our modified program (shell).
Normal screen
Modified screen
The modification succeeded.
Because the resource tables in the PE structure are nested layer by layer, they are difficult to analyze manually, so using tools is the best choice.