The PE file format seems to be a popular topic lately. Since I am writing a program that deals with it, I am simply writing down my own notes to share with everyone.
The PE file header is divided into two parts:
1: DOS 'MZ' header
2: IMAGE_NT_HEADERS
IMAGE_NT_HEADERS contains:
PE Signature
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER (which contains the data directory)
The file header is followed by the
Section Table (array of IMAGE_SECTION_HEADERs)
Delphi's Windows.pas already defines:
TImageDosHeader;
TImageNtHeaders;
TImageSectionHeader; {Size of TImageSectionHeader is $28}
After you declare variables of these types, hold down CTRL to see their individual fields; I won't say much about them here.
Others, such as TImageResourceDirectory, have no definition in Delphi. Based on other references, I give their structures here with a brief description.
The following are the type declarations from the PEDump.exe I wrote:
type
  PIMAGE_RESOURCE_DIRECTORY = ^TImageResourceDirectory;
  _IMAGE_RESOURCE_DIRECTORY = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: Word;
    MinorVersion: Word;
    NumberOfNamedEntries: Word;
    NumberOfIdEntries: Word;
  end;
  TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;
  {Format of a resource directory}

  PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^TImageResourceDirectoryEntry;
  _IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
    {Name and Id share the same storage (a union in winnt.h), so the entry is 8 bytes}
    case Integer of
      0: (Name: DWORD;          {NameOffset:31, NameIsString:1}
          OffsetToData: DWORD); {OffsetToDirectory:31, DataIsDirectory:1}
      1: (Id: Word);
  end;
  TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY;
  {Format of a resource directory entry}

  PIMAGE_RESOURCE_DIRECTORY_STRING = ^TImageResourceDirectoryString;
  _IMAGE_RESOURCE_DIRECTORY_STRING = packed record
    Length: Word;
    NameString: AnsiChar; {first character; Length characters in total}
  end;
  TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING;
  {Format of a resource directory name}

  PIMAGE_RESOURCE_DIR_STRING_U = ^TImageResourceDirStringU;
  _IMAGE_RESOURCE_DIR_STRING_U = packed record
    Length: Word;
    NameString: WideChar; {first character; Length characters in total}
  end;
  TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U;
  {Format of a resource directory name in Unicode form}

  PIMAGE_RESOURCE_DATA_ENTRY = ^TImageResourceDataEntry;
  _IMAGE_RESOURCE_DATA_ENTRY = packed record
    OffsetToData: DWORD;
    Size: DWORD;
    CodePage: DWORD;
    Reserved: DWORD;
  end;
  TImageResourceDataEntry = _IMAGE_RESOURCE_DATA_ENTRY;
  {Format of a resource directory data entry}
const
  IMAGE_RESOURCE_NAME_IS_STRING = $80000000;
  {If the highest bit of TImageResourceDirectoryEntry.Name is set,
   the remaining 31 bits are the offset of an IMAGE_RESOURCE_DIR_STRING_U;
   otherwise, the remaining 31 bits are an integer ID.}
  IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;
  {If the highest bit of TImageResourceDirectoryEntry.OffsetToData is set,
   the remaining 31 bits are the offset of another IMAGE_RESOURCE_DIRECTORY;
   otherwise, the remaining 31 bits are the offset of an IMAGE_RESOURCE_DATA_ENTRY.}
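The two high-bit flags above decide how every directory entry is read, and they are also where a malformed file can send a parser outside the resource section or back into a directory it has already visited. The Python sketch below is an added example, not code from the original PEDump.exe; the helper names, the depth cap and the constructed SAMPLE bytes are assumptions made for illustration.

```python
import struct

NAME_IS_STRING = 0x80000000     # IMAGE_RESOURCE_NAME_IS_STRING
DATA_IS_DIRECTORY = 0x80000000  # IMAGE_RESOURCE_DATA_IS_DIRECTORY
MAX_DEPTH = 8                   # assumed cap; normal trees are type/name/language

def need(rsrc, off, size):
    """Reject any offset that points outside the resource section."""
    if off + size > len(rsrc):
        raise ValueError(f"offset {off:#x}+{size} is outside the resource section")

def entry_name(rsrc, name):
    if not name & NAME_IS_STRING:
        return name & 0xFFFF                       # integer ID (the Id field)
    off = name & 0x7FFFFFFF                        # -> IMAGE_RESOURCE_DIR_STRING_U
    need(rsrc, off, 2)
    (length,) = struct.unpack_from("<H", rsrc, off)
    need(rsrc, off + 2, length * 2)
    return rsrc[off + 2:off + 2 + length * 2].decode("utf-16-le", "replace")

def walk(rsrc, dir_off=0, path=(), seen=None):
    """Yield (path, data_rva, size, codepage) for each IMAGE_RESOURCE_DATA_ENTRY."""
    seen = set() if seen is None else seen
    if dir_off in seen or len(path) >= MAX_DEPTH:
        raise ValueError(f"directory {dir_off:#x} revisited or nested too deeply")
    seen.add(dir_off)
    need(rsrc, dir_off, 16)
    *_, named, ids = struct.unpack_from("<IIHHHH", rsrc, dir_off)
    for i in range(named + ids):
        ent = dir_off + 16 + 8 * i                 # entries follow the directory
        need(rsrc, ent, 8)
        name, target = struct.unpack_from("<II", rsrc, ent)
        here = path + (entry_name(rsrc, name),)
        off = target & 0x7FFFFFFF                  # relative to section start
        if target & DATA_IS_DIRECTORY:
            yield from walk(rsrc, off, here, seen)
        else:
            need(rsrc, off, 16)
            rva, size, codepage, _ = struct.unpack_from("<IIII", rsrc, off)
            yield here, rva, size, codepage

_dir = lambda named, ids: struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
# Constructed sample: named type "CFG" -> ID 1 -> language $409 -> data entry.
SAMPLE = (_dir(1, 0) + struct.pack("<II", 0x80000058, 0x80000018)
          + _dir(0, 1) + struct.pack("<II", 1, 0x80000030)
          + _dir(0, 1) + struct.pack("<II", 0x409, 0x48)
          + struct.pack("<IIII", 0x3000, 0x20, 0, 0)
          + struct.pack("<H", 3) + "CFG".encode("utf-16-le"))
```

Directory and string offsets are relative to the start of the resource section, while OffsetToData in the data entry is an RVA, so it still has to be mapped through the section table before the bytes are read.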
{The following constants are the specific values of the file characteristics}
{File Characteristics}
const
  IMAGE_FILE_RELOCS_STRIPPED = $0001; // Relocation info stripped from file.
  IMAGE_FILE_EXECUTABLE_IMAGE = $0002; // The file is executable.
  IMAGE_FILE_LINE_NUMS_STRIPPED = $0004; // Line numbers stripped from file.
  IMAGE_FILE_LOCAL_SYMS_STRIPPED = $0008; // Local symbols stripped from file.
  IMAGE_FILE_AGGRESIVE_WS_TRIM = $0010; // Aggressively trim working set.
  IMAGE_FILE_LARGE_ADDRESS_AWARE = $0020; // App can handle >2GB addresses.
  IMAGE_FILE_BYTES_REVERSED_LO = $0080; // Bytes of machine word are reversed.
  IMAGE_FILE_32BIT_MACHINE = $0100; // 32 bit word machine.
  IMAGE_FILE_DEBUG_STRIPPED = $0200; // Debugging info stripped from file in .DBG file.
  IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = $0400; // If image is on removable media, copy and run from the swap file.
  IMAGE_FILE_NET_RUN_FROM_SWAP = $0800; // If image is on Net, copy and run from the swap file.
  IMAGE_FILE_SYSTEM = $1000; // System file.
  IMAGE_FILE_DLL = $2000; // The file is a DLL.
  IMAGE_FILE_UP_SYSTEM_ONLY = $4000; // File should only be run on a UP machine.
  IMAGE_FILE_BYTES_REVERSED_HI = $8000; // Bytes of machine word are reversed.
{The following constants are the specific values of the file header Machine field}
{Machine}
  IMAGE_FILE_MACHINE_UNKNOWN = $0000;
  IMAGE_FILE_MACHINE_I386 = $014C; // Intel 386.
  IMAGE_FILE_MACHINE_R3000 = $0162; // MIPS little-endian, $160 big-endian
  IMAGE_FILE_MACHINE_R4000 = $0166; // MIPS little-endian
  IMAGE_FILE_MACHINE_R10000 = $0168; // MIPS little-endian
  IMAGE_FILE_MACHINE_WCEMIPSV2 = $0169; // MIPS little-endian WCE v2
  IMAGE_FILE_MACHINE_ALPHA = $0184; // Alpha_AXP
  IMAGE_FILE_MACHINE_SH3 = $01A2; // SH3 little-endian
  IMAGE_FILE_MACHINE_SH3E = $01A4; // SH3E little-endian
  IMAGE_FILE_MACHINE_SH4 = $01A6; // SH4 little-endian
  IMAGE_FILE_MACHINE_SH5 = $01A8; // SH5
  IMAGE_FILE_MACHINE_ARM = $01C0; // ARM little-endian
  IMAGE_FILE_MACHINE_THUMB = $01C2;
  IMAGE_FILE_MACHINE_ARM33 = $01D3;
  IMAGE_FILE_MACHINE_POWERPC = $01F0; // IBM PowerPC little-endian
  IMAGE_FILE_MACHINE_IA64 = $0200; // Intel 64
  IMAGE_FILE_MACHINE_MIPS16 = $0266; // MIPS
  IMAGE_FILE_MACHINE_ALPHA64 = $0284; // ALPHA64
  IMAGE_FILE_MACHINE_MIPSFPU = $0366; // MIPS
  IMAGE_FILE_MACHINE_MIPSFPU16 = $0466; // MIPS
  IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64;
  IMAGE_FILE_MACHINE_AMD64 = $8664; // AMD64 (K8)
  IMAGE_FILE_MACHINE_TRICORE = $0520; // Infineon
  IMAGE_FILE_MACHINE_CEF = $0CEF;
{The following constants are the specific values of the section characteristics}
{Section Characteristics}
  IMAGE_SCN_TYPE_REG = $00000000; // Reserved.
  IMAGE_SCN_TYPE_DSECT = $00000001; // Reserved.
  IMAGE_SCN_TYPE_NOLOAD = $00000002; // Reserved.
  IMAGE_SCN_TYPE_GROUP = $00000004; // Reserved.
  IMAGE_SCN_TYPE_NO_PAD = $00000008; // Reserved.
  IMAGE_SCN_TYPE_COPY = $00000010; // Reserved.
  IMAGE_SCN_CNT_CODE = $00000020; // Section contains code.
  IMAGE_SCN_CNT_INITIALIZED_DATA = $00000040; // Section contains initialized data.
  IMAGE_SCN_CNT_UNINITIALIZED_DATA = $00000080; // Section contains uninitialized data.
  IMAGE_SCN_LNK_OTHER = $00000100; // Reserved.
  IMAGE_SCN_LNK_INFO = $00000200; // Section contains comments or some other type of information.
  IMAGE_SCN_TYPE_OVER = $00000400; // Reserved.
  IMAGE_SCN_LNK_REMOVE = $00000800; // Section contents will not become part of image.
  IMAGE_SCN_LNK_COMDAT = $00001000; // Section contents comdat.
  // $00002000 Reserved.
  // IMAGE_SCN_MEM_PROTECTED - Obsolete = $00004000;
  IMAGE_SCN_NO_DEFER_SPEC_EXC = $00004000; // Reset speculative exceptions handling bits in the TLB entries for this section.
  IMAGE_SCN_GPREL = $00008000; // Section content can be accessed relative to GP.
  IMAGE_SCN_MEM_FARDATA = $00008000;
  // IMAGE_SCN_MEM_SYSHEAP - Obsolete = $00010000;
  IMAGE_SCN_MEM_PURGEABLE = $00020000;
  IMAGE_SCN_MEM_16BIT = $00020000;
  IMAGE_SCN_MEM_LOCKED = $00040000;
  IMAGE_SCN_MEM_PRELOAD = $00080000;
  IMAGE_SCN_ALIGN_1BYTES = $00100000;
  IMAGE_SCN_ALIGN_2BYTES = $00200000;
  IMAGE_SCN_ALIGN_4BYTES = $00300000;
  IMAGE_SCN_ALIGN_8BYTES = $00400000;
  IMAGE_SCN_ALIGN_16BYTES = $00500000; // Default alignment if no others are specified.
  IMAGE_SCN_ALIGN_32BYTES = $00600000;
  IMAGE_SCN_ALIGN_64BYTES = $00700000;
  IMAGE_SCN_ALIGN_128BYTES = $00800000;
  IMAGE_SCN_ALIGN_256BYTES = $00900000;
  IMAGE_SCN_ALIGN_512BYTES = $00A00000;
  IMAGE_SCN_ALIGN_1024BYTES = $00B00000;
  IMAGE_SCN_ALIGN_2048BYTES = $00C00000;
  IMAGE_SCN_ALIGN_4096BYTES = $00D00000;
  IMAGE_SCN_ALIGN_8192BYTES = $00E00000;
  // Unused = $00F00000;
  IMAGE_SCN_ALIGN_MASK = $00F00000;
  IMAGE_SCN_LNK_NRELOC_OVFL = $01000000; // Section contains extended relocations.
  IMAGE_SCN_MEM_DISCARDABLE = $02000000; // Section can be discarded.
  IMAGE_SCN_MEM_NOT_CACHED = $04000000; // The section is not cachable.
  IMAGE_SCN_MEM_NOT_PAGED = $08000000; // The section is not pageable.
  IMAGE_SCN_MEM_SHARED = $10000000; // The section is shareable.
  IMAGE_SCN_MEM_EXECUTE = $20000000; // The section is executable.
  IMAGE_SCN_MEM_READ = $40000000; // The section is readable.
  IMAGE_SCN_MEM_WRITE = $80000000; // The section is writeable.
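Reading these flags from a file means following the header layout described at the top: e_lfanew at offset $3C of the DOS header, the PE signature, the 20-byte file header, the optional header, then one $28-byte section header per section. The Python sketch below is an added example, not part of the original PEDump.exe; it decodes each section's Characteristics and reports sections that are both writable and executable, a combination worth a closer look when triaging a binary. The function names and the constructed SAMPLE header are assumptions made for illustration.

```python
import struct

# Subset of the section characteristics listed above (IMAGE_SCN_ prefix dropped).
SCN = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
       0x00000080: "CNT_UNINITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
       0x10000000: "MEM_SHARED", 0x20000000: "MEM_EXECUTE",
       0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
MEM_EXECUTE, MEM_WRITE, ALIGN_MASK = 0x20000000, 0x80000000, 0x00F00000

def sections(image):
    """Return [(name, characteristics)] from the section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no DOS 'MZ' header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size     # signature + file header + optional header
    if table + count * 0x28 > len(image):
        raise ValueError("section table runs past the end of the file")
    found = []
    for i in range(count):
        name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 0x28)
        found.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return found

def describe(chars):
    """Decode a Characteristics DWORD into flag names plus the alignment nibble."""
    flags = [label for bit, label in SCN.items() if chars & bit]
    nibble = (chars & ALIGN_MASK) >> 20
    if 1 <= nibble <= 14:                # $00F00000 itself is unused
        flags.append(f"ALIGN_{1 << (nibble - 1)}BYTES")
    return flags

def writable_and_executable(image):
    """Names of sections mapped both writable and executable."""
    return [n for n, c in sections(image) if c & MEM_WRITE and c & MEM_EXECUTE]

def _sec(name, chars):
    return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, 0, 0, 0, 0, 0, 0, chars)

# Constructed header only: i386, two sections, no optional header, no section data.
SAMPLE = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
          + struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
          + _sec(b".text", 0x60000020) + _sec(b".stub", 0xE0500060))
```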