PE file structure details

Source: Internet
Author: User

Reposted from: http://hi.baidu.com/cqulwq/blog/item/2be170d6dbb03d2906088b26.html

We all know that under Windows 9x, NT and 2000 every executable file uses a new file format designed by Microsoft: the Portable Executable File Format, that is, the PE format. In some cases we need to modify these executable files. The text below attempts to describe the PE file format in detail and to show how to modify it.

PE file framework

DOS MZ Header
DOS Stub
PE Header
Section Table
Section 1
Section 2
Section ...
Section N


The table above shows the overall layout of the PE file structure. All PE files (even 32-bit DLLs) must begin with a simple DOS MZ header: at offset 0 it carries the "MZ" mark of a DOS executable. Because of it, when the program is run under DOS, DOS recognises it as a valid executable and runs the DOS Stub that immediately follows the MZ header. After the DOS Stub comes the PE Header. "PE Header" is short for the PE-related structure IMAGE_NT_HEADERS, which contains many important fields used by the PE loader. When the executable runs on an operating system that supports the PE file structure, the PE loader reads the start offset of the PE Header from offset 3Ch of the DOS MZ header, so the real file header, the PE Header, is located directly, skipping the DOS Stub.

Note: the DOS Stub is in fact a valid DOS EXE. On an operating system that does not support the PE file format it simply prints an error message, something like "This program cannot be run in DOS mode", although programmers can put complete DOS code there if they wish. Usually the DOS Stub is generated automatically by the assembler/compiler and is not very useful for us: it simply calls service 9 of interrupt 21h to display the string "This program cannot be run in DOS mode".


The real content of a PE file is divided into blocks called sections. Each section is a piece of data with common attributes, such as the ".text" section. What does each section hold? In fact a PE-format file places content with the same attributes in the same section, so you need not care about names like ".text" or ".data"; they exist only for easy identification. In theory, a PE file can be written into any section and the section's attributes adjusted accordingly.

Following the PE Header is an array structure, the Section Table. Each structure in it holds the attributes, file offset and virtual offset of the corresponding section. If the PE file contains five sections, the array has five members.

The above is the physical layout of the PE file format. The main steps for loading a PE file are as follows:

1. When the PE file is executed, the PE loader checks the PE Header offset stored in the DOS MZ header. If it is found, the loader jumps to the PE Header.
2. The PE loader checks the validity of the PE Header. If it is valid, the loader jumps to the end of the PE Header.
3. The section table follows the PE Header. The PE loader reads the section information and maps the sections into memory using file mapping, applying to each section the attributes specified in the section table.
4. After the PE file has been mapped into memory, the PE loader processes the logical sections of the PE file, such as the import table.

PE file header definition


We can find the PE file header definition in the WINNT.h file:

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // PE header signature "PE\0\0"; it starts at the offset stored at 3Ch in the DOS header
    IMAGE_FILE_HEADER FileHeader;           // physical layout of the PE file
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // logical layout of the PE file
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;              // CPU required to run the file; 14Ch for the Intel platform
    WORD  NumberOfSections;     // number of sections in the file
    DWORD TimeDateStamp;        // file creation date and time
    DWORD PointerToSymbolTable; // used for debugging
    DWORD NumberOfSymbols;      // number of symbols in the symbol table
    WORD  SizeOfOptionalHeader; // size of the OptionalHeader structure
    WORD  Characteristics;      // file attribute flags, e.g. whether the file is an EXE or a DLL
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                       // signature (always 010Bh)
    BYTE  MajorLinkerVersion;          // linker version
    BYTE  MinorLinkerVersion;          //
    DWORD SizeOfCode;                  // size of the code section
    DWORD SizeOfInitializedData;       // size of the initialized data section
    DWORD SizeOfUninitializedData;     // size of the uninitialized data section
    DWORD AddressOfEntryPoint;         // RVA of the first instruction the PE loader runs. To change the whole
                                       // execution flow, point this value at a new RVA; the code at that RVA
                                       // then runs first. (Many earlier articles cover RVAs; understand them first.)
    DWORD BaseOfCode;                  // starting RVA of the code section
    DWORD BaseOfData;                  // starting RVA of the data section
    DWORD ImageBase;                   // address at which the PE file is loaded
    DWORD SectionAlignment;            // section alignment in memory
    DWORD FileAlignment;               // section alignment in the file
    WORD  MajorOperatingSystemVersion; // required OS version
    WORD  MinorOperatingSystemVersion; //
    WORD  MajorImageVersion;           // user-defined version number
    WORD  MinorImageVersion;           //
    WORD  MajorSubsystemVersion;       // Win32 subsystem version. If the PE file is designed specifically for Win32,
    WORD  MinorSubsystemVersion;       // this subsystem version must be 4.0, otherwise dialog boxes will not have the 3D look
    DWORD Win32VersionValue;           // reserved
    DWORD SizeOfImage;                 // size of the whole PE image in memory
    DWORD SizeOfHeaders;               // size of all headers plus the section table
    DWORD CheckSum;                    // checksum
    WORD  Subsystem;                   // used by NT to identify the subsystem of the PE file
    WORD  DllCharacteristics;          //
    DWORD SizeOfStackReserve;          //
    DWORD SizeOfStackCommit;           //
    DWORD SizeOfHeapReserve;           //
    DWORD SizeOfHeapCommit;            //
    DWORD LoaderFlags;                 //
    DWORD NumberOfRvaAndSizes;         //
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
                                       // array of IMAGE_DATA_DIRECTORY structures; each gives the RVA of an
                                       // important data structure, such as the import address table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // RVA of the table
    DWORD Size;           // size of the table
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

The PE file header is followed by the section table, which is defined in winnt.h as follows:

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // section name, such as ".text"
    union {
        DWORD PhysicalAddress;           // physical address
        DWORD VirtualSize;               // actual length of the section
    } Misc;
    DWORD VirtualAddress;                // RVA of the section
    DWORD SizeOfRawData;                 // physical (on-disk) length
    DWORD PointerToRawData;              // offset of the section from the start of the file
    DWORD PointerToRelocations;          // offset of the relocation table
    DWORD PointerToLinenumbers;          // offset of the line number table
    WORD  NumberOfRelocations;           // number of relocation entries
    WORD  NumberOfLinenumbers;           // number of line number entries
    DWORD Characteristics;               // section attributes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

The structures above come from winnt.h. To operate on PE executables with C/C++ we need all of them; together they describe the structure of the PE file header in detail.
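As an added example (not code from the original page), here is a small C parser that follows the loader steps and structures described above: it locates the PE Header through offset 3Ch, validates the "PE\0\0" signature, walks the section table, and converts an RVA to a file offset, the calculation needed before reading or writing code inside a section. The field offsets are taken from the WINNT.h layouts above; the sample image it parses is constructed in the code and is not a real executable, and windows.h is deliberately not used so the example runs on any platform.

```c
#include <stdint.h>
#include <string.h>
/* LE field access. Offsets follow the WINNT.h layouts on this page; parser and sample are this example's own. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Loader steps 1-2: "MZ" at 0, e_lfanew at 0x3C, "PE\0\0" there. Returns the PE header
   offset, or -1 if a check fails or the header would lie outside the buffer. */
long pe_header_offset(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    return (long)pe;
}

/* Loader step 3: walk the IMAGE_SECTION_HEADER array (40 bytes each) to turn an RVA into
   a file offset. Returns -1 when no section backs the RVA with raw data inside the file. */
long rva_to_file_offset(const uint8_t *buf, size_t len, uint32_t rva) {
    long pe = pe_header_offset(buf, len); if (pe < 0) return -1;
    uint16_t nsec = rd16(buf + pe + 6);                  /* IMAGE_FILE_HEADER.NumberOfSections */
    size_t sec = (size_t)pe + 24 + rd16(buf + pe + 20);  /* skip SizeOfOptionalHeader bytes */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;                   /* truncated section table */
        uint32_t va = rd32(buf + sec + 12), raw = rd32(buf + sec + 16), ptr = rd32(buf + sec + 20);
        if (rva >= va && rva - va < raw && (uint64_t)ptr + (rva - va) < len) return (long)(ptr + (rva - va));
    }
    return -1;
}

/* AddressOfEntryPoint (16 bytes into IMAGE_OPTIONAL_HEADER32, which starts 24 bytes after "PE\0\0") as a file offset. */
long entry_point_file_offset(const uint8_t *buf, size_t len) {
    long pe = pe_header_offset(buf, len);
    if (pe < 0 || rd16(buf + pe + 20) < 20 || (size_t)pe + 44 > len) return -1;
    return rva_to_file_offset(buf, len, rd32(buf + pe + 40));
}

/* Constructed sample (not a real executable): a PE32 header skeleton with .text and .data. */
#define SAMPLE_LEN 0x800
const uint8_t *sample_image(void) {
    static uint8_t buf[SAMPLE_LEN]; memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x80);                            /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4); wr32(buf + 0x86, 2); wr32(buf + 0x94, 0xE0);    /* 2 sections, PE32 opt. hdr */
    wr32(buf + 0x98, 0x10B); wr32(buf + 0xA8, 0x1010);                             /* Magic, AddressOfEntryPoint */
    uint8_t *s = buf + 0x98 + 0xE0;                                                /* first section header */
    memcpy(s, ".text", 5); wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 20, 0x400);
    memcpy(s + 40, ".data", 5); wr32(s + 52, 0x2000); wr32(s + 56, 0x200); wr32(s + 60, 0x600);
    return buf;
}
```

For the sample, the entry point RVA 1010h resolves to file offset 410h (.text starts at RVA 1000h, raw data at 400h), while an RVA that no section covers yields -1, which is the check that stops a patched-in RVA from pointing outside the file.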

Modify PE executable files

Now let's write a piece of code into an arbitrary PE-format executable. The code is as follows:

-- test.asm --
.386p
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.code

start:
    invoke MessageBoxA, 0, 0, 0, MB_ICONINFORMATION or MB_OK  ; hWnd, lpText, lpCaption, uType
    ret
end start

The code above only shows a message box. After assembly, its binary code is as follows:

unsigned char writeline[18] = { 0 /* the 18 compiled bytes are not reproduced on the page */ };

Okay. Now let's look at how to write the code in. When tdump.exe is used to display the information of a PE-format executable, the following is shown:

Object table:
 #  Name   VirtSize  RVA       PhysSize  Phys off  Flags
--------------------------------------------------
01  .text  0000ccc0  00001000  0000ce00  00000600  60000020 [CER]
02  .data  00004628  0000e000  00002c00  0000d400  c0000040 [IRW]
03  .rsrc  000003c8  00013000  00000400  00010000  40000040 [IR]

Key to section flags:
C - contains code
E - executable
I - contains initialized data
R - readable
W - writeable


The listing above shows that the file contains three sections and gives the information for each. In fact our code can be written into any section; here I choose the ".text" section. The code supplied on the accompanying disc can read the header information of a PE-format executable.

Because all addresses in a PE file are RVAs, some function call and return addresses must be calculated.
