PE File Header

Source: Internet
Author: User

These notes cover mainly the PE file header; see the book "Encryption and Decryption" for the full treatment.

// A small part of the PE file format, from "Encryption and Decryption" (Kanxue / 看雪)
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD e_magic;           // +00h  magic number ("MZ")
    WORD e_cblp;            // +02h  bytes on last page of file
    WORD e_cp;              // +04h  pages in file
    WORD e_crlc;            // +06h  relocations
    WORD e_cparhdr;         // +08h  size of header in paragraphs
    WORD e_minalloc;        // +0Ah  minimum extra paragraphs needed
    WORD e_maxalloc;        // +0Ch  maximum extra paragraphs needed
    WORD e_ss;              // +0Eh  initial (relative) SS value
    WORD e_sp;              // +10h  initial SP value
    WORD e_csum;            // +12h  checksum
    WORD e_ip;              // +14h  initial IP value
    WORD e_cs;              // +16h  initial (relative) CS value
    WORD e_lfarlc;          // +18h  file address of relocation table
    WORD e_ovno;            // +1Ah  overlay number
    WORD e_res[4];          // +1Ch  reserved words
    WORD e_oemid;           // +24h  OEM identifier (for e_oeminfo)
    WORD e_oeminfo;         // +26h  OEM information; e_oemid specific
    WORD e_res2[10];        // +28h  reserved words
    LONG e_lfanew;          // +3Ch  file address of the new (PE) EXE header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

The most useful field of the DOS header for PE files is e_lfanew: it gives the file offset of the real PE file header. The field occupies 4 bytes and is located at file offset 3Ch.

PE file header. The PE loader reads the start offset of the PE header from the e_lfanew field of the DOS MZ header and jumps to the real PE header.

The IMAGE_NT_HEADERS structure is as follows (the MASM listing further down gives each member's offset from the start of the PE file header):

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;      // "PE\0\0"
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

1. The string "PE\0\0" marks the beginning of the PE file header; in a hex dump it appears as the bytes 50 45 00 00. To locate the PE header directly, search for the string 'PE' or for the hexadecimal value 5045.

2. Image File Header (IMAGE_FILE_HEADER)
The image file header follows the PE signature. It contains items such as the CPU type, the number of sections, the time and date stamp, the COFF symbol table pointer and debugging information, the number of symbols, and so on.
Because x86 stores multi-byte values little-endian (low byte first), the bytes 4c 01 seen in a hex dump are actually the value 014ch, which identifies the Intel i386 family of CPUs.

The following lists all members of the IMAGE_NT_HEADERS structure in MASM form (the number on the left is the offset from the start of the PE file header):
; PE file header structure definition
IMAGE_NT_HEADERS STRUCT
; --------------- PE file identifier "PE"
  Signature                   DWORD ?   ; +00h  PE file identifier 'PE\0\0'
; --------------- Image file header (IMAGE_FILE_HEADER)
  Machine                     WORD  ?   ; +04h  target platform (014Ch = i386)
  NumberOfSections            WORD  ?   ; +06h  number of sections
  TimeDateStamp               DWORD ?   ; +08h  file creation date and time
  PointerToSymbolTable        DWORD ?   ; +0Ch  file offset of the COFF symbol table (for debugging)
  NumberOfSymbols             DWORD ?   ; +10h  number of symbols in the symbol table (for debugging)
  SizeOfOptionalHeader        WORD  ?   ; +14h  size of the IMAGE_OPTIONAL_HEADER32 structure
  Characteristics             WORD  ?   ; +16h  file attributes
; --------------- Optional image header (IMAGE_OPTIONAL_HEADER32)
  Magic                       WORD  ?   ; +18h  flag (always 010Bh for PE32)
  MajorLinkerVersion          BYTE  ?   ; +1Ah  linker version number
  MinorLinkerVersion          BYTE  ?   ; +1Bh
  SizeOfCode                  DWORD ?   ; +1Ch  size of the code section(s)
  SizeOfInitializedData       DWORD ?   ; +20h  size of the initialized data section(s)
  SizeOfUninitializedData     DWORD ?   ; +24h  size of the uninitialized data section(s)
  AddressOfEntryPoint         DWORD ?   ; +28h  RVA of the program's execution entry point (very useful)
  BaseOfCode                  DWORD ?   ; +2Ch  RVA at which the code section starts
  BaseOfData                  DWORD ?   ; +30h  RVA at which the data section starts
  ImageBase                   DWORD ?   ; +34h  preferred load address of the image
  SectionAlignment            DWORD ?   ; +38h  section alignment granularity in memory
  FileAlignment               DWORD ?   ; +3Ch  section alignment granularity in the file
  MajorOperatingSystemVersion WORD  ?   ; +40h  required OS major version
  MinorOperatingSystemVersion WORD  ?   ; +42h  required OS minor version
  MajorImageVersion           WORD  ?   ; +44h  user-defined image version
  MinorImageVersion           WORD  ?   ; +46h  user-defined image version
  MajorSubsystemVersion       WORD  ?   ; +48h  required subsystem major version
  MinorSubsystemVersion       WORD  ?   ; +4Ah  required subsystem minor version
  Reserved                    DWORD ?   ; +4Ch  reserved (Win32VersionValue)
  SizeOfImage                 DWORD ?   ; +50h  size of the PE image in memory
  SizeOfHeaders               DWORD ?   ; +54h  size of the headers + section table
  CheckSum                    DWORD ?   ; +58h  checksum
  Subsystem                   WORD  ?   ; +5Ch  file subsystem
  DllCharacteristics          WORD  ?   ; +5Eh  DLL characteristics
  SizeOfStackReserve          DWORD ?   ; +60h  stack size reserved at initialization
  SizeOfStackCommit           DWORD ?   ; +64h  stack size actually committed at initialization
  SizeOfHeapReserve           DWORD ?   ; +68h  heap size reserved at initialization
  SizeOfHeapCommit            DWORD ?   ; +6Ch  heap size actually committed at initialization
  LoaderFlags                 DWORD ?   ; +70h  loader flags
  NumberOfRvaAndSizes         DWORD ?   ; +74h  number of data directory entries
  DataDirectory  IMAGE_DATA_DIRECTORY 16 DUP (<>) ; +78h  data directory table
IMAGE_NT_HEADERS ENDS

Section Table

The section table is an array of structures immediately following the PE header. The number of elements in this array is given by the NumberOfSections field of the image file header (IMAGE_FILE_HEADER). Each element of the table is an IMAGE_SECTION_HEADER structure.

#define IMAGE_SIZEOF_SHORT_NAME 8

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // section name, for example ".text"
    union {
        DWORD PhysicalAddress;           // physical address
        DWORD VirtualSize;               // actual (in-memory) length of the section
    } Misc;
    DWORD VirtualAddress;                // RVA of the section
    DWORD SizeOfRawData;                 // length of the section data in the file
    DWORD PointerToRawData;              // file offset of the section data
    DWORD PointerToRelocations;          // file offset of the relocation table
    DWORD PointerToLinenumbers;          // file offset of the line-number table
    WORD  NumberOfRelocations;           // number of relocation entries
    WORD  NumberOfLinenumbers;           // number of line-number entries
    DWORD Characteristics;               // section attributes
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Likewise, not all members are equally useful. We only care about the really important ones.

Field: Meaning
Name1: The field is really called "Name", but "name" is already a MASM keyword, so in MASM include files it is declared as "Name1". The section name is at most 8 bytes long. Remember that the section name is only a label: any name may be chosen, and it may even be left empty. It is not an ASCIIZ string, so a terminating null is not required.
VirtualAddress: The RVA (relative virtual address) of the section. The PE loader reads this value when mapping the section into memory. So if this field is 1000h and the image is loaded at its ImageBase, the section will be mapped at ImageBase + 1000h (401000h in the usual case of a 400000h image base).
SizeOfRawData: The size of the section's data in the file, rounded up to the file alignment. The PE loader reads this value to know how many bytes of the section to map into memory. For example, a section whose data occupies 0x200 bytes on disk may have a VirtualSize of 0x400, meaning that it occupies 0x400 bytes once mapped.
PointerToRawData: The file offset of the section's data. The PE loader uses this value to locate the section data in the file.
Characteristics: Flags describing the attributes of the section, such as whether the section contains executable code, initialized data or uninitialized data, and whether it is readable or writable.

Now that we know the IMAGE_SECTION_HEADER structure, let's simulate the PE loader's work:

  1. Read the NumberOfSections field of IMAGE_FILE_HEADER to learn how many sections the file has.
  2. Use the SizeOfHeaders field value as the file offset of the section table, and locate the section table with it.
  3. Walk the entire structure array, checking the member values.
  4. For each structure, read the PointerToRawData field value and seek to that file offset. Then read the SizeOfRawData field value to determine how many bytes to map into memory. Add the VirtualAddress field value to the ImageBase field value to obtain the section's starting virtual address. Now map the section into memory and set its attributes according to the Characteristics field value.
  5. Continue through the array until all sections have been processed.

Note that we never use the section name: it is not important.
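The walk just described (e_lfanew to the "PE\0\0" signature, NumberOfSections, then the section table with VirtualAddress + ImageBase and PointerToRawData/SizeOfRawData), as an added example that is not part of the original article. The PE bytes are constructed in the block itself (headers only, not a runnable executable); the section table is located at the end of the optional header, i.e. at the file header plus SizeOfOptionalHeader, and an RVA-to-file-offset helper shows how AddressOfEntryPoint is found on disk.

```python
import struct

FILE_HDR = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECT_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/linenum fields, Characteristics

def build_sample_pe():
    """Constructed, minimal PE32 header image (not a real executable, headers only)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header at file offset 40h
    file_hdr = struct.pack(FILE_HDR, 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                 # Magic = 010Bh (PE32)
    struct.pack_into("<IIII", opt, 0x10, 0x1010, 0x1000, 0x2000, 0x400000)  # EntryPoint RVA, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    sects = b""
    for name, vsize, rva, rawsz, rawptr, flags in (
            (b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020),   # code: executable | readable
            (b".data", 0x400, 0x2000, 0x200, 0x600, 0xC0000040)):  # data: 0x200 on disk, 0x400 in memory
        sects += struct.pack(SECT_HDR, name, vsize, rva, rawsz, rawptr, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sects

def parse_pe(data):
    """Follow e_lfanew to the PE header, then walk the section table as the loader does."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, fh)
    opt = fh + 20                                             # IMAGE_FILE_HEADER is 20 bytes
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 0x10)
    sect_tab = opt + opt_size                                 # section table follows the optional header
    if sect_tab + 40 * nsect > len(data):                     # a hostile NumberOfSections would overrun the file
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsz, rawptr, _, _, _, _, flags = struct.unpack_from(SECT_HDR, data, sect_tab + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "va": image_base + rva,
                         "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsz, "flags": flags})
    return {"machine": machine, "magic": magic, "image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def rva_to_file_offset(pe, rva):
    """Translate an RVA (e.g. AddressOfEntryPoint) to a file offset via the section table."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["rva"])
    return None                                               # RVA lies in no section
```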

Overall structure of a PE file: DOS header -> PE file header -> section table -> sections -> debugging information
I have to admire the wonderful design.
