PE file structure and function export table--Detailed and examples
As Windows has moved from XP to Win7 and Win8, and from 32-bit to 64-bit, the PE file structure has stayed the same overall but has changed in a few small ways: on the one hand the recommended load address (ImageBase) is no longer honoured, on the other hand the export function ordinals are no longer in simple ascending order but appear in a shuffled order. This article first explains the structure of the PE file in detail, then shows how the function export table is derived, illustrating the whole process with the Wininet.dll found in the SysWoW64 directory. Along the way, the differences between Win7, Win8 and other newer systems relative to XP are pointed out.
Article Link: http://blog.csdn.net/typ2004/article/details/44227597
Part I
1. DOS Header
The DOS header is 64 bytes in total; its last double word holds the file offset of the PE header.
2. PE Header
The PE header, as defined in WinNT.h, consists of three parts:
    typedef struct _IMAGE_NT_HEADERS {
        DWORD                   Signature;      // "PE\0\0" in ASCII
        IMAGE_FILE_HEADER       FileHeader;     // standard header
        IMAGE_OPTIONAL_HEADER32 OptionalHeader; // optional header
    } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
Part one: PE signature
A PE signature of DWORD size.
Part two: standard header
A 20-byte PE standard header. Its concrete structure is:
    typedef struct _IMAGE_FILE_HEADER {
        WORD  Machine;
        WORD  NumberOfSections;     // number of sections in the PE
        DWORD TimeDateStamp;
        DWORD PointerToSymbolTable;
        DWORD NumberOfSymbols;
        WORD  SizeOfOptionalHeader; // length of the PE optional header
        WORD  Characteristics;
    } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Part three: optional header
The third part is the PE optional header.
The DWORD ImageBase at file offset 0x12C (0x63000000) is the program's recommended load address. On XP this address may actually be used, but on Win7, Win8 and later it is no longer honoured.
The DWORD NumberOfRvaAndSizes at file offset 0x16C (0x00000010, the usual value) is the number of entries in the data directory that follows.
Note: for 64-bit images NumberOfRvaAndSizes sits 16 bytes further along in the file than for 32-bit ones, because the four preceding fields starting at SizeOfStackReserve are 8 bytes each in the 64-bit header and 4 bytes each in the 32-bit header.
Next comes the data directory field, 8 * IMAGE_NUMBEROF_DIRECTORY_ENTRIES (8*16) bytes in size, which records the address and size of the export table, import table, resource table, exception table and others (16 address/size pairs in total). At file offset 0x170 you can see the value 0x3D44, which is the virtual address (RVA) of the export table.
    typedef struct _IMAGE_DATA_DIRECTORY {
        DWORD VirtualAddress; // address (RVA)
        DWORD Size;           // size
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
The full structure of the PE optional header is:
    typedef struct _IMAGE_OPTIONAL_HEADER {
        // Standard fields.
        WORD  Magic;
        BYTE  MajorLinkerVersion;
        BYTE  MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        // NT additional fields.
        DWORD ImageBase;
        DWORD SectionAlignment;   // alignment granularity in memory
        DWORD FileAlignment;      // alignment granularity in the file
        WORD  MajorOperatingSystemVersion;
        WORD  MinorOperatingSystemVersion;
        WORD  MajorImageVersion;
        WORD  MinorImageVersion;
        WORD  MajorSubsystemVersion;
        WORD  MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD  Subsystem;
        WORD  DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        DWORD NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
3. Section Table
The PE header is followed by the section table, an array of section headers:
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;
        DWORD VirtualAddress;
        DWORD SizeOfRawData;
        DWORD PointerToRawData;
        DWORD PointerToRelocations;
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
The section table of this file contains the following entries (virtual size = Misc.VirtualSize, virtual offset = VirtualAddress, actual size = SizeOfRawData, actual offset = PointerToRawData, all values in hex):

    Section   Virtual Size  Virtual Offset  Actual Size  Actual Offset  Characteristics
    .text     00180454      00001000        00180600     00000400       60000020
    .orpc     0000009E      00182000        00000200     00180A00       60000020
    .wpp_sf   00009E3F      00183000        0000A000     00180C00       60000020
    .data     0000755C      0018D000        00003E00     0018AC00       C0000040
    .idata    00002444      00195000        00002600     0018EA00       40000040
    .didat    0000057C      00198000        00000600     00191000       C0000040
    .rsrc     0002BE40      00199000        0002C000     00191600       40000040
    .reloc    0000F8BC      001C5000        0000FA00     001BD600       42000040
4. The Sections
After the section table come the sections themselves. Note that the gap between the section table and the first section is padded directly with zeros, and so are the gaps between sections: each section only needs to start at a multiple of the FileAlignment given in the PE optional header (0x0200 in this case).
Part II
Function Export Table
1. Export Directory
From the above we know that 0x3D44 is the virtual address (RVA) of the export table and that its size is 0x255F.
Comparing this RVA against the virtual offset and virtual size of each section shows that the export table lies in the .text section. For .text, (virtual offset - actual offset) = 0x1000 - 0x0400 = 0x0C00, so the file offset of the export table is 0x3D44 - 0x0C00 = 0x3144.
The structure of the export directory is:
    typedef struct _IMAGE_EXPORT_DIRECTORY {
        DWORD Characteristics;
        DWORD TimeDateStamp;
        WORD  MajorVersion;
        WORD  MinorVersion;
        DWORD Name;                  // RVA of the exporting module's file name string
        DWORD Base;
        DWORD NumberOfFunctions;     // number of all exported functions
        DWORD NumberOfNames;         // number of functions exported by name
        DWORD AddressOfFunctions;    // export address table, RVA from base of image
        DWORD AddressOfNames;        // export name pointer table, RVA from base of image
        DWORD AddressOfNameOrdinals; // export ordinal table, RVA from base of image
    } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
Reading this structure from the file gives: NumberOfFunctions = 0x0143, NumberOfNames = 0x0123, the export address table at file offset 0x3D6C - 0x0C00 = 0x316C, the export name pointer table at 0x4278 - 0x0C00 = 0x3678, and the export ordinal table at 0x4704 - 0x0C00 = 0x3B04.
2. Export Address Table
Walking the table from file offset 0x316C yields 0x0FC6A0, 0x154D40, 0x154E30, 0x11C180, 0x11C600, 0x0FEF30, 0x081290 and so on; this is the list of function addresses (RVAs).
3. Export Name Pointer Table
Walking the table from file offset 0x3678 yields the virtual offsets 0x4956, 0x496C, 0x4980 and so on, which correspond to file offsets 0x3D56, 0x3D6C, 0x3D80 and so on; the function name strings are found at those locations.
4. Export Ordinal Table
AddressOfNameOrdinals points to a list of ordinals. Each entry corresponds one-to-one with an entry of the export name pointer table and gives the index, in the export address table, of the function that carries that name.
In this example, the first entry of the ordinal table at file offset 0x3B04 is 0x0006, meaning the function named AppCacheCheckManifest corresponds to index 6 (counting from 0) of the export address table, that is, the address 0x081290.
5. Address of the Exported Function in Memory
On XP, the memory address of the exported function AppCacheCheckManifest is obtained simply by adding its RVA to the program's recommended load address ImageBase (the field of the optional header described in Part I, section 2).
On Win7, Win8 and later systems, however, the RVA must be added to the address at which the program was actually loaded. That address can be obtained with (DWORD) LoadLibrary(DllFilePath).
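As an added example (not code from the original article, nor Microsoft's), the following Python script applies the RVA-to-file-offset rule from step 1 to the Wininet.dll section table printed in Part I, then walks an export directory the way steps 2 to 4 do, including the indirection through the name-ordinal table, and finishes with the base-plus-RVA addition from step 5. The export directory it parses is a constructed byte image: demo.dll, the names Alpha and Beta, and their RVAs are made-up test data, and only the standard-library struct module is used.

```python
import struct

# Section table as printed in the article for Wininet.dll (SysWoW64):
# (name, VirtualAddress, PointerToRawData, SizeOfRawData).
WININET_SECTIONS = [
    (".text",   0x00001000, 0x00000400, 0x00180600),
    (".orpc",   0x00182000, 0x00180A00, 0x00000200),
    (".wpp_sf", 0x00183000, 0x00180C00, 0x0000A000),
    (".data",   0x0018D000, 0x0018AC00, 0x00003E00),
    (".idata",  0x00195000, 0x0018EA00, 0x00002600),
    (".didat",  0x00198000, 0x00191000, 0x00000600),
    (".rsrc",   0x00199000, 0x00191600, 0x0002C000),
    (".reloc",  0x001C5000, 0x001BD600, 0x0000FA00),
]

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes, little-endian


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset: rva - VirtualAddress + PointerToRawData.

    RVAs below the first section live in the headers, which are not moved on
    load, so the offset equals the RVA.  An RVA inside a section but past its
    raw data (e.g. the zero-filled tail of .data) has no file offset at all;
    rather than guess, we raise.
    """
    if rva < sections[0][1]:
        return rva
    for _name, va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not backed by file data" % rva)


def read_cstring(image, offset):
    """Read a NUL-terminated ASCII string at a file offset."""
    return image[offset:image.index(b"\0", offset)].decode("ascii")


def parse_exports(image, sections, dir_rva):
    """Return (dll_name, {name: rva}, {ordinal: rva}) for the export directory at dir_rva."""
    off = rva_to_offset(dir_rva, sections)
    (_chars, _stamp, _major, _minor, name_rva, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, off)
    # Three parallel tables, exactly as the article walks them by hand.
    funcs = struct.unpack_from("<%dI" % n_funcs, image, rva_to_offset(funcs_rva, sections))
    name_ptrs = struct.unpack_from("<%dI" % n_names, image, rva_to_offset(names_rva, sections))
    ords = struct.unpack_from("<%dH" % n_names, image, rva_to_offset(ords_rva, sections))
    # Ordinal = Base + index into the address table; a zero RVA is an unused slot.
    by_ordinal = {base + i: rva for i, rva in enumerate(funcs) if rva != 0}
    by_name = {}
    for ptr, idx in zip(name_ptrs, ords):
        # The ordinal table holds the unbiased index (Base not added) and need
        # not be in order: the article's first name maps to slot 6.
        if idx >= n_funcs:
            raise ValueError("name ordinal %d exceeds NumberOfFunctions" % idx)
        by_name[read_cstring(image, rva_to_offset(ptr, sections))] = funcs[idx]
    return read_cstring(image, rva_to_offset(name_rva, sections)), by_name, by_ordinal


def address_in_memory(module_base, rva):
    """Step 5: on Win7/Win8 add the real base returned by LoadLibrary, not ImageBase."""
    return module_base + rva


def build_demo_image():
    """CONSTRUCTED test data: 0x200 bytes of dummy headers followed by one section
    holding an export directory, its three tables and the string pool.  It is
    not a loadable PE, just the bytes the functions above need."""
    sec_va, sec_raw = 0x1000, 0x200
    func_rvas = [0x2010, 0x2020, 0x2030]  # three exported functions (made up)
    names = [b"Alpha", b"Beta"]            # sorted, as the linker emits them
    name_ords = [2, 0]                     # Alpha -> slot 2, Beta -> slot 0; slot 1 is ordinal-only
    funcs_rva = sec_va + struct.calcsize(EXPORT_DIR_FMT)
    names_rva = funcs_rva + 4 * len(func_rvas)
    ords_rva = names_rva + 4 * len(names)
    pool_rva = ords_rva + 2 * len(names)
    pool, name_rvas = bytearray(b"demo.dll\0"), []
    for n in names:
        name_rvas.append(pool_rva + len(pool))
        pool += n + b"\0"
    body = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, pool_rva, 1,
                       len(func_rvas), len(names), funcs_rva, names_rva, ords_rva)
    body += struct.pack("<%dI" % len(func_rvas), *func_rvas)
    body += struct.pack("<%dI" % len(name_rvas), *name_rvas)
    body += struct.pack("<%dH" % len(name_ords), *name_ords)
    body += bytes(pool)
    image = bytes(sec_raw) + body.ljust(sec_raw, b"\0")
    return image, [(".text", sec_va, sec_raw, sec_raw)], sec_va


if __name__ == "__main__":
    # The article's numbers: export directory RVA 0x3D44 in .text -> file offset 0x3144
    print("Wininet export directory at file offset 0x%X" % rva_to_offset(0x3D44, WININET_SECTIONS))
    dll, by_name, by_ord = parse_exports(*build_demo_image())
    print(dll, by_name, by_ord)
```

Two checks in the script matter when the input is untrusted: an RVA that no section's raw data backs is rejected instead of being turned into an out-of-file offset, and an ordinal-table entry larger than NumberOfFunctions is rejected before it is used as an index into the address table.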
That's all.