[PE Structure Analysis] 6. IMAGE_SECTION_HEADER

Source: Internet
Author: User

The source code of IMAGE_SECTION_HEADER is as follows:

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // section name, such as ".text"
                                         // IMAGE_SIZEOF_SHORT_NAME = 8
    union {
        DWORD PhysicalAddress;           // physical address in the file
        DWORD VirtualSize;               // the actual length. The two members form a union, so either
                                         // can be used; generally VirtualSize is the one used.
    } Misc;
    DWORD VirtualAddress;                // RVA of the section
    DWORD SizeOfRawData;                 // size in the file after alignment
    DWORD PointerToRawData;              // offset in the file
    DWORD PointerToRelocations;          // used in OBJ files: offset of the relocations
    DWORD PointerToLinenumbers;          // offset of the line number table (for debugging)
    WORD  NumberOfRelocations;           // used in OBJ files: number of relocation entries
    WORD  NumberOfLinenumbers;           // number of line numbers in the line number table
    DWORD Characteristics;               // section attributes such as readable, writable, and executable
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Each section table entry occupies 40 bytes.

An asterisk (*) marks the fields that need attention. The most useful are the SizeOfRawData, PointerToRawData and Characteristics fields.

Name *

The section name. (In one sentence: the name is useless.)

Requirements:

1. A UTF-8 string of 8 bytes. If the section name reaches the full 8 bytes, there is no terminating NULL.

2. Each section name is unique and cannot have two sections with the same name.

3. If the name is too long, the field holds a slash (/) followed by the ASCII representation of a decimal number. That number is the address of the real section name in the string table.

Meaning: in fact, the name of a section carries no meaning; it exists only for convenience (so naming the section that contains code ".data", or naming the section that contains data ".code", is valid). When we want to read a required section from a PE file, the section name cannot be used as the criterion for locating it. The correct method is to locate it through the data directory fields in the IMAGE_OPTIONAL_HEADER32 structure.

Other note: most section names start with a "." (for example, .text). This "." is not required. In addition, section names containing a "$" get special treatment from the linker: sections whose names are identical before the "$" are merged during loading, and within the merged section they are ordered alphabetically by the characters after the "$".

Misc *

Union:

PhysicalAddress: the address in the file.

VirtualSize: the total size of the section when loaded into memory, in bytes. If this value is greater than the SizeOfRawData member, the section is filled with 0. This field is valid only for executable images and must be set to 0 for object files.

VirtualAddress *

The RVA address of the block loaded into the memory. The address is aligned according to the memory page, so its value is always an integer multiple of the value of SectionAlignment.

In Microsoft tools, the RVA is 1000h by default. In OBJ files, this field is meaningless and is set to 0.

SizeOfRawData ***

The size of the section on disk (in bytes), which must be an integer multiple of the FileAlignment member of IMAGE_OPTIONAL_HEADER. If this value is less than VirtualSize, the remaining bytes are filled with 0. If the section contains only uninitialized data, this member is 0.

PointerToRawData ***

The offset of the section on disk. This value is an offset measured from the start of the file.

PointerToRelocations

This field has no meaning in an EXE file. In an OBJ file, it is the offset of the section's relocation information. (If it is not zero in an OBJ file, it points to an array of IMAGE_RELOCATION structures.)

PointerToLinenumbers

The offset of the line number table in the file. It is debugging information for the file and is of no use here.

NumberOfRelocations

Again, this field has no meaning in an EXE file. In an OBJ file, it is the number of relocation entries for the current section in the relocation table.

NumberOfLinenumbers

The number of line numbers in the line number table.

Characteristics ***

The attributes of the section. Each bit of this field indicates one attribute of the section (such as code, data, readable, or writable).

The definition in winnt.h is as follows:

//
// Section characteristics.
//
//      IMAGE_SCN_TYPE_REG                   0x00000000  // Reserved.
//      IMAGE_SCN_TYPE_DSECT                 0x00000001  // Reserved.
//      IMAGE_SCN_TYPE_NOLOAD                0x00000002  // Reserved.
//      IMAGE_SCN_TYPE_GROUP                 0x00000004  // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD                0x00000008  // Reserved.
//      IMAGE_SCN_TYPE_COPY                  0x00000010  // Reserved.
#define IMAGE_SCN_CNT_CODE                   0x00000020  // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA       0x00000040  // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA     0x00000080  // Section contains uninitialized data.
#define IMAGE_SCN_LNK_OTHER                  0x00000100  // Reserved.
#define IMAGE_SCN_LNK_INFO                   0x00000200  // Section contains comments or some other type of information.
//      IMAGE_SCN_TYPE_OVER                  0x00000400  // Reserved.
#define IMAGE_SCN_LNK_REMOVE                 0x00000800  // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT                 0x00001000  // Section contents comdat.
//                                           0x00002000  // Reserved.
//      IMAGE_SCN_MEM_PROTECTED - Obsolete   0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC          0x00004000  // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL                      0x00008000  // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA                0x00008000
//      IMAGE_SCN_MEM_SYSHEAP  - Obsolete    0x00010000
#define IMAGE_SCN_MEM_PURGEABLE              0x00020000
#define IMAGE_SCN_MEM_16BIT                  0x00020000
#define IMAGE_SCN_MEM_LOCKED                 0x00040000
#define IMAGE_SCN_MEM_PRELOAD                0x00080000
#define IMAGE_SCN_ALIGN_1BYTES               0x00100000  //
#define IMAGE_SCN_ALIGN_2BYTES               0x00200000  //
#define IMAGE_SCN_ALIGN_4BYTES               0x00300000  //
#define IMAGE_SCN_ALIGN_8BYTES               0x00400000  //
#define IMAGE_SCN_ALIGN_16BYTES              0x00500000  // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES              0x00600000  //
#define IMAGE_SCN_ALIGN_64BYTES              0x00700000  //
#define IMAGE_SCN_ALIGN_128BYTES             0x00800000  //
#define IMAGE_SCN_ALIGN_256BYTES             0x00900000  //
#define IMAGE_SCN_ALIGN_512BYTES             0x00A00000  //
#define IMAGE_SCN_ALIGN_1024BYTES            0x00B00000  //
#define IMAGE_SCN_ALIGN_2048BYTES            0x00C00000  //
#define IMAGE_SCN_ALIGN_4096BYTES            0x00D00000  //
#define IMAGE_SCN_ALIGN_8192BYTES            0x00E00000  //
// Unused                                    0x00F00000
#define IMAGE_SCN_ALIGN_MASK                 0x00F00000
#define IMAGE_SCN_LNK_NRELOC_OVFL            0x01000000  // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE            0x02000000  // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED             0x04000000  // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED              0x08000000  // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED                 0x10000000  // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE                0x20000000  // Section is executable.
#define IMAGE_SCN_MEM_READ                   0x40000000  // Section is readable.
#define IMAGE_SCN_MEM_WRITE                  0x80000000  // Section is writeable.
//
// TLS Characteristic Flags
//
#define IMAGE_SCN_SCALE_INDEX                0x00000001  // Tls index is scaled

Translation of common values (value, then description):

IMAGE_SCN_CNT_CODE, 0x00000020
The section contains executable code. It is often set together with 0x0000000.

IMAGE_SCN_CNT_INITIALIZED_DATA, 0x00000040
The section contains initialized data.

IMAGE_SCN_CNT_UNINITIALIZED_DATA, 0x00000080
The section contains uninitialized data.

IMAGE_SCN_MEM_DISCARDABLE, 0x02000000
The section can be discarded as needed. It can be discarded because, once it has been loaded, the process does not need it anymore; relocation sections are an example.

IMAGE_SCN_MEM_SHARED, 0x10000000
The section can be shared in memory.

IMAGE_SCN_MEM_EXECUTE, 0x20000000
The section can be executed as code. Usually, when 0x00000020 is set, this flag is also set.

IMAGE_SCN_MEM_READ, 0x40000000
The section can be read. Sections in an executable file always have this flag set.

IMAGE_SCN_MEM_WRITE, 0x80000000
The section can be written.

For more information, see the official documentation:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680341(v=vs.85).aspx
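The fields described above, decoded from one raw 40-byte section table entry, as an added example that is not part of the original article. It shows the Name field without a terminating NULL, the RVA to file offset mapping through VirtualAddress, SizeOfRawData and PointerToRawData, and a Characteristics check for a section that is both writable and executable. The names section_t, parse_section, rva_to_offset and is_wx, and the SAMPLE bytes, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SCN_MEM_EXECUTE 0x20000000u  /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE   0x80000000u  /* IMAGE_SCN_MEM_WRITE */

typedef struct {            /* decoded view of one 40-byte table entry */
    char name[9];           /* 8 name bytes plus a NUL we add ourselves */
    uint32_t vsize, va, raw_size, raw_ptr, chars;
} section_t;

/* Constructed sample entry: ".textbss" fills all 8 name bytes (no NUL). */
static const uint8_t SAMPLE[40] = {
    '.','t','e','x','t','b','s','s',
    0x00,0x30,0,0, 0x00,0x10,0,0,   /* VirtualSize 0x3000, VirtualAddress 0x1000 */
    0x00,0x02,0,0, 0x00,0x04,0,0,   /* SizeOfRawData 0x200, PointerToRawData 0x400 */
    0,0,0,0, 0,0,0,0, 0,0, 0,0,  0x20,0x00,0x00,0xE0 };  /* 12 unused bytes, then Characteristics 0xE0000020 */

static uint32_t le32(const uint8_t *p) {   /* fields are little-endian */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one raw entry; returns -1 if fewer than 40 bytes are available. */
int parse_section(const uint8_t *buf, size_t len, section_t *s) {
    if (len < 40) return -1;
    memcpy(s->name, buf, 8);
    s->name[8] = '\0';      /* never treat Name as a C string in place */
    s->vsize    = le32(buf + 8);   s->va      = le32(buf + 12);
    s->raw_size = le32(buf + 16);  s->raw_ptr = le32(buf + 20);
    s->chars    = le32(buf + 36);
    return 0;
}

/* RVA to file offset; -1 if outside the section or in its zero-filled tail. */
int64_t rva_to_offset(const section_t *s, uint32_t rva) {
    if (rva < s->va || rva - s->va >= s->vsize) return -1;
    if (rva - s->va >= s->raw_size) return -1;  /* no bytes on disk here */
    return (int64_t)s->raw_ptr + (rva - s->va);
}

int is_wx(const section_t *s) {  /* writable and executable at once */
    return (s->chars & SCN_MEM_WRITE) && (s->chars & SCN_MEM_EXECUTE);
}

int main(void) {
    section_t s;
    if (parse_section(SAMPLE, sizeof SAMPLE, &s) != 0) return 1;
    printf("%s: 0x%llx W+X=%d\n", s.name, (unsigned long long)rva_to_offset(&s, 0x1010), is_wx(&s));
    return 0;
}
```

A section whose Characteristics has both the write and execute bits set is a common triage signal when reviewing unknown binaries, so is_wx is the kind of check a scanner would run over every entry.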
