IMAGE_DATA_DIRECTORY (資料目錄表)結構如下:
[地址(RAW)范圍:0x00000168 - 0x000001e7] [長度:80h] [資料目錄表(16項,每個成員占8位元組).]
------------------------------------------------------------
[成員] [地址(RAW)] [偏移量] [資料:RVA] [大小] [說明] [結構]
Export Table: 0x00000168 [e_lfanew+0x078] 0x00000000 0x00000000 [ 匯出表 ] [IMAGE_DIRECTORY_ENTRY_EXPORT]
Import Table: 0x00000170 [e_lfanew+0x080] 0x0001A390 0x00000118 [ 匯入表 ] [IMAGE_DIRECTORY_ENTRY_IMPORT]
Resources Table: 0x00000178 [e_lfanew+0x088] 0x0001C000 0x00019AF0 [ 資源 ] [IMAGE_DIRECTORY_ENTRY_RESOURCE]
Exception Table: 0x00000180 [e_lfanew+0x090] 0x00000000 0x00000000 [ 例外 ] [IMAGE_DIRECTORY_ENTRY_EXCEPTION]
Security Table: 0x00000188 [e_lfanew+0x098] 0x00000000 0x00000000 [安全證書] [IMAGE_DIRECTORY_ENTRY_SECURITY]
Base relocation Table: 0x00000190 [e_lfanew+0x0A0] 0x00036000 0x000014F4 [重定位表] [IMAGE_DIRECTORY_ENTRY_BASERELOC]
Debug: 0x00000198 [e_lfanew+0x0A8] 0x00016E30 0x00000038 [除錯資訊] [IMAGE_DIRECTORY_ENTRY_DEBUG]
Architecture(Copyrught): 0x000001a0 [e_lfanew+0x0B0] 0x00000000 0x00000000 [著作權所有] [IMAGE_DIRECTORY_ENTRY_ARCHITECTURE(IMAGE_DIRECTORY_ENTRY_COPYRIGHT)]
Global Ptr: 0x000001a8 [e_lfanew+0x0B8] 0x00000000 0x00000000 [全域指標] [IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
Tread local storage(TLS): 0x000001b0 [e_lfanew+0x0C0] 0x00000000 0x00000000 [ TLS 表 ] [IMAGE_DIRECTORY_ENTRY_TLS]
Load configuration: 0x000001b8 [e_lfanew+0x0C8] 0x000011A0 0x0000005C [加載配置] [IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
Bound Import: 0x000001c0 [e_lfanew+0x0D0] 0x00000000 0x00000000 [系結匯入] [IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
Import Address Table(IAT): 0x000001c8 [e_lfanew+0x0D8] 0x0001A000 0x0000038C [ IAT 表 ] [IMAGE_DIRECTORY_ENTRY_IAT]
Delay Import: 0x000001d0 [e_lfanew+0x0E0] 0x00000000 0x00000000 [延遲匯入] [IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
COM descriptor: 0x000001d8 [e_lfanew+0x0E8] 0x00000000 0x00000000 [ COM ] [IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
保留: 0x000001e0 [e_lfanew+0x0F0] 0x00000000 0x00000000 [ 保留 ] [NULL]
------------------------------------------------------------
------------------------------------------------------------
[成員] [地址(RAW)] [資料:RVA] [說明]
Name: 0x000001e8 [.text] [名稱,長度:8位(16位元組)的ASCII碼.]
VirtualSize: 0x000001f0 00015E90 [V(VS),記憶體中大小(對齊前的長度).]
VirtualAddress: 0x000001f4 00001000 [V(VO),記憶體中偏移(該塊的RVA).]
SizeOfRawData: 0x000001f8 00016000 [R(RS),檔案中大小(對齊后的長度).]
PointerToRawData: 0x000001fc 00000400 [R(RO),檔案中偏移.]
PointerToRelocation: 0x00000200 00000000 [在OBJ檔案中使用,重定位的偏移.]
PointerToLinenumbers: 0x00000204 00000000 [行號表的偏移,提供除錯.]
NumberOfRelocations: 0x00000206 0000 [在OBJ檔案中使用,重定位項數目.]
NumberOfLinenumbers: 0x00000208 0000 [行號表中行號的數目.]
Characteristics: 0x0000020c 60000020 [標志(塊屬性):20000000h 40000000h 00000020h ]
------------------------------------------------------------
[成員] [地址(RAW)] [資料:RVA] [說明]
Name: 0x00000210 [.data] [名稱,長度:8位(16位元組)的ASCII碼.]
VirtualSize: 0x00000218 00002308 [V(VS),記憶體中大小(對齊前的長度).]
VirtualAddress: 0x0000021c 00017000 [V(VO),記憶體中偏移(該塊的RVA).]
SizeOfRawData: 0x00000220 00001200 [R(RS),檔案中大小(對齊后的長度).]
PointerToRawData: 0x00000224 00016400 [R(RO),檔案中偏移.]
PointerToRelocation: 0x00000228 00000000 [在OBJ檔案中使用,重定位的偏移.]
PointerToLinenumbers: 0x0000022c 00000000 [行號表的偏移,提供除錯.]
NumberOfRelocations: 0x0000022e 0000 [在OBJ檔案中使用,重定位項數目.]
NumberOfLinenumbers: 0x00000230 0000 [行號表中行號的數目.]
Characteristics: 0x00000234 C0000040 [標志(塊屬性):40000000h 80000000h 00000040h ]
------------------------------------------------------------
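When I look at the import address table in the notepad PE, the RVA is 0x01A390, and the raw value computed with the raw-rva formula is 0x019790. However, what I find at offset 0x19790 is not the offset corresponding to the INT, while with the Win7 Notepad I can find the corresponding offset. Could this be a Win8.1 issue?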
Reply from a helpful uj5u.com user:
I haven't studied these things in detail. Check whether your computer has software similar to EMET protecting it.
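An added example (not part of the original post or reply): RVA-to-file-offset translation with section bounds checking, using the .text and .data values from the dump above. `SECTION_ALIGNMENT = 0x1000` and all function names are assumptions. Neither listed section contains RVA 0x1A390, so the checked lookup refuses it, while applying the .data delta without a bounds check yields 0x19790, the figure in the question.

```python
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
# Values copied from the two section headers shown in the dump.
SECTIONS = [
    (".text", 0x00001000, 0x00015E90, 0x00000400, 0x00016000),
    (".data", 0x00017000, 0x00002308, 0x00016400, 0x00001200),
]
SECTION_ALIGNMENT = 0x1000  # assumption: common default, not shown in the dump


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def find_section(rva, sections=SECTIONS):
    """Return the section whose mapped range contains rva, or None."""
    for sec in sections:
        _, va, vsize, _, raw_size = sec
        span = align_up(vsize or raw_size, SECTION_ALIGNMENT)
        if va <= rva < va + span:
            return sec
    return None


def rva_to_offset(rva, sections=SECTIONS):
    """Translate an RVA to a file offset, rejecting unmapped RVAs."""
    sec = find_section(rva, sections)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not inside any listed section")
    name, va, _, raw_ptr, raw_size = sec
    delta = rva - va
    if delta >= raw_size:
        # Memory-only tail of a section (VirtualSize > SizeOfRawData).
        raise ValueError(f"RVA {rva:#x} in {name} has no bytes on disk")
    return raw_ptr + delta


def unchecked_offset(rva, sec):
    """Apply one section's VA-to-raw delta without checking bounds."""
    _, va, _, raw_ptr, _ = sec
    return rva - va + raw_ptr


if __name__ == "__main__":
    print(hex(rva_to_offset(0x11A0)))                   # Load configuration
    print(hex(unchecked_offset(0x1A390, SECTIONS[1])))  # .data delta misapplied
    print(find_section(0x1A390))                        # Import Table RVA
```

An RVA must be translated with the header of the section that actually contains it; each section has its own difference between VirtualAddress and PointerToRawData.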
