PE detailed IMAGE_OPTIONAL_HEADER32 structure definition is the function of each property (PE detailed 03)

Let's go on to the IMAGE_OPTIONAL_HEADER32 structure definition is the function of each property!

(Video tutorial: http://fishc.com/a/shipin/jiemixilie/)

Then let's talk about the image_optional_header structure, as the name means, this is an optional image header, an optional structure, but, actually, the image_file_header structure we've been explaining in the last lesson is far from enough to define the properties of the PE file. Therefore, these properties are defined in the Image_optional_header structure. Therefore, the two structures together, is a complete "PE file structure." Then we should come to the logical discussion of the definition of the IMAGE_OPTIONAL_HEADER32 structure: (What?) Structure will not, first look at the small turtle children's shoes "0 basic Introductory Learning C language" on the structure of the chapter Bar ~) typedef struct _IMAGE_OPTIONAL_HEADER
{
//
Standard fields.
//
+18h WORD Magic; Glyph, ROM image (0107h), normal executable (010Bh)
+1ah BYTE majorlinkerversion; Major version number of the linked program
+1BH BYTE minorlinkerversion; The minor version number of the linked program
+1ch DWORD Sizeofcode; Total size of all sections with code
+20h DWORD Sizeofinitializeddata; Total size of all sections with initialized data
+24h DWORD Sizeofuninitializeddata; The size of all sections with uninitialized data
+28h DWORD Addressofentrypoint; Program Execution Entry RVA
+2ch DWORD Baseofcode; The starting RVA of the chunk of the code
+30h DWORD Baseofdata; The starting RVA of the chunk of the data
//
NT additional fields. The following are the fields that are added to the NT structure.
//
+34h DWORD ImageBase; Preferred loading address of the program
+38h DWORD sectionalignment; The alignment size of the chunk in memory
+3ch DWORD filealignment; The alignment size of the chunks in the file
+40h WORD majoroperatingsystemversion; The major version number that requires the operating system minimum version number
+42H WORD minoroperatingsystemversion; The version number that requires the operating system minimum version number
+44h WORD majorimageversion; Major version number that can be run on the operating system
+46h WORD minorimageversion; Minor version number that can be run on the operating system
+48h WORD majorsubsystemversion; The major version number that requires the minimum subsystem version
+4ah WORD minorsubsystemversion; Minor version number required for minimum subsystem version
+4ch DWORD Win32versionvalue; A non-spurious field, usually 0 if not used by a virus
+50h DWORD Sizeofimage; Total size after image is loaded into memory
+54h DWORD sizeofheaders; Size of all Header + chunk tables
+58h DWORD CheckSum; The calibration of images and
+5ch WORD Subsystem; subsystem expected by executable file
+5eh WORD DllCharacteristics; When the DllMain () function is called, the default is 0
+60h DWORD Sizeofstackreserve; Stack size at initialization
+64h DWORD Sizeofstackcommit; The size of the stack actually committed at initialization
+68h DWORD Sizeofheapreserve; Heap size retained at initialization
+6ch DWORD Sizeofheapcommit; The actual committed heap size at the time of initialization
+70h DWORD loaderflags; For debugging, the default is 0
+74h DWORD numberofrvaandsizes; The number of items in the bottom data directory, which has been 16 since Windows NT was published//
+78h Image_data_directory Datadirectory[image_numberof_directory_entries];
Data Catalog Table
} Image_optional_header32, *pimage_optional_header32;

In fact, most of the fields in this structure are unimportant, and you can understand their meanings from the comments, and the turtle will explain the more important fields below. In addition, this thing must not go back ah, we have to take most of the time to change, rather than remember. Do not take notes, the article reproduced to your blog on the line (best note: The small turtle is handsome) Roar ^_^

Addressofentrypoint Field

Indicates the entry address at which the file was executed, which is an RVA address (the meaning of RVA is described in detail in the next section). If you attach a piece of code to an executable file and want the code to be executed first, you just point the portal address to the additional code.

ImageBase Field

Indicates the priority loading address of the file. This means that when the file is executed, Windows overrides the file in the address specified by the ImageBase field, if possible, and the file is loaded into the * * address only if the specified address has been used by the * * module. When the linker generates the executable file corresponding to this address to generate machine code, so when the file is loaded into this address does not need to relocate, the fastest loading, if the file is loaded to * * address, will have to relocate, so it is slower.

For EXE files, because each file always uses a separate virtual address space, the priority mount address is not likely to be occupied by the * * module, so exe always can be loaded according to this address, which also means that EXE files no longer need to relocate information. For DLL files, because multiple DLL files use the address space of the host EXE file, there is no guarantee that the priority Mount address is not used by the DLL, so the DLL file must contain the relocation information just in case. Therefore, in the characteristics field of the Image_file_header structure described earlier, the DLL file corresponds to a image_file_relocs_stripped bit that is always 0, while the exe file's flag bit is always 1.

When linking, you can customize the priority mount address by specifying the/base:address option for link.exe, and if you do not specify this option, the default priority mount address of the generic EXE file is set to 00400000h. The default priority mount address for DLL files is set to 10000000h.

Sectionalignment fields and FileAlignment fields

The Sectionalignment field specifies the unit of alignment after which the section is loaded into memory. That is, the address that each section is loaded must be an integer multiple of the value specified in this field. The FileAlignment field specifies the unit of alignment when the section is stored in a disk file.

subsystem field

Specifies the subsystem that uses the interface, which is evaluated as shown in table 17.3. This field determines how the system establishes the initial interface for the program, and the/subsystem:** option at link time Specifies the value of this field, which we already know in the previous section of programming: If you designate a subsystem as Windows CUI, the system automatically creates a console window for the program. When specified as a Windows GUI, the window must be created by the program itself.

The value and meaning of interface subsystem

Take value	Pre-defined values in Windows.inc	Meaning
0	Image_subsystem_unknown	Unknown sub-system
1	Image_subsystem_native	No subsystems required (such as drivers)
2	Image_subsystem_windows_gui	Windows graphical interface
3	Image_subsystem_windows_cui	Windows Console Interface
5	Image_subsystem_os2_cui	OS2 Console Interface
7	Image_subsystem_posix_cui	POSIX Console interface
8	Image_subsystem_native_windows	No subsystems required
9	Image_subsystem_windows_ce_gui	Windows CE graphical interface

DataDirectory Field

This field can be said to be one of the most important fields, which consists of 16 identical image_data_directory structures, although the data in the PE file is placed in different sections according to the page attributes that are loaded into memory, but the data in each section can be divided into export tables by usage , import tables, resources, relocation tables, and other data blocks, these 16 image_data_directory structures are used to define a number of different uses of data blocks (as shown in table 17.4). The definition of the image_data_directory structure is simple, and it simply points out the location and length of a certain data block.

Image_data_directory STRUCT

Virtualaddress DWORD? ; The starting RVA of the data

Isize DWORD? ; The length of the data block

Image_data_directory ENDS

Meaning of the Data Catalog list

Index	Predefined values for index values in Windows.inc	corresponding block of data
0	Image_directory_entry_export	Exporting tables
1	Image_directory_entry_import	Import Table
2	Image_directory_entry_resource	Resources
3	Image_directory_entry_exception	Exception (Specific information unknown)
4	Image_directory_entry_security	Safety (Details unknown)
5	Image_directory_entry_basereloc	Reposition Table
6	Image_directory_entry_debug	Debugging information
7	Image_directory_entry_architecture	Copyright information
8	Image_directory_entry_globalptr	Specific information unknown
9	Image_directory_entry_tls	Thread Local Storage
10	Image_directory_entry_load_config	Specific information unknown
11	Image_directory_entry_bound_import	Specific information unknown
12	Image_directory_entry_iat	Import function Address Table
13	Image_directory_entry_delay_import	Specific information unknown
14	Image_directory_entry_com_descriptor	Specific information unknown
15	Not used

When looking for specific data in a PE file, starting with these image_data_directory structures, such as accessing resources, the size and position of the resource data block must be obtained from the 3rd image_data_directory structure (index 2); If you want to see what API functions the PE file imports into which DLL files, you must first get the location and size of the imported table from the 2nd image_data_directory structure.

PE detailed IMAGE_OPTIONAL_HEADER32 structure definition is the function of each property (PE detailed 03)