0x01 PE加載情況

0x02 DOS頭
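/*
 * DOS .EXE header, always at file offset 0 of a PE image. The trailing number on
 * each field line is the field's offset within the file. Only e_magic and
 * e_lfanew matter to a PE loader; the rest belong to the legacy DOS program.
 */
typedef struct _IMAGE_DOS_HEADER {
    WORD e_magic;       // Magic number, expected to be 0x5A4D ("MZ"); reject the file otherwise   0x00
    WORD e_cblp;        // Bytes on last page of file                                            0x02
    WORD e_cp;          // Pages in file                                                         0x04
    WORD e_crlc;        // Relocations                                                           0x06
    WORD e_cparhdr;     // Size of header in paragraphs                                          0x08
    WORD e_minalloc;    // Minimum extra paragraphs needed                                       0x0A
    WORD e_maxalloc;    // Maximum extra paragraphs needed                                       0x0C
    WORD e_ss;          // Initial (relative) SS value                                           0x0E
    WORD e_sp;          // Initial SP value                                                      0x10
    WORD e_csum;        // Checksum                                                              0x12
    WORD e_ip;          // Initial IP value                                                      0x14
    WORD e_cs;          // Initial (relative) CS value                                           0x16
    WORD e_lfarlc;      // File address of relocation table                                      0x18
    WORD e_ovno;        // Overlay number                                                        0x1A
    WORD e_res[4];      // Reserved words                                                        0x1C
    WORD e_oemid;       // OEM identifier (for e_oeminfo)                                        0x24
    WORD e_oeminfo;     // OEM information; e_oemid specific                                     0x26
    WORD e_res2[10];    // Reserved words                                                        0x28
    LONG e_lfanew;      // File offset of the new (PE) exe header                                0x3C
                        // Attacker-controlled when parsing untrusted files: before reading the NT
                        // headers, check 0 <= e_lfanew and that e_lfanew plus the size of the NT
                        // headers does not exceed the file size.
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;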
0x03 DOS存根
DOS存根(stub)在DOS頭下方,是個可選項,且大小不固定(即使沒有DOS存根,文件也能正常運行).DOS存根由代碼與數據混合而成.
0x04 NT頭
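/*
 * NT headers: the PE signature followed by the file header and the 32-bit
 * optional header. Located at the file offset given by IMAGE_DOS_HEADER.e_lfanew.
 */
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // PE signature: bytes 50 45 00 00 ("PE\0\0"), read as the
                                            // little-endian DWORD 0x00004550; anything else is not a PE image
    IMAGE_FILE_HEADER FileHeader;           // file (COFF) header
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // optional header, 32-bit layout
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;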
0x05 NT頭:文件頭
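/*
 * File (COFF) header: first member after the PE signature inside the NT headers.
 * Describes the target machine, the section table and the image's attribute flags.
 */
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;              // Target CPU; every architecture has its own machine code
    WORD NumberOfSections;     // Number of section headers; a loader errors out when this disagrees
                               // with the real section table, so a parser must bound it against
                               // SizeOfHeaders / the file size instead of trusting it
    DWORD TimeDateStamp;       // Link-time stamp; informational only, easily forged
    DWORD PointerToSymbolTable;// File offset of the COFF symbol table (normally 0 for images)
    DWORD NumberOfSymbols;     // Number of entries in the COFF symbol table
    WORD SizeOfOptionalHeader; // Size of the IMAGE_OPTIONAL_HEADER32 that follows; fixed for a given format
    WORD Characteristics;      // File attribute flags: 0x0002 = executable image, 0x2000 = DLL
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;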
0x06 NT頭:可選頭
/*
 * Optional header (32-bit layout). Despite the name it is mandatory for images;
 * it carries the loader-relevant geometry (entry point, image base, alignments,
 * sizes) and the data-directory table. Every size/RVA here is untrusted input
 * when the file comes from outside and must be range-checked before use.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; // Signature word (0x10B for a 32-bit PE)
BYTE MajorLinkerVersion; // Linker version
BYTE MinorLinkerVersion; //
DWORD SizeOfCode; // Size of the code section(s)
DWORD SizeOfInitializedData; // Size of the initialized-data block
DWORD SizeOfUninitializedData; // Size of the uninitialized-data block
DWORD AddressOfEntryPoint; // RVA of the entry point (EP), the first code the program executes;
                           // a parser should verify it lies inside the image (< SizeOfImage)
DWORD BaseOfCode; // Starting RVA of the code section
DWORD BaseOfData; // Starting RVA of the data section
DWORD ImageBase; // Preferred load address of the PE file
DWORD SectionAlignment; // Section alignment: smallest unit a section occupies in memory
DWORD FileAlignment; // File alignment: smallest unit a section occupies in the file
                     // NOTE(review): loaders generally require both alignments to be powers of two
                     // with FileAlignment <= SectionAlignment — confirm against the PE spec when validating
WORD MajorOperatingSystemVersion;// Required operating-system version
WORD MinorOperatingSystemVersion;//
WORD MajorImageVersion; // User-defined image version
WORD MinorImageVersion; //
WORD MajorSubsystemVersion; // Win32 subsystem version. If the PE file was built specifically for Win32,
WORD MinorSubsystemVersion; // this subsystem version must be 4.0, otherwise dialogs lose their 3D look
DWORD Win32VersionValue; // Reserved
DWORD SizeOfImage; // Size of the whole PE image in memory
DWORD SizeOfHeaders; // Size of all headers plus the section table, i.e. the entire PE header
DWORD CheckSum; // Checksum
WORD Subsystem; // NT uses this to tell which subsystem the PE file belongs to (driver, GUI, CUI)
WORD DllCharacteristics; // DLL characteristics flags; the mitigation bits such as dynamic base (ASLR)
                         // and NX compat (DEP) live here, so they are worth auditing
DWORD SizeOfStackReserve; // Stack reserve size
DWORD SizeOfStackCommit; // Stack commit size
DWORD SizeOfHeapReserve; // Heap reserve size
DWORD SizeOfHeapCommit; // Heap commit size
DWORD LoaderFlags; // Reserved (obsolete)
DWORD NumberOfRvaAndSizes; // Number of DataDirectory entries; a parser must clamp this to
                           // IMAGE_NUMBEROF_DIRECTORY_ENTRIES rather than index the array with it as-is
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // Data-directory table
// Array of IMAGE_DATA_DIRECTORY structures. Each entry gives the RVA (and size) of an
// important data structure, e.g. the import address table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
0x07 節區頭
#define IMAGE_SIZEOF_SHORT_NAME 8 // Length of a section name in bytes
/*
 * Section header: one entry per section, laid out immediately after the optional
 * header (FileHeader.NumberOfSections entries). It maps a region of the file onto a
 * region of the image. When parsing untrusted files, check that
 * PointerToRawData + SizeOfRawData fits in the file and that
 * VirtualAddress + VirtualSize fits in SizeOfImage before touching the data.
 */
typedef struct _IMAGE_SECTION_HEADER{
BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // 8-byte section name; not guaranteed NUL-terminated, so never
                                    // pass it to strlen/printf("%s") without copying into a bounded buffer
union {
DWORD PhysicalAddress; // Used by object files
DWORD VirtualSize; // Size of the section in memory
} Misc;
DWORD VirtualAddress; // Starting address (RVA) of the section in memory
DWORD SizeOfRawData; // Size the section occupies in the file on disk
DWORD PointerToRawData; // File offset of the section's data on disk
DWORD PointerToRelocations; // Used in OBJ files: offset of the relocations
DWORD PointerToLinenumbers; // Offset of the line-number table (for debugging)
WORD NumberOfRelocations; // Used in OBJ files: number of relocation entries
WORD NumberOfLinenumbers; // Number of line numbers in the line-number table
DWORD Characteristics; // Section attributes such as readable, writable, executable;
                       // a section marked both writable and executable deserves a closer look
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;