为什么我没有得到 "PE[=10=][=10=]"?
Why I didn't get the "PE\0\0"?
来自 PE 规范:
At location 0x3c, the stub has the file offset to the PE signature.
This information enables Windows to properly execute the image file,
even though it has an MS DOS stub. This file offset is placed at
location 0x3c during linking.
2.2. Signature (Image Only)
After the MS DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the
file as a PE format image file. This signature is “PE[=22=][=22=]” (the
letters “P” and “E” followed by two null bytes).
我尝试读取这些字节:
using System;
using System.IO;
class Program {
const String fileName = @".\some_application.exe";
const Int64 peMarkerPosition = 0x3c;
static void Main(string[] args) {
using (FileStream fs = new FileStream(fileName, FileMode.Open,
FileAccess.Read)) {
Byte[] marker = new Byte[4];
fs.Position = peMarkerPosition;
fs.Read(marker, 0, marker.Length);
// Now I expect 'marker'has such bytes: "PE[=11=][=11=]".
fs.Close();
foreach (Byte b in marker) {
Console.Write(Convert.ToChar(b)); // But I see other values...
}
Console.WriteLine("\nPress any key for exit...");
Console.ReadKey();
}
}
}
但是marker变量有0x08、0x01、0x00和x0x00字节(第一个和第二个不是P和E 个字符)...为什么我会得到这样的结果?
PE header 本身并不从偏移量 0x3C 开始 - 相反,那里有一个指向 PE header 开始的指针(从文件开头开始的 32 位文件偏移量) .
来自 PE 规范:
At location
0x3c, the stub has the file offset to the PE signature. This information enables Windows to properly execute the image file, even though it has an MS DOS stub. This file offset is placed at location0x3cduring linking.2.2. Signature (Image Only)
After the MS DOS stub, at the file offset specified at offset0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is “PE[=22=][=22=]” (the letters “P” and “E” followed by two null bytes).
我尝试读取这些字节:
using System;
using System.IO;
class Program {
const String fileName = @".\some_application.exe";
const Int64 peMarkerPosition = 0x3c;
static void Main(string[] args) {
using (FileStream fs = new FileStream(fileName, FileMode.Open,
FileAccess.Read)) {
Byte[] marker = new Byte[4];
fs.Position = peMarkerPosition;
fs.Read(marker, 0, marker.Length);
// Now I expect 'marker'has such bytes: "PE[=11=][=11=]".
fs.Close();
foreach (Byte b in marker) {
Console.Write(Convert.ToChar(b)); // But I see other values...
}
Console.WriteLine("\nPress any key for exit...");
Console.ReadKey();
}
}
}
但是marker变量有0x08、0x01、0x00和x0x00字节(第一个和第二个不是P和E 个字符)...为什么我会得到这样的结果?
PE header 本身并不从偏移量 0x3C 开始 - 相反,那里有一个指向 PE header 开始的指针(从文件开头开始的 32 位文件偏移量) .