[PE format Analysis] 4. IMAGE_FILE_HEADER, imagefileheader

[PE format Analysis] 4. IMAGE_FILE_HEADER, imagefileheader

The source code is as follows:

Typedef struct _ IMAGE_FILE_HEADER {+ 04 h WORD Machine; // running platform + 06 h WORD NumberOfSections; // number of file blocks + 08 h DWORD TimeDateStamp; // file creation date and time + 0Ch DWORD PointerToSymbolTable; // point to the symbol table (mainly used for debugging) + 10 h DWORD NumberOfSymbols; // Number of symbols in the symbol table (same as above) + 14 h WORD SizeOfOptionalHeader; // IMAGE_OPTIONAL_HEADER32 structure size + 16 h WORD Characteristics; // File Attribute} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;

Machine Field

Commonly used:

Macro definition	Platform and related significance	Value
IMAGE_FILE_MACHINE_I386	X86, Intel 386	0x014c
IMAGE_FILE_MACHINE_IA64	Intel Itanium, Intel 64	Zero x 0200
IMAGE_FILE_MACHINE_AMD64	X64, AMD64 (K8)	Zero x 8664

The optional values are as follows:

#define IMAGE_FILE_MACHINE_UNKNOWN           0#define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.#define IMAGE_FILE_MACHINE_R3000             0x0162  // MIPS little-endian, 0x160 big-endian#define IMAGE_FILE_MACHINE_R4000             0x0166  // MIPS little-endian#define IMAGE_FILE_MACHINE_R10000            0x0168  // MIPS little-endian#define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169  // MIPS little-endian WCE v2#define IMAGE_FILE_MACHINE_ALPHA             0x0184  // Alpha_AXP#define IMAGE_FILE_MACHINE_SH3               0x01a2  // SH3 little-endian#define IMAGE_FILE_MACHINE_SH3DSP            0x01a3#define IMAGE_FILE_MACHINE_SH3E              0x01a4  // SH3E little-endian#define IMAGE_FILE_MACHINE_SH4               0x01a6  // SH4 little-endian#define IMAGE_FILE_MACHINE_SH5               0x01a8  // SH5#define IMAGE_FILE_MACHINE_ARM               0x01c0  // ARM Little-Endian#define IMAGE_FILE_MACHINE_THUMB             0x01c2  // ARM Thumb/Thumb-2 Little-Endian#define IMAGE_FILE_MACHINE_ARMNT             0x01c4  // ARM Thumb-2 Little-Endian#define IMAGE_FILE_MACHINE_AM33              0x01d3#define IMAGE_FILE_MACHINE_POWERPC           0x01F0  // IBM PowerPC Little-Endian#define IMAGE_FILE_MACHINE_POWERPCFP         0x01f1#define IMAGE_FILE_MACHINE_IA64              0x0200  // Intel 64#define IMAGE_FILE_MACHINE_MIPS16            0x0266  // MIPS#define IMAGE_FILE_MACHINE_ALPHA64           0x0284  // ALPHA64#define IMAGE_FILE_MACHINE_MIPSFPU           0x0366  // MIPS#define IMAGE_FILE_MACHINE_MIPSFPU16         0x0466  // MIPS#define IMAGE_FILE_MACHINE_AXP64             IMAGE_FILE_MACHINE_ALPHA64#define IMAGE_FILE_MACHINE_TRICORE           0x0520  // Infineon#define IMAGE_FILE_MACHINE_CEF               0x0CEF#define IMAGE_FILE_MACHINE_EBC               0x0EBC  // EFI Byte Code#define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)#define IMAGE_FILE_MACHINE_M32R              0x9041  // M32R little-endian#define IMAGE_FILE_MACHINE_CEE               0xC0EE

Instance image:

Another example:

NumberOfSections
Number of chunks in the pe file. It follows the structure.
TimeDateStamp
The file date timestamp refers to the time when the pe file is generated. Its value is the number of seconds since 16:00:00, January 1, December 31, 1969.
PointerToSymbolTable
The offset address of the Coff debug symbol table.
NumberOfSymbols
The number of symbols in the Coff symbol table. This field and the previous field are 0 in the release version program.
SizeOfOptionalHeader
The size of the IMAGE_OPTIONAL_HEADER32 structure (that is, the number of bytes). We will mention this structure. In fact, most of the important fields of the pe file are in the IMAGE_OPTIONAL_HEADER structure. (For 32-bit PE files, this value is usually 00E0h; for 64-bit PE32 + files, this value is usually 00F0h ).
Characteristics
This field describes some attributes of the pe file, such as whether it is executable or a dynamic Connection Library. The specific definitions are as follows:

# Define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // The relocation information is removed, the file must be loaded with the previous base address # define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // file executable # define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // The row number is removed # define limit 0x0008 // The symbol is removed # define worker 0x0010 // Agressively trim working set # define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // The program can process addresses larger than 2 GB # define worker 0x0080 // Bytes of machine word are reversed. # define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32-bit machine # define IMAGE_FILE_DEBUG_STRIPPED 0x0200 //. dbg file debugging information is removed # define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // if it is in mobile media, copy it to the swap file and run # define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // if it is in the network, run # define IMAGE_FILE_SYSTEM 0x1000 // System File # define IMAGE_FILE_DLL 0x2000 // The file is a dll # define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // the file can only run in on a single processor # define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.