Basic C++ Teaching 003 [COFF Revisited] 2019-11-17

2019-11-20  平知

Notation used in this series (glyphs taken from the Unicode Geometric Shapes, Miscellaneous Symbols and Dingbats blocks):
▶ marks a comparison in which only individual characters differ

◉ emphasis

  ◆ 1.
  ◆ 2.
  ◆ 3.  numbered points

✍ key points to memorize: personal summaries or notes
✎✎


  Related material:
  1. DOCU_001.HTM
  2. https://en.wikipedia.org/wiki/COFF

Chapter 1  COFF Symbol Table

  The COFF symbolic debugging information consists of symbolic (string) names for program functions and variables, and line number information, used for setting breakpoints and tracing execution.
  The COFF header dumped earlier is shown below. Note that dumpbin reports main.oo as an executable image despite its object-like name: it is a linked MinGW executable, and the COFF symbol table examined here is the one the MinGW linker kept in the image. Images produced by the Microsoft linker normally carry no COFF symbol table at all (PointerToSymbolTable and NumberOfSymbols are zero), because their symbolic information lives in the PDB.

C:\Users\lo\Desktop\New Folder\1\1>dumpbin /HEADERs main.oo
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.
Dump of file main.oo
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
             14C machine (x86)
              10 number of sections
               0 time date stamp Thu Jan 01 08:00:00 1970
           CD200 file pointer to symbol table
            3A0C number of symbols
              E0 size of optional header
             107 characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   32 bit word machine

  Two of these lines have not yet been checked against the file itself:

CD200 file pointer to symbol table
3A0C number of symbols

  According to the Microsoft documentation:
  The symbol table is an array of records, each 18 bytes long.

  Each record is either a standard or auxiliary symbol-table record.
  That is, every 18-byte slot is one or the other: a standard record, or an auxiliary record that belongs to the standard record immediately before it. A standard record never contains auxiliary fields itself.

  A standard record defines a symbol or name and has the following format.
  The standard record is defined in the following table:

A standard record definition:

| Offset | Size | Field              | Description                                                  |
| 0      | 8    | Name (*)           | The name of the symbol, represented by a union of three structures. An array of 8 bytes is used if the name is not more than 8 bytes long. For more information, see [Symbol Name Representation](https://www.bing.com/search?q=Symbol+Name+Representation). |
| 8      | 4    | Value              | The value that is associated with the symbol. The interpretation of this field depends on SectionNumber and StorageClass. A typical meaning is the relocatable address. |
| 12     | 2    | SectionNumber      | The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning, as defined in section 5.4.2, "Section Number Values." |
| 14     | 2    | Type               | A number that represents type. Microsoft tools set this field to 0x20 (function) or 0x0 (not a function). For more information, see [Type Representation](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#type-representation). |
| 16     | 1    | StorageClass       | An enumerated value that represents storage class. For more information, see [Storage Class](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#storage-class). |
| 17     | 1    | NumberOfAuxSymbols | The number of auxiliary symbol table entries that follow this record. |

  With the field layout known, the file can be examined through dumpbin's output (using the /symbols option; only the first record is shown here):

C:\Users\lo\Desktop\New Folder\1\1>dumpbin /symbols main.oo
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.
Dump of file main.oo
File Type: EXECUTABLE IMAGE
COFF SYMBOL TABLE
000 00000011 DEBUG  notype       Filename     | .file

  From the header above, the symbol table starts at file offset 0xCD200. Viewing the file in WinHex at that offset (screenshot not reproduced here):

  A problem appears here: the order in which dumpbin presents the fields does not seem to match either the definition or the byte order in the file.
  Key point: the file is little-endian, so every multi-byte field is stored with its least significant byte first and the bytes have to be reversed before the field is read as a number. LSB stands for Least Significant Byte (or Bit) and MSB for Most Significant Byte (or Bit); in this article both terms refer to bytes of a multi-byte field.
  After working through the bytes, the correspondence is as follows (screenshot not reproduced here):

  Pay particular attention to the NumberOfAuxSymbols field: its value is 1, meaning that one auxiliary symbol-table record follows this one. The exact layout of auxiliary records has to be looked up next:
  Auxiliary symbol table records always follow, and apply to, some standard symbol table record. An auxiliary record can have any format that the tools can recognize, but 18 bytes must be allocated for them so that symbol table is maintained as an array of regular size. Currently, Microsoft tools recognize auxiliary formats for the following kinds of records: function definitions, function begin and end symbols (.bf and .ef), weak externals, file names, and section definitions.

  The traditional COFF design also includes auxiliary-record formats for arrays and structures. Microsoft tools do not use these, but instead place that symbolic information in Visual C++ debug format in the debug sections.

  Microsoft tools recognize five auxiliary formats; which one applies is determined by the storage class (and, for function definitions, the Type) of the standard record that precedes it:

Auxiliary Format 1: Function Definitions

A symbol table record marks the beginning of a function definition if it has all of the following: 
a storage class of EXTERNAL (2), a Type value that indicates it is a function (0x20), and a section number that is greater than zero. 
Note that a symbol table record that has a section number of UNDEFINED (0) does not define the function and does not have an auxiliary record. 
Function-definition symbol records are followed by an auxiliary record in the format described below:

| Offset | Size | Field                 | Description                                                  |
| 0      | 4    | TagIndex              | The symbol-table index of the corresponding .bf (begin function) symbol record. |
| 4      | 4    | TotalSize             | The size of the executable code for the function itself. If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment considerations. |
| 8      | 4    | PointerToLinenumber   | The file offset of the first COFF line-number entry for the function, or zero if none exists. For more information, see [COFF Line Numbers (Deprecated)](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#coff-line-numbers-deprecated). |
| 12     | 4    | PointerToNextFunction | The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero. |
| 16     | 2    | Unused                |                                                              |

Auxiliary Format 2: .bf and .ef Symbols

For each function definition in the symbol table, three items describe the beginning, ending, and number of lines. Each of these symbols has storage class FUNCTION (101):
A symbol record named .bf (begin function). The Value field is unused.
A symbol record named .lf (lines in function). The Value field gives the number of lines in the function.
A symbol record named .ef (end of function). The Value field has the same number as the Total Size field in the function-definition symbol record.
The .bf and .ef symbol records (but not .lf records) are followed by an auxiliary record with the following format:

| Offset | Size | Field                             | Description                                                  |
| 0      | 4    | Unused                            |                                                              |
| 4      | 2    | Linenumber                        | The actual ordinal line number (1, 2, 3, and so on) within the source file, corresponding to the .bf or .ef record. |
| 6      | 6    | Unused                            |                                                              |
| 12     | 4    | PointerToNextFunction ( .bf only) | The symbol-table index of the next .bf symbol record. If the function is the last in the symbol table, this field is set to zero. It is not used for .ef records. |
| 16     | 2    | Unused                            |                                                              |

Auxiliary Format 3: Weak Externals

"Weak externals" are a mechanism for object files that allows flexibility at link time. 
A module can contain an unresolved external symbol (sym1), but it can also include an auxiliary record that indicates that if sym1 is not present at link time, 
another external symbol (sym2) is used to resolve references instead.

If a definition of sym1 is linked, then an external reference to the symbol is resolved normally.
 If a definition of sym1 is not linked, then all references to the weak external for sym1 refer to sym2 instead. The external symbol, sym2, must always be linked; 
typically, it is defined in the module that contains the weak reference to sym1.

Weak externals are represented by a symbol table record with EXTERNAL storage class, UNDEF section number, and a value of zero. 
The weak-external symbol record is followed by an auxiliary record with the following format:

Note that the Characteristics field is not defined in WINNT.H; instead, the Total Size field is used.

| Offset | Size | Field           | Description                                                  |
| 0      | 4    | TagIndex        | The symbol-table index of sym2, the symbol to be linked if sym1 is not found. |
| 4      | 4    | Characteristics | A value of IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY indicates that no library search for sym1 should be performed. A value of IMAGE_WEAK_EXTERN_SEARCH_LIBRARY indicates that a library search for sym1 should be performed. A value of IMAGE_WEAK_EXTERN_SEARCH_ALIAS indicates that sym1 is an alias for sym2. |
| 8      | 10   | Unused          |                                                              |

Auxiliary Format 4: Files

This format follows a symbol-table record with storage class FILE (103). 
The symbol name itself should be .file, 
and the auxiliary record that follows it gives the name of a source-code file.

| Offset | Size | Field     | Description                                                  |
| 0      | 18   | File Name | An ANSI string that gives the name of the source file. This is padded with nulls if it is less than the maximum length. |

Auxiliary Format 5: Section Definitions

This format follows a symbol-table record that defines a section. 
Such a record has a symbol name that is the name of a section (such as .text or .drectve) and has storage class STATIC (3). 
The auxiliary record provides information about the section to which it refers. 
Thus, it duplicates some of the information in the section header.

| Offset | Size | Field               | Description                                                  |
| 0      | 4    | Length              | The size of section data; the same as SizeOfRawData in the section header. |
| 4      | 2    | NumberOfRelocations | The number of relocation entries for the section.            |
| 6      | 2    | NumberOfLinenumbers | The number of line-number entries for the section.           |
| 8      | 4    | CheckSum            | The checksum for communal data. It is applicable if the IMAGE_SCN_LNK_COMDAT flag is set in the section header. For more information, see [COMDAT Sections (Object Only)](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#comdat-sections-object-only). |
| 12     | 2    | Number              | One-based index into the section table for the associated section. This is used when the COMDAT selection setting is 5. |
| 14     | 1    | Selection           | The COMDAT selection number. This is applicable if the section is a COMDAT section. |
| 15     | 3    | Unused              |                                                              |

  From the StorageClass value 0x67 = 103, the auxiliary record here must be Auxiliary Format 4: Files.
  It is an 18-byte ANSI string holding the file name. Looking at the bytes (screenshot not reproduced here):

  Compared with dumpbin's output:

COFF SYMBOL TABLE
000 00000011 DEBUG  notype       Filename     | .file
    crt1.c
002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup
    tag index 00000000 size 00000000 lines 00000000 next function 00000000
004 00000110 SECT1  notype ()    Static       | __gnu_exception_handler@4
005 00000280 SECT1  notype ()    External     | _mainCRTStartup
006 000002A0 SECT1  notype ()    External     | _WinMainCRTStartup
007 000002C0 SECT1  notype ()    External     | _atexit
008 000002D0 SECT1  notype ()    External     | __onexit
009 00000000 SECT1  notype       Static       | .text

  Because the first record is a standard record with every field present, dumpbin can show it in several columns (00000011, DEBUG, notype, Filename, | .file). The second line shows the auxiliary record, which is nothing but a string, so it looks as if part of the information were missing.

  OK, now the third and fourth lines of the listing need close attention:

002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup
    tag index 00000000 size 00000000 lines 00000000 next function 00000000

  By the theory above, these two records should follow directly after the crt1.c string and occupy 18 + 18 = 36 bytes in total (screenshot not reproduced here):

  Name field, value: the first 4 bytes are zero and the next 4 bytes hold 0x74 (screenshot not reproduced here).
  But why does this not match the Name shown by dumpbin?
002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup
    tag index 00000000 size 00000000 lines 00000000 next function 00000000

  The explanation is here:
   Symbol Name Representation
  The ShortName field in a symbol table consists of 8 bytes that contain the name itself, if it is not more than 8 bytes long, or the ShortName field gives an offset into the string table. To determine whether the name itself or an offset is given, test the first 4 bytes for equality to zero.
  So a name of at most 8 bytes is stored directly in the field; note that a name of exactly 8 bytes has no terminating NUL, so the field must be read as an 8-byte slice, not as a C string. A longer name goes into the string table; the first 4 bytes of Name are then set to 0 and the last 4 bytes hold the offset of the name within the string table.
  By convention, the names are treated as zero-terminated UTF-8 encoded strings.

| Offset | Size | Field     | Description                                                  |
| 0      | 8    | ShortName | An array of 8 bytes. This array is padded with nulls on the right if the name is less than 8 bytes long. |
| 0      | 4    | Zeroes    | A field that is set to all zeros if the name is longer than 8 bytes. |
| 4      | 4    | Offset    | An offset into the string table.                             |

  So where is the string table?
  Immediately following the COFF symbol table is the COFF string table. The position of this table is found by taking the symbol table address in the COFF header and adding the number of symbols multiplied by the size of a symbol.
  The string table directly follows the symbol table; there is no pointer to it in the header, so its position has to be computed.

  At the beginning of the COFF string table are 4 bytes that contain the total size (in bytes) of the rest of the string table. This size includes the size field itself, so that the value in this location would be 4 if no strings were present.
  The first 4 bytes of the string table hold the table's total length, including those 4 bytes themselves.

  Symbol table start: 0xCD200

  Number of symbols: 0x3A0C = 14860
  Size of each symbol: 18 bytes
  Total size of the symbol table: 14860 × 18 = 267480 = 0x414D8

  So the string table starts at 0xCD200 + 0x414D8 = 0x10E6D8, and the 4-byte size read there is 0x0006F712.
  Hence the string table ends at 0x10E6D8 + 0x0006F712 = 0x17DDEA (a sanity check a parser should make: this end offset must not exceed the file size).

  Back to the name: the string table starts at 0xCD200 + 0x414D8 = 0x10E6D8,
  the Name offset is 0x74,
  so the name is at 0x10E6D8 + 0x74 = 0x10E74C (screenshot not reproduced here):



  Compared with dumpbin's result:

002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup

  Following the size are null-terminated strings that are pointed to by symbols in the COFF symbol table.
  Strings in the string table are NUL-terminated, so locating one needs only its start offset: it ends at the first 0 byte. A parser should nevertheless stop at the end of the table as given by the size field, because a malformed file with a missing terminator would otherwise make it read past the table.



  Value field, value 0x00000000 (screenshot not reproduced here):


  SectionNumber field, value 1 (dumpbin shows SECT1), i.e. section header #1:
SECTION HEADER #1
   .text name
   B6BA0 virtual size
    1000 virtual address (00401000 to 004B7B9F)
   B6C00 size of raw data
     400 file pointer to raw data (00000400 to 000B6FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60500060 flags
         Code
         Initialized Data
         RESERVED - UNKNOWN
         RESERVED - UNKNOWN
         Execute Read

  This means the symbol belongs to the .text section.
  The following Section Number values have special meanings:

| Constant            | Value | Description                                                  |
| IMAGE_SYM_UNDEFINED | 0     | The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value. |
| IMAGE_SYM_ABSOLUTE  | -1    | The symbol has an absolute (non-relocatable) value and is not an address. |
| IMAGE_SYM_DEBUG     | -2    | The symbol provides general type or debugging information but does not correspond to a section. Microsoft tools use this setting along with .file records (storage class FILE). |



  Type field, value 0x0020 (dumpbin shows it as notype (); screenshot not reproduced here):


  The Type field of a symbol table entry contains 2 bytes, where each byte represents type information. The LSB represents the simple (base) data type, and the MSB represents the complex type, if any:
  Machine translation renders LSB and MSB here as least/most significant bit, which is what made this so confusing: in this sentence they are the least and most significant byte of the 2-byte field, i.e. the first and the second byte as stored in the file.
  The LSB (low byte) represents the simple (base) data type:
| Constant              | Value | Description                                                  |
| IMAGE_SYM_TYPE_NULL   | 0     | No type information or unknown base type. Microsoft tools use this setting |
| IMAGE_SYM_TYPE_VOID   | 1     | No valid type; used with void pointers and functions         |
| IMAGE_SYM_TYPE_CHAR   | 2     | A character (signed byte)                                    |
| IMAGE_SYM_TYPE_SHORT  | 3     | A 2-byte signed integer                                      |
| IMAGE_SYM_TYPE_INT    | 4     | A natural integer type (normally 4 bytes in Windows)         |
| IMAGE_SYM_TYPE_LONG   | 5     | A 4-byte signed integer                                      |
| IMAGE_SYM_TYPE_FLOAT  | 6     | A 4-byte floating-point number                               |
| IMAGE_SYM_TYPE_DOUBLE | 7     | An 8-byte floating-point number                              |
| IMAGE_SYM_TYPE_STRUCT | 8     | A structure                                                  |
| IMAGE_SYM_TYPE_UNION  | 9     | A union                                                      |
| IMAGE_SYM_TYPE_ENUM   | 10    | An enumerated type                                           |
| IMAGE_SYM_TYPE_MOE    | 11    | A member of enumeration (a specific value)                   |
| IMAGE_SYM_TYPE_BYTE   | 12    | A byte; unsigned 1-byte integer                              |
| IMAGE_SYM_TYPE_WORD   | 13    | A word; unsigned 2-byte integer                              |
| IMAGE_SYM_TYPE_UINT   | 14    | An unsigned integer of natural size (normally, 4 bytes)      |
| IMAGE_SYM_TYPE_DWORD  | 15    | An unsigned 4-byte integer                                   |

  The MSB (high byte) represents the complex type:

| Constant                 | Value | Description                                              |
| IMAGE_SYM_DTYPE_NULL     | 0     | No derived type; the symbol is a simple scalar variable. |
| IMAGE_SYM_DTYPE_POINTER  | 1     | The symbol is a pointer to base type.                    |
| IMAGE_SYM_DTYPE_FUNCTION | 2     | The symbol is a function that returns a base type.       |
| IMAGE_SYM_DTYPE_ARRAY    | 3     | The symbol is an array of base type.                     |

  The concepts are rather muddled here, so start from dumpbin's output:

COFF SYMBOL TABLE

000 00000011 DEBUG  notype       Filename     | .file

    crt1.c
002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup

    tag index 00000000 size 00000000 lines 00000000 next function 00000000

  First, treat the whole Type field as one unit (screenshot not reproduced here):

  Then split the 2 bytes into four 4-bit nibbles, labelled 一, 二, 三, 四 in file order:

  Convert from file order to numeric order (Intel is little-endian, so nibbles 三 and 四 in the figure are the high byte of the value and move to the front after conversion):

  The high byte is 0, which is the same as there being no high byte, so the figure is equivalent to:

  With the data laid out like this, MSB and LSB are clearly distinguishable:

  How to verify?
  Method: patch the corresponding field in main.oo directly with a hex editor, then check dumpbin's output. This is purely to test the theory, so whether the patched file still runs does not matter.

  Change the 20 to 32. From the analysis above, the 3 sits in the MSB position and the 2 in the LSB position; by the documentation MSB = 3 = ARRAY = [] and LSB = 2 = CHAR. Try dumpbin:

  How should the remaining two nibbles be classified? Simple: write data into them and look (13 written into the high byte):

  dumpbin's output:

  Taken at face value, what was added are two more MSB-style (derived) types, so the upper two nibbles are also derived-type positions. The earlier figure can be completed accordingly:

  Switching back to file order:

  The head-scratching LSB and MSB finally have a clear thread. One caveat: winnt.h defines the classic COFF packing (N_BTMASK 0x000F for the base type, N_TMASK 0x0030 for the first derived type, N_TSHIFT 2), in which each derived type above the base type is a 2-bit field rather than a nibble. The experiment above cannot tell the two readings apart, because the values used here (0x20, 0x32, and 0x13 in the high byte) yield the same non-null types either way.
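A decoder for the Type field, added here as an example (not code from the original post or from dumpbin). It follows the classic COFF packing that winnt.h exposes through the N_BTMASK, N_TMASK, N_BTSHFT and N_TSHIFT macros: the low 4 bits hold the base type and each derived type above it is a 2-bit field, so the upper 12 bits are six derived-type slots rather than three nibbles. For the values Microsoft tools actually emit (0x0000 and 0x0020) and for the patched 0x0032 both views agree; the decoder makes the difference visible for arbitrary values. The text rendering in describe() is this example's own convention, except for "notype ()", which is copied from the dump above.

```python
# COFF symbol Type decoder (added example). Constants follow the classic COFF
# packing defined in winnt.h: base type in the low nibble, then stacked 2-bit
# derived-type fields. The PE spec's "LSB = base, MSB = complex" wording
# describes the two bytes Microsoft tools actually use (0x0000 and 0x0020).

BASE_TYPES = {
    0: "NULL", 1: "VOID", 2: "CHAR", 3: "SHORT", 4: "INT", 5: "LONG",
    6: "FLOAT", 7: "DOUBLE", 8: "STRUCT", 9: "UNION", 10: "ENUM",
    11: "MOE", 12: "BYTE", 13: "WORD", 14: "UINT", 15: "DWORD",
}
DERIVED_TYPES = {0: "NULL", 1: "POINTER", 2: "FUNCTION", 3: "ARRAY"}

N_BTMASK = 0x000F   # base type mask
N_TMASK = 0x0030    # first derived type mask
N_BTSHFT = 4        # bits occupied by the base type
N_TSHIFT = 2        # width of each derived-type field
DERIVED_SLOTS = (16 - N_BTSHFT) // N_TSHIFT   # six 2-bit slots


def decode_type(type_field: int):
    """Split a 16-bit Type into (base, [derived types, innermost first]).

    Trailing NULL slots are dropped, so 0x0020 -> ("NULL", ["FUNCTION"])
    and 0x0032 -> ("CHAR", ["ARRAY"]); interior NULL slots are kept so the
    caller can see exactly which bits were set.
    """
    if not 0 <= type_field <= 0xFFFF:
        raise ValueError("Type is a 2-byte field")
    base = BASE_TYPES[type_field & N_BTMASK]
    derived = []
    bits = type_field >> N_BTSHFT
    for _ in range(DERIVED_SLOTS):
        derived.append(DERIVED_TYPES[bits & (N_TMASK >> N_BTSHFT)])
        bits >>= N_TSHIFT
    while derived and derived[-1] == "NULL":
        derived.pop()
    return base, derived


def is_function(type_field: int) -> bool:
    """Same test as the ISFCN() macro: the first derived type is FUNCTION."""
    return (type_field & N_TMASK) == (2 << N_BTSHFT)


def from_bytes_le(two_bytes: bytes) -> int:
    """Read the field as it sits in the file: low byte first. The byte pair
    20 00 is the value 0x0020, which dumpbin prints as 'notype ()'."""
    if len(two_bytes) != 2:
        raise ValueError("Type occupies exactly 2 bytes")
    return int.from_bytes(two_bytes, "little")


def describe(type_field: int) -> str:
    """Render in dumpbin's spirit: 'notype' or the base type, then one suffix
    per derived type ('()' function, '*' pointer, '[]' array)."""
    base, derived = decode_type(type_field)
    suffix = {"FUNCTION": "()", "POINTER": "*", "ARRAY": "[]"}
    name = "notype" if base == "NULL" else base.lower()
    return " ".join([name] + [suffix[d] for d in derived if d != "NULL"])
```

Feeding the two bytes from the file through from_bytes_le() and then decode_type() reproduces the manual steps above in one go; decode_type(0x1332) shows why the 2-bit view matters, since it yields ARRAY, NULL, ARRAY, NULL, POINTER rather than three whole-nibble types.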

  StorageClass field: for this record the value is 3 (Static). The field is defined as follows:
  The StorageClass field of the symbol table indicates what kind of definition a symbol represents. The following table shows possible values. Note that the StorageClass field is an unsigned 1-byte integer. The special value -1 should therefore be taken to mean its unsigned equivalent, 0xFF.
  Although the traditional COFF format uses many storage-class values, Microsoft tools rely on Visual C++ debug format for most symbolic information and generally use only four storage-class values: EXTERNAL (2), STATIC (3), FUNCTION (101), and FILE (103). Except in the second column heading below, "Value" should be taken to mean the Value field of the symbol record (whose interpretation depends on the number found as the storage class).

| Constant                         | Value     | Description/interpretation of the Value field                |
| IMAGE_SYM_CLASS_END_OF_FUNCTION  | -1 (0xFF) | A special symbol that represents the end of function, for debugging purposes. |
| IMAGE_SYM_CLASS_NULL             | 0         | No assigned storage class.                                   |
| IMAGE_SYM_CLASS_AUTOMATIC        | 1         | The automatic (stack) variable. The Value field specifies the stack frame offset. |
| IMAGE_SYM_CLASS_EXTERNAL         | 2         | A value that Microsoft tools use for external symbols. The Value field indicates the size if the section number is IMAGE_SYM_UNDEFINED (0). If the section number is not zero, then the Value field specifies the offset within the section. |
| IMAGE_SYM_CLASS_STATIC           | 3         | The offset of the symbol within the section. If the Value field is zero, then the symbol represents a section name. |
| IMAGE_SYM_CLASS_REGISTER         | 4         | A register variable. The Value field specifies the register number. |
| IMAGE_SYM_CLASS_EXTERNAL_DEF     | 5         | A symbol that is defined externally.                         |
| IMAGE_SYM_CLASS_LABEL            | 6         | A code label that is defined within the module. The Value field specifies the offset of the symbol within the section. |
| IMAGE_SYM_CLASS_UNDEFINED_LABEL  | 7         | A reference to a code label that is not defined.             |
| IMAGE_SYM_CLASS_MEMBER_OF_STRUCT | 8         | The structure member. The Value field specifies the n th member. |
| IMAGE_SYM_CLASS_ARGUMENT         | 9         | A formal argument (parameter) of a function. The Value field specifies the n th argument. |
| IMAGE_SYM_CLASS_STRUCT_TAG       | 10        | The structure tag-name entry.                                |
| IMAGE_SYM_CLASS_MEMBER_OF_UNION  | 11        | A union member. The Value field specifies the n th member.   |
| IMAGE_SYM_CLASS_UNION_TAG        | 12        | The Union tag-name entry.                                    |
| IMAGE_SYM_CLASS_TYPE_DEFINITION  | 13        | A Typedef entry.                                             |
| IMAGE_SYM_CLASS_UNDEFINED_STATIC | 14        | A static data declaration.                                   |
| IMAGE_SYM_CLASS_ENUM_TAG         | 15        | An enumerated type tagname entry.                            |
| IMAGE_SYM_CLASS_MEMBER_OF_ENUM   | 16        | A member of an enumeration. The Value field specifies the n th member. |
| IMAGE_SYM_CLASS_REGISTER_PARAM   | 17        | A register parameter.                                        |
| IMAGE_SYM_CLASS_BIT_FIELD        | 18        | A bit-field reference. The Value field specifies the n th bit in the bit field. |
| IMAGE_SYM_CLASS_BLOCK            | 100       | A .bb (beginning of block) or .eb (end of block) record. The Value field is the relocatable address of the code location. |
| IMAGE_SYM_CLASS_FUNCTION         | 101       | A value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf ), end function ( .ef ), and lines in function ( .lf ). For .lf records, the Value field gives the number of source lines in the function. For .ef records, the Value field gives the size of the function code. |
| IMAGE_SYM_CLASS_END_OF_STRUCT    | 102       | An end-of-structure entry.                                   |
| IMAGE_SYM_CLASS_FILE             | 103       | A value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record. The symbol is followed by auxiliary records that name the file. |
| IMAGE_SYM_CLASS_SECTION          | 104       | A definition of a section (Microsoft tools use STATIC storage class instead). |
| IMAGE_SYM_CLASS_WEAK_EXTERNAL    | 105       | A weak external. For more information, see [Auxiliary Format 3: Weak Externals](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-3-weak-externals). |
| IMAGE_SYM_CLASS_CLR_TOKEN        | 107       | A CLR token symbol. The name is an ASCII string that consists of the hexadecimal value of the token. For more information, see [CLR Token Definition (Object Only)](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#clr-token-definition-object-only). |

  Now the auxiliary record of this symbol table record:

  002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup
    tag index 00000000 size 00000000 lines 00000000 next function 00000000

  Judging purely by its outward format, it matches Auxiliary Format 1: Function Definitions:
  A symbol table record marks the beginning of a function definition if it has all of the following: a storage class of EXTERNAL (2), a Type value that indicates it is a function (0x20), and a section number that is greater than zero. Note that a symbol table record that has a section number of UNDEFINED (0) does not define the function and does not have an auxiliary record. Function-definition symbol records are followed by an auxiliary record in the format described below:
  By that definition, however, a function-definition record needs storage class EXTERNAL (2), whereas dumpbin clearly shows Static (3) here. The dump is consistent with ___mingw_CRTStartup being a file-scope (static) function in crt1.c, for which the MinGW toolchain emits STATIC storage class yet still writes the function-definition auxiliary record; dumpbin evidently keys on the function Type (0x20) rather than on the storage class when it decodes the record. This is not pursued further here; in similar cases below, the definition and the actual dump are weighed together.

Auxiliary Format 1: Function Definitions

| Offset | Size | Field                 | Description                                                  |
| 0      | 4    | TagIndex              | The symbol-table index of the corresponding .bf (begin function) symbol record. |
| 4      | 4    | TotalSize             | The size of the executable code for the function itself. If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment considerations. |
| 8      | 4    | PointerToLinenumber   | The file offset of the first COFF line-number entry for the function, or zero if none exists. For more information, see [COFF Line Numbers (Deprecated)](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#coff-line-numbers-deprecated). |
| 12     | 4    | PointerToNextFunction | The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero. |
| 16     | 2    | Unused                |                                                              |

  Next, consider lines nine and ten of the listing (record 009 and its auxiliary record), a kind not analysed so far:

C:\Users\lo\Desktop\New Folder\1\1>dumpbin /symbols main.oo
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file main.oo

File Type: EXECUTABLE IMAGE

COFF SYMBOL TABLE
000 00000011 DEBUG  notype       Filename     | .file
    crt1.c
002 00000000 SECT1  notype ()    Static       | ___mingw_CRTStartup
    tag index 00000000 size 00000000 lines 00000000 next function 00000000
004 00000110 SECT1  notype ()    Static       | __gnu_exception_handler@4
005 00000280 SECT1  notype ()    External     | _mainCRTStartup
006 000002A0 SECT1  notype ()    External     | _WinMainCRTStartup
007 000002C0 SECT1  notype ()    External     | _atexit
008 000002D0 SECT1  notype ()    External     | __onexit
009 00000000 SECT1  notype       Static       | .text
    Section length  2D7, #relocs   26, #linenums    0, checksum        0

  First, locate the record.
  Symbol table start: 0xCD200
  There are 9 entries before it (indices start at 0, and the two auxiliary records count), 18 bytes each: 9 × 18 = 0xA2
  Sum: 0xCD200 + 0xA2 = 0xCD2A2 (screenshot not reproduced here)



  First, this record carries one auxiliary record, and from the dump it matches

Auxiliary Format 5: Section Definitions

| Offset | Size | Field               | Description                                                  |
| 0      | 4    | Length              | The size of section data; the same as SizeOfRawData in the section header. |
| 4      | 2    | NumberOfRelocations | The number of relocation entries for the section.            |
| 6      | 2    | NumberOfLinenumbers | The number of line-number entries for the section.           |
| 8      | 4    | CheckSum            | The checksum for communal data. It is applicable if the IMAGE_SCN_LNK_COMDAT flag is set in the section header. For more information, see [COMDAT Sections (Object Only)](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#comdat-sections-object-only). |
| 12     | 2    | Number              | One-based index into the section table for the associated section. This is used when the COMDAT selection setting is 5. |
| 14     | 1    | Selection           | The COMDAT selection number. This is applicable if the section is a COMDAT section. |
| 15     | 3    | Unused              |                                                              |

  This format follows a symbol-table record that defines a section. Such a record has a symbol name that is the name of a section (such as .text or .drectve) and has storage class STATIC (3). The auxiliary record provides information about the section to which it refers. Thus, it duplicates some of the information in the section header.
  Per the documentation, an auxiliary record of this kind requires three things of the standard record:
  ◆ 1. the symbol name is a section name
  ◆ 2. the storage class is STATIC (3)
  ◆ 3. the symbol Value is 0
  Note that the Length 0x2D7 and the 0x26 relocations reported here are not the 0xB6C00 SizeOfRawData and 0 relocations of the .text section header shown earlier: they evidently describe the .text section of crt1.o, whose section symbol and auxiliary record the MinGW linker carried into the image unchanged. In a linked image this "duplicate of the section header" therefore cannot be assumed to agree with the header; only in an object file does the Length equal SizeOfRawData.


009 00000000 SECT1  notype       Static       | .text
    Section length  2D7, #relocs   26, #linenums    0, checksum        0
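The whole walk above, from the header's PointerToSymbolTable and NumberOfSymbols to the string table and the three auxiliary formats met in this dump, can be reproduced with a small parser. The code below is an added example written for this article, not code from the original post or from dumpbin. It parses a byte blob constructed inline to mirror a subset of the records in the dump above, renumbered consecutively (names, values, storage classes and the 0x2D7/0x26 section figures are copied from that dump; the 0x40-byte zero region in front of the table stands in for the file header, and the remaining externals are omitted). It also performs the checks a parser needs before trusting offsets taken from an untrusted file: the symbol table and the string table must lie inside the file, an auxiliary count must not run past the table, a long-name offset must fall inside the string table, and an inline 8-byte name is sliced rather than treated as a C string.

```python
import struct

SYMBOL_SIZE = 18
# Standard record: Name[8], Value u32, SectionNumber s16, Type u16,
# StorageClass u8, NumberOfAuxSymbols u8, all little-endian as stored on disk.
STD_RECORD = struct.Struct("<8sIhHBB")

SECTION_SPECIAL = {0: "UNDEF", -1: "ABS", -2: "DEBUG"}
STORAGE_CLASS = {0: "Null", 2: "External", 3: "Static", 101: "Function",
                 103: "Filename", 105: "WeakExternal", 0xFF: "EndOfFunction"}


def string_table_offset(symtab_off: int, nsyms: int) -> int:
    """No header field points at the string table: it starts right after the
    symbol table, at PointerToSymbolTable + NumberOfSymbols * 18."""
    return symtab_off + nsyms * SYMBOL_SIZE


def read_string_table(data: bytes, strtab_off: int) -> bytes:
    """Return the string table (size field included), rejecting a size field
    that is below the 4-byte minimum or points past the end of the file."""
    if strtab_off < 0 or strtab_off + 4 > len(data):
        raise ValueError("string table header outside file")
    (size,) = struct.unpack_from("<I", data, strtab_off)
    if size < 4 or strtab_off + size > len(data):
        raise ValueError("string table size %#x outside file" % size)
    return data[strtab_off:strtab_off + size]


def resolve_name(raw8: bytes, strtab: bytes) -> str:
    """Apply the Name union: a zero first dword means the second dword is an
    offset into the string table; otherwise the 8 bytes are the name itself,
    NUL-padded only when shorter than 8."""
    if raw8[:4] == b"\0\0\0\0":
        (off,) = struct.unpack_from("<I", raw8, 4)
        if off < 4 or off >= len(strtab):
            raise ValueError("name offset %#x outside string table" % off)
        end = strtab.find(b"\0", off)
        if end < 0:
            raise ValueError("unterminated string at %#x" % off)
        return strtab[off:end].decode("utf-8", "replace")
    return raw8.rstrip(b"\0").decode("utf-8", "replace")


def decode_aux(sym: dict, aux: bytes) -> dict:
    """Decode the first auxiliary record with the cues used in the text:
    FILE class -> Format 4; STATIC, Value 0, no type -> Format 5; function
    Type (first derived type FUNCTION) in a real section -> Format 1, which
    is also how dumpbin treats the Static ___mingw_CRTStartup record."""
    if sym["storage_class"] == "Filename":
        return {"format": "file",
                "file_name": aux.rstrip(b"\0").decode("utf-8", "replace")}
    if sym["storage_class"] == "Static" and sym["value"] == 0 and sym["type"] == 0:
        length, nrel, nlin, chk, num, sel = struct.unpack_from("<IHHIHB", aux)
        return {"format": "section", "length": length, "relocs": nrel,
                "linenums": nlin, "checksum": chk, "number": num, "selection": sel}
    if (sym["type"] & 0x30) == 0x20 and sym["section"].startswith("SECT"):
        tag, size, lnptr, nxt = struct.unpack_from("<IIII", aux)
        return {"format": "function", "tag_index": tag, "total_size": size,
                "line_ptr": lnptr, "next_function": nxt}
    return {"format": "unknown", "raw": aux.hex()}


def parse_symbols(data: bytes, symtab_off: int, nsyms: int):
    """Walk the table like dumpbin /symbols: standard records keep their
    index, auxiliary records are consumed by the record that owns them."""
    end = string_table_offset(symtab_off, nsyms)
    if symtab_off < 0 or end > len(data):
        raise ValueError("symbol table outside file")
    strtab = read_string_table(data, end)
    symbols, i = [], 0
    while i < nsyms:
        name, value, section, typ, sclass, naux = STD_RECORD.unpack_from(
            data, symtab_off + i * SYMBOL_SIZE)
        if i + naux >= nsyms:
            raise ValueError("aux count at index %d runs past the table" % i)
        sym = {"index": i, "name": resolve_name(name, strtab), "value": value,
               "section": SECTION_SPECIAL.get(section, "SECT%d" % section),
               "type": typ, "storage_class": STORAGE_CLASS.get(sclass, str(sclass)),
               "aux": None}
        if naux:
            start = symtab_off + (i + 1) * SYMBOL_SIZE
            sym["aux"] = decode_aux(sym, data[start:start + SYMBOL_SIZE])
        symbols.append(sym)
        i += 1 + naux
    return symbols, strtab


def build_sample():
    """Constructed input: 0x40 zero bytes standing in for the headers, seven
    18-byte entries mirroring the dump above, then the string table."""
    body = b"___mingw_CRTStartup\0"             # 19 chars: too long for ShortName
    strtab = struct.pack("<I", 4 + len(body)) + body
    long_name = struct.pack("<II", 0, 4)        # Zeroes = 0, Offset = 4
    symtab = b"".join([
        STD_RECORD.pack(b".file", 0x11, -2, 0x0, 103, 1),      # .file, DEBUG, 1 aux
        b"crt1.c".ljust(SYMBOL_SIZE, b"\0"),                    # aux: Format 4 file name
        STD_RECORD.pack(long_name, 0x0, 1, 0x20, 3, 1),         # ___mingw_CRTStartup
        struct.pack("<IIIIH", 0, 0, 0, 0, 0),                   # aux: Format 1, all zero
        STD_RECORD.pack(b"_atexit", 0x2C0, 1, 0x20, 2, 0),      # _atexit, External
        STD_RECORD.pack(b".text", 0x0, 1, 0x0, 3, 1),           # .text section symbol
        struct.pack("<IHHIHB", 0x2D7, 0x26, 0, 0, 0, 0) + b"\0" * 3,  # aux: Format 5
    ])
    header = b"\0" * 0x40
    return header + symtab + strtab, len(header), 7
```

With the page's header values, string_table_offset(0xCD200, 0x3A0C) returns 0x10E6D8, matching the hand calculation above. On the constructed blob, parse_symbols() yields four standard records with indices 0, 2, 4 and 5, exactly the numbering gaps dumpbin shows where auxiliary records sit; truncate the blob and it raises ValueError instead of reading past the end.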