Detailed description of the PE file structure

Source: Internet
Author: User


1. Locating the standard PE Header

The DOS Stub is of variable length, so the PE Header is not at a fixed file offset. The DOS header (IMAGE_DOS_HEADER, 64 bytes) sits at the very start of the file, and its e_lfanew field gives the location of the standard PE Header that follows the stub.

The value of e_lfanew is a relative offset: to get the absolute position of the PE Header, add the base address of the DOS MZ header (offset 0 in the file on disk, the image base once loaded in memory).

That is, the absolute position of the PE Header is:

PE_start = DOS MZ header base address + IMAGE_DOS_HEADER.e_lfanew

2. PE file structure

On a 32-bit system the most important parts are the PE Header and the section data.

A PE file on a 32-bit system is divided into the DOS MZ header, the DOS Stub, the PE Header, the section table, and the section contents.

The section table is the directory of all sections in the PE; the bytes described by each directory entry are the section contents. Each entry's file pointer locates its section's bytes, so the section contents can sit anywhere in the file space; headers, section table and section contents together form the complete PE file.

The "header" in the broad sense is the DOS header plus the PE Header.

3. PE File Header Parsing

DOS MZ header IMAGE_DOS_HEADER:

The most important members are e_magic (the "MZ" signature, 5A4Dh) and e_lfanew (the file offset of the PE Header).

The DOS Stub follows the DOS MZ header. The entire DOS Stub is an opaque block of bytes whose content depends on the linker used at link time; the PE format defines no structure for it.

PE Header identifier Signature:

After the DOS Stub comes the PE Header identifier, Signature: a four-byte ID located at the position pointed to by IMAGE_DOS_HEADER.e_lfanew. Its content is fixed and corresponds to the ASCII string "PE\0\0".

Standard PE Header IMAGE_FILE_HEADER:

The standard PE Header IMAGE_FILE_HEADER follows the PE signature, that is, it starts at e_lfanew + 4. The 20 bytes from this position are the IMAGE_FILE_HEADER structure. (Microsoft's official documentation calls this structure the standard COFF header, after the Common Object File Format.)

This part records global attributes of the PE file: the platform it runs on, the file type (EXE or DLL?), and the total number of sections in the file.

It is used to determine the file type and to obtain the number of sections, which serves as the loop count when the section table is traversed.

Extended PE Header IMAGE_OPTIONAL_HEADER32:

Stores the entry point address used when the file is executed, the default (preferred) base address at which the operating system loads the file into memory, and the alignment units of sections on disk and in memory.

PE Header IMAGE_NT_HEADERS:

This is the PE Header in the broad sense. In a standard PE32 file it is 248 bytes (0F8h): 4 + 20 + 224.

IMAGE_NT_HEADERS is the sum of the three preceding parts: Signature, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER.

The structure is defined as follows:

Data directory entry IMAGE_DATA_DIRECTORY:

The last field of the IMAGE_OPTIONAL_HEADER structure, DataDirectory, describes where the different kinds of data in the PE file are located,

such as the import table, the export table, resources and the relocation table. In memory the operating system organizes data in pages and assigns them different access attributes; in the file the data is likewise grouped by category,

each kind stored at a specified location in the file.

This structure describes the location and size of each kind of data in the file (and in memory).

The kinds of data listed in the data directory are always the same. In PE, each kind is described by one IMAGE_DATA_DIRECTORY structure.

The structure is defined as follows:

A total of 16 identical IMAGE_DATA_DIRECTORY entries are laid out consecutively.

Section table entry IMAGE_SECTION_HEADER:

The section table is located after IMAGE_NT_HEADERS (at e_lfanew + 4 + 20 + SizeOfOptionalHeader) and consists of multiple section table entries (IMAGE_SECTION_HEADER). Each entry records the information for one specific section in the PE: its attributes, its size, and its start position in the file and in memory.

The number of entries in the section table is given by the NumberOfSections member of IMAGE_FILE_HEADER.

The data structure of the Section Table is defined as follows:

4. Fields of the PE Header IMAGE_NT_HEADERS

1. IMAGE_NT_HEADERS.Signature:

+0000h, DWORD. PE file identifier, defined as 00004550h ("PE\0\0").

If any of these bytes is changed, the operating system no longer recognizes the file as a valid PE file. Because the DOS header is not damaged, the program (its DOS stub) can still run in a DOS environment.

2. IMAGE_NT_HEADERS.FileHeader:

+0004h, structure. This is the embedded IMAGE_FILE_HEADER.

3. IMAGE_NT_HEADERS.OptionalHeader:

+0018h, structure. This is the embedded IMAGE_OPTIONAL_HEADER32. It holds the header information specific to executable images; despite the name, the loader requires it.

5. Fields of the standard PE Header IMAGE_FILE_HEADER

4. IMAGE_FILE_HEADER.Machine:

+0004h, WORD. The platform (CPU architecture) the PE file runs on, for example 014Ch for x86 and 8664h for x64.

5. IMAGE_FILE_HEADER.NumberOfSections:

+0006h, WORD. Total number of sections in the file.

The value must be between 1 and 96; the Windows loader limits the number of sections to 96. If the value is set to 0, the loader reports that the file is not a valid Win32 application.

To add or delete a section in a PE, the value here must be changed accordingly.

The value must match the actual number of section table entries, neither more nor less; otherwise an error occurs during loading.

6. IMAGE_FILE_HEADER.TimeDateStamp:

+0008h, DWORD. The timestamp of when the linker created this file, stored as the number of seconds since January 1, 1970 (UTC).

This value can be modified without affecting the running of the program.

7. IMAGE_FILE_HEADER.PointerToSymbolTable:

+000Ch, DWORD. The file offset of the COFF symbol table.

If there is no COFF symbol table, this value is 0. For image files it is 0.

8. IMAGE_FILE_HEADER.NumberOfSymbols:

+0010h, DWORD. Number of entries in the symbol table.

Because the string table immediately follows the symbol table, this value can be used to locate the string table.

In image files the value is 0; it is mainly used for debugging.

9. IMAGE_FILE_HEADER.SizeOfOptionalHeader:

+0014h, WORD. Specifies the length of IMAGE_OPTIONAL_HEADER32.

By default this value is 00E0h; for a 64-bit PE file (PE32+) the default size of the structure is 00F0h. The loader uses this value, not a fixed constant, to find the start of the section table, so a parser must do the same.

10. IMAGE_FILE_HEADER.Characteristics:

+0016h, WORD. The file attribute flag field; each bit defines a file attribute. This is a very important field: the flags set here change how the system loads the file.

For ordinary executable PE files the value of this field is generally 010Fh; for DLL files it is generally 210Ch.

Bit 1 (0002h, IMAGE_FILE_EXECUTABLE_IMAGE): the image file is valid and can be run. If this flag is not set, it indicates a linker error.

Bit 10 (0400h, IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP): if the image file is on removable media, the loader fully loads it and copies it to the swap file.

Bit 11 (0800h, IMAGE_FILE_NET_RUN_FROM_SWAP): if the image file is on the network, the loader fully loads it and copies it to the swap file.

Bit 13 (2000h, IMAGE_FILE_DLL): the image file is a dynamic-link library. Such files are considered executable files for almost all purposes, although they cannot be run directly.

The executable flag value 010Fh sets bits 0, 1, 2, 3 and 8: the file is marked as an executable image (bit 1) whose relocation information (bit 0), line numbers (bit 2) and local symbols (bit 3) have been stripped, and which is intended for a 32-bit machine (bit 8).
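Sections 1, 4 and 5 above describe one procedure: follow e_lfanew, check the signature, then read IMAGE_FILE_HEADER. The Python below is an added example (not code from the original page) that implements it with the bounds checks a hostile file requires, decodes Characteristics into flag names, and derives the section table offset from SizeOfOptionalHeader instead of assuming 0E0h. The input is a constructed header prefix produced by build_sample_headers, not a real binary; the function names and the PEFormatError type are the example's own.

```python
import struct

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x0400: "REMOVABLE_RUN_FROM_SWAP",
    0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM", 0x2000: "DLL",
}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM"}


class PEFormatError(ValueError):
    pass


def parse_file_header(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER, checking bounds."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the file, so bound it before dereferencing it.
    # Windows accepts a PE header that overlaps the DOS header, so only the
    # upper bound is enforced: signature (4) + IMAGE_FILE_HEADER (20) must fit.
    if e_lfanew + 24 > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsects, stamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, fh)
    if not 1 <= nsects <= 96:          # loader limit stated in the text
        raise PEFormatError(f"NumberOfSections {nsects} outside 1..96")
    if opt_size < 2 or fh + 20 + opt_size > len(data):
        raise PEFormatError("SizeOfOptionalHeader inconsistent with file size")
    (magic,) = struct.unpack_from("<H", data, fh + 20)   # first WORD of the optional header
    return {
        "nt_headers_offset": e_lfanew,
        "machine": machine,
        "number_of_sections": nsects,
        "timestamp": stamp,
        "size_of_optional_header": opt_size,
        "characteristics": sorted(n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit),
        "is_dll": bool(chars & 0x2000),
        "format": MAGIC_NAMES.get(magic, "unknown"),
        # The section table starts right after the optional header, whose
        # length is taken from the header itself, never assumed to be 0xE0.
        "section_table_offset": fh + 20 + opt_size,
    }


def is_malformed(data):
    """True when parse_file_header rejects the bytes."""
    try:
        parse_file_header(data)
    except PEFormatError:
        return True
    return False


def build_sample_headers(e_lfanew=0x80, characteristics=0x010F):
    """Constructed sample: the header prefix of a 32-bit EXE, not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\0" * (e_lfanew - 64)                     # opaque DOS stub, variable length
    file_header = struct.pack("<HHIIIHH",
                              0x014C,                  # Machine: IMAGE_FILE_MACHINE_I386
                              3,                       # NumberOfSections
                              0x5F000000,              # TimeDateStamp (arbitrary)
                              0, 0,                    # symbol table fields, 0 for images
                              0xE0,                    # SizeOfOptionalHeader for PE32
                              characteristics)
    optional = struct.pack("<H", 0x010B) + b"\0" * (0xE0 - 2)   # Magic = PE32, rest zeroed
    return bytes(dos) + stub + b"PE\0\0" + file_header + optional


if __name__ == "__main__":
    for key, value in parse_file_header(build_sample_headers()).items():
        print(f"{key:>24}: {value}")
```

Every offset read from the file (e_lfanew, SizeOfOptionalHeader) is checked against the buffer length before it is used; a parser that trusts them is the usual source of out-of-bounds reads in PE tooling.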

6. Fields of the extended PE Header IMAGE_OPTIONAL_HEADER32 (offsets are relative to the start of IMAGE_NT_HEADERS)

11. IMAGE_OPTIONAL_HEADER32.Magic:

+0018h, WORD. Magic number identifying the image type. 010Bh means the file is PE32;

0107h means a ROM image; 020Bh means PE32+, that is, the 64-bit PE format.

12. IMAGE_OPTIONAL_HEADER32.MajorLinkerVersion

13. IMAGE_OPTIONAL_HEADER32.MinorLinkerVersion:

+001Ah, one WORD in total. Both fields are BYTEs giving the linker version; they do not affect execution.

14. IMAGE_OPTIONAL_HEADER32.SizeOfCode:

+001Ch, DWORD. The total size of all code sections, in bytes. The size is based on the file-aligned size, not the memory-aligned size.

15. IMAGE_OPTIONAL_HEADER32.SizeOfInitializedData:

+0020h, DWORD. The total size of all sections that contain initialized data.

16. IMAGE_OPTIONAL_HEADER32.SizeOfUninitializedData:

+0024h, DWORD. The total size of all sections that contain uninitialized data.

Uninitialized data occupies no space in the file. When the image is loaded into memory, the PE loader reserves a virtual address range of the appropriate size for it.

17. IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint:

+0028h, DWORD. The value of this field is an RVA: the offset of the first instruction to execute, relative to the image base once the PE is loaded.

If you append a piece of code to an executable and want it to run first, change the value here to point at your code. (The same fact gives a simple triage check: the entry point should lie inside an executable section, and an entry point in a writable or non-code section is a classic sign of infection or packing.)

For ordinary program images this is the start address.

For a device driver it is the address of the initialization function. For a DLL the entry point is optional; if there is none, this field must be 0.

18. IMAGE_OPTIONAL_HEADER32.BaseOfCode:

+002Ch, DWORD. The starting RVA of the code section, that is, its offset from the image base when the image is loaded into memory. The code section usually immediately follows the PE headers, and its name is usually ".text".

19. IMAGE_OPTIONAL_HEADER32.BaseOfData:

+0030h, DWORD. The starting RVA of the data section, that is, the offset of the data section from the image base when the image is loaded into memory. The data section usually follows the code section, and its name is usually ".data". (This field exists only in PE32; in PE32+ it is absorbed by the 8-byte ImageBase.)

20. IMAGE_OPTIONAL_HEADER32.ImageBase:

+0034h, DWORD. The preferred load address of the PE image. RVAs such as AddressOfEntryPoint are relative to this address once the image is loaded.

When the linker generates the executable, the machine code it emits assumes this address.

If the operating system loads the image at this address, the absolute addresses embedded in the instructions need no fixing up, so loading is faster.

Each EXE gets its own process address space, so its preferred address is normally not occupied by another module. An EXE is therefore loaded at this address and does not need to be relocated. (This describes the classic loader; with ASLR, an image that sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in DllCharacteristics is deliberately loaded elsewhere and relocated.)

When linking, the /BASE option specifies the preferred load address. If it is not specified, the linker's default base for an EXE is 00400000h; for a DLL the default preferred address is 10000000h. When several DLLs are loaded into one process, their preferred addresses may collide, and the PE loader relocates the later one to a free address.

You may choose this value yourself, but it must stay within the process address space, and it must be a multiple of 64 KB.

21. IMAGE_OPTIONAL_HEADER32.SectionAlignment:

+0038h, DWORD. The alignment granularity of sections in memory: the unit to which each section's start is aligned after it is loaded. The default is the page size (1000h).

The SectionAlignment value must be greater than or equal to the FileAlignment value.

22. IMAGE_OPTIONAL_HEADER32.FileAlignment:

+003Ch, DWORD. The alignment granularity of section raw data in the file. File alignment exists to make loading from disk efficient.

Windows organizes file systems on disk in clusters (allocation units), each consisting of several physical sectors; the sector is the smallest unit of physical disk access. The larger the cluster, the more data each access transfers,

and the longer each access takes.

Windows generally formats partitions with cluster sizes from 512 bytes up to 4 KB, and the PE specification requires FileAlignment to be a power of two between 512 bytes and 64 KB (the linker default is 200h).

23. IMAGE_OPTIONAL_HEADER32.MajorOperatingSystemVersion:

24. IMAGE_OPTIONAL_HEADER32.MinorOperatingSystemVersion:

+0040h. Two WORDs (one DWORD in total). The version of the operating system required to run the image, split into a major and a minor number.

25. IMAGE_OPTIONAL_HEADER32.MajorImageVersion:

26. IMAGE_OPTIONAL_HEADER32.MinorImageVersion:

+0044h, two WORDs. The version number of the PE image itself.

27. IMAGE_OPTIONAL_HEADER32.MajorSubsystemVersion

28. IMAGE_OPTIONAL_HEADER32.MinorSubsystemVersion

+0048h, two WORDs. The version of the subsystem required to run the image.

29. IMAGE_OPTIONAL_HEADER32.Win32VersionValue:

+004Ch, DWORD. Reserved; not used and must be 0.

30. IMAGE_OPTIONAL_HEADER32.SizeOfImage:

+0050h, DWORD. The size of the whole PE image when mapped in memory, headers included.

Its value must be an integer multiple of SectionAlignment.

31. IMAGE_OPTIONAL_HEADER32.SizeOfHeaders:

+0054h, DWORD. The combined size of the DOS header, the PE Header and the section table, rounded up to the file alignment granularity.

32. IMAGE_OPTIONAL_HEADER32.CheckSum

+0058h, DWORD. Image checksum. In most PE files this value is 0, but for kernel-mode drivers and system DLLs it must be correct. The algorithm is the one implemented by CheckSumMappedFile in Imagehlp.dll.

33. IMAGE_OPTIONAL_HEADER32.Subsystem

+005Ch, WORD. Specifies the subsystem required to run the image (for example 2 for a Windows GUI program, 3 for a Windows console program). The values are as follows:

34. IMAGE_OPTIONAL_HEADER32.DllCharacteristics

+005Eh, WORD. DLL characteristics. This is a flag field, and despite its name it applies to all PE files, not only DLLs: it carries the loader mitigation flags, such as DYNAMIC_BASE (0040h, ASLR), NX_COMPAT (0100h, DEP) and GUARD_CF (4000h, Control Flow Guard).

35. IMAGE_OPTIONAL_HEADER32.SizeOfStackReserve:

+0060h, DWORD. The size of stack to reserve at initialization: the amount of virtual memory reserved for the initial thread's stack. The default value of this field is 100000h (1 MB).

36. IMAGE_OPTIONAL_HEADER32.SizeOfStackCommit:

+0064h, DWORD. The size of stack actually committed at initialization.

It determines the memory the initial thread's stack actually occupies at start; the system commits it on the thread's behalf.

37. IMAGE_OPTIONAL_HEADER32.SizeOfHeapReserve:

+0068h, DWORD. The size of heap to reserve at initialization: the virtual memory reserved for the initial process heap. Its handle can be obtained with the GetProcessHeap function. Each process has only one default process heap;

it is created when the process starts and is never destroyed during the process's lifetime. The default value is 1 MB.

38. IMAGE_OPTIONAL_HEADER32.SizeOfHeapCommit:

+006Ch, DWORD. The heap size committed at initialization: the memory the default heap occupies when the process is initialized. The default value is one page.

39. IMAGE_OPTIONAL_HEADER32.LoaderFlags:

+0070h, DWORD. Loader flags; reserved and must be 0.

40. IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes:

+0074h, DWORD. Defines the number of data directory entries that follow, generally 00000010h, that is, 16.

Together with SizeOfOptionalHeader this field determines how far the optional header extends; it can be smaller than 16 in hand-crafted files, and a parser must read at most min(NumberOfRvaAndSizes, 16) entries and never assume it is 16.

41. IMAGE_OPTIONAL_HEADER32.DataDirectory:

+0078h, structure.

A linear array of 16 IMAGE_DATA_DIRECTORY structures, defining the location and size of the 16 kinds of data in the PE file.

7. The IMAGE_DATA_DIRECTORY field of the data directory item

42. IMAGE_DATA_DIRECTORY.VirtualAddress:

+0000h, DWORD. This field records the starting RVA of one specific kind of data; what that data contains differs per entry. (One exception: the Certificate Table entry holds a file offset rather than an RVA, because the certificate is not mapped into memory.)

43. IMAGE_DATA_DIRECTORY.Size:

+0004h, DWORD. This field records the length in bytes of that data block.
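The optional header fields of section 6 and the data directory of section 7, as an added example (not code from the original page): a Python parser that reads IMAGE_OPTIONAL_HEADER according to Magic (the PE32 layout above, and the PE32+ layout in which BaseOfData disappears and ImageBase and the four stack/heap sizes widen to 8 bytes), applies the consistency rules the text states, reads at most 16 data directory entries, and turns DllCharacteristics into a mitigation summary. The input is a constructed PE32 optional header from build_sample_optional_header, not a real binary; the function names and the "effective ASLR" rule (DYNAMIC_BASE plus a usable relocation table) are the example's own.

```python
import struct

_HEAD = ["Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
         "SizeOfInitializedData", "SizeOfUninitializedData",
         "AddressOfEntryPoint", "BaseOfCode"]
_TAIL = ["SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
         "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
         "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue",
         "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
         "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
         "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
         "NumberOfRvaAndSizes"]
# Fixed part of the optional header, up to (not including) DataDirectory.
LAYOUTS = {
    0x10B: ("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,          # 0x60 bytes
            _HEAD + ["BaseOfData", "ImageBase"] + _TAIL),
    0x20B: ("<HBB" + "I" * 5 + "Q" + "II" + "H" * 6 + "I" * 4 + "HH" + "Q" * 4 + "II",  # 0x70 bytes
            _HEAD + ["ImageBase"] + _TAIL),
}
DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Certificate",
                   "BaseRelocation", "Debug", "Architecture", "GlobalPtr", "TLS",
                   "LoadConfig", "BoundImport", "IAT", "DelayImport", "CLR", "Reserved"]


def parse_optional_header(data, offset=0):
    """Parse IMAGE_OPTIONAL_HEADER (PE32 or PE32+) starting at Magic."""
    (magic,) = struct.unpack_from("<H", data, offset)
    if magic not in LAYOUTS:
        raise ValueError(f"unsupported optional header Magic {magic:#06x}")
    fmt, names = LAYOUTS[magic]
    hdr = dict(zip(names, struct.unpack_from(fmt, data, offset)))
    hdr["Format"] = "PE32" if magic == 0x10B else "PE32+"
    # The loader reads at most 16 entries, however large NumberOfRvaAndSizes claims to be.
    count = min(hdr["NumberOfRvaAndSizes"], 16)
    dirs = {}
    for i in range(count):
        entry = offset + struct.calcsize(fmt) + 8 * i
        if entry + 8 > len(data):
            raise ValueError("data directory runs past end of data")
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", data, entry)  # (VirtualAddress, Size)
    hdr["DataDirectory"] = dirs
    return hdr


def check_optional_header(hdr):
    """Consistency rules stated in the text; returns the ones that are violated."""
    problems = []
    sa, fa = hdr["SectionAlignment"], hdr["FileAlignment"]
    if sa == 0 or fa == 0:
        return ["zero alignment value"]
    if sa < fa:
        problems.append("SectionAlignment smaller than FileAlignment")
    if fa & (fa - 1) or not 0x200 <= fa <= 0x10000:
        problems.append("FileAlignment not a power of two in 512..64K")
    if hdr["SizeOfImage"] % sa:
        problems.append("SizeOfImage not a multiple of SectionAlignment")
    if hdr["ImageBase"] % 0x10000:
        problems.append("ImageBase not a multiple of 64K")
    if hdr["Win32VersionValue"] or hdr["LoaderFlags"]:
        problems.append("reserved field is non-zero")
    return problems


def mitigations(hdr, file_characteristics):
    """Loader mitigations implied by DllCharacteristics (plus the relocation prerequisite)."""
    dc = hdr["DllCharacteristics"]
    reloc_size = hdr["DataDirectory"].get("BaseRelocation", (0, 0))[1]
    return {
        # DYNAMIC_BASE only helps if the image can actually be relocated:
        # IMAGE_FILE_RELOCS_STRIPPED must be clear and a relocation table must exist.
        "aslr": bool(dc & 0x0040) and not file_characteristics & 0x0001 and reloc_size > 0,
        "high_entropy_va": bool(dc & 0x0020) and hdr["Format"] == "PE32+",
        "dep": bool(dc & 0x0100),
        "cfg": bool(dc & 0x4000),
        "no_seh": bool(dc & 0x0400),
        "force_integrity": bool(dc & 0x0080),
    }


def build_sample_optional_header(dll_characteristics=0x8140, size_of_image=0x4000):
    """Constructed sample PE32 optional header (0xE0 bytes), not taken from a real file."""
    fmt, _ = LAYOUTS[0x10B]
    fixed = struct.pack(fmt,
        0x10B, 14, 0,                        # Magic PE32, linker version 14.0
        0x200, 0x400, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000,              # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000,                            # ImageBase (linker default for an EXE)
        0x1000, 0x200,                       # SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                    # OS, image and subsystem versions
        0, size_of_image, 0x400, 0,          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, dll_characteristics,              # Subsystem WINDOWS_GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
        0, 16)                               # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1] = (0x3000, 0x50)                 # Import table
    dirs[5] = (0x3100, 0x20)                 # Base relocation table
    return fixed + b"".join(struct.pack("<II", rva, size) for rva, size in dirs)


if __name__ == "__main__":
    sample = parse_optional_header(build_sample_optional_header())
    print(sample["Format"], hex(sample["ImageBase"]), check_optional_header(sample))
    print(mitigations(sample, 0x010F))   # RELOCS_STRIPPED set: DYNAMIC_BASE alone is not ASLR
```

The sample's DllCharacteristics value 8140h sets DYNAMIC_BASE and NX_COMPAT, yet paired with the executable Characteristics value 010Fh from section 5 the image is not relocatable, so the summary reports ASLR as ineffective; with 0102h (relocations kept) it reports ASLR as effective.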

8. IMAGE_SECTION_HEADER

44. IMAGE_SECTION_HEADER.Name:

+0000h, 8 bytes. The section name, an ASCII string padded with "\0" (a name that uses all 8 bytes has no terminator). The content can be anything; the loader does not interpret it.

45. IMAGE_SECTION_HEADER.Misc:

+0008h, DWORD. A union; for image files it is VirtualSize, the size of the section in memory. It may be larger than SizeOfRawData, in which case the remainder is zero-filled when loaded.

46. IMAGE_SECTION_HEADER.VirtualAddress

+000Ch, DWORD. The RVA of the section, that is, its start address in memory relative to the image base.

47. IMAGE_SECTION_HEADER.SizeOfRawData

+0010h, DWORD. The size of the section's data in the file, rounded up to FileAlignment.

48. IMAGE_SECTION_HEADER.PointerToRawData:

+0014h, DWORD. The file offset at which the section's data starts. An RVA inside the section maps to file offset RVA - VirtualAddress + PointerToRawData.

49. IMAGE_SECTION_HEADER.PointerToRelocations:

+0018h, DWORD. Used in OBJ files: the file pointer to the relocation entries. 0 for image files.

50. IMAGE_SECTION_HEADER.PointerToLinenumbers

+001Ch, DWORD. The file pointer to the line-number table.

51. IMAGE_SECTION_HEADER.NumberOfRelocations

+0020h, WORD. Number of relocation entries (used in OBJ files).

52. IMAGE_SECTION_HEADER.NumberOfLinenumbers

+0022h, WORD. Number of entries in the line-number table.

53. IMAGE_SECTION_HEADER.Characteristics:

+0024h, DWORD. Section characteristics.

This is the attribute flag field of the section; each bit indicates an attribute, such as whether the section contains code or initialized or uninitialized data, and whether its memory is executable, readable or writable. The specific definitions are as follows:
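Section 8 above, as an added example (not code from the original page): parsing the section table, converting an RVA to a file offset through PointerToRawData, and the triage checks an analyst runs on the result: the entry point must land in an executable section, no section should be both writable and executable, and sections must not overlap in memory. The three-entry table is constructed inline by build_sample_section_table, including a section whose VirtualSize exceeds its SizeOfRawData and a hypothetical RWX section named .inj; the function names and the .inj section are the example's own.

```python
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40 bytes, fields in the order of section 8
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_section_table(data, offset, number_of_sections):
    """Read NumberOfSections IMAGE_SECTION_HEADER entries starting at offset."""
    sections = []
    for i in range(number_of_sections):
        pos = offset + i * SECTION_HEADER.size
        if pos + SECTION_HEADER.size > len(data):
            raise ValueError("section table runs past end of data")
        (name, vsize, va, rsize, rptr, _reloc, _lines,
         _nreloc, _nlines, chars) = SECTION_HEADER.unpack_from(data, pos)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,          # Misc.VirtualSize: extent in memory
            "virtual_address": va,          # RVA of the section
            "size_of_raw_data": rsize,      # bytes actually present in the file
            "pointer_to_raw_data": rptr,    # file offset of those bytes
            "characteristics": chars,
        })
    return sections


def section_for_rva(sections, rva):
    """The section whose in-memory range contains rva, or None."""
    for s in sections:
        start = s["virtual_address"]
        extent = max(s["virtual_size"], s["size_of_raw_data"])
        if start <= rva < start + extent:
            return s
    return None


def rva_to_file_offset(sections, rva):
    """Map an RVA to its file offset, or None if it has no bytes in the file."""
    s = section_for_rva(sections, rva)
    if s is None:
        return None
    delta = rva - s["virtual_address"]
    if delta >= s["size_of_raw_data"]:
        return None     # lives in the zero-filled tail (VirtualSize > SizeOfRawData)
    return s["pointer_to_raw_data"] + delta


def section_findings(sections, entry_rva):
    """Triage checks over the section table; each string is one suspicious condition."""
    findings = []
    owner = section_for_rva(sections, entry_rva)
    if owner is None:
        findings.append("entry point outside every section")
    elif not owner["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {owner['name']}")
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable+executable section {s['name']}")
    for a, b in zip(sections, sections[1:]):
        if b["virtual_address"] < a["virtual_address"] + a["virtual_size"]:
            findings.append(f"sections {a['name']} and {b['name']} overlap in memory")
    return findings


def build_sample_section_table():
    """Constructed three-entry section table; .inj is a hypothetical RWX section."""
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x0800, 0x1000, 0x0800, 0x0400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x1200, 0x2000, 0x0400, 0x0C00,      # VirtualSize > SizeOfRawData
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".inj", 0x0100, 0x4000, 0x0200, 0x1000,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    return b"".join(SECTION_HEADER.pack(name, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for name, vs, va, rs, rp, ch in rows)


if __name__ == "__main__":
    table = parse_section_table(build_sample_section_table(), 0, 3)
    print("RVA 0x1100 is at file offset", hex(rva_to_file_offset(table, 0x1100)))
    print("RVA 0x2A00 in file:", rva_to_file_offset(table, 0x2A00))   # None: zero-filled tail of .data
    print(section_findings(table, 0x1100))
```

In a real file the offset passed to parse_section_table is e_lfanew + 4 + 20 + SizeOfOptionalHeader and the count is IMAGE_FILE_HEADER.NumberOfSections; the in-memory extent used here is max(VirtualSize, SizeOfRawData), which is what the loader maps before rounding up to SectionAlignment.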
