Analysis of the Executable File Format under SSCLI (Draft)

I remember that a classic, authoritative MSDN article on the Windows PE file format opens with: "An operating system's executable file format is, in many ways, a mirror of that system. Although learning an executable file format is usually not a programmer's first priority, you can learn a great deal from it." Lately I have been studying the SSCLI source code and found it hard to know where to start, so, on the principle of picking the soft persimmon first, I decided to begin with the executable file format of the .NET platform and then work further in: to the Class Loader, to the in-memory Object Layout, to what the Americans jokingly call "JIT Happens", to Garbage Collection...
References: Google, Shared Source CLI Essentials, Inside Microsoft .NET IL Assembler, the SSCLI source code...
Tools: WinDbg for debugging, Source Insight for browsing cross-references in the code, UltraEdit for viewing binaries, the Windows calculator for base conversion and arithmetic, Notepad for scratch notes, Word for word counts and typing, Visual Studio .NET 2003 for writing test code, and a cup for drinking water...

First, write a simple C# program, Hello.cs, with the following content:
public class Echo
{
    private string toEcho = null;

    public string EchoString
    {
        get
        {
            return toEcho;
        }
        set
        {
            toEcho = value;
        }
    }

    public string DoEcho()
    {
        if ( this.toEcho == null)
        {
            throw new System.Exception("Echo empty");
        }
        return toEcho;
    }
}

public class Hello
{
    public static void Main(string[] args)
    {
        Echo e = new Echo();

        e.EchoString = "Hello world";
        System.Console.WriteLine("Echo: {0}", e.DoEcho());
    }
}

Then compile it from the command line:
D:\rotor\sscli>csc Hello.cs /debug+
On success this produces Hello.exe, which is our main object of study; open it in UltraEdit first to get familiar with it. It turned out, though, that UltraEdit cannot copy and paste binary data out (or perhaps I just did not find the option). Well, this is my trade after all, so I rolled my own: open Visual C++, type in the program below, compile it, run it, and what I wanted ends up in C:\a.txt.

#include <stdio.h>

int main(int argc, char** argv)
{
    FILE * fp = fopen("Hello.exe", "rb");
    FILE * fout = fopen("c:\\a.txt", "w");   /* the backslash must be escaped in a C string */
    unsigned char buf;
    unsigned int addr = 0;                    /* declared before the goto so no initialisation is skipped */
    int i;

    if ( NULL == fp || NULL == fout)
    {
        goto finish;// goto, I'm lovin' it.
    }

    while(1)
    {
        fprintf(fout, "%08X: ", addr);// print address

        for (i = 0; i <= 0xF; i++)
        {
            // read one byte at a time
            int ret = (int)fread(&buf, 1, 1, fp);

            if (ret == 1)
            {
                fprintf(fout, "%02X", buf);// print content

                if(i == 0x7)
                    fprintf(fout, "-");   // separator between the two 8-byte halves of a row
                else
                    fprintf(fout, " ");
            }
            else
            {
                goto finish;   // end of file (or read error)
            }
        }

        fprintf(fout, "\r\n");
        addr += 0x10;
    }

finish:
    if (fp) fclose(fp);
    if (fout) fclose(fout);
    return 0;
}

Hello.exe is still a bit dazzling to look at, so to make it easier both for my own analysis and for the reader, the relevant places have been annotated and colour-coded (the structure names appear in the right-hand column and field boundaries are marked with / and |), as shown below:

00000000: 4D 5A/90 00/03 00/00 00-04 00/00 00/FF FF/00 00 IMAGE_DOS_HEADER
00000010: B8 00/00 00/00 00/00 00-40 00/00 00/00 00 00 00
00000020: 00 00 00 00/00 00/00 00-00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00-00 00 00 00/80 00 00 00
00000040: 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68
00000050: 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F
00000060: 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20
00000070: 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00
00000080: 50 45 00 00/4C 01/02 00-E2 2D FE 41/00 00 00 00 IMAGE_FILE_HEADER
00000090: 00 00 00 00/E0 00/0E 01-0B 01/06/00/00 06 00 00/IMAGE_OPTIONAL_HEADER32
000000A0: 00 02 00 00/00 00 00 00/CE 24 00 00/00 20 00 00/
000000B0: 00 40 00 00/00 00 40 00/00 20 00 00/00 02 00 00/
000000C0: 04 00/00 00/00 00/00 00/04 00/00 00/00 00 00 00/
000000D0: 00 60 00 00/00 02 00 00/00 00 00 00/03 00/00 00/
000000E0: 00 00 10 00/00 10 00 00/00 00 10 00/00 10 00 00
000000F0: 00 00 00 00/10 00 00 00/00 00 00 00 00 00 00 00 IMAGE_DATA_DIRECTORY
00000100: 78 24 00 00 53 00 00 00-00 00 00 00 00 00 00 00
00000110: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000120: 00 40 00 00 0C 00 00 00-08 21 00 00 1C 00 00 00
00000130: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000140: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000150: 00 00 00 00 00 00 00 00-00 20 00 00 08 00 00 00
00000160: 00 00 00 00 00 00 00 00-08 20 00 00 48 00 00 00
00000170: 00 00 00 00 00 00 00 00-2E 74 65 78 74 00 00 00/IMAGE_SECTION_HEADER
00000180: D4 04 00 00/00 20 00 00/00 06 00 00/00 02 00 00/
00000190: 00 00 00 00/00 00 00 00/00 00/00 00/20 00 00 60||
000001A0: 2E 72 65 6C 6F 63 00 00-0C 00 00 00 00 40 00 00
000001B0: 00 02 00 00 00 08 00 00-00 00 00 00 00 00 00 00
000001C0: 00 00 00 00 40 00 00 42-00 00 00 00 00 00 00 00
000001D0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
000001E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
000001F0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000200: B0 24 00 00 00 00 00 00-48 00 00 00/02 00/00 00/IMAGE_COR20_HEADER
00000210: 48 21 00 00/30 03 00 00/01 00 00 00/05 00 00 06/
00000220: 00 00 00 00/00 00 00 00/00 00 00 00/00 00 00 00/
00000230: 00 00 00 00/00 00 00 00/00 00 00 00/00 00 00 00/
00000240: 00 00 00 00/00 00 00 00/00 00 00 00/00 00 00 00/
00000250: 13 30 01 00 0B 00 00 00-01 00 00 11 02 7B 01 00
00000260: 00 04 0A 2B 00 06 2A 00-13 30 02 00 08 00 00 00
00000270: 00 00 00 00 02 03 7D 01-00 00 04 2A 13 30 02 00
00000280: 1E 00 00 00 01 00 00 11-02 7B 01 00 00 04 2D 0B
00000290: 72 01 00 00 70 73 02 00-00 0A 7A 02 7B 01 00 00
000002A0: 04 0A 2B 00 06 2A 00 00-13 30 02 00 0E 00 00 00
000002B0: 00 00 00 00 02 14 7D 01-00 00 04 02 28 03 00 00
000002C0: 0A 2A 00 00 13 30 02 00-22 00 00 00 02 00 00 11
000002D0: 73 04 00 00 06 0A 06 72-17 00 00 70 6F 02 00 00
000002E0: 06 72 2F 00 00 70 06 6F-03 00 00 06 28 04 00 00
000002F0: 0A 2A 00 00 13 30 01 00-07 00 00 00 00 00 00 00
00000300: 02 28 03 00 00 0A 2A 00-00 00 00 00 E2 2D FE 41
00000310: 00 00 00 00 02 00 00 00-22 00 00 00 24 21 00 00
00000320: 24 03 00 00 52 53 44 53-B6 E5 02 9E EF 8A 06 4D
00000330: 82 E8 0E 9B 45 49 97 16-01 00 00 00 68 65 6C 6C
00000340: 6F 2E 70 64 62 00 00 00-42 53 4A 42/01 00/01 00/STORAGESIGNATURE
00000350: 00 00 00 00/08 00 00 00/76 31 2E 30 2E 30 00 00||
00000360: 00/00/05 00|68 00 00 00/68 01 00 00/23 7E 00 00| STORAGEHEADER
00000370: D0 01 00 00/CC 00 00 00/23 53 74 72 69 6E 67 73
00000380: 00 00 00 00|9C 02 00 00/44 00 00 00/23 55 53 00|
00000390: E0 02 00 00/10 00 00 00/23 47 55 49 44 00 00 00|
000003A0: F0 02 00 00/40 00 00 00/23 42 6C 6F 62 00 00 00|
000003B0: 00 00 00 00/01/00/00/01/57 15 A2 01 09 00 00 00/CMiniMdSchemaBase
000003C0: 00 FA 01 33 00 02 00 00|01 00 00 00 04 00 00 00
000003D0: 03 00 00 00 01 00 00 00-06 00 00 00 02 00 00 00
000003E0: 04 00 00 00 01 00 00 00-02 00 00 00 01 00 00 00
000003F0: 01 00 00 00 02 00 00 00-01 00 00 00 01 00 00 00|
00000400: 00 00 0A 00 01 00 00 00-00 00|06 00 24 00 1D 00
00000410: 06 00 8B 00 78 00 06 00-AB 00 1D 00 06 00 BA 00
00000420: 1D 00|00 00 00 00 01 00-00 00 00 00 01 00 01 00
00000430: 01 00 10 00 2B 00 00 00-05 00 01 00 01 00 01 00
00000440: 10 00 30 00 00 00 05 00-02 00 05 00 01 00 36 00
00000450: 0A 00 50 20 00 00 00 00-86 08 3D 00 0D 00 01 00
00000460: 68 20 00 00 00 00 86 08-4C 00 11 00 01 00 7C 20/
00000470: 00 00 00 00 86 00 5B 00-0D 00 02 00 A8 20 00 00
00000480: 00 00 86 18 62 00 16 00-02 00 C4 20 00 00 00 00
00000490: 96 00 73 00 1E 00 02 00-F4 20 00 00 00 00 86 18
000004A0: 62 00 16 00 03 00 00 00-01 00 A5 00 00 00 01 00
000004B0: B5 00 11 00 62 00 24 00-19 00 62 00 11 00 09 00
000004C0: 62 00 16 00 21 00 C2 00-2E 00 2E 00 0B 00 39 00
000004D0: 2A 00 34 00 02 00 01 00-00 00 68 00 1A 00 02 00
000004E0: 01 00 03 00 01 00 02 00-03 00 04 80 00 00 00 00
000004F0: 00 00 00 00 00 00 00 00-00 00 00 00 9F 00 00 00
00000500: 01 00 00 00 E4 0C 00 00-00 00 00 00 01 00 14 00
00000510: 00 00 00 00 00 00 00 00-00 3C 4D 6F 64 75 6C 65 #Strings
00000520: 3E 00 68 65 6C 6C 6F 2E-65 78 65 00 6D 73 63 6F
00000530: 72 6C 69 62 00 53 79 73-74 65 6D 00 4F 62 6A 65
00000540: 63 74 00 45 63 68 6F 00-48 65 6C 6C 6F 00 74 6F
00000550: 45 63 68 6F 00 67 65 74-5F 45 63 68 6F 53 74 72
00000560: 69 6E 67 00 73 65 74 5F-45 63 68 6F 53 74 72 69
00000570: 6E 67 00 44 6F 45 63 68-6F 00 2E 63 74 6F 72 00
00000580: 45 63 68 6F 53 74 72 69-6E 67 00 4D 61 69 6E 00
00000590: 53 79 73 74 65 6D 2E 44-69 61 67 6E 6F 73 74 69
000005A0: 63 73 00 44 65 62 75 67-67 61 62 6C 65 41 74 74
000005B0: 72 69 62 75 74 65 00 68-65 6C 6C 6F 00 76 61 6C
000005C0: 75 65 00 45 78 63 65 70-74 69 6F 6E 00 61 72 67
000005D0: 73 00 43 6F 6E 73 6F 6C-65 00 57 72 69 74 65 4C
000005E0: 69 6E 65 00 00 15 45 00-63 00 68 00 6F 00 20 00 #US
000005F0: 65 00 6D 00 70 00 74 00-79 00 00 17 48 00 65 00
00000600: 6C 00 6C 00 6F 00 20 00-77 00 6F 00 72 00 6C 00
00000610: 64 00 00 13 45 00 63 00-68 00 6F 00 3A 00 20 00
00000620: 7B 00 30 00 7D 00 00 00-AB 51 E1 6B FF E2 10 3D #GUID
00000630: 5C A8 7B 77 DA 98 42 6C-00 08 B7 7A 5C 56 19 34 #Blob
00000640: E0 89 02 06 0E 03 20 00-0E 04 20 01 01 0E 03 20
00000650: 00 01 03 28 00 0E 05 00-01 01 1D 0E 05 20 02 01
00000660: 02 02 03 07 01 0E 05 00-02 01 0E 1C 04 07 01 12
00000670: 08 06 01 00 01 01 00 00-A0 24 00 00 00 00 00 00
00000680: 00 00 00 00 BE 24 00 00-00 20 00 00 00 00 00 00
00000690: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
000006A0: B0 24 00 00 00 00 00 00-00 00 00 00 00 00 00 00
000006B0: 00 00 5F 43 6F 72 45 78-65 4D 61 69 6E 00 6D 73
000006C0: 63 6F 72 65 65 2E 64 6C-6C 00 00 00 00 00 FF 25
000006D0: 00 20 40 00 00 00 00 00-00 00 00 00 00 00 00 00
000006E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
000006F0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000700: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000710: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000720: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000730: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000740: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000750: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000760: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
00000770: 00 …
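As an added example (not code from the original post), the parser below walks the same header chain the annotated dump traces by hand: e_lfanew, IMAGE_FILE_HEADER, entry 14 of the data directory, the section table (used for the RVA-to-file-offset arithmetic, e.g. RVA 0x2008 in .text with VA 0x2000 and raw pointer 0x200 lands at file offset 0x208), IMAGE_COR20_HEADER, and the BSJB metadata root with its stream headers. The image it reads is a constructed stand-in in which only the header fields from the dump are filled in (PE32 assumed; IL and metadata tables are zero); a native image, or one whose CLR directory is zeroed, makes it raise ValueError.

```python
import struct

def build_sample():
    # Constructed stand-in: header fields copied from the Hello.exe dump above; IL and tables are zero
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0x41FE2DE2, 0, 0, 0xE0, 0x10E)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x98, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2008, 0x48)            # data directory[14]: CLR header
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x4D4, 0x2000, 0x600, 0x200)  # .reloc row left zero
    struct.pack_into("<IHHIIII", img, 0x208, 0x48, 2, 0, 0x2148, 0x330, 1, 0x06000005)  # IMAGE_COR20_HEADER
    struct.pack_into("<4sHHII8sHH", img, 0x348, b"BSJB", 1, 1, 0, 8, b"v1.0.0\0\0", 0, 5)  # metadata root
    off = 0x364
    for soff, size, name in [(0x68, 0x168, b"#~"), (0x1D0, 0xCC, b"#Strings"),
                             (0x29C, 0x44, b"#US"), (0x2E0, 0x10, b"#GUID"), (0x2F0, 0x40, b"#Blob")]:
        name += b"\0" * (4 - len(name) % 4)                                   # stream names are null-padded to 4
        struct.pack_into("<II%ds" % len(name), img, off, soff, size, name)
        off += 8 + len(name)
    return bytes(img)

def rva_to_offset(sections, rva):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not backed by any section" % rva)

def parse_managed_pe(img):
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)                            # IMAGE_DOS_HEADER.e_lfanew
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", img, e_lfanew + 4)
    opt = e_lfanew + 24                                                       # IMAGE_OPTIONAL_HEADER32
    clr_rva, _ = struct.unpack_from("<II", img, opt + 96 + 14 * 8)            # COM descriptor directory entry
    sections = [struct.unpack_from("<8sIIII", img, opt + opt_size + i * 40)[2:] for i in range(nsec)]
    _, _, _, md_rva, _, flags, entry = struct.unpack_from("<IHHIIII", img, rva_to_offset(sections, clr_rva))
    md = rva_to_offset(sections, md_rva)                                      # metadata root (STORAGESIGNATURE)
    sig, _, _, _, vlen = struct.unpack_from("<4sHHII", img, md)
    if sig != b"BSJB":
        raise ValueError("metadata root lacks the BSJB signature")
    version = img[md + 16:md + 16 + vlen].split(b"\0", 1)[0].decode()
    nstreams, = struct.unpack_from("<H", img, md + 16 + vlen + 2)           # STORAGEHEADER: skip 2-byte flags
    streams, off = [], md + 16 + vlen + 4
    for _ in range(nstreams):
        soff, ssize = struct.unpack_from("<II", img, off)
        name = img[off + 8:img.index(b"\0", off + 8)]
        streams.append((name.decode(), soff, ssize))
        off += 8 + (len(name) // 4 + 1) * 4                                   # name padded to a 4-byte boundary
    return {"il_only": bool(flags & 1), "entry_token": entry,
            "metadata_offset": md, "version": version, "streams": streams}
```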