PE文件加载流程

时间:2024-03-15 13:41:34

PE加载器流程

1.将PE文件用ReadFile读取数据

char szFileName[] = "1.exe";

//打开文件,设置属性可读可写
HANDLE hFile = CreateFileA(szFileName,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_ARCHIVE,
        NULL);

if (INVALID_HANDLE_VALUE == hFile)
{
        printf("文件打开失败\n");
        return 1;
}

//获取文件大小
DWORD dwFileSize = GetFileSize(hFile, NULL);

//申请空间将exe读取到内存中
char *pData = new char[dwFileSize];
if (NULL == pData)
{
        printf("空间申请失败\n");
        return 2;
}

DWORD dwRet = 0;
ReadFile(hFile, pData, dwFileSize, &dwRet, NULL);
CloseHandle(hFile);

2.根据PE结构获取镜像大小,在自己的程序中申请可读可写可执行的内存

char* chBaseAddress = NULL;

//获取镜像大小
DWORD dwSizeOfImage = GetSizeOfImage(pFileBuff);

//在进程中开辟一块内存空间
chBaseAddress = (char*)VirtualAlloc(NULL,
        dwSizeOfImage,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);
if (NULL == chBaseAddress)
{
        printf("申请进程空间失败\n");
        return NULL;
}

3.将申请的空间全部填为0

RtlZeroMemory(chBaseAddress, dwSizeOfImage);

4.将用ReadFile读取的数据映射到内存中

PE文件加载流程由上图可知,PE文件在加载到内存中对齐粒度不同,因此在写代码时要注意这个问题

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(pFileBuff + pDos->e_lfanew);
PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNt);
//所有头 + 结表头的大小
DWORD dwSizeOfHeaders = pNt->OptionalHeader.SizeOfHeaders;
//获取区段数量
int nNumerOfSections = pNt->FileHeader.NumberOfSections;

// 将前一部分都拷贝过去
RtlCopyMemory(chBaseAddress, pFileBuff, dwSizeOfHeaders);

char* chSrcMem = NULL;
char* chDestMem = NULL;
DWORD dwSizeOfRawData = 0;
for (int i = 0; i < nNumerOfSections; i++)
{
        if ((0 == pSection->VirtualAddress) ||
                (0 == pSection->SizeOfRawData))
        {
                pSection++;
                continue;
        }

        chSrcMem = (char*)((DWORD)pFileBuff + pSection->PointerToRawData);
        chDestMem = (char*)((DWORD)chBaseAddress + pSection->VirtualAddress);
        dwSizeOfRawData = pSection->SizeOfRawData;
        RtlCopyMemory(chDestMem, chSrcMem, dwSizeOfRawData);

        pSection++;
}

return TRUE;

5.修复重定位

重定位后的地址=需要重定位的地址-默认加载基址+当前加载基址

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)chBaseAddress;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(chBaseAddress + pDos->e_lfanew);
PIMAGE_BASE_RELOCATION pLoc = (PIMAGE_BASE_RELOCATION)(chBaseAddress + pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);

//判断是否有重定位表
if ((char*)pLoc == (char*)pDos)
{
        return TRUE;
}

while ((pLoc->VirtualAddress + pLoc->SizeOfBlock) != 0) //开始扫描重定位表
{
        WORD *pLocData = (WORD *)((PBYTE)pLoc + sizeof(IMAGE_BASE_RELOCATION));
        //计算需要修正的重定位项(地址)的数目
        int nNumberOfReloc = (pLoc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

        for (int i = 0; i < nNumberOfReloc; i++)
        {
                // 每个WORD由两部分组成。高4位指出了重定位的类型,WINNT.H中的一系列IMAGE_REL_BASED_xxx定义了重定位类型的取值。
                // 低12位是相对于VirtualAddress域的偏移,指出了必须进行重定位的位置。

                if ((DWORD)(pLocData[i] & 0x0000F000) == 0x00003000) //这是一个需要修正的地址
                {
                        DWORD* pAddress = (DWORD *)((PBYTE)pDos + pLoc->VirtualAddress +                                                                                                                                (pLocData[i] & 0x0FFF));        
                        DWORD dwDelta = (DWORD)pDos - pNt->OptionalHeader.ImageBase;
                        *pAddress += dwDelta;
                }
        }

        //转移到下一个节进行处理
        pLoc = (PIMAGE_BASE_RELOCATION)((PBYTE)pLoc + pLoc->SizeOfBlock);
}

return TRUE;

6.根据PE结构的导入表,加载所需要的dll,并获取导入函数的地址并写入导入表中。

导入表有函数名称表、函数地址表、函数序号表

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)chBaseAddress;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(chBaseAddress + pDos->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR pImportTable = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)pDos +
        pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

// 循环遍历DLL导入表中的DLL及获取导入表中的函数地址
char *lpDllName = NULL;
HMODULE hDll = NULL;
PIMAGE_THUNK_DATA lpImportNameArray = NULL;
PIMAGE_IMPORT_BY_NAME lpImportByName = NULL;
PIMAGE_THUNK_DATA lpImportFuncAddrArray = NULL;
FARPROC lpFuncAddress = NULL;
DWORD i = 0;

while (TRUE)
{
        if (0 == pImportTable->OriginalFirstThunk)
        {
                break;
        }

        // 获取导入表中DLL的名称并加载DLL
        lpDllName = (char *)((DWORD)pDos + pImportTable->Name);
        hDll = GetModuleHandleA(lpDllName);
        if (NULL == hDll)
        {
                hDll = LoadLibraryA(lpDllName);
                if (NULL == hDll)
                {
                        pImportTable++;
                        continue;
                }
        }

        i = 0;
        // 获取OriginalFirstThunk以及对应的导入函数名称表首地址
        lpImportNameArray = (PIMAGE_THUNK_DATA)((DWORD)pDos + pImportTable->OriginalFirstThunk);
        // 获取FirstThunk以及对应的导入函数地址表首地址
        lpImportFuncAddrArray = (PIMAGE_THUNK_DATA)((DWORD)pDos + pImportTable->FirstThunk);
        while (TRUE)
        {
                if (0 == lpImportNameArray[i].u1.AddressOfData)
                {
                        break;
                }

                // 获取IMAGE_IMPORT_BY_NAME结构
                lpImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD)pDos + lpImportNameArray[i].u1.AddressOfData);

                // 判断导出函数是序号导出还是函数名称导出
                if (0x80000000 & lpImportNameArray[i].u1.Ordinal)
                {
                        // 序号导出
                        lpFuncAddress = GetProcAddress(hDll, (LPCSTR)                                                   (lpImportNameArray[i].u1.Ordinal & 0x0000FFFF));
                }
                else
                {
                        // 名称导出
                        lpFuncAddress = GetProcAddress(hDll, (LPCSTR)lpImportByName->Name);
                }
                lpImportFuncAddrArray[i].u1.Function = (DWORD)lpFuncAddress;
                i++;
        }

        pImportTable++;
}

7.修改PE文件的加载基址

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)chBaseAddress;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(chBaseAddress + pDos->e_lfanew);
pNt->OptionalHeader.ImageBase = (ULONG32)chBaseAddress;

8.跳转到PE的入口点处执行

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)chBaseAddress;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(chBaseAddress + pDos->e_lfanew);
char* ExeEntry = (char*)(chBaseAddress + pNt->OptionalHeader.AddressOfEntryPoint);
// 跳转到入口点处执行
__asm
{
        mov eax, ExeEntry
        jmp eax
}