{"id":16,"date":"2025-12-21T22:18:11","date_gmt":"2025-12-21T14:18:11","guid":{"rendered":"http:\/\/8.210.123.186\/?p=16"},"modified":"2025-12-22T19:24:45","modified_gmt":"2025-12-22T11:24:45","slug":"pe-elf%e5%ad%a6%e4%b9%a0","status":"publish","type":"post","link":"http:\/\/8.210.123.186\/index.php\/2025\/12\/21\/pe-elf%e5%ad%a6%e4%b9%a0\/","title":{"rendered":"PE\/ELF\u5b66\u4e60"},"content":{"rendered":"\n

PE<\/h1>\n\n\n\n

\u5e38\u89c1\u540e\u7f00<\/h2>\n\n\n\n
    \n
  1. .exe\uff0c\u53ef\u6267\u884c\u7a0b\u5e8f\uff0c\u5e38\u89c1pe\u6587\u4ef6\u7c7b\u578b\uff0c\u5305\u542b\u7a0b\u5e8f\u5165\u53e3\u70b9\u548c\u5b8c\u6574\u6267\u884c\u903b\u8f91<\/li>\n\n\n\n
  2. .dll\uff0c\u52a8\u6001\u94fe\u63a5\u5e93\uff0c\u63d0\u4f9b\u53ef\u88ab\u591a\u4e2a\u7a0b\u5e8f\u5171\u4eab\u7684\u51fd\u6570\u548c\u8d44\u6e90\uff0c\u65e0\u6cd5\u76f4\u63a5\u8fd0\u884c<\/li>\n\n\n\n
  3. .sys,\u7cfb\u7edf\u9a71\u52a8\u7a0b\u5e8f\uff0c\u8fd0\u884c\u4e8e\u5185\u6838\u6001\uff0c\u7528\u4e8e\u786c\u4ef6\u4ea4\u4e92\u6216\u7cfb\u7edf\u7ea7\u529f\u80fd<\/li>\n\n\n\n
  4. .ocx,activex\u63a7\u4ef6\uff0c\u5f53\u7279\u6b8adll<\/li>\n\n\n\n
  5. .scr\uff0c\u5c4f\u5e55\u4fdd\u62a4\u7a0b\u5e8f\uff0c\u6539\u540e\u7f00exe<\/li>\n\n\n\n
  6. .cpl,\u63a7\u5236\u9762\u677f\u5c0f\u7a0b\u5e8f\uff0c\u7cfb\u7edf\u914d\u7f6e\u754c\u9762\uff0c\u5f53dll<\/li>\n\n\n\n
  7. .efi\uff0c\u53ef\u6269\u5c55\u56fa\u4ef6\u63a5\u53e3\u6587\u4ef6\uff0c\u7528\u4e8eUEFI\u56fa\u4ef6\u542f\u52a8\uff0cPE\u6269\u5c55<\/li>\n<\/ol>\n\n\n\n

    PE\u6587\u4ef6\u7684\u4e24\u79cd\u72b6\u6001<\/h2>\n\n\n\n

    pe\u6587\u4ef6\u5206\u4e3a\u8fd0\u884c\u6001\u548c\u975e\u8fd0\u884c\u6001<\/p>\n\n\n\n

      \n
    • \u975e\u8fd0\u884c\u6001\uff1a\u5f53\u4e00\u4e2ape\u6587\u4ef6\u5c1a\u672a\u88ab\u8fd0\u884c\u65f6\uff0c\u6570\u636e\u5b58\u50a8\u5728\u78c1\u76d8\u4e2d<\/li>\n\n\n\n
    • \u8fd0\u884c\u6001\uff1a\u5f53\u4e00\u4e2ape\u6587\u4ef6\u88ab\u6253\u5f00\u540e\uff0cpe\u6587\u4ef6\u76f8\u5173\u6570\u636e\u5c06\u88ab\u88c5\u5728\u5230\u5185\u5b58\u4e2d<\/li>\n<\/ul>\n\n\n\n

      \u6587\u4ef6\u7ed3\u6784<\/h2>\n\n\n\n

      \u57fa\u4e8ecoff\uff08Common Object File Format\uff09\u6269\u5c55\uff0c\u6587\u4ef6\u5934\u52a0\u8282\u533a<\/p>\n\n\n\n

      PE \u6587\u4ef6\u7ed3\u6784\u6982\u89c8\u8868\uff0832\u4f4d PE32\uff09<\/h3>\n\n\n\n
      \u7ed3\u6784\u540d\u79f0<\/th>\u5bf9\u5e94 C \u6570\u636e\u7ed3\u6784<\/th>\u9ed8\u8ba4\u5360\u7528\u7a7a\u95f4 (\u5b57\u8282)<\/th>\u5907\u6ce8<\/th><\/tr><\/thead>
      DOS MZ \u5934<\/strong><\/td>_IMAGE_DOS_HEADER<\/code><\/td>64<\/strong><\/td>\u56fa\u5b9a\u5927\u5c0f (0x40)<\/td><\/tr>
      DOS Stub<\/strong><\/td>(\u65e0\u56fa\u5b9a\u7ed3\u6784)<\/td>\u4e0d\u56fa\u5b9a<\/strong><\/td>\u4ec5\u7528\u4e8e DOS \u63d0\u793a\uff0c\u5982\u679c\u4e0d\u8fd0\u884c\u5728 DOS \u4e0b\u53ef\u5ffd\u7565<\/td><\/tr>
      PE \u6587\u4ef6\u5934 (\u603b)<\/strong><\/td>_IMAGE_NT_HEADERS<\/code><\/td>248<\/strong><\/td>\u5305\u542b\u4ee5\u4e0b\u4e09\u90e8\u5206 (4 + 20 + 224)<\/td><\/tr>
      \u251c\u2500\u2500 PE \u7b7e\u540d<\/strong><\/td>Signature<\/code> (DWORD)<\/td>4<\/td>\u503c\u4e3a PE\\0\\0<\/code> (0x00004550)<\/td><\/tr>
      \u251c\u2500\u2500 \u6807\u51c6 PE \u5934<\/strong><\/td>_IMAGE_FILE_HEADER<\/code><\/td>20<\/td>\u5305\u542b\u673a\u5668\u7c7b\u578b\u3001\u8282\u6570\u91cf\u7b49\u57fa\u7840\u4fe1\u606f<\/td><\/tr>
      \u2514\u2500\u2500 \u6269\u5c55 PE \u5934<\/strong><\/td>_IMAGE_OPTIONAL_HEADER<\/code><\/td>224<\/td>\u6ce8\uff1a<\/strong> 64\u4f4d\u7a0b\u5e8f\u6b64\u5904\u4e3a 240 \u5b57\u8282<\/td><\/tr>
      \u8282\u8868 (Section Table)<\/strong><\/td>_IMAGE_SECTION_HEADER<\/code><\/td>40<\/strong><\/td>\u6bcf\u4e2a\u8282\u8868\u9879<\/strong>\u7684\u5927\u5c0f\u3002\u603b\u5927\u5c0f = 40 \u00d7 \u8282\u6570\u91cf<\/td><\/tr>
      \u8282\u6570\u636e (Sections)<\/strong><\/td>(\u65e0\u7279\u5b9a\u7ed3\u6784\u4f53)<\/td>\u4e0d\u56fa\u5b9a<\/strong><\/td>\u5b9e\u9645\u7684\u4ee3\u7801\u3001\u6570\u636e\u3001\u8d44\u6e90\u7b49\uff0c\u5927\u5c0f\u7531\u8282\u8868\u51b3\u5b9a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      DOS\u5934\u90e8<\/h3>\n\n\n\n

      \u53ef\u4ee5\u5f80\u91cc\u9762\u585e\u4e1c\u897f\uff0c\u4e5f\u4e0d\u4f1a\u5f71\u54cd\u540e\u9762\u7684pe\u7ed3\u6784\uff0cDOS Header\u56fa\u5b9a64\u5b57\u8282\uff0c\u517c\u5bb9dos\u7cfb\u7edf\u6267\u884c\uff0c\u4e00\u4e2amz\u5f00\u5934\uff0c4D 5A 90 00\uff0c\u8fd8\u6709\u4e2aDOS Stub\uff0c\u5927\u5c0f\u4e0d\u56fa\u5b9a\uff0c\u901a\u5e38\u4f1a\u586b\u6ee1\u5230128\u5b57\u8282
      \u5173\u952e\u5b57\u6bb5\uff1a<\/p>\n\n\n\n

        \n
      • e_magic\uff1ados\u7b7e\u540d\uff0c\u56fa\u5b9a\u4e3a0x5A4D\uff08\u5b57\u7b26\u4e32MZ\uff09<\/li>\n\n\n\n
      • e_lfanew\uff1ape\u6587\u4ef6\u5934\u504f\u79fb\u91cf\uff0832\u4f4d\u621664\u4f4d\uff09\uff0cdos\u5934\u8fc7\u6e21\u5230pe\u5934\u5173\u952e\u6307\u9488
        \u5b9a\u4e49\u7684\u7ed3\u6784\u4f53\u4f4d\u4e3a\uff0c\u5b9a\u4e49\u4e8ewinnt.h<\/li>\n<\/ul>\n\n\n\n
        typedef struct _IMAGE_DOS_HEADER {      \/\/ DOS .EXE \u5934\u90e8\u7ed3\u6784\u4f53\n\n    \/\/ --- \u6838\u5fc3\u6807\u8bc6 ---\n    WORD   e_magic;                     \/\/ [0x00] \u9b54\u6570 (Magic number)\uff0c\u56fa\u5b9a\u4e3a \"MZ\"\n\n    \/\/ --- DOS \u7a0b\u5e8f\u52a0\u8f7d\u4fe1\u606f (\u73b0\u4ee3 Windows \u901a\u5e38\u5ffd\u7565) ---\n    WORD   e_cblp;                      \/\/ [0x02] \u6587\u4ef6\u6700\u540e\u4e00\u9875\u7684\u5b57\u8282\u6570\n    WORD   e_cp;                        \/\/ [0x04] \u6587\u4ef6\u603b\u9875\u6570\n    WORD   e_crlc;                      \/\/ [0x06] \u91cd\u5b9a\u4f4d\u9879\u7684\u6570\u91cf\n    WORD   e_cparhdr;                   \/\/ [0x08] \u5934\u90e8\u5927\u5c0f (\u4ee5\u6bb5\/Paragraph\u4e3a\u5355\u4f4d)\n    WORD   e_minalloc;                  \/\/ [0x0A] \u6240\u9700\u7684\u6700\u5c0f\u9644\u52a0\u6bb5\u6570\n    WORD   e_maxalloc;                  \/\/ [0x0C] \u6240\u9700\u7684\u6700\u5927\u9644\u52a0\u6bb5\u6570\n    WORD   e_ss;                        \/\/ [0x0E] \u521d\u59cb SS (\u5806\u6808\u6bb5) \u76f8\u5bf9\u503c\n    WORD   e_sp;                        \/\/ [0x10] \u521d\u59cb SP (\u5806\u6808\u6307\u9488) \u503c\n    WORD   e_csum;                      \/\/ [0x12] \u6821\u9a8c\u548c\n    WORD   e_ip;                        \/\/ [0x14] \u521d\u59cb IP (\u6307\u4ee4\u6307\u9488) \u503c\n    WORD   e_cs;                        \/\/ [0x16] \u521d\u59cb CS (\u4ee3\u7801\u6bb5) \u76f8\u5bf9\u503c\n    WORD   e_lfarlc;                    \/\/ [0x18] \u91cd\u5b9a\u4f4d\u8868\u5728\u6587\u4ef6\u4e2d\u7684\u5730\u5740\n    WORD   e_ovno;                      \/\/ [0x1A] \u8986\u76d6\u53f7 (Overlay number)\n\n    \/\/ --- \u4fdd\u7559\u53ca OEM \u5b57\u6bb5 ---\n    WORD   e_res[4];                    \/\/ [0x1C] \u4fdd\u7559\u5b57\u6bb5 (4\u4e2a\u5b57)\n    WORD   e_oemid;                     \/\/ [0x24] OEM \u6807\u8bc6\u7b26 (\u7528\u4e8e e_oeminfo)\n    WORD   e_oeminfo;                   \/\/ [0x26] OEM \u4fe1\u606f (\u5177\u4f53\u7531 e_oemid \u5b9a\u4e49)\n    WORD   e_res2[10];                  \/\/ [0x28] \u4fdd\u7559\u5b57\u6bb5 (10\u4e2a\u5b57)\n\n    \/\/ --- PE \u5934\u90e8\u6307\u9488 (\u6838\u5fc3\u5b57\u6bb5) ---\n    LONG   e_lfanew;                    \/\/ [0x3C] \u65b0 EXE \u5934\u90e8 (PE Header) \u7684\u6587\u4ef6\u5730\u5740\n\n} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;<\/code><\/pre>\n\n\n\n
        \u7ed3\u6784\u4f53\u5b9a\u4e49<\/p>\n\n\n\n
        typedef struct _IMAGE_DOS_HEADER {\n    WORD   e_magic;      \/\/ 0x00: \u9b54\u6570 \"MZ\" (4D 5A)\n    WORD   e_cblp;       \/\/ 0x02\n    \/\/ ......\n    LONG   e_lfanew;     \/\/ 0x3C: \u6307\u5411 PE \u5934\u7684\u504f\u79fb\u91cf (\u8fd9\u662f\u7ed3\u6784\u4f53\u7684\u6700\u540e\u4e00\u4e2a\u6210\u5458)\n} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;<\/code><\/pre>\n\n\n\n
        \u8fd8\u6709\u81ea\u5199\u4ee3\u7801\u8bfb\u53d6dos mz\u5934\u5417\uff0c\u5413\u54ed\u4e86<\/p>\n\n\n\n
        \/\/ PE.cpp : Defines the entry point for the console application.\n\/\/\n\n#include \"stdafx.h\"\n\n#include <malloc.h>\n#include <windows.h>\n\nint main(int argc, char* argv[])\n{\n    \/\/\u521b\u5efaDOS\u5bf9\u5e94\u7684\u7ed3\u6784\u4f53\u6307\u9488\n        _IMAGE_DOS_HEADER* dos;\n    \/\/\u8bfb\u53d6\u6587\u4ef6\uff0c\u8fd4\u56de\u6587\u4ef6\u53e5\u67c4\n        HANDLE hFile = CreateFileA(\"C:\\\\Documents and Settings\\\\Administrator\\\\\u684c\u9762\\\\dbghelp.dll\",GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,0);\n    \/\/\u6839\u636e\u6587\u4ef6\u53e5\u67c4\u521b\u5efa\u6620\u5c04\n        HANDLE hMap = CreateFileMappingA(hFile,NULL,PAGE_READONLY,0,0,0);\n    \/\/\u6620\u5c04\u5185\u5bb9\n        LPVOID pFile = MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);\n    \/\/\u7c7b\u578b\u8f6c\u6362\uff0c\u7528\u7ed3\u6784\u4f53\u7684\u65b9\u5f0f\u6765\u8bfb\u53d6\n        dos=(_IMAGE_DOS_HEADER*)pFile;\n    \/\/\u8f93\u51fa\u7ed3\u6784\u4f53\u7684\u7b2c\u4e00\u4e2a\u6210\u5458\uff0c\u4ee5\u5341\u516d\u8fdb\u5236\u8f93\u51fa\n        printf(\"%X\\n\",dos->e_magic);\n        return 0;\n}<\/code><\/pre>\n\n\n\n
        PE\u5934<\/h3>\n\n\n\n
        \u524d\u56db\u4e2a\u5b57\u8282 50 45 00 00pe\u6807\u8bc6,20\u4e2a\u5b57\u8282\u6807\u51c6pe\u5934\uff0c\u6269\u5c55pe\u5934\u770b\u7ed3\u6784\u4f53\uff0c\u6709\u54ea\u4e9b\uff0c\u7136\u540e\u4e4b\u540e\u6587\u4ef6\u5bf9\u9f50\u4e4b\u540e\u7684\u5927\u5c0f\uff0c\u5934\u7684\u5927\u5c0f\u4e00\u5b9a\u662f\u6587\u4ef6\u500d\u6570
        32\u4f4d\u7ed3\u6784\u4f53<\/p>\n\n\n\n
        typedef struct _IMAGE_NT_HEADERS {\n    DWORD Signature;                            \/\/PE\u6587\u4ef6\u5934\u6807\u8bc6\n    IMAGE_FILE_HEADER FileHeader;               \/\/\u6807\u51c6PE\u5934\n    IMAGE_OPTIONAL_HEADER32 OptionalHeader;     \/\/\u6269\u5c55PE\u5934 32\u4f4d\n} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;<\/code><\/pre>\n\n\n\n
        64\u4f4d\u7ed3\u6784\u4f53<\/p>\n\n\n\n
        typedef struct _IMAGE_NT_HEADERS64 {\n    DWORD Signature;                            \/\/PE\u6587\u4ef6\u5934\u6807\u8bc6\n    IMAGE_FILE_HEADER FileHeader;               \/\/\u6807\u51c6PE\u5934 \n    IMAGE_OPTIONAL_HEADER64 OptionalHeader;     \/\/\u6269\u5c55PE\u5934 64\u4f4d\n} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;<\/code><\/pre>\n\n\n\n
        PE\u7b7e\u540d<\/h4>\n\n\n\n
        \u7c7b\u578b\u4e3adword\uff0c\u5b58\u50a8\u5728signature\u53d8\u91cf\u4e2d<\/p>\n\n\n\n
        \u6807\u51c6PE\u5934\uff08IMAGE_FILE_HEADER\uff09\uff08\u53c8\u79f0coff\u6587\u4ef6\u5934\uff09<\/h4>\n\n\n\n
        \u7ed3\u6784\u4f53<\/p>\n\n\n\n
        typedef struct _IMAGE_FILE_HEADER {\n    WORD    Machine;\/\/\u53ef\u4ee5\u8fd0\u884c\u5728\u4ec0\u4e48\u6837\u7684CPU\u4e0a\uff0c\u5982\u679c\u5b83\u7684\u503c\u4e3a0x0\u5219\u8868\u793a\u53ef\u4ee5\u8fd0\u884c\u5728\u4efb\u610f\u7684CPU\u4e0a\uff0c\u652f\u6301\u5728Intel 386\u4ee5\u53ca\u540e\u7eed\u7684\u578b\u53f7CPU\u8fd0\u884c\u5219\u503c\u4e3a0x14c\uff0c\u652f\u630164\u4f4d\u7684CPU\u578b\u53f7\u5219\u503c\u4e3a0x8664\u3002\u6570\u636e\u5bbd\u5ea6word2\u5b57\u8282\uff0c\u7a0b\u5e8f\u652f\u6301\u7684cpu\n    WORD    NumberOfSections;\/\/\u8868\u793a\u8282\u7684\u6570\u91cf\uff0c\u4e5f\u5c31\u662f\u8282\u8868\u4e2d\u6709\u51e0\u4e2a\u7ed3\u6784\u4f53\uff0cword2\u5b57\u8282\uff0c\u4e0d\u5927\u4e8e96\n    DWORD   TimeDateStamp;\/\/\u7f16\u8bd1\u5668\u586b\u5199\u7684\u65f6\u95f4\u6233 \u4e0e\u6587\u4ef6\u5c5e\u6027\u91cc\u9762(\u521b\u5efa\u65f6\u95f4\u3001\u4fee\u6539\u65f6\u95f4)\u65e0\u5173\uff0cdword4\u5b57\u8282\n    DWORD   PointerToSymbolTable;\/\/\u8c03\u8bd5\u76f8\u5173\uff0c\u6307\u5411\u7b26\u53f7\u8868\uff0cdword4\u5b57\u8282\n    DWORD   NumberOfSymbols;\/\/\u8c03\u8bd5\u76f8\u5173\uff0c\u7b26\u53f7\u8868\u4e2d\u7684\u7b26\u53f7\u4e2a\u6570\uff0cdword4\u5b57\u8282\n    WORD    SizeOfOptionalHeader;\/\/\u53ef\u9009PE\u5934\u7684\u5927\u5c0f(32\u4f4dPE\u6587\u4ef6\uff1a0xE0  64\u4f4dPE\u6587\u4ef6\uff1a0xF0)word2\u5b57\u8282\n    WORD    Characteristics;\/\/\u6587\u4ef6\u5c5e\u6027\uff0c\u6570\u636e\u4f4d\u62fc\u63a5\u800c\u6210\uff0cword2\u5b57\u8282\n} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;<\/code><\/pre>\n\n\n\n
        Machine<\/h5>\n\n\n\n
        IMAGE_FILE_MACHINE \u5e38\u91cf\u5bf9\u7167\u8868<\/p>\n\n\n\n
        \u8fd4\u56de\u7684\u5e38\u91cf (Constant)<\/th>Value (Hex)<\/th>\u8bf4\u660e (Description)<\/th><\/tr><\/thead>
        IMAGE_FILE_MACHINE_UNKNOWN<\/code><\/td>0x0<\/code><\/td>\u5047\u5b9a\u6b64\u5b57\u6bb5\u7684\u5185\u5bb9\u9002\u7528\u4e8e\u4efb\u4f55\u8ba1\u7b97\u673a\u7c7b\u578b<\/td><\/tr>
        IMAGE_FILE_MACHINE_AM33<\/code><\/td>0x1d3<\/code><\/td>\u677e\u7530 (Matsushita) AM33<\/td><\/tr>
        IMAGE_FILE_MACHINE_AMD64<\/code><\/td>0x8664<\/code><\/td>x64 (AMD64 \u6216 Intel 64)<\/strong><\/td><\/tr>
        IMAGE_FILE_MACHINE_ARM<\/code><\/td>0x1c0<\/code><\/td>ARM \u5c0f\u7aef\u5e8f (Little Endian)<\/td><\/tr>
        IMAGE_FILE_MACHINE_ARM64<\/code><\/td>0xaa64<\/code><\/td>ARM64 \u5c0f\u7aef\u5e8f (Little Endian)<\/td><\/tr>
        IMAGE_FILE_MACHINE_ARMNT<\/code><\/td>0x1c4<\/code><\/td>ARM Thumb-2 \u5c0f\u7aef\u5e8f (Little Endian)<\/td><\/tr>
        IMAGE_FILE_MACHINE_EBC<\/code><\/td>0xebc<\/code><\/td>EFI \u5b57\u8282\u4ee3\u7801 (EFI Byte Code)<\/td><\/tr>
        IMAGE_FILE_MACHINE_I386<\/code><\/td>0x14c<\/code><\/td>Intel 386 \u6216\u66f4\u9ad8\u7248\u672c\u7684\u5904\u7406\u5668 (x86 32\u4f4d)<\/strong><\/td><\/tr>
        IMAGE_FILE_MACHINE_IA64<\/code><\/td>0x200<\/code><\/td>Intel Itanium \u5904\u7406\u5668\u7cfb\u5217<\/td><\/tr>
        IMAGE_FILE_MACHINE_LOONGARCH32<\/code><\/td>0x6232<\/code><\/td>LoongArch 32 \u4f4d\u5904\u7406\u5668\u7cfb\u5217 (\u9f99\u82af)<\/td><\/tr>
        IMAGE_FILE_MACHINE_LOONGARCH64<\/code><\/td>0x6264<\/code><\/td>LoongArch 64 \u4f4d\u5904\u7406\u5668\u7cfb\u5217 (\u9f99\u82af)<\/td><\/tr>
        IMAGE_FILE_MACHINE_M32R<\/code><\/td>0x9041<\/code><\/td>\u4e09\u83f1 M32R \u5c0f\u7aef\u5e8f<\/td><\/tr>
        IMAGE_FILE_MACHINE_MIPS16<\/code><\/td>0x266<\/code><\/td>MIPS16<\/td><\/tr>
        IMAGE_FILE_MACHINE_MIPSFPU<\/code><\/td>0x366<\/code><\/td>\u4f7f\u7528 FPU \u7684 MIPS<\/td><\/tr>
        IMAGE_FILE_MACHINE_MIPSFPU16<\/code><\/td>0x466<\/code><\/td>\u5177\u6709 FPU \u7684 MIPS16<\/td><\/tr>
        IMAGE_FILE_MACHINE_POWERPC<\/code><\/td>0x1f0<\/code><\/td>PowerPC \u5c0f\u7aef\u5e8f<\/td><\/tr>
        IMAGE_FILE_MACHINE_POWERPCFP<\/code><\/td>0x1f1<\/code><\/td>\u652f\u6301\u6d6e\u70b9\u8fd0\u7b97\u7684 PowerPC<\/td><\/tr>
        IMAGE_FILE_MACHINE_R4000<\/code><\/td>0x166<\/code><\/td>MIPS \u5c0f\u7aef\u5e8f (\u901a\u5e38\u6307 R4000)<\/td><\/tr>
        IMAGE_FILE_MACHINE_RISCV32<\/code><\/td>0x5032<\/code><\/td>RISC-V 32 \u4f4d\u5730\u5740\u7a7a\u95f4<\/td><\/tr>
        IMAGE_FILE_MACHINE_RISCV64<\/code><\/td>0x5064<\/code><\/td>RISC-V 64 \u4f4d\u5730\u5740\u7a7a\u95f4<\/td><\/tr>
        IMAGE_FILE_MACHINE_RISCV128<\/code><\/td>0x5128<\/code><\/td>RISC-V 128 \u4f4d\u5730\u5740\u7a7a\u95f4<\/td><\/tr>
        IMAGE_FILE_MACHINE_SH3<\/code><\/td>0x1a2<\/code><\/td>Hitachi SH3<\/td><\/tr>
        IMAGE_FILE_MACHINE_SH3DSP<\/code><\/td>0x1a3<\/code><\/td>Hitachi SH3 DSP<\/td><\/tr>
        IMAGE_FILE_MACHINE_SH4<\/code><\/td>0x1a6<\/code><\/td>Hitachi SH4<\/td><\/tr>
        IMAGE_FILE_MACHINE_SH5<\/code><\/td>0x1a8<\/code><\/td>Hitachi SH5<\/td><\/tr>
        IMAGE_FILE_MACHINE_THUMB<\/code><\/td>0x1c2<\/code><\/td>Thumb<\/td><\/tr>
        IMAGE_FILE_MACHINE_WCEMIPSV2<\/code><\/td>0x169<\/code><\/td>MIPS \u5c0f\u7aef WCE v2<\/td><\/tr>
        \u5e38\u89c1\uff1a<\/td><\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
          \n
        1. 0x014C (I386)\uff1a\u4ee3\u8868 32\u4f4d\u7a0b\u5e8f\u3002<\/li>\n\n\n\n
        2. 0x8664 (AMD64)\uff1a\u4ee3\u8868 64\u4f4d \u7a0b\u5e8f\u3002<\/li>\n<\/ol>\n\n\n\n
          NumberOfSections<\/h5>\n\n\n\n
          machine\u540e\u9762\u7684\u4e24\u4e2a\u5b57\u8282\uff0c\u8bf4\u660e\u533a\u6bb5\u6570\u91cf
          \u533a\u6bb5\uff1a\u64cd\u4f5c\u7cfb\u7edf\u52a0\u8f7d\u7a0b\u5e8f\u65f6\uff0c\u6839\u636e\u5185\u5b58\u5c5e\u6027\uff08\u6743\u9650\uff09\u6765\u7ba1\u7406\uff0c\u5e38\u89c1\u533a\u6bb5<\/p>\n\n\n\n
            \n
          • .text\u6216.code\uff0c\u6307\u4ee4\u4ee3\u7801\uff0c\u53ef\u8bfb\uff0c\u53ef\u6267\u884c<\/li>\n\n\n\n
          • .data\uff0c\u5df2\u7ecf\u521d\u59cb\u5316\u7684\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u8bfb\uff0c\u53ef\u5199<\/li>\n\n\n\n
          • .rdata\u6216.idata\uff0c\u5b58\u653e\u5e38\u91cf\uff08const\u6216\u8005\u5b57\u7b26\u4e32\uff09\uff0c\u5bfc\u5165\u8868\uff08\u8c03\u7528\u4e86\u54ea\u4e9bapi\uff09\uff0c\u53ea\u8bfb<\/li>\n\n\n\n
          • .rsrc\uff0c\u5b58\u653e\u7684\u7a0b\u5e8f\u7684ui\u8d44\u6e90\uff0c\u53ea\u8bfb<\/li>\n\n\n\n
          • .reloc\uff0c\u91cd\u5b9a\u4f4d\uff0c\u5982\u679c\u7a0b\u5e8f\u4e0d\u80fd\u5728\u9884\u671f\u7684\u5185\u5b58\u5730\u5740\uff08\u57fa\u5740\uff09\u52a0\u8f7d\uff0c\u8981\u4fee\u6b63\u65f6\u7528\u7684\u6570\u636e\uff0c\u6bd4\u5982\u5f00\u542f\u4e86ASLR\uff08\u968f\u673a\u57fa\u5740\u7684\uff09\u7684\u7a0b\u5e8f\u8981\u7528<\/li>\n<\/ul>\n\n\n\n
            SizeOfOptionalHeader<\/h5>\n\n\n\n
            \u8868\u793a\u53ef\u9009\u6807\u5934\u5927\u5c0f\uff0c\u53ef\u6267\u884c\u6587\u4ef6\u5fc5\u9700
            \u8f6c\u6362\u4e3a\u5341\u8fdb\u5236\u5c31\u662f\u5927\u5c0f,SizeOfOptionalHeader\u53d8\u91cf\u4e2d\u7684\u6570\u636e\u5bf9\u4e8e32\u4f4dPE\u6587\u4ef6\u901a\u5e38\u4e3a00E0h\uff0c\u5bf9\u4e8e64\u4f4dPE\u6587\u4ef6\u901a\u5e38\u4e3a00F0h\u3002\u8fd9\u91cc\u7684h\u662f\u7528\u6765\u8868\u793a\u8fd9\u4e2a\u6570\u636e\u4e3a16\u8fdb\u5236\u3002\u4e0a\u56fe\u6211\u4eec\u53ef\u4ee5\u770b\u5230SizeOfOptionalHeader\u53d8\u91cf\u5f53\u4e2d\u7684\u6570\u636e\u4e3a00 E0\uff0c\u6269\u5c55PE\u5934\u5927\u5c0f\u4e3a224\uff0c\u6587\u4ef6\u4e3a32\u4f4dPE\u6587\u4ef6\u3002<\/p>\n\n\n\n
            Characteristics<\/h5>\n\n\n\n
            \u770b\u6700\u540e\u4e24\u4e2a\u5b57\u8282\uff0c\u8f6c\u6362\u4e3a\u4e8c\u8fdb\u5236\uff0c\u7136\u540e\u5bf9\u5e94\u76841\u7684\u542b\u4e49\u5728\u4e0b\u8868
            IMAGE_FILE_HEADER – Characteristics \u5b57\u6bb5\u8be6\u89e3<\/p>\n\n\n\n
            \u6570\u636e\u4f4d (Bit)<\/th>\u5e38\u91cf\u7b26\u53f7 (Constant)<\/th>\u4e3a 1 \u65f6\u7684\u542b\u4e49<\/th><\/tr><\/thead>
            0<\/strong><\/td>IMAGE_FILE_RELOCS_STRIPPED<\/code><\/td>\u6587\u4ef6\u4e2d\u4e0d\u5b58\u5728\u91cd\u5b9a\u4f4d\u4fe1\u606f<\/td><\/tr>
            1<\/strong><\/td>IMAGE_FILE_EXECUTABLE_IMAGE<\/code><\/td>\u6587\u4ef6\u662f\u53ef\u6267\u884c\u7684<\/td><\/tr>
            2<\/strong><\/td>IMAGE_FILE_LINE_NUMS_STRIPPED<\/code><\/td>\u4e0d\u5b58\u5728\u884c\u4fe1\u606f<\/td><\/tr>
            3<\/strong><\/td>IMAGE_FILE_LOCAL_SYMS_STRIPPED<\/code><\/td>\u4e0d\u5b58\u5728\u7b26\u53f7\u4fe1\u606f<\/td><\/tr>
            4<\/strong><\/td>IMAGE_FILE_AGGRESSIVE_WS_TRIM<\/code><\/td>\u8c03\u6574\u5de5\u4f5c\u96c6<\/td><\/tr>
            5<\/strong><\/td>IMAGE_FILE_LARGE_ADDRESS_AWARE<\/code><\/td>\u5e94\u7528\u7a0b\u5e8f\u53ef\u5904\u7406\u5927\u4e8e 2GB \u7684\u5730\u5740<\/td><\/tr>
            6<\/strong><\/td>(\u4fdd\u7559)<\/td>\u6b64\u6807\u5fd7\u4fdd\u7559<\/td><\/tr>
            7<\/strong><\/td>IMAGE_FILE_BYTES_REVERSED_LO<\/code><\/td>\u5c0f\u5c3e\u65b9\u5f0f (Little Endian)<\/td><\/tr>
            8<\/strong><\/td>IMAGE_FILE_32BIT_MACHINE<\/code><\/td>\u53ea\u5728 32 \u4f4d\u5e73\u53f0\u4e0a\u8fd0\u884c<\/td><\/tr>
            9<\/strong><\/td>IMAGE_FILE_DEBUG_STRIPPED<\/code><\/td>\u4e0d\u5305\u542b\u8c03\u8bd5\u4fe1\u606f<\/td><\/tr>
            10<\/strong><\/td>IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP<\/code><\/td>\u4e0d\u80fd\u4ece\u53ef\u79fb\u52a8\u76d8\u8fd0\u884c (\u9700\u590d\u5236\u5230\u4ea4\u6362\u6587\u4ef6)<\/td><\/tr>
            11<\/strong><\/td>IMAGE_FILE_NET_RUN_FROM_SWAP<\/code><\/td>\u4e0d\u80fd\u4ece\u7f51\u7edc\u8fd0\u884c (\u9700\u590d\u5236\u5230\u4ea4\u6362\u6587\u4ef6)<\/td><\/tr>
            12<\/strong><\/td>IMAGE_FILE_SYSTEM<\/code><\/td>\u7cfb\u7edf\u6587\u4ef6\uff08\u5982\u9a71\u52a8\u7a0b\u5e8f\uff09\uff0c\u4e0d\u80fd\u76f4\u63a5\u8fd0\u884c<\/td><\/tr>
            13<\/strong><\/td>IMAGE_FILE_DLL<\/code><\/td>\u8fd9\u662f\u4e00\u4e2a DLL \u6587\u4ef6<\/td><\/tr>
            14<\/strong><\/td>IMAGE_FILE_UP_SYSTEM_ONLY<\/code><\/td>\u6587\u4ef6\u4e0d\u80fd\u5728\u591a\u5904\u7406\u5668\u8ba1\u7b97\u673a\u4e0a\u8fd0\u884c<\/td><\/tr>
            15<\/strong><\/td>IMAGE_FILE_BYTES_REVERSED_HI<\/code><\/td>\u5927\u5c3e\u65b9\u5f0f (Big Endian)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
            \u6269\u5c55PE\u5934<\/h4>\n\n\n\n
            \u6807\u51c6PE\u5934\u4e2d\u7684SizeOfOptionalHeader\u7528\u4e8e\u6807\u8bc6\u6269\u5c55PE\u5934\u7684\u5927\u5c0f\uff0c\u5927\u5c0f\u4e0d\u56fa\u5b9a\uff0c\u6bcf\u4e2ape\u6587\u4ef6\u90fd\u6709\u4e00\u4e2a\u6269\u5c55pe\u5934\uff0c\u7528\u4e8e\u5411\u52a0\u8f7d\u7a0b\u5e8f\u63d0\u4f9b\u4fe1\u606f
            \u6709\u6807\u5934magic\u7f16\u53f7\u4fdd\u8bc1\u683c\u5f0f\u517c\u5bb9\u6027\uff0c\u53ef\u9009\u7684\u6807\u5934magic\u7528\u4e8e\u786e\u5b9ape\u6587\u4ef6\u662fpe32\u8fd8\u662fre32+\u53ef\u6267\u884c\u6587\u4ef6
            \u53ef\u9009\u6807\u5934\uff0c\u6bcf\u4e2a\u6620\u50cf\u6587\u4ef6\u90fd\u6709\u4e00\u4e2a\u7528\u4e8e\u5411\u52a0\u8f7d\u7a0b\u5e8f\u63d0\u4f9b\u4fe1\u606f\u7684\u53ef\u9009\u6807\u5934\u3002 \u6b64\u6807\u5934\u662f\u53ef\u9009\u6807\u5934\uff0c\u56e0\u4e3a\u67d0\u4e9b\u6587\u4ef6\uff08\u7279\u522b\u662f\u5bf9\u8c61\u6587\u4ef6\uff09\u6ca1\u6709\u6b64\u6807\u5934\u3002 \u5bf9\u4e8e\u6620\u50cf\u6587\u4ef6\uff0c\u6b64\u6807\u5934\u662f\u5fc5\u9700\u7684\u3002 \u5bf9\u8c61\u6587\u4ef6\u53ef\u4ee5\u5177\u6709\u53ef\u9009\u6807\u5934\uff0c\u4f46\u901a\u5e38\u6b64\u6807\u5934\u5728\u5bf9\u8c61\u6587\u4ef6\u4e2d\u6ca1\u6709\u51fd\u6570\uff0c\u53ea\u662f\u4e3a\u4e86\u589e\u52a0\u5176\u5927\u5c0f\u3002\u53ef\u9009\u6807\u5934\u7684\u5927\u5c0f\u4e0d\u662f\u56fa\u5b9a\u7684\u3002 COFF \u6807\u5934\u4e2d\u7684 SizeOfOptionalHeader \u5b57\u6bb5\u5fc5\u987b\u7528\u4e8e\u9a8c\u8bc1\u5bf9\u7279\u5b9a\u6570\u636e\u76ee\u5f55\u7684\u6587\u4ef6\u7684\u63a2\u6d4b\u662f\u5426\u672a\u8d85\u51fa SizeOfOptionalHeader\u3002
            \u8fd8\u5e94\u8be5\u4f7f\u7528\u53ef\u9009\u6807\u5934\u7684 NumberOfRvaAndSizes \u5b57\u6bb5\u6765\u786e\u4fdd\u5bf9\u7279\u5b9a\u6570\u636e\u76ee\u5f55\u6761\u76ee\u7684\u63a2\u6d4b\u4e0d\u4f1a\u8d85\u51fa\u53ef\u9009\u6807\u5934\u3002<\/p>\n\n\n\n
            \u53ef\u9009\u6807\u5934\u5e7b\u6570\u786e\u5b9a\u6620\u50cf\u662f PE32 \u8fd8\u662f PE32+ \u53ef\u6267\u884c\u6587\u4ef6\u3002<\/p>\n\n\n\n
            \u6620\u5c04\uff1a<\/p>\n\n\n\n
              \n
            1. \u5750\u6807\u7cfb\u53d8\u5316\uff0c\u504f\u79fb\u53d8\u6210\u5730\u5740\uff08FOA\u53d8\u6210VA\uff09\uff0cfoa\uff0c\u76f8\u5bf9\u4e8e\u6587\u4ef6\u5f00\u5934\u7684\u8ddd\u79bb\uff0c\u865a\u62df\u5730\u5740 (VA) = \u57fa\u5740 (Image Base) + RVA\uff0c\u56e0\u4e3acpu\u6267\u884c\u6307\u4ee4\u9700\u8981\u5185\u5b58\u4e2d\u7684\u7edd\u5bf9\u5730\u5740<\/li>\n\n\n\n
            2. \u8d4b\u4e88\u6743\u9650\uff0c\u6620\u5c04text\u6bb5\u6216\u8005data\u6bb5\u8fd9\u4e9b\uff0c\u8ba9\u4ed6\u4eec\u53d8\u5f97\u4e0d\u53ef\u5199\u4e4b\u7c7b\u7684<\/li>\n\n\n\n
            3. \u52a8\u6001\u4fee\u6b63\uff0c\u91cd\u5b9a\u4f4d\uff0c\u627e\u5230\u8c03\u7528\u4e1c\u897f\u7684\u771f\u5b9e\u5730\u5740<\/li>\n<\/ol>\n\n\n\n
              1. 32\u4f4d\u4e0e64\u4f4d\u7ed3\u6784\u4f53\u5bf9\u6bd4<\/h5>\n\n\n\n
              64\u4f4d\u76f8\u6bd4\u4e8e32\u4f4d\u533a\u522b\u5e76\u4e0d\u5927\uff0c\u4e3b\u8981\u662f\u5220\u53bb\u4e86\u4e00\u4e2a\u6210\u5458\uff08BaseOfData\uff09\uff0c\u4ee5\u53ca\u4e94\u4e2a\u6210\u5458\u7684\u6570\u636e\u7c7b\u578b\u7531 DWORD<\/code> \u53d8\u4e3a ULONGLONG<\/code>\u3002<\/p>\n\n\n\n
              \u6210\u5458<\/th>32\u4f4d\u7c7b\u578b<\/th>64\u4f4d\u7c7b\u578b<\/th>\u8bf4\u660e<\/th><\/tr><\/thead>
              BaseOfData<\/strong><\/td>DWORD<\/td>\u65e0\u6b64\u6210\u5458<\/strong><\/td>\u6570\u636e\u6bb5\u57fa\u5740\uff0864\u4f4d\u79fb\u9664\uff09<\/td><\/tr>
              ImageBase<\/strong><\/td>DWORD<\/td>ULONGLONG<\/strong><\/td>\u5185\u5b58\u955c\u50cf\u57fa\u5740<\/td><\/tr>
              SizeOfStackReserve<\/strong><\/td>DWORD<\/td>ULONGLONG<\/strong><\/td>\u6808\u4fdd\u7559\u5927\u5c0f<\/td><\/tr>
              SizeOfStackCommit<\/strong><\/td>DWORD<\/td>ULONGLONG<\/strong><\/td>\u6808\u63d0\u4ea4\u5927\u5c0f<\/td><\/tr>
              SizeOfHeapReserve<\/strong><\/td>DWORD<\/td>ULONGLONG<\/strong><\/td>\u5806\u4fdd\u7559\u5927\u5c0f<\/td><\/tr>
              SizeOfHeapCommit<\/strong><\/td>DWORD<\/td>ULONGLONG<\/strong><\/td>\u5806\u63d0\u4ea4\u5927\u5c0f<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              \n
              \u6ce8<\/strong>\uff1a\u56e0\u533a\u522b\u4e0d\u660e\u663e\uff0c\u4ee5\u4e0b\u5206\u6790\u4ee5 32\u4f4d\u7ed3\u6784\u4f53<\/strong> \u4e3a\u4f8b\u3002<\/p>\n<\/blockquote>\n\n\n\n
              \n\n\n\n
              32\u4f4d\u6269\u5c55 PE \u5934\u6210\u5458\u6982\u89c8<\/h2>\n\n\n\n
              \u6269\u5c55 PE \u5934\u6210\u5458\u8f83\u591a\uff0c\u52a0\u7c97\u662f\u91cd\u70b9<\/p>\n\n\n\n
              \u6210\u5458<\/th>\u6570\u636e\u5bbd\u5ea6<\/th>\u8bf4\u660e<\/th><\/tr><\/thead>
              Magic<\/strong><\/td>WORD (2\u5b57\u8282)<\/td>\u955c\u50cf\u6587\u4ef6\u7684\u72b6\u6001\uff0c\u53ef\u7528\u4e8e\u5224\u65ad\u7a0b\u5e8f\u662f32\u4f4d\u8fd8\u662f64\u4f4d<\/td><\/tr>
              MajorLinkerVersion<\/td>BYTE (1\u5b57\u8282)<\/td>\u94fe\u63a5\u5668\u7684\u4e3b\u8981\u7248\u672c\u53f7<\/td><\/tr>
              MinorLinkerVersion<\/td>BYTE (1\u5b57\u8282)<\/td>\u94fe\u63a5\u5668\u7684\u6b21\u8981\u7248\u672c\u53f7<\/td><\/tr>
              SizeOfCode<\/td>DWORD (4\u5b57\u8282)<\/td>\u4ee3\u7801\u6bb5\u7684\u5927\u5c0f<\/td><\/tr>
              SizeOfInitializedData<\/td>DWORD (4\u5b57\u8282)<\/td>\u521d\u59cb\u5316\u6570\u636e\u6bb5\u7684\u5927\u5c0f<\/td><\/tr>
              SizeOfUninitializedData<\/td>DWORD (4\u5b57\u8282)<\/td>\u672a\u521d\u59cb\u5316\u6570\u636e\u6bb5\u7684\u5927\u5c0f<\/td><\/tr>
              AddressOfEntryPoint<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>\u7a0b\u5e8f\u5165\u53e3 (OEP)<\/td><\/tr>
              BaseOfCode<\/td>DWORD (4\u5b57\u8282)<\/td>\u4ee3\u7801\u5f00\u59cb\u7684\u57fa\u5740<\/td><\/tr>
              BaseOfData<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>\u6570\u636e\u5f00\u59cb\u7684\u57fa\u5740<\/td><\/tr>
              ImageBase<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>\u5185\u5b58\u955c\u50cf\u57fa\u5740<\/td><\/tr>
              SectionAlignment<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>\u5185\u5b58\u5bf9\u9f50<\/td><\/tr>
              FileAlignment<\/strong><\/td>WORD (2\u5b57\u8282)<\/td>\u6587\u4ef6\u5bf9\u9f50<\/td><\/tr>
              MajorOperatingSystemVersion<\/td>WORD (2\u5b57\u8282)<\/td>\u6807\u8bc6\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u53f7 (\u4e3b)<\/td><\/tr>
              MinorOperatingSystemVersion<\/td>WORD (2\u5b57\u8282)<\/td>\u6807\u8bc6\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u53f7 (\u6b21)<\/td><\/tr>
              MajorImageVersion<\/td>WORD (2\u5b57\u8282)<\/td>PE\u6587\u4ef6\u81ea\u8eab\u7684\u7248\u672c\u53f7 (\u4e3b)<\/td><\/tr>
              MinorImageVersion<\/td>WORD (2\u5b57\u8282)<\/td>PE\u6587\u4ef6\u81ea\u8eab\u7684\u7248\u672c\u53f7 (\u6b21)<\/td><\/tr>
              MajorSubsystemVersion<\/td>WORD (2\u5b57\u8282)<\/td>\u8fd0\u884c\u6240\u9700\u5b50\u7cfb\u7edf\u7248\u672c\u53f7 (\u4e3b)<\/td><\/tr>
              MinorSubsystemVersion<\/td>WORD (2\u5b57\u8282)<\/td>\u8fd0\u884c\u6240\u9700\u5b50\u7cfb\u7edf\u7248\u672c\u53f7 (\u6b21)<\/td><\/tr>
              Win32VersionValue<\/td>DWORD (4\u5b57\u8282)<\/td>\u5b50\u7cfb\u7edf\u7248\u672c\u7684\u503c\uff0c\u5fc5\u987b\u4e3a0<\/td><\/tr>
              SizeOfImage<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>Image\u5927\u5c0f (\u5185\u5b58\u4e2d)<\/td><\/tr>
              SizeOfHeaders<\/strong><\/td>DWORD (4\u5b57\u8282)<\/td>\u6240\u6709\u5934+\u8282\u8868\u6309\u7167\u6587\u4ef6\u5bf9\u9f50\u540e\u7684\u5927\u5c0f<\/td><\/tr>
              CheckSum<\/td>DWORD (4\u5b57\u8282)<\/td>\u6821\u9a8c\u548c<\/td><\/tr>
              Subsystem<\/td>WORD (2\u5b57\u8282)<\/td>\u5b50\u7cfb\u7edf\u7c7b\u578b<\/td><\/tr>
              DllCharacteristics<\/td>WORD (2\u5b57\u8282)<\/td>\u6587\u4ef6\u7279\u6027 (\u4e0d\u53ea\u662f\u9488\u5bf9DLL)<\/td><\/tr>
              SizeOfStackReserve<\/td>DWORD (4\u5b57\u8282)<\/td>\u521d\u59cb\u5316\u65f6\u4fdd\u7559\u7684\u6808\u5927\u5c0f<\/td><\/tr>
              SizeOfStackCommit<\/td>DWORD (4\u5b57\u8282)<\/td>\u521d\u59cb\u5316\u65f6\u5b9e\u9645\u63d0\u4ea4\u7684\u6808\u5927\u5c0f<\/td><\/tr>
              SizeOfHeapReserve<\/td>DWORD (4\u5b57\u8282)<\/td>\u521d\u59cb\u5316\u65f6\u4fdd\u7559\u7684\u5806\u5927\u5c0f<\/td><\/tr>
              SizeOfHeapCommit<\/td>DWORD (4\u5b57\u8282)<\/td>\u521d\u59cb\u5316\u65f6\u5b9e\u9645\u63d0\u4ea4\u7684\u5806\u5927\u5c0f<\/td><\/tr>
              LoaderFlags<\/td>DWORD (4\u5b57\u8282)<\/td>\u8c03\u8bd5\u76f8\u5173 (\u5df2\u8fc7\u65f6)<\/td><\/tr>
              NumberOfRvaAndSizes<\/td>DWORD (4\u5b57\u8282)<\/td>\u76ee\u5f55\u9879\u6570\u76ee<\/td><\/tr>
              DataDirectory[16]<\/strong><\/td>\u7ed3\u6784\u4f53\u6570\u7ec4<\/td>\u6570\u636e\u76ee\u5f55\u8868\uff0c\u6307\u5411\u5bfc\u51fa\u8868\u3001\u5bfc\u5165\u8868\u7b49<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              Magic<\/h5>\n\n\n\n
              \u955c\u50cf\u6587\u4ef6\u7684\u72b6\u6001\uff0c\u7528\u4e8e\u533a\u5206 PE \u6587\u4ef6\u7684\u7c7b\u578b\u3002<\/p>\n\n\n\n
              \u5b8f\u5b9a\u4e49<\/th>\u503c<\/th>\u542b\u4e49<\/th><\/tr><\/thead>
              IMAGE_NT_OPTIONAL_HDR32_MAGIC<\/td>0x10b<\/strong><\/td>32\u4f4d\u53ef\u6267\u884c\u6620\u50cf<\/td><\/tr>
              IMAGE_NT_OPTIONAL_HDR64_MAGIC<\/td>0x20b<\/strong><\/td>64\u4f4d\u53ef\u6267\u884c\u6620\u50cf<\/td><\/tr>
              IMAGE_ROM_OPTIONAL_HDR_MAGIC<\/td>0x107<\/strong><\/td>ROM \u955c\u50cf<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              \u7248\u672c\u53f7\u4e0e\u6bb5\u5927\u5c0f<\/h5>\n\n\n\n
                \n
              • MajorLinkerVersion \/ MinorLinkerVersion<\/strong>: \u94fe\u63a5\u5668\u7248\u672c\u53f7\u3002<\/li>\n\n\n\n
              • SizeOfCode \/ SizeOfInitializedData \/ SizeOfUninitializedData<\/strong>: \u5206\u522b\u4e3a\u4ee3\u7801\u6bb5\u3001\u521d\u59cb\u5316\u6570\u636e\u6bb5\u3001\u672a\u521d\u59cb\u5316\u6570\u636e\u6bb5\u7684\u5927\u5c0f\u3002
                \u8fd9\u4e9b\u503c\u662f\u6587\u4ef6\u5bf9\u9f50\u540e\u7684\u5927\u5c0f\uff0c\u7531\u7f16\u8bd1\u5668\u586b\u5199\uff0c\u4e0d\u4e00\u5b9a\u51c6\u786e<\/li>\n<\/ul>\n\n\n\n
                AddressOfEntryPoint (OEP)<\/h5>\n\n\n\n
                  \n
                • \u6307\u5411\u5165\u53e3\u70b9\u51fd\u6570\u7684\u6307\u9488\uff0c\u662f\u76f8\u5bf9\u4e8e ImageBase \u7684\u504f\u79fb\uff08RVA\uff09\u3002<\/li>\n\n\n\n
                • \u5bf9\u4e8e\u53ef\u6267\u884c\u6587\u4ef6\uff1a\u7a0b\u5e8f\u7684\u8d77\u59cb\u6267\u884c\u5730\u5740\u3002<\/li>\n\n\n\n
                • \u5bf9\u4e8e\u9a71\u52a8\u7a0b\u5e8f\uff1a\u521d\u59cb\u5316\u51fd\u6570\u7684\u5730\u5740\u3002<\/li>\n\n\n\n
                • \u5bf9\u4e8e DLL\uff1a\u53ef\u9009\uff0c\u82e5\u65e0\u5165\u53e3\u70b9\u5219\u4e3a 0\u3002<\/li>\n<\/ul>\n\n\n\n
                  BaseOfCode \/ BaseOfData<\/h5>\n\n\n\n
                    \n
                  • \u6307\u5411\u4ee3\u7801\u6bb5\/\u6570\u636e\u6bb5\u5f00\u5934\u7684\u6307\u9488\uff08RVA\uff09\u3002
                    \u6ce8: \u7f16\u8bd1\u5668\u586b\u5199\uff0c\u4e0d\u4e00\u5b9a\u51c6\u786e<\/strong>\u3002<\/li>\n<\/ul>\n\n\n\n
                    ImageBase<\/h5>\n\n\n\n
                    Image (PE\u6587\u4ef6) \u8f7d\u5165\u5185\u5b58\u65f6\u7b2c\u4e00\u4e2a\u5b57\u8282\u7684\u9996\u9009\u5730\u5740\uff08\u57fa\u5740\uff09\u3002\u8be5\u503c\u901a\u5e38\u662f 64K \u7684\u500d\u6570\u3002<\/p>\n\n\n\n
                    \u6587\u4ef6\u7c7b\u578b<\/th>\u9ed8\u8ba4\u503c<\/th><\/tr><\/thead>
                    DLL<\/strong><\/td>0x10000000<\/code><\/td><\/tr>
                    \u5e94\u7528\u7a0b\u5e8f (EXE)<\/strong><\/td>0x00400000<\/code><\/td><\/tr>
                    Windows CE<\/strong><\/td>0x00010000<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                    Alignment (\u5bf9\u9f50)<\/h5>\n\n\n\n
                      \n
                    • SectionAlignment<\/strong>: \u5185\u5b58\u4e2d\u7684\u8282\u5bf9\u9f50\u5927\u5c0f\u3002\u9ed8\u8ba4\u662f\u7cfb\u7edf\u9875\u9762\u5927\u5c0f\u3002<\/li>\n\n\n\n
                    • FileAlignment<\/strong>: \u6587\u4ef6\u4e2d\u7684\u8282\u5bf9\u9f50\u5927\u5c0f\u3002\u901a\u5e38\u4e3a 512 (0x200) \u5230 64K \u4e4b\u95f4\u76842\u7684\u5e42\u3002
                      \u89c4\u5219: SectionAlignment<\/code> \u5fc5\u987b\u5927\u4e8e\u6216\u7b49\u4e8e FileAlignment<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n
                      SizeOfImage<\/h5>\n\n\n\n
                        \n
                      • \u5185\u5b58\u4e2d\u6574\u4e2a PE \u6587\u4ef6\u7684\u6620\u5c04\u5c3a\u5bf8\u3002<\/li>\n\n\n\n
                      • \u5927\u5c0f\u5305\u62ec\u6240\u6709\u5934\u548c\u8282\u3002<\/li>\n\n\n\n
                      • \u5fc5\u987b\u662f SectionAlignment<\/code> \u7684\u6574\u6570\u500d\u3002<\/li>\n<\/ul>\n\n\n\n
                        SizeOfHeaders<\/h5>\n\n\n\n
                          \n
                        • \u6240\u6709\u5934 + \u8282\u8868\u6309\u7167 \u6587\u4ef6\u5bf9\u9f50<\/strong> \u540e\u7684\u5927\u5c0f\u3002<\/li>\n\n\n\n
                        • \u8ba1\u7b97\u516c\u5f0f<\/strong>:
                          text SizeOfHeaders = Align( e_lfanew (DOS\u5934\u6307\u5411PE\u5934\u7684\u504f\u79fb) + 4 (PE\u7b7e\u540d Signature) + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER) + sizeof(IMAGE_SECTION_HEADER) * \u8282\u6570\u91cf, FileAlignment )<\/code><\/li>\n<\/ul>\n\n\n\n
                          CheckSum<\/h5>\n\n\n\n
                          PE \u6587\u4ef6\u6821\u9a8c\u548c\u3002\u5173\u952e\u7cfb\u7edf\u8fdb\u7a0b\u3001\u9a71\u52a8\u7a0b\u5e8f\u3001\u5f15\u5bfc\u65f6\u52a0\u8f7d\u7684 DLL \u4f1a\u8fdb\u884c\u9a8c\u8bc1\u3002<\/p>\n\n\n\n
                          Subsystem<\/h5>\n\n\n\n
                          \u8fd0\u884c\u6b64\u6620\u50cf\u6240\u9700\u7684\u5b50\u7cfb\u7edf\u3002<\/p>\n\n\n\n
                          \u5b8f\u5b9a\u4e49<\/th>\u503c<\/th>\u542b\u4e49<\/th><\/tr><\/thead>
                          IMAGE_SUBSYSTEM_UNKNOWN<\/td>0<\/td>\u672a\u77e5\u7684\u5b50\u7cfb\u7edf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_NATIVE<\/td>1<\/td>\u4e0d\u9700\u8981\u5b50\u7cfb\u7edf (\u9a71\u52a8\/\u672c\u673a\u7cfb\u7edf\u8fdb\u7a0b)<\/td><\/tr>
                          IMAGE_SUBSYSTEM_WINDOWS_GUI<\/strong><\/td>2<\/strong><\/td>Windows \u56fe\u5f62\u7528\u6237\u754c\u9762 (GUI)<\/strong><\/td><\/tr>
                          IMAGE_SUBSYSTEM_WINDOWS_CUI<\/strong><\/td>3<\/strong><\/td>Windows \u5b57\u7b26\u6a21\u5f0f (\u63a7\u5236\u53f0)<\/strong><\/td><\/tr>
                          IMAGE_SUBSYSTEM_OS2_CUI<\/td>5<\/td>OS\/2 CUI \u5b50\u7cfb\u7edf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_POSIX_CUI<\/td>7<\/td>POSIX CUI \u5b50\u7cfb\u7edf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_WINDOWS_CE_GUI<\/td>9<\/td>Windows CE \u7cfb\u7edf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_EFI_APPLICATION<\/td>10<\/td>EFI \u5e94\u7528\u7a0b\u5e8f<\/td><\/tr>
                          IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER<\/td>11<\/td>EFI \u5f15\u5bfc\u670d\u52a1\u9a71\u52a8<\/td><\/tr>
                          IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER<\/td>12<\/td>EFI \u8fd0\u884c\u65f6\u670d\u52a1\u9a71\u52a8<\/td><\/tr>
                          IMAGE_SUBSYSTEM_EFI_ROM<\/td>13<\/td>EFI ROM \u955c\u50cf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_XBOX<\/td>14<\/td>Xbox \u7cfb\u7edf<\/td><\/tr>
                          IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION<\/td>16<\/td>\u542f\u52a8\u5e94\u7528\u7a0b\u5e8f<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                          DllCharacteristics<\/h5>\n\n\n\n
                          \u5b9a\u4e49\u4e86 Image \u7684 DLL \u7279\u6027\uff08\u4e5f\u53ef\u7528\u4e8e EXE\uff09\u3002<\/p>\n\n\n\n
                          \u5b8f\u5b9a\u4e49<\/th>\u503c<\/th>\u542b\u4e49<\/th><\/tr><\/thead>
                          (Reserved)<\/td>0x0001 – 0x0008<\/td>\u4fdd\u7559\uff0c\u5fc5\u987b\u4e3a 0<\/td><\/tr>
                          IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA<\/td>0x0020<\/td>64\u4f4d\u5730\u5740\u7a7a\u95f4 ASLR (\u9ad8\u71b5)<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE<\/strong><\/td>0x0040<\/strong><\/td>\u652f\u6301 ASLR (\u52a0\u8f7d\u65f6\u91cd\u5b9a\u4f4d)<\/strong><\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY<\/td>0x0080<\/td>\u5f3a\u5236\u4ee3\u7801\u5b8c\u6574\u6027\u68c0\u67e5<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_NX_COMPAT<\/strong><\/td>0x0100<\/strong><\/td>\u652f\u6301 DEP (\u6570\u636e\u6267\u884c\u4fdd\u62a4)<\/strong><\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_NO_ISOLATION<\/td>0x0200<\/td>\u4e0d\u5e94\u88ab\u9694\u79bb<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_NO_SEH<\/td>0x0400<\/td>\u4e0d\u4f7f\u7528\u7ed3\u6784\u5316\u5f02\u5e38\u5904\u7406 (SEH)<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_NO_BIND<\/td>0x0800<\/td>\u4e0d\u8981\u7ed1\u5b9a\u6620\u50cf<\/td><\/tr>
                          IMAGE_DLL_CHARACTERISTICS_APPCONTAINER<\/td>0x1000<\/td>\u5728 AppContainer \u4e2d\u6267\u884c<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_WDM_DRIVER<\/td>0x2000<\/td>WDM \u9a71\u52a8<\/td><\/tr>
                          IMAGE_DLL_CHARACTERISTICS_GUARD_CF<\/td>0x4000<\/td>\u652f\u6301\u63a7\u5236\u6d41\u4fdd\u62a4 (CFG)<\/td><\/tr>
                          IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE<\/td>0x8000<\/td>\u7ec8\u7aef\u670d\u52a1\u5668\u611f\u77e5<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                          \u6808\u4e0e\u5806<\/h5>\n\n\n\n
                            \n
                          • SizeOfStackReserve<\/strong>: \u521d\u59cb\u5316\u4fdd\u7559\u7684\u6808\u5927\u5c0f\u3002<\/li>\n\n\n\n
                          • SizeOfStackCommit<\/strong>: \u521d\u59cb\u5316\u5b9e\u9645\u63d0\u4ea4\u7684\u6808\u5927\u5c0f\u3002<\/li>\n\n\n\n
                          • SizeOfHeapReserve<\/strong>: \u521d\u59cb\u5316\u4fdd\u7559\u7684\u5806\u5927\u5c0f\u3002<\/li>\n\n\n\n
                          • SizeOfHeapCommit<\/strong>: \u521d\u59cb\u5316\u5b9e\u9645\u63d0\u4ea4\u7684\u5806\u5927\u5c0f\u3002<\/li>\n<\/ul>\n\n\n\n
                            DataDirectory (\u6570\u636e\u76ee\u5f55)<\/h5>\n\n\n\n
                            \u6307\u5411\u6570\u636e\u76ee\u5f55\u4e2d\u7b2c\u4e00\u4e2a IMAGE_DATA_DIRECTORY<\/code> \u7ed3\u6784\u7684\u6307\u9488\u3002\u6bcf\u4e2a\u6761\u76ee\u5305\u542b\u5730\u5740\uff08RVA\uff09\u548c\u5927\u5c0f\u3002<\/p>\n\n\n\n
                            \u7d22\u5f15<\/th>\u5b8f\u5b9a\u4e49<\/th>\u542b\u4e49<\/th><\/tr><\/thead>
                            0<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_EXPORT<\/strong><\/td>\u5bfc\u51fa\u8868<\/strong><\/td><\/tr>
                            1<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_IMPORT<\/strong><\/td>\u5bfc\u5165\u8868<\/strong><\/td><\/tr>
                            2<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_RESOURCE<\/strong><\/td>\u8d44\u6e90\u8868<\/strong><\/td><\/tr>
                            3<\/td>IMAGE_DIRECTORY_ENTRY_EXCEPTION<\/td>\u5f02\u5e38\u8868<\/td><\/tr>
                            4<\/td>IMAGE_DIRECTORY_ENTRY_SECURITY<\/td>\u5b89\u5168\u8868<\/td><\/tr>
                            5<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_BASERELOC<\/strong><\/td>\u57fa\u5730\u5740\u91cd\u5b9a\u4f4d\u8868<\/strong><\/td><\/tr>
                            6<\/td>IMAGE_DIRECTORY_ENTRY_DEBUG<\/td>\u8c03\u8bd5\u8868<\/td><\/tr>
                            7<\/td>IMAGE_DIRECTORY_ENTRY_ARCHITECTURE<\/td>\u67b6\u6784\u6570\u636e (\u4fdd\u75590)<\/td><\/tr>
                            8<\/td>IMAGE_DIRECTORY_ENTRY_GLOBALPTR<\/td>\u5168\u5c40\u6307\u9488 RVA<\/td><\/tr>
                            9<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_TLS<\/strong><\/td>TLS \u8868 (\u7ebf\u7a0b\u672c\u5730\u5b58\u50a8)<\/strong><\/td><\/tr>
                            10<\/td>IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG<\/td>\u52a0\u8f7d\u914d\u7f6e\u8868<\/td><\/tr>
                            11<\/td>IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT<\/td>\u7ed1\u5b9a\u5bfc\u5165\u8868<\/td><\/tr>
                            12<\/strong><\/td>IMAGE_DIRECTORY_ENTRY_IAT<\/strong><\/td>\u5bfc\u5165\u5730\u5740\u8868 (IAT)<\/strong><\/td><\/tr>
                            13<\/td>IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT<\/td>\u5ef6\u8fdf\u5bfc\u5165\u8868<\/td><\/tr>
                            14<\/td>IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR<\/td>COM \u63cf\u8ff0\u7b26\u8868 (.NET)<\/td><\/tr>
                            15<\/td>(Reserved)<\/td>\u4fdd\u7559<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                            \u8282\u8868<\/h3>\n\n\n\n
                            \u63cf\u8ff0\u6570\u636e\u5757\uff0c\u4e0a\u6587pe\u6587\u4ef6\u4ece\u78c1\u76d8\u6620\u5c04\u5230\u5185\u5b58\u4e2d\uff0c\u8282\u8868\u63cf\u8ff0\u8fd9\u79cd\u6620\u5c04\u5173\u7cfb\uff0c\u8282\u8868\u7684\u6bcf\u4e00\u884c\u5b9e\u9645\u4e0a\u662f\u4e00\u4e2a\u8282\u6807\u9898\u3002 \u6b64\u8868\u7d27\u8ddf\u53ef\u9009\u6807\u5934\uff08\u5982\u679c\u6709\uff09\u3002\u56e0\u4e3a\u6587\u4ef6\u5934\u4e0d\u5305\u542b\u6307\u5411\u8282\u8868\u7684\u76f4\u63a5\u6307\u9488\u3002\u8282\u8868\u7684\u4f4d\u7f6e\u662f\u901a\u8fc7\u8ba1\u7b97\u6807\u5934\u540e\u7b2c\u4e00\u4e2a\u5b57\u8282\u7684\u4f4d\u7f6e\u6765\u786e\u5b9a\u7684\u3002\u8282\u8868\u4e2d\u7684\u6761\u76ee\u6570\u7531\u6587\u4ef6\u6807\u5934\u4e2d\u7684 NumberOfSections \u5b57\u6bb5\u63d0\u4f9b\u3002 \u8282\u8868\u4e2d\u7684\u6761\u76ee\u4ece 1 (1) \u5f00\u59cb\u7f16\u53f7\u3002 \u4ee3\u7801\u548c\u6570\u636e\u5185\u5b58\u90e8\u5206\u6761\u76ee\u6309\u94fe\u63a5\u5668\u9009\u62e9\u7684\u987a\u5e8f\u6392\u5217\u3002
                            \u8282\u7684va\u5fc5\u987b\u7531\u94fe\u63a5\u5668\u5206\u914d\u4ee5\u4fbf\u4e8e\u6309\u5347\u5e8f\u548c\u76f8\u90bb\uff0c\u5fc5\u987b\u662f\u53ef\u9009\u6807\u5934\u4e2d SectionAlignment \u503c\u7684\u500d\u6570\u3002<\/p>\n\n\n\n
                            Offset<\/th>\u5927\u5c0f<\/th>\u5b57\u6bb5<\/th>\u8bf4\u660e<\/th><\/tr><\/thead>
                            0<\/td>8<\/td>\u540d\u79f0<\/td>\u4e00\u4e2a 8 \u5b57\u8282\u3001null \u586b\u5145\u7684 UTF-8 \u7f16\u7801\u5b57\u7b26\u4e32\u3002\u5982\u679c\u5b57\u7b26\u4e32\u957f\u5ea6\u6b63\u597d\u4e3a 8 \u4e2a\u5b57\u7b26\uff0c\u5219\u4e0d\u5b58\u5728\u7ec8\u6b62 null\u3002\u5bf9\u4e8e\u8f83\u957f\u7684\u540d\u79f0\uff0c\u6b64\u5b57\u6bb5\u5305\u542b\u659c\u6760 (\/)\uff0c\u540e\u8ddf\u5341\u8fdb\u5236\u6570\u7684 ASCII \u8868\u793a\u5f62\u5f0f\uff0c\u8be5\u6570\u5b57\u662f\u5b57\u7b26\u4e32\u8868\u4e2d\u7684\u504f\u79fb\u91cf\u3002\u53ef\u6267\u884c\u6620\u50cf\u4e0d\u4f7f\u7528\u5b57\u7b26\u4e32\u8868\uff0c\u5e76\u4e14\u4e0d\u652f\u6301\u957f\u5ea6\u8d85\u8fc7 8 \u4e2a\u5b57\u7b26\u7684\u8282\u540d\u79f0\u3002\u5982\u679c\u5bf9\u8c61\u6587\u4ef6\u4e2d\u7684\u957f\u540d\u79f0\u88ab\u53d1\u9001\u5230\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u5219\u4f1a\u622a\u65ad\u5b83\u4eec\u3002<\/td><\/tr>
                            8<\/td>4<\/td>VirtualSize<\/td>\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u7684\u8282\u7684\u603b\u5927\u5c0f\u3002\u5982\u679c\u6b64\u503c\u5927\u4e8e SizeOfRawData\uff0c\u5219\u8282\u4e3a\u96f6\u586b\u5145\u3002\u6b64\u5b57\u6bb5\u4ec5\u5bf9\u53ef\u6267\u884c\u6620\u50cf\u6709\u6548\uff0c\u5e94\u5c06\u5bf9\u8c61\u6587\u4ef6\u8bbe\u7f6e\u4e3a\u96f6\u3002<\/td><\/tr>
                            12<\/td>4<\/td>VirtualAddress<\/td>\u5bf9\u4e8e\u53ef\u6267\u884c\u6620\u50cf\uff0c\u662f\u90e8\u5206\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u65f6\u76f8\u5bf9\u4e8e\u6620\u50cf\u5e93\u7684\u7b2c\u4e00\u4e2a\u5b57\u8282\u7684\u5730\u5740\u3002\u5bf9\u4e8e\u5bf9\u8c61\u6587\u4ef6\uff0c\u6b64\u5b57\u6bb5\u662f\u5e94\u7528\u91cd\u5b9a\u4f4d\u524d\u7b2c\u4e00\u4e2a\u5b57\u8282\u7684\u5730\u5740;\u4e3a\u7b80\u5355\u8d77\u89c1\uff0c\u7f16\u8bd1\u5668\u5e94\u5c06\u6b64\u8bbe\u7f6e\u4e3a\u96f6\u3002\u5426\u5219\uff0c\u5b83\u662f\u5728\u91cd\u5b9a\u4f4d\u671f\u95f4\u4ece\u504f\u79fb\u91cf\u4e2d\u51cf\u53bb\u7684\u4efb\u610f\u503c\u3002<\/td><\/tr>
                            16<\/td>4<\/td>SizeOfRawData<\/td>) \u5bf9\u8c61\u6587\u4ef6 (\u8282\u7684\u5927\u5c0f\uff0c\u6216\u56fe\u50cf\u6587\u4ef6) \u78c1\u76d8 (\u4e0a\u521d\u59cb\u5316\u6570\u636e\u7684\u5927\u5c0f\u3002\u5bf9\u4e8e\u53ef\u6267\u884c\u6620\u50cf\uff0c\u8fd9\u5fc5\u987b\u662f\u53ef\u9009\u6807\u5934\u4e2d\u7684 FileAlignment \u7684\u500d\u6570\u3002\u5982\u679c\u5c0f\u4e8e VirtualSize\uff0c\u5219\u90e8\u5206\u7684\u5176\u4f59\u90e8\u5206\u4e3a\u96f6\u586b\u5145\u3002\u7531\u4e8e SizeOfRawData \u5b57\u6bb5\u662f\u820d\u5165\u7684\uff0c\u4f46 VirtualSize \u5b57\u6bb5\u4e0d\u662f\uff0c\u56e0\u6b64 SizeOfRawData \u4e5f\u53ef\u80fd\u5927\u4e8e VirtualSize\u3002\u5982\u679c\u8282\u4ec5\u5305\u542b\u672a\u521d\u59cb\u5316\u7684\u6570\u636e\uff0c\u5219\u6b64\u5b57\u6bb5\u5e94\u4e3a\u96f6\u3002<\/td><\/tr>
                            20<\/td>4<\/td>PointerToRawData<\/td>\u6307\u5411 COFF \u6587\u4ef6\u4e2d\u8282\u7684\u7b2c\u4e00\u9875\u7684\u6587\u4ef6\u6307\u9488\u3002\u5bf9\u4e8e\u53ef\u6267\u884c\u6620\u50cf\uff0c\u8fd9\u5fc5\u987b\u662f\u53ef\u9009\u6807\u5934\u4e2d\u7684 FileAlignment \u7684\u500d\u6570\u3002\u5bf9\u4e8e\u5bf9\u8c61\u6587\u4ef6\uff0c\u503c\u5e94\u5728 4 \u5b57\u8282\u8fb9\u754c\u4e0a\u5bf9\u9f50\uff0c\u4ee5\u83b7\u5f97\u6700\u4f73\u6027\u80fd\u3002\u5982\u679c\u8282\u4ec5\u5305\u542b\u672a\u521d\u59cb\u5316\u7684\u6570\u636e\uff0c\u5219\u6b64\u5b57\u6bb5\u5e94\u4e3a\u96f6\u3002<\/td><\/tr>
                            24<\/td>4<\/td>PointerToRelocations<\/td>\u6307\u5411\u8282\u91cd\u5b9a\u4f4d\u6761\u76ee\u5f00\u5934\u7684\u6587\u4ef6\u6307\u9488\u3002\u5bf9\u4e8e\u53ef\u6267\u884c\u6620\u50cf\uff0c\u5982\u679c\u6ca1\u6709\u4efb\u4f55\u91cd\u5b9a\u4f4d\uff0c\u5219\u8bbe\u7f6e\u4e3a\u96f6\u3002<\/td><\/tr>
                            28<\/td>4<\/td>PointerToLinenumbers<\/td>\u6307\u5411\u8282\u7684\u884c\u53f7\u6761\u76ee\u5f00\u5934\u7684\u6587\u4ef6\u6307\u9488\u3002\u5982\u679c\u6ca1\u6709 COFF \u884c\u53f7\uff0c\u5219\u6b64\u503c\u8bbe\u7f6e\u4e3a\u96f6\u3002\u6620\u50cf\u7684\u6b64\u503c\u5e94\u4e3a\u96f6\uff0c\u56e0\u4e3a COFF \u8c03\u8bd5\u4fe1\u606f\u5df2\u5f03\u7528\u3002<\/td><\/tr>
                            32<\/td>2<\/td>NumberOfRelocations<\/td>\u8282\u7684\u91cd\u5b9a\u4f4d\u6761\u76ee\u6570\u3002\u5bf9\u4e8e\u53ef\u6267\u884c\u6620\u50cf\uff0c\u6b64\u503c\u8bbe\u7f6e\u4e3a\u96f6\u3002<\/td><\/tr>
                            34<\/td>2<\/td>NumberOfLinenumbers<\/td>\u8282\u7684\u884c\u53f7\u6761\u76ee\u6570\u3002\u6620\u50cf\u7684\u6b64\u503c\u5e94\u4e3a\u96f6\uff0c\u56e0\u4e3a COFF \u8c03\u8bd5\u4fe1\u606f\u5df2\u5f03\u7528\u3002<\/td><\/tr>
                            36<\/td>4<\/td>\u7279\u5f81<\/td>\u63cf\u8ff0\u90e8\u5206\u7279\u5f81\u7684\u6807\u5fd7\u3002\u6709\u5173\u8be6\u7ec6\u4fe1\u606f\uff0c\u8bf7\u53c2\u9605 \u8282\u6807\u5fd7\u3002<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                            VA\u548cFOA\u8f6c\u6362<\/h2>\n\n\n\n
                              \n
                            • VA\uff1a\u5728\u5185\u5b58\u4e2d\u7684\u865a\u62df\u5730\u5740<\/li>\n\n\n\n
                            • RVA\uff1a\u76f8\u5bf9\u865a\u62df\u5730\u5740<\/li>\n\n\n\n
                            • FOA\uff1a\u6587\u4ef6\u504f\u79fb\u5730\u5740<\/li>\n<\/ul>\n\n\n\n
                              \u6d41\u7a0b<\/h3>\n\n\n\n
                              va\u5230foa<\/h4>\n\n\n\n
                                \n
                              1. \u5f97\u5230PVA\u7684\u503c\uff1aRVA = VA – ImageBase<\/li>\n\n\n\n
                              2. \u5224\u65adRVA\u662f\u5426\u5904\u4e8ePE\u6587\u4ef6\u5934\u4e2d<\/li>\n\n\n\n
                              3. \u5728\u6587\u4ef6\u5934\u4e2d\u5219FOA=RVA\uff0c\u4e0d\u5728\u5219\u5224\u65adRVA\u4f4d\u4e8e\u54ea\u4e2a\u8282\uff0c\u5dee\u503c = RVA – \u8282.VirtualAddress(RVA)\uff0cFOA = \u8282.PointerToRawData + \u5dee\u503c
                                \u4ee3\u7801\u5b9e\u73b0<\/li>\n<\/ol>\n\n\n\n
                                \/\/ PE.cpp : Defines the entry point for the console application.\n\/\/\n#include <stdio.h>\n#include <malloc.h>\n#include <windows.h>\n#include <winnt.h>\n#include <math.h>\n\/\/\u5728VC6\u8fd9\u4e2a\u6bd4\u8f83\u65e7\u7684\u73af\u5883\u91cc\uff0c\u6ca1\u6709\u5b9a\u4e4964\u4f4d\u7684\u8fd9\u4e2a\u5b8f\uff0c\u9700\u8981\u81ea\u5df1\u5b9a\u4e49\uff0c\u5728VS2019\u4e2d\u65e0\u9700\u81ea\u5df1\u5b9a\u4e49\n#define IMAGE_FILE_MACHINE_AMD64  0x8664\n\n\/\/VA\u8f6cFOA 32\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT VaToFoa32(UINT va, _IMAGE_DOS_HEADER *dos,_IMAGE_NT_HEADERS* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u5f97\u5230RVA\u7684\u503c\uff1aRVA = VA - ImageBase\n    UINT rva = va - nt->OptionalHeader.ImageBase;\n    \/\/\u8f93\u51farva\n    printf(\"rva:%X\\n\", rva);\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew+sizeof(_IMAGE_NT_HEADERS);\n    \/\/\u8f93\u51faPeEnd\n    printf(\"PeEnd:%X\\n\", PeEnd);\n    \/\/\u5224\u65adrva\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (rva < PeEnd) {\n        \/\/\u5982\u679crva\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56derva\u5373\u53ef\n        printf(\"foa:%X\\n\", rva);        \n        return rva;\n    }\n    else {\n        \/\/\u5982\u679crva\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adrva\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n            \/\/\u8ba1\u7b97\u5185\u5b58\u5bf9\u9f50\u540e\u8282\u7684\u5927\u5c0f\n            UINT SizeInMemory = ceil((double)max((UINT)sectionArr[i]->Misc.VirtualSize ,(UINT)sectionArr[i]->SizeOfRawData ) \/ (double)nt->OptionalHeader.SectionAlignment)* nt->OptionalHeader.SectionAlignment;\n\n            if (rva >= sectionArr[i]->VirtualAddress && rva < (sectionArr[i]->VirtualAddress + SizeInMemory)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282\n                \/\/\u8f93\u51fa\u5185\u5b58\u5bf9\u9f50\u540e\u7684\u8282\u7684\u5927\u5c0f\n                printf(\"SizeInMemory:%X\\n\", SizeInMemory);\n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= RVA - \u8282.VirtualAddress\n            int offset = rva - sectionArr[i]->VirtualAddress;\n            \/\/FOA = \u8282.PointerToRawData + \u5dee\u503c\n            int foa = sectionArr[i]->PointerToRawData + offset;\n            printf(\"foa:%X\\n\", foa);\n            return foa;\n        }\n\n    }\n\n}\n\n\/\/VA\u8f6cFOA 64\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT VaToFoa64(UINT va, _IMAGE_DOS_HEADER* dos, _IMAGE_NT_HEADERS64* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u5f97\u5230RVA\u7684\u503c\uff1aRVA = VA - ImageBase\n    UINT rva = va - nt->OptionalHeader.ImageBase;\n    \/\/\u8f93\u51farva\n    printf(\"rva:%X\\n\", rva);\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew + sizeof(_IMAGE_NT_HEADERS64);\n    \/\/\u8f93\u51faPeEnd\n    printf(\"PeEnd:%X\\n\", PeEnd);\n    \/\/\u5224\u65adrva\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (rva < PeEnd) {\n        \/\/\u5982\u679crva\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56derva\u5373\u53ef\n        printf(\"foa:%X\\n\", rva);\n        return rva;\n    }\n    else {\n        \/\/\u5982\u679crva\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adrva\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n            \/\/\u8ba1\u7b97\u5185\u5b58\u5bf9\u9f50\u540e\u8282\u7684\u5927\u5c0f\n            UINT SizeInMemory = ceil((double)max((UINT)sectionArr[i]->Misc.VirtualSize ,(UINT)sectionArr[i]->SizeOfRawData ) \/ (double)nt->OptionalHeader.SectionAlignment)* nt->OptionalHeader.SectionAlignment;\n\n            if (rva >= sectionArr[i]->VirtualAddress && rva < (sectionArr[i]->VirtualAddress + SizeInMemory)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282\n                \/\/\u8f93\u51fa\u5185\u5b58\u5bf9\u9f50\u540e\u7684\u8282\u7684\u5927\u5c0f\n                printf(\"SizeInMemory:%X\\n\", SizeInMemory);\n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= RVA - \u8282.VirtualAddress\n            int offset = rva - sectionArr[i]->VirtualAddress;\n            \/\/FOA = \u8282.PointerToRawData + \u5dee\u503c\n            int foa = sectionArr[i]->PointerToRawData + offset;\n            printf(\"foa:%X\\n\", foa);\n            return foa;\n        }\n\n    }\n\n}\nint main(int argc, char* argv[])\n{\n    \/\/\u521b\u5efaDOS\u5bf9\u5e94\u7684\u7ed3\u6784\u4f53\u6307\u9488\n    _IMAGE_DOS_HEADER* dos;\n    \/\/\u8bfb\u53d6\u6587\u4ef6\uff0c\u8fd4\u56de\u6587\u4ef6\u53e5\u67c4\n    HANDLE hFile = CreateFileA(\"C:\\\\Users\\\\lyl610abc\\\\Desktop\\\\GlobalVariety.exe\", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);\n    \/\/\u6839\u636e\u6587\u4ef6\u53e5\u67c4\u521b\u5efa\u6620\u5c04\n    HANDLE hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, 0);\n    \/\/\u6620\u5c04\u5185\u5bb9\n    LPVOID pFile = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);\n    \/\/\u7c7b\u578b\u8f6c\u6362\uff0c\u7528\u7ed3\u6784\u4f53\u7684\u65b9\u5f0f\u6765\u8bfb\u53d6\n    dos = (_IMAGE_DOS_HEADER*)pFile;\n    \/\/\u8f93\u51fados->e_magic\uff0c\u4ee5\u5341\u516d\u8fdb\u5236\u8f93\u51fa\n    printf(\"dos->e_magic:%X\\n\", dos->e_magic);\n\n    \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u6807\u5fd7\u7684\u6307\u9488\n    DWORD* peId;\n    \/\/\u8ba9PE\u6587\u4ef6\u5934\u6807\u5fd7\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=DOS\u9996\u5730\u5740+\u504f\u79fb\n    peId = (DWORD*)((UINT)dos + dos->e_lfanew);\n    \/\/\u8f93\u51faPE\u6587\u4ef6\u5934\u6807\u5fd7\uff0c\u5176\u503c\u5e94\u4e3a4550\uff0c\u5426\u5219\u4e0d\u662fPE\u6587\u4ef6\n    printf(\"peId:%X\\n\", *peId);\n\n    \/\/\u521b\u5efa\u6307\u5411\u53ef\u9009PE\u5934\u7684\u7b2c\u4e00\u4e2a\u6210\u5458magic\u7684\u6307\u9488\n    WORD* magic;\n    \/\/\u8ba9magic\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=PE\u6587\u4ef6\u5934\u6807\u5fd7\u5730\u5740+PE\u6587\u4ef6\u5934\u6807\u5fd7\u5927\u5c0f+\u6807\u51c6PE\u5934\u5927\u5c0f\n    magic = (WORD*)((UINT)peId + sizeof(DWORD) + sizeof(_IMAGE_FILE_HEADER));\n    \/\/\u8f93\u51famagic\uff0c\u5176\u503c\u4e3a0x10b\u4ee3\u886832\u4f4d\u7a0b\u5e8f\uff0c\u5176\u503c\u4e3a0x20b\u4ee3\u886864\u4f4d\u7a0b\u5e8f\n    printf(\"magic:%X\\n\", *magic);\n    \/\/\u6839\u636emagic\u5224\u65ad\u4e3a32\u4f4d\u7a0b\u5e8f\u8fd8\u662f64\u4f4d\u7a0b\u5e8f\n    switch (*magic) {\n    case IMAGE_NT_OPTIONAL_HDR32_MAGIC:\n    {\n        printf(\"32\u4f4d\u7a0b\u5e8f\\n\");\n        \/\/\u786e\u5b9a\u4e3a32\u4f4d\u7a0b\u5e8f\u540e\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528_IMAGE_NT_HEADERS\u6765\u63a5\u6536\u6570\u636e\u4e86\n        \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u7684\u6307\u9488\n        _IMAGE_NT_HEADERS* nt;\n        \/\/\u8ba9PE\u6587\u4ef6\u5934\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\n        nt = (_IMAGE_NT_HEADERS*)peId;\n        printf(\"Machine:%X\\n\", nt->FileHeader.Machine);\n        printf(\"Magic:%X\\n\", nt->OptionalHeader.Magic);\n\n        \/\/\u521b\u5efa\u4e00\u4e2a\u6307\u9488\u6570\u7ec4\uff0c\u8be5\u6307\u9488\u6570\u7ec4\u7528\u6765\u5b58\u50a8\u6240\u6709\u7684\u8282\u8868\u6307\u9488\n        \/\/\u8fd9\u91cc\u76f8\u5f53\u4e8e_IMAGE_SECTION_HEADER* sectionArr[nt->FileHeader.NumberOfSections],\u58f0\u660e\u4e86\u4e00\u4e2a\u52a8\u6001\u6570\u7ec4\n        _IMAGE_SECTION_HEADER** sectionArr = (_IMAGE_SECTION_HEADER**) malloc(sizeof(_IMAGE_SECTION_HEADER*) * nt->FileHeader.NumberOfSections);\n\n        \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n        _IMAGE_SECTION_HEADER* sectionHeader;\n        \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\n        sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)nt + sizeof(_IMAGE_NT_HEADERS));\n        \/\/\u8ba1\u6570\uff0c\u7528\u6765\u8ba1\u7b97\u5757\u8868\u5730\u5740\n        int cnt = 0;\n        \/\/\u6bd4\u8f83 \u8ba1\u6570 \u548c \u5757\u8868\u7684\u4e2a\u6570\uff0c\u5373\u904d\u5386\u6240\u6709\u5757\u8868\n        while(cnt< nt->FileHeader.NumberOfSections){\n            \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n            _IMAGE_SECTION_HEADER* section;\n            \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=\u7b2c\u4e00\u4e2a\u5757\u8868\u5730\u5740+\u8ba1\u6570*\u5757\u8868\u7684\u5927\u5c0f\n            section = (_IMAGE_SECTION_HEADER*)((UINT)sectionHeader + sizeof(_IMAGE_SECTION_HEADER)*cnt);\n            \/\/\u5c06\u5f97\u5230\u7684\u5757\u8868\u6307\u9488\u5b58\u5165\u6570\u7ec4\n            sectionArr[cnt++] = section;\n            \/\/\u8f93\u51fa\u5757\u8868\u540d\u79f0\n            printf(\"%s\\n\", section->Name);\n        }\n\n        VaToFoa32(0x4198B0,dos, nt, sectionArr);\n\n        break;\n    }\n\n    case IMAGE_NT_OPTIONAL_HDR64_MAGIC:\n    {\n        printf(\"64\u4f4d\u7a0b\u5e8f\\n\");\n        \/\/\u786e\u5b9a\u4e3a64\u4f4d\u7a0b\u5e8f\u540e\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528_IMAGE_NT_HEADERS64\u6765\u63a5\u6536\u6570\u636e\u4e86\n        \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u7684\u6307\u9488\n        _IMAGE_NT_HEADERS64* nt;\n        nt = (_IMAGE_NT_HEADERS64*)peId;\n        printf(\"Machine:%X\\n\", nt->FileHeader.Machine);\n        printf(\"Magic:%X\\n\", nt->OptionalHeader.Magic);\n\n        \/\/\u521b\u5efa\u4e00\u4e2a\u6307\u9488\u6570\u7ec4\uff0c\u8be5\u6307\u9488\u6570\u7ec4\u7528\u6765\u5b58\u50a8\u6240\u6709\u7684\u8282\u8868\u6307\u9488\n        \/\/\u8fd9\u91cc\u76f8\u5f53\u4e8e_IMAGE_SECTION_HEADER* sectionArr[nt->FileHeader.NumberOfSections],\u58f0\u660e\u4e86\u4e00\u4e2a\u52a8\u6001\u6570\u7ec4\n        _IMAGE_SECTION_HEADER** sectionArr = (_IMAGE_SECTION_HEADER**)malloc(sizeof(_IMAGE_SECTION_HEADER*) * nt->FileHeader.NumberOfSections);\n\n        \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n        _IMAGE_SECTION_HEADER* sectionHeader;\n        \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\uff0c\u533a\u522b\u5728\u4e8e\u8fd9\u91cc\u52a0\u4e0a\u7684\u504f\u79fb\u4e3a_IMAGE_NT_HEADERS64\n        sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)nt + sizeof(_IMAGE_NT_HEADERS64));\n        \/\/\u8ba1\u6570\uff0c\u7528\u6765\u8ba1\u7b97\u5757\u8868\u5730\u5740\n        int cnt = 0;\n        \/\/\u6bd4\u8f83 \u8ba1\u6570 \u548c \u5757\u8868\u7684\u4e2a\u6570\uff0c\u5373\u904d\u5386\u6240\u6709\u5757\u8868\n        while (cnt < nt->FileHeader.NumberOfSections) {\n            \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n            _IMAGE_SECTION_HEADER* section;\n            \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=\u7b2c\u4e00\u4e2a\u5757\u8868\u5730\u5740+\u8ba1\u6570*\u5757\u8868\u7684\u5927\u5c0f\n            section = (_IMAGE_SECTION_HEADER*)((UINT)sectionHeader + sizeof(_IMAGE_SECTION_HEADER) * cnt);\n            \/\/\u5c06\u5f97\u5230\u7684\u5757\u8868\u6307\u9488\u5b58\u5165\u6570\u7ec4\n            sectionArr[cnt++] = section;\n            \/\/\u8f93\u51fa\u5757\u8868\u540d\u79f0\n            printf(\"%s\\n\", section->Name);\n        }\n        break;\n    }\n\n    default:\n    {\n        printf(\"error!\\n\");\n        break;\n    }\n\n    }\n    return 0;\n}<\/code><\/pre>\n\n\n\n
                                foa\u5230va<\/h4>\n\n\n\n
                                  \n
                                1. \u5224\u65adfoa\u662f\u5426\u4f4d\u4e8epe\u6587\u4ef6\u5934\u4e2d<\/li>\n\n\n\n
                                2. \u662f\u5219\uff0cfoa=rva\uff0c\u4e0d\u662f\u5219\u5224\u65ad\u4f4d\u4e8e\u54ea\u4e2a\u8282\uff0c\u5dee\u503c =  FOA – \u8282.PointerToRawData \uff0cRVA = \u5dee\u503c + \u8282.VirtualAddress(RVA)<\/li>\n\n\n\n
                                3. VA = ImageBase + RVA
                                  \u4ee3\u7801\u5b9e\u73b0<\/li>\n<\/ol>\n\n\n\n
                                  \/\/ PE.cpp : Defines the entry point for the console application.\n\/\/\n#include <stdio.h>\n#include <malloc.h>\n#include <windows.h>\n#include <winnt.h>\n#include <math.h>\n\/\/\u5728VC6\u8fd9\u4e2a\u6bd4\u8f83\u65e7\u7684\u73af\u5883\u91cc\uff0c\u6ca1\u6709\u5b9a\u4e4964\u4f4d\u7684\u8fd9\u4e2a\u5b8f\uff0c\u9700\u8981\u81ea\u5df1\u5b9a\u4e49\uff0c\u5728VS2019\u4e2d\u65e0\u9700\u81ea\u5df1\u5b9a\u4e49\n#define IMAGE_FILE_MACHINE_AMD64  0x8664\n\n\/\/VA\u8f6cFOA 32\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT VaToFoa32(UINT va, _IMAGE_DOS_HEADER *dos,_IMAGE_NT_HEADERS* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u5f97\u5230RVA\u7684\u503c\uff1aRVA = VA - ImageBase\n    UINT rva = va - nt->OptionalHeader.ImageBase;\n    \/\/\u8f93\u51farva\n    printf(\"rva:%X\\n\", rva);\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew+sizeof(_IMAGE_NT_HEADERS);\n    \/\/\u8f93\u51faPeEnd\n    printf(\"PeEnd:%X\\n\", PeEnd);\n    \/\/\u5224\u65adrva\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (rva < PeEnd) {\n        \/\/\u5982\u679crva\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56derva\u5373\u53ef\n        printf(\"foa:%X\\n\", rva);        \n        return rva;\n    }\n    else {\n        \/\/\u5982\u679crva\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adrva\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n            \/\/\u8ba1\u7b97\u5185\u5b58\u5bf9\u9f50\u540e\u8282\u7684\u5927\u5c0f\n            UINT SizeInMemory = ceil((double)max((UINT)sectionArr[i]->Misc.VirtualSize ,(UINT)sectionArr[i]->SizeOfRawData ) \/ (double)nt->OptionalHeader.SectionAlignment)* nt->OptionalHeader.SectionAlignment;\n\n            if (rva >= sectionArr[i]->VirtualAddress && rva < (sectionArr[i]->VirtualAddress + SizeInMemory)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282\n                \/\/\u8f93\u51fa\u5185\u5b58\u5bf9\u9f50\u540e\u7684\u8282\u7684\u5927\u5c0f\n                printf(\"SizeInMemory:%X\\n\", SizeInMemory);\n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= RVA - \u8282.VirtualAddress\n            UINT offset = rva - sectionArr[i]->VirtualAddress;\n            \/\/FOA = \u8282.PointerToRawData + \u5dee\u503c\n            UINT foa = sectionArr[i]->PointerToRawData + offset;\n            printf(\"foa:%X\\n\", foa);\n            return foa;\n        }\n\n    }\n\n}\n\n\/\/VA\u8f6cFOA 64\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT VaToFoa64(UINT va, _IMAGE_DOS_HEADER* dos, _IMAGE_NT_HEADERS64* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u5f97\u5230RVA\u7684\u503c\uff1aRVA = VA - ImageBase\n    UINT rva = va - nt->OptionalHeader.ImageBase;\n    \/\/\u8f93\u51farva\n    printf(\"rva:%X\\n\", rva);\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew + sizeof(_IMAGE_NT_HEADERS64);\n    \/\/\u8f93\u51faPeEnd\n    printf(\"PeEnd:%X\\n\", PeEnd);\n    \/\/\u5224\u65adrva\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (rva < PeEnd) {\n        \/\/\u5982\u679crva\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56derva\u5373\u53ef\n        printf(\"foa:%X\\n\", rva);\n        return rva;\n    }\n    else {\n        \/\/\u5982\u679crva\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adrva\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n            \/\/\u8ba1\u7b97\u5185\u5b58\u5bf9\u9f50\u540e\u8282\u7684\u5927\u5c0f\n            UINT SizeInMemory = ceil((double)max((UINT)sectionArr[i]->Misc.VirtualSize ,(UINT)sectionArr[i]->SizeOfRawData ) \/ (double)nt->OptionalHeader.SectionAlignment)* nt->OptionalHeader.SectionAlignment;           \n            if (rva >= sectionArr[i]->VirtualAddress && rva < (sectionArr[i]->VirtualAddress + SizeInMemory)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282\n                \/\/\u8f93\u51fa\u5185\u5b58\u5bf9\u9f50\u540e\u7684\u8282\u7684\u5927\u5c0f\n                printf(\"SizeInMemory:%X\\n\", SizeInMemory);\n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= RVA - \u8282.VirtualAddress\n            UINT offset = rva - sectionArr[i]->VirtualAddress;\n            \/\/FOA = \u8282.PointerToRawData + \u5dee\u503c\n            UINT foa = sectionArr[i]->PointerToRawData + offset;\n            printf(\"foa:%X\\n\", foa);\n            return foa;\n        }\n\n    }\n\n}\n\n\/\/FOA\u8f6cVA 32\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u6587\u4ef6\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT FoaToVa32(UINT foa, _IMAGE_DOS_HEADER* dos, _IMAGE_NT_HEADERS* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew + sizeof(_IMAGE_NT_HEADERS);\n    \/\/\u5224\u65adFOA\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (foa < PeEnd) {\n        \/\/\u5982\u679cfoa\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56defoa+ImageBase\u5373\u53ef\n        printf(\"va:%X\\n\", foa+nt->OptionalHeader.ImageBase);\n        return foa + nt->OptionalHeader.ImageBase;\n    }\n    else {\n        \/\/\u5982\u679cfoa\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adfoa\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n\n            if (foa >= sectionArr[i]->PointerToRawData && foa < (sectionArr[i]->PointerToRawData + sectionArr[i]->SizeOfRawData)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282                \n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= FOA - \u8282.PointerToRawData \n            UINT offset = foa - sectionArr[i]->PointerToRawData;\n            \/\/RVA = \u5dee\u503c + \u8282.VirtualAddress(RVA)\n            UINT rva =  offset+ sectionArr[i]->VirtualAddress;\n            printf(\"va:%X\\n\", rva + nt->OptionalHeader.ImageBase);\n            return rva + nt->OptionalHeader.ImageBase;\n        }\n    }\n    return 0;\n}\n\n\/\/FOA\u8f6cVA 64\u4f4d\n\/\/\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8981\u8f6c\u6362\u7684\u5728\u6587\u4ef6\u4e2d\u7684\u5730\u5740\uff1aVA\n\/\/\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u6307\u5411dos\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e3a\u6307\u5411nt\u5934\u7684\u6307\u9488\n\/\/\u7b2c\u56db\u4e2a\u53c2\u6570\u4e3a\u5b58\u50a8\u6307\u5411\u8282\u6307\u9488\u7684\u6570\u7ec4\nUINT FoaToVa64(UINT foa, _IMAGE_DOS_HEADER* dos, _IMAGE_NT_HEADERS64* nt, _IMAGE_SECTION_HEADER** sectionArr) {\n    \/\/\u627e\u5230PE\u6587\u4ef6\u5934\u540e\u7684\u5730\u5740 = PE\u6587\u4ef6\u5934\u9996\u5730\u5740+PE\u6587\u4ef6\u5934\u5927\u5c0f\n    UINT PeEnd = (UINT)dos->e_lfanew + sizeof(_IMAGE_NT_HEADERS64);\n    \/\/\u5224\u65adFOA\u662f\u5426\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\n    if (foa < PeEnd) {\n        \/\/\u5982\u679cfoa\u4f4d\u4e8ePE\u6587\u4ef6\u5934\u4e2d\uff0c\u5219foa==rva\uff0c\u76f4\u63a5\u8fd4\u56defoa+ImageBase\u5373\u53ef\n        printf(\"va:%X\\n\", foa + nt->OptionalHeader.ImageBase);\n        return foa + nt->OptionalHeader.ImageBase;\n    }\n    else {\n        \/\/\u5982\u679cfoa\u5728PE\u6587\u4ef6\u5934\u5916\n        \/\/\u5224\u65adfoa\u5c5e\u4e8e\u54ea\u4e2a\u8282\n        int i;\n        for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {\n\n            if (foa >= sectionArr[i]->PointerToRawData && foa < (sectionArr[i]->PointerToRawData + sectionArr[i]->SizeOfRawData)) {\n                \/\/\u627e\u5230\u6240\u5c5e\u7684\u8282                \n                break;\n            }\n        }\n        if (i >= nt->FileHeader.NumberOfSections) {\n            \/\/\u672a\u627e\u5230\n            printf(\"\u6ca1\u6709\u627e\u5230\u5339\u914d\u7684\u8282\\n\");\n            return -1;\n        }\n        else {\n            \/\/\u8ba1\u7b97\u5dee\u503c= FOA - \u8282.PointerToRawData \n            UINT offset = foa - sectionArr[i]->PointerToRawData;\n            \/\/RVA = \u5dee\u503c + \u8282.VirtualAddress(RVA)\n            UINT rva = offset + sectionArr[i]->VirtualAddress;\n            printf(\"va:%X\\n\", rva + nt->OptionalHeader.ImageBase);\n            return rva + nt->OptionalHeader.ImageBase;\n        }\n    }\n    return 0;\n}\n\nint main(int argc, char* argv[])\n{\n    \/\/\u521b\u5efaDOS\u5bf9\u5e94\u7684\u7ed3\u6784\u4f53\u6307\u9488\n    _IMAGE_DOS_HEADER* dos;\n    \/\/\u8bfb\u53d6\u6587\u4ef6\uff0c\u8fd4\u56de\u6587\u4ef6\u53e5\u67c4\n    HANDLE hFile = CreateFileA(\"C:\\\\Users\\\\sixonezero\\\\Desktop\\\\GlobalVariety.exe\", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);\n    \/\/\u6839\u636e\u6587\u4ef6\u53e5\u67c4\u521b\u5efa\u6620\u5c04\n    HANDLE hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, 0);\n    \/\/\u6620\u5c04\u5185\u5bb9\n    LPVOID pFile = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);\n    \/\/\u7c7b\u578b\u8f6c\u6362\uff0c\u7528\u7ed3\u6784\u4f53\u7684\u65b9\u5f0f\u6765\u8bfb\u53d6\n    dos = (_IMAGE_DOS_HEADER*)pFile;\n    \/\/\u8f93\u51fados->e_magic\uff0c\u4ee5\u5341\u516d\u8fdb\u5236\u8f93\u51fa\n    printf(\"dos->e_magic:%X\\n\", dos->e_magic);\n\n    \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u6807\u5fd7\u7684\u6307\u9488\n    DWORD* peId;\n    \/\/\u8ba9PE\u6587\u4ef6\u5934\u6807\u5fd7\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=DOS\u9996\u5730\u5740+\u504f\u79fb\n    peId = (DWORD*)((UINT)dos + dos->e_lfanew);\n    \/\/\u8f93\u51faPE\u6587\u4ef6\u5934\u6807\u5fd7\uff0c\u5176\u503c\u5e94\u4e3a4550\uff0c\u5426\u5219\u4e0d\u662fPE\u6587\u4ef6\n    printf(\"peId:%X\\n\", *peId);\n\n    \/\/\u521b\u5efa\u6307\u5411\u53ef\u9009PE\u5934\u7684\u7b2c\u4e00\u4e2a\u6210\u5458magic\u7684\u6307\u9488\n    WORD* magic;\n    \/\/\u8ba9magic\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=PE\u6587\u4ef6\u5934\u6807\u5fd7\u5730\u5740+PE\u6587\u4ef6\u5934\u6807\u5fd7\u5927\u5c0f+\u6807\u51c6PE\u5934\u5927\u5c0f\n    magic = (WORD*)((UINT)peId + sizeof(DWORD) + sizeof(_IMAGE_FILE_HEADER));\n    \/\/\u8f93\u51famagic\uff0c\u5176\u503c\u4e3a0x10b\u4ee3\u886832\u4f4d\u7a0b\u5e8f\uff0c\u5176\u503c\u4e3a0x20b\u4ee3\u886864\u4f4d\u7a0b\u5e8f\n    printf(\"magic:%X\\n\", *magic);\n    \/\/\u6839\u636emagic\u5224\u65ad\u4e3a32\u4f4d\u7a0b\u5e8f\u8fd8\u662f64\u4f4d\u7a0b\u5e8f\n    switch (*magic) {\n    case IMAGE_NT_OPTIONAL_HDR32_MAGIC:\n    {\n        printf(\"32\u4f4d\u7a0b\u5e8f\\n\");\n        \/\/\u786e\u5b9a\u4e3a32\u4f4d\u7a0b\u5e8f\u540e\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528_IMAGE_NT_HEADERS\u6765\u63a5\u6536\u6570\u636e\u4e86\n        \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u7684\u6307\u9488\n        _IMAGE_NT_HEADERS* nt;\n        \/\/\u8ba9PE\u6587\u4ef6\u5934\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\n        nt = (_IMAGE_NT_HEADERS*)peId;\n        printf(\"Machine:%X\\n\", nt->FileHeader.Machine);\n        printf(\"Magic:%X\\n\", nt->OptionalHeader.Magic);\n\n        \/\/\u521b\u5efa\u4e00\u4e2a\u6307\u9488\u6570\u7ec4\uff0c\u8be5\u6307\u9488\u6570\u7ec4\u7528\u6765\u5b58\u50a8\u6240\u6709\u7684\u8282\u8868\u6307\u9488\n        \/\/\u8fd9\u91cc\u76f8\u5f53\u4e8e_IMAGE_SECTION_HEADER* sectionArr[nt->FileHeader.NumberOfSections],\u58f0\u660e\u4e86\u4e00\u4e2a\u52a8\u6001\u6570\u7ec4\n        _IMAGE_SECTION_HEADER** sectionArr = (_IMAGE_SECTION_HEADER**) malloc(sizeof(_IMAGE_SECTION_HEADER*) * nt->FileHeader.NumberOfSections);\n\n        \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n        _IMAGE_SECTION_HEADER* sectionHeader;\n        \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\n        sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)nt + sizeof(_IMAGE_NT_HEADERS));\n        \/\/\u8ba1\u6570\uff0c\u7528\u6765\u8ba1\u7b97\u5757\u8868\u5730\u5740\n        int cnt = 0;\n        \/\/\u6bd4\u8f83 \u8ba1\u6570 \u548c \u5757\u8868\u7684\u4e2a\u6570\uff0c\u5373\u904d\u5386\u6240\u6709\u5757\u8868\n        while(cnt< nt->FileHeader.NumberOfSections){\n            \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n            _IMAGE_SECTION_HEADER* section;\n            \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=\u7b2c\u4e00\u4e2a\u5757\u8868\u5730\u5740+\u8ba1\u6570*\u5757\u8868\u7684\u5927\u5c0f\n            section = (_IMAGE_SECTION_HEADER*)((UINT)sectionHeader + sizeof(_IMAGE_SECTION_HEADER)*cnt);\n            \/\/\u5c06\u5f97\u5230\u7684\u5757\u8868\u6307\u9488\u5b58\u5165\u6570\u7ec4\n            sectionArr[cnt++] = section;\n            \/\/\u8f93\u51fa\u5757\u8868\u540d\u79f0\n            printf(\"%s\\n\", section->Name);\n        }\n\n        VaToFoa32(0x4198B0,dos, nt, sectionArr);\n        FoaToVa32(0x176B0, dos, nt, sectionArr);\n\n        break;\n    }\n\n    case IMAGE_NT_OPTIONAL_HDR64_MAGIC:\n    {\n        printf(\"64\u4f4d\u7a0b\u5e8f\\n\");\n        \/\/\u786e\u5b9a\u4e3a64\u4f4d\u7a0b\u5e8f\u540e\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528_IMAGE_NT_HEADERS64\u6765\u63a5\u6536\u6570\u636e\u4e86\n        \/\/\u521b\u5efa\u6307\u5411PE\u6587\u4ef6\u5934\u7684\u6307\u9488\n        _IMAGE_NT_HEADERS64* nt;\n        nt = (_IMAGE_NT_HEADERS64*)peId;\n        printf(\"Machine:%X\\n\", nt->FileHeader.Machine);\n        printf(\"Magic:%X\\n\", nt->OptionalHeader.Magic);\n\n        \/\/\u521b\u5efa\u4e00\u4e2a\u6307\u9488\u6570\u7ec4\uff0c\u8be5\u6307\u9488\u6570\u7ec4\u7528\u6765\u5b58\u50a8\u6240\u6709\u7684\u8282\u8868\u6307\u9488\n        \/\/\u8fd9\u91cc\u76f8\u5f53\u4e8e_IMAGE_SECTION_HEADER* sectionArr[nt->FileHeader.NumberOfSections],\u58f0\u660e\u4e86\u4e00\u4e2a\u52a8\u6001\u6570\u7ec4\n        _IMAGE_SECTION_HEADER** sectionArr = (_IMAGE_SECTION_HEADER**)malloc(sizeof(_IMAGE_SECTION_HEADER*) * nt->FileHeader.NumberOfSections);\n\n        \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n        _IMAGE_SECTION_HEADER* sectionHeader;\n        \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740\uff0c\u533a\u522b\u5728\u4e8e\u8fd9\u91cc\u52a0\u4e0a\u7684\u504f\u79fb\u4e3a_IMAGE_NT_HEADERS64\n        sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)nt + sizeof(_IMAGE_NT_HEADERS64));\n        \/\/\u8ba1\u6570\uff0c\u7528\u6765\u8ba1\u7b97\u5757\u8868\u5730\u5740\n        int cnt = 0;\n        \/\/\u6bd4\u8f83 \u8ba1\u6570 \u548c \u5757\u8868\u7684\u4e2a\u6570\uff0c\u5373\u904d\u5386\u6240\u6709\u5757\u8868\n        while (cnt < nt->FileHeader.NumberOfSections) {\n            \/\/\u521b\u5efa\u6307\u5411\u5757\u8868\u7684\u6307\u9488\n            _IMAGE_SECTION_HEADER* section;\n            \/\/\u8ba9\u5757\u8868\u7684\u6307\u9488\u6307\u5411\u5176\u5bf9\u5e94\u7684\u5730\u5740=\u7b2c\u4e00\u4e2a\u5757\u8868\u5730\u5740+\u8ba1\u6570*\u5757\u8868\u7684\u5927\u5c0f\n            section = (_IMAGE_SECTION_HEADER*)((UINT)sectionHeader + sizeof(_IMAGE_SECTION_HEADER) * cnt);\n            \/\/\u5c06\u5f97\u5230\u7684\u5757\u8868\u6307\u9488\u5b58\u5165\u6570\u7ec4\n            sectionArr[cnt++] = section;\n            \/\/\u8f93\u51fa\u5757\u8868\u540d\u79f0\n            printf(\"%s\\n\", section->Name);\n        }\n        VaToFoa32(0x4198B0,dos, nt, sectionArr);\n        FoaToVa32(0x176B0, dos, nt, sectionArr);\n        break;\n    }\n\n    default:\n    {\n        printf(\"error!\\n\");\n        break;\n    }\n\n    }\n    return 0;\n}<\/code><\/pre>\n\n\n\n
                                  RVA\u548cFOA\u4e4b\u95f4\u7684\u5dee\u5f02\u5f52\u6839\u7ed3\u5e95\u5c31\u662f\u5728\u4e8e\u6587\u4ef6\u5bf9\u9f50\u548c\u5185\u5b58\u5bf9\u9f50\u7684\u5dee\u5f02\u4e0a<\/p>\n\n\n\n
                                  \u524d\u9762\u8865\u5145<\/h2>\n\n\n\n
                                  \u5173\u4e8e\u6b63\u7740\u8bfb\u548c\u5012\u7740\u8bfb<\/h3>\n\n\n\n
                                  \u8ba1\u7b97\u673a\u4f7f\u7528\u5c0f\u7aef\u5e8f\u53ef\u4ee5\u52a0\u5feb\u8fd0\u884c\u901f\u5ea6\uff0c\u6240\u4ee5\u8ba1\u7b97\u673a\u7528\u4e8e\u8ba1\u7b97\uff0c\u5bfb\u5740\uff0c\u5224\u65ad\u5927\u5c0f\u7684\u6570\u636e\u90fd\u8981\u5012\u7740\u770b\uff0c\u5305\u62ec\u5730\u5740\u3001\u504f\u79fb\u91cf\u3001\u5927\u5c0f\u3001\u8ba1\u6570\u3001\u6807\u5fd7\u4f4d\u3001\u7279\u5f81\u503c\u3002\u4ece\u53f3\u5f80\u5de6\uff0c\u9ad8\u5730\u5740\u5f80\u4f4e\u5730\u5740
                                  \u672c\u8eab\u7684\u5b57\u8282\u6570\u7ec4\u5f62\u5f0f\u5b58\u5728\u7684\u6570\u636e\uff0c\u8bbe\u8ba1\u7ed9\u4eba\u770b\u7684\u540d\u5b57\uff08\u6bd4\u5982text\u90a3\u4e9b\uff09\uff0c\u8981\u6b63\u7740\u8bfb
                                  \u4f46\u662fmz\u548cpe\u7684\u6807\u5fd7\uff0c\u672c\u8d28\u662f\u6570\u636e\uff0c\u4f46\u88ab\u8bbe\u8ba1\u6210\u4e86\u5b57\u7b26\u4e32\u5f62\u5f0f
                                  \u5728hex\u7f16\u8f91\u5668\u91cc\u6b63\u7740\u663e\u793a\uff0c\u4ee3\u7801\u91cc\u548c\u5206\u6790\u6570\u636e\u65f6\u5f97\u5012\u7740\u5199<\/p>\n\n\n\n
                                  \u5173\u4e8e\u5bf9\u8c61\u548c\u6620\u50cf<\/h3>\n\n\n\n
                                  \u5bf9\u8c61\u6587\u4ef6\uff0c\u5e38\u89c1\u540e\u7f00obj\uff0c\u5c31\u662f\u7f16\u8bd1c\u6216\u8005cpp\u6587\u4ef6\u65f6\u751f\u6210\u7684o\uff0c\u4e0d\u9700\u8981\u88ab\u6267\u884c\uff0c\u53ea\u662f\u534a\u6210\u54c1\uff0c\u76f4\u63a5\u4ee5coff\u6587\u4ef6\u5934\u5f00\u59cb\uff0c\u6ca1\u6709ms dos\u5934
                                  \u6620\u50cf\u6587\u4ef6\uff0c\u5e38\u89c1\u540e\u7f00\uff0cexe\uff0cdll\uff0csys\uff0c\u94fe\u63a5\u5668linker\u4ea7\u7269\uff0c\u662f\u6210\u54c1\uff0c\u5c06\u591a\u4e2aobj\u6587\u4ef6\u548c\u5e93\u6587\u4ef6lib\u62fc\u88c5\u5728\u4e00\u8d77\u5f62\u6210\u6700\u7ec8\u6587\u4ef6\uff08\u6620\u50cf\u89e3\u91ca\uff0c\u7ed3\u6784\u88ab\u8bbe\u8ba1\u4e3a\u53ef\u4ee5\u76f4\u63a5\u6620\u5c04\u5230\u5185\u5b58\u4e0a\u8fd0\u884c\uff0c\u5728\u78c1\u76d8\u6837\u5b50\u548c\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u5f88\u60f3\uff0c\u4e3a\u4e86\u517c\u5bb9\uff0c\u5fc5\u987b\u4ee5msdos\u5934\u548c\u5b58\u6839\u5f00\u59cb\uff0c\u7136\u540e\u662fpe\u7b7e\u540d\uff0c\u7136\u540e\u662fcoff\u6587\u4ef6\u5934\uff09
                                  \u4e24\u8005\u5e03\u5c40\u533a\u522b
                                  \u5bf9\u8c61\u6587\u4ef6<\/p>\n\n\n\n
                                  [ COFF \u6587\u4ef6\u5934 ] <--- \u6587\u4ef6\u76f4\u63a5\u4ece\u8fd9\u91cc\u5f00\u59cb (\u504f\u79fb\u91cf 0)\n[ \u8282\u8868 ]\n[ \u539f\u59cb\u6570\u636e... ]<\/code><\/pre>\n\n\n\n
                                  \u6620\u50cf\u6587\u4ef6<\/p>\n\n\n\n
                                  [ MS-DOS \u5934 ]\n[ MS-DOS \u5b58\u6839 ]\n[ PE \u7b7e\u540d ]\n[ COFF \u6587\u4ef6\u5934 ] <--- \u8fd9\u91cc\u624d\u662f COFF \u5934\uff0c\u7ed3\u6784\u4e0e\u4e0a\u9762\u4e00\u6837\uff0c\u4f46\u4f4d\u7f6e\u9760\u540e\n[ \u53ef\u9009\u5934 (Optional Header) ] <--- \u6620\u50cf\u6587\u4ef6\u7279\u6709\n[ \u8282\u8868 ]\n[ \u539f\u59cb\u6570\u636e... ]<\/code><\/pre>\n\n\n\n
                                  \u5173\u4e8edos<\/h3>\n\n\n\n
                                  \u5934\u548c\u5b58\u6839\uff0c\u5934\u6307\u5143\u6570\u636e\uff0c\u63cf\u8ff0\u6587\u4ef6\u7684\u4f5c\u7528\uff0c\u7ed3\u6784\u5316\u6570\u636e\uff0c\u544a\u8bc9window\u7cfb\u7edf\uff08\u52a0\u8f7d\u5668\uff09\u5904\u7406\u6587\u4ef6\u7684\u65b9\u5f0f\uff0c\u63cf\u8ff0\u6587\u4ef6\u6570\u636e\u7ed3\u6784\uff0c\u5b58\u6839\uff08stub\uff09\u662f\u4e00\u6bb5\u53ef\u4ee5\u6267\u884c\u7684\u673a\u5668\u7801\uff0c\u517c\u5bb9\u6027\u5904\u7406\uff0cms ods stub\u662f\u4e00\u4e2a\u5b8c\u6574\u768416\u4f4ddos\u7a0b\u5e8f\uff0c\u5b58\u50a8\u5728pe\u6587\u4ef6\u7684\u5934\u90e8
                                  dos\uff0c\u78c1\u76d8\u64cd\u4f5c\u7cfb\u7edf
                                  stub\u4f5c\u7528\uff0c\u9632\u62a5\u9519\uff0c\u5c31\u662f\u6bd4\u598216\u4f4d\u7cfb\u7edf\u8bc6\u522b\u4e0d\u4e86\uff0c\u5c31\u76f4\u63a5\u901a\u8fc7stub\u7ec8\u6b62\u7a0b\u5e8f\uff0c\u4f46\u662fwindow\uff0cdos\u5934\u90a3\u91cc\u6709\u504f\u79fb\u91cf\uff0c\u5c31\u4f1a\u8df3\u8fc7\u8fd9\u4e2astub<\/p>\n\n\n\n
                                  \u4e00\u4e9b\u96f6\u788e\u6982\u5ff5<\/h3>\n\n\n\n
                                  \u540d\u79f0<\/th>\u63cf\u8ff0<\/th><\/tr><\/thead>
                                  \u5c5e\u6027\u8bc1\u4e66<\/strong><\/td>\u7528\u4e8e\u5c06\u53ef\u9a8c\u8bc1\u58f0\u660e\u4e0e\u6620\u50cf\u5173\u8054\u7684\u8bc1\u4e66\u3002\u8bb8\u591a\u4e0d\u540c\u7684\u53ef\u9a8c\u8bc1\u58f0\u660e\u53ef\u4ee5\u4e0e\u6587\u4ef6\u76f8\u5173\u8054\uff1b\u5176\u4e2d\u6700\u6709\u7528\u7684\u4e00\u4e2a\u58f0\u660e\u662f\u8f6f\u4ef6\u5236\u9020\u5546\u7684\u58f0\u660e\uff0c\u6b64\u58f0\u660e\u6307\u793a\u6620\u50cf\u7684\u6d88\u606f\u6458\u8981\u5e94\u8be5\u662f\u4ec0\u4e48\u3002\u6d88\u606f\u6458\u8981\u7c7b\u4f3c\u4e8e\u68c0\u9a8c\u548c\uff0c\u53ea\u662f\u5f88\u96be\u4f2a\u9020\u3002\u56e0\u6b64\uff0c\u5f88\u96be\u4fee\u6539\u6587\u4ef6\u4ee5\u4f7f\u5176\u5177\u6709\u4e0e\u539f\u59cb\u6587\u4ef6\u76f8\u540c\u7684\u6d88\u606f\u6458\u8981\u3002\u53ef\u4ee5\u4f7f\u7528\u516c\u94a5\u6216\u79c1\u94a5\u52a0\u5bc6\u65b9\u6848\u6765\u9a8c\u8bc1\u58f0\u660e\u662f\u5426\u662f\u7531\u5236\u9020\u5546\u53d1\u51fa\u7684\u3002\u672c\u6587\u6863\u63cf\u8ff0\u4e86\u6709\u5173\u5c5e\u6027\u8bc1\u4e66\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u4f46\u4e0d\u5141\u8bb8\u5c06\u5176\u63d2\u5165\u5230\u56fe\u50cf\u6587\u4ef6\u4e2d\u3002<\/td><\/tr>
                                  \u65e5\u671f\/\u65f6\u95f4\u6233<\/strong><\/td>\u5728 PE \u6216 COFF \u6587\u4ef6\u4e2d\u7684\u591a\u4e2a\u4f4d\u7f6e\u7528\u4e8e\u4e0d\u540c\u76ee\u7684\u7684\u6233\u8bb0\u3002\u5728\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c\u6bcf\u4e2a\u6233\u8bb0\u7684\u683c\u5f0f\u4e0e C \u8fd0\u884c\u65f6\u5e93\u4e2d\u7684\u65f6\u95f4\u51fd\u6570\u4f7f\u7528\u7684\u683c\u5f0f\u76f8\u540c\u3002\u6709\u5173\u5f02\u5e38\uff0c\u8bf7\u53c2\u89c1\u8c03\u8bd5\u7c7b\u578b\u4e2d IMAGE_DEBUG_TYPE_REPRO \u7684\u8bf4\u660e\u3002\u5982\u679c\u6233\u8bb0\u503c\u4e3a 0 \u6216 0xFFFFFFFF\uff0c\u5219\u5b83\u4e0d\u8868\u793a\u5b9e\u9645\u6216\u6709\u610f\u4e49\u7684\u65e5\u671f\/\u65f6\u95f4\u6233\u3002<\/td><\/tr>
                                  \u6587\u4ef6\u6307\u9488<\/strong><\/td>\u94fe\u63a5\u5668\uff08\u5bf9\u4e8e\u76ee\u6807\u6587\u4ef6\uff09\u6216\u52a0\u8f7d\u5668\uff08\u5bf9\u4e8e\u6620\u50cf\u6587\u4ef6\uff09\u5904\u7406\u4e4b\u524d\u6587\u4ef6\u672c\u8eab\u4e2d\u9879\u7684\u4f4d\u7f6e\u3002\u6362\u53e5\u8bdd\u8bf4\uff0c\u8fd9\u662f\u5b58\u50a8\u5728\u78c1\u76d8\u4e0a\u7684\u6587\u4ef6\u5185\u7684\u4f4d\u7f6e\u3002<\/td><\/tr>
                                  \u94fe\u63a5\u5668<\/strong><\/td>\u968f Microsoft Visual Studio \u4e00\u8d77\u63d0\u4f9b\u7684\u94fe\u63a5\u5668\u5f15\u7528\u3002<\/td><\/tr>
                                  \u5bf9\u8c61\u6587\u4ef6<\/strong><\/td>\u4f5c\u4e3a\u94fe\u63a5\u5668\u8f93\u5165\u63d0\u4f9b\u7684\u6587\u4ef6\u3002\u94fe\u63a5\u5668\u751f\u6210\u4e00\u4e2a\u6620\u50cf\u6587\u4ef6\uff0c\u800c\u6b64\u6620\u50cf\u6587\u4ef6\u53c8\u7528\u4f5c\u52a0\u8f7d\u5668\u7684\u8f93\u5165\u3002\u672f\u8bed\u201c\u76ee\u6807\u6587\u4ef6\u201d\u5e76\u4e0d\u4e00\u5b9a\u610f\u5473\u7740\u4e0e\u9762\u5411\u5bf9\u8c61\u7684\u7f16\u7a0b\u6709\u4efb\u4f55\u8054\u7cfb\u3002<\/td><\/tr>
                                  \u5df2\u4fdd\u7559\uff0c\u5fc5\u987b\u4e3a 0<\/strong><\/td>\u5b57\u6bb5\u7684\u63cf\u8ff0\uff0c\u6307\u793a\u8be5\u5b57\u6bb5\u7684\u503c\u5bf9\u4e8e\u751f\u6210\u5668\u6765\u8bf4\u5fc5\u987b\u4e3a\u96f6\uff0c\u800c\u4f7f\u7528\u8005\u5fc5\u987b\u5ffd\u7565\u8be5\u5b57\u6bb5\u3002<\/td><\/tr>
                                  \u76f8\u5bf9\u865a\u62df\u5730\u5740 (RVA)<\/strong><\/td>\u5728\u6620\u50cf\u6587\u4ef6\u4e2d\uff0c\u8fd9\u662f\u9879\u76ee\u52a0\u8f7d\u5230\u5185\u5b58\u5e76\u4ece\u4e2d\u51cf\u53bb\u6620\u50cf\u6587\u4ef6\u57fa\u5730\u5740\u540e\u7684\u5730\u5740\u3002\u9879\u76ee\u7684 RVA \u51e0\u4e4e\u603b\u662f\u4e0e\u5176\u5728\u78c1\u76d8\u4e0a\u6587\u4ef6\u4e2d\u7684\u4f4d\u7f6e\uff08\u6587\u4ef6\u6307\u9488\uff09\u4e0d\u540c\u3002
                                  \u5728\u76ee\u6807\u6587\u4ef6\u4e2d\uff0cRVA \u7684\u610f\u4e49\u4e0d\u5927\uff0c\u56e0\u4e3a\u672a\u5206\u914d\u5185\u5b58\u4f4d\u7f6e\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0cRVA \u5c06\u662f\u4e00\u4e2a\u6bb5\u5185\u7684\u5730\u5740\uff08\u6b64\u8868\u540e\u9762\u5c06\u8fdb\u884c\u63cf\u8ff0\uff09\uff0c\u7a0d\u540e\u5728\u94fe\u63a5\u671f\u95f4\u4f1a\u5bf9\u6b64\u5730\u5740\u5e94\u7528\u91cd\u5b9a\u4f4d\u3002\u4e3a\u7b80\u5355\u8d77\u89c1\uff0c\u7f16\u8bd1\u5668\u5e94\u53ea\u5c06\u6bcf\u4e2a\u90e8\u5206\u4e2d\u7684\u7b2c\u4e00\u4e2a RVA \u8bbe\u7f6e\u4e3a\u96f6\u3002<\/td><\/tr>
                                  \u90e8\u5206<\/strong><\/td>PE \u6216 COFF \u6587\u4ef6\u4e2d\u4ee3\u7801\u6216\u6570\u636e\u7684\u57fa\u672c\u5355\u4f4d\u3002\u4f8b\u5982\uff0c\u76ee\u6807\u6587\u4ef6\u4e2d\u7684\u6240\u6709\u4ee3\u7801\u90fd\u53ef\u4ee5\u7ec4\u5408\u5728\u5355\u4e2a\u90e8\u5206\u4e2d\uff0c\u6216\u8005\uff08\u53d6\u51b3\u4e8e\u7f16\u8bd1\u5668\u884c\u4e3a\uff09\u6bcf\u4e2a\u51fd\u6570\u90fd\u53ef\u4ee5\u5360\u7528\u81ea\u5df1\u7684\u90e8\u5206\u3002\u90e8\u5206\u8d8a\u591a\uff0c\u6587\u4ef6\u5f00\u9500\u5c31\u8d8a\u5927\uff0c\u4f46\u94fe\u63a5\u5668\u80fd\u591f\u66f4\u6709\u9009\u62e9\u6027\u5730\u94fe\u63a5\u4ee3\u7801\u3002\u4e00\u4e2a\u90e8\u5206\u7c7b\u4f3c\u4e8e Intel 8086 \u4f53\u7cfb\u7ed3\u6784\u4e2d\u7684\u6bb5\u3002\u4e00\u4e2a\u90e8\u5206\u4e2d\u7684\u6240\u6709\u539f\u59cb\u6570\u636e\u90fd\u5fc5\u987b\u8fde\u7eed\u52a0\u8f7d\u3002\u6b64\u5916\uff0c\u6620\u50cf\u6587\u4ef6\u53ef\u4ee5\u5305\u542b\u591a\u4e2a\u5177\u6709\u7279\u6b8a\u7528\u9014\u7684\u90e8\u5206\uff0c\u4f8b\u5982 .tls \u6216 .reloc \u3002<\/td><\/tr>
                                  \u865a\u62df\u5730\u5740 (VA)<\/strong><\/td>\u4e0e RVA \u76f8\u540c\uff0c\u53ea\u4e0d\u8fc7\u4e0d\u51cf\u53bb\u6620\u50cf\u6587\u4ef6\u7684\u57fa\u5740\u3002\u8be5\u5730\u5740\u79f0\u4e3a VA\uff0c\u56e0\u4e3a Windows \u4f1a\u4e3a\u6bcf\u4e2a\u8fdb\u7a0b\u521b\u5efa\u4e00\u4e2a\u72ec\u7acb\u4e8e\u7269\u7406\u5185\u5b58\u7684\u4e0d\u540c VA \u7a7a\u95f4\u3002\u5bf9\u4e8e\u51e0\u4e4e\u6240\u6709\u76ee\u7684\uff0cVA \u5e94\u53ea\u88ab\u89c6\u4e3a\u4e00\u4e2a\u5730\u5740\u3002VA \u4e0d\u5982 RVA \u90a3\u4e48\u53ef\u9884\u6d4b\uff0c\u56e0\u4e3a\u52a0\u8f7d\u5668\u53ef\u80fd\u4e0d\u4f1a\u5728\u5176\u9996\u9009\u4f4d\u7f6e\u52a0\u8f7d\u6620\u50cf\u3002<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                                  \u82f1\u6587\u672f\u8bed<\/th>\u4e2d\u6587\u672f\u8bed<\/th>\u63cf\u8ff0<\/th><\/tr><\/thead>
                                  Virtual Address (VA)<\/strong><\/td>\u865a\u62df\u5730\u5740<\/td>\u8fdb\u7a0b\u865a\u62df\u5185\u5b58\u7a7a\u95f4\u4e2d\u7684\u7edd\u5bf9\u5730\u5740\u3002<\/td><\/tr>
                                  Relative Virtual Address (RVA)<\/strong><\/td>\u76f8\u5bf9\u865a\u62df\u5730\u5740<\/td>\u5185\u5b58\u5730\u5740\u76f8\u5bf9\u4e8e\u6a21\u5757\u57fa\u5740\u7684\u504f\u79fb\u3002<\/td><\/tr>
                                  File Pointer<\/strong><\/td>\u6587\u4ef6\u6307\u9488<\/td>\u6587\u4ef6\u5728\u78c1\u76d8\u4e0a\u7684\u7269\u7406\u504f\u79fb\u4f4d\u7f6e\u3002<\/td><\/tr>
                                  Section<\/strong><\/td>\u8282 \/ \u6bb5<\/td>\u4ee3\u7801\u6216\u6570\u636e\u7684\u903b\u8f91\u5206\u7ec4\uff0c\u5177\u6709\u76f8\u540c\u7684\u5185\u5b58\u5c5e\u6027\uff08\u5982\u53ea\u8bfb\u3001\u53ef\u6267\u884c\uff09\u3002<\/td><\/tr>
                                  Data Directory<\/strong><\/td>\u6570\u636e\u76ee\u5f55<\/td>\u4f4d\u4e8e\u53ef\u9009\u5934\u672b\u5c3e\u7684\u6570\u7ec4\uff0c\u6307\u5411\u5404\u79cd\u8868\uff08\u5bfc\u5165\u3001\u5bfc\u51fa\u3001\u8d44\u6e90\u7b49\uff09\u3002<\/td><\/tr>
                                  Thunk<\/strong><\/td>\u8f6c\u6362\u5c42 \/ \u6869\u4ee3\u7801<\/td>\u8fd9\u91cc\u901a\u5e38\u6307\u5bfc\u5165\u5730\u5740\u8868 (IAT) \u4e2d\u7684\u9879\u3002<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                                  ELF<\/h1>\n\n\n\n
                                  \u6bd4\u8d77PE\uff0cELF\u5206\u4e86section\u7ed9\u7f16\u8bd1\u5668\u548csegment\u7ed9\u52a0\u8f7d\u5668\uff0c\u5904\u7406\u5916\u90e8\u51fd\u6570\u7684\u65f6\u5019\u8c03\u7528\u4e86GOT\/PLT\uff08\u5ef6\u8fdf\u7ed1\u5b9a\uff09\uff0cPE\u5219\u7528\u7684IAT
                                  elf\u683c\u5f0f\u7531system v\u6807\u51c6\u5b9a\u4e49\uff0c\u8bbe\u8ba1\u66f4\u7075\u6d3b\uff0c\u652f\u6301\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u5171\u4eab\u5e93\uff0c\u76ee\u6807\u6587\u4ef6\u7b49\u591a\u79cd\u7c7b\u578b
                                  \u5e38\u89c1\u540e\u7f00<\/p>\n\n\n\n
                                    \n
                                  1. \u65e0\u540e\u7f00\u6216.bin\uff0c\u53ef\u6267\u884c\u6587\u4ef6\u5982\/bin\/ls\u3001\/usr\/bin\/python3\uff0c\u901a\u5e38\u65e0\u540e\u7f00<\/li>\n\n\n\n
                                  2. .so\uff0c\u5171\u4eab\u5bf9\u8c61\uff0c\u7c7b\u4f3cwindows\u7684dll\uff0c\u63d0\u4f9b\u52a8\u6001\u94fe\u63a5\u529f\u80fd<\/li>\n\n\n\n
                                  3. .a,\u9759\u6001\u94fe\u63a5\u5e93\uff0c\u5305\u542b\u591a\u4e2a\u76ee\u6807\u6587\u4ef6\u5f52\u6863\uff0c\u7f16\u8bd1\u65f6\u4f1a\u88ab\u5b8c\u6574\u5d4c\u5165\u53ef\u6267\u884c\u6587\u4ef6<\/li>\n\n\n\n
                                  4. .o,\u76ee\u6807\u6587\u4ef6\uff0c\u7f16\u8bd1\u5668\u8f93\u51fa\u7684\u4e2d\u95f4\u6587\u4ef6\uff0c\u8981\u94fe\u63a5\u5668\u5904\u7406\u540e\u751f\u6210\u53ef\u6267\u884c\u6587\u4ef6<\/li>\n\n\n\n
                                  5. .ko\uff0c\u5185\u6838\u6a21\u5757\uff0clinux\u5185\u6838\u7684\u9a71\u52a8\u7a0b\u5e8f\uff0c\u8fd0\u884c\u4e8e\u5185\u6838\u7a7a\u95f4\uff0c\u76f8\u5f53\u4e8ewindow\u91cc\u9762\u7684.sys\uff08\u9a71\u52a8\u7a0b\u5e8f\uff09\uff0c\u8fd0\u884c\u5728ring 0(\u6700\u9ad8\u6743\u9650)\uff0c\u6bd4\u8d77\u666e\u901aelf\uff0cko\u9a71\u52a8\u6ca1\u6709main\uff0c\u53ea\u6709module_init()\uff08\u63d2\u5165\u6a21\u5757\u65f6\u6267\u884c\uff09\u548c\u5bf9\u5e94\u7684exit\uff0c\u4f1a\u770b\u5230\u5927\u91cf\u91cd\u5b9a\u4f4d\u8868\uff0c\u56e0\u4e3a\u8981\u88ab\u201c\u94fe\u63a5\u201d\u8fdb\u5185\u6838<\/li>\n\n\n\n
                                  6. .mod\uff0c\u90e8\u5206\u7cfb\u7edf\u7684\u6a21\u5757\u6587\u4ef6\uff0c\u5982\u65e9\u671funix\u529f\u80fd\u7c7b\u4f3cko\uff0c\u5305\u542b\u4e86\u6a21\u5757\u7684\u7248\u672c\u4fe1\u606f\uff08Version Magic\uff09\u548c\u7b26\u53f7\u4f9d\u8d56\u5173\u7cfb\u3002<\/li>\n<\/ol>\n\n\n\n
                                    \u7ed3\u6784<\/h2>\n\n\n\n
                                    \u533a\u57df\u4f4d\u7f6e<\/th>\u7ec4\u4ef6\u540d\u79f0 (\u4e2d\u6587)<\/th>\u82f1\u6587\u5bf9\u5e94<\/th>\u8bf4\u660e<\/th><\/tr><\/thead>
                                    \u9876\u90e8<\/strong><\/td>ELF \u6587\u4ef6\u5934<\/strong><\/td>ELF Header<\/td>\u6587\u4ef6\u7684\u603b\u7d22\u5f15\uff0c\u5305\u542b\u9b54\u6570\u3001\u7248\u672c\u7b49\u3002<\/td><\/tr>
                                    \u4e0a\u90e8<\/strong><\/td>\u7a0b\u5e8f\u5934\u90e8\u8868<\/strong><\/td>Program Header Table<\/td>\u63cf\u8ff0\u6bb5\uff08Segment\uff09\u4fe1\u606f\uff0c\u7528\u4e8e\u6267\u884c\u89c6\u56fe\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.text<\/strong><\/td>Code Section<\/td>\u4ee3\u7801\u8282\uff08\u6307\u4ee4\uff09\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.data<\/strong><\/td>Data Section<\/td>\u6570\u636e\u8282\uff08\u5df2\u521d\u59cb\u5316\u5168\u5c40\u53d8\u91cf\uff09\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.bss<\/strong><\/td>BSS Section<\/td>\u672a\u521d\u59cb\u5316\u6570\u636e\u8282\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.symtab<\/strong><\/td>Symbol Table<\/td>\u7b26\u53f7\u8868\uff08\u51fd\u6570\u540d\u3001\u53d8\u91cf\u540d\uff09\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.debug<\/strong><\/td>Debug Info<\/td>\u8c03\u8bd5\u4fe1\u606f\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>.line<\/strong><\/td>Line Number Table<\/td>\u884c\u53f7\u8868\uff08\u6e90\u7801\u884c\u53f7\u5bf9\u5e94\uff09\u3002<\/td><\/tr>
                                    \u4e2d\u90e8<\/strong><\/td>\u2026<\/strong><\/td>Others<\/td>\u5176\u4ed6\u5404\u7c7b\u8282\u3002<\/td><\/tr>
                                    \u5e95\u90e8<\/strong><\/td>\u8282\u533a\u5934\u90e8\u8868<\/strong><\/td>Section Header Table<\/td>\u63cf\u8ff0\u8282\uff08Section\uff09\u4fe1\u606f\uff0c\u94fe\u63a5\u89c6\u56fe\u7684\u6838\u5fc3\uff0c\u8bb0\u5f55\u4e86\u4e0a\u9762\u6240\u6709\u8282\u7684\u4f4d\u7f6e\u3002<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                                    ELF\u5934\u90e8<\/h3>\n\n\n\n
                                    \u6587\u4ef6\u8d77\u59cb\u4f4d\u7f6e\uff0c\u56fa\u5b9a\u5927\u5c0f\uff0832\u4f4d\u4e3a52\u5b57\u8282\uff0c64\u4f4d\u4f4d64\u5b57\u8282\uff09
                                    \u7ed3\u6784\u4f53<\/p>\n\n\n\n
                                    #define EI_NIDENT 16\ntypedef struct {\n    unsigned char e_ident[EI_NIDENT];  \/\/ ELF\u6807\u8bc6\u7b26\n    Elf32_Half    e_type;             \/\/ \u6587\u4ef6\u7c7b\u578b\n    Elf32_Half    e_machine;          \/\/ \u76ee\u6807\u67b6\u6784\n    Elf32_Word    e_version;          \/\/ ELF\u7248\u672c\n    Elf32_Addr    e_entry;            \/\/ \u7a0b\u5e8f\u5165\u53e3\u70b9\n    Elf32_Off     e_phoff;            \/\/ \u7a0b\u5e8f\u5934\u8868\u504f\u79fb\n    Elf32_Off     e_shoff;            \/\/ \u8282\u5934\u8868\u504f\u79fb\n    Elf32_Word    e_flags;            \/\/ \u5904\u7406\u5668\u7279\u5b9a\u6807\u5fd7\n    Elf32_Half    e_ehsize;           \/\/ ELF\u5934\u90e8\u5927\u5c0f\n    Elf32_Half    e_phentsize;        \/\/ \u7a0b\u5e8f\u5934\u8868\u9879\u5927\u5c0f\n    Elf32_Half    e_phnum;            \/\/ \u7a0b\u5e8f\u5934\u8868\u9879\u6570\u91cf\n    Elf32_Half    e_shentsize;        \/\/ \u8282\u5934\u8868\u9879\u5927\u5c0f\n    Elf32_Half    e_shnum;            \/\/ \u8282\u5934\u8868\u9879\u6570\u91cf\n    Elf32_Half    e_shstrndx;         \/\/ \u8282\u540d\u79f0\u5b57\u7b26\u4e32\u8868\u7d22\u5f15\n} Elf32_Ehdr;<\/code><\/pre>\n\n\n\n
                                    \u5176\u4e2d\uff0ce_ident\u5b57\u6bb5\u7684\u524d4\u4e2a\u5b57\u8282\u56fa\u5b9a\u4e3a0x7f\u3001’E’\u3001’L’\u3001’F’\uff0c\u8fd9\u662fELF\u6587\u4ef6\u7684\u9b54\u6570\u6807\u8bc6\u3002<\/p>\n\n\n\n
                                    \u7a0b\u5e8f\u5934\u8868\uff08Program Header Table\uff09<\/h3>\n\n\n\n
                                    \u63cf\u8ff0\u6bb5\uff08segment\uff09\u4fe1\u606f\uff0c\u7528\u4e8e\u7a0b\u5e8f\u52a0\u8f7d\u548c\u6267\u884c
                                    \u7ed3\u6784\u4f53<\/p>\n\n\n\n
                                    typedef struct {\n    Elf32_Word p_type;    \/\/ \u6bb5\u7c7b\u578b\n    Elf32_Off  p_offset;  \/\/ \u6bb5\u5728\u6587\u4ef6\u4e2d\u7684\u504f\u79fb\n    Elf32_Addr p_vaddr;   \/\/ \u6bb5\u5728\u5185\u5b58\u4e2d\u7684\u865a\u62df\u5730\u5740\n    Elf32_Addr p_paddr;   \/\/ \u7269\u7406\u5730\u5740(\u901a\u5e38\u4e0e\u865a\u62df\u5730\u5740\u76f8\u540c)\n    Elf32_Word p_filesz;  \/\/ \u6bb5\u5728\u6587\u4ef6\u4e2d\u7684\u5927\u5c0f\n    Elf32_Word p_memsz;   \/\/ \u6bb5\u5728\u5185\u5b58\u4e2d\u7684\u5927\u5c0f\n    Elf32_Word p_flags;   \/\/ \u6bb5\u6807\u5fd7(\u8bfb\/\u5199\/\u6267\u884c)\n    Elf32_Word p_align;   \/\/ \u6bb5\u5bf9\u9f50\u65b9\u5f0f\n} Elf32_Phdr;<\/code><\/pre>\n\n\n\n
                                    \u8282\u5934\u8868\uff08Section Header Table\uff09<\/h3>\n\n\n\n
                                    \u63cf\u8ff0\u8282\u7684\u4fe1\u606f\uff08section\uff09\uff0c\u4e3b\u8981\u7528\u4e8e\u94fe\u63a5\u548c\u8c03\u8bd5<\/p>\n\n\n\n
                                    typedef struct {\n    Elf32_Word sh_name;      \/\/ \u8282\u540d\u79f0(\u5b57\u7b26\u4e32\u8868\u7d22\u5f15)\n    Elf32_Word sh_type;      \/\/ \u8282\u7c7b\u578b\n    Elf32_Word sh_flags;     \/\/ \u8282\u6807\u5fd7\n    Elf32_Addr sh_addr;      \/\/ \u8282\u5728\u5185\u5b58\u4e2d\u7684\u5730\u5740\n    Elf32_Off  sh_offset;    \/\/ \u8282\u5728\u6587\u4ef6\u4e2d\u7684\u504f\u79fb\n    Elf32_Word sh_size;      \/\/ \u8282\u5927\u5c0f\n    Elf32_Word sh_link;      \/\/ \u94fe\u63a5\u5230\u5176\u4ed6\u8282\u7684\u7d22\u5f15\n    Elf32_Word sh_info;      \/\/ \u9644\u52a0\u4fe1\u606f\n    Elf32_Word sh_addralign; \/\/ \u8282\u5bf9\u9f50\u65b9\u5f0f\n    Elf32_Word sh_entsize;   \/\/ \u6761\u76ee\u5927\u5c0f(\u5982\u679c\u6709)\n} Elf32_Shdr;<\/code><\/pre>\n\n\n\n
                                    \u8282<\/h3>\n\n\n\n
                                    \u8282\u5b58\u50a8\u5b9e\u9645\u5185\u5bb9\uff0c\u5e38\u89c1\u8282\u6709\uff1a<\/p>\n\n\n\n