
Chapter 3 Exercises

1. Inspecting the header by hand

root@DESKTOP-2HBCL3H:/mnt/c/Users/WP/Documents# xxd hello.exe | head -n 30
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
00000080: bbfb 548a ff9a 3ad9 ff9a 3ad9 ff9a 3ad9  ..T...:...:...:.
00000090: adef 3bd8 fc9a 3ad9 adef 3fd8 e69a 3ad9  ..;...:...?...:.
000000a0: adef 3ed8 f29a 3ad9 ebf1 3bd8 fb9a 3ad9  ..>...:...;...:.
000000b0: ff9a 3bd9 bb9a 3ad9 a9ef 3ed8 fe9a 3ad9  ..;...:...>...:.
000000c0: a9ef c5d9 fe9a 3ad9 a9ef 38d8 fe9a 3ad9  ......:...8...:.
000000d0: 5269 6368 ff9a 3ad9 0000 0000 0000 0000  Rich..:.........
000000e0: 0000 0000 0000 0000 5045 0000 4c01 0900  ........PE..L...
000000f0: cd9c f260 0000 0000 0000 0000 e000 0201  ...`............
00000100: 0b01 0e1d 0056 0000 0046 0000 0000 0000  .....V...F......
00000110: 2310 0100 0010 0000 0010 0000 0000 4000  #.............@.
00000120: 0010 0000 0002 0000 0600 0000 0000 0000  ................
00000130: 0600 0000 0000 0000 0000 0200 0004 0000  ................
00000140: 0000 0000 0300 4081 0000 1000 0010 0000  ......@.........
00000150: 0000 1000 0010 0000 0000 0000 1000 0000  ................
00000160: 0000 0000 0000 0000 c4b1 0100 5000 0000  ............P...
00000170: 00e0 0100 3c04 0000 0000 0000 0000 0000  ....<...........
00000180: 0000 0000 0000 0000 00f0 0100 9c03 0000  ................
00000190: f884 0100 3800 0000 0000 0000 0000 0000  ....8...........
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 3085 0100 4000 0000 0000 0000 0000 0000  0...@...........
000001c0: 00b0 0100 c401 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1. Line 1 (0x00~0x0f)
   00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
   e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc e_ss
2. Line 2 (0x10~0x1f)
   00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
   e_sp e_csum e_ip e_cs e_lfarlc e_ovno e_res[0] e_res[1]
3. Line 3 (0x20~0x2f)
   00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
   e_res[2] e_res[3] e_oemid e_oeminfo e_res2[0] e_res2[1] e_res2[2] e_res2[3]
4. Line 4 (0x30~0x3f)
   00000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
   e_res2[4] e_res2[5] e_res2[6] e_res2[7] e_res2[8] e_res2[9] e_lfanew
5. PE Header Signature (0xe8~0xeb)
   000000e8: 5045 0000  PE..
   Signature
6. IMAGE_FILE_HEADER Line 1 (0xec~0xef)
   000000ec: 4c01 0900
   Machine NumberOfSections
   Sections (objdump -h output):
   Idx Name      Size      VMA       LMA       File off  Algn
     0 .textbss  00010000  00401000  00401000  00000000  2**2  ALLOC, LOAD, CODE
     1 .text     000055b7  00411000  00411000  00000400  2**2  CONTENTS, ALLOC, LOAD, READONLY, CODE
     2 .rdata    00002281  00417000  00417000  00005a00  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA
     3 .data     00000200  0041a000  0041a000  00007e00  2**2  CONTENTS, ALLOC, LOAD, DATA
     4 .idata    00000ade  0041b000  0041b000  00008000  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA
     5 .msvcjmc  00000104  0041c000  0041c000  00008c00  2**2  CONTENTS, ALLOC, LOAD, DATA
     6 .00cfg    00000109  0041d000  0041d000  00008e00  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA
     7 .rsrc     0000043c  0041e000  0041e000  00009000  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA
     8 .reloc    00000584  0041f000  0041f000  00009600  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA
   SYMBOL TABLE:
   no symbols
7. IMAGE_FILE_HEADER Line 2 (0xf0~0xff)
   000000f0: cd9c f260 0000 0000 0000 0000 e000 0201  ...`............
   TimeDateStamp PointerToSymbolTable NumberOfSymbols SizeOfOptionalHeader Characteristics
   Characteristics: 0x0102 = IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE
8. IMAGE_OPTIONAL_HEADER64 Line 1 (0x100~0x10f)
   00000100: 0b01 0e1d 0056 0000 0046 0000 0000 0000  .....V...F......
   Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData SizeOfUninitializedData AddressOfEntryPoint
9. IMAGE_OPTIONAL_HEADER64 Line 2 (0x110~0x11f)
   00000110: 2310 0100 0010 0000 0010 0000 0000 4000  #.............@.
   BaseOfCode ImageBase SectionAlignment
10. IMAGE_OPTIONAL_HEADER64 Line 3 (0x120~0x12f)
    00000120: 0010 0000 0002 0000 0600 0000 0000 0000  ................
    MajorOperatingSystemVersion MinorOperatingSystemVersion MajorImageVersion MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue
11. IMAGE_OPTIONAL_HEADER64 Line 4 (0x130~0x13f)
    00000130: 0600 0000 0000 0000 0000 0200 0004 0000  ................
    SizeOfImage SizeOfHeaders CheckSum Subsystem DllCharacteristics
12. IMAGE_OPTIONAL_HEADER64 Lines 5~7 (0x140~0x168)
    00000140: 0000 0000 0300 4081 0000 1000 0010 0000  ......@.........
    SizeOfStackReserve SizeOfStackCommit
    00000150: 0000 1000 0010 0000 0000 0000 1000 0000  ................
    SizeOfHeapReserve SizeOfHeapCommit
    00000160: 0000 0000 0000 0000
    LoaderFlags NumberOfRvaAndSizes
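To check the labels above against the bytes rather than by eye, here is an added Python parser (not from the book or from these notes) that walks MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> optional header over the bytes of the dump above, picks the PE32 or PE32+ field layout from the Magic value, and returns each field's file offset next to its value.

```python
import struct
# Bytes copied from the xxd dump of hello.exe above (DOS header, PE header at e_lfanew); unlisted ranges stay zero.
HEX_LINES = """\
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000
00000030: 0000 0000 0000 0000 0000 0000 e800 0000
000000e8: 5045 0000 4c01 0900
000000f0: cd9c f260 0000 0000 0000 0000 e000 0201
00000100: 0b01 0e1d 0056 0000 0046 0000 0000 0000
00000110: 2310 0100 0010 0000 0010 0000 0000 4000
00000120: 0010 0000 0002 0000 0600 0000 0000 0000
00000130: 0600 0000 0000 0000 0000 0200 0004 0000
00000140: 0000 0000 0300 4081 0000 1000 0010 0000
00000150: 0000 1000 0010 0000 0000 0000 1000 0000"""
def load_xxd(text, size=0x200):  # rebuild a byte image from xxd-style "offset: hex bytes" lines
    buf = bytearray(size)
    for off, data in (line.split(":") for line in text.splitlines()):
        data = bytes.fromhex(data.replace(" ", ""))
        buf[int(off, 16):int(off, 16) + len(data)] = data
    return bytes(buf)

FILE_HEADER = ("Machine:H NumberOfSections:H TimeDateStamp:I PointerToSymbolTable:I "
               "NumberOfSymbols:I SizeOfOptionalHeader:H Characteristics:H")
# P = pointer-sized: 4 bytes in PE32 (Magic 0x10b), 8 in PE32+ (Magic 0x20b); BaseOfData exists only in PE32.
OPTIONAL_HEADER = ("Magic:H MajorLinkerVersion:B MinorLinkerVersion:B SizeOfCode:I SizeOfInitializedData:I "
    "SizeOfUninitializedData:I AddressOfEntryPoint:I BaseOfCode:I BaseOfData:I ImageBase:P "
    "SectionAlignment:I FileAlignment:I MajorOperatingSystemVersion:H MinorOperatingSystemVersion:H "
    "MajorImageVersion:H MinorImageVersion:H MajorSubsystemVersion:H MinorSubsystemVersion:H "
    "Win32VersionValue:I SizeOfImage:I SizeOfHeaders:I CheckSum:I Subsystem:H DllCharacteristics:H "
    "SizeOfStackReserve:P SizeOfStackCommit:P SizeOfHeapReserve:P SizeOfHeapCommit:P LoaderFlags:I NumberOfRvaAndSizes:I")

def read_fields(img, pos, spec, ptr="I", skip=()):  # -> ({name: (file offset, value)}, end offset)
    out = {}
    for name, fmt in (item.split(":") for item in spec.split()):
        if name not in skip:
            fmt = fmt.replace("P", ptr)  # all PE header fields are little-endian
            out[name] = (pos, struct.unpack_from("<" + fmt, img, pos)[0])
            pos += struct.calcsize(fmt)
    return out, pos

def parse_pe_headers(img):  # MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> optional header
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ or PE signature missing")
    hdr, pos = read_fields(img, e_lfanew + 4, FILE_HEADER)
    magic = struct.unpack_from("<H", img, pos)[0]  # Magic selects the PE32 or PE32+ layout
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32 = magic == 0x10B
    opt, _ = read_fields(img, pos, OPTIONAL_HEADER, "I" if pe32 else "Q", () if pe32 else ("BaseOfData",))
    return {"e_lfanew": (0x3C, e_lfanew), **hdr, **opt}
```

For this dump Magic is 0x10b, so the PE32 layout applies: BaseOfData is present and ImageBase is a 4-byte field at 0x11c; a PE32+ file (Magic 0x20b) drops BaseOfData and widens ImageBase and the stack/heap sizes to 8 bytes.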

2. Differences between the on-disk layout and the in-memory layout

..? readelf can't read a PE binary, so how...
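
One way to see the disk/memory difference without readelf is to compute it from the section table that objdump -h printed in exercise 1. The Python below is an added example (not part of these notes), with ImageBase, SectionAlignment and FileAlignment taken from the optional header in the dump; it maps an RVA to its file offset and compares each section's on-disk and in-memory footprint.

```python
# Values from the hello.exe dump in exercise 1: ImageBase, SectionAlignment and FileAlignment
# from the optional header, and (name, Size, VMA, File off, has CONTENTS) from the objdump -h listing.
IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN = 0x400000, 0x1000, 0x200
SECTIONS = [
    (".textbss", 0x10000, 0x401000, 0x0000, False),  # ALLOC, LOAD, CODE but no CONTENTS: memory only
    (".text",    0x055b7, 0x411000, 0x0400, True),
    (".rdata",   0x02281, 0x417000, 0x5a00, True),
    (".data",    0x00200, 0x41a000, 0x7e00, True),
    (".idata",   0x00ade, 0x41b000, 0x8000, True),
    (".msvcjmc", 0x00104, 0x41c000, 0x8c00, True),
    (".00cfg",   0x00109, 0x41d000, 0x8e00, True),
    (".rsrc",    0x0043c, 0x41e000, 0x9000, True),
    (".reloc",   0x00584, 0x41f000, 0x9600, True),
]

def align_up(x, a):
    return (x + a - 1) & ~(a - 1)

def section_spans():
    """Per section: bytes it occupies in the file (FileAlignment) vs. in the loaded image (SectionAlignment)."""
    return [(name, align_up(size, FILE_ALIGN) if contents else 0, align_up(size, SECTION_ALIGN))
            for name, size, _, _, contents in SECTIONS]

def rva_to_file_offset(rva):
    """Translate a memory-layout address (RVA) to the disk offset holding the same byte.
    Returns (section, None) for a section that exists only in memory."""
    for name, size, vma, fileoff, contents in SECTIONS:
        sec_rva = vma - IMAGE_BASE
        if sec_rva <= rva < sec_rva + align_up(size, SECTION_ALIGN):
            return name, (fileoff + (rva - sec_rva)) if contents else None
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def layout_sizes():
    """(end of the last section on disk, end of the last section in memory)."""
    disk = max(off + align_up(size, FILE_ALIGN) for _, size, _, off, c in SECTIONS if c)
    mem = max(vma - IMAGE_BASE + align_up(size, SECTION_ALIGN) for _, size, vma, _, _ in SECTIONS)
    return disk, mem

if __name__ == "__main__":
    for name, on_disk, in_memory in section_spans():
        print(f"{name:9} disk {on_disk:#8x}  memory {in_memory:#8x}")
    print("entry point RVA 0x11023 ->", rva_to_file_offset(0x11023))
    print("disk end / memory end:", [hex(v) for v in layout_sizes()])
```

.textbss takes 0x10000 bytes at RVA 0x1000 in memory but none on disk, and the whole image ends at 0x20000 when loaded (matching SizeOfImage in the dump) versus 0x9c00 on disk.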

3. PE vs ELF

With objdump, only the .text section of a PE file can be examined; the sections after it do not show up. (Same even after adding PDB symbols.)
1. How do the code and data parts differ?
   a. ELF file: a minimal amount of code (only main, the user-defined functions and the essential ones).
   b. PE file: a considerable amount of code (besides main and the user-defined functions, a great many functions unfamiliar to the program's author).
2. Can the code or data patterns used by the compiler producing ELF binaries be distinguished from those of the compiler producing PE binaries?
   a. ELF file
      Where alignment is needed at the end of a function, alignment padding is inserted (there seems to be a separate assembly instruction used for alignment).
      As for data, only the data the user uses is present.
   b. PE file
      Where alignment is needed, it is padded with CC (int3).
      As for data, a considerable amount of data the user never entered is present.