Using WinDbg to understand the PE file structure

0x0 Environment

Windows 7, 32-bit
WinDbg, 32-bit
Target: notepad.exe

0x1 Steps

Launch notepad.exe


Attach WinDbg to the notepad process


lm: list the loaded modules and their load state

0:001> lm
start    end        module name
00300000 00330000   notepad    (deferred)             
6e870000 6e8c1000   WINSPOOL   (deferred)             
73c10000 73c23000   dwmapi     (deferred)             
73f40000 73f80000   uxtheme    (deferred)             
740c0000 7425e000   COMCTL32   (deferred)             
74630000 74639000   VERSION    (deferred)             
75330000 7533c000   CRYPTBASE   (deferred)             
75490000 754da000   KERNELBASE   (deferred)             
756e0000 7575b000   COMDLG32   (deferred)             
75a50000 75a69000   sechost    (deferred)             
75a70000 75b10000   ADVAPI32   (deferred)             
75b10000 75bb1000   RPCRT4     (deferred)             
75bd0000 75bef000   IMM32      (deferred)             
75bf0000 75cc4000   kernel32   (deferred)             
75dd0000 76a1a000   SHELL32    (deferred)             
76bd0000 76c5f000   OLEAUT32   (deferred)             
76c60000 76cfd000   USP10      (deferred)             
76d00000 76e5c000   ole32      (deferred)             
76e60000 76f29000   USER32     (deferred)             
76f80000 76fce000   GDI32      (deferred)             
76fd0000 7709c000   MSCTF      (deferred)             
770a0000 7714c000   msvcrt     (deferred)             
77290000 773cc000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
77440000 77497000   SHLWAPI    (deferred)             
774b0000 774ba000   LPK        (deferred)

lm shows the modules and the state of their symbol loading:
1. lm l: list only the modules whose symbols are loaded
2. lm m somemodulename*: list the modules whose name matches the pattern
3. lm v: list all modules with verbose details
4. !lmi moduleName: show detailed information for the given module
5. !dh <module start address | module name> -f: go further into the module's header, including the PDB information, the default stack size and so on

The !dh command

!dh -f notepad shows the headers of notepad

0:001> !dh -f notepad

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       4 number of sections
4A5BC60F time date stamp Tue Jul 14 07:41:03 2009

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     102 characteristics
            Executable
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
    A800 size of code
   22400 size of initialized data
       0 size of uninitialized data
    3689 address of entry point
    1000 base of code
         ----- new -----
00300000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
   30000 size of image
     400 size of headers
   39741 checksum
00040000 size of stack reserve
00011000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
    8140  DLL characteristics
            Dynamic base
            NX compatible
            Terminal server aware
       0 [       0] address [size] of Export Directory
    A048 [     12C] address [size] of Import Directory
    F000 [   1F160] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
   2F000 [     E34] address [size] of Base Relocation Directory
    B62C [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
    6D58 [      40] address [size] of Load Configuration Directory
     278 [     128] address [size] of Bound Import Directory
    1000 [     400] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

[The dt command](https://blog.csdn.net/pureman_mega/article/details/78884277)

dt -n (_IMAGE_DOS_HEADER)00300000

0:001> dt -n (_IMAGE_DOS_HEADER)00300000
uxtheme!_IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d
   +0x002 e_cblp           : 0x90
   +0x004 e_cp             : 3
   +0x006 e_crlc           : 0
   +0x008 e_cparhdr        : 4
   +0x00a e_minalloc       : 0
   +0x00c e_maxalloc       : 0xffff
   +0x00e e_ss             : 0
   +0x010 e_sp             : 0xb8
   +0x012 e_csum           : 0
   +0x014 e_ip             : 0
   +0x016 e_cs             : 0
   +0x018 e_lfarlc         : 0x40
   +0x01a e_ovno           : 0
   +0x01c e_res            : [4] 0
   +0x024 e_oemid          : 0
   +0x026 e_oeminfo        : 0
   +0x028 e_res2           : [10] 0
   +0x03c e_lfanew         : 0n224

PE study (2): IMAGE_DOS_HEADER

dt -n (_IMAGE_NT_HEADERS)00300000+0n224

0:001> dt -n (_IMAGE_NT_HEADERS)00300000+0n224
uxtheme!_IMAGE_NT_HEADERS
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER

A detailed look at PE files: the IMAGE_NT_HEADER structure

Find the address of the PE header

0:001> ? notepad
Evaluate expression: 3145728 = 00300000
0:001> ? notepad+0n224
Evaluate expression: 3145952 = 003000e0

View the file header (at 003000e4, immediately after the 4-byte PE signature)

0:001> dt ntdll!_IMAGE_FILE_HEADER 003000e4
   +0x000 Machine          : 0x14c
   +0x002 NumberOfSections : 4
   +0x004 TimeDateStamp    : 0x4a5bc60f
   +0x008 PointerToSymbolTable : 0
   +0x00c NumberOfSymbols  : 0
   +0x010 SizeOfOptionalHeader : 0xe0
   +0x012 Characteristics  : 0x102

View the optional header (at 003000f8, i.e. the NT headers + 0x18)

0:001> dt ntdll!_IMAGE_OPTIONAL_HEADER 003000f8
   +0x000 Magic            : 0x10b
   +0x002 MajorLinkerVersion : 0x9 ''
   +0x003 MinorLinkerVersion : 0 ''
   +0x004 SizeOfCode       : 0xa800
   +0x008 SizeOfInitializedData : 0x22400
   +0x00c SizeOfUninitializedData : 0
   +0x010 AddressOfEntryPoint : 0x3689
   +0x014 BaseOfCode       : 0x1000
   +0x018 BaseOfData       : 0xc000
   +0x01c ImageBase        : 0x300000
   +0x020 SectionAlignment : 0x1000
   +0x024 FileAlignment    : 0x200
   +0x028 MajorOperatingSystemVersion : 6
   +0x02a MinorOperatingSystemVersion : 1
   +0x02c MajorImageVersion : 6
   +0x02e MinorImageVersion : 1
   +0x030 MajorSubsystemVersion : 6
   +0x032 MinorSubsystemVersion : 1
   +0x034 Win32VersionValue : 0
   +0x038 SizeOfImage      : 0x30000
   +0x03c SizeOfHeaders    : 0x400
   +0x040 CheckSum         : 0x39741
   +0x044 Subsystem        : 2
   +0x046 DllCharacteristics : 0x8140
   +0x048 SizeOfStackReserve : 0x40000
   +0x04c SizeOfStackCommit : 0x11000
   +0x050 SizeOfHeapReserve : 0x100000
   +0x054 SizeOfHeapCommit : 0x1000
   +0x058 LoaderFlags      : 0
   +0x05c NumberOfRvaAndSizes : 0x10
   +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY

View the DataDirectory

0:001> dt ntdll!_IMAGE_OPTIONAL_HEADER -v -ny DataDirectory 003000f8
struct _IMAGE_OPTIONAL_HEADER, 31 elements, 0xe0 bytes
   +0x060 DataDirectory : [16] struct _IMAGE_DATA_DIRECTORY, 2 elements, 0x8 bytes
0:001> ? 003000f8+0x060
Evaluate expression: 3146072 = 00300158
0:001> dt ole32!_IMAGE_DATA_DIRECTORY 00300158
   +0x000 VirtualAddress   : 0
   +0x004 Size             : 0
0:001> dt /r1 ntdll!_IMAGE_NT_HEADERS notepad+e0
   +0x000 Signature        : 0x4550
   +0x004 FileHeader       : _IMAGE_FILE_HEADER
      +0x000 Machine          : 0x14c
      +0x002 NumberOfSections : 4
      +0x004 TimeDateStamp    : 0x4a5bc60f
      +0x008 PointerToSymbolTable : 0
      +0x00c NumberOfSymbols  : 0
      +0x010 SizeOfOptionalHeader : 0xe0
      +0x012 Characteristics  : 0x102
   +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER
      +0x000 Magic            : 0x10b
      +0x002 MajorLinkerVersion : 0x9 ''
      +0x003 MinorLinkerVersion : 0 ''
      +0x004 SizeOfCode       : 0xa800
      +0x008 SizeOfInitializedData : 0x22400
      +0x00c SizeOfUninitializedData : 0
      +0x010 AddressOfEntryPoint : 0x3689
      +0x014 BaseOfCode       : 0x1000
      +0x018 BaseOfData       : 0xc000
      +0x01c ImageBase        : 0x300000
      +0x020 SectionAlignment : 0x1000
      +0x024 FileAlignment    : 0x200
      +0x028 MajorOperatingSystemVersion : 6
      +0x02a MinorOperatingSystemVersion : 1
      +0x02c MajorImageVersion : 6
      +0x02e MinorImageVersion : 1
      +0x030 MajorSubsystemVersion : 6
      +0x032 MinorSubsystemVersion : 1
      +0x034 Win32VersionValue : 0
      +0x038 SizeOfImage      : 0x30000
      +0x03c SizeOfHeaders    : 0x400
      +0x040 CheckSum         : 0x39741
      +0x044 Subsystem        : 2
      +0x046 DllCharacteristics : 0x8140
      +0x048 SizeOfStackReserve : 0x40000
      +0x04c SizeOfStackCommit : 0x11000
      +0x050 SizeOfHeapReserve : 0x100000
      +0x054 SizeOfHeapCommit : 0x1000
      +0x058 LoaderFlags      : 0
      +0x05c NumberOfRvaAndSizes : 0x10
      +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY

The DOS Header

0:001> db 00300000 L0n224
00300000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
00300010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00300020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00300030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00  ................
00300040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
00300050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
00300060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
00300070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
00300080  b2 be c2 62 f6 df ac 31-f6 df ac 31 f6 df ac 31  ...b...1...1...1
00300090  ff a7 39 31 f5 df ac 31-ff a7 3f 31 eb df ac 31  ..91...1..?1...1
003000a0  f6 df ad 31 00 df ac 31-ff a7 2f 31 e9 df ac 31  ...1...1../1...1
003000b0  ff a7 28 31 f4 df ac 31-ff a7 38 31 f7 df ac 31  ..(1...1..81...1
003000c0  ff a7 3d 31 f7 df ac 31-52 69 63 68 f6 df ac 31  ..=1...1Rich...1
003000d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................


NT Headers


Optional Header


The DataDirectory


Locating the Section Headers

The Section Headers

00300000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
00300010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00300020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00300030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00  ................
00300040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
00300050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
00300060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
00300070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
00300080  b2 be c2 62 f6 df ac 31-f6 df ac 31 f6 df ac 31  ...b...1...1...1
00300090  ff a7 39 31 f5 df ac 31-ff a7 3f 31 eb df ac 31  ..91...1..?1...1
003000a0  f6 df ad 31 00 df ac 31-ff a7 2f 31 e9 df ac 31  ...1...1../1...1
003000b0  ff a7 28 31 f4 df ac 31-ff a7 38 31 f7 df ac 31  ..(1...1..81...1
003000c0  ff a7 3d 31 f7 df ac 31-52 69 63 68 f6 df ac 31  ..=1...1Rich...1
003000d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003000e0  50 45 00 00 4c 01 04 00-0f c6 5b 4a 00 00 00 00  PE..L.....[J....
003000f0  00 00 00 00 e0 00 02 01-0b 01 09 00 00 a8 00 00  ................
00300100  00 24 02 00 00 00 00 00-89 36 00 00 00 10 00 00  .$.......6......
00300110  00 c0 00 00 00 00 30 00-00 10 00 00 00 02 00 00  ......0.........
00300120  06 00 01 00 06 00 01 00-06 00 01 00 00 00 00 00  ................
00300130  00 00 03 00 00 04 00 00-41 97 03 00 02 00 40 81  ........A.....@.
00300140  00 00 04 00 00 10 01 00-00 00 10 00 00 10 00 00  ................
00300150  00 00 00 00 10 00 00 00-00 00 00 00 00 00 00 00  ................
00300160  48 a0 00 00 2c 01 00 00-00 f0 00 00 60 f1 01 00  H...,.......`...
00300170  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00300180  00 f0 02 00 34 0e 00 00-2c b6 00 00 38 00 00 00  ....4...,...8...
00300190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003001a0  00 00 00 00 00 00 00 00-58 6d 00 00 40 00 00 00  ........Xm..@...
003001b0  78 02 00 00 28 01 00 00-00 10 00 00 00 04 00 00  x...(...........
003001c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003001d0  00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00  .........text...
003001e0  8c a6 00 00 00 10 00 00-00 a8 00 00 00 04 00 00  ................
003001f0  00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60  ............ ..`
00300200  2e 64 61 74 61 00 00 00-64 21 00 00 00 c0 00 00  .data...d!......
00300210  00 10 00 00 00 ac 00 00-00 00 00 00 00 00 00 00  ................
00300220  00 00 00 00 40 00 00 c0-2e 72 73 72 63 00 00 00  [email protected]...
00300230  60 f1 01 00 00 f0 00 00-00 f2 01 00 00 bc 00 00  `...............
00300240  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 40  ............@..@
00300250  2e 72 65 6c 6f 63 00 00-34 0e 00 00 00 f0 02 00  .reloc..4.......
00300260  00 10 00 00 00 ae 02 00-00 00 00 00 00 00 00 00  ................
00300270  00 00 00 00 40 00 00 42-7e d9 5b 4a 80 00 00 00  [email protected]~.[J....
00300280  ad da 5b 4a 8d 00 01 00-db da 5b 4a 9a 00 00 00  ..[J......[J....
00300290  dd d9 5b 4a a4 00 00 00-2f db 5b 4a ae 00 00 00  ..[J..../.[J....
003002a0  6f da 5b 4a b9 00 00 00-25 da 5b 4a c4 00 00 00  o.[J....%.[J....
003002b0  01 db 5b 4a d1 00 00 00-4b db 5b 4a dd 00 00 00  ..[J....K.[J....
003002c0  c7 da 5b 4a ea 00 00 00-05 db 5b 4a f4 00 00 00  ..[J......[J....
003002d0  76 d9 5b 4a 00 01 00 00-ca da 5b 4a 0d 01 00 00  v.[J......[J....
003002e0  db da 5b 4a 9a 00 00 00-2b db 5b 4a 1a 01 00 00  ..[J....+.[J....
003002f0  00 00 00 00 00 00 00 00-41 44 56 41 50 49 33 32  ........ADVAPI32
00300300  2e 64 6c 6c 00 4b 45 52-4e 45 4c 33 32 2e 64 6c  .dll.KERNEL32.dl
00300310  6c 00 4e 54 44 4c 4c 2e-44 4c 4c 00 47 44 49 33  l.NTDLL.DLL.GDI3
00300320  32 2e 64 6c 6c 00 55 53-45 52 33 32 2e 64 6c 6c  2.dll.USER32.dll
00300330  00 6d 73 76 63 72 74 2e-64 6c 6c 00 43 4f 4d 44  .msvcrt.dll.COMD
00300340  4c 47 33 32 2e 64 6c 6c-00 53 48 45 4c 4c 33 32  LG32.dll.SHELL32
00300350  2e 64 6c 6c 00 57 49 4e-53 50 4f 4f 4c 2e 44 52  .dll.WINSPOOL.DR
00300360  56 00 6f 6c 65 33 32 2e-64 6c 6c 00 53 48 4c 57  V.ole32.dll.SHLW
00300370  41 50 49 2e 64 6c 6c 00-43 4f 4d 43 54 4c 33 32  API.dll.COMCTL32
00300380  2e 64 6c 6c 00 4f 4c 45-41 55 54 33 32 2e 64 6c  .dll.OLEAUT32.dl
00300390  6c 00 56 45 52 53 49 4f-4e 2e 64 6c 6c 00 00 00  l.VERSION.dll...
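To make the walk from e_lfanew to the section table concrete, here is an added Python example; it is not part of the original post and not WinDbg's or Microsoft's code. It rebuilds the bytes from the `db` dump above, parses IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, the DataDirectory array and the four IMAGE_SECTION_HEADER entries, decodes the DllCharacteristics bits that `!dh -f` prints by name, and translates an RVA such as AddressOfEntryPoint into a raw file offset through the section table. Assumptions: the DB_DUMP string is constructed from the dump on this page with its all-zero lines and the DOS stub omitted; the field names follow the Windows SDK structures; the helper names (bytes_from_db, parse_pe, rva_to_file_offset, dll_characteristics) are mine.

```python
import struct

# Constructed input: the WinDbg `db` dump of notepad.exe's headers shown on this page. All-zero
# lines and the DOS stub/Rich header (0x40-0xdf) are omitted; the buffer is zero-filled anyway.
DB_DUMP = """\
00300000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00
00300010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00
00300030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00
003000e0  50 45 00 00 4c 01 04 00-0f c6 5b 4a 00 00 00 00
003000f0  00 00 00 00 e0 00 02 01-0b 01 09 00 00 a8 00 00
00300100  00 24 02 00 00 00 00 00-89 36 00 00 00 10 00 00
00300110  00 c0 00 00 00 00 30 00-00 10 00 00 00 02 00 00
00300120  06 00 01 00 06 00 01 00-06 00 01 00 00 00 00 00
00300130  00 00 03 00 00 04 00 00-41 97 03 00 02 00 40 81
00300140  00 00 04 00 00 10 01 00-00 00 10 00 00 10 00 00
00300150  00 00 00 00 10 00 00 00-00 00 00 00 00 00 00 00
00300160  48 a0 00 00 2c 01 00 00-00 f0 00 00 60 f1 01 00
00300180  00 f0 02 00 34 0e 00 00-2c b6 00 00 38 00 00 00
003001a0  00 00 00 00 00 00 00 00-58 6d 00 00 40 00 00 00
003001b0  78 02 00 00 28 01 00 00-00 10 00 00 00 04 00 00
003001d0  00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00
003001e0  8c a6 00 00 00 10 00 00-00 a8 00 00 00 04 00 00
003001f0  00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60
00300200  2e 64 61 74 61 00 00 00-64 21 00 00 00 c0 00 00
00300210  00 10 00 00 00 ac 00 00-00 00 00 00 00 00 00 00
00300220  00 00 00 00 40 00 00 c0-2e 72 73 72 63 00 00 00
00300230  60 f1 01 00 00 f0 00 00-00 f2 01 00 00 bc 00 00
00300240  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 40
00300250  2e 72 65 6c 6f 63 00 00-34 0e 00 00 00 f0 02 00
00300260  00 10 00 00 00 ae 02 00-00 00 00 00 00 00 00 00
00300270  00 00 00 00 40 00 00 42-7e d9 5b 4a 80 00 00 00
"""
IMAGE_BASE = 0x00300000   # `? notepad` on this page evaluates to 00300000
FILE_HEADER = ("Machine NumberOfSections TimeDateStamp PointerToSymbolTable "
               "NumberOfSymbols SizeOfOptionalHeader Characteristics").split()
OPT32 = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
         "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
         "SectionAlignment FileAlignment MajorOperatingSystemVersion MinorOperatingSystemVersion "
         "MajorImageVersion MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion "
         "Win32VersionValue SizeOfImage SizeOfHeaders CheckSum Subsystem DllCharacteristics "
         "SizeOfStackReserve SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags "
         "NumberOfRvaAndSizes").split()
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6   # PE32 optional header, 0x60 bytes
DATA_DIRS = ("Export Import Resource Exception Security BaseRelocation Debug Description "
             "Special ThreadStorage LoadConfiguration BoundImport ImportAddressTable "
             "DelayImport COR20Header Reserved").split()
SECTION = ("Name VirtualSize VirtualAddress SizeOfRawData PointerToRawData PointerToRelocations "
           "PointerToLinenumbers NumberOfRelocations NumberOfLinenumbers Characteristics").split()
SECTION_FMT = "<8sIIIIIIHHI"   # one 40-byte IMAGE_SECTION_HEADER
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}

def bytes_from_db(dump, base, size):
    """Rebuild a byte buffer from `db` lines (address, then 16 hex bytes; an ASCII column is ignored)."""
    buf = bytearray(size)
    for line in dump.splitlines():
        addr_text, rest = line.split(None, 1)
        data = bytes.fromhex(rest[:47].replace("-", "").replace(" ", ""))
        off = int(addr_text, 16) - base
        buf[off:off + len(data)] = data
    return bytes(buf)

def parse_pe(image):
    """DOS header -> NT headers -> data directories -> section table (what !dh and dt display)."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3c)
    if image[:2] != b"MZ" or e_lfanew + 0x18 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad MZ/PE signature, or e_lfanew points outside the image")
    fh = dict(zip(FILE_HEADER, struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)))
    opt_off = e_lfanew + 0x18                  # signature (4) + IMAGE_FILE_HEADER (20)
    opt = dict(zip(OPT32, struct.unpack_from(OPT32_FMT, image, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled here")
    # Data directories follow the fixed optional header; cap at 16 so a hostile count cannot walk past them.
    dd_off = opt_off + struct.calcsize(OPT32_FMT)
    dirs = {name: struct.unpack_from("<II", image, dd_off + 8 * i)
            for i, name in enumerate(DATA_DIRS[:min(opt["NumberOfRvaAndSizes"], 16)])}
    # Section headers sit SizeOfOptionalHeader bytes past the optional header (0xe0 here, not 0x60).
    sec_off = opt_off + fh["SizeOfOptionalHeader"]
    sections = [dict(zip(SECTION, struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)))
                for i in range(fh["NumberOfSections"])]
    for sec in sections:
        sec["Name"] = sec["Name"].rstrip(b"\0").decode("ascii", "replace")
    return {"e_lfanew": e_lfanew, "file": fh, "optional": opt, "dirs": dirs, "sections": sections}

def rva_to_file_offset(sections, rva):
    """Map an RVA to a raw file offset through the section that contains it; None if unmapped."""
    for sec in sections:
        start, span = sec["VirtualAddress"], max(sec["VirtualSize"], sec["SizeOfRawData"])
        if start <= rva < start + span:
            return rva - start + sec["PointerToRawData"]
    return None

def dll_characteristics(value):
    """Names of the DllCharacteristics bits that are set (the flags !dh -f prints by name)."""
    return [name for bit, name in sorted(DLL_FLAGS.items()) if value & bit]

PE = parse_pe(bytes_from_db(DB_DUMP, IMAGE_BASE, 0x280))
if __name__ == "__main__":
    ep = PE["optional"]["AddressOfEntryPoint"]
    print("entry RVA %#x -> file offset %#x;" % (ep, rva_to_file_offset(PE["sections"], ep)),
          "DllCharacteristics:", dll_characteristics(PE["optional"]["DllCharacteristics"]))
```

Run it and compare with the `!dh -f notepad` output above: the directory RVAs and sizes, the four section names and the DllCharacteristics names should match line for line. Two details matter when reading the headers by hand and are why the parser is written this way: the section table starts at OptionalHeader + SizeOfOptionalHeader (0xe0 here), not at a fixed distance from the PE signature, and Dynamic base only gives the image ASLR if the loader can relocate it, so the Base Relocation directory (0x2f000, size 0xe34 for this notepad) belongs in any hardening check alongside the flag.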