An executable file is a file that can be loaded and executed by the operating system. In different operating system environments, executable programs are presented in different ways.
Under the Windows operating system, executable programs can be .exe files, .sys files, .com files and other types of files.
An example is the Notepad program, notepad.exe. This kind of program is usually used to process or assist in processing other files. For example, myfile.txt can be opened by double-clicking, which starts the Notepad program notepad.exe to edit it.
We can also write the commands to run and the specific things to do, in order, into the file mybat.bat, and then run that file to carry out those tasks.
It can be understood as: such files can be "run alone", or understood as "live" files!
To describe it with an everyday example: if clothes, shoes and so on are ordinary files, then people are executable files! People can make clothes, but clothes must be made by people. Cloth, too, has to be processed into clothes by people!
script
Not all executable files contain only information that can be read by computers. Script files written in a scripting language can also be executable files, and the information they contain can be read by humans; most of them are saved as ASCII text. The reason is that a scripting language does not need to be precompiled by a compiler; it can be run by an interpreter (such as Perl, Python, Shell).
development process
In DOS, the steps to generate an executable file are relatively simple: the compiler compiles the source program into an obj file, and the linker then links the obj file into an exe file. The process is the same for development in different languages.
The contents of a DOS executable file are the code and data definitions written in the source program. The only exception is the exe file with an overlay, which appends some custom data to the basic exe file. The length of the executable part is given by the length fields at offsets 0002h and 0004h of the file header. The part from this length to the actual length of the file is the overlay part. In this way, even if the size of an exe file with an overlay is much larger than 640 KB, it can run in DOS, because the operating system loads only the real executable part, and the program then reads the data of the overlay part itself. The extremely large self-extracting packages generated by some packaging software use this structure: the executable part is the unpacking code, and the overlay part is the compressed data. DOS does not specify the data format of the overlay in an executable file; it is organized by programmers in their own way. If the programmer wants, these data can be put in a separate file instead.
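The header arithmetic described above can be checked with a short parser. This is an added example, not code from the original page: the function names and the sample bytes are constructed for illustration, and it assumes the standard MZ header convention that the word at 0002h is the number of bytes used in the last 512-byte page and the word at 0004h is the page count.

```python
import struct

PAGE = 512  # the MZ header counts the load image in 512-byte pages

def dos_image_length(data: bytes) -> int:
    """Length of the part DOS loads, from the words at 0002h and 0004h."""
    if len(data) < 6 or data[:2] != b"MZ":
        raise ValueError("not a DOS MZ executable")
    last_page_bytes, pages = struct.unpack_from("<HH", data, 2)
    if pages == 0 or last_page_bytes > PAGE:
        raise ValueError("implausible length fields")
    if last_page_bytes == 0:          # 0 means the last page is full
        return pages * PAGE
    return (pages - 1) * PAGE + last_page_bytes

def split_overlay(data: bytes):
    """Return (loaded part, overlay); the overlay is whatever follows."""
    loaded = dos_image_length(data)
    if loaded > len(data):
        raise ValueError("header claims more bytes than the file holds")
    return data[:loaded], data[loaded:]

def build_sample(image_len: int, overlay: bytes) -> bytes:
    """Constructed test input: minimal header, zero padding, overlay."""
    pages, last = divmod(image_len, PAGE)
    if last:
        pages += 1
    header = b"MZ" + struct.pack("<HH", last, pages)
    return header.ljust(image_len, b"\x00") + overlay

# Constructed sample: 612-byte load image followed by 11 overlay bytes.
SAMPLE = build_sample(612, b"PACKED-DATA")

if __name__ == "__main__":
    loaded, overlay = split_overlay(SAMPLE)
    print(len(SAMPLE), len(loaded), overlay)
```

A file whose overlay is large compared with its loaded part is the self-extracting layout described above, so a scanner that inspects only the loaded part never examines the appended data.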
Win32 executables are called PE files. The basic structure of the PE file is very different from that of the DOS executable file. It places the different parts of the program in sections, where one section can be used to hold various resources, such as menus, dialog boxes, bitmaps, cursors, icons, sounds, etc. Although the resource part can be understood as the "overlay" part of the DOS executable, the format of the resources is fixed, because they are a standard and very important part of the Win32 executable. So, compared with the DOS software development process, the development of Win32 software has one more step: creating the resource file.
Taking the MASM32 software package as an example, in the process of developing software with Win32 assembly, the work that the programmer needs to do is divided into creating code and creating resources, as shown in Figure 2.1.
The code part of the development work is the same as the steps of writing code under DOS. The programmer uses a text editor to write the assembly source code (*.asm file). As with C source code, the asm file can use the include statement to include header files of data definitions and function declarations. Header files for Win32 assembly generally use inc as the extension. Most include files are provided with the compiler software package. For example, the Windows.inc file provided with the MASM32 software package defines many parameters and data structures, and the other inc files are declarations of the Win32 API functions in different DLLs. Finally, the asm file is compiled by the assembler into an object file with the obj extension.
A resource file can include dialog boxes, shortcut keys, menus, strings, version information, and some graphic resources. The source file of a resource file is a "script" file, whose extension is generally rc. The different types of resources are defined in the script file according to its grammar. Finally, the resource compiler compiles it into a resource file, *.res. Resource script files also use many predefined values, so software packages generally also include a resource header file for the source file to import. The resource header file in the MASM32 software package is Resource.h.
In the resource file, different types of resources are recorded in different ways. A dialog resource records only the defined values, such as the size and location of the dialog box, and does not really store the pixels of the dialog box on the screen. The size, location and other information are not drawn as pixels on the screen until Windows finally interprets them. Menus, strings, shortcut keys and so on are composed of text. Graphics resources are really composed of pixels; they are defined in the script as a file name, and the resource compiler imports them from a disk file. The graphic files supported by Windows in resources are bmp bitmap files, cur cursor files and ico icon files; these graphic files can be created with other drawing software. In addition, wav sound files can also be used in resources. The method of creating resources is described in detail in Chapter 5.
After the object file *.obj and the resource file *.res have been compiled, the last step is to use the linker to link them into an executable file. Function libraries are used when linking. The function libraries used for programming in the DOS environment are static libraries. A static library is a set of code modules that have already been compiled. When the user uses a function in the source program, the linker selects the binary code of that function from the library file, takes it out and combines it with the obj file to generate the final exe file. In the Win32 environment, however, most public functions are encapsulated in DLL files and are called by user programs through dynamic linking. In this case, the library file only needs to contain the location information of the function in the DLL, and no longer needs to contain the binary code. Therefore, when linking, only the location information in the library file is taken out and put into the final executable file. A Win32 library file that contains only location information is called an import library.
Antivirus
Virus detection and removal
File virus
Most computer viruses are of the file type. A so-called file-type virus is one that parasitizes an executable file and relies on the executable file to spread. Mathematically, the removal process is in fact the reverse of the virus infection process. Through detection (jumps, decoding), all of the code of the virus body has been obtained. The data needed for restoration must be inside the virus body. As long as these data are found, the file can be recovered according to a certain procedure or method, that is, the virus can be removed.
Boot virus
There are also many kinds of such viruses. The first virus found in China, the "small ball" virus, is a boot virus, which occupies the floppy disk or the first sector, gains control of the computer before the operating system does, affects the I/O access speed of the system, and interferes with the normal operation of the system. Such viruses can be removed by the address method, the relative method, the logical method, the coverage method and the special method.
Memory detoxification
Because a live virus in memory will interfere with anti-virus software, almost all anti-virus software designers should consider memory detoxification. The new memory detoxification technology finds the location of the virus in memory and reconstructs some of its code to disable its propagation function.
Unknown virus detection
Through the analysis of a large number of viruses, we can grasp what viruses have in common, classify them according to the laws of their development and derivation, and summarize the code common to viruses (this code is the root of the existence, spread and attack of viruses). The weighted statistical values of this code contained in a file are used as the basis for detecting unknown viruses. Using knowledge of the file format, the start code is analyzed with a certain degree of disassembly and jump prediction, and an unknown virus is reported based on the combined results. This method is based on a unique virus description language, which has the characteristics of accurate description and a low false alarm rate.
Package file virus
Packing programs are common tool software that can wrap executable files, reducing the disk space they occupy and speeding up operation. But after a virus is wrapped, the virus is protected, so that all kinds of anti-virus software cannot find it. When a wrapped executable file that contains a virus is executed, the virus spreads everywhere; after anti-virus software has been used to remove the virus, the virus in the wrapped executable file remains, which is more harmful. With a unique unpacking module, the wrapped virus can be checked for without destroying wrapped executables that contain no virus.
Compression tool
There are often some files on the disk that have been processed by a compression tool, which saves disk space and facilitates confidentiality and portability. However, if someone unintentionally compresses a virus-infected file with a compression tool, then general anti-virus software cannot find the virus in the compressed file. Processing with the decompression algorithms and procedures can eradicate this virus.
Network virus prevention
For stand-alone virus prevention, using the above technologies, or anti-virus software with the corresponding functions, can basically guarantee that the computer system is free from viruses. Compared with protection against stand-alone viruses, the prevention and control of network viruses is more difficult, and is integrated with network management. The biggest advantage of network anti-virus is the management function of the network. If the management function is not added, it is difficult to complete the task of network anti-virus. Only the combination of management and prevention can ensure the good operation of the system.
The management function is to manage all network equipment and operations: from hubs, switches and servers to PCs, including access to floppy disks, information exchange on local area networks, and connection with the Internet.
Generally speaking, the prevention and cure of computer viruses is to improve the operating system and application software, but under the network environment we should take new preventive measures accordingly. In the network environment, viruses spread quickly, and it is difficult to remove network viruses with a single anti-virus product; a full range of anti-virus products suitable for LAN and WAN must be used.