资源结构详解

1、5PE之资源文件结构详解由DOS头结构0X3C地值指向PE头地址Offset0123456789ABCDEF000000004D5A5000020000000400OF00FFIT0000MZP.0000001058DO00000D00co0040001A000000DO007翹00000020000000000000000000000000000000000000003000DO000000000000000000000002DO0000000040BA10000EIFB4gCD21B2014CCD2190909999J90000005054686973207072GF6772616D206

2、D7573Thisprcgroinmus0000006074206265207275GE2075GE6465722057tberununderW00000070696E33320DOA2437000000000000DO00in32$70000008000000000000000000000000000000000nnrinnnonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn托BP台0*3A由图知PE头地址为0X2000000020000000210nnnnn?2n504500004C010800F8D200000000E0000E030B01nn3nncnnnnnnnnn

3、nR4454B00000000PEL?製(050000301B000nnnnnnmnnnnn巾由PE头地址+0x88定位到数据目录表的第三项资源项IMAGE_DIRECTORY_ENTRY_RESOURCE该结构包含8个字节前四个字节存储资源的RVA0x282000后四个字节存储资源的SIZE0x34c00000002700000028000000290000000001000000000902700C7300000000000000000000000DO27006447000000202800004C03000000000000000000?dG'？(L查看文件节表知道资源位于rsr

4、c块中data30033030001B400000057BD0O01B2AO030C00C40tlsOOOJ1OTO00277000000300300020A800C0C000400003IODO00278000000302300020AAOOS0C00C40.idataDOO34ODO00279000000332300020XCOO40C00C40.edataDOO35O3O00271000000349300020DEOO40C00C40(.rsrc0OO35OJOcuzezoouOO34UJOOOZIZBOO40C00C40i-clccOOOIAODO002B700000019230002

5、47200S0C00C40去壮乂佢占土臼打七迸強泾彳旦壬友診抠C：IJsersiXdministratorD|C00C15E4C04C00C0Icoocioco文件:节数:旳间IKZO付r由此计算出文件偏移=0x212600+(0x282000-0x282000)=0x212600跳转带资源块中资源目录结构中的每一个节点都是由IMAGE_RESOURCE_DIRECTORY结构和紧随其后的数个IMAGE_RESOURCE_DIRECTORT_ENTRY结构组成这两种结构组成一个目录块一般为三层:第一层资源类型，第二层是资源名，第三层是资源代码页资源目录结构（16个字节，4个字段）typedef

6、structMAGE_RESOURCE_DIRECTORYDWORDCharacteristics;DWORDTimeDateStamp;WORDMajorVersion;WORDMinorVersion;/理论上是资源的属性标志，但是通常为0资源建立的时间主版本次版本WORDNumberOfNamedEntries;使用名字的资源条目的个数WORDNumberOfldEntries;使用ID数字资源条目的个数/IMAGE_RESOURCE_DIRECTORY_ENTRYDirectoryEntries;IMAGE_RESOURCE_DIRECTORY*PIMAGE_RESOURCE_DIRE

7、CTORY;斥】号尢标Q朮絆2光妹冲文|一F3*200号殖取第三层目汞淡谭代囲炙-IMAGEJiESOURSEJJIBE=nv<AGEJtESOURCE二"IMAGEJtESOURn：矣一层口朮床200東单（中文祥200味单（英又E5第二层目永淡湛ID先扮2FE文作头教tea亲第3灵A2个细目04（谿覃C2E3絆200号孩草目录NumberOfNamedEntries（以字符串命名的资源数量）和NumberOfldEntries（以整型数字来命名的资源数量）两个字段说明了本目录中目录项的数量，两者加起来即为后面紧跟的IMAGE_RESOURCE_DIRECTORY_ENTRY的

8、数目资源目录入口结构（8个字节，2个字段）紧跟着资源目录结构后的就是资源目录入II结构，此结构长度为8个字节typedefstructJMAGE_RESOURCE_DIRECTORY_ENTRYunionstructDWORDNameOffset:31;DWORDNamelsString:l;DWORDName;目录项的名字字符串指针或IDWORDId;；unionDWORDOffsetToData;资源数据偏移地址或子目录偏移地址structDWORDOffsetToDirectory:31;DWORDDatalsDirectory:l;IMAGE_RESOURCE_DIRECTORY_EN

9、TRX*PIMAGE_RESOURCE_DIRECTORY_ENTRY;(l)Name字段:定义目录项的名字或者id作为指针时:该指针是从资源区块开始地方算起的偏移量当结构用于第一层目录时，定义的是资源类型当结构用于第二层目录时，定义的是资源的名称当结构用于第三层目录时，定义的是代码页编号当最高位位0,作为ID使用，范W0-16之间，表示系统预定义的类型0x01:光标0x05:对话框0x09:加速键OxOE:图标组0x02:位图0x06:字符串0x0A:未格式资源0x10:版本信息0x03:图标0x07:字体目录0x0B:消息表0x04:菜单0x08:字头0x0C:光标组当最高位为1时，字段的

10、低位作为指针使用，资源名称字符串是使用的UNICODE编码，这个指针并不指向字符串，而是指向一个IMAGE_RESOURCE_DIR_STRING_U结构typedefstructMAGE_RESOURCE_DIR_STRING_UWORDLength;字符串的长度WCHARNameString1;/UNICODE字符串，字对其的，长度可变IMAGE_RESOURCE_DIR_STRING_U,忡IMAGE_RESOURCE_DIR_STRING_U;(2).OffsetToData字段该字段是一个指针，当最高位为1,低位数据指向下一目录块的起始地址为0时，指针指向IMAGE_RESOURCE

11、_DATA_ENTRY结构作为指针时:该指针是从资源区块开始地方算起的偏移量typedefstructJMAGE_RESOURCE_DATA_ENTRYDWORDOffsetToData;资源数据的RVADWORDSize;资源数据的长度DWORDCodePage;代码页一般为0DWORDReserved;保留IMAGE_RESOURCE_DATA_ENTRY；*PIMAGE_RESOURCE_DATA_ENTRY;t源数据入口（16个字节）IMAGE_RESOURCE_DATA_ENTRY（一般是第三层）该结构描述了资源数据的位置和人小例子解析第一层：资源类型打开资源块资源目录结构（1个）0

12、123456789ABCDBFOffset0021260080DO000D502327丈0000OD000000DA00AAH1O£21AstructIMAGERESOURCE_DIRECTORYCharacteristics;TimeDateStamp;MajorVersion;MinorVersion;ratorxDGDWORDDWORDWORDWORDWORDWORD由此可见有10中资源类型资源目录入口结构（10个）0+0X0A=108*10一共占80个字节/0x00000000/0x3C272350/OxOO/OxOONumberOfNamedEntries;NumberOf

13、ldEntries;/OxOO/OxOAEl0000006000008002000000A80000800300000068010080050000008001008006000000A00100800A00000048020080OC000000EO020080OE0000002803008010000000400300SOIS000000580300SO作为ID使用0021261000212620002126300021264000212650DWORDDWORD；当最咼位为0,structIMAGERESOURCE_DIRECTORY_ENTRYName;/ID=0x01光标Offset

14、ToData;子目录偏移地址=0x80000060struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x02位图DWORDOffsetToData;子目录偏移地址=0x800000A8；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x03图标DWORDOffsetToData;子目录偏移地址=0x80000168；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x05对话框DWORDOffsetToData;子目录偏移地址=0x8

15、0000180；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x06字符串DWORDOffsetToData;子目录偏移地址=0x80000AlA0；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOA未格式资源DWORDOffsetToData;子目录偏移地址=0x80000248；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOC光标组DWORDOffsetToData;子目录偏移地址=0x800002E0；stru

16、ct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=OxOE图标组DWORDOffsetToData;子目录偏移地址=0x80000328；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0X10版本信息DWORDOffsetToData;子目录偏移地址=0x80000340；struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0X1824DWORDOffsetToData;子目录偏移地址=0x80000358;与PEeditor查看到一致资息框表式

17、组组信标图标话串格标标本光位图对亠子无光囹版24田田田田田EE田田田志:9第二层：资源名称以索引图标资源为例struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;/ID=0x03图标DWORDOffsetToData;子目录偏移地址=0x80000168；UUUUDUULIUUZ1DUUUJUUU«iOUUUUdU.U£UU<iUUiUiUiUi<tUirrsrc000350000028200000034C0000212600400000401k-nnmh门仃仃nn*?P7nnnnnn1Qnn仃仃9/172仃仃£

18、仃仃仃仃仃/1n找到第二层所在文件地址二0x212600+0x00000168=0x212768DWORDCharacteristics;/0x00000000DWORDTimeDateStamp;WORDMajorVersion;WORDMinorVersion;/0x3C272350/0x00/0x0000212760FA10008010060080000000005023273C?PF0021277000000000000001000100000028060080(structJMAGE_RESOURCE_DIRECTORYWORDNumberOfNamedEntries;/0x00WO

19、RDNumberOfldEntries;/OxOl下面有一个资源目录入口结构struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;资源的名称0x01DWORDOffsetToData;子目录偏移地址=0x80000628；Name字段当最高位位0,作为ID使用struct_IMAGE_RESOURCE_DIR_STRING_UWORDLength;/ID=0X01光标WCHARNameString1;/子目录偏移地址=0x80000628第三层：代码页编号struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;资源的

20、名称0x01DWORDOffsetToData;子目录偏移地址=0x80000628；找到第三层所在文件地址=0x212600+0x00000628=0x212C2800212C2009040000800C000000000005023273C00212C3000000000000001000408000090OC0000structMAGE_RESOURCE_DIRECTORYDWORDCharacteristics;/0X00DWORDTimeDateStamp;/0X3C272350WORDMajorVersion;/OxOOWORDMinorVersion;/0x00WORDNumbe

21、rOfNamedEntries;/OxOOWORDNumberOfldEntries;/OxOl下面有一个资源目录入口结构.|struct_IMAGE_RESOURCE_DIRECTORY_ENTRYDWORDName;代码页编号804DWORDOffsetToData;/资源数据偏移地址0x0C90；资源数据入门结构地址=0x212600+0X00000C90=0x21329000213290B0572800E80200000000000000000000me?=0X2857B0=0X2E8struct_IMAGE_RESOURCE_DATA_ENTRYDWORDOffsetToData;资

22、源数据的RVADWORDSize;资源数据的长度虽eXeScoprC:U5crsAdmini5trator0esktoplS®习NPES£SKS55?I境mcuisp.E«?文件(F)«：Ej摆埶Q测Si少缚DWORDCodePage;代码页一般为0DWORDReserved;保留文件资源数据地址=0x212600+(0X2857B00x282000)=0x215DB0一直到0X216098共Ox2E8个字节I.<览？.00215DD000215DE000215DF000215E0O00215E1000215E2000215E3000215E400

23、0215E5000215E6000215E7000215E8000215E9000215EA000215EB000215EC000215EDO00215EE000215EFO00215F0O00215F1000215F2000215F3000215F4000215F5000215F6000215F7000215F8000215F9000215FA000215FBO00000000000000000000000000008000008000000080800080000000800080008080000080808000cococo000000FF0000FF000000FFFF00FF000

24、000FF00FF00FFFF0000FFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000999900000000000000000000000000000099990000000000000000000000000000099999900000000000000000000000000999

25、999000000000000000000009000099999999990000000000000000099009999999999999000000000000000999999999999999999999990000000000999999999999999999999000000000000999999999999000099990000000000000099999999999990000000000000000000999999999999990000000000000000099999999999999900000000000000009999999999999999900

26、00000000000009999999999999999900000000000000009999999999999999000000000000000099999999999999990000000000000000009999999999999990000000000000000090999999999990000000000000000000099999999999900000000000000000000009999999999999900000000000000000000999999990000000000000000000000O-O-4rUfll內逼這遣負晝嘗遺書叠嘗晝晝叠晝

27、叠骨畳晝栩9-999999-ffi90柜I遺f:遂買II一買|1一1一遣f一叠f一買f:一梅使用eXeScope进行验证9.匿Bffis?!?櫃.!櫃翻1?櫃櫃。9.1115（2烁車3-田白框昌期1A1圉话?5撐标标He?KiG-s-e-EB-E-e-KI点击试图二进制bS立面石中ro筋EeE仔4k"坦忍eXeScopeC:LIsersAdministratarDe«ldopSS习NS'PEl资源l资潦J?muuisp.“e彌(F)徧辑(E：舷(Q)视图Mm（H）邇拆记录居KKa£箍睜姉ailg图标标N$.wcr剖岀入源位弟字皿洗周自侦IP头uf导:3&#

28、174;-a-®?曰®s)_£+-.主：it=00215DB0r犬小二02E8删止+04-14243+4+5+6+7怡杓4A+B+C+B+E4-FCO215BB0:28COCDOD2000000040CD0D00010004CO215BC0：00OOCOOO00020000ooCOOO000000noCO215ID0：00co03OD00000000co030D000000doCO215BE0:008003OD0080800080030D00800080CO215BF0:808003OD80308000co0JCO000000FFCO215EO0：00FF03OD00Ff?F00FF030D00Ff00FFCO21SE10:FFFF03ODFFFF7F00co030D000000OOCO215E20：00OO03OD00000000oo030D000000OOC0215130:00co03OD00000000co030D000000OOCO215E40:00co03OD00000000co030D000000OOCO215E