PE結構各欄位偏移參考

The Dos Header

OFFSET	SIZE	NAME	EXPLANATION
00	Word	e_magic	Magic DOS signature MZ (4Dh 5Ah)
02	WORD	e_cblp	Bytes on last page of file
04	WORD	e_cp	Pages in file
06	WORD	e_crlc	Relocations
08	WORD	e_cparhdr	Size of header in paragraphs
0A	WORD	e_minalloc	Minimum extra paragraphs needed
0C	WORD	e_maxalloc	Maximum extra paragraphs needed
0E	WORD	e_ss	Initial (relative) SS value
10	WORD	e_sp	Initial SP value
12	WORD	e_csum	Checksum
14	WORD	e_ip	Initial IP value
16	WORD	e_cs	Initial (relative) CS value
18	WORD	e_lfarlc	File address of relocation table
1A	WORD	e_ovno	Overlay number
1C	WORD	e_res[4]	Reserved words
24	WORD	e_oemid	OEM identifIEr (for e_oeminfo)
26	WORD	e_oeminfo	OEM information; e_oemid specific
28	WORD	e_res2[10]	Reserved words
3C	DWORD	e_lfanew	Offset to start of PE header

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

The PE Header

Offsets shown　are from the beginning of this section.

0		DWORD	Signature	PE Signature PE.. (50h 45h 00h 00h)
4		WORD	Machine	014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS
6		WORD	NumberOfSections	Number Of Sections
8		DWORD	TimeDateStamp	Date & time image was created by the linker
0C		DWORD	PointerToSymbolTable	Zero or offset of COFF symbol table in older files
10		DWORD	NumberOfSymbols	Number of symbols in COFF symbol table
14		WORD	SizeOfOptionalHeader	Size of optional header in bytes (224 in 32bit exe)
16		WORD	Characteristics	see below
18	**********		START OF OPTIONAL HEADER	**************************************
18	0	WORD	Magic	010Bh=32-bit executable image
				020Bh=64-bit executable image
				0107h=ROM image
1A	2	BYTE	MajorLinkerVersion	Major version number of the linker
1B	3	BYTE	MinorLinkerVersion	Minor version number of the linker
1C	4	DWORD	SizeOfCode	size of code section or sum if multiple code sections
20	8	DWORD	SizeOfInitializedData	as above
24	C	DWORD	SizeOfUninitializedData	as above
28	10	DWORD	AddressOfEntryPoint	Start of code execution, optional for DLLs, zero when none present
2C	14	DWORD	BaseOfCode	RVA of first byte of code when loaded into RAM
30	18	DWORD	BaseOfData	RVA of first byte of data when loaded into RAM
34	1C	DWORD	ImageBase	Preferred load address
38	20	DWORD	SectionAlignment	Alignment of sections when loaded in RAM
3C	24	DWORD	FileAlignment	Alignment of sections in file on disk
40	28	WORD	MajorOperatingSystemVersion	Major version no. of required operating system
42	2A	WORD	MinorOperatingSystemVersion	Minor version no. of required operating system
44	2C	WORD	MajorImageVersion	Major version number of the image
46	2E	WORD	MinorImageVersion	Minor version number of the image
48	30	WORD	MajorSubsystemVersion	Major version number of the subsystem
4A	32	WORD	MinorSubsystemVersion	Minor version number of the subsystem
4C	34	DWORD	-	Reserved1
50	38	DWORD	SizeOfImage	Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
54	3C	DWORD	SizeOfHeaders	Offset of first section, multiple of FileAlignment
58	40	DWORD	CheckSum	Image checksum (only required for kernel-mode drivers and some system DLLs).
5C	44	WORD	Subsystem	0002h=Windows GUI, 0003h=console
5E	46	WORD	DllCharacteristics	0001h=per-process library initialization
				0002h=per-process library termination
				0003h=per-thread library initialization
				0004h=per-thread library termination
60	48	DWORD	SizeOfStackReserve	Number of bytes reserved for the stack
64	4C	DWORD	SizeOfStackCommit	Number of bytes actually used for the stack
68	50	DWORD	SizeOfHeapReserve	Number of bytes to reserve for the local heap
6C	54	DWORD	SizeOfHeapCommit	Number of bytes actually used for local heap
70	58	DWORD	LoaderFlags	This member is obsolete.
74	5C	DWORD	NumberOfRvaAndSizes	Number of Directory entries.
78	**********		START OF DATADIRECTORY	**************************************
78	0	DWORD	IMAGE_DATA_DIRECTORY0	RVA of Export Directory
7C	4	DWORD	-	size of Export Directory
80	8	DWORD	IMAGE_DATA_DIRECTORY1	RVA of Import Directory (array of IIDs)
84	C	DWORD	-	size of Import Directory (array of IIDs)
88	10	DWORD	IMAGE_DATA_DIRECTORY2	RVA of Resource Directory
8C	14	DWORD	-	size of Resource Directory
90	18	DWORD	IMAGE_DATA_DIRECTORY3	RVA of Exception Directory
94	1C	DWORD	-	size of Exception Directory
98	20	DWORD	IMAGE_DATA_DIRECTORY4	Raw Offset of Security Directory
9C	24	DWORD	-	size of Security Directory
A0	28	DWORD	IMAGE_DATA_DIRECTORY5	RVA of Base Relocation Directory
A4	2C	DWORD	-	size of Base Relocation Directory
A8	30	DWORD	IMAGE_DATA_DIRECTORY6	RVA of Debug Directory
AC	34	DWORD	-	size of Debug Directory
B0	38	DWORD	IMAGE_DATA_DIRECTORY7	RVA of Copyright Note
B4	3C	DWORD	-	size of Copyright Note
B8	40	DWORD	IMAGE_DATA_DIRECTORY8	RVA to be used as Global Pointer (IA-64 only)
BC	44	DWORD	-	Not used
C0	48	DWORD	IMAGE_DATA_DIRECTORY9	RVA of Thread Local Storage Directory
C4	4C	DWORD	-	size of Thread Local Storage Directory
C8	50	DWORD	IMAGE_DATA_DIRECTORY10	RVA of Load Configuration Directory
CC	54	DWORD	-	size of Load Configuration Directory
D0	58	DWORD	IMAGE_DATA_DIRECTORY11	RVA of Bound Import Directory
D4	5C	DWORD	-	size of Bound Import Directory
D8	60	DWORD	IMAGE_DATA_DIRECTORY12	RVA of first Import Address Table
DC	64	DWORD	-	total size of all Import Address Tables
E0	68	DWORD	IMAGE_DATA_DIRECTORY13	RVA of Delay Import Directory
E4	6C	DWORD	-	size of Delay Import Directory
E8	70	DWORD	IMAGE_DATA_DIRECTORY14	RVA of COM Header (top level info & metadata...
EC	74	DWORD	-	size of COM Header　　　　 ...in .NET executables)
F0	78	DWORD	ZERO (Reserved)	Reserved
F4	7C	DWORD	ZERO (Reserved)	Reserved
F8	**********		START OF SECTION TABLE	*******Offsets shown from here********
0		8 Bytes	Name1	Name of first section header
8		DWORD	misc (VirtualSize)	Actual size of data in section
0C		DWORD	virtual address	RVA where section begins in memory
10		DWORD	SizeOfRawData	Size of data on disk (multiple of FileAlignment)
14		DWORD	pointerToRawData	Raw offset of section on disk
18		DWORD	pointerToRelocations	Start of relocation entries for section, zero if none
1C		DWORD	PointerToLinenumbers	Start of line-no. entries for section, zero if none
20		WORD	NumberOfRelocations	This value is zero for executable images.
22		WORD	NumberOfLineNumbers	Number of line-number entries for section.
24		DWORD	Characteristics	see end of page below
0		8 Bytes	Name1	Name of second section header
**********			Repeats for rest of sections	**************************************

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD                 Magic;
  BYTE                 MajorLinkerVersion;
  BYTE                 MinorLinkerVersion;
  DWORD                SizeOfCode;
  DWORD                SizeOfInitializedData;
  DWORD                SizeOfUninitializedData;
  DWORD                AddressOfEntryPoint;
  DWORD                BaseOfCode;
  DWORD                BaseOfData;
  DWORD                ImageBase;
  DWORD                SectionAlignment;
  DWORD                FileAlignment;
  WORD                 MajorOperatingSystemVersion;
  WORD                 MinorOperatingSystemVersion;
  WORD                 MajorImageVersion;
  WORD                 MinorImageVersion;
  WORD                 MajorSubsystemVersion;
  WORD                 MinorSubsystemVersion;
  DWORD                Win32VersionValue;
  DWORD                SizeOfImage;
  DWORD                SizeOfHeaders;
  DWORD                CheckSum;
  WORD                 Subsystem;
  WORD                 DllCharacteristics;
  DWORD                SizeOfStackReserve;
  DWORD                SizeOfStackCommit;
  DWORD                SizeOfHeapReserve;
  DWORD                SizeOfHeapCommit;
  DWORD                LoaderFlags;
  DWORD                NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY {
  DWORD VirtualAddress;
  DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

The Export Table

　　Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET	SIZE	NAME	EXPLANATION
0	DWORD	Characteristics	Set to zero (currently none defined)
4	DWORD	TimeDateStamp	often set to zero
8	WORD	MajorVersion	user-defined version number, otherwise zero
0A	WORD	MinorVersion	as above
0C	DWORD	Name	RVA of DLL name in null-terminated ASCII
10	DWORD	Base	First valid exported ordinal, normally=1
14	DWORD	NumberOfFunctions	Number of entries in EAT
18	DWORD	NumberOfNames	Number of entries in ENT
1C	DWORD	AddressOfFunctions	RVA of EAT (export address table)
20	DWORD	AddressOfNames	RVA of ENT (export name table)
24	DWORD	AddressOfNameOrdinals	RVA of EOT (export ordinal table)

typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;
    DWORD   Base;
    DWORD   NumberOfFunctions;
    DWORD   NumberOfNames;
    DWORD   AddressOfFunctions;     // RVA from base of image
    DWORD   AddressOfNames;         // RVA from base of image
    DWORD   AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

The Import Table

　　Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET	SIZE	NAME	EXPLANATION
0	DWORD	Characteristics\OriginalFirstThunk	RVA to Image_Thunk_Data
4	DWORD	TimeDateStamp	zero unless bound against imported DLL
8	DWORD	ForwarderChain	pointer to 1st redirected function (or 0)
0C	DWORD	Name1	RVA to name in null-terminated ASCII
10	DWORD	FirstThunk	RVA to Image_Thunk_Data

TLS目錄結構IMAGE_TLS_DIRECTORY32

OFFSET	SIZE	NAME	EXPLANATION
0	DWORD	StartAddressOfRawData	TLS模板的起始地址
4	DWORD	EndAddressOfRawData	TLS模板的結束地址
8	DWORD	AddressOfIndex	TLS索引的位置
0C	DWORD	AddressOfCallBacks	TLS回撥函式陣列指標
10	DWORD	SizeOfZeroFill	填充0的個數
14	DWORD	Characteristics	保留

節表項IMAGE_SECTION_HEADER

OFFSET	SIZE	NAME	EXPLANATION
0	8位元組	Name1	8個位元組節名
8	DWORD	PhysicalAddress/VirtualSize	節區的尺寸
0C	DWORD	VirtualAddress	節區的RVA地址
10	DWORD	SizeOfRawData	在檔案中對齊後的尺寸
14	DWORD	PointerToRawData	在檔案中的偏移
18	DWORD	PointerToRelocations	在OBJ檔案中使用
1C	DWORD	PointerToLinenumbers	行號表的位置(供除錯用)
20	DWORD	NumberOfRelocations	在OBJ檔案中使用
22	WORD	NumberOfLinenumbers	行號表中行號的數量
24	DWORD	Characteristics	節的屬性

typedef struct _SECTION_IMAGE_INFORMATION
{
     PVOID TransferAddress;
     ULONG ZeroBits;
     ULONG MaximumStackSize;
     ULONG CommittedStackSize;
     ULONG SubSystemType;
     union
     {
          struct
          {
               WORD SubSystemMinorVersion;
               WORD SubSystemMajorVersion;
          };
          ULONG SubSystemVersion;
     };
     ULONG GpValue;
     WORD ImageCharacteristics;
     WORD DllCharacteristics;
     WORD Machine;
     UCHAR ImageContainsCode;
     UCHAR ImageFlags;
     ULONG ComPlusNativeReady: 1;
     ULONG ComPlusILOnly: 1;
     ULONG ImageDynamicallyRelocated: 1;
     ULONG Reserved: 5;
     ULONG LoaderFlags;
     ULONG ImageFileSize;
     ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

Image Characteristics Flags

FLAG	EXPLANATION
1	Relocation info stripped from file
2	File is executable (no unresolved external references)
4	Line numbers stripped from file
8	Local symbols stripped from file
10	Lets OS aggressively trim working set
20	App can handle >2Gb addresses
80	Low bytes of machine word are reversed
100	requires 32-bit WORD machine
200	Debugging info stripped from file into .DBG file
400	If image is on removable media, copy and run from swap file
800	If image is on a network, copy and run from swap file
1000	System file
2000	File is a DLL
4000	File should only be run on a single-processor machine
8000	High bytes of machine word are reversed

Section Characteristics Flags

FLAG	EXPLANATION
8	Section should not be padded to next boundary
20	Section contains code
40	Section contains initialised data (which will become initialised with real values before the file is launched)
80	Section contains uninitialised data (which will be initialised as 00 byte values before launch)
200	Section contains comments for the linker
800	Section contents will not become part of image
1000	Section contents comdat (Common Block Data)
8000	Section contents cannot be accessed relative to GP
00100000 to 00800000	Boundary alignment settings
1000000	Section contains extended relocations
2000000	Section can be discarded (e.g. .reloc)
4000000	Section is not cacheable
8000000	Section is pageable
10000000	Section is shareable
20000000	Section is executable
40000000	Section is readable
80000000	Section is writable