[PE Structure Analysis] 5. IMAGE_OPTIONAL_HEADER

Source: Internet
Author: User


The definition of the structure is as follows (offsets are relative to the start of the NT headers):

typedef struct _IMAGE_OPTIONAL_HEADER {
    // Standard fields.
    /* +18h */ WORD  Magic;                       // signature: ROM image (0107h), normal executable (010Bh)
    /* +1Ah */ BYTE  MajorLinkerVersion;          // major version of the linker
    /* +1Bh */ BYTE  MinorLinkerVersion;          // minor version of the linker
    /* +1Ch */ DWORD SizeOfCode;                  // total size of all sections containing code
    /* +20h */ DWORD SizeOfInitializedData;       // total size of all sections with initialized data
    /* +24h */ DWORD SizeOfUninitializedData;     // total size of all sections with uninitialized data
    /* +28h */ DWORD AddressOfEntryPoint;         // RVA of the program entry point *** (required) ***
    /* +2Ch */ DWORD BaseOfCode;                  // RVA of the start of the code section
    /* +30h */ DWORD BaseOfData;                  // RVA of the start of the data section
    // NT additional fields. The following fields were added for the NT structure.
    /* +34h */ DWORD ImageBase;                   // preferred load address of the image *** (required) ***
    /* +38h */ DWORD SectionAlignment;            // alignment of sections in memory *** (required) ***
    /* +3Ch */ DWORD FileAlignment;               // alignment of sections in the file *** (required) ***
    /* +40h */ WORD  MajorOperatingSystemVersion; // major version of the minimum required operating system
    /* +42h */ WORD  MinorOperatingSystemVersion; // minor version of the minimum required operating system
    /* +44h */ WORD  MajorImageVersion;           // major version number of the image
    /* +46h */ WORD  MinorImageVersion;           // minor version number of the image
    /* +48h */ WORD  MajorSubsystemVersion;       // major version of the minimum required subsystem
    /* +4Ah */ WORD  MinorSubsystemVersion;       // minor version of the minimum required subsystem
    /* +4Ch */ DWORD Win32VersionValue;           // not needed by anything; generally 0 unless a virus has made use of it
    /* +50h */ DWORD SizeOfImage;                 // total size of the image once loaded into memory
    /* +54h */ DWORD SizeOfHeaders;               // size of all headers plus the section table
    /* +58h */ DWORD CheckSum;                    // checksum
    /* +5Ch */ WORD  Subsystem;                   // subsystem the executable expects *** (required) ***
    /* +5Eh */ WORD  DllCharacteristics;          // DLL characteristics (when DllMain() is called); default 0
    /* +60h */ DWORD SizeOfStackReserve;          // stack size reserved at initialization
    /* +64h */ DWORD SizeOfStackCommit;           // stack size actually committed at initialization
    /* +68h */ DWORD SizeOfHeapReserve;           // heap size reserved at initialization
    /* +6Ch */ DWORD SizeOfHeapCommit;            // heap size actually committed at initialization
    /* +70h */ DWORD LoaderFlags;                 // debugging related; default 0
    /* +74h */ DWORD NumberOfRvaAndSizes;         // number of entries in the data directory below; 16 since Windows NT was released
    /* +78h */ IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // data directory table *** (important) ***; from Windows NT through Windows 10, IMAGE_NUMBEROF_DIRECTORY_ENTRIES is always 16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
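As an added example (not code from the original article), the following Python parser builds a constructed 32-bit PE header, locates the optional header through e_lfanew, unpacks the fields at the offsets listed above (+18h Magic through +78h DataDirectory), checks the 010Bh Magic, and bounds the directory walk by NumberOfRvaAndSizes and SizeOfOptionalHeader instead of assuming 16 entries. The sample bytes, field values and helper names are my own.

```python
import struct

# Field order of IMAGE_OPTIONAL_HEADER32 up to (not including) DataDirectory:
# 96 bytes, little-endian, matching the +18h..+74h offsets listed above.
OPT32_FMT = "<H" + "BB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
OPT32_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
    "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
    "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage", "SizeOfHeaders",
    "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes",
)
assert struct.calcsize(OPT32_FMT) == 0x60 and len(OPT32_FIELDS) == 30

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16


def build_sample_pe() -> bytes:
    """Constructed sample (not a real program): DOS header with e_lfanew, the
    'PE\\0\\0' signature, a 20-byte IMAGE_FILE_HEADER, the optional header and
    16 data directory entries with only the import entry filled in."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=0x14C (i386), 1 section, SizeOfOptionalHeader=0xE0,
    # Characteristics=0x0102 (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack(
        OPT32_FMT,
        0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,  # Magic .. BaseOfData
        0x00400000, 0x1000, 0x200,                               # ImageBase, alignments
        6, 0, 0, 0, 6, 0,                                        # OS/image/subsystem versions
        0, 0x3000, 0x400, 0,                                     # Win32VersionValue .. CheckSum
        3, 0x8140,                                               # Subsystem=CUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)               # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    directory = bytearray(8 * IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    struct.pack_into("<II", directory, 8 * 1, 0x2000, 0x28)     # IMAGE_DIRECTORY_ENTRY_IMPORT
    return dos_header + b"PE\0\0" + file_header + optional + bytes(directory)


def parse_optional_header32(data: bytes) -> dict:
    """Locate the optional header through e_lfanew and unpack it into a dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 0x18                     # +18h from the NT headers, as listed above
    hdr = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if hdr["Magic"] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header, Magic=0x%X" % hdr["Magic"])
    # Do not assume 16 entries blindly: bound the walk by NumberOfRvaAndSizes and by
    # the space the file header says the optional header actually occupies.
    count = min(hdr["NumberOfRvaAndSizes"], (size_of_optional - 0x60) // 8,
                IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    dir_off = opt_off + 0x60                      # +78h: DataDirectory
    hdr["DataDirectory"] = [struct.unpack_from("<II", data, dir_off + 8 * i)
                            for i in range(count)]
    return hdr


if __name__ == "__main__":
    h = parse_optional_header32(build_sample_pe())
    for name in ("Magic", "AddressOfEntryPoint", "ImageBase", "SectionAlignment",
                 "FileAlignment", "Subsystem", "NumberOfRvaAndSizes"):
        print(f"{name:22} = {h[name]:#x}")
    print("import directory       =", tuple(hex(v) for v in h["DataDirectory"][1]))
```

The parser deliberately reads SizeOfOptionalHeader from IMAGE_FILE_HEADER: a header that claims more directory entries than it has room for is malformed, and an analysis tool should stop at the smaller bound rather than read past the optional header into the section table.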

AddressOfEntryPoint *** (Required) ***

The address at which the program starts executing. It is an RVA (relative virtual address). For an EXE file it points to the startup code; for a DLL file it is the address of LibMain. If a piece of code is appended to an executable and is meant to run first, it is enough to point this entry address at the appended code. When unpacking a packed executable, the first task is to find the entry point, which is this value.

ImageBase *** (Required) ***

The preferred load address of the PE file. That is, when the file is executed, Windows loads it at the address given by ImageBase whenever possible (i.e. when that address is not already in use).

For an EXE file, since every process always gets its own independent virtual address space, no other module can already occupy the preferred load address, so an EXE can always be loaded at this address.

This also means that an EXE file does not need relocation.

For DLL files, since several DLLs share the address space of the host EXE, the preferred load address may already be taken by another DLL, so a DLL file must carry relocation information just in case.

Accordingly, in the Characteristics field of the IMAGE_FILE_HEADER structure described earlier, the IMAGE_FILE_RELOCS_STRIPPED bit is always 0 for a DLL file and always 1 for an EXE file.

If not specified, the default is 0x10000000 for a DLL file and 0x00400000 for an EXE file (0x00010000 on the Windows CE platform). This value must be a multiple of 64 KB!

SectionAlignment *** (Required) ***

The alignment unit of sections in memory. A section always starts at an integer multiple of this value. This field must be greater than or equal to FileAlignment. The default value is the system page size: on a 32-bit CPU it is usually 0x1000 (hexadecimal), i.e. 4096 bytes or 4 KB; on a 64-bit CPU it is usually 8 KB.

FileAlignment *** (Required) ***

The alignment unit of sections in the PE file, in bytes. The value must be a power of 2 and must lie between 512 and 64 KB inclusive (the closed range [512, 64*1024 = 65536]). If SectionAlignment is smaller than the system page size, FileAlignment must be equal to SectionAlignment. The default value in PE files is 512 bytes, i.e. 0x200 (hexadecimal).
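As an added example (not from the original article), the Python below checks the constraints stated for ImageBase, SectionAlignment and FileAlignment in the preceding sections (multiple of 64 KB; power of two in [512, 65536]; SectionAlignment >= FileAlignment; equality when SectionAlignment is below the page size), and adds two constraints from the PE format specification that this page does not mention (SizeOfImage is a multiple of SectionAlignment, SizeOfHeaders a multiple of FileAlignment). The 0x1000 page size, the function names and all sample values are my assumptions.

```python
PAGE_SIZE_X86 = 0x1000   # assumed system page size for the check below


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment (alignment must be a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def check_alignment_fields(image_base: int, section_alignment: int, file_alignment: int,
                           size_of_image: int, size_of_headers: int,
                           page_size: int = PAGE_SIZE_X86) -> list:
    """Return the list of violated constraints; an empty list means the fields are consistent."""
    problems = []
    if image_base % 0x10000 != 0:
        problems.append("ImageBase is not a multiple of 64 KB")
    if not (is_power_of_two(file_alignment) and 512 <= file_alignment <= 65536):
        problems.append("FileAlignment is not a power of two in [512, 65536]")
    if section_alignment < file_alignment:
        problems.append("SectionAlignment is smaller than FileAlignment")
    if section_alignment < page_size and section_alignment != file_alignment:
        problems.append("SectionAlignment is below the page size but not equal to FileAlignment")
    # The next two constraints come from the PE format specification, not from the text above.
    if section_alignment and size_of_image % section_alignment != 0:
        problems.append("SizeOfImage is not a multiple of SectionAlignment")
    if file_alignment and size_of_headers % file_alignment != 0:
        problems.append("SizeOfHeaders is not a multiple of FileAlignment")
    return problems


def section_footprint(raw_size: int, section_alignment: int, file_alignment: int) -> tuple:
    """Bytes a section of raw_size occupies on disk vs. in memory under the two alignments."""
    return align_up(raw_size, file_alignment), align_up(raw_size, section_alignment)


if __name__ == "__main__":
    print("typical x86 EXE :", check_alignment_fields(0x00400000, 0x1000, 0x200, 0x3000, 0x400))
    print("low-alignment   :", check_alignment_fields(0x10000000, 0x200, 0x200, 0x1400, 0x400))
    print("broken header   :", check_alignment_fields(0x00401000, 0x1000, 0x300, 0x3000, 0x400))
    print("0x340-byte section on disk / in memory:", section_footprint(0x340, 0x1000, 0x200))
```

The second call shows the case the text describes: SectionAlignment below the page size is legal only when FileAlignment matches it, which is how small "low-alignment" images are laid out identically on disk and in memory. Loaders reject images that fail these checks, so a parser that sees them should treat the file as malformed rather than compute addresses from the bad values.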

Subsystem *** (Required) ***

The subsystem required to run the PE file's user interface. The definitions are:

#define IMAGE_SUBSYSTEM_UNKNOWN         0 // unknown subsystem
#define IMAGE_SUBSYSTEM_NATIVE          1 // no subsystem required (e.g. drivers)
#define IMAGE_SUBSYSTEM_WINDOWS_GUI     2 // Windows GUI subsystem
#define IMAGE_SUBSYSTEM_WINDOWS_CUI     3 // Windows console subsystem
#define IMAGE_SUBSYSTEM_OS2_CUI         5 // OS/2 console subsystem
#define IMAGE_SUBSYSTEM_POSIX_CUI       7 // POSIX console subsystem
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS  8 // the image is a native Win9x driver
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI  9 // Windows CE GUI

For example, when building a program in Visual Studio 2015, the subsystem is chosen through the linker options in the IDE.

For more information, see the Microsoft documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx

DataDirectory *** (Required and important) ***

This field is arguably one of the most important in the header. It is an array of 16 identical IMAGE_DATA_DIRECTORY structures, defined as follows:

typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; // relative virtual address
DWORD Size; // data block Size
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

Each entry defines the position and size of one data block.

Although the data of a PE file is placed into different sections according to page attributes once it is loaded into memory, the data inside those sections can be further divided by purpose into the export table, import table, resources, relocation table and other blocks. The 16 IMAGE_DATA_DIRECTORY structures locate these purpose-specific blocks (listed in the table below). The structure itself is simple: it records only the location and length of a block.

#define IMAGE_DIRECTORY_ENTRY_EXPORT          0 // export table
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1 // import table
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2 // resource table
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3 // exception table
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4 // security (certificate) table
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5 // base relocation table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6 // debug table
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT            7 // (x86 usage) copyright
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7 // architecture-specific data (copyright)
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8 // RVA of the GP (global pointer)
#define IMAGE_DIRECTORY_ENTRY_TLS             9 // TLS directory (thread local storage)
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10 // load configuration directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11 // bound import directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT            12 // import address table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13 // delay-load import descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM runtime descriptor
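As an added example (not code from the original article), the Python below walks a raw 16-entry DataDirectory table using the index names from the list above, collects the non-empty entries, and flags entries whose RVA range cannot fit inside SizeOfImage. Index 15, which the list above does not define, is labelled as reserved on my own assumption; treating entry 4 (SECURITY) as a file offset rather than an RVA follows the PE format specification, not this page. The sample table and its values are constructed.

```python
import struct

# Index -> name, in the order of the IMAGE_DIRECTORY_ENTRY_* defines above.
# Index 15 has no define in that list; it is treated here as reserved (assumption).
DIRECTORY_NAMES = (
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED_15",
)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def walk_data_directory(dir_bytes: bytes, number_of_rva_and_sizes: int,
                        size_of_image: int) -> tuple:
    """Decode the non-empty entries and flag ranges that cannot lie inside the loaded image.

    Returns (entries, warnings); entries maps a directory name to (VirtualAddress, Size)."""
    entries, warnings = {}, []
    if number_of_rva_and_sizes > 16:
        warnings.append(f"NumberOfRvaAndSizes={number_of_rva_and_sizes} exceeds the 16 entries the table holds")
    # Never index past what the header declares, what the buffer holds, or the 16 known slots.
    count = min(number_of_rva_and_sizes, len(dir_bytes) // 8, len(DIRECTORY_NAMES))
    for index in range(count):
        rva, size = struct.unpack_from("<II", dir_bytes, 8 * index)
        if rva == 0 and size == 0:
            continue                        # unused entry
        name = DIRECTORY_NAMES[index]
        entries[name] = (rva, size)
        if index == IMAGE_DIRECTORY_ENTRY_SECURITY:
            continue                        # per the PE spec this entry holds a file offset, not an RVA
        if rva >= size_of_image or rva + size > size_of_image:
            warnings.append(f"{name}: {rva:#x}+{size:#x} lies outside SizeOfImage {size_of_image:#x}")
    return entries, warnings


def build_sample_directory() -> bytes:
    """Constructed 16-entry table: export and import entries plus a relocation
    entry that points past the SizeOfImage used in the demo below."""
    table = bytearray(8 * 16)
    struct.pack_into("<II", table, 8 * 0, 0x3000, 0x60)    # EXPORT
    struct.pack_into("<II", table, 8 * 1, 0x2000, 0x28)    # IMPORT
    struct.pack_into("<II", table, 8 * 5, 0x6000, 0x100)   # BASERELOC, beyond a 0x5000-byte image
    return bytes(table)


if __name__ == "__main__":
    entries, warnings = walk_data_directory(build_sample_directory(), 16, 0x5000)
    for name, (rva, size) in entries.items():
        print(f"{name:14} VirtualAddress={rva:#07x} Size={size:#x}")
    for w in warnings:
        print("warning:", w)
```

Bounding the loop by NumberOfRvaAndSizes matters because nothing in the file format forces that field to be 16; a parser that hard-codes 16 reads past a shorter table, and one that trusts a larger value reads into the section table. A directory entry that points outside SizeOfImage is a common sign of a corrupted or deliberately malformed header and should be reported rather than dereferenced.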
