Under Windows 9x, NT and 2000, all executables use a new file format designed by Microsoft: the Portable Executable file format, or PE format. There are times when we need to modify these executables, and the following text attempts to describe in detail the format of PE files and how files in PE format are modified.
1. PE file frame structure
DOS MZ header
DOS stub
PE header
Section table
Section 1
Section 2
Section ...
Section n
The table above shows the overall layout of the PE file structure. All PE files (even 32-bit DLLs) must start with a simple DOS MZ header. At offset 0 is the "MZ" signature of a DOS executable; with it, if the program is run under DOS, DOS recognizes the file as a valid executable and runs the DOS stub that immediately follows the MZ header. The DOS stub is actually a valid EXE: on an operating system that does not support the PE file format it simply displays an error message such as "This program cannot run in DOS mode", or the programmer can implement complete DOS code as they see fit. Usually the DOS stub is generated automatically by the assembler/compiler and is not very useful to us; it simply invokes Interrupt 21h service 9 to display the string "This program cannot run in DOS mode".
The DOS stub is followed by the PE header. "PE header" is shorthand for the PE structure IMAGE_NT_HEADERS, which contains many important fields used by the PE loader. When the executable is run on an operating system that supports the PE file structure, the PE loader reads the starting offset of the PE header from offset 3Ch of the DOS MZ header, skipping the DOS stub and going directly to the real file header, the PE header.
The real content of a PE file is divided into blocks called sections. Each section is a piece of data with common attributes, such as the ".text" section. So what is the content of each section? In fact, a PE file puts content with the same attributes into the same section; names such as ".text" and ".data" do not matter and exist only to make sections easy to identify. So if we modify a file in PE format, we can in theory write to any section and adjust that section's attributes.
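The walk described above (MZ signature at offset 0, PE header offset read from 3Ch, then the section table with each section's name and attributes) as an added Python example, not code from the original article. The field layouts follow the standard IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER structures; the function names and the sample image are constructed for illustration.

```python
import struct

def parse_pe_layout(data: bytes) -> dict:
    """Walk DOS MZ header -> PE header -> section table, bounds-checking each step."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset 3Ch: file offset of PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("offset 3Ch does not point at a PE signature")
    # The 20-byte IMAGE_FILE_HEADER follows the 4-byte "PE\0\0" signature.
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table starts after the optional header
    if table + nsec * 40 > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, rsize, rptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_offset": rptr, "raw_size": rsize,
            "executable": bool(flags & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
            "writable": bool(flags & 0x80000000),    # IMAGE_SCN_MEM_WRITE
        })
    return {"pe_offset": e_lfanew, "machine": machine, "sections": sections}

def build_sample() -> bytes:
    """Constructed headers-only image for the demo (not a loadable program)."""
    dos = bytearray(0x80)                    # MZ header plus zero-filled stub area
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # PE header placed right after the stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = bytes(0xE0)                    # optional header left zeroed in this sample
    def sec(name, flags, rptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, 0x200, rptr, 0, 0, 0, 0, flags)
    table = sec(b".text", 0x60000020, 0x400) + sec(b".data", 0xC0000040, 0x600)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + table

if __name__ == "__main__":
    for s in parse_pe_layout(build_sample())["sections"]:
        print(s)
```

The section names are only labels; what the loader honours is the attribute flags, which is why the parser reports `executable` and `writable` from the characteristics field rather than inferring them from the name.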