Reference: http://blog.csdn.net/huanjieshuijing/article/details/5874365
http://lwglucky.blog.51cto.com/1228348/283812
Data Structures Involved
The PE file header is defined in winnt.h:
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    // PE header signature: "PE\0\0". It starts at the address pointed to by offset 3Ch from the start of the DOS header (to be studied and verified)
    IMAGE_FILE_HEADER FileHeader; // physical layout of the PE file
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // logical layout of the PE file
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine; // CPU required to run the file; 14Ch for the Intel platform
    WORD NumberOfSections; // number of sections in the file
    DWORD TimeDateStamp; // file creation date and time
    DWORD PointerToSymbolTable; // used for debugging
    DWORD NumberOfSymbols; // number of symbols in the symbol table
    WORD SizeOfOptionalHeader; // size of the OptionalHeader structure
    WORD Characteristics; // file attribute flags, e.g. whether the file is an EXE or a DLL
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD Magic; // flag (always 010Bh)
    BYTE MajorLinkerVersion; // linker version
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode; // code segment size
    DWORD SizeOfInitializedData; // size of the initialized data block
    DWORD SizeOfUninitializedData; // size of the uninitialized data block
    DWORD AddressOfEntryPoint;
    // RVA of the first instruction the PE loader runs. Changing this value to a
    // new RVA changes the whole execution flow: the instructions at the new RVA
    // are executed first. (Many earlier articles have introduced RVA; make sure
    // you understand it first.)
    DWORD BaseOfCode; // starting RVA of the code segment
    DWORD BaseOfData; // starting RVA of the data segment
    //
    // NT additional fields.
    //
    DWORD ImageBase; // address at which the PE file is loaded
    DWORD SectionAlignment; // block alignment
    DWORD FileAlignment; // file block alignment
    WORD MajorOperatingSystemVersion; // required OS version
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion; // user-defined version number
    WORD MinorImageVersion;
    // Win32 subsystem version. If the PE file is designed specifically for Win32,
    // this subsystem version must be 4.0; otherwise dialog boxes will not have
    // the three-dimensional look.
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage; // size of the entire PE image in memory
    DWORD SizeOfHeaders; // size of all headers plus the section table
    DWORD CheckSum; // checksum
    WORD Subsystem; // used by NT to identify the subsystem of the PE file
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    // Array of IMAGE_DATA_DIRECTORY structures. Each entry gives the RVA of an
    // important data structure, such as the import address table.
    // IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // RVA of the table
    DWORD Size; // size
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
The PE file header is followed by the section table, which is defined in winnt.h as follows:
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // section name, for example ".text"; IMAGE_SIZEOF_SHORT_NAME = 8
    union {
        DWORD PhysicalAddress; // physical address
        DWORD VirtualSize; // actual length
    } Misc;
    DWORD VirtualAddress; // RVA
    DWORD SizeOfRawData; // physical length
    DWORD PointerToRawData; // offset of the section from the start of the file
    DWORD PointerToRelocations; // relocation offset
    DWORD PointerToLinenumbers; // offset of the line number table
    WORD NumberOfRelocations; // number of relocation entries
    WORD NumberOfLinenumbers; // number of line number entries
    DWORD Characteristics; // section attributes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
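Added example (not from the original article or from winnt.h): a bounds-checked walk of the structures above that reports which section contains AddressOfEntryPoint, a usual first check when triaging a PE file. The function names, the PE32-only restriction and the constructed header bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors: no struct packing or alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Index of the section containing AddressOfEntryPoint (its name copied to name[9]);
   -1 = malformed or truncated headers, -2 = entry point outside every section. */
int entry_section(const uint8_t *f, size_t len, char name[9]) {
    if (len < 0x40 || rd16(f) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(f + 0x3C);                                /* DOS header offset 3Ch */
    if (nt > len || len - nt < 24 || rd32(f + nt) != 0x00004550) return -1; /* "PE\0\0" */
    uint16_t nsec = rd16(f + nt + 6), optsz = rd16(f + nt + 20); /* NumberOfSections, SizeOfOptionalHeader */
    if (len - nt < 24 + (size_t)optsz + (size_t)nsec * 40) return -1;
    const uint8_t *opt = f + nt + 24, *sec = opt + optsz;        /* section table follows the optional header */
    if (optsz < 20 || rd16(opt) != 0x010B) return -1;            /* Magic: PE32 only */
    uint32_t ep = rd32(opt + 16);                                /* AddressOfEntryPoint */
    for (int i = 0; i < nsec; i++, sec += 40) {
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12);     /* Misc.VirtualSize, VirtualAddress */
        if (ep < va || ep - va >= vsize) continue;
        memcpy(name, sec, 8); name[8] = '\0';
        return i;
    }
    return -2;
}

/* Constructed sample (assumption): headers only, two sections, not a runnable image. */
enum { NT = 0x80, SAMPLE_LEN = NT + 24 + 224 + 2 * 40 };
void make_sample(uint8_t b[SAMPLE_LEN], uint32_t entry_rva) {
    memset(b, 0, SAMPLE_LEN);
    memcpy(b, "MZ", 2);  wr32(b + 0x3C, NT);
    memcpy(b + NT, "PE\0\0", 4);
    b[NT + 4] = 0x4C; b[NT + 5] = 0x01; b[NT + 6] = 2;           /* Machine 14Ch, 2 sections */
    b[NT + 20] = 224; b[NT + 24] = 0x0B; b[NT + 25] = 0x01;      /* SizeOfOptionalHeader, Magic 010Bh */
    wr32(b + NT + 24 + 16, entry_rva);                           /* AddressOfEntryPoint */
    uint8_t *s = b + NT + 24 + 224;                              /* section table */
    memcpy(s, ".text", 5);      wr32(s + 8, 0x1000); wr32(s + 12, 0x1000);
    memcpy(s + 40, ".data", 5); wr32(s + 48, 0x800); wr32(s + 52, 0x2000);
}

int main(void) {
    uint8_t buf[SAMPLE_LEN]; char name[9];
    make_sample(buf, 0x1234);
    printf("entry point is in section %d\n", entry_section(buf, sizeof buf, name));
    return 0;
}
```

The section table is located with SizeOfOptionalHeader from the file header rather than a fixed structure size, and every offset is checked against the buffer length before it is read.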