源代码如下:

typedef struct _IMAGE_BASE_RELOCATION {
    DWORD   VirtualAddress;
    DWORD   SizeOfBlock;
//  WORD    TypeOffset[1];
} IMAGE_BASE_RELOCATION;
typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;

重定位表是一个数组,这几个数组的分寸记载在 _IMAGE_OPTIONAL_HEADER 的

.DataDirect‌​ory[IMAGE_DIRECTORY_E‌​NTRY_BASERELOC].Size 成员中

布局图如下,图片中 0 和 000 都意味16进制数,转变成二进制是  0000 和 0000
0000 0000:

奥门新萄京网站 1

各种成分的尺寸都记载在 SizeOfBlock 中,那么些因素是由 二个
_IMAGE_BASE_RELOCATION 布局体和叁个TypeOffset 数组组成的。TypeOffset
数组的各种元素占2个字节,个中,高4位是偏移类型(type),低十二位表示必要重一直的地点(Offset),即,它与
VirtualAddress 相加便是指向 PE 影象中需求改良的极度代码的途乐VA。

偏移类型的意义如下:

Constant

Value

Description

IMAGE_REL_BASED_ABSOLUTE

  0

The base relocation is skipped. This type can be used to pad a block.

IMAGE_REL_BASED_HIGH

  1

The base relocation adds the high 16 bits of the difference to the 16bit field at offset. The 16-bit field represents the high value of a 32-bit word.

IMAGE_REL_BASED_LOW

  2

The base relocation adds the low 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the low half of a 32-bit word.

IMAGE_REL_BASED_HIGHLOW

  3

The base relocation applies all 32 bits of the difference to the 32-bit field at offset.

IMAGE_REL_BASED_HIGHADJ

  4

The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word. The low 16 bits of the 32-bit value are stored in the 16-bit word that follows this base relocation. This means that this base relocation occupies two slots.

IMAGE_REL_BASED_MIPS_JMPADDR

  5

The relocation interpretation is dependent on the machine type.

When the machine type is MIPS, the base relocation applies to a MIPS jump instruction.

IMAGE_REL_BASED_ARM_MOV32

  5

This relocation is meaningfull only when the machine type is ARM or Thumb. The base relocation applies the 32-bit address of a symbol across a consecutive MOVW/MOVT instruction pair.

IMAGE_REL_BASED_RISCV_HIGH20

  5

This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the high 20 bits of a 32-bit absolute address.

 

  6

Reserved, must be zero.

IMAGE_REL_BASED_THUMB_MOV32

  7

This relocation is meaningful only when the machine type is Thumb. The base relocation applies the 32-bit address of a symbol to a consecutive MOVW/MOVT instruction pair.

IMAGE_REL_BASED_RISCV_LOW12I

  7

This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V I-type instruction format.

IMAGE_REL_BASED_RISCV_LOW12S

  8

This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V S-type instruction format.

IMAGE_REL_BASED_MIPS_JMPADDR16

  9

The relocation is only meaningful when the machine type is MIPS. The base relocation applies to a MIPS16 jump instruction.

IMAGE_REL_BASED_DIR64

10

The base relocation applies the difference to the 64-bit field at offset.

任何中文翻译:

常量 描述
IMAGE_REL_BASED_ABSOLUTE       0x0 使块按照32位对齐,位置为0。
IMAGE_REL_BASED_HIGH 0x1 高16位必须应用于偏移量所指高字16位。
IMAGE_REL_BASED_LOW 0x2 低16位必须应用于偏移量所指低字16位。
IMAGE_REL_BASED_HIGHLOW 0x3 全部32位应用于所有32位。
IMAGE_REL_BASED_HIGHADJ 0x4 需要32位,高16位位于偏移量,低16位位于下一个偏移量数组元素,组合为一个带符号数,加上32位的一个数,然后加上8000然后把高16位保存在偏移量的16位域内。

例子:

解析遍布的dll:在QQ中的 zlib.dll 文件 (在QQ安装目录下的bin文件夹中):

首先找到重定位表,这里运用工具:

奥门新萄京网站 2

找到数据:

奥门新萄京网站 3

VirtualAddress 为 0x1000,SizeOfBlock 为 0x64。第一个条目为
0x338C,高中二年级个人为 0x3,offset为 0x38C,即偏移地址为 0x138C (由 0x1000 +
0x38C得来)应用于此地址上全部30个人。展开C32Asm反汇编查看:

奥门新萄京网站 4

Author

发表评论

电子邮件地址不会被公开。 必填项已用*标注