Overview: last time we generated an exe file from Java. So how do we parse an exe file? 0.0
First we need to know what an exe file contains. Unpack it with 360 Zip (360压缩) and take a look; the sections it lists are:
.data:
- Initialized global and static variables. Their initial values are stored in the file and copied into memory when the program is loaded; the section is mapped readable and writable.
.pdata (Procedure Data):
- On x64 this is the function table: one RUNTIME_FUNCTION entry per function giving its start and end RVA and a pointer to its unwind information. The OS uses it for stack unwinding and structured exception handling, and when reversing it doubles as a ready-made list of every function in the image.
.rdata (Read-Only Data):
- Read-only data such as constants and string literals; the linker usually places the import and export directories here as well. These bytes must not be modified at runtime, and the section is mapped without write permission.
.reloc (Relocation):
- Base relocations: a list of every location that holds an absolute address and must be patched when the image is loaded somewhere other than its preferred ImageBase. This is what lets the loader rebase the image for ASLR; an image whose relocations were stripped cannot be moved.
.rodata (Read-Only Data):
- Same purpose as .rdata: read-only constants and strings. .rodata is the ELF/GCC section name rather than the Microsoft one, so seeing it next to .rdata points at a non-MSVC toolchain having produced part of the image.
.svm_hea:
- Not a standard Windows PE section, and normal PE files do not contain it. PE section names are stored in an 8-byte field, so anything longer is silently truncated in the section table; `.svm_hea` is most likely the truncated `.svm_heap` section that GraalVM native-image (Substrate VM, hence "SVM") uses for its pre-initialized image heap, which fits an exe built from Java. Only files produced by that kind of tool carry it.
.text:
- The program's machine code, i.e. the executable instructions. Mapped readable and executable, but not writable.
Parsing an exe file with objdump
objdump --help
Usage: objdump <option(s)> <file(s)>
 Display information from object <file(s)>.
 At least one of the following switches must be given:
  -a, --archive-headers    Display archive header information
  -f, --file-headers       Display the contents of the overall file header
  -p, --private-headers    Display object format specific file header contents
  -P, --private=OPT,OPT... Display object format specific contents
  -h, --[section-]headers  Display the contents of the section headers
  -x, --all-headers        Display the contents of all headers
  -d, --disassemble        Display assembler contents of executable sections
  -D, --disassemble-all    Display assembler contents of all sections
      --disassemble=<sym>  Display assembler contents from <sym>
  -S, --source             Intermix source code with disassembly
      --source-comment[=<txt>] Prefix lines of source code with <txt>
  -s, --full-contents      Display the full contents of all sections requested
  -g, --debugging          Display debug information in object file
  -e, --debugging-tags     Display debug information using ctags style
  -G, --stabs              Display (in raw form) any STABS info in the file
  -W, --dwarf[a/=abbrev, A/=addr, r/=aranges, c/=cu_index, L/=decodedline,
              f/=frames, F/=frames-interp, g/=gdb_index, i/=info, o/=loc,
              m/=macro, p/=pubnames, t/=pubtypes, R/=Ranges, l/=rawline,
              s/=str, O/=str-offsets, u/=trace_abbrev, T/=trace_aranges,
              U/=trace_info]
                           Display the contents of DWARF debug sections
  -Wk,--dwarf=links        Display the contents of sections that link to
                            separate debuginfo files
  -WK,--dwarf=follow-links Follow links to separate debug info files (default)
  -WN,--dwarf=no-follow-links
                           Do not follow links to separate debug info files
  -L, --process-links      Display the contents of non-debug sections in
                            separate debuginfo files.  (Implies -WK)
      --ctf[=SECTION]      Display CTF info from SECTION, (default `.ctf')
      --sframe[=SECTION]   Display SFrame info from SECTION, (default '.sframe')
  -t, --syms               Display the contents of the symbol table(s)
  -T, --dynamic-syms       Display the contents of the dynamic symbol table
  -r, --reloc              Display the relocation entries in the file
  -R, --dynamic-reloc      Display the dynamic relocation entries in the file
  @<file>                  Read options from <file>
  -v, --version            Display this program's version number
  -i, --info               List object formats and architectures supported
  -H, --help               Display this information

 The following switches are optional:
  -b, --target=BFDNAME           Specify the target object format as BFDNAME
  -m, --architecture=MACHINE     Specify the target architecture as MACHINE
  -j, --section=NAME             Only display information for section NAME
  -M, --disassembler-options=OPT Pass text OPT on to the disassembler
  -EB --endian=big               Assume big endian format when disassembling
  -EL --endian=little            Assume little endian format when disassembling
      --file-start-context       Include context from start of file (with -S)
  -I, --include=DIR              Add DIR to search list for source files
  -l, --line-numbers             Include line numbers and filenames in output
  -F, --file-offsets             Include file offsets when displaying information
  -C, --demangle[=STYLE]         Decode mangled/processed symbol names
                                  STYLE can be "none", "auto", "gnu-v3",
                                  "java", "gnat", "dlang", "rust"
      --recurse-limit            Enable a limit on recursion whilst demangling
                                  (default)
      --no-recurse-limit         Disable a limit on recursion whilst demangling
  -w, --wide                     Format output for more than 80 columns
  -U[d|l|i|x|e|h]                Controls the display of UTF-8 unicode characters
  --unicode=[default|locale|invalid|hex|escape|highlight]
  -z, --disassemble-zeroes       Do not skip blocks of zeroes when disassembling
      --start-address=ADDR       Only process data whose address is >= ADDR
      --stop-address=ADDR        Only process data whose address is < ADDR
      --no-addresses             Do not print address alongside disassembly
      --prefix-addresses         Print complete address alongside disassembly
      --[no-]show-raw-insn       Display hex alongside symbolic disassembly
      --insn-width=WIDTH         Display WIDTH bytes on a single line for -d
      --adjust-vma=OFFSET        Add OFFSET to all displayed section addresses
      --show-all-symbols         When disassembling, display all symbols at a given address
      --special-syms             Include special symbols in symbol dumps
      --inlines                  Print all inlines for source line (with -l)
      --prefix=PREFIX            Add PREFIX to absolute paths for -S
      --prefix-strip=LEVEL       Strip initial directory names for -S
      --dwarf-depth=N            Do not display DIEs at depth N or greater
      --dwarf-start=N            Display DIEs starting at offset N
      --dwarf-check              Make additional dwarf consistency checks.
      --ctf-parent=NAME          Use CTF archive member NAME as the CTF parent
      --visualize-jumps          Visualize jumps by drawing ASCII art lines
      --visualize-jumps=color    Use colors in the ASCII art
      --visualize-jumps=extended-color
                                 Use extended 8-bit color codes
      --visualize-jumps=off      Disable jump visualization
      --disassembler-color=off   Disable disassembler color output. (default)
      --disassembler-color=terminal Enable disassembler color output if displaying on a terminal.
      --disassembler-color=on    Enable disassembler color output.
      --disassembler-color=extended Use 8-bit colors in disassembler output.

objdump: supported targets: pe-x86-64 pei-x86-64 pe-bigobj-x86-64 elf64-x86-64 pe-i386 pei-i386 elf32-i386 elf32-iamcu pdb elf64-little elf64-big elf32-little elf32-big srec symbolsrec verilog tekhex binary ihex plugin
objdump: supported architectures: i386 i386:x86-64 i386:x64-32 i8086 i386:intel i386:x86-64:intel i386:x64-32:intel iamcu iamcu:intel

The following i386/x86-64 specific disassembler options are supported for use
with the -M switch (multiple options should be separated by commas):
  x86-64      Disassemble in 64bit mode
  i386        Disassemble in 32bit mode
  i8086       Disassemble in 16bit mode
  att         Display instruction in AT&T syntax
  intel       Display instruction in Intel syntax
  att-mnemonic
              Display instruction in AT&T mnemonic
  intel-mnemonic
              Display instruction in Intel mnemonic
  addr64      Assume 64bit address size
  addr32      Assume 32bit address size
  addr16      Assume 16bit address size
  data32      Assume 32bit data size
  data16      Assume 16bit data size
  suffix      Always display instruction suffix in AT&T syntax
  amd64       Display instruction in AMD64 ISA
  intel64     Display instruction in Intel64 ISA
Report bugs to <https://sourceware.org/bugzilla/>.
-a: display the archive header information
-f: display the overall file header
-p: display the object-format-specific file header contents (for a PE this includes ImageBase, the DllCharacteristics flags, the data directories and the import/export tables)
-P: display object-format-specific contents
-h: display the section headers
-x: display all headers (file header, section headers and private headers together)
-d: disassemble the executable sections
-D: disassemble every section, data sections included; bytes from .data are decoded as if they were instructions, so read that output with care
--disassemble=<sym>: disassemble starting at symbol <sym>
-S: intermix source code with the disassembly (needs debug info and the source files)
-s: dump the full contents of the sections (hex with an ASCII column)
-g: display the debug information in the object file
-e: display the debug information in ctags style
-G: display the raw STABS debug info; DWARF debug sections are printed with -W/--dwarf
-w: wide output, more than 80 columns
--unicode=[default|locale|invalid|hex|escape|highlight]: control how UTF-8 characters are displayed
--start-address=ADDR: only process data at addresses >= ADDR
--stop-address=ADDR: only process data at addresses < ADDR
--no-addresses: do not print addresses beside the disassembly
--prefix-addresses: print the complete address beside every instruction
--insn-width=WIDTH: show WIDTH instruction bytes per line with -d
--adjust-vma=OFFSET: add OFFSET to all displayed section addresses
--show-all-symbols: when disassembling, show every symbol at a given address
--special-syms: include special symbols in symbol dumps
--inlines: print all inlined functions for a source line (with -l)
--prefix=PREFIX: add PREFIX to absolute paths (with -S)
--prefix-strip=LEVEL: strip LEVEL leading directory names (with -S)
--dwarf-depth=N: do not display DIEs at depth N or greater
--dwarf-start=N: display DIEs starting at offset N
--dwarf-check: make additional DWARF consistency checks
--ctf-parent=NAME: use CTF archive member NAME as the CTF parent
--visualize-jumps: visualize jumps by drawing ASCII-art lines
--visualize-jumps=color: use colours in the ASCII art
--visualize-jumps=extended-color: use extended 8-bit colour codes
--visualize-jumps=off: disable jump visualization
--disassembler-color=off: disable coloured disassembler output (default)
--disassembler-color=terminal: enable coloured output when writing to a terminal
--disassembler-color=on: enable coloured disassembler output
--disassembler-color=extended: use 8-bit colours in the disassembler output
The standard usage is objdump <options> <executable>.
For example, objdump -d main.exe disassembles the executable sections (add -M intel if you prefer Intel syntax to the default AT&T syntax).
Run objdump -h main.exe to display the section headers. The columns mean:
- Idx / Name: the section's index in the section table and its name.
- Size: the section size in bytes (hex).
- VMA: virtual memory address, where the section sits in the process's address space. For a PE this is the preferred ImageBase plus the section's RVA; with ASLR the real address at runtime may be shifted by a constant delta.
- LMA: load memory address, the address the section is loaded at. For a PE executable it equals the VMA; the two only differ in firmware-style images where code is stored at one address and copied to another to run. It is not the position in the file.
- File off: the offset of the section's raw data from the start of the file. To turn a virtual address into a file offset, subtract the section's VMA and add its File off.
- Algn: alignment as a power of two. 2**4 means 16-byte alignment (not 4), and 2**12 means 4096 bytes, one page.
- CONTENTS, ALLOC, LOAD, READONLY, CODE/DATA: attributes of the section. CONTENTS: the section has bytes in the file; ALLOC: memory is allocated for it when the image is loaded; LOAD: its contents are loaded from the file into that memory; READONLY: it is not writable; CODE / DATA: it holds instructions / data. A section marked CODE without READONLY is writable code, which undermines DEP/W^X and deserves a closer look.
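As an added example, not part of the original post, the script below parses a constructed objdump -h listing (its sizes and addresses are made up, not main.exe's) and uses the columns for the two things you usually need them for: converting a VMA into a file offset, and spotting a section that is CODE but not READONLY. The `.wxtest` section in the sample exists only to exercise that check.

```python
"""Make use of the columns `objdump -h` prints for a PE file.
Added example, not part of the original post: parses the -h listing, converts
the Algn column (2**n) to bytes, maps a virtual address back to a file offset
using the VMA and File off columns, and flags sections that are CODE without
READONLY (writable code). The listing below is constructed for the demo; its
sizes and addresses are made up and are not main.exe's."""
import re

SAMPLE_OBJDUMP_H = """\
main.exe:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00001234  0000000140001000  0000000140001000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         00000200  0000000140003000  0000000140003000  00001800  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  2 .wxtest       00000100  0000000140004000  0000000140004000  00001a00  2**4
                  CONTENTS, ALLOC, LOAD, CODE
  3 .reloc        00000040  0000000140005000  0000000140005000  00001c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
"""
# .wxtest is synthetic: a writable, executable section added only to exercise the check.

SECTION_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<name>\S+)\s+(?P<size>[0-9a-f]+)\s+(?P<vma>[0-9a-f]+)\s+"
    r"(?P<lma>[0-9a-f]+)\s+(?P<off>[0-9a-f]+)\s+(?P<algn>\d+\*\*\d+)\s*$", re.IGNORECASE)


def algn_bytes(field: str) -> int:
    """'2**4' -> 16. objdump prints alignment as a power of two, so 2**4 is 16 bytes, not 4."""
    base, exp = field.split("**")
    return int(base) ** int(exp)


def parse_objdump_h(text: str) -> list:
    """Turn the section lines of `objdump -h` output into dicts; the flags come from the next line."""
    lines, sections = text.splitlines(), []
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        flags = set() if SECTION_RE.match(nxt) else {f.strip() for f in nxt.split(",") if f.strip()}
        sections.append({
            "idx": int(m["idx"]), "name": m["name"],
            "size": int(m["size"], 16), "vma": int(m["vma"], 16), "lma": int(m["lma"], 16),
            "file_off": int(m["off"], 16), "align": algn_bytes(m["algn"]), "flags": flags,
        })
    return sections


def vma_to_file_offset(sections: list, vma: int):
    """Map a virtual address to a file offset: File off + (vma - VMA) of the covering section.
    Returns None when no section with CONTENTS covers the address, which is what a naive
    'vma - ImageBase' gets wrong for the zero-filled tail of .data and for .bss."""
    for s in sections:
        if "CONTENTS" in s["flags"] and s["vma"] <= vma < s["vma"] + s["size"]:
            return s["file_off"] + (vma - s["vma"])
    return None


def writable_code_sections(sections: list) -> list:
    """CODE without READONLY means writable+executable memory: worth a second look."""
    return [s["name"] for s in sections if "CODE" in s["flags"] and "READONLY" not in s["flags"]]


if __name__ == "__main__":
    secs = parse_objdump_h(SAMPLE_OBJDUMP_H)
    for s in secs:
        print(f"{s['idx']} {s['name']:<8} vma=0x{s['vma']:x} off=0x{s['file_off']:x} "
              f"align={s['align']} {' '.join(sorted(s['flags']))}")
    print("0x140001010 is at file offset", hex(vma_to_file_offset(secs, 0x140001010)))
    print("writable code sections:", writable_code_sections(secs))
```

Feed it real output with `parse_objdump_h(subprocess.run(["objdump", "-h", "main.exe"], capture_output=True, text=True).stdout)`. The file offset it computes is what you pass to a hex editor, while the VMA is what you pass to objdump's --start-address; mixing the two up is the most common way to patch the wrong bytes.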
Run objdump -s main.exe to dump the full contents of the sections.
It keeps scrolling; there is quite a lot of it.