PE File Structure in Detail

Source: Internet
Author: User

1. Locating the standard PE header

The length of the DOS stub is not fixed, so the DOS header block is not a fixed-size data structure. The DOS header sits at the very start of the PE file, and the position of the standard PE header that follows the DOS stub is given by the e_lfanew field.

The value of the e_lfanew field is a relative offset; the base address of the DOS MZ header is needed to compute the absolute position.

The absolute position of the PE header is:

PE_start = DOS MZ base address + IMAGE_DOS_HEADER.e_lfanew

2. PE file structure

On a 32-bit system, the most important parts are the PE header and the PE data area.

A PE file on a 32-bit system is divided into: the DOS MZ header, the DOS stub, the PE header, the section table, and the section contents.

The section table is the directory of all sections in the PE file. Each entry describes one section's bytes: the section contents are located in the file through the pointer stored in the directory entry, and the header together with the sections' bytes in the file make up the complete PE file. The PE file header as a whole is the DOS header plus the PE header.

3. pe File Head parsing

DOS MZ header IMAGE_DOS_HEADER:

Its most important members are e_magic and e_lfanew.

Below the DOS MZ header comes the DOS stub. The whole DOS stub is a block of bytes whose content varies with the linker used at link time; PE defines no structure for it.

PE header identification Signature:

After the DOS stub comes the PE header identification, Signature: a four-byte identifier located at the position pointed to by IMAGE_DOS_HEADER.e_lfanew. Its content is fixed and corresponds to the ASCII string "PE\0\0".
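The following Python script is an added example, not code from the original article: it implements the PE_start = base + e_lfanew calculation from section 1 together with the checks a parser needs before trusting e_lfanew (the MZ signature, e_lfanew lying inside the file, and the "PE\0\0" signature at the computed position). The sample bytes are constructed inline, and the helper names (locate_pe_header, build_sample, check) are this example's own.

```python
import struct

DOS_MAGIC = 0x5A4D          # "MZ" as a little-endian word
PE_SIGNATURE = b"PE\0\0"    # 00004550h as little-endian bytes
IMAGE_DOS_HEADER_SIZE = 64  # e_lfanew lives at offset 0x3C of the DOS header


def locate_pe_header(data: bytes) -> int:
    """Return the file offset of the PE signature (PE_start = base + e_lfanew).

    The DOS stub has no fixed length, so e_lfanew is the only way to find the
    PE header; a parser must bound it before dereferencing it.
    """
    if len(data) < IMAGE_DOS_HEADER_SIZE:
        raise ValueError("file shorter than IMAGE_DOS_HEADER")
    e_magic = struct.unpack_from("<H", data, 0)[0]
    if e_magic != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is relative to the start of the DOS header; an arbitrary value
    # can point anywhere, so check it lies past the DOS header and inside the file.
    if e_lfanew < IMAGE_DOS_HEADER_SIZE or e_lfanew + 4 > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    # A single changed byte here makes the loader reject the file as PE.
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("bad PE signature at e_lfanew")
    return e_lfanew


def build_sample(stub_len: int, corrupt_signature: bool = False) -> bytes:
    """Constructed sample (not a real binary): DOS header, a DOS stub of the
    given length, the PE signature, then 20 zero bytes in place of IMAGE_FILE_HEADER."""
    e_lfanew = IMAGE_DOS_HEADER_SIZE + stub_len
    dos = bytearray(IMAGE_DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0, DOS_MAGIC)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\x90" * stub_len   # stub content is linker-specific; any bytes will do
    sig = b"PX\0\0" if corrupt_signature else PE_SIGNATURE
    return bytes(dos) + stub + sig + b"\0" * 20


def check(data: bytes) -> tuple:
    """Wrap locate_pe_header so callers see ('ok', offset) or ('rejected', reason)."""
    try:
        return ("ok", locate_pe_header(data))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check(build_sample(64)))                            # ('ok', 128)
    print(check(build_sample(200)))                           # longer stub: ('ok', 264)
    print(check(build_sample(64, corrupt_signature=True)))    # rejected: bad signature
    print(check(build_sample(64)[:100]))                      # rejected: e_lfanew past EOF
```

The two rejection cases are the ones a scanner sees most often on damaged or deliberately malformed input: a signature that no longer reads "PE\0\0", and an e_lfanew that points beyond the bytes actually present.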

Standard PE header IMAGE_FILE_HEADER:

The standard PE header IMAGE_FILE_HEADER follows the PE signature, i.e. it is located at e_lfanew + 4. The 20 bytes starting at that position are the contents of the IMAGE_FILE_HEADER data structure. (In Microsoft's official documentation this structure is known as the standard Common Object File Format (COFF) header.)

This part records global properties of the PE file, such as the platform it runs on, the file type (EXE or DLL?), and the total number of sections present in the file.

It is used to determine the file type and to obtain the total number of sections in the PE file, which serves as the loop count when traversing the section table.

Extended PE header IMAGE_OPTIONAL_HEADER32

Stores the entry address used when the file is executed, the default base address at which the operating system loads the file into memory, and the alignment units used on disk and in memory.

PE header IMAGE_NT_HEADERS:

This part is the PE header in the broad sense; in a standard PE file its size is 456 bytes.

IMAGE_NT_HEADERS is the sum of the three parts above: Signature, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER.

The detailed definition of the structure is as follows:

Data directory item IMAGE_DATA_DIRECTORY

The last field of the IMAGE_OPTIONAL_HEADER structure, DataDirectory, defines directory information for all the different kinds of data that appear in the PE file, such as the import table, export table, resources and relocation table. In memory the data is organized by the operating system in pages and assigned different access properties; in the file the data is likewise organized by category and stored at specified locations.

This structure describes the location and size of each category of data in the file (and in memory).

The kinds of data defined in the data directory are always the same, and each of them is described in the PE file by an IMAGE_DATA_DIRECTORY structure.

The structure is defined as follows:

The complete data directory consists of 16 identical IMAGE_DATA_DIRECTORY structures laid out consecutively.

Section table item IMAGE_SECTION_HEADER:

The section table, located after IMAGE_NT_HEADERS, consists of several section table entries (IMAGE_SECTION_HEADER), each of which records information about one particular section in the PE file, such as the section's attributes, its size, and its starting locations in the file and in memory.

The number of entries in the section table is given by the NumberOfSections member of IMAGE_FILE_HEADER.

The data structure of the section table is defined as follows:

4. Fields of the PE header IMAGE_NT_HEADERS

1. IMAGE_NT_HEADERS.Signature

+0000h, double word. PE file identification, defined as 00004550h.

If any of these bytes is changed, the operating system will no longer recognize the file as a valid PE file. The program can still run in a DOS environment, because the DOS header portion of the file is untouched.

2. IMAGE_NT_HEADERS.FileHeader:

+0004h, structure. This member holds the IMAGE_FILE_HEADER structure.

3. IMAGE_NT_HEADERS.OptionalHeader:

+0018h, structure. This member holds IMAGE_OPTIONAL_HEADER32, which contains all the header information specific to an operating-system image file.

5. Fields of the standard PE header IMAGE_FILE_HEADER

4. IMAGE_FILE_HEADER.Machine:

+0004h, word. Specifies the platform the PE file runs on.

5. IMAGE_FILE_HEADER.NumberOfSections:

+0006h, word. The total number of sections in the file.

On an XP system the file may contain 0 sections, but the value here cannot be less than 1 or more than 96; if it is set to 0, the operating system reports that the file is not a valid Win32 program when it is loaded.

If you add or delete a section in the PE file, you must change this value accordingly.

This value must not exceed the number of sections actually present; otherwise the file does not load correctly.

6. IMAGE_FILE_HEADER.TimeDateStamp:

+0008h, double word. The timestamp the compiler wrote when creating this file. The low 32 bits hold the number of seconds from 00:00 on 1 January 1970 to the creation time.

This value can be modified arbitrarily without affecting the operation of the program.

7. IMAGE_FILE_HEADER.PointerToSymbolTable:

+000Ch, double word. The file offset of the COFF symbol table.

If there is no COFF symbol table, this value is 0. For image files this value is 0.

8. IMAGE_FILE_HEADER.NumberOfSymbols:

+0010h, double word. The number of entries in the symbol table.

Because the string table immediately follows the symbol table, this value can be used to locate the string table.

In an image file this value is 0; it is used mainly for debugging.

9. IMAGE_FILE_HEADER.SizeOfOptionalHeader:

+0014h, word. Specifies the length of the IMAGE_OPTIONAL_HEADER32 structure.

By default this value is 00E0h; for a 64-bit PE file the default structure size is 00F0h.

10. IMAGE_FILE_HEADER.Characteristics:
+0016h, word. The file attribute flag field; different bits define different file attributes. This is a very important field, since the different settings affect how the system loads the file.
For an ordinary executable PE file this field is generally 010Fh; for a DLL file it is 210Ch.
When bit 1 is 1, the image file is valid and can be run. If this flag is not set, a linker error occurs.
When bit 10 is 1 and the image file is on removable storage media, the loader fully loads it and copies it to the memory swap file.
When bit 11 is 1 and the image file is on the network, the loader likewise fully loads it and copies it to the memory swap file.
When bit 13 is 1, the image file is a dynamic-link library. Such a file is always considered an executable file.
An executable's flag field set to 010Fh means bits 0, 1, 2, 3 and 8 are 1, which identifies the file as an executable that contains no relocation information, no symbol information and no line-number information, and that runs only on a 32-bit platform.
6. Fields of the extended PE header IMAGE_OPTIONAL_HEADER32
11. IMAGE_OPTIONAL_HEADER32.Magic:
+0018h, word. Magic word describing the file type: 010Bh means the file is PE32;
0107h means a ROM image, and 020Bh means PE32+, i.e. a PE file for 64-bit.
12. IMAGE_OPTIONAL_HEADER32.MajorLinkerVersion
13. IMAGE_OPTIONAL_HEADER32.MinorLinkerVersion:
+001Ah, word. Both fields are byte-sized and specify the linker version number; they have no effect on execution.
14. IMAGE_OPTIONAL_HEADER32.SizeOfCode:
+001Ch, double word. The total size of all code sections, in bytes, based on the file-aligned size rather than the memory-aligned size.
15. IMAGE_OPTIONAL_HEADER32.SizeOfInitializedData:
+0020h, double word. The total size of all sections containing initialized data.
16. IMAGE_OPTIONAL_HEADER32.SizeOfUninitializedData:
+0024h, double word. The total size of all sections containing uninitialized data.
Uninitialized data occupies no space in the file, but once the file is loaded into memory the PE loader allocates an appropriately sized region of virtual address space for it.
17. IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint:
+0028h, double word. The value is an RVA: the number of bytes from the start of the loaded image to the first instruction executed.
If a piece of code is attached to an executable file and is meant to run first, this is the value that is typically modified to point at that code.
For an ordinary program image it is the start address.
For a device driver it is the address of the initialization function. The entry point is optional for a DLL; if no entry point exists, this field must be set to 0.
18. IMAGE_OPTIONAL_HEADER32.BaseOfCode:
+002Ch, double word. The starting RVA of the code section, i.e. the offset of the start of the code section relative to the image base once the image is loaded into memory. In general the code section immediately follows the PE header, and its name is usually ".text".
19. IMAGE_OPTIONAL_HEADER32.BaseOfData:
+0030h, double word. The starting RVA of the data section, i.e. the offset of the start of the data section relative to the image base once the image is loaded into memory. In general the data section is at the end of the file, and its name is usually ".data".
20. IMAGE_OPTIONAL_HEADER32.ImageBase:
+0034h, double word. This field gives the preferred load address of the PE image. After the program is loaded into memory, the RVA in AddressOfEntryPoint is relative to this address.
The linker generates machine code for this address when it produces the executable.
If the operating system also loads the image at this address, much of the address information in the instructions needs no modification, so the program runs faster.
For EXE files, each file uses its own separate virtual address space, so the load address is usually not occupied by other modules. An EXE file can therefore always be loaded at this address, which means the EXE does not need to be relocated after loading.
When linking, the "base" parameter can be used to specify the preferred load address; if none is specified, the linker's default load address for an EXE is 0x00400000. For a DLL file the default preferred load address is 0x1000000. When several DLL files are loaded together, their load addresses can conflict, and the PE loader then adjusts the values.
This value can be chosen freely, but it must not go out of bounds: the resulting address must lie within the process space and must be an integer multiple of 64K.
21. IMAGE_OPTIONAL_HEADER32.SectionAlignment:
+0038h, double word. The alignment granularity of sections in memory. This field specifies the unit to which sections are aligned once loaded into memory.
The value of SectionAlignment must be greater than or equal to the FileAlignment value.
22. IMAGE_OPTIONAL_HEADER32.FileAlignment:
+003Ch, double word. The alignment granularity of sections in the file. Sections in the file are aligned to make loading the file from disk more efficient.
All the file systems Windows XP uses to organize hard disks are based on clusters (allocation units), each of which contains several physical sectors. A sector is the smallest unit of physical access to a disk. The larger the cluster, the more information the disk can hold, but the longer it takes to access it.
Typically, Windows formats a partition with a cluster size of 152 bytes, up to 4KB.
23. IMAGE_OPTIONAL_HEADER32.MajorOperatingSystemVersion:
24. IMAGE_OPTIONAL_HEADER32.MinorOperatingSystemVersion:
+0040h. Both fields are words, two words in total. They identify the required operating system version as major and minor version numbers.
25. IMAGE_OPTIONAL_HEADER32.MajorImageVersion:
26. IMAGE_OPTIONAL_HEADER32.MinorImageVersion:
+0044h, double word. The version number of this PE file image.
27. IMAGE_OPTIONAL_HEADER32.MajorSubsystemVersion
28. IMAGE_OPTIONAL_HEADER32.MinorSubsystemVersion
+0048h, double word. The version number of the subsystem required to run the file.
29. IMAGE_OPTIONAL_HEADER32.Win32VersionValue:
+004Ch, double word. The subsystem version value; reserved and currently unused, it must be set to 0.
30. IMAGE_OPTIONAL_HEADER32.SizeOfImage:
+0050h, double word. The size of the whole PE file's mapping in memory.
Its value must be an integer multiple of SectionAlignment.
31. IMAGE_OPTIONAL_HEADER32.SizeOfHeaders:
+0054h, double word. The size of all headers plus the section table, rounded according to the alignment granularity.
32. IMAGE_OPTIONAL_HEADER32.CheckSum
+0058h, double word. Checksum. In most PE files this value is 0, but in some kernel-mode drivers and system DLLs the value must be correct.
33. IMAGE_OPTIONAL_HEADER32.Subsystem
+005Ch, word. Specifies the subsystem (user interface) the file uses. The values are as follows:
34. IMAGE_OPTIONAL_HEADER32.DllCharacteristics
+005Eh, word. DLL file properties. This is a flag field, and it applies not only to DLL files but to all PE files.
35. IMAGE_OPTIONAL_HEADER32.SizeOfStackReserve:
+0060h, double word. The stack size reserved at initialization. This field gives the amount of virtual memory reserved for the stack of the initial thread. The default value is 0x100000 (1MB).
36. IMAGE_OPTIONAL_HEADER32.SizeOfStackCommit:
+0064h, double word. The stack size actually committed at initialization.
This is the amount of memory the initial thread's stack actually occupies; it is committed by the system.
37. IMAGE_OPTIONAL_HEADER32.SizeOfHeapReserve:
+0068h, double word. The heap size reserved at initialization, i.e. the virtual memory reserved for the initial process heap; a handle to this heap can be obtained with the GetProcessHeap function. Every process has at least one default process heap, created when the process starts and never deleted during the lifetime of the process. The default value is 1MB.
38. IMAGE_OPTIONAL_HEADER32.SizeOfHeapCommit:
+006Ch, double word. The heap size committed at initialization: the memory actually committed for the heap when the process is initialized. The default value is 1 page.
39. IMAGE_OPTIONAL_HEADER32.LoaderFlags:
+0070h, double word. Loader flags.
40. IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes:
+0074h, double word. Defines the number of data directory structures, typically 00000010h, i.e. 16.
This field is constrained by SizeOfOptionalHeader; in practice values from 2 to 16 are used.
41. IMAGE_OPTIONAL_HEADER32.DataDirectory:
+0078h, structure.
It consists of 16 IMAGE_DATA_DIRECTORY structures laid out one after another, defining the location and size of the 16 categories of data in the PE file.
7. Fields of the data directory item IMAGE_DATA_DIRECTORY
42. IMAGE_DATA_DIRECTORY.VirtualAddress:
+0000h, double word. This field records the starting RVA of a particular kind of data. For different data structures the field has different meanings.
43. IMAGE_DATA_DIRECTORY.Size:
+0004h, double word. This field records the length of the data block of that kind.
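The following Python code is an added example, not the article's own, covering sections 6 and 7 together: it unpacks IMAGE_OPTIONAL_HEADER32 field by field in the order listed above, reads the IMAGE_DATA_DIRECTORY entries that follow it, and checks the constraints the text states (a known Magic, SectionAlignment >= FileAlignment, ImageBase a multiple of 64K, SizeOfImage a multiple of SectionAlignment, Win32VersionValue zero, NumberOfRvaAndSizes at most 16). The sample header is constructed from the defaults quoted in the text; the linker version, subsystem and import-table directory values are constructed too, and the helper names are assumptions of this example.

```python
import struct

# IMAGE_OPTIONAL_HEADER32 up to (not including) DataDirectory: 0x60 = 96 bytes.
# Offsets relative to the optional header itself (the text's +0018h is +0000h here).
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
OPT32_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion",
    "SizeOfCode", "SizeOfInitializedData", "SizeOfUninitializedData",
    "AddressOfEntryPoint", "BaseOfCode", "BaseOfData", "ImageBase",
    "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
    "MajorImageVersion", "MinorImageVersion",
    "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum",
    "Subsystem", "DllCharacteristics",
    "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit",
    "LoaderFlags", "NumberOfRvaAndSizes",
)
OPT32_FIXED_SIZE = struct.calcsize(OPT32_FMT)   # 0x60; DataDirectory starts here
MAGIC = {0x10B: "PE32", 0x107: "ROM", 0x20B: "PE32+"}
DIRECTORY_FMT = "<II"        # IMAGE_DATA_DIRECTORY: VirtualAddress, Size
MAX_DIRECTORIES = 16


def parse_optional_header32(data: bytes, offset: int) -> dict:
    """Unpack the optional header at `offset` plus its data directory entries."""
    hdr = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, offset)))
    # Read only as many directory entries as claimed, capped at 16, so an
    # oversized NumberOfRvaAndSizes cannot walk the parser past the header.
    count = min(hdr["NumberOfRvaAndSizes"], MAX_DIRECTORIES)
    dirs = []
    for i in range(count):
        va, size = struct.unpack_from(DIRECTORY_FMT, data, offset + OPT32_FIXED_SIZE + 8 * i)
        dirs.append({"VirtualAddress": va, "Size": size})
    hdr["DataDirectory"] = dirs
    return hdr


def sanity_problems(hdr: dict) -> list:
    """Constraints quoted in the text, plus an entry point that must lie inside the image."""
    p = []
    if hdr["Magic"] not in MAGIC:
        p.append(f"unknown Magic 0x{hdr['Magic']:x}")
    if hdr["SectionAlignment"] < hdr["FileAlignment"]:
        p.append("SectionAlignment smaller than FileAlignment")
    if hdr["ImageBase"] % 0x10000:
        p.append("ImageBase not a multiple of 64K")
    if hdr["SectionAlignment"] == 0 or hdr["SizeOfImage"] % hdr["SectionAlignment"]:
        p.append("SizeOfImage not a multiple of SectionAlignment")
    if hdr["Win32VersionValue"] != 0:
        p.append("reserved Win32VersionValue is non-zero")
    if hdr["NumberOfRvaAndSizes"] > MAX_DIRECTORIES:
        p.append(f"NumberOfRvaAndSizes {hdr['NumberOfRvaAndSizes']} exceeds {MAX_DIRECTORIES}")
    if hdr["AddressOfEntryPoint"] >= hdr["SizeOfImage"]:
        p.append("AddressOfEntryPoint lies outside the image")
    return p


def build_sample(**overrides) -> bytes:
    """Constructed PE32 optional header using the defaults quoted in the text."""
    values = dict(zip(OPT32_FIELDS, [0] * len(OPT32_FIELDS)))
    values.update({
        "Magic": 0x10B, "MajorLinkerVersion": 14, "SizeOfCode": 0x600,
        "AddressOfEntryPoint": 0x1000, "BaseOfCode": 0x1000, "BaseOfData": 0x2000,
        "ImageBase": 0x00400000, "SectionAlignment": 0x1000, "FileAlignment": 0x200,
        "MajorSubsystemVersion": 6, "SizeOfImage": 0x3000, "SizeOfHeaders": 0x200,
        "Subsystem": 3,   # IMAGE_SUBSYSTEM_WINDOWS_CUI
        "SizeOfStackReserve": 0x100000, "SizeOfStackCommit": 0x1000,
        "SizeOfHeapReserve": 0x100000, "SizeOfHeapCommit": 0x1000,
        "NumberOfRvaAndSizes": 16,
    })
    values.update(overrides)
    blob = struct.pack(OPT32_FMT, *(values[f] for f in OPT32_FIELDS))
    dirs = [(0, 0)] * MAX_DIRECTORIES
    dirs[1] = (0x2010, 0x28)   # entry 1 is the import table; constructed RVA and size
    return blob + b"".join(struct.pack(DIRECTORY_FMT, *d) for d in dirs)


if __name__ == "__main__":
    good = parse_optional_header32(build_sample(), 0)
    print(MAGIC[good["Magic"]], sanity_problems(good), good["DataDirectory"][1])
    bad = parse_optional_header32(build_sample(ImageBase=0x00400100, FileAlignment=0x2000), 0)
    print(sanity_problems(bad))
```

The second sample violates two of the stated rules at once (an ImageBase that is not 64K-aligned and a FileAlignment larger than SectionAlignment); both are reported, which is the behaviour wanted from a triage tool rather than stopping at the first inconsistency.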
8. Section table item IMAGE_SECTION_HEADER
44. IMAGE_SECTION_HEADER.Name1
+0000h, 8 bytes. The section name, usually an ASCII string terminated by "\0". Its content is user-defined.
45. IMAGE_SECTION_HEADER.Misc:
+0008h, double word.
46. IMAGE_SECTION_HEADER.VirtualAddress
+000Ch, double word. The RVA of the section.
47. IMAGE_SECTION_HEADER.SizeOfRawData
+0010h, double word. The size of the section after file alignment.
48. IMAGE_SECTION_HEADER.PointerToRawData:
+0014h, double word. The file offset at which the section's data starts.
49. IMAGE_SECTION_HEADER.PointerToRelocations:
+0018h, double word. Used in OBJ files; a pointer to the relocation table.
50. IMAGE_SECTION_HEADER.PointerToLinenumbers
+001Ch, double word. The location of the line-number table.
51. IMAGE_SECTION_HEADER.NumberOfRelocations
+0020h, word. The number of relocation entries (used in OBJ files).
52. IMAGE_SECTION_HEADER.NumberOfLinenumbers
+0022h, word. The number of entries in the line-number table.
53. IMAGE_SECTION_HEADER.Characteristics:
+0024h, double word. The attributes of the section.
This is the section's attribute flag field, in which different bits represent different attributes. It is defined as follows:
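As an added example (not code from the original article), the following Python parses a constructed section table using the IMAGE_SECTION_HEADER layout above, converts an RVA to a file offset through that table (the directory-to-bytes mapping described in section 2), and performs two checks a scanner applies to every entry: that PointerToRawData + SizeOfRawData stays within the file, and that no section is marked both writable and executable. The flag masks are the standard IMAGE_SCN_* constants; the section names, sizes and helper names are this example's own.

```python
import struct

# IMAGE_SECTION_HEADER, 40 bytes: Name1, Misc (VirtualSize), VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)   # 40
SECTION_FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
                  "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
                  "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")

# Section Characteristics bits (standard IMAGE_SCN_* values).
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {SCN_CNT_CODE: "CODE", SCN_CNT_INITIALIZED_DATA: "IDATA",
              SCN_CNT_UNINITIALIZED_DATA: "UDATA", SCN_MEM_EXECUTE: "X",
              SCN_MEM_READ: "R", SCN_MEM_WRITE: "W"}


def parse_section_table(data: bytes, offset: int, count: int) -> list:
    """Read `count` entries (NumberOfSections) starting at `offset`, just after IMAGE_NT_HEADERS."""
    sections = []
    for i in range(count):
        raw = struct.unpack_from(SECTION_FMT, data, offset + i * SECTION_SIZE)
        sec = dict(zip(SECTION_FIELDS, raw))
        sec["Name"] = sec["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return sections


def decode_flags(chars: int) -> list:
    return [name for mask, name in FLAG_NAMES.items() if chars & mask]


def rva_to_file_offset(sections: list, rva: int):
    """Map an RVA to a file offset via the section that contains it; None if not file-backed."""
    for sec in sections:
        start = sec["VirtualAddress"]
        extent = max(sec["VirtualSize"], sec["SizeOfRawData"])
        if start <= rva < start + extent:
            delta = rva - start
            if delta < sec["SizeOfRawData"]:
                return sec["PointerToRawData"] + delta
            return None   # inside the virtual range but past the raw data (e.g. .bss)
    return None


def section_problems(sections: list, file_size: int) -> list:
    """Checks to run before trusting any section entry."""
    problems = []
    for sec in sections:
        end = sec["PointerToRawData"] + sec["SizeOfRawData"]
        if end > file_size:
            problems.append(f"{sec['Name']}: raw data ends at 0x{end:x}, past EOF 0x{file_size:x}")
        if sec["Characteristics"] & SCN_MEM_WRITE and sec["Characteristics"] & SCN_MEM_EXECUTE:
            problems.append(f"{sec['Name']}: writable and executable")
    return problems


def build_sample():
    """Constructed three-entry section table and a constructed total file size of 0xC00."""
    rows = [(b".text", 0x500, 0x1000, 0x600, 0x400, 0x60000020),   # code, R+X
            (b".data", 0x100, 0x2000, 0x200, 0xA00, 0xC0000040),   # initialized data, R+W
            (b".rwx",  0x400, 0x3000, 0x400, 0x1000, 0xE0000020)]  # R+W+X and past EOF
    blob = b"".join(struct.pack(SECTION_FMT, name, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for name, vs, va, rs, rp, ch in rows)
    return blob, 0xC00


if __name__ == "__main__":
    table, file_size = build_sample()
    secs = parse_section_table(table, 0, 3)
    for sec in secs:
        print(sec["Name"], decode_flags(sec["Characteristics"]))
    print(hex(rva_to_file_offset(secs, 0x1234)))   # 0x634: .text raw data + 0x234
    print(rva_to_file_offset(secs, 0x5000))        # None: no section covers this RVA
    print(section_problems(secs, file_size))
```

The RVA conversion is the step every later lookup depends on: a data directory entry gives an RVA, and only the section table says which bytes of the file back it, so an RVA that maps to no section (or to a section whose raw data lies past the end of the file) should be treated as unreadable rather than followed.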
