lib文件研究(一)
本帖最后由 元始天尊 于 2015-3-21 15:16 编辑
现在有2个构想:
1.支持所有pe格式字节码转换为静态lib格式,以实现无dll运行,反逆向,反调试
2.在1的基础上实现lib字节码优化,链接时优化
今天研究了下lib文件格式,已经有初步成果,大家来看看吧:
手动构造obj文件格式代码(mfc+stl):
// Size of every hand-built .text section in bytes; it is also the section
// alignment advertised through IMAGE_SCN_ALIGN_16BYTES, so the two must agree.
#define CODEALIGN 16
// COFF symbol Type with the derived-type nibble set to "function"
// (IMAGE_SYM_DTYPE_FUNCTION << N_BTSHFT); dumpbin prints it as "()".
#define TYPE_FUNCTION 0x20
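// Builds an in-memory i386 COFF object holding `secnum` .text sections, one
// function each. Section i contains `mov eax, i ; ret`, nop-padded to
// CODEALIGN bytes, exported as the external symbol ?func<i>@@YAHN@Z (the MSVC
// decorated name of `int __cdecl func<i>(double)`, as dumpbin decodes it).
// Resulting file layout:
//   IMAGE_FILE_HEADER | secnum * IMAGE_SECTION_HEADER | raw code |
//   secnum * IMAGE_SYMBOL | DWORD string-table size | NUL-terminated names
// No relocation or line-number tables are written, so each section must be
// self-contained machine code: the linker copies these bytes as-is and does
// not validate them, which is why the result is checked with dumpbin.
static std::vector<BYTE> BuildCoffObject(int secnum)
{
    std::vector<BYTE> filedata;   // the whole object, assembled front to back
    std::vector<BYTE> rawdata;    // section contents, in section order
    std::vector<BYTE> symbolinfo; // COFF symbol table records
    std::vector<BYTE> functors;   // string-table body (names only, no size prefix)

    // Reserve the file header; its fields are patched once the layout is known.
    IMAGE_FILE_HEADER objheader;
    memset(&objheader, 0, sizeof(objheader));
    filedata.insert(filedata.end(), (BYTE*)&objheader, (BYTE*)(&objheader + 1));

    // Raw data begins right after the file header and all section headers.
    const DWORD rawbase = (DWORD)(sizeof(IMAGE_FILE_HEADER) + secnum * sizeof(IMAGE_SECTION_HEADER));
    DWORD offsetraw = 0;                // next free offset inside rawdata
    DWORD offsetsymbol = sizeof(DWORD); // string-table offsets start after the size DWORD
    for (int i = 0; i < secnum; i++)
    {
        // mov eax, imm32 ; ret ; nop padding  ==  "return i;"
        BYTE code[CODEALIGN] = { 0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3 };
        memset(code + 6, 0x90, sizeof(code) - 6);
        memcpy(code + 1, &i, sizeof(i)); // patch the imm32 operand; x86 is little-endian
        rawdata.insert(rawdata.end(), code, code + sizeof(code));

        IMAGE_SECTION_HEADER textsec;
        memset(&textsec, 0, sizeof(textsec));
        memcpy(textsec.Name, ".text", sizeof(".text")); // 6 bytes incl. NUL, fits the 8-byte Name field
        textsec.SizeOfRawData = sizeof(code);            // already a multiple of CODEALIGN
        textsec.PointerToRawData = rawbase + offsetraw;
        textsec.Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_ALIGN_16BYTES | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
        filedata.insert(filedata.end(), (BYTE*)&textsec, (BYTE*)(&textsec + 1));
        offsetraw += sizeof(code);

        // One external function symbol at offset 0 of section i+1 (COFF section numbers are 1-based).
        std::ostringstream os;
        os << "?func" << i << "@@YAHN@Z";
        const std::string name = os.str();
        functors.insert(functors.end(), name.c_str(), name.c_str() + name.size() + 1); // keep the NUL

        IMAGE_SYMBOL symbol;
        memset(&symbol, 0, sizeof(symbol));
        symbol.N.Name.Short = 0;           // zero here means Name.Long is an offset into the string table
        symbol.N.Name.Long = offsetsymbol;
        symbol.Value = 0;                  // offset of the function inside its section
        symbol.SectionNumber = (SHORT)(i + 1);
        symbol.Type = TYPE_FUNCTION;
        symbol.StorageClass = IMAGE_SYM_CLASS_EXTERNAL;
        symbolinfo.insert(symbolinfo.end(), (BYTE*)&symbol, (BYTE*)(&symbol + 1));
        offsetsymbol += (DWORD)(name.size() + 1);
    }

    filedata.insert(filedata.end(), rawdata.begin(), rawdata.end());

    // Patch the header now that the symbol-table offset is known.
    IMAGE_FILE_HEADER* pobjheader = (IMAGE_FILE_HEADER*)filedata.data();
    pobjheader->Machine = IMAGE_FILE_MACHINE_I386;
    pobjheader->NumberOfSections = (WORD)secnum;
    pobjheader->PointerToSymbolTable = (DWORD)filedata.size();
    pobjheader->NumberOfSymbols = (DWORD)secnum; // one symbol per section

    filedata.insert(filedata.end(), symbolinfo.begin(), symbolinfo.end());

    // String table: a self-inclusive size DWORD followed by the names.
    const DWORD strsize = (DWORD)(functors.size() + sizeof(DWORD));
    filedata.insert(filedata.end(), (BYTE*)&strsize, (BYTE*)(&strsize + 1));
    filedata.insert(filedata.end(), functors.begin(), functors.end());
    return filedata;
}

// Writes a ten-function test object to test.obj in the working directory.
// Returns true only if the file was created and every byte was written;
// on false, GetLastError() holds the reason.
// Afterwards: `lib test.obj /out:test.lib` produces the archive, and
// `#pragma comment(lib,"test.lib")` links it into a consumer.
bool MakeObj()
{
    const std::vector<BYTE> filedata = BuildCoffObject(10);
    HANDLE rawhandle = CreateFile("test.obj", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (rawhandle == INVALID_HANDLE_VALUE)
        return false; // previously ignored: a failed open silently produced no object
    auto_handle<HANDLE> handle(rawhandle); // closes the handle on every exit path
    DWORD writenum = 0;
    const BOOL ok = WriteFile(handle, filedata.data(), (DWORD)filedata.size(), &writenum, NULL);
    return ok && writenum == filedata.size();
}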
该段代码是我根据coff规范研究得到,构造了10个int func?(double)放在obj中
得到obj以后,用lib test.obj /out:test.lib 得到lib
将该lib用于要链接的工程里,如下:
// Link against the hand-built archive; the linker resolves funcN to the
// ?funcN@@YAHN@Z symbols MakeObj wrote into its symbol table.
#pragma comment(lib,"test.lib")
// Declaration whose MSVC decorated name is ?func<i>@@YAHN@Z; the signature
// must match the decorated name in test.lib exactly, or the link fails.
#define DEF(i) int __cdecl func##i(double)
DEF(0);
DEF(1);
DEF(2);
DEF(3);
DEF(4);
DEF(5);
DEF(6);
DEF(7);
DEF(8);
DEF(9);
// Pointer type matching the declarations above.
typedef int(__cdecl* FUNCARRAY)(double);
// The ten linked-in stubs, in index order; stub i returns i.
FUNCARRAY fa[] = { func0, func1, func2, func3, func4, func5, func6, func7, func8, func9 };
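// Calls every linked-in stub once and prints its return value; the expected
// output is 0 through 9, one per line. The argument is ignored by the stubs.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    const int count = (int)(sizeof(fa) / sizeof(fa[0])); // track the table, not a literal 10
    for (int i = 0; i < count; i++)
        std::cout << fa[i](0.0) << std::endl; // fa[i], not fa(...): an array is not callable
    return 0;
}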
winhex obj结构:
Offset 01234567 89ABCDEF
00000000 4C 01 0A 00 00 00 00 0044 02 00 00 0A 00 00 00 L D
00000010 00 00 00 00 2E 74 65 7874 00 00 00 00 00 00 00 .text
00000020 00 00 00 00 10 00 00 00A4 01 00 00 00 00 00 00 ?
00000030 00 00 00 00 00 00 00 0020 00 50 60 2E 74 65 78 P`.tex
00000040 74 00 00 00 00 00 00 0000 00 00 00 10 00 00 00 t
00000050 B4 01 00 00 00 00 00 0000 00 00 00 00 00 00 00 ?
00000060 20 00 50 60 2E 74 65 7874 00 00 00 00 00 00 00 P`.text
00000070 00 00 00 00 10 00 00 00C4 01 00 00 00 00 00 00 ?
00000080 00 00 00 00 00 00 00 0020 00 50 60 2E 74 65 78 P`.tex
00000090 74 00 00 00 00 00 00 0000 00 00 00 10 00 00 00 t
000000A0 D4 01 00 00 00 00 00 0000 00 00 00 00 00 00 00 ?
000000B0 20 00 50 60 2E 74 65 7874 00 00 00 00 00 00 00 P`.text
000000C0 00 00 00 00 10 00 00 00E4 01 00 00 00 00 00 00 ?
000000D0 00 00 00 00 00 00 00 0020 00 50 60 2E 74 65 78 P`.tex
000000E0 74 00 00 00 00 00 00 0000 00 00 00 10 00 00 00 t
000000F0 F4 01 00 00 00 00 00 0000 00 00 00 00 00 00 00 ?
00000100 20 00 50 60 2E 74 65 7874 00 00 00 00 00 00 00 P`.text
00000110 00 00 00 00 10 00 00 0004 02 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 0020 00 50 60 2E 74 65 78 P`.tex
00000130 74 00 00 00 00 00 00 0000 00 00 00 10 00 00 00 t
00000140 14 02 00 00 00 00 00 0000 00 00 00 00 00 00 00
00000150 20 00 50 60 2E 74 65 7874 00 00 00 00 00 00 00 P`.text
00000160 00 00 00 00 10 00 00 0024 02 00 00 00 00 00 00 $
00000170 00 00 00 00 00 00 00 0020 00 50 60 2E 74 65 78 P`.tex
00000180 74 00 00 00 00 00 00 0000 00 00 00 10 00 00 00 t
00000190 34 02 00 00 00 00 00 0000 00 00 00 00 00 00 00 4
000001A0 20 00 50 60 B8 00 00 0000 C3 90 90 90 90 90 90 P`? ?
000001B0 90 90 90 90 B8 01 00 0000 C3 90 90 90 90 90 90 ? ?
000001C0 90 90 90 90 B8 02 00 0000 C3 90 90 90 90 90 90 ? ?
000001D0 90 90 90 90 B8 03 00 0000 C3 90 90 90 90 90 90 ? ?
000001E0 90 90 90 90 B8 04 00 0000 C3 90 90 90 90 90 90 ? ?
000001F0 90 90 90 90 B8 05 00 0000 C3 90 90 90 90 90 90 ? ?
00000200 90 90 90 90 B8 06 00 0000 C3 90 90 90 90 90 90 ? ?
00000210 90 90 90 90 B8 07 00 0000 C3 90 90 90 90 90 90 ? ?
00000220 90 90 90 90 B8 08 00 0000 C3 90 90 90 90 90 90 ? ?
00000230 90 90 90 90 B8 09 00 0000 C3 90 90 90 90 90 90 ? ?
00000240 90 90 90 90 00 00 00 0004 00 00 00 00 00 00 00
00000250 01 00 20 00 02 00 00 0000 00 13 00 00 00 00 00
00000260 00 00 02 00 20 00 02 0000 00 00 00 22 00 00 00 "
00000270 00 00 00 00 03 00 20 0002 00 00 00 00 00 31 00 1
00000280 00 00 00 00 00 00 04 0020 00 02 00 00 00 00 00
00000290 40 00 00 00 00 00 00 0005 00 20 00 02 00 00 00 @
000002A0 00 00 4F 00 00 00 00 0000 00 06 00 20 00 02 00 O
000002B0 00 00 00 00 5E 00 00 0000 00 00 00 07 00 20 00 ^
000002C0 02 00 00 00 00 00 6D 0000 00 00 00 00 00 08 00 m
000002D0 20 00 02 00 00 00 00 007C 00 00 00 00 00 00 00 |
000002E0 09 00 20 00 02 00 00 0000 00 8B 00 00 00 00 00 ?
000002F0 00 00 0A 00 20 00 02 009A 00 00 00 3F 66 75 6E ??fun
00000300 63 30 40 40 59 41 48 4E40 5A 00 3F 66 75 6E 63 c0@@YAHN@Z ?func
00000310 31 40 40 59 41 48 4E 405A 00 3F 66 75 6E 63 32 1@@YAHN@Z ?func2
00000320 40 40 59 41 48 4E 40 5A00 3F 66 75 6E 63 33 40 @@YAHN@Z ?func3@
00000330 40 59 41 48 4E 40 5A 003F 66 75 6E 63 34 40 40 @YAHN@Z ?func4@@
00000340 59 41 48 4E 40 5A 00 3F66 75 6E 63 35 40 40 59 YAHN@Z ?func5@@Y
00000350 41 48 4E 40 5A 00 3F 6675 6E 63 36 40 40 59 41 AHN@Z ?func6@@YA
00000360 48 4E 40 5A 00 3F 66 756E 63 37 40 40 59 41 48 HN@Z ?func7@@YAH
00000370 4E 40 5A 00 3F 66 75 6E63 38 40 40 59 41 48 4E N@Z ?func8@@YAHN
00000380 40 5A 00 3F 66 75 6E 6339 40 40 59 41 48 4E 40 @Z ?func9@@YAHN@
00000390 5A 00 Z
dumpbin /all结果:
Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation.All rights reserved.
Dump of file D:\Projects\peExtractor\peExtractor\test.obj
File Type: COFF OBJECT
FILE HEADER VALUES
14C machine (x86)
A number of sections
0 time date stamp Thu Jan 01 08:00:00 1970
244 file pointer to symbol table
A number of symbols
0 size of optional header
0 characteristics
SECTION HEADER #1
.text name
0 physical address
0 virtual address
10 size of raw data
1A4 file pointer to raw data (000001A4 to 000001B3)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #1
00000000: B8 00 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #2
.text name
0 physical address
0 virtual address
10 size of raw data
1B4 file pointer to raw data (000001B4 to 000001C3)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #2
00000000: B8 01 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #3
.text name
0 physical address
0 virtual address
10 size of raw data
1C4 file pointer to raw data (000001C4 to 000001D3)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #3
00000000: B8 02 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #4
.text name
0 physical address
0 virtual address
10 size of raw data
1D4 file pointer to raw data (000001D4 to 000001E3)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #4
00000000: B8 03 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #5
.text name
0 physical address
0 virtual address
10 size of raw data
1E4 file pointer to raw data (000001E4 to 000001F3)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #5
00000000: B8 04 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #6
.text name
0 physical address
0 virtual address
10 size of raw data
1F4 file pointer to raw data (000001F4 to 00000203)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #6
00000000: B8 05 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #7
.text name
0 physical address
0 virtual address
10 size of raw data
204 file pointer to raw data (00000204 to 00000213)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #7
00000000: B8 06 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #8
.text name
0 physical address
0 virtual address
10 size of raw data
214 file pointer to raw data (00000214 to 00000223)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #8
00000000: B8 07 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #9
.text name
0 physical address
0 virtual address
10 size of raw data
224 file pointer to raw data (00000224 to 00000233)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #9
00000000: B8 08 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
SECTION HEADER #A
.text name
0 physical address
0 virtual address
10 size of raw data
234 file pointer to raw data (00000234 to 00000243)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60500020 flags
Code
16 byte align
Execute Read
RAW DATA #A
00000000: B8 09 00 00 00 C3 90 90 90 90 90 90 90 90 90 90?....?..........
COFF SYMBOL TABLE
000 00000000 SECT1notype () External | ?func0@@YAHN@Z (int __cdecl func0(double))
001 00000000 SECT2notype () External | ?func1@@YAHN@Z (int __cdecl func1(double))
002 00000000 SECT3notype () External | ?func2@@YAHN@Z (int __cdecl func2(double))
003 00000000 SECT4notype () External | ?func3@@YAHN@Z (int __cdecl func3(double))
004 00000000 SECT5notype () External | ?func4@@YAHN@Z (int __cdecl func4(double))
005 00000000 SECT6notype () External | ?func5@@YAHN@Z (int __cdecl func5(double))
006 00000000 SECT7notype () External | ?func6@@YAHN@Z (int __cdecl func6(double))
007 00000000 SECT8notype () External | ?func7@@YAHN@Z (int __cdecl func7(double))
008 00000000 SECT9notype () External | ?func8@@YAHN@Z (int __cdecl func8(double))
009 00000000 SECTAnotype () External | ?func9@@YAHN@Z (int __cdecl func9(double))
String Table Size = 0x9A bytes
Summary
A0 .text
结果:
0
1
2
3
4
5
6
7
8
9
符合预期。。。
lib也能这样搞??