結(jié)合PE格式對(duì)linker分析1
這是以前我學(xué)習(xí)PE的時(shí)候的一些摘要。
分析摘要:
(*1*): 寫(xiě)程序�。a.cpp 和 foo.cpp
其中a.cpp的內(nèi)容為:
extern void Foo();
void main()
{
Foo();
}
foo.cpp的內(nèi)容為:
#include "stdio.h"
void Foo()
{
printf("I am Foo!");
}
編譯程序產(chǎn)生a.obj foo.obj a.exe.
(*2*):Copy以上3個(gè)文件到..\VisualStdio\VC98\BIN目錄下
用以下命令解析:
dumpbin /all a.obj >aobj.txt <Enter>
dumpbin /all foo.obj >fooobj.txt <Enter>
dumpbin /all a.exe >aexe.txt <Enter>
(*3*):
打開(kāi)文件a.obj,找到代碼節(jié)。內(nèi)容如下:
SECTION HEADER #3
.text name
0 physical address
0 virtual address
2E size of raw data
355 file pointer to raw data //Attention!!~!~
383 file pointer to relocation table
397 file pointer to line numbers
2 number of relocations
3 number of line numbers
60501020 flags
Code
Communal; sym= _main
16 byte align
Execute Read
RAW DATA #3
00000000: 55 8B EC 83 EC 40 53 56 57 8D 7D C0 B9 10 00 00 U....@SVW.}.....
00000010: 00 B8 CC CC CC CC F3 AB E8 00 00 00 00 5F 5E 5B ............._^[
00000020: 83 C4 40 3B EC E8 00 00 00 00 8B E5 5D C3 ..@;........].
(*4*):反編譯a.obj的代碼節(jié)�。
打開(kāi)工具URSoft W32Dasm (我用的是VERSION 8.93)
在打開(kāi)文件時(shí)選擇所有文件�����,因?yàn)楸拒浖饕轻槍?duì)PE,LE,NE等文件格式的。所以對(duì)于用來(lái)
反編譯OBJ文件需指定偏移量。如上Attention!處所示�。即為代碼節(jié)的文件偏移���。
所以在打開(kāi)OBJ文件的提示對(duì)話框中輸入:00000355
Start Disassembly from Offset 00000355 Hex.
無(wú)需選中Check For 16 Bit Disassembly .
反編譯之后的代碼節(jié)內(nèi)容如下:
:00000000 55 push ebp
:00000001 8BEC mov ebp, esp
:00000003 83EC40 sub esp, 00000040
:00000006 53 push ebx
:00000007 56 push esi
:00000008 57 push edi
:00000009 8D7DC0 lea edi, dword ptr [ebp-40]
:0000000C B910000000 mov ecx, 00000010
:00000011 B8CCCCCCCC mov eax, CCCCCCCC
:00000016 F3 repz
:00000017 AB stosd
:00000018 E800000000 call 0000001D //Attention!!!
:0000001D 5F pop edi
:0000001E 5E pop esi
:0000001F 5B pop ebx
:00000020 83C440 add esp, 00000040
:00000023 3BEC cmp ebp, esp
:00000025 E800000000 call 0000002A
:0000002A 8BE5 mov esp, ebp
:0000002C 5D pop ebp
:0000002D C3 ret
簡(jiǎn)要說(shuō)明:
The 0xE8 is the CALL instruction opcode. The next DWORD should contain the offset to the Foo function (relative to the CALL instruction). It's pretty clear that Foo probably isn't zero bytes away from the CALL instruction. Simply put, this code wouldn't work as expected if you were to execute it. The code is broken, and needs to be fixed up.
In the above example of a call to function Foo, there will be a REL32 fixup record, and it will have the offset of the DWORD that the linker needs to overwrite with the appropriate value.
(*5*):查看緊跟代碼節(jié)后的RELOCATIONS:
RELOCATIONS #3
Symbol Symbol
Offset Type Applied To Index Name
-------- ------- ------------- ------ --------------
00000019 REL32 00000000 12 ?Foo@@YAXXZ (void __cdecl Foo(void))
00000026 REL32 00000000 13 __chkesp
this(first) fixup record says that the linker needs to calculate the relative offset to
function Foo, and write that value to offset four in the section.
(*6*):實(shí)際的a.exe代碼節(jié)內(nèi)容:
:00401000 55 push ebp
:00401001 8BEC mov ebp, esp
:00401003 83EC40 sub esp, 00000040
:00401006 53 push ebx
:00401007 56 push esi
:00401008 57 push edi
:00401009 8D7DC0 lea edi, dword ptr [ebp-40]
:0040100C B910000000 mov ecx, 00000010
:00401011 B8CCCCCCCC mov eax, CCCCCCCC
:00401016 F3 repz
:00401017 AB stosd
:00401018 E813000000 call 00401030
:0040101D 5F pop edi
:0040101E 5E pop esi
:0040101F 5B pop ebx
:00401020 83C440 add esp, 00000040
:00401023 3BEC cmp ebp, esp
:00401025 E846000000 call 00401070
:0040102A 8BE5 mov esp, ebp
:0040102C 5D pop ebp
:0040102D C3 ret
:0040102E CC int 03
:0040102F CC int 03
//中間無(wú)內(nèi)容省略�����。
* Referenced by a CALL at Address:
|:00401018
|
:00401030 55 push ebp
:00401031 8BEC mov ebp, esp
:00401033 83EC40 sub esp, 00000040
:00401036 53 push ebx
:00401037 56 push esi
:00401038 57 push edi
:00401039 8D7DC0 lea edi, dword ptr [ebp-40]
:0040103C B910000000 mov ecx, 00000010
:00401041 B8CCCCCCCC mov eax, CCCCCCCC
:00401046 F3 repz
:00401047 AB stosd
:00401048 68ECC04000 push 0040C0EC
:0040104D E85E000000 call 004010B0
:00401052 83C404 add esp, 00000004
:00401055 5F pop edi
:00401056 5E pop esi
:00401057 5B pop ebx
:00401058 83C440 add esp, 00000040
:0040105B 3BEC cmp ebp, esp
:0040105D E80E000000 call 00401070
:00401062 8BE5 mov esp, ebp
:00401064 5D pop ebp
:00401065 C3 ret
(*7*)看一下FOO.OBJ的內(nèi)容:(由分析FOOOBJ.TXT中代碼節(jié)的偏移為0x000003bf,從而用W32Dasm反編譯。)
:00000000 55 push ebp
:00000001 8BEC mov ebp, esp
:00000003 83EC40 sub esp, 00000040
:00000006 53 push ebx
:00000007 56 push esi
:00000008 57 push edi
:00000009 8D7DC0 lea edi, dword ptr [ebp-40]
:0000000C B910000000 mov ecx, 00000010
:00000011 B8CCCCCCCC mov eax, CCCCCCCC
:00000016 F3 repz
:00000017 AB stosd
:00000018 6800000000 push 00000000
:0000001D E800000000 call 00000022
:00000022 83C404 add esp, 00000004
:00000025 5F pop edi
:00000026 5E pop esi
:00000027 5B pop ebx
:00000028 83C440 add esp, 00000040
:0000002B 3BEC cmp ebp, esp
:0000002D E800000000 call 00000032
:00000032 8BE5 mov esp, ebp
:00000034 5D pop ebp
:00000035 C3 ret
綜上分析可知:連接器在整合各個(gè)編譯單元(.obj)時(shí)�,如上A.OBJ和FOO.OBJ已記錄下需要調(diào)整的數(shù)據(jù),
比如a.obj中的FOO函數(shù)位置�����,即
:00000018 E800000000 call 0000001D //Attention!!!
RAW DATA #3
00000000: 55 8B EC 83 EC 40 53 56 57 8D 7D C0 B9 10 00 00 U....@SVW.}.....
00000010: 00 B8 CC CC CC CC F3 AB E8 00 00 00 00 5F 5E 5B ............._^[
00000020: 83 C4 40 3B EC E8 00 00 00 00 8B E5 5D C3 ..@;........].
節(jié)后緊跟的RELOCATIONS #3
Symbol Symbol
Offset Type Applied To Index Name
-------- ------- ------------- ------ --------------
00000019 REL32 00000000 12 ?Foo@@YAXXZ (void __cdecl Foo(void))
在連接時(shí)���,連接器整合代碼節(jié)���,將FOO.OBJ的代碼節(jié)接在A.OBJ的代碼節(jié)之后���。如下:
:00401000 55 push ebp
....
:00401018 E813000000 call 00401030
....
:0040102D C3 ret
:0040102E CC int 03
:0040102F CC int 03
//中間無(wú)內(nèi)容省略���。
* Referenced by a CALL at Address:
|:00401018
|
:00401030 55 push ebp
....
:00401065 C3 ret
其中CALL 00401030中的00400000為代碼優(yōu)先載入基地址���。
而E813000000中的13000000即為偏移值�。事實(shí)上為00000013,這是INTEL CPU的特性
a peculiarity of Intel processors where numerical data is stored in
reverse order to character data.
To copy a 32 bit value (56 A7 00 FE) into the eax register, you will find the opcode, A1 (MOV EAX) followed by (FE 00 A7 56).
A1 FE 00 A7 56
從偏移00401018跳到00401030�。如此可以得出指令為:E813000000
手工算法:
因?yàn)镃ALL指令本身占用5個(gè)字節(jié)(1個(gè)為CALL nmemonic(E8),另4個(gè)為偏移值)�����。
而0040101D-00401018=5所以偏移事實(shí)上應(yīng)該從0040101D算起。
故00401030-0040101D=13
所以產(chǎn)生的CALL指令為E813000000
借助軟件:
oPcodeR--由Cool McCool編寫(xiě)�����。非常好用�。
linker分析2
(*1*):建立DLL工程。在第二步選1���。即默認(rèn)。
//這個(gè)dll工程只用來(lái)輸出兩個(gè)函數(shù)�����。別無(wú)他用�����。
添加文件dll.cpp:
文件內(nèi)容如下:
#include"stdio.h"
void __declspec(dllexport) ExportOne( void )
{
printf("I am ExportOne!\n");
}
void __declspec(dllexport) ExportTwo( void )
{
printf("I am ExportTwo!\n");
}
編譯運(yùn)行產(chǎn)生dll.obj dll.dll.
[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]
也可這樣建立:
//文件dll.cpp
#include"stdio.h"
//void __declspec(dllexport) ExportOne( void )
void ExportOne(void)
{
printf("I am ExportOne!\n");
}
//void __declspec(dllexport) ExportTwo( void )
void ExportTwo(void)
{
printf("I am ExportTwo!\n");
}
//文件dll.def
; dll.def : Declares the module parameters for the DLL.
LIBRARY "dll"
DESCRIPTION 'dll Windows Dynamic Link Library'
EXPORTS
; Explicit exports can go here
ExportOne @1
ExportTwo @2
[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]
(*2*):建立LIB工程���。
//這個(gè)LIB工程只用來(lái)測(cè)試引入剛才DLL輸出的兩個(gè)函數(shù)���。
添加文件lib.cpp
文件內(nèi)容如下:
#include"stdio.h"
void ExportOne(void);
void ExportTwo(void);
void main()
{
ExportOne();
ExportTwo();
}
編譯運(yùn)行產(chǎn)生lib.obj lib.exe.
(*3*)LIB.OBJ分析
(*4*)反編譯LIB.OBJ.注意代碼節(jié)的文件偏移為00000392
:00000000 55 push ebp
......
:00000018 E800000000 call 0000001D //這里就是ExportOne()調(diào)用
:0000001D E800000000 call 00000022 //這里就是ExportTwo()調(diào)用
......
:00000032 C3 ret
(*5*)LIB.EXE分析:
:00401000 55 push ebp
......
:00401017 AB stosd
* Reference To: dll.ExportOne, Ord:0001h
|
:00401018 E81D000000 Call 0040103A
* Reference To: dll.ExportTwo, Ord:0002h
|
:0040101D E812000000 Call 00401034
......
:00401032 C3 ret
:00401033 CC int 03
* Referenced by a CALL at Address:
|:0040101D
|
* Reference To: dll.ExportTwo, Ord:0002h
|
:00401034 FF25C8C04000 Jmp dword ptr [0040C0C8]
* Referenced by a CALL at Address:
|:00401018
|
* Reference To: dll.ExportOne, Ord:0001h
|
:0040103A FF25C4C04000 Jmp dword ptr [0040C0C4]
(*6*)引入函數(shù)與非引入函數(shù)的區(qū)別�����。
從上我們可以看出,其實(shí)不管是不是引入函數(shù)�����,編譯器產(chǎn)生的函數(shù)調(diào)用代碼都是CALL XXXXXXXX形式的���。
//from dll.lib
Archive member name at 8: /
3E951F55 time/date Thu Apr 10 15:37:57 2003
...
correct header end
7 public symbols
1FE __IMPORT_DESCRIPTOR_dll
4F8 __NULL_IMPORT_DESCRIPTOR
62C dll_NULL_THUNK_DATA
778 ?ExportOne@@YAXXZ
778 __imp_?ExportOne@@YAXXZ
7E2 ?ExportTwo@@YAXXZ
7E2 __imp_?ExportTwo@@YAXXZ
我們可以看到�,在LIB文件中有引入函數(shù)的信息。
函數(shù)符號(hào)比如?ExportOne@@YAXXZ能夠被解析�����。并且LIB文件中有很多關(guān)于引入函數(shù)的信息�。比如:
Summary
BA .debug$S
14 .idata$2
14 .idata$3
4 .idata$4
4 .idata$5
8 .idata$6
所有的.idata節(jié)最終會(huì)被合并到可執(zhí)行文件的.IDATA節(jié)中。從而形成IAT和其他有關(guān)引入表的結(jié)構(gòu)���。
SECTION HEADER #2
.idata$5 name
...
C0300040 flags
...
RAW DATA #2
00000000: 00 00 00 00
如果函數(shù)是通過(guò)序號(hào)引入的。那么在.idata$5節(jié)的DWORD的最高位為1�。低位是引入(出)序號(hào)�����。
否則.idata$5節(jié)的DWORD為0�����。
如果函數(shù)是通過(guò)名字引入的�����。那么在.idata$6節(jié)的第一個(gè)WORD為引入(出)序號(hào)。接下去是一個(gè)函數(shù)名字。
**通過(guò)LIB文件,函數(shù)被決議為一個(gè)JMP DWORD PTR[XXXXXXXX]形式的指令。
通常稱為STUB���。當(dāng)然LIB文件中也有引入函數(shù)的真正地址。
010 00000000 SECT3 notype () External | ?ExportOne@@YAXXZ (void __cdecl ExportOne(void))
//以下為函數(shù)ExportOne的代碼。
SECTION HEADER #3
.text name
...
RAW DATA #3
00000000: 55 8B EC 83 EC 40 53 56 57 8D 7D C0 B9 10 00 00 U....@SVW.}.....
00000010: 00 B8 CC CC CC CC F3 AB 68 00 00 00 00 E8 00 00 ........h.......
00000020: 00 00 83 C4 04 5F 5E 5B 83 C4 40 3B EC E8 00 00 ....._^[..@;....
00000030: 00 00 8B E5 5D C3 ....].
綜上所述�����,對(duì)引入函數(shù)���。產(chǎn)生的代碼大致形式如下:
CALL XXXXXXXX
...
XXXXXXXX:
JMP DWORD PTR[YYYYYYYY]
YYYYYYYY地址在引入節(jié)部分�。
最后調(diào)到引入函數(shù)的地址去執(zhí)行。