NT header --- Optional header --- IMAGE_DATA_DIRECTORY --- IMAGE_DIRECTORY_ENTRY_RESOURCE --->
IMAGE_SECTION_HEADER[] (section headers / section table)
......
Section n ----> IMAGE_RESOURCE_DIRECTORY_ENTRY[] --- IMAGE_RESOURCE_DIRECTORY[]
-----------------0: DOS header
-----------------1: NT header
/*
 * NT headers of a PE file, 32-bit variant (it embeds IMAGE_OPTIONAL_HEADER32):
 * the signature, then the file header, then the optional header.
 */
typedef struct _IMAGE_NT_HEADERS {
// PE header signature: "PE\0\0". It starts at the address pointed to by the
// value stored at offset 3Ch of the DOS header.
// NOTE(review): that offset (e_lfanew) is read from the file itself, so a
// parser should check it lies inside the file before reading the signature.
DWORD Signature;
IMAGE_FILE_HEADER FileHeader; // Information about the physical layout of the PE file
IMAGE_OPTIONAL_HEADER32 OptionalHeader;// Information about the logical layout of the PE file
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
-----------------1.1: File header
/*
 * PE file header: target machine, section count, link timestamp,
 * symbol-table information, optional-header size and file flags.
 * Every field is read from the file, so a parser should validate it
 * before using it as a count, size or offset.
 */
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; // CPU required to run this file; 14Ch for the Intel platform (IMAGE_FILE_MACHINE_I386)
// Number of sections in the file.
// NOTE(review): this drives how many IMAGE_SECTION_HEADER entries are read;
// check that the whole section table fits inside the file before iterating.
WORD NumberOfSections;
// File creation date and time.
// NOTE(review): written by the linker and not verified by the loader, so in
// forensic work treat it as a hint rather than as evidence.
DWORD TimeDateStamp;
DWORD PointerToSymbolTable; // Used for debugging
DWORD NumberOfSymbols; // Number of symbols in the symbol table
// Size of the OptionalHeader structure.
// NOTE(review): the section table starts this many bytes after the start of
// the optional header; use this field, not a compile-time sizeof, to find it.
WORD SizeOfOptionalHeader;
WORD Characteristics; // File information flags; distinguishes an EXE from a DLL (IMAGE_FILE_DLL)
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-----------------1.2: Optional header
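/*
 * PE optional header, 32-bit (PE32) layout. Describes how the image is laid
 * out once mapped: entry point, preferred base, alignments, total sizes, and
 * the data-directory table.
 *
 * Field and type names use the winnt.h spelling, so this definition matches
 * the IMAGE_OPTIONAL_HEADER32 member embedded in IMAGE_NT_HEADERS32.
 *
 * All values come from the file being parsed. Treat every RVA, size and
 * count here as untrusted input and range-check it against the file size
 * and SizeOfImage before dereferencing.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                        // Signature word (always 010Bh for this 32-bit layout)
    BYTE  MajorLinkerVersion;           // Linker version number (major)
    BYTE  MinorLinkerVersion;           // Linker version number (minor)
    DWORD SizeOfCode;                   // Size of the code section(s)
    DWORD SizeOfInitializedData;        // Size of the initialized data
    DWORD SizeOfUninitializedData;      // Size of the uninitialized data
    // RVA of the first instruction the PE loader runs. Whatever RVA is stored
    // here executes first, so a modified value redirects execution from the
    // very start. When inspecting a file, check that it falls inside a
    // section that is expected to hold code.
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;                   // RVA where the code section starts
    DWORD BaseOfData;                   // RVA where the data section starts
    DWORD ImageBase;                    // Preferred load address of the PE file
    DWORD SectionAlignment;             // Alignment of sections in memory
    DWORD FileAlignment;                // Alignment of sections in the file
    WORD  MajorOperatingSystemVersion;  // Required operating system version (major)
    WORD  MinorOperatingSystemVersion;  // Required operating system version (minor)
    WORD  MajorImageVersion;            // User-defined version number (major)
    WORD  MinorImageVersion;            // User-defined version number (minor)
    // Win32 subsystem version. If the PE file is built specifically for
    // Win32, the subsystem version must be 4.0, otherwise dialogs are not
    // drawn with the 3-D look.
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;            // Reserved
    DWORD SizeOfImage;                  // Size of the entire PE image in memory
    DWORD SizeOfHeaders;                // Size of all headers plus the section table
    DWORD CheckSum;                     // Image checksum
    WORD  Subsystem;                    // Identifies which NT subsystem the PE file belongs to
    // DLL characteristics flags. The exploit-mitigation opt-ins are recorded
    // here (e.g. IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR and
    // IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP), which makes this field
    // worth checking in a binary hardening audit.
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;           // Stack size to reserve
    DWORD SizeOfStackCommit;            // Stack size to commit initially
    DWORD SizeOfHeapReserve;            // Heap size to reserve
    DWORD SizeOfHeapCommit;             // Heap size to commit initially
    DWORD LoaderFlags;                  // Reserved
    // Number of DataDirectory entries the file claims to carry. A parser
    // should clamp this to IMAGE_NUMBEROF_DIRECTORY_ENTRIES before indexing
    // DataDirectory, since the array below has a fixed size.
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // = 16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;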