PE file structure (1)

Source: Internet
Author: User



Reference

Book: Encryption and Decryption

Video: Little Turtle decryption series video


EXE and DLL files are both PE (portable executable) files. PE files use a flat address space: all code and data are merged into one large structure. Let's look at two figures to get a rough idea of the PE file structure.



Framework Structure of PE files




Reading this figure from the bottom up, we can see the approximate structure of a PE file: the DOS header, the PE file header, the section table (block table), the sections, and the debugging information. These structures are defined in the "Image Format" section of winnt.h.


Structure of PE file disk and memory image



This figure shows how a PE file is mapped into memory. The layout of the PE file on disk and its layout in memory are not identical, but they are basically the same, with the same overall arrangement. The DOS header, PE header and section table start at the same offset on disk and in memory. However, because the file alignment differs from the memory alignment, Windows does not map the file as one contiguous copy, so the offsets of the subsequent sections relative to the start of the file can differ between disk and memory.

After Windows loads the PE file into memory, the in-memory version is called a module. The starting address of the mapped file is called the module handle (HMODULE), which is the base address (ImageBase) shown in the figure. Starting from it, you can reach the other structures in the module.


The following describes the structure of the PE file:


MS-DOS header

The first bytes of a PE file are a traditional MS-DOS header called IMAGE_DOS_HEADER.

(The following code can be found in winnt.h.)

typedef struct _IMAGE_DOS_HEADER {
    WORD  e_magic;         // +00h  DOS executable file signature "MZ"
    WORD  e_cblp;
    WORD  e_cp;
    WORD  e_crlc;
    WORD  e_cparhdr;
    WORD  e_minalloc;
    WORD  e_maxalloc;
    WORD  e_ss;
    WORD  e_sp;
    WORD  e_csum;
    WORD  e_ip;
    WORD  e_cs;
    WORD  e_lfarlc;
    WORD  e_ovno;
    WORD  e_res[4];
    WORD  e_oemid;
    WORD  e_oeminfo;
    WORD  e_res2[10];
    LONG  e_lfanew;        // +3Ch  points to the PE file header, "PE\0\0"
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

Of these fields, e_magic and e_lfanew are the important ones: e_magic is "MZ", and e_lfanew is the relative offset (RVA) of the real PE file header.


Image 3



PE File Header

After the DOS stub comes the PE header, called IMAGE_NT_HEADERS.

typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;      // +00h  PE file header signature "PE\0\0"
    IMAGE_FILE_HEADER     FileHeader;     // +04h
    IMAGE_OPTIONAL_HEADER OptionalHeader; // +18h
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

IMAGE_FILE_HEADER


IMAGE_FILE_HEADER is the image file header and holds basic information about the PE file. Its SizeOfOptionalHeader field gives the size of IMAGE_OPTIONAL_HEADER.

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // +04h  target platform
    WORD  NumberOfSections;     // +06h  number of sections in the file
    DWORD TimeDateStamp;        // +08h  file creation time, in seconds since 1 January 1970
    DWORD PointerToSymbolTable; // +0Ch  points to the COFF symbol table (for debugging)
    DWORD NumberOfSymbols;      // +10h  number of symbols in the symbol table (for debugging)
    WORD  SizeOfOptionalHeader; // +14h  size of IMAGE_OPTIONAL_HEADER: usually 00E0h for 32-bit files, 00F0h for 64-bit files
    WORD  Characteristics;      // +16h  file attributes, obtained by OR-ing several IMAGE_FILE_xx flags defined in winnt.h;
                                //       an EXE is usually 010Fh and a DLL is usually 210Eh
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

Image 4


IMAGE_OPTIONAL_HEADER

IMAGE_OPTIONAL_HEADER is the optional image header. Although it is called optional, in practice IMAGE_FILE_HEADER alone is not enough; IMAGE_OPTIONAL_HEADER is needed to define more data.


typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;          // +28h  RVA of the program entry point; usually 0 for a DLL
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;                    // +34h  default base address at which the program is loaded
    DWORD SectionAlignment;             // +38h  alignment of sections in memory; 1000h (4 KB) for 32-bit files
    DWORD FileAlignment;                // +3Ch  alignment of sections in the file; usually 200h or 1000h
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;                    // enumerated subsystem (user interface type) the executable expects,
                                        // i.e. whether the program needs a graphical interface
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;          // +74h  number of data directory entries; always 16
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
                                        // +78h  data directory table: import table, export table, resource table, etc.
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;


DataDirectory in IMAGE_OPTIONAL_HEADER is the data directory table, an array of IMAGE_DATA_DIRECTORY entries. Each entry defines the starting RVA and size of one table, such as the import table, the export table or the resource table.

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // starting RVA of the data block
    DWORD Size;           // length of the data block
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;


Image 5

From this picture we can see that this program has no export table, and that its import table is at RVA 543Ch with a size of 3Ch.


Section table (block table)


Between the PE file header and the raw data lies the section table. Generally, a PE file must contain at least a .text section and a .data section.

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // section name; IMAGE_SIZEOF_SHORT_NAME is 8
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;               // actual section size (i.e. the size before alignment)
    } Misc;
    DWORD VirtualAddress;                // RVA at which this section is loaded in memory; the first section defaults to 1000h
    DWORD SizeOfRawData;                 // size of the section in the file on disk, after alignment
    DWORD PointerToRawData;              // file offset of the section's raw data
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;               // section attributes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
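As an added example (not code from the original post), the header chain described above walked in Python: DOS header, e_lfanew, IMAGE_NT_HEADERS, the data directory and the section table, plus the RVA-to-file-offset translation where the disk/memory alignment difference from the earlier figure shows up. The input is a constructed minimal PE32 image, not a real program; its field values and the .text layout are assumptions.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image (assumption, not a real program): only the fields read below matter."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                                    # e_magic
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE header at file offset 0x40
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=E0h, EXE flags 010Fh
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                               # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0x00, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 0x10, 0x1010)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<III", opt, 0x1C, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x5C, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * 1, 0x1100, 0x3C)      # DataDirectory[1] = import table (RVA, size)
    # IMAGE_SECTION_HEADER for .text: VirtualSize 180h, VirtualAddress 1000h, SizeOfRawData 200h, PointerToRawData 200h
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x180, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return img + b"\0" * (0x400 - len(img))             # pad so the .text raw data exists on disk

def parse_pe(data):
    """Walk DOS header -> e_lfanew -> NT headers -> data directory -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew: missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER at +04h
    _machine, nsect, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 0x14                                     # IMAGE_OPTIONAL_HEADER at +18h
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]              # +28h from NT headers
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 0x1C)
    ndirs = struct.unpack_from("<I", data, opt + 0x5C)[0]              # +74h from NT headers
    dirs = [struct.unpack_from("<II", data, opt + 0x60 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):                              # section table directly follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return {"entry": entry, "image_base": image_base, "section_align": sect_align,
            "file_align": file_align, "dirs": dirs, "sections": sections}

def rva_to_file_offset(pe, rva):
    """Memory RVA -> disk offset: headers map 1:1, section data does not (alignments differ)."""
    for _name, vsize, va, rawsize, rawptr in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return rva if rva < pe["sections"][0][2] else None  # header region, or not mapped by any section
```

With the sample image, the import table at RVA 1100h lands at file offset 300h, not 1100h, because the section starts at RVA 1000h in memory but at offset 200h on disk.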
