打造最小的PE文件
(bkbll#cnhonker.net 2005-9-18 9:01)
一. 前言.
最近在鼓捣windows下PE文件格式, 在达到既定目标后, 对生成最小PE文件产生了兴趣, 恰好
看到 watercloud(watercloud_at_xfocus.org)在近2年前写过一篇文章<<手工打造微型Win32
可执行文件>>(
http://www.xfocus.net/articles/200302/482.html), 我也依葫芦画瓢,打造
一下我认为最小的PE文件,由于是初次接触PE格式,如有差错,敬请斧正.
本文所有程序均在win2k sp4 cn和windows xp sp1 cn上测试通过.
二. PE文件格式,结构
在winnt.h中,有PE各种结构的定义,这里就不一一列举, 仅将相关结构名列举如下:
IMAGE_DOS_HEADER,IMAGE_NT_HEADERS,IMAGE_FILE_HEADER,IMAGE_OPTIONAL_HEADER,
IMAGE_DATA_DIRECTORY,IMAGE_SECTION_HEADER,IMAGE_IMPORT_DESCRIPTOR
因为目标是打造最小的PE文件,所以仅用到一个IMPORT表.
PE整个文件框架大致如下:
| IMAGE_DOS_HEADER |
| Signature |
| IMAGE_NT_HEADER | -> | IMAGE_FILE_HEADER |
| IMAGE_OPTIONAL_HEADER | ->
| IMAGE_DATA_DIRECTORY |
......
| IMAGE_SECTION_HEADER |
........
| 代码段 |
三. 不一样的地方
watercloud 的PE已经比较小了,但还有几个地方我处理的不大一样:
1. WindowsXP 可以允许PE section为1个. 试验系统是xp sp1 cn
2. 文件对齐 windows是规定是2的幂, 当然可以比0x200小.
当然,除了上面2点以外,我还有用到一种比较巧妙的技巧.
运行PE文件,会在屏幕上打印Hello,world信息.
四. 打造过程.
1. 过程一:
最开始我们按照PE结构和顺序一步步填充结构,看能有多大:
我们先选取对齐值为0x20.
这里我们选MAGE_OPTIONAL_HEADER.DataDirectory个数为16个(所有都用上),但
只用到IMPORT table.
这个过程没有什么技巧,因为只用到一个section,文件对齐又小了很多,最终大小为
496字节, 其中我们的汇编代码占了47字节.
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 ; MZ?........??..
00000010h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; ?......@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ; ............@...
00000040h: 50 45 00 00 4C 01 01 00 00 00 00 00 00 00 00 00 ; PE..L...........
00000050h: 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 00 00 00 ; ....?..........
00000060h: 00 00 00 00 00 00 00 00 B4 01 00 00 00 00 00 00 ; ........?......
00000070h: 00 00 00 00 00 00 40 00 10 00 00 00 10 00 00 00 ; ......@.........
00000080h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ; ................
00000090h: 00 10 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ; ................
000000a0h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ; ................
000000b0h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 60 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 ; `...(...........
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ; .........text...
00000140h: 00 08 00 00 60 01 00 00 00 08 00 00 60 01 00 00 ; ....`.......`...
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 ; ............ ..?
00000160h: 88 01 00 00 00 00 00 00 00 00 00 00 98 01 00 00 ; ?..........?..
00000170h: 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
00000180h: 00 00 00 00 00 00 00 00 A8 01 00 00 00 00 00 00 ; ........?......
00000190h: A8 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ?......kernel32
000001a0h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
000001b0h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
000001c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
000001d0h: 6A 0C 51 50 68 90 01 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
000001e0h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
2. 过程二:
压缩一下 IMAGE_OPTIONAL_HEADER 的DataDirectory,因为只用到import表,所以
IMAGE_OPTIONAL_HEADER 的 NumberOfRvaAndSizes 可以为 2 , 这样就减少了0x70字节,
最终大小为384字节, 47字节为我们的汇编代码,因为这个没什么技巧,和前面差不多,所
以不贴出文件内容了.
3. 过程三:
对比一下,我们发现 IMAGE_DOS_HEADER 的0x40大小结构,除了 e_magic 和 e_lfanew
两个结构外,其他对我们的mini-pe 似乎没什么影响,那么这个结构没用的部分可不可以
利用起来呢? 答案是肯定的, 我决定将 IMAGE_NT_HEADERS 和 IMAGE_DOS_HEADER 重叠
起来, 但是因为 e_lfanew 是标记IMAGE_NT_HEADERS 偏移的唯一值, 所以这个值不能被
覆盖, 同时因为两个头部重叠了,所以 e_lfanew 所在的文件偏移位置在 IMAGE_NT_HEADERS
结构中应该是个可以被忽略的结构.
我们来分析一下 IMAGE_NT_HEADERS 的头0x40大小的结构:
typedef struct _IMAGE_NT_HEADERS
{
DWORD Signature; //+0
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine; //+4
WORD NumberOfSections; //+6
DWORD TimeDateStamp; //+8
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
WORD SizeOfOptionalHeader; //+20
WORD Characteristics; //+22
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic; //+24
BYTE MajorLinkerVersion; //+26
BYTE MinorLinkerVersion; //+27
DWORD SizeOfCode; //+28
DWORD SizeOfInitializedData; //+32
DWORD SizeOfUninitializedData; //+36
DWORD AddressOfEntryPoint; //+40
DWORD BaseOfCode; //+44
DWORD BaseOfData; //+48
DWORD ImageBase; //+52
DWORD SectionAlignment; //+56
DWORD FileAlignment; //+60
WORD MajorOperatingSystemVersion; //+64
..........
}
e_lfanew 是在 IMAGE_DOS_HEADER 的0x3c = 60 处, 我们从56除往回找可以被覆盖
又没什么用处的结构, 好像最近一个就只有 BaseOfData 了. 也就是说 e_lfanew =
60 - 48 = 12 = 0xc.
重叠后的 IMAGE_DOS_HEADER 和 IMAGE_FILE_HEADER 结构图如下:
WORD e_magic; //+0
WORD e_cblp; //+2
WORD e_cp; //+4
WORD e_crlc; //+6
WORD e_cparhdr; //+8
WORD e_minalloc; //+10
WORD e_maxalloc; WORD e_ss; //+12 IMAGE_NT_HEADERS.Signature //+0
WORD e_sp; //+16 IMAGE_FILE_HEADER.Machine //+4
WORD e_csum; //+18 IMAGE_FILE_HEADER.NumberOfSections//+6
WORD e_ip; WORD e_cs; //+20 IMAGE_FILE_HEADER.TimeDateStamp //+8
WORD e_lfarlc; WORD e_ovno; //+24 IMAGE_FILE_HEADER.PointerToSymbolTable
WORD e_res[4]; //+28 IMAGE_FILE_HEADER. NumberOfSymbols
//+32 IMAGE_FILE_HEADER.SizeOfOptionalHeader
//+34 IMAGE_FILE_HEADER.Characteristics
WORD e_oemid; //+36 IMAGE_OPTIONAL_HEADER.Magic
WORD e_oeminfo; //+38 IMAGE_OPTIONAL_HEADER.MajorLinkerVersion
//+39 IMAGE_OPTIONAL_HEADER.MinorLinkerVersion
WORD e_res2[10]; //+40 IMAGE_OPTIONAL_HEADER.SizeOfCode
//+44 IMAGE_OPTIONAL_HEADER.SizeOfInitializedData
//+48 IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData
//+52 IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
//+56 IMAGE_OPTIONAL_HEADER.BaseOfCode;
LONG e_lfanew; //+60 IMAGE_OPTIONAL_HEADER.BaseOfData;//+48
//+64 IMAGE_OPTIONAL_HEADER.ImageBase
这样光重叠这部分就可以省下一点空间,最终大小为336字节,其中47字节为我们的汇编代码.
文件内容:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ; L...............
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 14 01 00 00 00 00 00 00 0C 00 00 00 ; ................
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 00 00 00 00 10 00 ; ................
00000070h: 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 ; ................
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 C0 00 00 00 ; ............?..
00000090h: 28 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; (....text.......
000000a0h: C0 00 00 00 00 08 00 00 C0 00 00 00 00 00 00 00 ; ?......?......
000000b0h: 00 00 00 00 00 00 00 00 20 00 00 E0 00 00 00 00 ; ........ ..?...
000000c0h: E8 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ; ?..........?..
000000d0h: F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
000000e0h: 00 00 00 00 00 00 00 00 08 01 00 00 00 00 00 00 ; ................
000000f0h: 08 01 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 ; ........kernel32
00000100h: 2E 64 6C 6C 00 00 00 00 00 00 57 72 69 74 65 46 ; .dll......WriteF
00000110h: 69 6C 65 00 8B 43 10 8B 40 1C 33 D2 52 68 72 6C ; ile.婥.婡.3襌hrl
00000120h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 8B CC 52 54 ; d.ho,wohhell嬏RT
00000130h: 6A 0C 51 50 68 F0 00 00 00 58 03 43 08 FF 10 83 ; j.QPh?..X.C.?.?
00000140h: C4 10 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ??............
4. 过程四.
现在已经小很多了,我们在前这几个结构 IMAGE_DOS_HEADER,IMAGE_NT_HEADERS
和IMAGE_SECTION_HEADER 上,可以重叠的不多了, 那么剩下就只有IMPORT表的描述了.
在前面我们用的import表的描述是这样的结构:
import descriptor(PEDataDir->Size) bytes
OriginalFirstThunk + 0x0000 //8 bytes
FirstThunk(IAT) + 0x0000 //8 bytes
"kernel32.dll"+0x0 //12+4 = 16 bytes
0x00 +iatfunction1("WriteFile")// 2 + 10 = 12 bytes
这样就占了 PEDataDir->Size + 8 + 8 + 16 + 12字节,好像比较大哦,那我们就对它动手吧.
我们看看能不能把它整合到已有的结构里面去.
先调整唯一的section的内容:
IMAGE_SECTION_HEADER.VirtualAddress = 0x00;
IMAGE_SECTION_HEADER.PointerToRawData = 0x00;
这样,整个文件结构以及偏移地址就都可以使用了.
import descriptor 所需要的最小大小是 sizeof(IMAGE_IMPORT_DESCRIPTOR) *2,
其中要求最后4字节内容为0
我们对比搜寻结构,发现 IMAGE_OPTIONAL_HEADER 结构从DllCharacteristics开始满足我们的要求,
import descriptor 指向这里:
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[0];
因为刚好第一个DataDirectory内容都是0,满足我们的要求.
剩下的就需要找一个8字节大小的空间,要求第一个4字节改变不会影响程序运行(这里用来保存第
一个IAT的地址),第二个4字节内容为0. 这里用来存放 IMAGE_IMPORT_DESCRIPTOR 的 OriginalFirstThunk
和 FirstThunk ,根据需求来看,这两个地址显然可以相等.
很幸运的是 IMAGE_IMPORT_DESCRIPTOR 自己的结构就满足这样的要求:
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
union
{
DWORD Characteristics;
DWORD OriginalFirstThunk;
};
DWORD TimeDateStamp;
DWORD ForwarderChain;
DWORD Name;
DWORD FirstThunk;
} IMAGE_IMPORT_DESCRIPTOR;
当ForwarderChain为0的时候,TimeDateStamp偏移就可以用来存放我们需要的IAT地址.
OK,现在还剩下两个地方没有解决:dll名字以及导入函数的名字.
和上面一样,我们还是到已有的结构里面去找可以填充的空间:
Dll名字存放要求很简单,后面有一个'\0'结尾,然后填充内容不影响程序运行.
IMAGE_SECTION_HEADER好像可以满足我们的要求:
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
一共有12字节存放我们的dll名字,同时Characteristics还有后1为可以供存放,所以一
共有13字节,保存"Kernel32.dll"刚刚好.
IMAGE_FILE_HEADER 结构也有12字节空间:
DWORD TimeDateStamp; //+8 可以随便填
DWORD PointerToSymbolTable; //+12
DWORD NumberOfSymbols; //+16
我们就在这里容纳我们的函数名就可以了.
这样整个 IMAGE_IMPORT_DESCRIPTOR 结构和import表其他内容就被我们拆散整合到
已有的结构里面去了.
接着我们再优化一下shellcode, 使用msvcrt.dll的printf来输出信息.
这样,经过精心裁减后,整个PE文件大小为224字节,其中汇编代码占了28字节.
最终结果:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 C0 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 10 00 00 00 10 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 00 00 00 00 ; rt.dll.. ..?...
000000c0h: 50 68 72 6C 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C ; Phrld.ho,wohhell
000000d0h: 54 B0 6E 03 43 08 FF 10 83 C4 14 C3 00 00 00 00 ; T皀.C.?.兡.?...
注意,这个PE文件是不能直接被windbg(6.3.0017.0)调试器直接启动的,要想调试
代码可以在汇编代码前加上int 3(0xcc)来调试.
5.过程五:
最后,来考虑一下我们文件的对齐IMAGE_OPTIONAL_HEADER.SectionAlignment和
IMAGE_OPTIONAL_HEADER.FileAlignment, 既然要求是2的幂,那么我们完全可以
用2的0次方即1来做我们的alignment.
最终生成的EXE又瘦身了,大小仅为216字节,其中包括28字节的汇编代码
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000h: 4D 5A 90 00 03 00 00 00 04 00 00 00 50 45 00 00 ; MZ?........PE..
00000010h: 4C 01 01 00 00 00 70 72 69 6E 74 66 00 00 00 00 ; L.....printf....
00000020h: 70 00 0F 01 0B 01 06 00 00 00 00 00 00 00 00 00 ; p...............
00000030h: 00 00 00 00 BC 00 00 00 00 00 00 00 0C 00 00 00 ; ....?..........
00000040h: 00 00 40 00 01 00 00 00 01 00 00 00 04 00 00 00 ; ..@.............
00000050h: 00 00 00 00 04 00 00 00 00 00 00 00 00 10 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 03 00 6E 00 00 00 14 00 ; ..........n.....
00000070h: 00 00 00 00 00 00 AC 00 00 00 6E 00 00 00 00 00 ; ......?..n.....
00000080h: 02 00 00 00 00 00 00 00 00 00 00 00 6A 00 00 00 ; ............j...
00000090h: 14 00 00 00 2E 74 65 78 74 00 00 00 00 08 00 00 ; .....text.......
000000a0h: 00 00 00 00 00 08 00 00 00 00 00 00 6D 73 76 63 ; ............msvc
000000b0h: 72 74 2E 64 6C 6C 00 00 20 00 10 E0 50 68 72 6C ; rt.dll.. ..郟hrl
000000c0h: 64 0A 68 6F 2C 77 6F 68 68 65 6C 6C 54 B0 6E 03 ; d.ho,wohhellT皀.
000000d0h: 43 08 FF 10 83 C4 14 C3 ; C.?.兡.?
五. 后记.
理论上来说,后面的汇编代码部分可以用任意自己的代码来填充,只要获得了kernel32.dll
的GetProcAddress函数的地址,那书写自己控制的代码并不是问题,而代码长度部分可以由
IMAGE_SECTION_HEADER的SizeOfRawData来控制. 我没有试过,不过相信用188字节的PE头结构
写出的PE文件一定很cool. PE头还可以减小吗?你想,你能.
最后祝大家中秋快乐!
六.参考.
1.MSDN.
2.winnt.h
3.watercloud<<手工打造微型Win32可执行文件>>
http://www.xfocus.net/articles/200302/482.html