{"id":126,"date":"2020-01-05T09:40:42","date_gmt":"2020-01-05T01:40:42","guid":{"rendered":"http:\/\/blog.73007300.xyz\/?p=126"},"modified":"2020-01-08T01:41:50","modified_gmt":"2020-01-07T17:41:50","slug":"%e7%90%86%e8%a7%a3pe%e6%a0%bc%e5%bc%8f-%e6%89%be%e5%87%ba%e5%af%bc%e5%87%ba%e8%a1%a8%ef%bc%88export-table%ef%bc%89%e4%b8%ad%e7%9a%84%e5%87%bd%e6%95%b0%e5%9c%b0%e5%9d%80","status":"publish","type":"post","link":"https:\/\/blog.73007300.xyz\/?p=126","title":{"rendered":"\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(\u7406\u8bba\u7bc7)"},"content":{"rendered":"\n<p>PE\u7684\u7ed3\u6784\uff0c\u53c2\u8003\u6587\u6863https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format\u7684\u76ee\u5f55\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"336\" height=\"786\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image.png\" alt=\"\" class=\"wp-image-127\"\/><\/figure>\n\n\n\n<p>\u6839\u636e\u8fd9\u4e2a\u7ed3\u6784\u6765\u627ekernel32.dll\u4e2d\u7684\u51fd\u6570\u540d\u548c\u51fd\u6570\u540d\u7684RVA\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> PE signature <\/h2>\n\n\n\n<p>\u6587\u4ef6 0x3c \u7684\u5730\u65b9\u6307\u5b9a\u4e86PE signature\u7684\u4f4d\u7f6e\uff08\u4e5f\u5c31\u662fNT_Header\uff0c\u52a0\u5bc6\u89e3\u5bc6\u91cc\u8bf4NT_Header\uff0c\u5fae\u8f6f\u7684\u6587\u6863\u91cc\u6ca1\u6709\u8fd9\u4e48\u4e00\u8bf4\uff09  E8<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"393\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-1.png\" alt=\"\" class=\"wp-image-128\"\/><\/figure>\n\n\n\n<p>E8\u7684\u524d\u56db\u4e2a\u5b57\u8282\u662f PE00,\u5728\u8fd9\u4e4b\u540e\u662f  COFF file header <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">  COFF file header  <\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"346\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-2.png\" alt=\"\" class=\"wp-image-129\"\/><\/figure>\n\n\n\n<p>\u7d27\u63a5\u7740PE signature\u76842\u4e2aByte\uff08Machine\uff09  \u5224\u65adPE\u6587\u4ef6\u662f\u8fd0\u884c\u5728\u4ec0\u4e48\u5e73\u53f0\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"215\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-3.png\" alt=\"\" class=\"wp-image-130\"\/><\/figure>\n\n\n\n<p>COFF file header + 2  \u5904\u76842\u4e2abyte\u6307\u5b9a\u4e86\u8fd9\u4e2aPE\u6587\u4ef6\u6709\u591a\u5c11\u4e2aSection : 06<br> \u7528010Editor\u67e5\u770b\u4e5f\u662f6\u4e2aSection<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"373\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-4.png\" alt=\"\" class=\"wp-image-131\"\/><\/figure>\n\n\n\n<p>COFF file header + 16 \u5904\u7684\u4e24byte\u6307\u5b9a\u4e86OptionalHeader\u7684\u5927\u5c0f \uff1a F0<\/p>\n\n\n\n<p>COFF file header + 20 \u5904\u662f OptionalHeader \u7684\u5f00\u59cb\u4f4d\u7f6e\uff1a100h. 
\u5927\u5c0fF0.<\/p>\n\n\n\n<p>\u4e5f\u5c31\u662f100h \u2013 1F0h\u4e4b\u95f4\u5168\u662f OptionalHeader<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OptionalHeader<\/h2>\n\n\n\n<p>OptionalHeader \u7684\u524d\u4e24\u4e2a\u5b57\u8282\u5224\u65ad\u4e86\u8fd9\u662f\u4e2aPE\u6587\u4ef6\u8fd8\u662f\u4e2aPE+\u6587\u4ef6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"594\" height=\"308\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-5.png\" alt=\"\" class=\"wp-image-132\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"130\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-6.png\" alt=\"\" class=\"wp-image-133\"\/><\/figure>\n\n\n\n<p>\u672c\u6b21\u662f20b ,\u662f\u572864\u4f4d\u5e73\u53f0\u7684pe+\u683c\u5f0f\u3002<br>\nOptionalHeader \u5206\u4e09\u90e8\u5206\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"211\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-7.png\" alt=\"\" class=\"wp-image-134\"\/><\/figure>\n\n\n\n<p>Standard fields \uff0c Windows-specific fields \u548c Data directories\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Standard fields<\/h4>\n\n\n\n<p>100h \u2013 118h \u662f Standard fields\u90e8\u5206<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"382\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-8.png\" alt=\"\" class=\"wp-image-135\"\/><\/figure>\n\n\n\n<p>\u5728PE32\u4e2d\u8fd8\u6709\u989d\u5916\u7684\u5b57\u6bb5BaseOfData\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Windows-specific fields<\/h4>\n\n\n\n<p>118h \u2013 12Eh \u662f Windows-Specific Fields\u90e8\u5206<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"624\" height=\"377\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-9.png\" alt=\"\" class=\"wp-image-136\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"605\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-10.png\" alt=\"\" class=\"wp-image-137\"\/><\/figure>\n\n\n\n<p>SizeOfHeaders \u5728100h + 60 = 13Ch\u7684\u4f4d\u7f6e \uff1a400h<br>\n400 h\u5c31\u662fFile Header \u548c Section Table(Section Header)\u7684\u603b\u5927\u5c0f<br>\n\u5373 400h\u5f00\u59cb\u90e8\u5206\u5c31\u662fSection Data\u90e8\u5206<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data directories<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"672\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-11.png\" alt=\"\" class=\"wp-image-138\"\/><\/figure>\n\n\n\n<p>\u56e0\u6b64PE signature\u7684\u4f4d\u7f6e\u5f00\u59cb+4\uff08PE signature\u7684\u957f\u5ea6\uff09+20\uff08Standard fields\u7684\u957f\u5ea6\uff09+96\uff08Export Table\u7684\u504f\u79fb\uff09= +120 = +78h \u7684\u5730\u65b9\u5c31\u662fExport Table\u76f8\u5bf9PE signature\u7684\u504f\u79fb\u3002<br>\nExport Table \u91cc\u6307\u5411\u4e86Export Table\u7684\u5730\u5740\u548c\u5927\u5c0f\uff0c100h+112=100+70h=170h<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"443\" height=\"103\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-12.png\" alt=\"\" class=\"wp-image-139\"\/><\/figure>\n\n\n\n<p>Address: 90170h<br>\nSize:DD40h=56640<br>\n\u7531\u4e8e\u8fd9\u4e2a\u5730\u5740\u662fRVA \u76f8\u5bf9\u865a\u5740\u3002\u5728\u6587\u4ef6\u4e0a\u67e5\u770b\u8fd8\u8981\u7b97\u51fa \u5185\u5b58\u504f\u79fb \u548c \u6587\u4ef6\u504f\u79fb\u7684\u5dee\u503c\u25b3k<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section Table(Section 
Header)<\/h2>\n\n\n\n<p>\u4ece100h + 232 + 8 = 1F0h \u5f00\u59cb\u662fSection Table(Section Header) \u7684\u8d77\u59cb\u4f4d\u7f6e\u3002<br>\n\u6309\u7167\u4e4b\u524d\u7684\u8ba1\u7b97\uff0c\u4e00\u5171\u67096\u4e2aSection,\u6240\u4ee5\u67096\u4e2aSection Header\uff0c\u6bcf\u4e2a\u7684\u683c\u5f0f\u5982\u4e0b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"642\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-13.png\" alt=\"\" class=\"wp-image-140\"\/><\/figure>\n\n\n\n<p>\u6bcf\u4e2aSection Header \u7684\u5927\u5c0f\u662f40 = 28h\u3002  Section Header\u7684\u603b\u5927\u5c0f\u662f\uff1a 6*40=240=F0h<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"244\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-14.png\" alt=\"\" class=\"wp-image-141\"\/><\/figure>\n\n\n\n<p>\u7b2c\u4e00\u4e2aSection\uff08.text\uff09, \u5fae\u8f6f\u7528\u8fd9\u4e2a\u540d\u5b57\u7684Section\u6765\u5b58\u4ee3\u7801\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"42\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-15.png\" alt=\"\" class=\"wp-image-142\"\/><\/figure>\n\n\n\n<p>VirtualAddress\uff1a1000h<br>\nPE\u88ab\u52a0\u8f7d\u5230\u5185\u5b58\uff0c\u8fd9\u90e8\u5206Section\u5728\u76f8\u5bf9 image base\u504f\u79fb1000h\u7684\u4f4d\u7f6e<br>\nVirtualSize\uff1a7529Ch<br>\n\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\u8303\u56f4\u662f1000h --- 7629Ch<br>\nPointerToRawData\uff1a400h<br>\nPE\u5728\u78c1\u76d8\u4e0a\u5f53\u6587\u4ef6\u5b58\u653e\u65f6\uff0c\u8fd9\u90e8\u5206Section\u5728\u76f8\u5bf9 image base\u504f\u79fb400h\u7684\u4f4d\u7f6e\u3002<br>\n\u5185\u5b58\u504f\u79fb \u548c \u6587\u4ef6\u504f\u79fb\u7684\u5dee\u503c\u25b3k1= 1000h \u2013 400h = C00h<\/p>\n\n\n\n<figure class=\"wp-block-image 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"389\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-16.png\" alt=\"\" class=\"wp-image-143\"\/><\/figure>\n\n\n\n<p>\u7b2c\u4e8c\u4e2aSection\uff08.rdata\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"55\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-19.png\" alt=\"\" class=\"wp-image-146\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"597\" height=\"294\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-18.png\" alt=\"\" class=\"wp-image-145\"\/><\/figure>\n\n\n\n<p>VirtualAddress\uff1a77000h<br>\nVirtualSize\uff1a31BC6h<br>\n\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\u8303\u56f4\u662f77000h --- A8BC6h<br>\n\u8fd9\u91cc\u7b2c\u4e8c\u4e2aSection\u4ece77000h\u5f00\u59cb\u662f\u56e0\u4e3a\u5185\u5b58\u5bf9\u9f50\u4e86\u3002<br>\nPointerToRawData\uff1a75800h<br>\n\u25b3k2=77000h-75800h=1800h<\/p>\n\n\n\n<p>\u56e0\u6b64\uff0c\u4e4b\u524d\u627e\u5230\u7684Export Table\u7684RVA\uff0890170h\uff09\u5c31\u5728.rdata\u7684Section Data\u4e2d\u3002<br>\n\u7b97\u51fa\u4e86\u4ee5\u4e0a\u6570\u636e\uff0c\u5373\u53ef\u4ee5\u901a\u8fc7\u4ee5\u4e0a\u6570\u636e\u627e\u5230Export Table\u5728\u6587\u4ef6\u4e0a\u7684\u504f\u79fb\u4f4d\u7f6e\uff1a<br>\n90170h-\u25b3k2=90170h-1800h=8E970h<br>\n8E970h \u5f00\u59cb\u5c31\u662fThe export data section<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section Data<\/h2>\n\n\n\n<p>The export data section \u5206\u4e3a5\u4e2a\u8868\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"288\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-20.png\" alt=\"\" class=\"wp-image-147\"\/><\/figure>\n\n\n\n<p>\u6211\u53ea\u5173\u5fc3\u7b2c\u4e00\u4e2a\u8868\uff1aExport 
Directory Table\u3002<br>\nExport Directory Table\u8868\u7ed3\u6784\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"436\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-21.png\" alt=\"\" class=\"wp-image-148\"\/><\/figure>\n\n\n\n<p>\u6587\u4ef6\u4e0a\u7684\u6570\u636e\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"139\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-22.png\" alt=\"\" class=\"wp-image-149\"\/><\/figure>\n\n\n\n<p>Ordinal Base \u6307\u5b9a\u4e86\u5e8f\u53f7\u4ece\u591a\u5c11\u5f00\u59cb\uff1a01h<br> Address Table Entries \u6307\u5b9a\u4e86\u6709\u591a\u5c11\u4e2aFunction: 65Dh<\/p>\n\n\n\n<p> Export Address Table RVA : 90198h-1800h=8E998h <\/p>\n\n\n\n<p>Name Pointer RVA \u6307\u5b9a\u4e86Function Name\u7684\u5730\u5740\uff1a91B0Ch-1800h=9030Ch<br> Ordinal Table RVA \u6307\u5b9a\u4e86\u51fd\u6570\u7684\u987a\u5e8f\u8868\u7684\u5730\u5740\uff1a93480h-1800h=91C80h<\/p>\n\n\n\n<p>\u67e5\u770bOrdinal Table \uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"295\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-23.png\" alt=\"\" class=\"wp-image-150\"\/><\/figure>\n\n\n\n<p>\u8fd9\u662f\u4e00\u4e2a\u6570\u7ec4\uff0c\u4e00\u4e2a\u5143\u7d202\u5b57\u8282\u3002<br>\n\u8868\u4e2d\u5e8f\u53f7\u4ece0\u5f00\u59cb\uff0c\u52a0\u4e0aOrdinal Base\u7684\u503c\uff081\uff09\uff0c\u6240\u4ee500 00 \u4ee3\u8868\u4e86\u5e8f\u6570\u662f1\u3002<\/p>\n\n\n\n<p>\u67e5\u770bName Pointer RVA<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"490\" height=\"379\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-24.png\" alt=\"\" 
class=\"wp-image-151\"\/><\/figure>\n\n\n\n<p>\u8fd9\u662f\u4e00\u4e2a\u6570\u7ec4\uff0c\u4e00\u4e2a\u5143\u7d204\u4e2a\u5b57\u8282\u3002<br>\n\u6839\u636e\u5730\u5740\u67e5\u770b\u7b2c\u4e00\u4e2a\u51fd\u6570\u540d\u79f0\uff1a<br>\n94147h-1800h=92947h<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"116\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-25.png\" alt=\"\" class=\"wp-image-152\"\/><\/figure>\n\n\n\n<p>00 \u4ee3\u8868\u7ed3\u675f\u3002\u53ef\u89c1 \u51fd\u6570\u662f\u4eceA\u5f00\u59cb\u6392\u5217\u7684<\/p>\n\n\n\n<p>\u67e5\u770bExport Address Table RVA<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"335\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-26.png\" alt=\"\" class=\"wp-image-153\"\/><\/figure>\n\n\n\n<p>\u8fd9\u4e2a\u5730\u5740\u6709\u53ef\u80fd\u662f\u4e2a\u5185\u5b58\u5730\u5740\uff0c\u6709\u53ef\u80fd\u662f\u4e2a\u5176\u4ed6dll\u7684\u51fd\u6570\u540d\u79f0\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"283\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-27.png\" alt=\"\" class=\"wp-image-154\"\/><\/figure>\n\n\n\n<p>Name Pointer  \u548cOrdinal Table \u8fd9\u4e24\u4e2a\u662f\u5e73\u884c\u7684\u6570\u7ec4\u3002<br> \u6bd4\u5982\u4e24\u4e2a\u6570\u7ec4\u7684\u7b2c\u4e94\u4e2a\u5143\u7d20\u662f\u5bf9\u5e94\u7684\uff0c\u901a\u8fc7Name Pointer\u7684\u7b2c\u4e94\u4e2a\u5143\u7d20\u6307\u5411\u7684\u5730\u5740\u53ef\u4ee5\u77e5\u9053\u8fd9\u4e2a\u51fd\u6570\u7684\u51fd\u6570\u540d\uff0c\u901a\u8fc7Ordinal Table \u7684\u7b2c\u4e94\u4e2a\u5143\u7d20\u6307\u5411\u7684\u6570\u5b57\uff08\u5047\u5982\u662f20\uff09\uff0c\u518d\u53bbExport Address Table \u67e5\u7b2c\uff0820 - Ordinal 
Base\uff09\u4e2a\u5143\u7d20\u7684\u5730\u5740\uff0c\u5c31\u53ef\u4ee5\u67e5\u5230\u6307\u5b9a\u51fd\u6570\u7684\u540d\u79f0\u548c\u5730\u5740\u3002<br> \u5b9e\u9645\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\u8fd8\u8981\u52a0\u4e0a\u57fa\u5740\u3002<\/p>\n\n\n\n<p>\u7edd\u77e5\u6b64\u4e8b\u8981\u8eac\u884c\uff0c\u5b9e\u8df5\u7bc7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-han-0-x-7300-039-s-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"IBMQJOVo2K\"><a href=\"https:\/\/blog.73007300.xyz\/?p=160\">\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(ShellCode\u7bc7)<\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(ShellCode\u7bc7)&#8221; &#8212; han0x7300&#039;s blog\" src=\"https:\/\/blog.73007300.xyz\/?p=160&#038;embed=true#?secret=p6qNlTjadg#?secret=IBMQJOVo2K\" data-secret=\"IBMQJOVo2K\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>PE\u7684\u7ed3\u6784\uff0c\u53c2\u8003\u6587\u6863https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format\u7684\u76ee\u5f55\uff1a \u6839\u636e\u8fd9\u4e2a\u7ed3\u6784\u6765\u627ekernel32.dll\u4e2d\u7684\u51fd\u6570\u540d\u548c\u51fd\u6570\u540d\u7684RVA\u3002 PE signature \u6587\u4ef6 0x3c \u7684\u5730\u65b9\u6307\u5b9a\u4e86PE signature\u7684\u4f4d\u7f6e\uff08\u4e5f\u5c31\u662fNT_Header\uff0c\u52a0\u5bc6\u89e3\u5bc6\u91cc\u8bf4NT_Header\uff0c\u5fae\u8f6f\u7684\u6587\u6863\u91cc\u6ca1\u6709\u8fd9\u4e48\u4e00\u8bf4\uff09 E8 E8\u7684\u524d\u56db\u4e2a\u5b57\u8282\u662f 
PE00,\u5728\u8fd9\u4e4b\u540e\u662f COFF file header COFF file header \u7d27\u63a5\u7740PE signature\u76842\u4e2aByte\uff08Machine\uff09 \u5224\u65adPE\u6587\u4ef6\u65f6\u8fd0\u884c\u5728\u4ec0\u4e48\u5e73\u53f0\uff1a COFF file header + 2 \u5904\u76842\u4e2abyte\u6307\u5b9a\u4e86\u8fd9\u4e2aPE\u6587\u4ef6\u6709\u591a\u5c11\u4e2aSection : 06 \u7528010Editor\u67e5\u770b\u4e5f\u662f6\u4e2aSection COFF file header + 16 \u5904\u7684\u4e24byte\u6307\u5b9a\u4e86OptionalHeader\u7684\u5927\u5c0f \uff1a F0 COFF file header + 20 \u5904\u662f OptionalHeader \u7684\u5f00\u59cb\u4f4d\u7f6e\uff1a100h. \u5927\u5c0fF0. \u4e5f\u5c31\u662f100h \u2013 1F0h\u4e4b\u95f4\u5168\u662f OptionalHeader OptionalHeader OptionalHeader \u7684\u524d\u4e24\u4e2a\u5b57\u8282\u5224\u65ad\u4e86\u8fd9\u662f\u4e2aPE\u6587\u4ef6\u8fd8\u662f\u4e2aPE+\u6587\u4ef6 \u672c\u6b21\u662f20b ,\u662f\u572864\u4f4d\u5e73\u53f0\u7684pe+\u683c\u5f0f\u3002 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/126"}],"collection":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=126"}],"version-history":[{"count":3,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":165,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/126\/revisions\/165"}],"wp:attachment":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&pa
rent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}