
[原创]Windows内核之exe文件section

#1 楼主 2026-06-01 21:08:58
前言:本文基于ReactOS 0.4.15源码。
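在创建section时,如果创建的是exe文件的section,会调用MmCreateImageSection函数。该函数内部会执行 StatusExeFmt = ExeFmtpCreateImageSection(FileObject, ImageSectionObject); 因此下面分析这个函数(此处摘录的代码缺少花括号和注释起止符,阅读时请按缩进理解结构)。从代码可以看到,它先通过ExeFmtpReadFile读取文件开头两个页面(PAGE_SIZE * 2)的数据作为文件头,再依次交给ExeFmtpLoaders数组中的各个加载器尝试解析,直到某个加载器返回的状态不是STATUS_ROS_EXEFMT_UNKNOWN_FORMAT为止。注意文件头内容直接来自磁盘文件,属于不可信输入,实际读到的长度由FileHeaderSize给出,加载器解析各字段时应以该长度为界进行校验。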
NTSTATUS
ExeFmtpCreateImageSection(PFILE_OBJECT FileObject,
                          PMM_IMAGE_SECTION_OBJECT ImageSectionObject)
    LARGE_INTEGER Offset;
    PVOID FileHeader;
    PVOID FileHeaderBuffer;
    ULONG FileHeaderSize;
    ULONG Flags;
    ULONG OldNrSegments;
    NTSTATUS Status;
    ULONG i;

     * Read the beginning of the file (2 pages). Should be enough to contain
     * all (or most) of the headers
    Offset.QuadPart = 0;

    Status = ExeFmtpReadFile (FileObject,
                              &Offset,
                              PAGE_SIZE * 2,
                              &FileHeader,
                              &FileHeaderBuffer,
                              &FileHeaderSize);

    if (!NT_SUCCESS(Status))
        return Status;

    if (FileHeaderSize == 0)
        ExFreePool(FileHeaderBuffer);
        return STATUS_UNSUCCESSFUL;

     * Look for a loader that can handle this executable
    for (i = 0; i < RTL_NUMBER_OF(ExeFmtpLoaders); ++ i)
        Flags = 0;

        Status = ExeFmtpLoaders[i](FileHeader,
                                   FileHeaderSize,
                                   FileObject,
                                   ImageSectionObject,
                                   &Flags,
                                   ExeFmtpReadFile,
                                   ExeFmtpAllocateSegments);

        if (!NT_SUCCESS(Status))
            if (ImageSectionObject->Segments)
                ExFreePool(ImageSectionObject->Segments);
                ImageSectionObject->Segments = NULL;

        if (Status != STATUS_ROS_EXEFMT_UNKNOWN_FORMAT)
            break;

    ExFreePoolWithTag(FileHeaderBuffer, 'rXmM');

     * No loader handled the format
    if (Status == STATUS_ROS_EXEFMT_UNKNOWN_FORMAT)
        Status = STATUS_INVALID_IMAGE_NOT_MZ;
        ASSERT(!NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))
        return Status;

    ASSERT(ImageSectionObject->Segments != NULL);
    ASSERT(ImageSectionObject->RefCount > 0);

     * Some defaults
    /* FIXME? are these values platform-dependent? */
    if (ImageSectionObject->ImageInformation.MaximumStackSize == 0)
        ImageSectionObject->ImageInformation.MaximumStackSize = 0x40000;

    if(ImageSectionObject->ImageInformation.CommittedStackSize == 0)
        ImageSectionObject->ImageInformation.CommittedStackSize = 0x1000;

    if(ImageSectionObject->BasedAddress == NULL)
        if(ImageSectionObject->ImageInformation.ImageCharacteristics & IMAGE_FILE_DLL)
            ImageSectionObject->BasedAddress = (PVOID)0x10000000;
        else


...(已截断)

---
来源: 看雪论坛
原文链接: https://bbs.kanxue.com/thread-290873.htm
