PE file Format Analysis experience

Source: Internet
Author: User

The PE file format seems to be a hot topic recently. Since I am writing a program that works with it, I will simply write down my own notes on it and share them with everyone.

The PE file header is divided into two parts:

1: DOS 'MZ' header (IMAGE_DOS_HEADER)

2: IMAGE_NT_HEADERS

where IMAGE_NT_HEADERS contains

PE signature ('PE\0\0')

IMAGE_FILE_HEADER

IMAGE_OPTIONAL_HEADER (which contains the data directory)

The file header is followed by the

Section table (an array of IMAGE_SECTION_HEADER records)

Delphi's Windows.pas already defines these:

TImageDosHeader;

TImageNtHeaders;

TImageSectionHeader; {size of TImageSectionHeader is $28}

Declare variables of these types, then hold down Ctrl and click the type name in the IDE to jump to its definition and see the individual fields; I won't say more about them here.
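As an added example (not code from the original post, and in Python rather than Delphi so it runs anywhere), here is a small parser that follows exactly the layout just described: DOS 'MZ' header, e_lfanew, PE signature, IMAGE_FILE_HEADER, then the $28-byte section table. It builds its own constructed sample image; the constant values are those of winnt.h, and the W+X and raw-range checks are the two things a triage script most wants to know about a section.

```python
import struct

# Constants from winnt.h; the Delphi listing on this page declares the same values
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER: 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: $28 = 40 bytes

def parse_headers(data):
    """DOS 'MZ' header -> IMAGE_NT_HEADERS -> section table, with bounds checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is read from the file, so range-check it before dereferencing
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table directly follows the optional header
    if table + nsec * 40 > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsec):
        name, _, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "flags": flags,
            # W+X sections and raw data lying outside the file are classic packer/malformation signs
            "writable_exec": bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE),
            "raw_in_file": rawptr + rawsize <= len(data)})
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE), "sections": sections}

def build_sample(sections):
    """Constructed minimal PE32 image (not a real binary) with the given (name, flags) sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = $40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic, 224-byte optional header
    fh = struct.pack(FILE_HDR, IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, len(opt),
                     IMAGE_FILE_EXECUTABLE_IMAGE)
    table = b"".join(struct.pack(SECTION_HDR, n, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                                 0, 0, 0, 0, f) for i, (n, f) in enumerate(sections))
    img = dos + b"PE\0\0" + fh + opt + table
    return img + b"\0" * (0x400 + 0x200 * len(sections) - len(img))  # pad so raw data fits

SAMPLE = build_sample([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                       (b".stub", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
                        | IMAGE_SCN_MEM_WRITE)])
```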

Other structures, such as TImageResourceDirectory, have no definition in Delphi's units; after consulting other references, I give their layout here with a brief description.

The following is the type section of the PEDump.exe I wrote:

type
  PImageResourceDirectory = ^TImageResourceDirectory;
  _IMAGE_RESOURCE_DIRECTORY = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: Word;
    MinorVersion: Word;
    NumberOfNamedEntries: Word;
    NumberOfIdEntries: Word;
  end;
  TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;
  { Resource directory format description; NumberOfNamedEntries + NumberOfIdEntries
    entries follow the record directly, named entries first }

  PImageResourceDirectoryEntry = ^TImageResourceDirectoryEntry;
  _IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
    { Name and Id overlay the same DWORD (a union in winnt.h), so the record is 8 bytes }
    case Integer of
      0: (Name: DWORD;           { NameOffset:31, NameIsString:1 }
          OffsetToData: DWORD);  { OffsetToDirectory:31, DataIsDirectory:1 }
      1: (Id: Word);
  end;
  TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY;
  { Resource directory entry format description }

  PImageResourceDirectoryString = ^TImageResourceDirectoryString;
  _IMAGE_RESOURCE_DIRECTORY_STRING = packed record
    Length: Word;
    NameString: array[0..0] of AnsiChar;  { Length characters follow, not NUL-terminated }
  end;
  TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING;
  { Resource directory name format description }

  PImageResourceDirStringU = ^TImageResourceDirStringU;
  _IMAGE_RESOURCE_DIR_STRING_U = packed record
    Length: Word;
    NameString: array[0..0] of WideChar;  { Length UTF-16 characters follow, not NUL-terminated }
  end;
  TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U;
  { Format description of the resource directory name in Unicode form }

  PImageResourceDataEntry = ^TImageResourceDataEntry;
  _IMAGE_RESOURCE_DATA_ENTRY = packed record
    OffsetToData: DWORD;  { RVA of the resource data }
    Size: DWORD;
    CodePage: DWORD;
    Reserved: DWORD;
  end;
  TImageResourceDataEntry = _IMAGE_RESOURCE_DATA_ENTRY;
  { Resource directory data entry format description }

const
  IMAGE_RESOURCE_NAME_IS_STRING = $80000000;
  { If the highest bit of TImageResourceDirectoryEntry.Name is set, the remaining
    31 bits are the offset of an IMAGE_RESOURCE_DIR_STRING_U; otherwise the
    remaining 31 bits are an integer ID. }
  IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;
  { If the highest bit of TImageResourceDirectoryEntry.OffsetToData is set, the
    remaining 31 bits are the offset of another IMAGE_RESOURCE_DIRECTORY; otherwise
    the remaining 31 bits are the offset of an IMAGE_RESOURCE_DATA_ENTRY. }

  { The following describe the specific values of the file header Characteristics }
  IMAGE_FILE_RELOCS_STRIPPED         = $0001;  // Relocation info stripped from file.
  IMAGE_FILE_EXECUTABLE_IMAGE        = $0002;  // File is executable.
  IMAGE_FILE_LINE_NUMS_STRIPPED      = $0004;  // Line numbers stripped from file.
  IMAGE_FILE_LOCAL_SYMS_STRIPPED     = $0008;  // Local symbols stripped from file.
  IMAGE_FILE_AGGRESIVE_WS_TRIM       = $0010;  // Aggressively trim working set.
  IMAGE_FILE_LARGE_ADDRESS_AWARE     = $0020;  // App can handle >2GB addresses.
  IMAGE_FILE_BYTES_REVERSED_LO       = $0080;  // Bytes of machine word are reversed.
  IMAGE_FILE_32BIT_MACHINE           = $0100;  // 32-bit word machine.
  IMAGE_FILE_DEBUG_STRIPPED          = $0200;  // Debugging info stripped from file into a .DBG file.
  IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = $0400;  // If image is on removable media, copy and run from the swap file.
  IMAGE_FILE_NET_RUN_FROM_SWAP       = $0800;  // If image is on the network, copy and run from the swap file.
  IMAGE_FILE_SYSTEM                  = $1000;  // System file.
  IMAGE_FILE_DLL                     = $2000;  // File is a DLL.
  IMAGE_FILE_UP_SYSTEM_ONLY          = $4000;  // File should only be run on a UP (uniprocessor) machine.
  IMAGE_FILE_BYTES_REVERSED_HI       = $8000;  // Bytes of machine word are reversed.

  { The following describe the specific values of the file header Machine field }
  IMAGE_FILE_MACHINE_UNKNOWN   = $0000;
  IMAGE_FILE_MACHINE_I386      = $014C;  // Intel 386.
  IMAGE_FILE_MACHINE_R3000     = $0162;  // MIPS little-endian, $0160 big-endian.
  IMAGE_FILE_MACHINE_R4000     = $0166;  // MIPS little-endian.
  IMAGE_FILE_MACHINE_R10000    = $0168;  // MIPS little-endian.
  IMAGE_FILE_MACHINE_WCEMIPSV2 = $0169;  // MIPS little-endian WCE v2.
  IMAGE_FILE_MACHINE_ALPHA     = $0184;  // Alpha AXP.
  IMAGE_FILE_MACHINE_SH3       = $01A2;  // SH3 little-endian.
  IMAGE_FILE_MACHINE_SH3E      = $01A4;  // SH3E little-endian.
  IMAGE_FILE_MACHINE_SH4       = $01A6;  // SH4 little-endian.
  IMAGE_FILE_MACHINE_SH5       = $01A8;  // SH5.
  IMAGE_FILE_MACHINE_ARM       = $01C0;  // ARM little-endian.
  IMAGE_FILE_MACHINE_THUMB     = $01C2;
  IMAGE_FILE_MACHINE_AM33      = $01D3;
  IMAGE_FILE_MACHINE_POWERPC   = $01F0;  // IBM PowerPC little-endian.
  IMAGE_FILE_MACHINE_IA64      = $0200;  // Intel 64.
  IMAGE_FILE_MACHINE_MIPS16    = $0266;  // MIPS.
  IMAGE_FILE_MACHINE_ALPHA64   = $0284;  // ALPHA64.
  IMAGE_FILE_MACHINE_MIPSFPU   = $0366;  // MIPS.
  IMAGE_FILE_MACHINE_MIPSFPU16 = $0466;  // MIPS.
  IMAGE_FILE_MACHINE_AXP64     = IMAGE_FILE_MACHINE_ALPHA64;
  IMAGE_FILE_MACHINE_AMD64     = $8664;  // AMD64 (K8).
  IMAGE_FILE_MACHINE_TRICORE   = $0520;  // Infineon.
  IMAGE_FILE_MACHINE_CEF       = $0CEF;

  { The following describe the specific values of the section Characteristics }
  IMAGE_SCN_TYPE_REG               = $00000000;  // Reserved.
  IMAGE_SCN_TYPE_DSECT             = $00000001;  // Reserved.
  IMAGE_SCN_TYPE_NOLOAD            = $00000002;  // Reserved.
  IMAGE_SCN_TYPE_GROUP             = $00000004;  // Reserved.
  IMAGE_SCN_TYPE_NO_PAD            = $00000008;  // Reserved.
  IMAGE_SCN_TYPE_COPY              = $00000010;  // Reserved.
  IMAGE_SCN_CNT_CODE               = $00000020;  // Section contains code.
  IMAGE_SCN_CNT_INITIALIZED_DATA   = $00000040;  // Section contains initialized data.
  IMAGE_SCN_CNT_UNINITIALIZED_DATA = $00000080;  // Section contains uninitialized data.
  IMAGE_SCN_LNK_OTHER              = $00000100;  // Reserved.
  IMAGE_SCN_LNK_INFO               = $00000200;  // Section contains comments or some other type of information.
  IMAGE_SCN_TYPE_OVER              = $00000400;  // Reserved.
  IMAGE_SCN_LNK_REMOVE             = $00000800;  // Section contents will not become part of the image.
  IMAGE_SCN_LNK_COMDAT             = $00001000;  // Section contents COMDAT.
  //                                 $00002000     Reserved.
  // IMAGE_SCN_MEM_PROTECTED       = $00004000;  // Obsolete.
  IMAGE_SCN_NO_DEFER_SPEC_EXC      = $00004000;  // Reset speculative exception handling bits in the TLB entries for this section.
  IMAGE_SCN_GPREL                  = $00008000;  // Section content can be accessed relative to GP.
  IMAGE_SCN_MEM_FARDATA            = $00008000;
  // IMAGE_SCN_MEM_SYSHEAP         = $00010000;  // Obsolete.
  IMAGE_SCN_MEM_PURGEABLE          = $00020000;
  IMAGE_SCN_MEM_16BIT              = $00020000;
  IMAGE_SCN_MEM_LOCKED             = $00040000;
  IMAGE_SCN_MEM_PRELOAD            = $00080000;
  IMAGE_SCN_ALIGN_1BYTES           = $00100000;
  IMAGE_SCN_ALIGN_2BYTES           = $00200000;
  IMAGE_SCN_ALIGN_4BYTES           = $00300000;
  IMAGE_SCN_ALIGN_8BYTES           = $00400000;
  IMAGE_SCN_ALIGN_16BYTES          = $00500000;  // Default alignment if no others are specified.
  IMAGE_SCN_ALIGN_32BYTES          = $00600000;
  IMAGE_SCN_ALIGN_64BYTES          = $00700000;
  IMAGE_SCN_ALIGN_128BYTES         = $00800000;
  IMAGE_SCN_ALIGN_256BYTES         = $00900000;
  IMAGE_SCN_ALIGN_512BYTES         = $00A00000;
  IMAGE_SCN_ALIGN_1024BYTES        = $00B00000;
  IMAGE_SCN_ALIGN_2048BYTES        = $00C00000;
  IMAGE_SCN_ALIGN_4096BYTES        = $00D00000;
  IMAGE_SCN_ALIGN_8192BYTES        = $00E00000;
  //                                 $00F00000     Unused.
  IMAGE_SCN_ALIGN_MASK             = $00F00000;
  IMAGE_SCN_LNK_NRELOC_OVFL        = $01000000;  // Section contains extended relocations.
  IMAGE_SCN_MEM_DISCARDABLE        = $02000000;  // Section can be discarded.
  IMAGE_SCN_MEM_NOT_CACHED         = $04000000;  // Section is not cachable.
  IMAGE_SCN_MEM_NOT_PAGED          = $08000000;  // Section is not pageable.
  IMAGE_SCN_MEM_SHARED             = $10000000;  // Section is shareable.
  IMAGE_SCN_MEM_EXECUTE            = $20000000;  // Section is executable.
  IMAGE_SCN_MEM_READ               = $40000000;  // Section is readable.
  IMAGE_SCN_MEM_WRITE              = $80000000;  // Section is writeable.
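The following is an added example, not the author's PEDump.exe code and in Python rather than Delphi: it walks a resource directory tree using the IMAGE_RESOURCE_NAME_IS_STRING and IMAGE_RESOURCE_DATA_IS_DIRECTORY high-bit tests described above, with bounds and cycle checks so a malformed tree cannot send the parser out of the section or into a loop. It assumes the input is the raw contents of the resource section, that directory and string offsets are relative to that section's start, and that IMAGE_RESOURCE_DATA_ENTRY.OffsetToData is an image RVA (those two conventions come from the PE specification, not from this page); the sample tree is constructed inline.

```python
import struct

IMAGE_RESOURCE_NAME_IS_STRING = 0x80000000
IMAGE_RESOURCE_DATA_IS_DIRECTORY = 0x80000000
DIR_FMT = "<IIHHHH"  # IMAGE_RESOURCE_DIRECTORY, 16 bytes
ENTRY_FMT = "<II"    # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id union, OffsetToData
DATA_FMT = "<IIII"   # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
def _read(rsrc, fmt, off):
    """Unpack fmt at off, refusing any read that leaves the resource section."""
    if off + struct.calcsize(fmt) > len(rsrc):
        raise ValueError("resource offset 0x%x outside section" % off)
    return struct.unpack_from(fmt, rsrc, off)

def walk_resources(rsrc, off=0, path=(), seen=None):
    """Yield (path, rva, size) for each leaf; path is (type, name, language).
    Directory offsets are relative to the start of the resource section. A malformed tree
    can point back at itself, so visited offsets are tracked and the depth is capped at 3."""
    seen = set() if seen is None else seen
    if off in seen or len(path) >= 3:
        raise ValueError("cyclic or over-deep resource directory at 0x%x" % off)
    seen.add(off)
    _, _, _, _, n_named, n_ids = _read(rsrc, DIR_FMT, off)
    for i in range(n_named + n_ids):
        name, data = _read(rsrc, ENTRY_FMT, off + 16 + 8 * i)
        if name & IMAGE_RESOURCE_NAME_IS_STRING:        # low 31 bits -> IMAGE_RESOURCE_DIR_STRING_U
            soff = name & 0x7FFFFFFF
            (length,) = _read(rsrc, "<H", soff)          # Length counts UTF-16 code units
            key = _read(rsrc, "<%ds" % (2 * length), soff + 2)[0].decode("utf-16-le")
        else:
            key = name & 0xFFFF                           # 16-bit integer ID
        if data & IMAGE_RESOURCE_DATA_IS_DIRECTORY:       # low 31 bits -> another directory
            yield from walk_resources(rsrc, data & 0x7FFFFFFF, path + (key,), seen)
        else:                                             # otherwise -> IMAGE_RESOURCE_DATA_ENTRY
            rva, size, _codepage, _reserved = _read(rsrc, DATA_FMT, data)
            yield path + (key,), rva, size

def build_sample():
    """Constructed resource section (not from a real file): RT_RCDATA (10) -> "CONFIG" -> 0x409."""
    def directory(entries):  # entries: (name_or_id, offset_to_data) pairs
        named = sum(1 for n, _ in entries if n & IMAGE_RESOURCE_NAME_IS_STRING)
        return struct.pack(DIR_FMT, 0, 0, 0, 0, named, len(entries) - named) + b"".join(
            struct.pack(ENTRY_FMT, n, o) for n, o in entries)
    # layout: root @0, type dir @24, name dir @48, data entry @72, name string @88
    root = directory([(10, IMAGE_RESOURCE_DATA_IS_DIRECTORY | 24)])
    type_dir = directory([(IMAGE_RESOURCE_NAME_IS_STRING | 88, IMAGE_RESOURCE_DATA_IS_DIRECTORY | 48)])
    lang_dir = directory([(0x409, 72)])
    data = struct.pack(DATA_FMT, 0x3068, 64, 0, 0)  # constructed RVA 0x3068, 64-byte blob
    return root + type_dir + lang_dir + data + struct.pack("<H", 6) + "CONFIG".encode("utf-16-le")

SAMPLE = build_sample()
```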
