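; Note: the offset in each comment is the field's offset from the start of the file (the DOS header
; begins at file offset 0).
IMAGE_DOS_HEADER STRUCT
    e_magic     WORD ?          ; +00h  magic DOS signature "MZ" (4Dh 5Ah), DOS executable file tag
    e_cblp      WORD ?          ; +02h  bytes on last page of file
    e_cp        WORD ?          ; +04h  pages in file
    e_crlc      WORD ?          ; +06h  relocations
    e_cparhdr   WORD ?          ; +08h  size of header in paragraphs
    e_minalloc  WORD ?          ; +0Ah  minimum extra paragraphs needed
    e_maxalloc  WORD ?          ; +0Ch  maximum extra paragraphs needed
    e_ss        WORD ?          ; +0Eh  initial (relative) SS value: DOS stub's initial stack segment
    e_sp        WORD ?          ; +10h  initial SP value: DOS stub's initial stack pointer
    e_csum      WORD ?          ; +12h  checksum
    e_ip        WORD ?          ; +14h  initial IP value: DOS stub's entry point offset
    e_cs        WORD ?          ; +16h  initial (relative) CS value: DOS stub's entry code segment
    e_lfarlc    WORD ?          ; +18h  file address of relocation table
    e_ovno      WORD ?          ; +1Ah  overlay number
    e_res       WORD 4 dup(?)   ; +1Ch  reserved words (4 * 2 bytes, so the next field is at +24h)
    e_oemid     WORD ?          ; +24h  OEM identifier (for e_oeminfo)
    e_oeminfo   WORD ?          ; +26h  OEM information; e_oemid specific
    e_res2      WORD 10 dup(?)  ; +28h  reserved words (original text printed 29h; 26h + 2 = 28h,
                                ;       and 10 * 2 bytes brings the next field to +3Ch)
    e_lfanew    DWORD ?         ; +3Ch  file offset of the PE header (IMAGE_NT_HEADERS).
                                ;       A parser must check this value lies inside the file (and
                                ;       leaves room for IMAGE_NT_HEADERS) before following it.
IMAGE_DOS_HEADER ENDS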
; PE header proper, located at file offset IMAGE_DOS_HEADER.e_lfanew.
; Offsets in the comments are relative to the start of this structure.
IMAGE_NT_HEADERS STRUCT
    Signature       DWORD ?                     ; +00h  "PE\0\0" (50h 45h 00h 00h)
    FileHeader      IMAGE_FILE_HEADER <>        ; +04h  COFF file header (14h bytes)
    OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>  ; +18h  optional header (size given by
                                                ;       FileHeader.SizeOfOptionalHeader)
IMAGE_NT_HEADERS ENDS
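/*
 * IMAGE_FILE_HEADER (COFF file header).
 * Offsets in the comments are relative to the start of IMAGE_NT_HEADERS
 * (the 4-byte Signature precedes this header, hence the first field is at +04h).
 * Total size: 14h bytes, so the optional header follows at +18h.
 */
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;               /* +04h  target machine / platform the image runs on */
    WORD  NumberOfSections;      /* +06h  number of sections (entries in the section table) */
    DWORD TimeDateStamp;         /* +08h  file creation date and time */
    DWORD PointerToSymbolTable;  /* +0Ch  file offset of the symbol table (mainly used for debugging) */
    DWORD NumberOfSymbols;       /* +10h  number of symbols in the symbol table (see above) */
    WORD  SizeOfOptionalHeader;  /* +14h  size of the IMAGE_OPTIONAL_HEADER32 that follows;
                                  *       use it to locate the section table rather than assuming
                                  *       a fixed optional-header size */
    WORD  Characteristics;       /* +16h  file attribute flags */
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;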
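/*
 * IMAGE_OPTIONAL_HEADER32 (PE32 optional header).
 * Offsets in the comments are relative to the start of IMAGE_NT_HEADERS
 * (this header starts at +18h, right after IMAGE_FILE_HEADER).
 * In the original text several comments had drifted onto the neighbouring
 * field; they are re-attached to the field they describe here.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    /* Standard fields. */
    WORD  Magic;                        /* +18h  flag: ROM image (0107h), ordinary executable (010Bh) */
    BYTE  MajorLinkerVersion;           /* +1Ah  major version of the linker */
    BYTE  MinorLinkerVersion;           /* +1Bh  minor version of the linker */
    DWORD SizeOfCode;                   /* +1Ch  total size of all sections containing code */
    DWORD SizeOfInitializedData;        /* +20h  total size of all sections with initialized data */
    DWORD SizeOfUninitializedData;      /* +24h  total size of all sections with uninitialized data */
    DWORD AddressOfEntryPoint;          /* +28h  RVA of the program's execution entry point */
    DWORD BaseOfCode;                   /* +2Ch  starting RVA of the code section */
    DWORD BaseOfData;                   /* +30h  starting RVA of the data section */

    /* NT additional fields. */
    DWORD ImageBase;                    /* +34h  preferred load address of the image */
    DWORD SectionAlignment;             /* +38h  alignment of sections in memory */
    DWORD FileAlignment;                /* +3Ch  alignment of sections in the file */
    WORD  MajorOperatingSystemVersion;  /* +40h  major number of the minimum required OS version */
    WORD  MinorOperatingSystemVersion;  /* +42h  minor number of the minimum required OS version */
    WORD  MajorImageVersion;            /* +44h  major version number of the image itself */
    WORD  MinorImageVersion;            /* +46h  minor version number of the image itself */
    WORD  MajorSubsystemVersion;        /* +48h  major number of the minimum required subsystem version */
    WORD  MinorSubsystemVersion;        /* +4Ah  minor number of the minimum required subsystem version */
    DWORD Win32VersionValue;            /* +4Ch  not used; generally 0 */
    DWORD SizeOfImage;                  /* +50h  total size of the image once loaded into memory */
    DWORD SizeOfHeaders;                /* +54h  size of all headers plus the section table */
    DWORD CheckSum;                     /* +58h  image checksum */
    WORD  Subsystem;                    /* +5Ch  subsystem the executable expects */
    WORD  DllCharacteristics;           /* +5Eh  DLL characteristic flags (original text: describes when
                                         *       DllMain() is called; default 0). In current PE images this
                                         *       field also carries the loader mitigation flags such as
                                         *       IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and
                                         *       IMAGE_DLLCHARACTERISTICS_NX_COMPAT. */
    DWORD SizeOfStackReserve;           /* +60h  stack size reserved at initialization */
    DWORD SizeOfStackCommit;            /* +64h  stack size actually committed at initialization */
    DWORD SizeOfHeapReserve;            /* +68h  heap size reserved at initialization */
    DWORD SizeOfHeapCommit;             /* +6Ch  heap size actually committed at initialization */
    DWORD LoaderFlags;                  /* +70h  debugging related; default 0 */
    DWORD NumberOfRvaAndSizes;          /* +74h  number of entries in DataDirectory below; has been 16
                                         *       since Windows NT was released. A parser should still
                                         *       honour the value found in the file rather than assume 16. */
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; /* +78h  data directory table */
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;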
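; One entry of the optional header's data directory table (8 bytes).
IMAGE_DATA_DIRECTORY STRUCT
    VirtualAddress  DWORD ?   ; RVA where the data starts
    isize           DWORD ?   ; length of the data block (the C SDK calls this field Size;
                              ; the MASM include files appear to use isize to avoid the SIZE keyword)
IMAGE_DATA_DIRECTORY ENDS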
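/*
 * IMAGE_SECTION_HEADER: one entry of the section table (28h bytes each).
 * The table starts right after the optional header, i.e. at
 * &FileHeader + sizeof(IMAGE_FILE_HEADER) + FileHeader.SizeOfOptionalHeader,
 * and has FileHeader.NumberOfSections entries.
 * In the original text the comments had drifted one field to the right;
 * they are re-attached to the field they describe here.
 */
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];  /* section name, e.g. ".text"; IMAGE_SIZEOF_SHORT_NAME = 8.
                                           * Not NUL-terminated when all 8 bytes are used, so never
                                           * print it with "%s" without a length limit. */
    union {
        DWORD PhysicalAddress;            /* physical address (OBJ files) */
        DWORD VirtualSize;                /* actual (unaligned) length of the section in memory;
                                           * the two share storage, and this is the one normally used */
    } Misc;
    DWORD VirtualAddress;                 /* RVA of the section */
    DWORD SizeOfRawData;                  /* size of the section's data in the file, rounded up to FileAlignment */
    DWORD PointerToRawData;               /* file offset of the section's data */
    DWORD PointerToRelocations;           /* used in OBJ files: file offset of the relocation entries */
    DWORD PointerToLinenumbers;           /* file offset of the line-number table (for debugging) */
    WORD  NumberOfRelocations;            /* used in OBJ files: number of relocation entries */
    WORD  NumberOfLinenumbers;            /* number of entries in the line-number table */
    DWORD Characteristics;                /* section attribute flags: readable, writable, executable, ... */
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;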
; One entry of the import table (14h bytes), one per imported DLL.
; The table is terminated by an entry whose fields are all zero.
IMAGE_IMPORT_DESCRIPTOR STRUCT
    union
        Characteristics     DWORD ?   ; 0 for a terminating (all-zero) descriptor
        OriginalFirstThunk  DWORD ?   ; RVA of the array of IMAGE_THUNK_DATA naming the imports
    ends
    TimeDateStamp   DWORD ?           ; 0 until the image is bound
    ForwarderChain  DWORD ?           ; index of the first forwarder reference
    Name            DWORD ?           ; RVA of the NUL-terminated ASCII DLL name
    FirstThunk      DWORD ?           ; RVA of the IMAGE_THUNK_DATA array the loader overwrites
                                      ; with the resolved function addresses
IMAGE_IMPORT_DESCRIPTOR ENDS
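; One entry of an import thunk array (4 bytes in PE32). All four members share the same
; storage; which one applies depends on the high bit of the value and on whether the
; array has already been resolved by the loader.
; In the original text each comment had slipped onto the following member; they are
; re-attached to the member they describe here.
IMAGE_THUNK_DATA STRUC
    union u1
        ForwarderString DWORD ?   ; RVA of a forwarder (redirection) string
        Function        DWORD ?   ; memory address of the imported function (after resolution)
        Ordinal         DWORD ?   ; ordinal number of the imported function (import by ordinal)
        AddressOfData   DWORD ?   ; RVA of an IMAGE_IMPORT_BY_NAME (import by name)
    ends
IMAGE_THUNK_DATA ENDS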
; Target of IMAGE_THUNK_DATA.AddressOfData for an import by name.
; Variable-length: only the first byte of Name is declared here.
IMAGE_IMPORT_BY_NAME STRUCT
    Hint    WORD ?   ; hint: probable index of the function in the exporting DLL's name table
    Name    BYTE ?   ; first byte of the NUL-terminated ASCII function name that follows
IMAGE_IMPORT_BY_NAME ENDS
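; Export directory (28h bytes), located via DataDirectory[0] of the optional header.
; In the original text each comment had slipped onto the following member; they are
; re-attached to the member they describe here.
IMAGE_EXPORT_DIRECTORY STRUCT
    Characteristics        DWORD ?   ; not used, always defined as 0
    TimeDateStamp          DWORD ?   ; file generation time
    MajorVersion           WORD  ?   ; not used, always defined as 0
    MinorVersion           WORD  ?   ; not used, always defined as 0
    Name                   DWORD ?   ; RVA of the real module name
    Base                   DWORD ?   ; base ordinal: (ordinal - Base) is the index into the
                                     ; function address array
    NumberOfFunctions      DWORD ?   ; total number of exported functions (entries in AddressOfFunctions)
    NumberOfNames          DWORD ?   ; number of functions exported by name (entries in AddressOfNames
                                     ; and AddressOfNameOrdinals)
    AddressOfFunctions     DWORD ?   ; RVA of the exported function address array
    AddressOfNames         DWORD ?   ; RVA of the exported function name array (RVAs of strings)
    AddressOfNameOrdinals  DWORD ?   ; RVA of the exported function ordinal array (WORD indices into
                                     ; AddressOfFunctions). A parser must bounds-check each index
                                     ; against NumberOfFunctions before using it.
IMAGE_EXPORT_DIRECTORY ENDS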
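; Header of one base relocation block. The block is variable-length: the fixed 8-byte
; header is followed by (SizeOfBlock - 8) / 2 WORD entries, each combining a 4-bit
; relocation type (high nibble) with a 12-bit offset from VirtualAddress.
IMAGE_BASE_RELOCATION STRUC
    VirtualAddress  DWORD ?   ; RVA (page base) that the entries of this block apply to
    SizeOfBlock     DWORD ?   ; total length of the block in bytes, header included.
                              ; A parser should reject a value below 8 or one that runs
                              ; past the end of the relocation directory.
    TypeOffset      WORD  ?   ; first element of the relocation entry array (type:4 | offset:12)
IMAGE_BASE_RELOCATION ENDS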
PE file structure details