
  • 我心飞翔
  • 1524100477
Decryption Series - System Part, Lecture 2: The PE Format in Detail (2)


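"PE Header" is the short name for the NT image header structure (IMAGE_NT_HEADERS). It holds many of the key fields the PE loader relies on. 小甲鱼 walks through them in detail below.

(Video tutorial: a/shipin/jiemixilie/)


First, the definition of the IMAGE_NT_HEADERS structure. (What, you don't know structures yet? Read the chapters on structures in 小甲鱼's beginner C course 《零基础入门学习C语言》 first.)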

IMAGE_NT_HEADERS STRUCT
{
  +0h   DWORD                    Signature
  +4h   IMAGE_FILE_HEADER        FileHeader
  +18h  IMAGE_OPTIONAL_HEADER32  OptionalHeader
} IMAGE_NT_HEADERS ENDS


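The Signature field:

In a valid PE file the Signature field is set to 00004550h, which in ASCII is "PE\0\0" (the letters P and E followed by two zero bytes). It marks the start of the PE file header.

The "PE\0\0" string is where the PE file header begins, and the e_lfanew field of the DOS header points exactly here.

[Figure: the "PE\0\0" signature that e_lfanew points to]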


The IMAGE_FILE_HEADER structure

typedef struct _IMAGE_FILE_HEADER
{
  +04h  WORD   Machine;               // target platform
  +06h  WORD   NumberOfSections;      // number of sections in the file
  +08h  DWORD  TimeDateStamp;         // file creation date and time
  +0Ch  DWORD  PointerToSymbolTable;  // points to the symbol table (mainly for debugging)
  +10h  DWORD  NumberOfSymbols;       // number of symbols in the symbol table (same as above)
  +14h  WORD   SizeOfOptionalHeader;  // size of the IMAGE_OPTIONAL_HEADER32 structure
  +16h  WORD   Characteristics;       // file attributes
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;


[Figure: layout of the IMAGE_FILE_HEADER structure]

Below, 小甲鱼 explains the meaning and use of each member in detail:

(1) Machine: the target CPU type of the executable.

Value                      Code     Meaning
IMAGE_FILE_MACHINE_I386    0x014c   x86
IMAGE_FILE_MACHINE_IA64    0x0200   Intel Itanium
IMAGE_FILE_MACHINE_AMD64   0x8664   x64


(2) NumberOfSections: the number of sections. (Note: the section table immediately follows IMAGE_NT_HEADERS.)

(3) TimeDateStamp: indicates when the file was created.

This value is the number of seconds since January 1, 1970, counted in Greenwich Mean Time (GMT). It is a more accurate indicator than the file system's date and time. For how to translate this value, see: spgenius.php?uid=9&rev;do=pgenerduringion&rev;id=555

Tip: in VC you can use the _ctime function or the gmtime function.

(4) PointerToSymbolTable: the file offset of the COFF symbol table. It is basically unused nowadays.

(5) NumberOfSymbols: if a COFF symbol table is present, this is the number of symbols in it. A COFF symbol is a fixed-size structure, so this value is needed to find the end of the COFF symbol table.

(6) SizeOfOptionalHeader: the size of the data structure (IMAGE_OPTIONAL_HEADER) that immediately follows IMAGE_FILE_HEADER. (For 32-bit PE files this value is usually 00E0h; for 64-bit PE32+ files it is 00F0h.)

(7) Characteristics: the file attributes, obtained by combining a selection of flag values. (The valid flags are the IMAGE_FILE_* values defined in winnt.h; their meanings are listed in the table below. For an ordinary EXE file this field is usually 0100h, and for a DLL file it is usually 210Eh.) A friendly tip from 小甲鱼: several attributes can be combined with an OR operation so that the file has all of them at once!


The characteristics of the image. This member can be one or more of the following values.

Value / Meaning

IMAGE_FILE_RELOCS_STRIPPED 0x0001
Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error.

IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
The file is executable (there are no unresolved external references).

IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
COFF line numbers were stripped from the file.

IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
COFF symbol table entries were stripped from file.

IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010
Aggressively trim the working set. This value is obsolete as of Windows 2000.

IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
The application can handle addresses larger than 2 GB.

IMAGE_FILE_BYTES_REVERSED_LO 0x0080
The bytes of the word are reversed. This flag is obsolete.

IMAGE_FILE_32BIT_MACHINE 0x0100
The computer supports 32-bit words.

IMAGE_FILE_DEBUG_STRIPPED 0x0200
Debugging information was removed and stored separately in another file.

IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
If the image is on removable media, copy it to and run it from the swap file.

IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
If the image is on the network, copy it to and run it from the swap file.

IMAGE_FILE_SYSTEM 0x1000
The image is a system file.

IMAGE_FILE_DLL 0x2000
The image is a DLL file. While it is an executable file, it cannot be run directly.

IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
The file should be run only on a uniprocessor computer.

IMAGE_FILE_BYTES_REVERSED_HI 0x8000
The bytes of the word are reversed. This flag is obsolete.
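The header walk described above, as an added example that is not part of the original tutorial: it follows e_lfanew to the NT headers, checks the Signature, and reads the IMAGE_FILE_HEADER fields at the offsets listed earlier. The names file_header_t, parse_file_header, format_stamp and build_sample are hypothetical, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical holder for the IMAGE_FILE_HEADER fields this example reads. */
typedef struct { uint16_t machine, sections, opt_size, characteristics; uint32_t timestamp; } file_header_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xFFFF)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns 0 on success, negative on a malformed image. e_lfanew is read from
   the file itself, so it is bounds-checked before anything is read through it. */
int parse_file_header(const uint8_t *buf, size_t len, file_header_t *out) {
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;  /* DOS header, "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                     /* e_lfanew */
    if (nt > len || len - nt < 0x18) return -2;         /* Signature + file header */
    if (rd32(buf + nt) != 0x00004550) return -3;        /* "PE\0\0" */
    out->machine   = rd16(buf + nt + 0x04);  out->sections = rd16(buf + nt + 0x06);
    out->timestamp = rd32(buf + nt + 0x08);  out->opt_size = rd16(buf + nt + 0x14);
    out->characteristics = rd16(buf + nt + 0x16);
    return 0;
}

/* TimeDateStamp is seconds since 1970-01-01 GMT; gmtime() converts it. */
int format_stamp(uint32_t ts, char *out, size_t n) {
    time_t t = (time_t)ts; struct tm *tm = gmtime(&t);
    return (tm && strftime(out, n, "%Y-%m-%d %H:%M:%S", tm)) ? 0 : -1;
}

/* Constructed sample: DOS header, NT headers at 0x80, values typical of a 32-bit DLL. */
size_t build_sample(uint8_t *buf, size_t cap) {
    if (cap < 0x98) return 0;
    memset(buf, 0, 0x98);
    wr16(buf, 0x5A4D);  wr32(buf + 0x3C, 0x80);  wr32(buf + 0x80, 0x00004550);
    wr16(buf + 0x84, 0x014C);  wr16(buf + 0x86, 3);  wr32(buf + 0x88, 1000000000u);
    wr16(buf + 0x94, 0x00E0);  wr16(buf + 0x96, 0x210E);
    return 0x98;
}

int main(void) {
    uint8_t img[0x98]; file_header_t fh; char when[32];
    if (parse_file_header(img, build_sample(img, sizeof img), &fh) || format_stamp(fh.timestamp, when, sizeof when)) return 1;
    printf("machine=%04X sections=%u built=%s GMT characteristics=%04X dll=%d\n",
           fh.machine, fh.sections, when, fh.characteristics, !!(fh.characteristics & 0x2000));
    return 0;
}
```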
