[PE Structural analysis] 6.image_section_header

Source: Internet
Author: User

The definition of IMAGE_SECTION_HEADER is as follows:

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];  // section name, such as ".text"; IMAGE_SIZEOF_SHORT_NAME = 8
    union {
        DWORD PhysicalAddress;            // the physical address in the file
        DWORD VirtualSize;                // actual length; the two members form a union, so either may be used, and the latter is the usual choice
    } Misc;
    DWORD VirtualAddress;                 // RVA of the section
    DWORD SizeOfRawData;                  // size in the file after alignment
    DWORD PointerToRawData;               // offset in the file
    DWORD PointerToRelocations;           // used in obj files: relocation offset
    DWORD PointerToLinenumbers;           // offset of the line number table (for debugging)
    WORD  NumberOfRelocations;            // used in obj files: number of relocation entries
    WORD  NumberOfLinenumbers;            // number of entries in the line number table
    DWORD Characteristics;                // section attributes such as readable, writable, executable, etc.
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Each section table entry is 40 bytes long.

A * marks the fields that need attention; the most useful are the SizeOfRawData, PointerToRawData and Characteristics fields.

Name *

This field holds the section name. (In short: it is only a name and has no functional use.)

Requirements:

1. A UTF-8 string of 8 bytes; if the section name fills all 8 bytes, there is no terminating NULL character.

2. The name of each section is unique; there cannot be two sections with the same name.

3. If the name is too long, a slash (/) followed by an ASCII decimal number can be used instead; the number is the offset of the actual section name in the string table.

Meaning: the section name itself means nothing and exists only for viewing convenience (so it is legal to name a section that contains code ".data", or to name a section that contains data ".code"). When we want to read a particular section from a PE file, we cannot use the section name as the basis for locating it. The correct approach is to follow the data directory fields in the IMAGE_OPTIONAL_HEADER32 structure.

Other notes: most section names start with a "." by convention (for example, .text), but the "." is not required. Section names containing a "$" receive special treatment from the linker: sections whose names are identical before the "$" are merged at the time of loading, and within the merged section they are placed in alphabetical order of the characters after the "$".

Misc *

Union:

PhysicalAddress: the address in the file.

VirtualSize: the total size of this section when loaded into memory, in bytes. If this value is greater than the SizeOfRawData member, the section is padded with zeros. This value is valid only for executable images and must be set to 0 for object files.

VirtualAddress *

The RVA at which this section is loaded into memory. This address is aligned to memory pages, so its value is always an integer multiple of SectionAlignment.

With Microsoft tools, the default RVA of the first section is always 1000h. In an obj file this field is meaningless and is set to 0.

SizeOfRawData ***

The size (in bytes) of the section on disk, which must be an integer multiple of the FileAlignment member in IMAGE_OPTIONAL_HEADER. If this value is less than VirtualSize, the remaining bytes are filled with 0. If the section contains only uninitialized data, this member is 0.

PointerToRawData ***

The offset of the section on disk. This value is the offset from the beginning of the file header.

PointerToRelocations

This field has no meaning in an exe file; in an obj file it is the offset of the relocation information for this section. (If it is not 0 in an obj file, it points to an array of IMAGE_RELOCATION structures.)

PointerToLinenumbers

The file offset of the line number table. This is debugging information and of little use to us.

NumberOfRelocations

This field also has no meaning in an exe file; in an obj file it is the number of relocation entries for this section in the relocation table.

NumberOfLinenumbers

The number of line numbers in this section's line number table; also of little use.

Characteristics ***

The attributes of the section. This field is a set of bit flags indicating the section's attributes (code/data/readable/writable, and so on).

The following are defined in WinNT.h:

//
// Section characteristics.
//
//      IMAGE_SCN_TYPE_REG                   0x00000000  // Reserved.
//      IMAGE_SCN_TYPE_DSECT                 0x00000001  // Reserved.
//      IMAGE_SCN_TYPE_NOLOAD                0x00000002  // Reserved.
//      IMAGE_SCN_TYPE_GROUP                 0x00000004  // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD                0x00000008  // Reserved.
//      IMAGE_SCN_TYPE_COPY                  0x00000010  // Reserved.

#define IMAGE_SCN_CNT_CODE                   0x00000020  // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA       0x00000040  // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA     0x00000080  // Section contains uninitialized data.

#define IMAGE_SCN_LNK_OTHER                  0x00000100  // Reserved.
#define IMAGE_SCN_LNK_INFO                   0x00000200  // Section contains comments or some other type of information.
//      IMAGE_SCN_TYPE_OVER                  0x00000400  // Reserved.
#define IMAGE_SCN_LNK_REMOVE                 0x00000800  // Section contents won't become part of image.
#define IMAGE_SCN_LNK_COMDAT                 0x00001000  // Section contents comdat.
//                                           0x00002000  // Reserved.
//      IMAGE_SCN_MEM_PROTECTED - Obsolete   0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC          0x00004000  // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL                      0x00008000  // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA                0x00008000
//      IMAGE_SCN_MEM_SYSHEAP  - Obsolete    0x00010000
#define IMAGE_SCN_MEM_PURGEABLE              0x00020000
#define IMAGE_SCN_MEM_16BIT                  0x00020000
#define IMAGE_SCN_MEM_LOCKED                 0x00040000
#define IMAGE_SCN_MEM_PRELOAD                0x00080000

#define IMAGE_SCN_ALIGN_1BYTES               0x00100000
#define IMAGE_SCN_ALIGN_2BYTES               0x00200000
#define IMAGE_SCN_ALIGN_4BYTES               0x00300000
#define IMAGE_SCN_ALIGN_8BYTES               0x00400000
#define IMAGE_SCN_ALIGN_16BYTES              0x00500000  // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES              0x00600000
#define IMAGE_SCN_ALIGN_64BYTES              0x00700000
#define IMAGE_SCN_ALIGN_128BYTES             0x00800000
#define IMAGE_SCN_ALIGN_256BYTES             0x00900000
#define IMAGE_SCN_ALIGN_512BYTES             0x00a00000
#define IMAGE_SCN_ALIGN_1024BYTES            0x00b00000
#define IMAGE_SCN_ALIGN_2048BYTES            0x00c00000
#define IMAGE_SCN_ALIGN_4096BYTES            0x00d00000
#define IMAGE_SCN_ALIGN_8192BYTES            0x00e00000
// Unused                                    0x00f00000
#define IMAGE_SCN_ALIGN_MASK                 0x00f00000

#define IMAGE_SCN_LNK_NRELOC_OVFL            0x01000000  // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE            0x02000000  // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED             0x04000000  // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED              0x08000000  // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED                 0x10000000  // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE                0x20000000  // Section is executable.
#define IMAGE_SCN_MEM_READ                   0x40000000  // Section is readable.
#define IMAGE_SCN_MEM_WRITE                  0x80000000  // Section is writeable.

//
// TLS Characteristic Flags
//
#define IMAGE_SCN_SCALE_INDEX                0x00000001  // Tls index is scaled

Translations of commonly used values (flag, value, meaning):

IMAGE_SCN_CNT_CODE  0x00000020
    The section contains executable code. Often set together with 0x10000000.

IMAGE_SCN_CNT_INITIALIZED_DATA  0x00000040
    The section contains initialized data.

IMAGE_SCN_CNT_UNINITIALIZED_DATA  0x00000080
    The section contains uninitialized data.

IMAGE_SCN_MEM_DISCARDABLE  0x02000000
    The section can be discarded as needed, because once it has been loaded the process no longer needs it. Typically this is the relocation section.

IMAGE_SCN_MEM_SHARED  0x10000000
    The section can be shared in memory.

IMAGE_SCN_MEM_EXECUTE  0x20000000
    The section can be executed as code. This flag is usually set whenever 0x00000020 is set.

IMAGE_SCN_MEM_READ  0x40000000
    The section can be read. Sections in an executable file always have this flag set.

IMAGE_SCN_MEM_WRITE  0x80000000
    The section can be written to.

For more information, please refer to the official documentation:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680341(v=vs.85).aspx
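
How the fields described above are used when triaging a file, as an added C example (not code from the original article or from winnt.h): it decodes one 40-byte section table entry, handles a name that fills all 8 bytes without a terminator, classifies the section from Characteristics instead of its name, and maps an RVA to a file offset. The section_t type, the function names and the SAMPLE bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_CNT_CODE    0x00000020u   /* IMAGE_SCN_CNT_CODE    */
#define SCN_MEM_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE   0x80000000u   /* IMAGE_SCN_MEM_WRITE   */

typedef struct {            /* hypothetical decoded form of one 40-byte entry */
    char     name[9];       /* 8 name bytes plus a forced terminator */
    uint32_t vsize, rva, raw_size, raw_ptr, flags;
} section_t;

static uint32_t le32(const uint8_t *p) {   /* PE fields are little-endian */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one raw entry; a name that fills all 8 bytes has no NUL on disk. */
void parse_section(const uint8_t raw[40], section_t *s) {
    memcpy(s->name, raw, 8); s->name[8] = '\0';
    s->vsize    = le32(raw + 8);    /* Misc.VirtualSize */
    s->rva      = le32(raw + 12);   /* VirtualAddress   */
    s->raw_size = le32(raw + 16);   /* SizeOfRawData    */
    s->raw_ptr  = le32(raw + 20);   /* PointerToRawData */
    s->flags    = le32(raw + 36);   /* Characteristics  */
}

/* Classify from Characteristics only; the name is never consulted. */
int is_executable(const section_t *s) {
    return (s->flags & (SCN_CNT_CODE | SCN_MEM_EXECUTE)) != 0;
}
int is_write_exec(const section_t *s) {
    return (s->flags & SCN_MEM_WRITE) && (s->flags & SCN_MEM_EXECUTE);
}

/* RVA -> file offset, or -1 when this section has no bytes on disk for it. */
int64_t rva_to_offset(const section_t *s, uint32_t rva) {
    if (rva < s->rva || rva - s->rva >= s->raw_size) return -1;
    return (int64_t)s->raw_ptr + (rva - s->rva);
}
/* Constructed sample: named ".datadat" but flagged code|execute|read|write. */
const uint8_t SAMPLE[40] = {
    '.','d','a','t','a','d','a','t', 0x34,0x12,0,0, 0x00,0x10,0,0,
    0x00,0x14,0,0, 0x00,0x04,0,0, 0,0,0,0, 0,0,0,0, 0,0, 0,0, 0x20,0,0,0xE0 };

int main(void) {
    section_t s;
    parse_section(SAMPLE, &s);
    printf("%s exec=%d wx=%d off=%lld\n", s.name, is_executable(&s),
           is_write_exec(&s), (long long)rva_to_offset(&s, 0x1010));
}
```

A section that is both writable and executable, or whose name disagrees with its flags as in the sample, is worth a closer look during analysis.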
