
PE File Format, notepad

by bongin 2024. 6. 10.

① Address of Entry Point (RVA, from IMAGE_OPTIONAL_HEADER) : 21860
② Image Base (preferred load address, from IMAGE_OPTIONAL_HEADER) : 400000

③ EntryPoint (actual address seen in the debugger at run time) : 00DE1860

 

③ EntryPoint - ① Address of Entry Point = Loading Address

00DE1860 - 21860 = DC0000

Because of ASLR the image was loaded at DC0000 instead of its preferred Image Base 400000 (delta DC0000 - 400000 = 9C0000).

(Loading Address + Address of Entry Point = Entry Point)

 

----------

 

https://sean.tistory.com/m/220

 

Address of Entry Point : 31C9
Image Base : 1000000

EntryPoint : B431C9

 

B431C9 - 000031C9 = B40000
Because of ASLR the image was loaded at B40000, not at its Image Base 1000000.

 

----------

 

https://reverserslab.tistory.com/17

 

----------

 

IMAGE_DATA_DIRECTORY[5]

(entry index 5 of the NumberOfRvaAndSizes data directories = IMAGE_DIRECTORY_ENTRY_BASERELOC)

The Base Relocation Table is at RVA 2B000

 

The Base Relocation Table is an array of IMAGE_BASE_RELOCATION structures

typedef struct _IMAGE_BASE_RELOCATION {
    DWORD   VirtualAddress;   // RVA of the page this block covers
    DWORD   SizeOfBlock;      // size of this header plus the TypeOffset WORDs that follow
    // WORD TypeOffset[1];    // not a member: the entries follow the header
} IMAGE_BASE_RELOCATION;

TypeOffset is not a member of the structure; the commented-out array means that an array of WORDs follows immediately after the structure. In each WORD the high 4 bits are the relocation type (3 = IMAGE_REL_BASED_HIGHLOW, a 32-bit absolute address; 0 = IMAGE_REL_BASED_ABSOLUTE, padding that is skipped) and the low 12 bits are the offset from VirtualAddress. The next block starts SizeOfBlock bytes after the current one.

 

 

----------

 

(PEview)

SECTION .text : D8 48 42 00 (little-endian, = 004248D8)
IMAGE_OPTIONAL_HEADER Image Base : 00 00 40 00 (= 00400000)

004248D8 - 00400000 = 000248D8 (RVA of the address this pointer refers to)

8A0000 + 0248D8 = 8C48D8 (what the pointer must become once the image is loaded at 8A0000)

 

(Ollydbg)

8C1860 - 21860 = 8A0000

Loading address : 8A0000

 


IMAGE_BASE_RELOCATION
- RVA of Block : 1000
- Type RVA : 3000 (type 3 = IMAGE_REL_BASED_HIGHLOW in the high 4 bits, offset 000 in the low 12 bits)

8A0000 + 1000 + 0 = 8A1000 (loading address + RVA of Block + offset)

Memory at 8A1000 in OllyDbg: D8 48 8C 00 (= 008C48D8)

8A0000 + 0248D8 = 8C48D8, the same value: the loader rewrote 004248D8 to 008C48D8 by adding the delta 8A0000 - 400000 = 4A0000 at the location the relocation entry points to.

 

* Thoughts

1. I saw D8 48 in the morning
2. I followed 8A1000
3. I saw 008A1000 D8488C00

4. I saw "text" somewhere and went looking around
5. I looked at RVA of Block 1000 in IMAGE_BASE_RELOCATION and then at the value in SECTION .text, whose RVA is 1000
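The relocation walkthrough above (the IMAGE_BASE_RELOCATION layout and the 004248D8 -> 008C48D8 fixup), as an added Python example that is not part of the original post. It builds a constructed in-memory image (not the real notepad.exe) using the post's values (Image Base 400000, AddressOfEntryPoint 21860, relocation table at RVA 2B000, one HIGHLOW entry 3000 for the page at RVA 1000), derives the loading address from the entry point seen in OllyDbg the way the post does, walks the relocation blocks, and applies the delta. The ABSOLUTE padding entry, the directory Size of 0C and the SizeOfBlock sanity checks are assumptions about what a robust parser should handle, not something the post shows.

```python
import struct

# Added example (not from the original post). The constants are the values
# the post reads off notepad.exe; the image itself is constructed, not real.
IMAGE_BASE = 0x400000                 # preferred Image Base
ADDRESS_OF_ENTRY_POINT = 0x21860      # AddressOfEntryPoint (RVA)
RELOC_RVA = 0x2B000                   # IMAGE_DATA_DIRECTORY[5].VirtualAddress
RELOC_SIZE = 12                       # assumed directory Size: one 12-byte block

IMAGE_REL_BASED_ABSOLUTE = 0          # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3           # 32-bit absolute address: add the delta


def build_image():
    """Constructed sample image (not notepad.exe): a bytearray indexed by RVA
    with one absolute pointer at RVA 1000 and one relocation block at 2B000."""
    image = bytearray(RELOC_RVA + RELOC_SIZE)
    # .text, RVA 1000: the pointer PEview shows as D8 48 42 00 (= 004248D8)
    struct.pack_into("<I", image, 0x1000, 0x004248D8)
    # IMAGE_BASE_RELOCATION: VirtualAddress=1000, SizeOfBlock=0C, followed by
    # the WORD TypeOffset entries 3000 (HIGHLOW, offset 0) and 0000 (ABSOLUTE
    # padding that keeps the block DWORD-aligned; assumed for this example)
    block = struct.pack("<IIHH", 0x1000, RELOC_SIZE, 0x3000, 0x0000)
    image[RELOC_RVA:RELOC_RVA + RELOC_SIZE] = block
    return image


def load_base_from_entry(observed_entry):
    """Loading address the way the post derives it:
    EntryPoint (debugger) - AddressOfEntryPoint (header)."""
    return observed_entry - ADDRESS_OF_ENTRY_POINT


def parse_reloc_blocks(image, reloc_rva, reloc_size):
    """Walk the IMAGE_BASE_RELOCATION array. Each 8-byte header is followed
    by WORDs: high 4 bits = type, low 12 bits = offset within the page."""
    blocks = []
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, size = struct.unpack_from("<II", image, pos)
        # A corrupt or hostile SizeOfBlock would stall or overrun the walk
        if size < 8 or size % 2 or pos + size > end:
            raise ValueError(f"bad SizeOfBlock {size:#x} at RVA {pos:#x}")
        entries = []
        for off in range(pos + 8, pos + size, 2):
            (w,) = struct.unpack_from("<H", image, off)
            entries.append((w >> 12, w & 0xFFF))
        blocks.append((page_rva, entries))
        pos += size
    return blocks


def apply_relocations(image, load_base, blocks):
    """Add delta = load_base - IMAGE_BASE to every HIGHLOW target; returns delta."""
    delta = load_base - IMAGE_BASE
    for page_rva, entries in blocks:
        for typ, off in entries:
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ != IMAGE_REL_BASED_HIGHLOW:
                raise NotImplementedError(f"relocation type {typ}")
            rva = page_rva + off
            (val,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (val + delta) & 0xFFFFFFFF)
    return delta


def read_dword(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


if __name__ == "__main__":
    img = build_image()
    base = load_base_from_entry(0x8C1860)            # OllyDbg entry -> 8A0000
    blocks = parse_reloc_blocks(img, RELOC_RVA, RELOC_SIZE)
    delta = apply_relocations(img, base, blocks)
    print(f"{base:#x} {delta:#x} {read_dword(img, 0x1000):#x}")
    # prints: 0x8a0000 0x4a0000 0x8c48d8
```

The same walk applies to a real image once you read IMAGE_DATA_DIRECTORY[5] from the optional header and map the file by RVA; the SizeOfBlock check matters because a crafted .reloc with SizeOfBlock 0 would otherwise loop forever.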

 

----------

 

1. IMAGE_DOS_HEADER

0000003C 00000100 Offset to New EXE Header (e_lfanew, the file offset of the NT headers)

IMAGE_NT_HEADERS starts at 00000100

 

typedef struct _IMAGE_DOS_HEADER {
    WORD e_magic; 4D 5A ("MZ")
    WORD e_cblp;
    WORD e_cp;
    WORD e_crlc;
    WORD e_cparhdr;
    WORD e_minalloc;
    WORD e_maxalloc;
    WORD e_ss;
    WORD e_sp;
    WORD e_csum;
    WORD e_ip;
    WORD e_cs;
    WORD e_lfarlc;
    WORD e_ovno;
    WORD e_res[4];
    WORD e_oemid;
    WORD e_oeminfo;
    WORD e_res2[10];
    LONG e_lfanew; 00 01 00 00 (= 00000100, at file offset 3C; offset of IMAGE_NT_HEADERS)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

 

----------

 

3. IMAGE_NT_HEADERS

- ① Signature

- ② IMAGE_FILE_HEADER

- ③ IMAGE_OPTIONAL_HEADER

 

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature; 50 45 00 00 ("PE\0\0")
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

 

* typedef struct _IMAGE_FILE_HEADER {
    WORD Machine; 4C 01 (= 014C, Intel 386)
    WORD NumberOfSections; 06 00 (number of sections)
    DWORD TimeDateStamp; 89 24 06 02
    DWORD PointerToSymbolTable; 00 00 00 00
    DWORD NumberOfSymbols; 00 00 00 00
    WORD SizeOfOptionalHeader; E0 00 (size of the IMAGE_OPTIONAL_HEADER32 structure)
    WORD Characteristics; 02 01 (= 0102: IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

* SizeOfOptionalHeader E0 00 (1F8 - 118 = E0: IMAGE_OPTIONAL_HEADER32 starts at 118, right after the 4-byte Signature at 100 and the 20-byte (14h) IMAGE_FILE_HEADER at 104, and the section table starts at 1F8)
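The header walk in sections 1 and 3 (e_lfanew at 3C -> NT headers at 100 -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32 -> section table at 1F8), as an added Python example that is not part of the original post. The header bytes are constructed to match the values the post reads in PEview (Machine 014C, 6 sections, SizeOfOptionalHeader E0, Characteristics 0102, AddressOfEntryPoint 21860, Image Base 400000, base relocation directory at RVA 2B000); the DllCharacteristics value 0140 and the directory Size 0C are assumptions added so the parser can also show the DYNAMIC_BASE flag that lets the loader relocate the image under ASLR.

```python
import struct

# Added example (not from the original post). Header bytes are constructed to
# match the post's values; DllCharacteristics and the directory Size are assumed.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC = 0x10B


def build_headers():
    """Constructed header bytes (not real notepad.exe) at the offsets the
    post reads: e_lfanew at 3C = 100, NT headers at 100, optional header at 118."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"                                   # e_magic
    struct.pack_into("<i", buf, 0x3C, 0x100)           # e_lfanew
    buf[0x100:0x104] = b"PE\0\0"                       # Signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, 0x104,
                     0x014C, 6, 0x02062489, 0, 0, 0xE0, 0x0102)
    opt = 0x118
    struct.pack_into("<H", buf, opt, PE32_MAGIC)       # Magic (PE32)
    struct.pack_into("<I", buf, opt + 16, 0x21860)     # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x400000)    # ImageBase
    struct.pack_into("<H", buf, opt + 70, 0x0140)      # DllCharacteristics (assumed): DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", buf, opt + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x2B000, 0x0C)                    # base reloc directory: RVA 2B000, Size assumed
    return bytes(buf)


def parse_headers(data):
    """IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER ->
    IMAGE_OPTIONAL_HEADER32; returns the fields the post looks at."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<i", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew out of range")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if opt_size < 96 or opt + opt_size > len(data):
        raise ValueError("optional header too small or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 (IMAGE_OPTIONAL_HEADER32) handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (n_dirs,) = struct.unpack_from("<I", data, opt + 92)
    # Never trust NumberOfRvaAndSizes beyond what SizeOfOptionalHeader covers
    n_dirs = min(n_dirs, 16, (opt_size - 96) // 8)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": nsec,
        "timestamp": stamp,
        "size_of_optional_header": opt_size,
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "preferred_entry": image_base + entry_rva,
        "aslr_dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "section_table_offset": opt + opt_size,        # 118 + E0 = 1F8
        "base_reloc_dir": (dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC]
                           if n_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC else None),
    }


if __name__ == "__main__":
    for key, val in parse_headers(build_headers()).items():
        shown = f"{val:#x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key:24} {shown}")
```

Two flags decide whether the ASLR rebase seen in the debugger can happen at all: DYNAMIC_BASE in DllCharacteristics must be set, and IMAGE_FILE_RELOCS_STRIPPED in Characteristics must be clear, otherwise the loader has no relocation table to apply and must load at Image Base.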

----------
