我们写一个很简单的.Net的Console的Application.
>>dumpbin -all ConsoleApplication1.exe>c:\b.txt
>>notepad c:\b.txt
去掉二进制代码之后,我们得到下面的结构和结果:
Dump of file ConsoleApplication1.exe
PE signature found
File Type: EXECUTABLE IMAGE FILE HEADER VALUES
14C machine (x86)
3 number of sections
47216963 time date stamp Fri Oct 26 12:13:23 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
8.00 linker version
1000 size of code
2000 size of initialized data
0 size of uninitialized data
27BE entry point (004027BE)
2000 base of code
4000 base of data
400000 image base (00400000 to 00407FFF)
2000 section alignment
1000 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
8000 size of image
1000 size of headers
0 checksum
3 subsystem (Windows CUI)
400 DLL characteristics
No structured exception handler
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
2770 [ 4B] RVA [size] of Import Directory
4000 [ 390] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
6000 [ C] RVA [size] of Base Relocation Directory
26EC [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2000 [ 8] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
2008 [ 48] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
7C4 virtual size
2000 virtual address (00402000 to 004027C3)
1000 size of raw data
1000 file pointer to raw data (00001000 to 00001FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
Debug Directories
Time Type Size RVA Pointer
-------- ------ -------- -------- --------
47216963 cv 65 00002708 1708 Format: RSDS, {5AD83DC1-5587-401A-ADE6-2DE784E28C8C}, 4,
G:\Projects\TestWinApp\ConsoleApplication1\obj\Debug\ConsoleApplication1.pdb
clr Header:
48 cb
2.05 runtime version
20A4 [ 648] RVA [size] of MetaData Directory
1 flags
6000001 entry point token
0 [ 0] RVA [size] of Resources Directory
0 [ 0] RVA [size] of StrongNameSignature Directory
0 [ 0] RVA [size] of CodeManagerTable Directory
0 [ 0] RVA [size] of VTableFixups Directory
0 [ 0] RVA [size] of ExportAddressTableJumps Directory
0 [ 0] RVA [size] of ManagedNativeHeader Directory
Section contains the following imports:
mscoree.dll
402000 Import Address Table
402798 Import Name Table
0 time date stamp
0 Index of first forwarder reference
0 _CorExeMain
SECTION HEADER #2
.rsrc name
390 virtual size
4000 virtual address (00404000 to 0040438F)
1000 size of raw data
2000 file pointer to raw data (00002000 to 00002FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #3
.reloc name
C virtual size
6000 virtual address (00406000 to 0040600B)
1000 size of raw data
3000 file pointer to raw data (00003000 to 00003FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
RAW DATA #3
BASE RELOCATIONS #3
2000 RVA, C SizeOfBlock
7C0 HIGHLOW 00402000
0 ABS
Summary
2000 .reloc
2000 .rsrc
2000 .text
标住出一些重要的部分,就不做分析了,因为我也不是每行都十分明白含义..
简明的标识了.Net修了了的PE文件格式包含的一些特别的东西,大家特别注意下那个CLR header.
>>dumpbin -all ConsoleApplication1.exe>c:\b.txt
>>notepad c:\b.txt
去掉二进制代码之后,我们得到下面的结构和结果:
Dump of file ConsoleApplication1.exe
PE signature found
File Type: EXECUTABLE IMAGE FILE HEADER VALUES
14C machine (x86)
3 number of sections
47216963 time date stamp Fri Oct 26 12:13:23 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
8.00 linker version
1000 size of code
2000 size of initialized data
0 size of uninitialized data
27BE entry point (004027BE)
2000 base of code
4000 base of data
400000 image base (00400000 to 00407FFF)
2000 section alignment
1000 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
8000 size of image
1000 size of headers
0 checksum
3 subsystem (Windows CUI)
400 DLL characteristics
No structured exception handler
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
2770 [ 4B] RVA [size] of Import Directory
4000 [ 390] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
6000 [ C] RVA [size] of Base Relocation Directory
26EC [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2000 [ 8] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
2008 [ 48] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
7C4 virtual size
2000 virtual address (00402000 to 004027C3)
1000 size of raw data
1000 file pointer to raw data (00001000 to 00001FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
Debug Directories
Time Type Size RVA Pointer
-------- ------ -------- -------- --------
47216963 cv 65 00002708 1708 Format: RSDS, {5AD83DC1-5587-401A-ADE6-2DE784E28C8C}, 4,
G:\Projects\TestWinApp\ConsoleApplication1\obj\Debug\ConsoleApplication1.pdb
clr Header:
48 cb
2.05 runtime version
20A4 [ 648] RVA [size] of MetaData Directory
1 flags
6000001 entry point token
0 [ 0] RVA [size] of Resources Directory
0 [ 0] RVA [size] of StrongNameSignature Directory
0 [ 0] RVA [size] of CodeManagerTable Directory
0 [ 0] RVA [size] of VTableFixups Directory
0 [ 0] RVA [size] of ExportAddressTableJumps Directory
0 [ 0] RVA [size] of ManagedNativeHeader Directory
Section contains the following imports:
mscoree.dll
402000 Import Address Table
402798 Import Name Table
0 time date stamp
0 Index of first forwarder reference
0 _CorExeMain
SECTION HEADER #2
.rsrc name
390 virtual size
4000 virtual address (00404000 to 0040438F)
1000 size of raw data
2000 file pointer to raw data (00002000 to 00002FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #3
.reloc name
C virtual size
6000 virtual address (00406000 to 0040600B)
1000 size of raw data
3000 file pointer to raw data (00003000 to 00003FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
RAW DATA #3
BASE RELOCATIONS #3
2000 RVA, C SizeOfBlock
7C0 HIGHLOW 00402000
0 ABS
Summary
2000 .reloc
2000 .rsrc
2000 .text
标住出一些重要的部分,就不做分析了,因为我也不是每行都十分明白含义..简明的标识了.Net修了了的PE文件格式包含的一些特别的东西,大家特别注意下那个CLR header.
添加至收藏夹