Search - pe dll
Description: Analyzes PE executable files and shows the DLL files used by any EXE file, along with the names or ordinal numbers of the functions they contain. Beginners can use it to check which DLL files are needed when packaging a program.
Platform: |
Size: 36250 |
Author: wkoji |
Hits:
Description: VC code for viewing DLL files
Platform: |
Size: 71243 |
Author: 请不要用公用帐号上载 |
Hits:
Description: bundle pe exe and dll with source
Platform: |
Size: 111613 |
Author: 小明 |
Hits:
Description: PE is the executable file format currently used by Windows (95/98/NT). The widespread CIH virus works by changing the contents of a PE file while keeping the file size unchanged. This program analyzes the PE file format, redirects the executable's file location table to point to a user-written DLL, and then returns the instruction pointer to the normal call location. Inside the DLL, system hooks are used to intercept passwords of various levels in the background.
Platform: |
Size: 112507 |
Author: 万惠华 |
Hits:
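Description: Inside Encryption and Decryption Technology (加密解密技术内幕)
Chapter 1: In-Depth Study of the PE File Format
1.1 Overview of the PE File Format
1.1.1 Sections
1.1.2 Relative Virtual Addresses
1.1.3 Data Directory
1.1.4 Importing Functions
1.2 PE File Structure
1.2.1 The MS-DOS Header
1.2.2 The IMAGE_NT_HEADERS Header
1.2.3 The Section Table
1.2.4 Descriptions of the Various Sections
1.2.5 Export Table
1.2.6 Export Forwarding
1.2.7 Import Table
1.2.8 Bound Import
1.2.9 Delayload Data
1.2.10 Resources
1.2.11 Base Relocations
1.2.12 Debug Directory
1.2.13 The .NET Header
1.2.14 TLS Initialization
1.2.15 Program Exception Data
Chapter 2: Writing a PE Analysis Tool
2.1 File Format Check
2.2 Reading the FileHeader and OptionalHeader Contents
2.3 Obtaining Data Directory Information
2.4 Obtaining Section Table Information
2.5 Obtaining Export Table Information
2.6 Obtaining Import Table Information
Chapter 3: The Win32 Debug API
3.1 How the Win32 Debug API Works
3.1.1 Brief Description of the Debugging Functions
3.1.2 Debug Events
3.1.3 How to Create and Trace a Process While Debugging
3.1.4 The Main Loop
3.1.5 How to Handle Debug Events
3.1.6 Thread Context in Detail
3.1.7 How to Inject Code into Another Process
3.2 Writing an Unpacker with the Debug API
3.2.1 Introduction to Unpacking tElock 0.98
3.2.2 Writing the Unpacker
3.3 Creating Memory Patches with the Debug API
3.3.1 Cross-Process Memory Access Mechanism
3.3.2 The Debug API Mechanism
Chapter 4: Exception Handling under Windows
4.1 Basic Concepts
4.1.1 Software Exceptions under Windows
4.1.2 Is the Undocumented Reliable?
4.2 Structured Exception Handling (SEH)
4.2.1 The Basic Exception Handling Process
4.2.2 Types of SEH
4.2.3 Related APIs
4.2.4 SEH-Related Data Structures
4.3 Designing Exception Handlers
4.3.1 Top-Level Exception Handling
4.3.2 Thread Exception Handling
4.3.3 Stack Unwinding in Exception Handling
4.3.4 Points to Note When Designing Exception Handlers
4.4 Simple Applications of SEH
4.4.1 Entering ring0 via SEH under Win9x
4.4.2 Single-Step Self-Tracing with SEH
4.4.3 Other Applications
4.5 The Secrets Behind the System
4.6 How VC Wraps the System-Provided SEH Mechanism
4.6.1 The Extended EXCEPTION_REGISTRATION and Related Structures
4.6.2 Data Structure Organization
4.7 Vectored Exception Handling (VEH) under Windows XP
Chapter 5: Software Encryption Techniques
5.1 Anti-Debug Techniques
5.1.1 Handle Detection
5.1.2 SoftICE Backdoor Instructions
5.1.3 The int68 Subtype
5.1.4 The ICECream Subtype
5.1.5 Checking Whether the NTICE Service Is Running
5.1.6 INT 1 Detection
5.1.7 Detection via UnhandledExceptionFilter
5.1.8 The INT 41 Subtype
5.2 Anti-Trace Techniques
5.2.1 Breakpoint Detection
5.2.2 Anti-Tracing with SEH
5.2.3 Implementing SMC
5.3 Anti-Loader Techniques
5.3.1 Detection via the TEB
5.3.2 Detection via the IsDebuggerPresent Function
5.3.3 Checking the Parent Process
5.4 Anti-Dump Techniques
5.5 File Integrity Checking
5.5.1 Implementing a CRC Check
5.5.2 Checksum
5.5.3 Memory Image Verification
5.6 Anti-Monitor Techniques
5.6.1 Window-Based Detection
5.6.2 Handle Detection
5.7 Anti-Static-Analysis Techniques
5.7.1 Scrambling Assembly Code
5.7.2 Junk Instructions
5.7.3 Information Hiding
5.8 Techniques for Combining Code and Data
5.9 Some Advice on Software Protection
Chapter 6: Writing a Packer
6.1 Fundamentals of Writing a Shell
6.1.1 Determining Whether a File Is a PE-Format EXE File
6.1.2 Reading the File's Basic Data
6.1.3 Preserving Extra Data
6.1.4 Removing Relocation Data
6.1.5 Compressing the File
6.1.6 Handling the Resource Section
6.1.7 Merging Sections
6.1.8 Handling the Import Table
6.1.9 Writing the Shell Portion
6.1.10 Adding the Shell Portion to the Original Program
6.1.10 Summary
6.2 A Comprehensive Packer Example
6.2.1 Program Overview
6.2.2 The Packing Subroutine (WJQ_ShellBegin())
6.2.3 The PE Shell Program
6.2.4 Adding Anti Techniques
6.2.5 Modifying the Packed PE via the Shell
6.2.6 Calling Assembly Subroutines from VC++
Chapter 7: How to Merge the Shell and the Program into One
7.1 Preface
7.1.1 Why the Shell and the Program Need to Be Integrated
7.1.2 Knowledge Required to Read This Chapter
7.1.3 Notes on the Example Programs Used in This Chapter
7.2 Fooling Shell-Detection Tools
7.2.1 How fi Detects Shells
7.2.2 Fooling fi
7.3 Determining Whether You Have Been Unpacked
7.3.1 Checking the File Size
7.3.2 Checking Markers
7.3.3 External Detection (Using a dll)
7.3.4 Hooking Related APIs (Guarding Against Loaders and Debug APIs)
7.4 Using an sdk to Merge the Program and the Shell
7.4.1 The Purpose of an sdk
7.4.2 Building a Shell with an sdk
7.5 Afterword: Thoughts on Shells and Programs
Chapter 8: Reverse Engineering Visual Basic 6
8.1 Introduction
8.2 The P-code Legend
8.3 The Secrets of VB Compilation
8.4 VB and COM
8.5 A Study of VB Executable Structure
8.6 Interpreting VB Program Events
8.7 Interpreting the VB Program Graphical Interface (GUI)
8.8 A Study of VB Program Execution Code
8.9 Our Tools
8.10 Protecting VB Programs
Appendix A: Using Inline Assembly in Visual C++
Appendix B: Using Assembly in Visual Basic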
Platform: |
Size: 1389111 |
Author: vachel |
Hits:
Description: PE is the executable file format currently used by Windows (95/98/NT). The widespread CIH virus works by changing the contents of a PE file while keeping the file size unchanged. This program analyzes the PE file format, redirects the executable's file location table to point to a user-written DLL, and then returns the instruction pointer to the normal call location. Inside the DLL, system hooks are used to intercept passwords of various levels in the background.
Platform: |
Size: 112640 |
Author: 王峰 |
Hits:
Description: PE is the executable file format currently used by Windows (95/98/NT). The widespread CIH virus works by changing the contents of a PE file while keeping the file size unchanged. This program analyzes the PE file format, redirects the executable's file location table to point to a user-written DLL, and then returns the instruction pointer to the normal call location. Inside the DLL, system hooks are used to intercept passwords of various levels in the background.
Platform: |
Size: 112640 |
Author: |
Hits:
Description: Analyzes PE executable files and shows the DLL files used by any EXE file, along with the names or ordinal numbers of the functions they contain. Beginners can use it to check which DLL files are needed when packaging a program.
Platform: |
Size: 35840 |
Author: |
Hits:
Description: Hooks a custom dll file into an exe file's import table; can be used for exe encryption, building plug-ins, and so on. The result of the author's study of the pe file format, absolutely original!
Platform: |
Size: 2048 |
Author: 倪玉龙 |
Hits:
Description: Reads, writes and analyzes pe files, and outputs the parameters of EXE and DLL files, such as the entry point.
Platform: |
Size: 51200 |
Author: 王海 |
Hits:
Description: Study of the PE file format
With the arrival of Win32, Microsoft completely changed the OBJ and EXE (DLL) formats. These changes build on results already established on other operating systems, which saved Microsoft time. The main purpose of the overhaul was to improve portability across different platforms. The COFF OBJ format existed before Win32 was born. The PE format is an extension of the COFF format, used on the Win32 platform.
Platform: |
Size: 219136 |
Author: sunpeng |
Hits:
Description: This article describes the customization of existing applications through the use of custom Dynamic-Link Libraries (DLLs) and the process of, what I have titled, Remote Library Loading. It also presents a small utility I developed to make this process easier; I titled it the Remote Library Loader.
For the ideas here I give credit originally to Jeffrey Richter in Programming Applications for Microsoft Windows with his "DLL Injection." The primary difference between our applications is that his works with running target processes, where mine also acts as a target process loader. In any case, much credit to him!
Platform: |
Size: 18432 |
Author: 李登煇 |
Hits:
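Description: This is a Windows console program that extracts all the resources in PE files in one pass and stores them in directories named after the files. It supports wildcards for specifying multiple files, and the /s parameter can be given to search subdirectories.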
This program enumerates and extracts resources in DLLs or EXEs,etc.
Syntax: EnumRes [/[e][s]] [filename ...]
/e To extract resources.
/s To search subdirectories.
/es To extract resources in including subdirectories.
Examples:
EnumRes C:\Windows\Explorer.exe
EnumRes /e C:\Windows\Explorer.exe
EnumRes /e C:\Windows\*.exe C:\Windows\*.dll
EnumRes /es C:\Windows\*.*
Platform: |
Size: 4096 |
Author: 林宇 |
Hits:
Description: bundle pe exe and dll with source
Platform: |
Size: 111616 |
Author: 小明 |
Hits:
Description: Notes:
1 The example programs were compiled and tested with vc6.0 + windows xp
2 Readers need some understanding of process address space, compilation, and pe structure
3 A simple introduction to dll, compiled from the author's own understanding together with other material
Platform: |
Size: 327680 |
Author: 周晓宇 |
Hits:
Description: Infects an executable file so that it loads a Dll
pe add dll
Platform: |
Size: 10240 |
Author: syk |
Hits:
Description: Parses pe files, analyzes the dll modules a PE file loads, and displays the export table and import table
Platform: |
Size: 13312 |
Author: 朱伯虎 |
Hits:
Description: Hide DLL, break the chain and wipe the PE
Platform: |
Size: 502784 |
Author: 林夕实打实的 |
Hits:
Description: .版本 2
hFile = CreateFileA (strFileName, #GENERIC_READ, #FILE_SHARE_READ, 0, #OPEN_EXISTING, #FILE_ATTRIBUTE_NORMAL, 0)
.如果真 (hFile = -1)
返回 (假)
.如果真结束
pFileBuff = 0
nFileSize = GetFileSize (hFile, 0)
.如果真 (nFileSize = 0)
返回 (假)
.如果真结束
pFileBuff = VirtualAlloc (0, nFileSize, #MEM_COMMIT, #PAGE_EXECUTE_READWRITE)
dwReadSize = 0
.如果真 (ReadFile (hFile, pFileBuff, nFileSize, dwReadSize, 0) = 假)
返回 (假)
.如果真结束
pBase = pFileBuff
' Check whether the file is a PE
p强转数组 [1] = 强制转换 (pIDH, pFileBuff)
.如果真 (pIDH.e_magic ≠ 23117)
返回 (假)
.如果真结束
ptmp = pFileBuff + 读内存整数型 (-1, pFileBuff + 60)
p强转数组 [2] = 强制转换 (pINH, ptmp)
.如果真 (pINH.Signature ≠ 17744)
返回 (假)
.如果真结束
dwMemSize = nFileSize
pAllocMem = pFileBuff
强制转换 (pIDH, p强转数组 [1])
强制转换 (pINH, p强转数组 [2])
返回 (真)
Platform: |
Size: 38912 |
Author: 额反反复复 |
Hits:
Description: An extremely powerful visual Chinese-localization integration tool that can directly browse and modify software resources, including menus, dialog boxes, string tables, and so on. It also has the decompilation capability of W32DASM and the PE file header editing function of PEditor, which makes it easier to analyze source code and repair damaged resources. It can handle PE-format files such as EXE, DLL, DRV, BPL, DPL, SYS, CPL, OCX, SCR and other 32-bit executables. The software supports plug-ins, so you can extend its functionality by adding plug-ins. The original company bundled a UPX unpacking plug-in, a scanner and a disassembler with the tool. Very easy to use.
Platform: |
Size: 3436544 |
Author: perpear |
Hits: