PIMAGE_NT_HEADERS Showing different Values

I'm currently trying to map my suspended thread locally. When I open my program in CFF Explorer, it says that the value of PIMAGE_NT_HEADERS is 00004550:

However, when I try to map it myself, the value I get is 00400080:

typedef struct pe {
    PIMAGE_DOS_HEADER peDH;
    PIMAGE_NT_HEADERS peNH;


} pe;

PE.peDH = (PIMAGE_DOS_HEADER)imgBase;
PE.peNH = (PIMAGE_NT_HEADERS)((u_char*)PE.peDH + PE.peDH->e_lfanew);
printf("[?] - NT Headers section is located at: 0x%x\n", PE.peNH);

> it says that the value of PIMAGE_NT_HEADERS is 00004550

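No, it does not. Look again more carefully. It actually says that the Signature field of the IMAGE_NT_HEADERS structure is 00004550. But you are not printing the Signature, you are printing the PIMAGE_NT_HEADERS pointer itself. Not the same thing.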

Change your print to this:

printf("[?] - NT Headers Signature is: 0x%08x\n", PE.peNH->Signature);
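The distinction drawn in the answer, as an added example that is not part of the original post: a bounds-checked lookup that returns both where the NT headers sit (base + e_lfanew) and the Signature value stored there. It reads a constructed in-memory buffer by raw offsets so it builds without windows.h; `pe_nt_signature`, `make_sample` and the error codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_MAGIC    0x5A4Du      /* "MZ"     (IMAGE_DOS_SIGNATURE) */
#define NT_MAGIC     0x00004550u  /* "PE\0\0" (IMAGE_NT_SIGNATURE)  */
#define E_LFANEW_OFF 0x3Cu        /* offset of e_lfanew in IMAGE_DOS_HEADER */
#define DOS_HDR_SIZE 0x40u        /* sizeof(IMAGE_DOS_HEADER) */

static uint32_t rd32(const uint8_t *p)   /* little-endian 32-bit read */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: returns 0 and fills nt_off/sig, or a negative error code. */
int pe_nt_signature(const uint8_t *img, size_t len, uint32_t *nt_off, uint32_t *sig)
{
    if (len < DOS_HDR_SIZE) return -1;                       /* no room for the DOS header */
    if ((uint32_t)(img[0] | img[1] << 8) != DOS_MAGIC) return -2;   /* not "MZ" */
    uint32_t off = rd32(img + E_LFANEW_OFF);
    if (off > len - 4) return -3;                            /* e_lfanew leaves the buffer */
    *nt_off = off;                                           /* where the NT headers are */
    *sig = rd32(img + off);                                  /* what their first field holds */
    return *sig == NT_MAGIC ? 0 : -4;
}

/* Constructed sample: zeroed 0x84-byte buffer with "MZ", e_lfanew = 0x80, "PE\0\0". */
size_t make_sample(uint8_t *buf, size_t cap)
{
    if (cap < 0x84) return 0;
    memset(buf, 0, 0x84);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFF] = 0x80;
    buf[0x80] = 'P'; buf[0x81] = 'E';
    return 0x84;
}

int main(void)
{
    uint8_t buf[0x84];
    uint32_t off = 0, sig = 0;
    int rc = pe_nt_signature(buf, make_sample(buf, sizeof buf), &off, &sig);
    printf("NT headers pointer  : %p (base %p + 0x%x)\n",
           (void *)(buf + off), (void *)buf, (unsigned)off);
    printf("NT headers Signature: 0x%08x\n", (unsigned)sig);
    return rc;
}
```

The pointer line changes with wherever the buffer is loaded, while the Signature line is 0x00004550 for any valid image.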