
                         PE    
                        ===========================

                              (x) 2001 Z0MBiE
                           http://z0mbie.host.sk

             ,    
    PE .

             . ,    
     ,   --    .      :
             ,  . 
  .

       PE ,   CALC.EXE.


     1.    PE      ,  WORD,  
 pe_numofobjects,   PE   +06.

     :       ,   (win9x) 
   ,          ,    
 ,        PE     - .
 ,          ,    
   win32  api-.     ,    
  kernel@int21   BFF712B9.

     :      WORD pe_numofobjects  DWORD pe_datetime
 (  +08),     .    WORD' 
 ,           pe_datetime      
 pe_numofobjects  DWORD.


     2.     PE     (== ,
 object  table),    (, object entry)   
 .    ,      ,  pe_numofobjects .
   PE        0F8h . ,
   ,   WORD  +14h,  18h,  
   PE .

         object entry (   ):

; Section header ("object entry") as laid out in the PE object table.
; Byte offsets in the comments are relative to the start of the entry;
; one entry is 28h bytes long.
oe_struc                struc
oe_name                 db      8 dup (?)       ; 00..07  section name, 8 bytes
oe_virtsize             dd      ?               ; 08..0b  size in memory (rounded up to pe_objectalign, see ALIGN below)
oe_virtrva              dd      ?               ; 0c..0f  RVA of the section; must be a multiple of pe_objectalign
oe_physsize             dd      ?               ; 10..13  size in file (rounded up to pe_filealign, see ALIGN below)
oe_physoffs             dd      ?               ; 14..17  file offset of the raw data; must be a multiple of pe_filealign
oe_xxx                  dd      ?               ; 18..1b  three DWORDs the author marks as meaningful only for .obj files;
                        dd      ?               ; 1c..1f  kept so that oe_flags stays at the
                        dd      ?               ; 20..23  correct offset
oe_flags                dd      ?               ; 24..27  section flags (characteristics)
; ---- total size == 0x28 ---------
oe_struc                ends

             :       
 ___         .  
 ?    ,        
               :
    pe_filealign,     pe_objectalign.

          (     (rva)  )
  .
     :           ,      
              
 .    CIH.

       pe_filealign    pe_objectalign  (DWORD',  +3Ch  +39h)
       ,      pe_filealign    512  (), 
 pe_objectalign  4096 (  ).

            : ( C)

/* Round x up to the next multiple of y.
 * Only correct when y is a non-zero power of two: the mask ~(y-1) clears
 * the low bits, which is the rounding step only for power-of-two y
 * (the header values discussed above, 512 and 4096, qualify).
 * If y == 0 the expression collapses to (x-1) & 0 == 0, so the header's
 * alignment fields should be validated before they are used here. */
#define ALIGN(x,y)      (((x)+(y)-1)&(~((y)-1)))

     // oe = array of section (object) entries, pe = pointer to the PE header
     // i  = index of the entry being adjusted
     oe[i].oe_physsize = ALIGN(oe[i].oe_physsize, pe->pe_filealign);   // on-disk size -> file alignment
     oe[i].oe_virtsize = ALIGN(oe[i].oe_virtsize, pe->pe_objectalign); // in-memory size -> section alignment

       asm':

     ; Round a section's sizes up to the header alignments; same arithmetic as
     ; the ALIGN() macro above:  size = (size + (align-1)) & ~(align-1).
     ; Assumes pe_filealign / pe_objectalign are non-zero powers of two.
     ; With an alignment of 0, "dec" gives -1 and "not" gives 0, so the final
     ; "and" zeroes the size -- validate the header fields before running this.
     ; esi = pointer to the PE header
     ; edi = pointer to the section (object) entry being adjusted
     ; Clobbers: eax, flags
     ; 1. on-disk size -> multiple of pe_filealign
     mov eax, [esi].pe_filealign
     dec eax                            ; eax = align - 1
     add [edi].oe_physsize, eax         ; size += align - 1
     not eax                            ; eax = ~(align - 1)  (== -align)
     and [edi].oe_physsize, eax         ; size &= mask
     ; 2. in-memory size -> multiple of pe_objectalign
     mov eax, [esi].pe_objectalign
     dec eax                            ; eax = align - 1
     add [edi].oe_virtsize, eax         ; size += align - 1
     not eax                            ; eax = ~(align - 1)
     and [edi].oe_virtsize, eax         ; size &= mask

       ,  ,        == 0. 
       watcom.      ,    .    
         ?        
    objectalign.

           ,        
   ,          
     ,       - .  
        ;       
  .      ,     .

     :                ,     
      ; ""  "" 
   .


     3.      PE      ?  ,    PE
       (       ) 
     .  ,
         ,      
 , , , ,    
 .

            < >  < >.
       --    ,          . 
     --    ,     . 
          DB ?,    
   .     
  .     :

                       

   +--------+                       +--------+
   |MZxxxxxx| <----  ----> |MZxxxxxx|
   +--------+                       |00000000|<--alignment
   |xxxxxxxx|                       +--------+
   |xxxxxxxx| <---- c#1 -----> |xxxxxxxx|\~~~~~~~\
   |xxxxxxxx|                       |xxxxxxxx| }-.   \
   +--------+                       |xxxxxxxx|/     }- 
   | ...    |             .  /|00000000|    /   
                          ~~~\|00000000| _______/
                                    +--------+
                                    | ...    |

     ,   :

     -      .  , 
 .    filealign == objectalign.
     -      .  ,    
  .
     -       .      
      alignment.  ,          
 ,      (    )  
         --     .
               
 ""    ,    .

     Alignment --       . 
       :    -- (A)   ,  (B)
       ;     ,   (C)  
      pe_objectalign.    (A)  (B) 
                 . , 
    physsize=512,      virtsize=100,   
 physsize=512,  virtsize=4096,    (A) alignment=3584, 
     (B) alignment=412.     --  ,   -- 
 .       ,       /
 .

     ,        ""   .  
        ,        .
   ,        64k,  
      .


     4.     

     ImageBase --    ,     PE . 
                   PE
   ImageBase  (DWORD,    +34h).     64k, 
      ;    
       .
        --  DLL,       , 
         ImageBase,     
     (==,  ).         
 ,      .   ,  PE DLL', 
       PUSH OFFSET/RETN  JMP.

     ImageSize (DWORD,  +50h) --    ,  
         ,      (rva)
    +    .   
 pe_objectalign.

     BaseOfCode --  RVA   ,    
 object table  .
     BaseOfData --   ,  ,   .
     SizeOfCode --  ,      
                   .   
     SizeOfInitData  &  SizeOfUninitData  --    ,   
   -.      ,    .

     pe_subsystem  (WORD   +5Ch) --  2  GUI , 
 3      .     ,  
    .


     5. 

             
    .
             .
              PE   ,  pe checksum 
  .

                 pe_objectalign,        
 pe_objectalign  ,       ,   
 ,  ,    .

             DWORD=00000001h,      - 
 '.dbg',    .     .

         ,     , ,  
 ,    ,       ,    
 .

     ,      NT'      --    , 
      .


     6. ,       .

        -    : already-infected, subsystem=2/3, ...
        -    
        -  overlay       
        -      
        -    
              
        -  imagesize  --objectalign  
        -  

         : win9X.Examplo


     7.     PE :

         -   
                  - 
                  - 
         -   
         -   ,  
         -     .reloc (  )
         -   
         -   /  - ( ) ,
              ( );
             ,    ,
              
         -         ,
              
         -          
         -      ""  
              
         -          

                                   * * *
