PE Structure Field Offset Reference

Posted by whatday on 2013-04-24

The DOS Header

OFFSET SIZE  NAME        EXPLANATION
00     WORD  e_magic     Magic DOS signature MZ (4Dh 5Ah)
02     WORD  e_cblp      Bytes on last page of file
04     WORD  e_cp        Pages in file
06     WORD  e_crlc      Relocations
08     WORD  e_cparhdr   Size of header in paragraphs
0A     WORD  e_minalloc  Minimum extra paragraphs needed
0C     WORD  e_maxalloc  Maximum extra paragraphs needed
0E     WORD  e_ss        Initial (relative) SS value
10     WORD  e_sp        Initial SP value
12     WORD  e_csum      Checksum
14     WORD  e_ip        Initial IP value
16     WORD  e_cs        Initial (relative) CS value
18     WORD  e_lfarlc    File address of relocation table
1A     WORD  e_ovno      Overlay number
1C     WORD  e_res[4]    Reserved words
24     WORD  e_oemid     OEM identifier (for e_oeminfo)
26     WORD  e_oeminfo   OEM information; e_oemid specific
28     WORD  e_res2[10]  Reserved words
3C     DWORD e_lfanew    Offset to start of PE header

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

The PE Header

Offsets shown are from the beginning of this section.

0 DWORD Signature PE Signature PE.. (50h 45h 00h 00h)
4 WORD Machine 014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS
6 WORD NumberOfSections Number Of Sections
8 DWORD TimeDateStamp Date & time image was created by the linker
0C DWORD PointerToSymbolTable Zero or offset of COFF symbol table in older files
10 DWORD NumberOfSymbols Number of symbols in COFF symbol table
14 WORD SizeOfOptionalHeader Size of optional header in bytes (224 in 32-bit exe)
16 WORD Characteristics see below
18 ********** START OF OPTIONAL HEADER **************************************
18 0 WORD Magic 010Bh=32-bit executable image, 020Bh=64-bit executable image, 0107h=ROM image
1A 2 BYTE MajorLinkerVersion Major version number of the linker
1B 3 BYTE MinorLinkerVersion Minor version number of the linker
1C 4 DWORD SizeOfCode size of code section or sum if multiple code sections
20 8 DWORD SizeOfInitializedData as above
24 C DWORD SizeOfUninitializedData as above
28 10 DWORD AddressOfEntryPoint Start of code execution, optional for DLLs, zero when none present
2C 14 DWORD BaseOfCode RVA of first byte of code when loaded into RAM
30 18 DWORD BaseOfData RVA of first byte of data when loaded into RAM
34 1C DWORD ImageBase Preferred load address
38 20 DWORD SectionAlignment Alignment of sections when loaded in RAM
3C 24 DWORD FileAlignment Alignment of sections in file on disk
40 28 WORD MajorOperatingSystemVersion Major version no. of required operating system
42 2A WORD MinorOperatingSystemVersion Minor version no. of required operating system
44 2C WORD MajorImageVersion Major version number of the image
46 2E WORD MinorImageVersion Minor version number of the image
48 30 WORD MajorSubsystemVersion Major version number of the subsystem
4A 32 WORD MinorSubsystemVersion Minor version number of the subsystem
4C 34 DWORD - Reserved1
50 38 DWORD SizeOfImage Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
54 3C DWORD SizeOfHeaders Offset of first section, multiple of FileAlignment
58 40 DWORD CheckSum Image checksum (only required for kernel-mode drivers and some system DLLs).
5C 44 WORD Subsystem 0002h=Windows GUI, 0003h=console
5E 46 WORD DllCharacteristics 0001h=per-process library initialization, 0002h=per-process library termination, 0003h=per-thread library initialization, 0004h=per-thread library termination
60 48 DWORD SizeOfStackReserve Number of bytes reserved for the stack
64 4C DWORD SizeOfStackCommit Number of bytes actually used for the stack
68 50 DWORD SizeOfHeapReserve Number of bytes to reserve for the local heap
6C 54 DWORD SizeOfHeapCommit Number of bytes actually used for local heap
70 58 DWORD LoaderFlags This member is obsolete.
74 5C DWORD NumberOfRvaAndSizes Number of Directory entries.
78 ********** START OF DATADIRECTORY **************************************
78 0 DWORD IMAGE_DATA_DIRECTORY0 RVA of Export Directory
7C 4 DWORD - size of Export Directory
80 8 DWORD IMAGE_DATA_DIRECTORY1 RVA of Import Directory (array of IIDs)
84 C DWORD - size of Import Directory (array of IIDs)
88 10 DWORD IMAGE_DATA_DIRECTORY2 RVA of Resource Directory
8C 14 DWORD - size of Resource Directory
90 18 DWORD IMAGE_DATA_DIRECTORY3 RVA of Exception Directory
94 1C DWORD - size of Exception Directory
98 20 DWORD IMAGE_DATA_DIRECTORY4 Raw Offset of Security Directory
9C 24 DWORD - size of Security Directory
A0 28 DWORD IMAGE_DATA_DIRECTORY5 RVA of Base Relocation Directory
A4 2C DWORD - size of Base Relocation Directory
A8 30 DWORD IMAGE_DATA_DIRECTORY6 RVA of Debug Directory
AC 34 DWORD - size of Debug Directory
B0 38 DWORD IMAGE_DATA_DIRECTORY7 RVA of Copyright Note
B4 3C DWORD - size of Copyright Note
B8 40 DWORD IMAGE_DATA_DIRECTORY8 RVA to be used as Global Pointer (IA-64 only)
BC 44 DWORD - Not used
C0 48 DWORD IMAGE_DATA_DIRECTORY9 RVA of Thread Local Storage Directory
C4 4C DWORD - size of Thread Local Storage Directory
C8 50 DWORD IMAGE_DATA_DIRECTORY10 RVA of Load Configuration Directory
CC 54 DWORD - size of Load Configuration Directory
D0 58 DWORD IMAGE_DATA_DIRECTORY11 RVA of Bound Import Directory
D4 5C DWORD - size of Bound Import Directory
D8 60 DWORD IMAGE_DATA_DIRECTORY12 RVA of first Import Address Table
DC 64 DWORD - total size of all Import Address Tables
E0 68 DWORD IMAGE_DATA_DIRECTORY13 RVA of Delay Import Directory
E4 6C DWORD - size of Delay Import Directory
E8 70 DWORD IMAGE_DATA_DIRECTORY14 RVA of COM Header (top-level info & metadata in .NET executables)
EC 74 DWORD - size of COM Header
F0 78 DWORD ZERO (Reserved) Reserved
F4 7C DWORD ZERO (Reserved) Reserved
F8 ********** START OF SECTION TABLE *******Offsets shown from here********
0 8 Bytes Name1 Name of first section header
8 DWORD misc (VirtualSize) Actual size of data in section
0C DWORD virtual address RVA where section begins in memory
10 DWORD SizeOfRawData Size of data on disk (multiple of FileAlignment)
14 DWORD pointerToRawData Raw offset of section on disk
18 DWORD pointerToRelocations Start of relocation entries for section, zero if none
1C DWORD PointerToLinenumbers Start of line-no. entries for section, zero if none
20 WORD NumberOfRelocations This value is zero for executable images.
22 WORD NumberOfLineNumbers Number of line-number entries for section.
24 DWORD Characteristics see end of page below
0 8 Bytes Name1 Name of second section header
********** Repeats for rest of sections **************************************

typedef struct _IMAGE_DATA_DIRECTORY {
  DWORD VirtualAddress;
  DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD                 Magic;
  BYTE                 MajorLinkerVersion;
  BYTE                 MinorLinkerVersion;
  DWORD                SizeOfCode;
  DWORD                SizeOfInitializedData;
  DWORD                SizeOfUninitializedData;
  DWORD                AddressOfEntryPoint;
  DWORD                BaseOfCode;
  DWORD                BaseOfData;
  DWORD                ImageBase;
  DWORD                SectionAlignment;
  DWORD                FileAlignment;
  WORD                 MajorOperatingSystemVersion;
  WORD                 MinorOperatingSystemVersion;
  WORD                 MajorImageVersion;
  WORD                 MinorImageVersion;
  WORD                 MajorSubsystemVersion;
  WORD                 MinorSubsystemVersion;
  DWORD                Win32VersionValue;
  DWORD                SizeOfImage;
  DWORD                SizeOfHeaders;
  DWORD                CheckSum;
  WORD                 Subsystem;
  WORD                 DllCharacteristics;
  DWORD                SizeOfStackReserve;
  DWORD                SizeOfStackCommit;
  DWORD                SizeOfHeapReserve;
  DWORD                SizeOfHeapCommit;
  DWORD                LoaderFlags;
  DWORD                NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
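As an added example (not code from the original post), the Python script below builds a small constructed PE32 image in memory and then walks it along exactly the offsets given in the tables above: e_lfanew at 3C, the PE signature, Machine and NumberOfSections, the optional header Magic, the data directory at optional-header offset 60, and the section table, which it locates through SizeOfOptionalHeader rather than by assuming 224. It also maps an RVA to a file offset through the section table and lists sections that are both writable and executable. The PE32+ branch (8-byte ImageBase at optional-header offset 18, data directory at 70) goes beyond the 32-bit table on the page; the sample bytes, section names and sizes are constructed for the demonstration.

```python
import struct

# Signatures and flags from the tables above (values as defined in winnt.h)
IMAGE_DOS_SIGNATURE = 0x5A4D             # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550          # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<IHHIIIHH"        # Signature + IMAGE_FILE_HEADER: 24 bytes, the optional header follows
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes

def build_sample_pe():
    """Constructed PE32 sample (not a real binary): 0x200 bytes of headers, two 0x200-byte sections."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0x00, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_FMT, IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 0,  # Magic, linker version 14.0
                      0x200, 0x200, 0,                       # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1010, 0x1000, 0x2000, 0x400000,      # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
                      0x1000, 0x200,                         # SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,                      # OS, image and subsystem version pairs
                      0, 0x3000, 0x200, 0,                   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                  # Subsystem = Windows GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,    # stack reserve/commit, heap reserve/commit
                      0, 16)                                 # LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, 0x2000, 0x28)    # data directory 1: import directory RVA and size
    secs = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    image = dos + coff + opt + dirs + secs
    return bytes(image) + bytes(0x600 - len(image))

def parse_pe(data):
    """Walk DOS header -> PE header -> optional header -> section table, checking bounds on the way."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    sig, machine, nsec, _, _, _, size_opt, chars = struct.unpack_from(COFF_FMT, data, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header = PE header + 0x18
    sec_off = opt + size_opt                # section table follows; use SizeOfOptionalHeader, not a fixed 224
    if sec_off + 40 * nsec > len(data):
        raise ValueError("headers or section table run past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:        # PE32 layout exactly as in the table above
        image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
        ndirs_off, dirs_off = opt + 0x5C, opt + 0x60
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:      # PE32+: 8-byte ImageBase, no BaseOfData, dirs at 0x70
        image_base = struct.unpack_from("<Q", data, opt + 0x18)[0]
        ndirs_off, dirs_off = opt + 0x6C, opt + 0x70
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]
    size_headers = struct.unpack_from("<I", data, opt + 0x3C)[0]
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)   # clamp: never trust the count blindly
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "virtual_size": f[1],
                         "virtual_address": f[2], "size_of_raw_data": f[3], "pointer_to_raw_data": f[4],
                         "characteristics": f[9]})
    return {"machine": machine, "characteristics": chars, "magic": magic, "image_base": image_base,
            "entry_point": entry, "size_of_headers": size_headers, "data_directory": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table; None if nothing on disk backs it."""
    if rva < pe["size_of_headers"]:
        return rva                          # headers are mapped 1:1 at the image base
    for s in pe["sections"]:
        delta = rva - s["virtual_address"]
        if 0 <= delta < max(s["virtual_size"], s["size_of_raw_data"]):
            return s["pointer_to_raw_data"] + delta if delta < s["size_of_raw_data"] else None
    return None

def writable_executable_sections(pe):
    """Names of sections mapped both writable and executable, a common triage signal."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in pe["sections"] if (s["characteristics"] & wx) == wx]

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("machine=0x%X sections=%s entry=0x%X (file offset 0x%X)" % (
        pe["machine"], [s["name"] for s in pe["sections"]], pe["entry_point"], rva_to_offset(pe, pe["entry_point"])))
    print("import directory (RVA, size):", pe["data_directory"][1], "W+X:", writable_executable_sections(pe))
```

The bounds checks are the part worth copying: e_lfanew, SizeOfOptionalHeader and NumberOfSections all come from the file, so a parser that trusts them reads outside its buffer on a malformed input. Clamping NumberOfRvaAndSizes to 16 mirrors what the table's fixed DataDirectory[16] allows.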


The Export Table

Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 bytes repeat for each export library (DLL whose functions are imported by the executable) and end with one full of zeroes.

OFFSET SIZE NAME EXPLANATION 
0 DWORD Characteristics Set to zero (currently none defined)
4 DWORD TimeDateStamp often set to zero 
8 WORD MajorVersion user-defined version number, otherwise zero
0A WORD MinorVersion as above
0C DWORD Name RVA of DLL name in null-terminated ASCII
10 DWORD Base First valid exported ordinal, normally=1 
14 DWORD NumberOfFunctions Number of entries in EAT
18 DWORD NumberOfNames Number of entries in ENT
1C DWORD AddressOfFunctions RVA of EAT (export address table)
20 DWORD AddressOfNames RVA of ENT (export name table)
24 DWORD AddressOfNameOrdinals RVA of EOT (export ordinal table) 

typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;
    DWORD   Base;
    DWORD   NumberOfFunctions;
    DWORD   NumberOfNames;
    DWORD   AddressOfFunctions;     // RVA from base of image
    DWORD   AddressOfNames;         // RVA from base of image
    DWORD   AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
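As an added example (not the post's code), this Python script resolves an export directory the way a loader does. It works on a constructed in-memory image in which RVAs equal buffer offsets (for a file on disk, translate each RVA through the section table first). It reads the single IMAGE_EXPORT_DIRECTORY that data directory 0 points at, joins the ENT and EOT to name EAT slots, keeps ordinal-only exports, and recognises forwarders: an EAT entry whose RVA falls inside the export directory's own range is a "DLL.Name" string rather than code. The DLL name "sample.dll", the function names "Alpha" and "Gamma" and the forwarder target "OTHER.Beta" are constructed.

```python
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes, field order as in the table above

def read_cstring(image, rva, limit=256):
    """NUL-terminated ASCII string at an RVA of a mapped image; refuses unterminated or out-of-range reads."""
    end = image.find(b"\0", rva, rva + limit) if rva < len(image) else -1
    if end < 0:
        raise ValueError("bad string at RVA 0x%X" % rva)
    return image[rva:end].decode("ascii", "replace")

def build_sample_image():
    """Constructed 0x400-byte mapped image (not a real DLL) with its export directory at RVA 0x100."""
    img = bytearray(0x400)
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into(EXPORT_DIR_FMT, img, 0x100, 0, 0, 0, 0, 0x200, 1, 3, 2, 0x140, 0x160, 0x180)
    struct.pack_into("<3I", img, 0x140, 0x1000, 0x1020, 0x300)   # EAT: ordinals 1, 2, 3 (3 forwards elsewhere)
    struct.pack_into("<2I", img, 0x160, 0x220, 0x230)           # ENT: name RVAs, sorted for binary search
    struct.pack_into("<2H", img, 0x180, 0, 2)                   # EOT: EAT index for each name
    for rva, s in ((0x200, b"sample.dll"), (0x220, b"Alpha"), (0x230, b"Gamma"), (0x300, b"OTHER.Beta")):
        img[rva:rva + len(s) + 1] = s + b"\0"
    return bytes(img)

def parse_exports(image, export_rva, export_size):
    """Resolve the export directory at export_rva (data directory 0) into (dll_name, entries)."""
    if export_rva + struct.calcsize(EXPORT_DIR_FMT) > len(image):
        raise ValueError("export directory outside image")
    (_, _, _, _, name_rva, base, nfuncs, nnames,
     addr_funcs, addr_names, addr_ords) = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)
    if addr_funcs + 4 * nfuncs > len(image) or addr_names + 4 * nnames > len(image) \
            or addr_ords + 2 * nnames > len(image):
        raise ValueError("export tables outside image")
    funcs = struct.unpack_from("<%dI" % nfuncs, image, addr_funcs)
    names = struct.unpack_from("<%dI" % nnames, image, addr_names)
    ords = struct.unpack_from("<%dH" % nnames, image, addr_ords)
    name_of_index = {}                     # EOT values are zero-based EAT indexes; ordinal = Base + index
    for n_rva, idx in zip(names, ords):
        if idx >= nfuncs:
            raise ValueError("name ordinal %d beyond EAT" % idx)
        name_of_index[idx] = read_cstring(image, n_rva)
    entries = []
    for idx, f_rva in enumerate(funcs):
        if f_rva == 0:
            continue                       # gap in the ordinal range, nothing exported here
        entry = {"ordinal": base + idx, "name": name_of_index.get(idx), "rva": f_rva, "forwarder": None}
        if export_rva <= f_rva < export_rva + export_size:
            entry["forwarder"] = read_cstring(image, f_rva)   # inside the export data: "DLL.Name" string
        entries.append(entry)
    return read_cstring(image, name_rva), entries

def find_export(entries, name):
    """Look up an export by name; returns the entry dict or None."""
    return next((e for e in entries if e["name"] == name), None)

if __name__ == "__main__":
    dll, exports = parse_exports(build_sample_image(), 0x100, 0x300)
    print(dll)
    for e in exports:
        print("  #%d %-6s rva=0x%X forwarder=%s" % (e["ordinal"], e["name"] or "(none)", e["rva"], e["forwarder"]))
```

Two details matter for correctness when walking real files: NumberOfNames can be smaller than NumberOfFunctions (ordinal-only exports), and the forwarder test must use the directory's Size from the data directory, not the 40-byte header alone.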


The Import Table

Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDs repeat for each import library (DLL whose functions are imported by the executable) and end with one full of zeroes.

OFFSET  SIZE  NAME EXPLANATION
0 DWORD  Characteristics\OriginalFirstThunk  RVA to Image_Thunk_Data 
4 DWORD  TimeDateStamp zero unless bound against imported DLL 
8 DWORD  ForwarderChain pointer to 1st redirected function (or 0) 
0C  DWORD  Name1 RVA to name in null-terminated ASCII
10 DWORD  FirstThunk RVA to Image_Thunk_Data
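As an added example (not the post's code), the Python script below walks the IMAGE_IMPORT_DESCRIPTOR array described above on a constructed in-memory image (RVA equals buffer offset). It follows OriginalFirstThunk to the Image_Thunk_Data array, distinguishes imports by ordinal (high bit of the thunk set, ordinal in the low 16 bits) from imports by name (thunk is the RVA of a WORD hint followed by the NUL-terminated name), and reports whether TimeDateStamp marks the descriptor as bound. The PE32+ thunk width is a parameter, which goes beyond the 32-bit layout on the page. The DLL name "KERNEL32.dll", the import "CreateFileW" with hint 0x42 and the ordinal 17 are constructed sample values.

```python
import struct

IMPORT_DESC_FMT = "<IIIII"   # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

def read_cstring(image, rva, limit=256):
    """NUL-terminated ASCII string at an RVA of a mapped image; refuses unterminated or out-of-range reads."""
    end = image.find(b"\0", rva, rva + limit) if rva < len(image) else -1
    if end < 0:
        raise ValueError("bad string at RVA 0x%X" % rva)
    return image[rva:end].decode("ascii", "replace")

def build_sample_image():
    """Constructed 0x400-byte mapped PE32 image (not a real binary) with its import table at RVA 0x100."""
    img = bytearray(0x400)
    struct.pack_into(IMPORT_DESC_FMT, img, 0x100, 0x200, 0, 0, 0x300, 0x240)   # the next 20 zero bytes terminate
    thunks = (0x310, 0x80000000 | 17, 0)            # by name (hint/name at 0x310), by ordinal 17, terminator
    struct.pack_into("<3I", img, 0x200, *thunks)    # ILT (OriginalFirstThunk): left alone by the loader
    struct.pack_into("<3I", img, 0x240, *thunks)    # IAT (FirstThunk): overwritten with addresses at load time
    img[0x300:0x30D] = b"KERNEL32.dll\0"
    struct.pack_into("<H", img, 0x310, 0x42)        # IMAGE_IMPORT_BY_NAME.Hint, then the name
    img[0x312:0x31E] = b"CreateFileW\0"
    return bytes(img)

def parse_imports(image, import_rva, is_64=False):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array at import_rva (data directory 1) of a mapped image."""
    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if is_64 else ("<I", 1 << 31)
    thunk_size, desc_size = struct.calcsize(thunk_fmt), struct.calcsize(IMPORT_DESC_FMT)
    result = []
    for n in range(1024):                           # hard cap instead of trusting the file to terminate
        off = import_rva + n * desc_size
        if off + desc_size > len(image):
            raise ValueError("import descriptor array runs off the image")
        oft, stamp, _, name_rva, ft = struct.unpack_from(IMPORT_DESC_FMT, image, off)
        if name_rva == 0 and ft == 0:
            break                                   # all-zero descriptor ends the array
        thunk_rva, funcs = oft or ft, []            # prefer the ILT; some old linkers leave it 0
        while True:
            if thunk_rva + thunk_size > len(image):
                raise ValueError("thunk array runs off the image")
            thunk = struct.unpack_from(thunk_fmt, image, thunk_rva)[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:                # import by ordinal: low 16 bits
                funcs.append({"name": None, "hint": None, "ordinal": thunk & 0xFFFF})
            else:                                   # import by name: RVA of IMAGE_IMPORT_BY_NAME
                if thunk + 2 > len(image):
                    raise ValueError("IMAGE_IMPORT_BY_NAME outside image")
                hint = struct.unpack_from("<H", image, thunk)[0]
                funcs.append({"name": read_cstring(image, thunk + 2), "hint": hint, "ordinal": None})
            thunk_rva += thunk_size
        result.append({"dll": read_cstring(image, name_rva), "bound": stamp != 0, "functions": funcs})
    else:
        raise ValueError("no terminating import descriptor within 1024 entries")
    return result

if __name__ == "__main__":
    for d in parse_imports(build_sample_image(), 0x100):
        print(d["dll"], "bound" if d["bound"] else "not bound")
        for f in d["functions"]:
            print("   ", f["name"] or "#%d" % f["ordinal"])
```

Reading the ILT rather than the IAT is deliberate: on a memory dump of a running process the IAT already holds resolved addresses, so only the ILT still names the functions.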


TLS Directory Structure IMAGE_TLS_DIRECTORY32

OFFSET SIZE NAME EXPLANATION 
0 DWORD StartAddressOfRawData Start address of the TLS template
4 DWORD EndAddressOfRawData End address of the TLS template
8 DWORD AddressOfIndex Location of the TLS index
0C DWORD AddressOfCallBacks Pointer to the array of TLS callback functions
10 DWORD SizeOfZeroFill Number of zero-fill bytes
14 DWORD Characteristics Reserved


Section Table Entry IMAGE_SECTION_HEADER

OFFSET SIZE NAME EXPLANATION 
0 8 bytes Name1 8-byte section name
8 DWORD PhysicalAddress/VirtualSize Size of the section
0C DWORD VirtualAddress RVA of the section
10 DWORD SizeOfRawData Size in the file after alignment
14 DWORD PointerToRawData Offset in the file
18 DWORD PointerToRelocations Used in OBJ files
1C DWORD PointerToLinenumbers Location of the line-number table (for debugging)
20 WORD NumberOfRelocations Used in OBJ files
22 WORD NumberOfLinenumbers Number of entries in the line-number table
24 DWORD Characteristics Section attributes

typedef struct _SECTION_IMAGE_INFORMATION
{
     PVOID TransferAddress;
     ULONG ZeroBits;
     ULONG MaximumStackSize;
     ULONG CommittedStackSize;
     ULONG SubSystemType;
     union
     {
          struct
          {
               WORD SubSystemMinorVersion;
               WORD SubSystemMajorVersion;
          };
          ULONG SubSystemVersion;
     };
     ULONG GpValue;
     WORD ImageCharacteristics;
     WORD DllCharacteristics;
     WORD Machine;
     UCHAR ImageContainsCode;
     UCHAR ImageFlags;
     ULONG ComPlusNativeReady: 1;
     ULONG ComPlusILOnly: 1;
     ULONG ImageDynamicallyRelocated: 1;
     ULONG Reserved: 5;
     ULONG LoaderFlags;
     ULONG ImageFileSize;
     ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;


Image Characteristics Flags

FLAG   EXPLANATION                                                 
1 Relocation info stripped from file                          
2 File is executable (no unresolved external references)      
4 Line numbers stripped from file                             
8 Local symbols stripped from file                            
10 Lets OS aggressively trim working set                       
20 App can handle >2Gb addresses                               
80 Low bytes of machine word are reversed                      
100 requires 32-bit WORD machine                                
200 Debugging info stripped from file into .DBG file            
400 If image is on removable media, copy and run from swap file 
800 If image is on a network, copy and run from swap file       
1000 System file                                                 
2000 File is a DLL                                               
4000 File should only be run on a single-processor machine       
8000 High bytes of machine word are reversed                     


Section Characteristics Flags

FLAG EXPLANATION                                                                                                   
8 Section should not be padded to next boundary                                                                 
20 Section contains code                                                                                         
40 Section contains initialised data (which will become initialised with real values before the file is launched)
80 Section contains uninitialised data (which will be initialised as 00 byte values before launch)               
200 Section contains comments for the linker                                                                      
800 Section contents will not become part of image                                                                
1000 Section contents comdat (Common Block Data)                                                                   
8000 Section contents cannot be accessed relative to GP                                                            
00100000 to 00800000     Boundary alignment settings                                                                                   
1000000 Section contains extended relocations                                                                         
2000000 Section can be discarded (e.g. .reloc)                                                                        
4000000 Section is not cacheable                                                                                      
8000000 Section is pageable                                                                                           
10000000 Section is shareable                                                                                          
20000000 Section is executable                                                                                         
40000000 Section is readable                                                                                           
80000000 Section is writable                                                                                           
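As an added example (not the post's code), the Python script below decodes the two flag words from the tables above into the winnt.h names for those bits and applies a few triage checks a reviewer would run over a section table. The one point the flag table cannot express is that the boundary-alignment bits form a 4-bit field, not independent flags: a field value n means an alignment of 1 << (n - 1) bytes, so 00100000 is 1 byte and 00500000 is 16 bytes. All input values are constructed.

```python
# Flag names as defined in winnt.h; the values match the two tables above
IMAGE_FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
IMAGE_SCN_FLAGS = {
    0x00000008: "TYPE_NO_PAD", 0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x00000200: "LNK_INFO", 0x00000800: "LNK_REMOVE",
    0x00001000: "LNK_COMDAT", 0x00008000: "GPREL", 0x01000000: "LNK_NRELOC_OVFL",
    0x02000000: "MEM_DISCARDABLE", 0x04000000: "MEM_NOT_CACHED", 0x08000000: "MEM_NOT_PAGED",
    0x10000000: "MEM_SHARED", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
IMAGE_SCN_ALIGN_MASK = 0x00F00000   # the alignment bits are a 4-bit field, not individual flags
CNT_CODE, CNT_UNINITIALIZED_DATA, MEM_EXECUTE, MEM_WRITE = 0x20, 0x80, 0x20000000, 0x80000000

def decode_image_characteristics(value):
    """Names of the set IMAGE_FILE_* bits, in ascending bit order, plus any bits the table does not define."""
    names = [n for bit, n in sorted(IMAGE_FILE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(IMAGE_FILE_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%04X" % unknown)
    return names

def decode_section_characteristics(value):
    """Return (IMAGE_SCN_* names, alignment in bytes or None); alignment field n encodes 1 << (n - 1)."""
    names = [n for bit, n in sorted(IMAGE_SCN_FLAGS.items()) if value & bit]
    field = (value & IMAGE_SCN_ALIGN_MASK) >> 20
    alignment = 1 << (field - 1) if 1 <= field <= 14 else None
    unknown = value & ~(sum(IMAGE_SCN_FLAGS) | IMAGE_SCN_ALIGN_MASK)
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names, alignment

def section_warnings(name, value):
    """Triage notes on one section's flags: combinations ordinary compiler and linker output rarely needs."""
    warnings = []
    if value & MEM_WRITE and value & MEM_EXECUTE:
        warnings.append("%s is writable and executable" % name)
    if value & MEM_EXECUTE and not value & CNT_CODE:
        warnings.append("%s is executable but not marked as containing code" % name)
    if value & MEM_EXECUTE and value & CNT_UNINITIALIZED_DATA:
        warnings.append("%s is executable but has no contents on disk" % name)
    return warnings

if __name__ == "__main__":
    print(decode_image_characteristics(0x0102))
    for name, chars in ((".text", 0x60000020), (".data", 0xC0000040), (".stub", 0xE0000040)):
        flags, align = decode_section_characteristics(chars)
        print(name, flags, "align=%s" % align, section_warnings(name, chars))
```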

