如何从页眉和/或页脚确定 PE 可执行文件的大小 [英] How to determine the size of an PE executable file from headers and or footers

问题描述

假设您有一个数据流或一个字节块要雕刻，您如何确定可执行文件的大小?

PE 可执行文件格式中有许多头文件，但是我使用哪些头文件部分来确定(如果可能)可执行文件的总长度?

这是文件格式的图片.

解决方案

如果PE文件格式正确，计算可以简化为(伪代码):

size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders在 section_headers 中 foreach section_header:大小 += section_header.SizeOfRawData

地点:

• SizeOfHeaders 是
  • SizeOfRawData 每个部分:
    • .text: 0x15400
    • .data: 0x800
    • .idata: 0x1A00
    • .rsrc: 0x19C00
    • .reloc: 0x1600

  (注意:SizeOfRawData在下图中被称为Raw Size):

  总结一切:

  <预><代码>>>>size_of_headers = 0x400>>>sec_sizes = [0x15400, 0x800, 0x1a00, 0x19c00, 0x1600]>>>size_of_headers + sum(sec_sizes)207872>>>

  总大小:207872 字节.

  验证:

  注意:上面的计算没有考虑PE是否形成不良或是否有覆盖.

  Assuming you have a stream of data or a block of bytes you want to carve, how can you determine the size of the executables?

  There are numerous headers inside the PE executable format, but what header sections do I use to determine (if possible) the total length of the executable?

  Here is a picture of the file format.

  解决方案

  If the PE file is well formed, the calculation can be simplified as (pseudo-code):

  size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders
  
  foreach section_header in section_headers:
      size += section_header.SizeOfRawData
  

  Where:

  • SizeOfHeaders is a member of IMAGE_OPTIONAL_HEADER structure.
  • (IMAGE_OPTIONAL_HEADER structure is part of IMAGE_NT_HEADERS)

  SizeOfHeaders field gives the length of all the headers (note: including the 16-bit stub).

  • Each section header is an IMAGE_SECTION_HEADER structure
  • SizeOfRawData field gives the length of each section on disk.

  ---

  Example with notepad (Windows 10):

  • SizeOfHeaders : 0x400
  • SizeOfRawDataof each sections :
    • .text: 0x15400
    • .data: 0x800
    • .idata: 0x1A00
    • .rsrc: 0x19C00
    • .reloc: 0x1600

  (note: SizeOfRawData is called Raw Size in the below picture):

  Sum everything:

  >>> size_of_headers = 0x400
  >>> sec_sizes = [0x15400, 0x800, 0x1a00, 0x19c00, 0x1600]
  >>> size_of_headers + sum(sec_sizes)
  207872
  >>> 
  

  Total size: 207872 bytes.

  Verification:

  Note: the above calculation doesn't take into account if the PE is badly formed or if there is an overlay.

  这篇关于如何从页眉和/或页脚确定 PE 可执行文件的大小的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！