本文介绍了如何从页眉和/或页脚确定 PE 可执行文件的大小的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

假设您有一个数据流或一个字节块要雕刻,您如何确定可执行文件的大小?

PE 可执行文件格式中有许多头文件,但是我使用哪些头文件部分来确定(如果可能)可执行文件的总长度?

这是文件格式的图片.

解决方案

如果PE文件格式正确,计算可以简化为(伪代码):

size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders在 section_headers 中 foreach section_header:大小 += section_header.SizeOfRawData

地点:

  • SizeOfHeaders

    • SizeOfRawData 每个部分:
      • .text: 0x15400
      • .data: 0x800
      • .idata: 0x1A00
      • .rsrc: 0x19C00
      • .reloc: 0x1600

    (注意:SizeOfRawData在下图中被称为Raw Size):

    总结一切:

    >>>size_of_headers = 0x400>>>sec_sizes = [0x15400, 0x800, 0x1a00, 0x19c00, 0x1600]>>>size_of_headers + sum(sec_sizes)207872>>>

    总大小:207872 字节.

    验证:

    注意:上面的计算没有考虑PE是否形成不良或是否有覆盖.

    Assuming you have a stream of data or a block of bytes you want to carve, how can you determine the size of the executables?

    There are numerous headers inside the PE executable format, but what header sections do I use to determine (if possible) the total length of the executable?

    Here is a picture of the file format.

    解决方案

    If the PE file is well formed, the calculation can be simplified as (pseudo-code):

    size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders
    
    foreach section_header in section_headers:
        size += section_header.SizeOfRawData
    

    Where:

    SizeOfHeaders field gives the length of all the headers (note: including the 16-bit stub).

    • Each section header is an IMAGE_SECTION_HEADER structure
    • SizeOfRawData field gives the length of each section on disk.

    Example with notepad (Windows 10):

    • SizeOfHeaders : 0x400
    • SizeOfRawDataof each sections :
      • .text: 0x15400
      • .data: 0x800
      • .idata: 0x1A00
      • .rsrc: 0x19C00
      • .reloc: 0x1600

    (note: SizeOfRawData is called Raw Size in the below picture):

    Sum everything:

    >>> size_of_headers = 0x400
    >>> sec_sizes = [0x15400, 0x800, 0x1a00, 0x19c00, 0x1600]
    >>> size_of_headers + sum(sec_sizes)
    207872
    >>>
    

    Total size: 207872 bytes.

    Verification:

    Note: the above calculation doesn't take into account if the PE is badly formed or if there is an overlay.

    这篇关于如何从页眉和/或页脚确定 PE 可执行文件的大小的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-24 11:13