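In the section table of the PE file format, the IMAGE_SECTION_HEADER structure has a Characteristics field that defines the attributes of a section. The following flags can be set in it: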
| Flag | Value | Meaning |
| --- | --- | --- |
| | 0x00000000 | Reserved. |
| | 0x00000001 | Reserved. |
| | 0x00000002 | Reserved. |
| | 0x00000004 | Reserved. |
| IMAGE_SCN_TYPE_NO_PAD | 0x00000008 | The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. |
| | 0x00000010 | Reserved. |
| IMAGE_SCN_CNT_CODE | 0x00000020 | The section contains executable code. |
| IMAGE_SCN_CNT_INITIALIZED_DATA | 0x00000040 | The section contains initialized data. |
| IMAGE_SCN_CNT_UNINITIALIZED_DATA | 0x00000080 | The section contains uninitialized data. |
| IMAGE_SCN_LNK_OTHER | 0x00000100 | Reserved. |
| IMAGE_SCN_LNK_INFO | 0x00000200 | The section contains comments or other information. This is valid only for object files. |
| | 0x00000400 | Reserved. |
| IMAGE_SCN_LNK_REMOVE | 0x00000800 | The section will not become part of the image. This is valid only for object files. |
| IMAGE_SCN_LNK_COMDAT | 0x00001000 | The section contains COMDAT data. This is valid only for object files. |
| | 0x00002000 | Reserved. |
| IMAGE_SCN_NO_DEFER_SPEC_EXC | 0x00004000 | Reset speculative exceptions handling bits in the TLB entries for this section. |
| IMAGE_SCN_GPREL | 0x00008000 | The section contains data referenced through the global pointer. |
| | 0x00010000 | Reserved. |
| IMAGE_SCN_MEM_PURGEABLE | 0x00020000 | Reserved. |
| IMAGE_SCN_MEM_LOCKED | 0x00040000 | Reserved. |
| IMAGE_SCN_MEM_PRELOAD | 0x00080000 | Reserved. |
| IMAGE_SCN_ALIGN_1BYTES | 0x00100000 | Align data on a 1-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_2BYTES | 0x00200000 | Align data on a 2-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_4BYTES | 0x00300000 | Align data on a 4-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_8BYTES | 0x00400000 | Align data on an 8-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_16BYTES | 0x00500000 | Align data on a 16-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_32BYTES | 0x00600000 | Align data on a 32-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_64BYTES | 0x00700000 | Align data on a 64-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_128BYTES | 0x00800000 | Align data on a 128-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_256BYTES | 0x00900000 | Align data on a 256-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_512BYTES | 0x00A00000 | Align data on a 512-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_1024BYTES | 0x00B00000 | Align data on a 1024-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_2048BYTES | 0x00C00000 | Align data on a 2048-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_4096BYTES | 0x00D00000 | Align data on a 4096-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_8192BYTES | 0x00E00000 | Align data on an 8192-byte boundary. This is valid only for object files. |
| IMAGE_SCN_LNK_NRELOC_OVFL | 0x01000000 | The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section. |
| IMAGE_SCN_MEM_DISCARDABLE | 0x02000000 | The section can be discarded as needed. |
| IMAGE_SCN_MEM_NOT_CACHED | 0x04000000 | The section cannot be cached. |
| IMAGE_SCN_MEM_NOT_PAGED | 0x08000000 | The section cannot be paged. |
| IMAGE_SCN_MEM_SHARED | 0x10000000 | The section can be shared in memory. |
| IMAGE_SCN_MEM_EXECUTE | 0x20000000 | The section can be executed as code. |
| IMAGE_SCN_MEM_READ | 0x40000000 | The section can be read. |
| IMAGE_SCN_MEM_WRITE | 0x80000000 | The section can be written to. |
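These flags can be combined with a bitwise OR.
For example:
IMAGE_SCN_MEM_READ grants read permission
IMAGE_SCN_MEM_WRITE grants write permission
Then, when opening the PE file, I used the CreateFile function, which is declared as follows: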
HANDLE CreateFile(
    LPCTSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile);
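As a beginner, I just could not figure this question out. Later I asked a senior classmate, who finally cleared up my confusion:
First, the section permissions specified in the Characteristics field apply after the PE file on disk has been mapped into memory. When a PE section in memory is to be read, written, or otherwise operated on, that is when the Characteristics field comes into play.
A PE file on disk, by contrast, is really nothing more than a pile of binary data. As everyone knows, in Linux everything is a file. Extending that idea, a PE file on disk is not fundamentally different from a Notepad .txt file, because what is stored on the hard disk is just binary 0s and 1s. So when we call CreateFile, we first specify the read/write access for the file in the parameters, and can then perform the corresponding operations on it.
Once you think it through, this question is actually very simple. -_-||| In short, the Characteristics field specifies the read/write permissions in memory, while the dwDesiredAccess parameter of CreateFile specifies the read/write access to the file on disk after it is opened.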
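An added example, not part of the original post: portable C that treats a section header as the plain bytes it is on disk, pulls out Characteristics, and decodes the permissions the section will have once it is mapped. The sample header bytes and the function names are assumptions made for illustration; IMAGE_SCN_ALIGN_MASK is the winnt.h mask, and the alignment values form one 4-bit field rather than independent bits.

```c
#include <stdint.h>
#include <stdio.h>
/* Flag values from the table above; IMAGE_SCN_ALIGN_MASK is the winnt.h mask. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define IMAGE_SCN_ALIGN_MASK  0x00F00000u /* one 4-bit value, not separate bits */

/* Constructed sample: a 40-byte IMAGE_SECTION_HEADER as stored in the file. */
static const uint8_t sample_text_hdr[40] = {
    '.','t','e','x','t',0,0,0,       /* Name */
    0x00,0x10,0,0, 0x00,0x10,0,0,    /* VirtualSize, VirtualAddress */
    0x00,0x02,0,0, 0x00,0x04,0,0,    /* SizeOfRawData, PointerToRawData */
    0,0,0,0, 0,0,0,0, 0,0, 0,0,      /* relocation and line-number fields */
    0x20,0x00,0x00,0x60              /* Characteristics = 0x60000020 */
};

/* Characteristics is the little-endian DWORD at offset 36 of the header. */
uint32_t section_characteristics(const uint8_t hdr[40]) {
    return (uint32_t)hdr[36] | (uint32_t)hdr[37] << 8 |
           (uint32_t)hdr[38] << 16 | (uint32_t)hdr[39] << 24;
}

/* Permissions the section gets once mapped, as "RWX"-style text (out: 4 bytes). */
const char *mem_perms(uint32_t ch, char out[4]) {
    out[0] = (ch & IMAGE_SCN_MEM_READ)    ? 'R' : '-';
    out[1] = (ch & IMAGE_SCN_MEM_WRITE)   ? 'W' : '-';
    out[2] = (ch & IMAGE_SCN_MEM_EXECUTE) ? 'X' : '-';
    out[3] = '\0';
    return out;
}

/* Object-file alignment in bytes: field value n (1..14) means 2^(n-1); 0 if unset. */
unsigned section_alignment(uint32_t ch) {
    unsigned n = (ch & IMAGE_SCN_ALIGN_MASK) >> 20;
    return (n >= 1 && n <= 14) ? 1u << (n - 1) : 0u;
}

/* A section that is both writable and executable in memory deserves a second look. */
int is_write_exec(uint32_t ch) {
    return (ch & IMAGE_SCN_MEM_WRITE) && (ch & IMAGE_SCN_MEM_EXECUTE);
}

int main(void) {
    char p[4];
    uint32_t ch = section_characteristics(sample_text_hdr);
    printf("%.8s 0x%08X %s\n", (const char *)sample_text_hdr, (unsigned)ch, mem_perms(ch, p));
    return 0;
}
```

Reading these bytes needs only read access to the file; nothing in Characteristics restricts what can be done with the file on disk.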