Analysis of PE file structure

Source: Internet
Author: User
Tags: execution, ord, reference

Everyone knows how important it is to understand the structure of an executable, under DOS as well as under Windows. If you want to encrypt programs, write viruses, and so on, understanding the PE file structure is indispensable. There is plenty of material on the subject, but it is mostly theoretical and rarely walks through a concrete file. Here I'll use the 4.EXE from the previous tutorial series as the example for analysing the PE file format. For lack of time this will not be very complete; if possible I will fill it in gradually later.

===============================================================
In the screenshot of this file, the red boxes divide the file into 4 parts:
i - the file header;
ii - the code section (the .text section);
iii - the import table (the .rdata section);
iv - the data section (the .data section).

Each part also contains a large amount of padding (the filler bytes that round every part up to the file alignment of 200H); it is marked in the screenshot with a green cross.

Now let's look at the overall structure of the file (read this together with the annotated PE structure in the screenshot):
----------------------------------------------------------
1. IMAGE_DOS_HEADER
Although this is a Windows program, there is no guarantee that nobody will try to run it under DOS. Its file header is essentially the same as the header of a DOS executable, so DOS treats it as a standard DOS EXE file; the result of running it there is just an error message, "This program cannot be run in DOS mode", telling the user that this is a Windows program and should be run under Windows.
The last member of the structure, e_lfanew, gives the file offset of the PE file header and is an important value.
In this example the member sits at file offset 3CH and its value is 000000B0H, so the PE header starts at file offset B0H.
2. The DOS stub program
3. The DOS error message text
4. Padding
-----------------------------------------------------------
Next is the PE file header, an IMAGE_NT_HEADERS structure:
5. The PE signature, db 'PE',0,0
6. An IMAGE_FILE_HEADER structure
7. An IMAGE_OPTIONAL_HEADER structure
8. An IMAGE_DATA_DIRECTORY structure array, 16 entries in total (it is the last member of the optional header)
9. An IMAGE_SECTION_HEADER structure array; the number of entries is given by NumberOfSections in structure 6.
In this example that WORD sits at file offset B6H (B0H + 4 bytes of signature + 2 bytes of Machine) and its value is 0003, so there are three section headers.
-------------------------------------------------------------
10. The code portion of the program: the contents of the .text section
-------------------------------------------------------------
Below are the contents of the .rdata section. Note that the pointer values here are virtual addresses (relative virtual addresses, RVAs: offsets from the image base once the file is mapped into memory), not file offsets.

11. The IAT (Import Address Table), which holds the addresses of the imported functions. The loader overwrites this area when it loads the file: each entry is replaced with the real address of the function in the DLL, and every call the program makes to a DLL function is routed through here (jmp dword ptr [IAT entry]) to the function's true location.
12. An IMAGE_IMPORT_DESCRIPTOR structure array. How many entries does it have? If the program calls functions from n dynamic-link libraries, the array has n+1 entries; the last structure is all zeros and marks the end.
The program in this example calls only functions in kernel32.dll, so there are two such structures here.
13. An IMAGE_THUNK_DATA structure array. Each structure is in fact a single DWORD, and each DWORD (when its high bit is clear) is the RVA of an IMAGE_IMPORT_BY_NAME structure giving the name of a function the program calls; if the high bit is set, the low word is instead the ordinal of the function. The last DWORD is 0, marking the end.
14. The data pointed to by the entries in 12 and 13: the DLL name and the IMAGE_IMPORT_BY_NAME (hint plus function name) entries.
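The script below is an added example, not code from the original article, and it walks exactly the chain described in items 1 to 14: it follows e_lfanew from the DOS header to the PE signature, reads NumberOfSections and the section table, maps RVAs to file offsets, and parses the import descriptors, the INT and the IAT, including the import-by-ordinal case the text mentions. Since 4.exe itself is not available, build_sample_pe() constructs a small PE32 image whose layout copies the values quoted on this page (e_lfanew = B0H, three sections at the same RVAs and file offsets, the kernel32.dll name entries at RVA 2064H, 2074H and 2048H); the position of the DLL name string, the contents of .text and the optional-header fields the page does not quote are assumptions, and the image is not meant to be executed. The IAT slot it reports for each function is the operand of the corresponding jmp dword ptr [...] stub in the w32dasm listing further down.

```python
# Added example: a minimal PE32 parser for the structures walked through above, run against a
# constructed image laid out like the article's 4.exe (not the real file, not code from the article).
import struct

OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 minus the 16 data directories (96 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER (40 bytes)
IMPORT_DESC_FMT = "<IIIII"                   # IMAGE_IMPORT_DESCRIPTOR (20 bytes)
IMAGE_ORDINAL_FLAG32 = 0x80000000            # thunk high bit set: import by ordinal, not by name

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset through the section table; RVAs inside the headers map 1:1."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["virtual_size"], s["raw_size"]):
            return rva - s["rva"] + s["raw_ptr"]
    if rva < min(s["rva"] for s in sections):
        return rva
    raise ValueError("RVA %#x lies outside every section" % rva)

def parse_imports(data, sections, image_base, import_rva):
    dlls, off = [], rva_to_offset(sections, import_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from(IMPORT_DESC_FMT, data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                   # the all-zero (n+1)th descriptor ends the array
        # OriginalFirstThunk -> INT (name RVAs, never patched); FirstThunk -> IAT, which the loader
        # overwrites with real addresses.  Some linkers leave OriginalFirstThunk 0: fall back to the IAT.
        thunk_off, funcs = rva_to_offset(sections, oft or ft), []
        for i in range(0x10000):                    # bounded walk in case the 0 terminator is missing
            thunk = struct.unpack_from("<I", data, thunk_off + 4 * i)[0]
            if thunk == 0:
                break
            entry = {"iat_va": image_base + ft + 4 * i}   # the slot a 'jmp dword ptr [...]' stub reads
            if thunk & IMAGE_ORDINAL_FLAG32:
                entry.update(ordinal=thunk & 0xFFFF, hint=None, name=None)
            else:                                   # IMAGE_IMPORT_BY_NAME: WORD hint, then the name
                hoff = rva_to_offset(sections, thunk)
                entry.update(ordinal=None, hint=struct.unpack_from("<H", data, hoff)[0], name=read_cstr(data, hoff + 2))
            funcs.append(entry)
        dlls.append({"dll": read_cstr(data, rva_to_offset(sections, name_rva)), "iat_rva": ft, "functions": funcs})
        off += 20
    return dlls

def parse_pe(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (Magic 10BH) is handled here")
    entry_rva, image_base, n_dirs = opt[6], opt[9], opt[29]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsec):                           # IMAGE_SECTION_HEADER array follows the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize, "rva": va,
                         "raw_size": rsize, "raw_ptr": rptr, "flags": flags})
    imports = parse_imports(data, sections, image_base, dirs[1][0]) if len(dirs) > 1 and dirs[1][0] else []
    return {"e_lfanew": e_lfanew, "machine": machine, "num_sections": nsec, "image_base": image_base,
            "entry_va": image_base + entry_rva, "sections": sections, "imports": imports}

def build_sample_pe():
    """Constructed PE32 with the article's layout: e_lfanew B0H, NumberOfSections at B6H, kernel32 names at 2064H/2074H/2048H."""
    hdr = bytearray(0x400)
    hdr[0:2], hdr[0xB0:0xB4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0xB0)
    struct.pack_into("<HHIIIHH", hdr, 0xB4, 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)      # IMAGE_FILE_HEADER
    opt = 0xC8
    struct.pack_into(OPT_FMT, hdr, opt, 0x10B, 5, 0, 0x200, 0x400, 0, 0x1000, 0x1000, 0x2000,
                     0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x400, 0, 3, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", hdr, opt + 96 + 8 * 1, 0x2010, 0x28)                 # DataDirectory[1]: imports
    for i, (name, rva, raw, flags) in enumerate([(b".text", 0x1000, 0x400, 0x60000020),
                                                 (b".rdata", 0x2000, 0x600, 0x40000040),
                                                 (b".data", 0x3000, 0x800, 0xC0000040)]):
        struct.pack_into(SECTION_FMT, hdr, opt + 0xE0 + 40 * i, name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)
    rd = bytearray(0x200)                             # .rdata, regions 11-14; the DLL name position is assumed
    def put(rva, fmt, *vals): struct.pack_into(fmt, rd, rva - 0x2000, *vals)
    put(0x2000, "<IIII", 0x2064, 0x2074, 0x2048, 0)               # 11: IAT (FirstThunk), name RVAs on disk
    put(0x2010, IMPORT_DESC_FMT, 0x2038, 0, 0, 0x2056, 0x2000)    # 12: one descriptor; zero terminator follows
    put(0x2038, "<IIII", 0x2064, 0x2074, 0x2048, 0)               # 13: INT (OriginalFirstThunk)
    put(0x2048, "<H12s", 0x0075, b"ExitProcess")                  # 14: IMAGE_IMPORT_BY_NAME entries
    put(0x2056, "<13s", b"kernel32.dll")
    put(0x2064, "<H13s", 0x013D, b"GetStdHandle")
    put(0x2074, "<H10s", 0x02B9, b"WriteFile")
    dat = b"How are you!\0".ljust(0x200, b"\0")       # .data
    return bytes(hdr) + b"\xCC" * 0x200 + bytes(rd) + dat   # .text is filler (assumed), not the real code

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("e_lfanew=%#x sections=%d entry=%#x" % (pe["e_lfanew"], pe["num_sections"], pe["entry_va"]))
    for d in pe["imports"]:
        for f in d["functions"]:
            print("%s!%s hint=%04X IAT slot=%#x" % (d["dll"], f["name"], f["hint"], f["iat_va"]))
```

Running it prints the three kernel32 imports with their hint values and their IAT slots 00402000H, 00402004H and 00402008H. On a real file the same checks matter: validate e_lfanew against the file size before dereferencing it, treat an RVA that falls outside every section as malformed rather than reading at the raw value, and never assume the thunk arrays are terminated.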

==============================================================
Below is a screenshot of 4.exe opened in UltraEdit (annotated).


==============================================================
Below is the w32dasm disassembly of 4.exe, with detailed comments, for reference:
Disassembly of File: 4.exe
Code Offset = 00000400, Code Size = 00000200    ; .text is at file offset 400H, size 200H (aligned to FileAlignment)
Data Offset = 00000800, Data Size = 00000200    ; .data is at file offset 800H, size 200H (aligned)

Number of Objects = 0003 (dec), Imagebase = 00400000h    ; 3 sections, image base 400000H

                 RVA           file offset     aligned size   section attribute flags
Object01: .text  RVA:00001000  Offset:00000400 Size:00000200  Flags:60000020   ; code, executable, readable
Object02: .rdata RVA:00002000  Offset:00000600 Size:00000200  Flags:40000040   ; initialized data, readable
Object03: .data  RVA:00003000  Offset:00000800 Size:00000200  Flags:C0000040   ; initialized data, readable, writable

+++++++++++++++++++ Imported Functions ++++++++++++++++++
Number of Imported Modules = 1 (decimal)    ; the program calls functions from only one DLL

Import Module 001: kernel32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: kernel32.dll

Addr:00002064 hint(013D) Name: GetStdHandle   ; three functions of kernel32 are called
Addr:00002074 hint(02B9) Name: WriteFile      ; the Addr value is the RVA of the function's hint/name entry, not the function's real address
Addr:00002048 hint(0075) Name: ExitProcess    ; the loader writes the three real addresses into the IAT at load time

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
**************** Start of Code in Object .text ****************
Program Entry Point = 00401000 (4.exe File Offset:00001600)

* Possible StringData Ref from Data Obj ->"How are you!"
                                  |

Program Entry Point ********
:00401000 6800304000              push 00403000                  ; address of the string "How are you!" in .data
:00401005 E80E000000              call 00401018                  ; write it to stdout (routine below)
:0040100A 6A00                    push 00000000                  ; exit code 0

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040100C E801000000              call 00401012
:00401011 CC                      int 03                         ; padding

* Referenced by a CALL at Address:
|:0040100C
|

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:00401012 FF2508204000            jmp dword ptr [00402008]       ; jump through the IAT entry to ExitProcess

* Referenced by a CALL at Address:
|:00401005
|
:00401018 55                      push ebp
:00401019 8BEC                    mov ebp, esp
:0040101B 83C4F4                  add esp, FFFFFFF4              ; 12 bytes of locals
:0040101E 6AF5                    push FFFFFFF5                  ; STD_OUTPUT_HANDLE (-11)

* Reference To: KERNEL32.GetStdHandle, Ord:013Dh
                                  |
:00401020 E863000000              call 00401088
:00401025 8945FC                  mov dword ptr [ebp-04], eax    ; [ebp-04] = stdout handle
:00401028 FF7508                  push [ebp+08]                  ; the string pointer argument
:0040102B E820000000              call 00401050                  ; string length routine below
:00401030 8945F4                  mov dword ptr [ebp-0C], eax    ; [ebp-0C] = length
:00401033 6A00                    push 00000000                  ; lpOverlapped = NULL
:00401035 8D45F8                  lea eax, dword ptr [ebp-08]
:00401038 50                      push eax                       ; lpNumberOfBytesWritten
:00401039 FF75F4                  push [ebp-0C]                  ; nNumberOfBytesToWrite
:0040103C FF7508                  push [ebp+08]                  ; lpBuffer
:0040103F FF75FC                  push [ebp-04]                  ; hFile

* Reference To: KERNEL32.WriteFile, Ord:02B9h
                                  |
:00401042 E847000000              call 0040108E
:00401047 8B45F8                  mov eax, dword ptr [ebp-08]    ; return the number of bytes written
:0040104A C9                      leave
:0040104B C20400                  ret 0004

:0040104E CC                      int 03
:0040104F CC                      int 03

* Referenced by a CALL at Address:
|:0040102B
|
:00401050 55                      push ebp                       ; string length, 4 bytes at a time (the C run-time strlen)
:00401051 8BEC                    mov ebp, esp
:00401053 53                      push ebx
:00401054 8B4508                  mov eax, dword ptr [ebp+08]
:00401057 8D5003                  lea edx, dword ptr [eax+03]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040106F(C)
|
:0040105A 8B18                    mov ebx, dword ptr [eax]
:0040105C 83C004                  add eax, 00000004
:0040105F 8D8BFFFEFEFE            lea ecx, dword ptr [ebx+FEFEFEFF]
:00401065 F7D3                    not ebx
:00401067 23CB                    and ecx, ebx
:00401069 81E180808080            and ecx, 80808080              ; any zero byte in this DWORD?
:0040106F 74E9                    je 0040105A
:00401071 F7C180800000            test ecx, 00008080             ; in the low two bytes?
:00401077 7506                    jne 0040107F
:00401079 C1E910                  shr ecx, 10
:0040107C 83C002                  add eax, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401077(C)
|
:0040107F D0E1                    shl cl, 1
:00401081 1BC2                    sbb eax, edx                   ; eax = length of the string
:00401083 5B                      pop ebx
:00401084 C9                      leave
:00401085 C20400                  ret 0004

* Referenced by a CALL at Address:
|:00401020
|

* Reference To: KERNEL32.GetStdHandle, Ord:013Dh
                                  |
:00401088 FF2500204000            jmp dword ptr [00402000]       ; jump through the IAT entry to the real function

* Reference To: KERNEL32.WriteFile, Ord:02B9h
                                  |
:0040108E FF2504204000            jmp dword ptr [00402004]

==============================================================
The structures used in the PE analysis above, taken from windows.inc (the MASM32 include file), for reference:

IMAGE_DOS_HEADER STRUCT
  e_magic       WORD ?           ; 'MZ'
  e_cblp        WORD ?
  e_cp          WORD ?
  e_crlc        WORD ?
  e_cparhdr     WORD ?
  e_minalloc    WORD ?
  e_maxalloc    WORD ?
  e_ss          WORD ?
  e_sp          WORD ?
  e_csum        WORD ?
  e_ip          WORD ?
  e_cs          WORD ?
  e_lfarlc      WORD ?
  e_ovno        WORD ?
  e_res         WORD 4 dup(?)
  e_oemid       WORD ?
  e_oeminfo     WORD ?
  e_res2        WORD 10 dup(?)
  e_lfanew      DWORD ?          ; file offset of the PE header; this member is at offset 3CH
IMAGE_DOS_HEADER ENDS

IMAGE_NT_HEADERS STRUCT
  Signature       DWORD ?        ; 'PE',0,0
  FileHeader      IMAGE_FILE_HEADER <>
  OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

IMAGE_FILE_HEADER STRUCT
  Machine               WORD ?
  NumberOfSections      WORD ?
  TimeDateStamp         DWORD ?
  PointerToSymbolTable  DWORD ?
  NumberOfSymbols       DWORD ?
  SizeOfOptionalHeader  WORD ?
  Characteristics       WORD ?
IMAGE_FILE_HEADER ENDS

IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16

IMAGE_OPTIONAL_HEADER32 STRUCT
  Magic                        WORD ?     ; 10BH for a PE32 image
  MajorLinkerVersion           BYTE ?
  MinorLinkerVersion           BYTE ?
  SizeOfCode                   DWORD ?
  SizeOfInitializedData        DWORD ?
  SizeOfUninitializedData      DWORD ?
  AddressOfEntryPoint          DWORD ?    ; RVA
  BaseOfCode                   DWORD ?
  BaseOfData                   DWORD ?
  ImageBase                    DWORD ?
  SectionAlignment             DWORD ?
  FileAlignment                DWORD ?
  MajorOperatingSystemVersion  WORD ?
  MinorOperatingSystemVersion  WORD ?
  MajorImageVersion            WORD ?
  MinorImageVersion            WORD ?
  MajorSubsystemVersion        WORD ?
  MinorSubsystemVersion        WORD ?
  Win32VersionValue            DWORD ?
  SizeOfImage                  DWORD ?
  SizeOfHeaders                DWORD ?
  CheckSum                     DWORD ?
  Subsystem                    WORD ?
  DllCharacteristics           WORD ?
  SizeOfStackReserve           DWORD ?
  SizeOfStackCommit            DWORD ?
  SizeOfHeapReserve            DWORD ?
  SizeOfHeapCommit             DWORD ?
  LoaderFlags                  DWORD ?
  NumberOfRvaAndSizes          DWORD ?
  DataDirectory                IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
IMAGE_OPTIONAL_HEADER32 ENDS

IMAGE_OPTIONAL_HEADER equ <IMAGE_OPTIONAL_HEADER32>

IMAGE_DATA_DIRECTORY STRUCT
  VirtualAddress  DWORD ?        ; RVA of the table
  isize           DWORD ?
IMAGE_DATA_DIRECTORY ENDS

IMAGE_SIZEOF_SHORT_NAME equ 8

IMAGE_SECTION_HEADER STRUCT
  Name1  db IMAGE_SIZEOF_SHORT_NAME dup(?)
  union Misc
    PhysicalAddress  dd ?
    VirtualSize      dd ?
  ends
  VirtualAddress        dd ?
  SizeOfRawData         dd ?
  PointerToRawData      dd ?
  PointerToRelocations  dd ?
  PointerToLinenumbers  dd ?
  NumberOfRelocations   dw ?
  NumberOfLinenumbers   dw ?
  Characteristics       dd ?
IMAGE_SECTION_HEADER ENDS

IMAGE_IMPORT_DESCRIPTOR STRUCT
  union
    Characteristics     dd ?
    OriginalFirstThunk  dd ?     ; RVA of the INT (IMAGE_THUNK_DATA array of name RVAs)
  ends
  TimeDateStamp   dd ?
  ForwarderChain  dd ?
  Name1           dd ?           ; RVA of the DLL name
  FirstThunk      dd ?           ; RVA of the IAT
IMAGE_IMPORT_DESCRIPTOR ENDS

IMAGE_IMPORT_BY_NAME STRUCT
  Hint   dw ?
  Name1  db ?                    ; NUL-terminated function name of variable length
IMAGE_IMPORT_BY_NAME ENDS

IMAGE_THUNK_DATA32 STRUCT
  union u1
    ForwarderString  dd ?
    Function         dd ?
    Ordinal          dd ?        ; used when the high bit is set
    AddressOfData    dd ?        ; RVA of an IMAGE_IMPORT_BY_NAME
  ends
IMAGE_THUNK_DATA32 ENDS

IMAGE_THUNK_DATA equ <IMAGE_THUNK_DATA32>
