样本内容:静态分析信息-PE文件格式

PE文件的全称是Portable Executable,意为可移植的可执行的文件,常见的EXE、DLL、OCX、SYS、COM都是PE文件,PE文件是微软Windows操作系统上的程序文件(可能是间接被执行,如DLL)。

一、基本信息

- 中文名称:PE文件
- 翻译:可移植的执行体
- 外文名称:Portable Executable
- 操作系统:Windows
- 全称:Portable Executable

二、文件结构

以下为PE文件内容的概要,具体详情可参考微软的标准化文档。

[《PE格式》](https://docs.microsoft.com/zh-cn/windows/win32/debug/pe-format "《PE格式》")

1、编译器名称

文件编译器相关信息,包括编译器名称和具体版本内容。

2、文件头

文件头记录了PE文件各项可执行内容的规范信息。

(1)编译时间

文件编译完成的时间。

(2)节长度

节列表的长度。

(3)节

文件节的详情列表。

(4)导入函数

引用外部方法的列表。

(5)导出函数

外部可调用的方法列表。

(6)资源文件

文件所用到的资源文件列表。

3、附加数据

附加在文件上的内容。

4、调试信息

文件的调试内容。

三、完整样例结构

"pe_info": {
			"debug": [
                {
                    "codeview": {
                        "age": 1,
                        "guid": "e48addf6-fd27-4a9c-815c-bf60afa7566a",
                        "name": "E:\\987.pdb",
                        "offset": 1531904,
                        "signature": "RSDS",
                        "timestamp": "Thu May 28 05:53:24 2020"
                    },
                    "fpo": {
                        "functions": 6
                    },
                    "misc": {
                        "datatype": 4,
                        "length": 123,
                        "unicode": 455,
                        "data": "e48addf6",
                        "reserved": "bf60afa7566a"
                    },
                    "offset": 1409712,
                    "reserved10": {
                        "value": "4a9c"
                    },
                    "size": 23,
                    "timedatestamp": "Thu May 28 05:53:24 2020",
                    "type": 11,
                    "type_str": "11"
                },
				{
                    "codeview": {
                        "age": 1,
                        "guid": "ff8addf6-fd27-4a9c-815c-bf60afa7566a",
                        "name": "E:\\223.pdb",
                        "offset": 1531452,
                        "signature": "RSBC",
                        "timestamp": "Thu May 28 06:53:24 2020"
                    },
                    "fpo": {
                        "functions": 3
                    },
                    "misc": {
                        "datatype": 7,
                        "length": 342,
                        "unicode": 458,
                        "data": "ff543e48addf6",
                        "reserved": "123bf60afa7566a"
                    },
                    "offset": 1809712,
                    "reserved10": {
                        "value": "4a9ccc"
                    },
                    "size": 22,
                    "timedatestamp": "Thu May 28 08:53:24 2020",
                    "type": 12,
                    "type_str": "12"
                }
            ],
			"resource_details": [
				{
					"lang": "NEUTRAL",
					"entropy": 3.280435800552368,
					"chi2": 73067.6875,
					"filetype": "Data",
					"sha256": "0f324c98411b92240e50d33e6461c41768c91b5a6c0e31b851aa748e5cb4d2de",
					"type": "RT_VERSION"
				},
				{
					"lang": "NEUTRAL",
					"entropy": 5.00111722946167,
					"chi2": 4719.86083984375,
					"filetype": "Data",
					"sha256": "539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a",
					"type": "RT_MANIFEST"
				}
			],
			"resource_types": {
				"RT_MANIFEST": 1,
				"RT_VERSION": 1
			},
			"imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
			"machine_type": 332,
			"entry_point": 1521402,
			"exports": [
				"ssl",
				"new_buffer_ssl_connect",
				"new_ssl",
				"new_ssl_connect",
				"ssl_copy_session_id",
				"ssl_shutdown",
				"client_method",
				"method"
            ],
			"sections": [
				{
					"name": ".text",
					"chi2": 8871587.0,
					"virtual_address": 8192,
					"flags": "rx",
					"raw_size": 1513472,
					"entropy": 7.12,
					"virtual_size": 1513216,
					"md5": "d297bf8053549f4e5b9d5383e82cbf4f"
				},
				{
					"name": ".rsrc",
					"chi2": 70549.48,
					"virtual_address": 1523712,
					"flags": "r",
					"raw_size": 1536,
					"entropy": 4.2,
					"virtual_size": 1532,
					"md5": "dca00ebf31869168eca0a658265f21ef"
				},
				{
					"name": ".reloc",
					"chi2": 128015.0,
					"virtual_address": 1531904,
					"flags": "r",
					"raw_size": 512,
					"entropy": 0.1,
					"virtual_size": 12,
					"md5": "2bb97931c61781d8f754f070c78493a4"
				}
			],
			"import_list": [
				{
					"library_name": "mscoree.dll",
					"imported_functions": [
						"_CorExeMain"
					]
				},
				{
					"library_name": "mscoree1.dll",
					"imported_functions": [
						"_CorExeMain1",
						"_CorExeMain2"
					]
				}
			],
			"compile_timestamp": 1615245593,
			"compiler_name": "VB.NET",
			"compiler_version": "C#",
            "overlay": {
				"chi2": 164886880.0,
				"entropy": 0.0,
				"filetype": "ASCII text",
				"md5": "26195dcf5b5ea5905dc5c154b5858527",
				"offset": 219648,
				"size": 646613
            },
            "resource_langs": {
                "NEUTRAL": 14,
                "Chinese": 2312
            },
            "rich_pe_header_hash": "d4158cd98500b254e9850958ec58457e",
            "compiler_product_versions": [
                "1039",
                "1038"
            ],
            "main_icon_crc": "2356bce0",
            "authentihash": "a67c8c551025a684511bd5932b5ad7575b352653135326587054532d5e58ab2b"
        }