資源結(jié)構(gòu)詳解

1、5PE之資源文件結(jié)構(gòu)詳解由DOS頭結(jié)構(gòu)0X3C地值指向PE頭地址Offset0123456789ABCDEF000000004D5A5000020000000400OF00FFIT0000MZP.0000001058DO00000D00co0040001A000000DO007翹00000020000000000000000000000000000000000000003000DO000000000000000000000002DO0000000040BA10000EIFB4gCD21B2014CCD2190909999J90000005054686973207072GF6772616D206

2、D7573Thisprcgroinmus0000006074206265207275GE2075GE6465722057tberununderW00000070696E33320DOA2437000000000000DO00in32$70000008000000000000000000000000000000000nnrinnnonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn托BP臺(tái)0*3A由圖知PE頭地址為0X2000000020000000210nnnnn?2n504500004C010800F8D200000000E0000E030B01nn3nncnnnnnnnnn

3、nR4454B00000000PEL?製(050000301B000nnnnnnmnnnnn巾由PE頭地址+0x88定位到數(shù)據(jù)目錄表的第三項(xiàng)資源項(xiàng)IMAGE_DIRECTORY_ENTRY_RESOURCE該結(jié)構(gòu)包含8個(gè)字節(jié)前四個(gè)字節(jié)存儲(chǔ)資源的RVA0x282000后四個(gè)字節(jié)存儲(chǔ)資源的SIZE0x34c00000002700000028000000290000000001000000000902700C7300000000000000000000000DO27006447000000202800004C03000000000000000000?dG'？(L查看文件節(jié)表知道資源位于rsr

4、c塊中data30033030001B400000057BD0O01B2AO030C00C40tlsOOOJ1OTO00277000000300300020A800C0C000400003IODO00278000000302300020AAOOS0C00C40.idataDOO34ODO00279000000332300020XCOO40C00C40.edataDOO35O3O00271000000349300020DEOO40C00C40(.rsrc0OO35OJOcuzezoouOO34UJOOOZIZBOO40C00C40i-clccOOOIAODO002B700000019230002

5、47200S0C00C40去壯乂佢占土臼打七迸強(qiáng)涇彳旦壬友診摳C：IJsersiXdministratorD|C00C15E4C04C00C0Icoocioco文件:節(jié)數(shù):旳間IKZO付r由此計(jì)算出文件偏移=0x212600+(0x282000-0x282000)=0x212600跳轉(zhuǎn)帶資源塊中資源目錄結(jié)構(gòu)中的每一個(gè)節(jié)點(diǎn)都是由IMAGE_RESOURCE_DIRECTORY結(jié)構(gòu)和緊隨其后的數(shù)個(gè)IMAGE_RESOURCE_DIRECTORT_ENTRY結(jié)構(gòu)組成這兩種結(jié)構(gòu)組成一個(gè)目錄塊一般為三層:第一層資源類型，第二層是資源名，第三層是資源代碼頁資源目錄結(jié)構(gòu)（16個(gè)字節(jié)，4個(gè)字段）typedef

6、structMAGE_RESOURCE_DIRECTORYDWORDCharacteristics;DWORDTimeDateStamp;WORDMajorVersion;WORDMinorVersion;/理論上是資源的屬性標(biāo)志，但是通常為0資源建立的時(shí)間主版本次版本W(wǎng)ORDNumberOfNamedEntries;使用名字的資源條目的個(gè)數(shù)WORDNumberOfldEntries;使用ID數(shù)字資源條目的個(gè)數(shù)/IMAGE_RESOURCE_DIRECTORY_ENTRYDirectoryEntries;IMAGE_RESOURCE_DIRECTORY*PIMAGE_RESOURCE_DIRE

7、CTORY;斥】號(hào)尢標(biāo)Q朮絆2光妹沖文|一F3*200號(hào)殖取第三層目汞淡譚代囲炙-IMAGEJiESOURSEJJIBE=nv<AGEJtESOURCE二"IMAGEJtESOURn：矣一層口朮床200東單（中文祥200味單（英又E5第二層目永淡湛ID先扮2FE文作頭教tea親第3靈A2個(gè)細(xì)目04（谿覃C2E3絆200號(hào)孩草目錄NumberOfNamedEntries（以字符串命名的資源數(shù)量）和NumberOfldEntries（以整型數(shù)字來命名的資源數(shù)量）兩個(gè)字段說明了本目錄中目錄項(xiàng)的數(shù)量，兩者加起來即為后面緊跟的IMAGE_RESOURCE_DIRECTORY_ENTRY的

8、數(shù)目資源目錄入口結(jié)構(gòu)（8個(gè)字節(jié)，2個(gè)字段）緊跟著資源目錄結(jié)構(gòu)后的就是資源目錄入II結(jié)構(gòu)，此結(jié)構(gòu)長度為8個(gè)字節(jié)typedefstructJMAGE_RESOURCE_DIRECTORY_ENTRYunionstructDWORDNameOffset:31;DWORDNamelsString:l;DWORDName;目錄項(xiàng)的名字字符串指針或IDWORDId;；unionDWORDOffsetToData;資源數(shù)據(jù)偏移地址或子目錄偏移地址structDWORDOffsetToDirectory:31;DWORDDatalsDirectory:l;IMAGE_RESOURCE_DIRECTORY_EN

9、TRX*PIMAGE_RESOURCE_DIRECTORY_ENTRY;(l)Name字段:定義目錄項(xiàng)的名字或者id作為指針時(shí):該指針是從資源區(qū)塊開始地方算起的偏移量當(dāng)結(jié)構(gòu)用于第一層目錄時(shí)，定義的是資源類型當(dāng)結(jié)構(gòu)用于第二層目錄時(shí)，定義的是資源的名稱當(dāng)結(jié)構(gòu)用于第三層目錄時(shí)，定義的是代碼頁編號(hào)當(dāng)最高位位0,作為ID使用，范W0-16之間，表示系統(tǒng)預(yù)定義的類型0x01:光標(biāo)0x05:對(duì)話框0x09:加速鍵OxOE:圖標(biāo)組0x02:位圖0x06:字符串0x0A:未格式資源0x10:版本信息0x03:圖標(biāo)0x07:字體目錄0x0B:消息表0x04:菜單0x08:字頭0x0C:光標(biāo)組當(dāng)最高位為1時(shí)，字段的

10、低位作為指針使用，資源名稱字符串是使用的UNICODE編碼，這個(gè)指針并不指向字符串，而是指向一個(gè)IMAGE_RESOURCE_DIR_STRING_U結(jié)構(gòu)typedefstructMAGE_RESOURCE_DIR_STRING_UWORDLength;字符串的長度WCHARNameString1;/UNICODE字符串，字對(duì)其的，長度可變IMAGE_RESOURCE_DIR_STRING_U,忡IMAGE_RESOURCE_DIR_STRING_U;(2).OffsetToData字段該字段是一個(gè)指針，當(dāng)最高位為1,低位數(shù)據(jù)指向下一目錄塊的起始地址為0時(shí)，指針指向IMAGE_RESOURCE

11、_DATA_ENTRY結(jié)構(gòu)作為指針時(shí):該指針是從資源區(qū)塊開始地方算起的偏移量typedefstructJMAGE_RESOURCE_DATA_ENTRYDWORDOffsetToData;資源數(shù)據(jù)的RVADWORDSize;資源數(shù)據(jù)的長度DWORDCodePage;代碼頁一般為0DWORDReserved;保留IMAGE_RESOURCE_DATA_ENTRY；*PIMAGE_RESOURCE_DATA_ENTRY;t源數(shù)據(jù)入口（16個(gè)字節(jié)）IMAGE_RESOURCE_DATA_ENTRY（一般是第三層）該結(jié)構(gòu)描述了資源數(shù)據(jù)的位置和人小例子解析第一層：資源類型打開資源塊資源目錄結(jié)構(gòu)（1個(gè)）0

12、123456789ABCDBFOffset0021260080DO000D502327丈0000OD000000DA00AAH1O£21AstructIMAGERESOURCE_DIRECTORYCharacteristics;TimeDateStamp;MajorVersion;MinorVersion;ratorxDGDWORDDWORDWORDWORDWORDWORD由此可見有10中資源類型資源目錄入口結(jié)構(gòu)（10個(gè)）0+0X0A=108*10一共占80個(gè)字節(jié)/0x00000000/0x3C272350/OxOO/OxOONumberOfNamedEntries;NumberOf

13、ldEntries;/OxOO/OxOAEl0000006000008002000000A80000800300000068010080050000008001008006000000A00100800A00000048020080OC000000EO020080OE0000002803008010000000400300SOIS000000580300SO作為ID使用0021261000212620002126300021264000212650DWORDDWORD；當(dāng)最咼位為0,structIMAGERESOURCE_DIRECTORY_ENTRYName;/ID=0x01光標(biāo)Offset

14、ToData;子目錄偏移地址=0x80000060struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x02位圖DWORDOffsetToData;子目錄偏移地址=0x800000A8；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x03圖標(biāo)DWORDOffsetToData;子目錄偏移地址=0x80000168；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x05對(duì)話框DWORDOffsetToData;子目錄偏移地址=0x8

15、0000180；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x06字符串DWORDOffsetToData;子目錄偏移地址=0x80000AlA0；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOA未格式資源DWORDOffsetToData;子目錄偏移地址=0x80000248；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOC光標(biāo)組DWORDOffsetToData;子目錄偏移地址=0x800002E0；stru

16、ct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOE圖標(biāo)組DWORDOffsetToData;子目錄偏移地址=0x80000328；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0X10版本信息DWORDOffsetToData;子目錄偏移地址=0x80000340；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0X1824DWORDOffsetToData;子目錄偏移地址=0x80000358;與PEeditor查看到一致資息框表式

17、組組信標(biāo)圖標(biāo)話串格標(biāo)標(biāo)本光位圖對(duì)亠子無光囹版24田田田田田EE田田田志:9第二層：資源名稱以索引圖標(biāo)資源為例struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x03圖標(biāo)DWORDOffsetToData;子目錄偏移地址=0x80000168；UUUUDUULIUUZ1DUUUJUUU«iOUUUUdU.U£UU<iUUiUiUiUi<tUirrsrc000350000028200000034C0000212600400000401k-nnmh門仃仃nn*?P7nnnnnn1Qnn仃仃9/172仃仃£

18、仃仃仃仃仃/1n找到第二層所在文件地址二0x212600+0x00000168=0x212768DWORDCharacteristics;/0x00000000DWORDTimeDateStamp;WORDMajorVersion;WORDMinorVersion;/0x3C272350/0x00/0x0000212760FA10008010060080000000005023273C?PF0021277000000000000001000100000028060080(structJMAGE_RESOURCE_DIRECTORYWORDNumberOfNamedEntries;/0x00WO

19、RDNumberOfldEntries;/OxOl下面有一個(gè)資源目錄入口結(jié)構(gòu)struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;資源的名稱0x01DWORDOffsetToData;子目錄偏移地址=0x80000628；Name字段當(dāng)最高位位0,作為ID使用struct_IMAGE_RESOURCE_DIR_STRING_UWORDLength;/ID=0X01光標(biāo)WCHARNameString1;/子目錄偏移地址=0x80000628第三層：代碼頁編號(hào)struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;資源的

20、名稱0x01DWORDOffsetToData;子目錄偏移地址=0x80000628；找到第三層所在文件地址=0x212600+0x00000628=0x212C2800212C2009040000800C000000000005023273C00212C3000000000000001000408000090OC0000structMAGE_RESOURCE_DIRECTORYDWORDCharacteristics;/0X00DWORDTimeDateStamp;/0X3C272350WORDMajorVersion;/OxOOWORDMinorVersion;/0x00WORDNumbe

21、rOfNamedEntries;/OxOOWORDNumberOfldEntries;/OxOl下面有一個(gè)資源目錄入口結(jié)構(gòu).|struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;代碼頁編號(hào)804DWORDOffsetToData;/資源數(shù)據(jù)偏移地址0x0C90；資源數(shù)據(jù)入門結(jié)構(gòu)地址=0x212600+0X00000C90=0x21329000213290B0572800E80200000000000000000000me?=0X2857B0=0X2E8struct_IMAGE_RESOURCE_DATA_ENTRYDWORDOffsetToData;資

22、源數(shù)據(jù)的RVADWORDSize;資源數(shù)據(jù)的長度雖eXeScoprC:U5crsAdmini5trator0esktoplS®習(xí)NPES£SKS55?I境mcuisp.E«?文件(F)«：Ej擺埶Q測(cè)Si少縛DWORDCodePage;代碼頁一般為0DWORDReserved;保留文件資源數(shù)據(jù)地址=0x212600+(0X2857B00x282000)=0x215DB0一直到0X216098共Ox2E8個(gè)字節(jié)I.<覽？.00215DD000215DE000215DF000215E0O00215E1000215E2000215E3000215E400

23、0215E5000215E6000215E7000215E8000215E9000215EA000215EB000215EC000215EDO00215EE000215EFO00215F0O00215F1000215F2000215F3000215F4000215F5000215F6000215F7000215F8000215F9000215FA000215FBO00000000000000000000000000008000008000000080800080000000800080008080000080808000cococo000000FF0000FF000000FFFF00FF000

24、000FF00FF00FFFF0000FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000999900000000000000000000000000000099990000000000000000000000000000099999900000000000000000000000000999

25、999000000000000000000009000099999999990000000000000000099009999999999999000000000000000999999999999999999999990000000000999999999999999999999000000000000999999999999000099990000000000000099999999999990000000000000000000999999999999990000000000000000099999999999999900000000000000009999999999999999900

26、00000000000009999999999999999900000000000000009999999999999999000000000000000099999999999999990000000000000000009999999999999990000000000000000090999999999990000000000000000000099999999999900000000000000000000009999999999999900000000000000000000999999990000000000000000000000O-O-4rUfll內(nèi)逼這遣負(fù)晝嘗遺書疊嘗晝晝疊晝

27、疊骨畳晝栩9-999999-ffi90柜I遺f:遂買II一買|1一1一遣f一疊f一買f:一梅使用eXeScope進(jìn)行驗(yàn)證9.匿Bffis?!?櫃.!櫃翻1?櫃櫃。9.1115（2爍車3-田白框昌期1A1圉話?5撐標(biāo)標(biāo)He?KiG-s-e-EB-E-e-KI點(diǎn)擊試圖二進(jìn)制bS立面石中ro筋EeE仔4k"坦忍eXeScopeC:LIsersAdministratarDe«ldopSS習(xí)NS'PEl資源l資潦J?muuisp.“e彌(F)徧輯(E：舷(Q)視圖Mm（H）邇拆記錄居KKa£箍睜姉ailg圖標(biāo)標(biāo)N$.wcr剖岀入源位弟字皿洗周自偵IP頭uf導(dǎo):3&#

28、174;-a-®?曰®s)_£+-.主：it=00215DB0r犬小二02E8刪止+04-14243+4+5+6+7怡杓4A+B+C+B+E4-FCO215BB0:28COCDOD2000000040CD0D00010004CO215BC0：00OOCOOO00020000ooCOOO000000noCO215ID0：00co03OD00000000co030D000000doCO215BE0:008003OD0080800080030D00800080CO215BF0:808003OD80308000co0JCO000000FFCO215EO0：00FF03OD00Ff?F00FF030D00Ff00FFCO21SE10:FFFF03ODFFFF7F00co030D000000OOCO215E20：00OO03OD00000000oo030D000000OOC0215130:00co03OD00000000co030D000000OOCO215E40:00co03OD00000000co030D000000OOCO215E