How are PE Base Relocations built up?

Problem description

I'm currently having trouble understanding how PE Base Relocations are built up.

I understand there can be more than one relocation, I understand also why and how this is done, but I just don't understand it programmatically:

Which of the following is true (IMAGE_BASE_RELOCATION in WinNT.h)?

// Base relocation #1
DWORD   VirtualAddress;
DWORD   SizeOfBlock; // size of current relocation
WORD    TypeOffset[1];
// Base relocation #2
DWORD   VirtualAddress;
DWORD   SizeOfBlock; // size of current relocation
WORD    TypeOffset[1];
// Base relocation #3
DWORD   VirtualAddress;
DWORD   SizeOfBlock; // size of current relocation
WORD    TypeOffset[1];

DWORD   VirtualAddress;
DWORD   SizeOfBlock; // size of all relocations
WORD    TypeOffset[1]; // relocation #1
WORD    TypeOffset[1]; // relocation #2
WORD    TypeOffset[1]; // relocation #3

Or are both incorrect? How must I loop through all base relocations programmatically?

Currently I have this code, seems to be incorrect somewhere:

DWORD baseRelocationSize = imageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
unsigned int baseRelocationCount = baseRelocationSize / sizeof(IMAGE_BASE_RELOCATION);
DWORD baseDelta = (DWORD_PTR)moduleBase - (DWORD_PTR)imageNtHeaders->OptionalHeader.ImageBase;

IMAGE_BASE_RELOCATION* baseRelocation = (IMAGE_BASE_RELOCATION*)((DWORD_PTR)moduleBase + (DWORD_PTR)imageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);

for(unsigned int i = 0; i != baseRelocationCount; ++i)
{
    unsigned int entryCount = (baseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

    for(unsigned int j = 0; j != entryCount; ++j)
    {
        WORD* entry = (WORD*)((DWORD_PTR)baseRelocation + (DWORD_PTR)sizeof(IMAGE_BASE_RELOCATION));
        if((*entry >> 12) & IMAGE_REL_BASED_HIGHLOW)
        {
            DWORD* pdw = (PDWORD)((DWORD_PTR)moduleBase + (DWORD_PTR)baseRelocation->VirtualAddress + ((*entry) & 0xfff));
            (*pdw) += baseDelta;
        }

        entry++;
    }

    baseRelocation += baseRelocation->SizeOfBlock;
}

Recommended answer

Neither of the options you indicated is entirely correct/true.

This excellent tutorial on How to inject code in a PE file shows that the actual IMAGE_BASE_RELOCATION structure is:

typedef struct _IMAGE_BASE_RELOCATION {
  DWORD   VirtualAddress;
  DWORD   SizeOfBlock;
} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;

Section 5.2 of this Microsoft Portable Executable and Common Object File Format Specification describes the structure. The SizeOfBlock-8 actually indicates how many WORD TypeOffset follow after the VirtualAddress and SizeOfBlock.

I think you would also be interested in Table 7 of the tutorial, which shows the structure of the blocks from the relocation table. I'll copy-paste the table here for quick-reference.
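
A bounds-checked walk over the block layout described in this answer, added here as an illustration and not taken from the original post or the linked tutorial. The function, type and sample names are hypothetical, the structures are redefined so it builds without WinNT.h, and only 32-bit HIGHLOW entries are handled. SizeOfBlock is treated as a byte count that includes the 8-byte header, and the walk advances by that many bytes per block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Type values as defined by the PE format; redefined so this builds without WinNT.h. */
enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3 };
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } RelocBlockHdr; /* 8 bytes */

/* Add `delta` to every HIGHLOW target listed in relocation directory `dir`. Returns the
   fixup count, or -1 if the table is malformed. Assumes a little-endian host. */
int apply_base_relocs(uint8_t *image, size_t image_size,
                      const uint8_t *dir, size_t dir_size, uint32_t delta)
{
    size_t off = 0;
    int applied = 0;
    while (dir_size - off >= sizeof(RelocBlockHdr)) {
        RelocBlockHdr hdr;
        memcpy(&hdr, dir + off, sizeof hdr);
        /* SizeOfBlock counts the 8-byte header plus all entries of this block. */
        if (hdr.SizeOfBlock < sizeof hdr || hdr.SizeOfBlock > dir_size - off)
            return -1;
        size_t count = (hdr.SizeOfBlock - sizeof hdr) / sizeof(uint16_t);
        for (size_t i = 0; i < count; i++) {
            uint16_t entry; uint32_t value;
            memcpy(&entry, dir + off + sizeof hdr + i * 2, sizeof entry);
            size_t rva = (size_t)hdr.VirtualAddress + (entry & 0x0FFF);
            if ((entry >> 12) == REL_ABSOLUTE) continue;   /* alignment padding */
            if ((entry >> 12) != REL_HIGHLOW) return -1;   /* not handled here */
            if (rva > image_size || image_size - rva < sizeof value) return -1;
            memcpy(&value, image + rva, sizeof value);
            value += delta;
            memcpy(image + rva, &value, sizeof value);
            applied++;
        }
        off += hdr.SizeOfBlock;   /* advance in bytes to the next block header */
    }
    return applied;
}

/* Constructed sample: two blocks of 12 bytes each (header + 2 entries). */
static const uint8_t sample_dir[] = {
    0x00,0x10,0,0, 0x0C,0,0,0, 0x04,0x30, 0x00,0x00,   /* RVA 0x1000: HIGHLOW+4, pad */
    0x00,0x20,0,0, 0x0C,0,0,0, 0x10,0x30, 0xFC,0x3F }; /* RVA 0x2000: +0x10, +0xFFC */
static uint8_t sample_image[0x3000];
int demo_apply(uint32_t delta) {
    memset(sample_image, 0, sizeof sample_image);
    return apply_base_relocs(sample_image, sizeof sample_image,
                             sample_dir, sizeof sample_dir, delta);
}
```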
