The Dos Header
/*
 * IMAGE_DOS_HEADER: the MS-DOS header found at file offset 0 of a PE image.
 * The PE loader only consumes e_magic ('MZ', IMAGE_DOS_SIGNATURE) and
 * e_lfanew; every other field describes the DOS stub program.
 */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic;     // Magic number: 'MZ' (IMAGE_DOS_SIGNATURE)
    WORD e_cblp;      // Bytes on last page of file
    WORD e_cp;        // Pages in file
    WORD e_crlc;      // Relocations
    WORD e_cparhdr;   // Size of header in paragraphs
    WORD e_minalloc;  // Minimum extra paragraphs needed
    WORD e_maxalloc;  // Maximum extra paragraphs needed
    WORD e_ss;        // Initial (relative) SS value
    WORD e_sp;        // Initial SP value
    WORD e_csum;      // Checksum
    WORD e_ip;        // Initial IP value
    WORD e_cs;        // Initial (relative) CS value
    WORD e_lfarlc;    // File address of relocation table
    WORD e_ovno;      // Overlay number
    WORD e_res[4];    // Reserved words
    WORD e_oemid;     // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;   // OEM information; e_oemid specific
    WORD e_res2[10];  // Reserved words
    LONG e_lfanew;    // File offset of the PE header ("PE\0\0" signature).
                      // NOTE(review): this is a signed LONG read straight from the
                      // file; a parser handling untrusted input must reject negative
                      // values and verify that e_lfanew plus the PE header size fits
                      // inside the file before dereferencing it.
} IMAGE_DOS_HEADER,*PIMAGE_DOS_HEADER;
The PE Header
Offsets shown are from the beginning of this section.
0 | DWORD | Signature | PE Signature PE.. (50h 45h 00h 00h) | |
4 | WORD | Machine | 014Ch = Intel 386,014Dh = Intel 486,014Eh = Intel 586,0200h = Intel 64-bit,0162h=MIPS | |
6 | WORD | NumberOfSections | Number Of Sections | |
8 | DWORD | TimeDateStamp | Date & time image was created by the linker | |
0C | DWORD | PointerToSymbolTable | Zero or offset of COFF symbol table in older files | |
10 | DWORD | NumberOfSymbols | Number of symbols in COFF symbol table | |
14 | WORD | SizeOfOptionalHeader | Size of optional header in bytes (224 in 32bit exe) | |
16 | WORD | characteristics | see below | |
18 | ********** | START OF OPTIONAL HEADER | ************************************** | |
18 | 0 | WORD | Magic | 010Bh=32-bit executable image |
020Bh=64-bit executable image | ||||
0107h=ROM image | ||||
1A | 2 | BYTE | MajorLinkerVersion | Major version number of the linker |
1B | 3 | BYTE | MinorLinkerVersion | Minor version number of the linker |
1C | 4 | DWORD | SizeOfCode | size of code section or sum if multiple code sections |
20 | 8 | DWORD | SizeOfInitializedData | as above |
24 | C | DWORD | SizeOfUninitializedData | as above |
28 | 10 | DWORD | AddressOfEntryPoint | Start of code execution, optional for DLLs, zero when none present
2C | 14 | DWORD | BaSEOfCode | RVA of first byte of code when loaded into RAM |
30 | 18 | DWORD | BaSEOfData | RVA of first byte of data when loaded into RAM |
34 | 1C | DWORD | ImageBase | Preferred load address |
38 | 20 | DWORD | SectionAlignment | Alignment of sections when loaded in RAM |
3C | 24 | DWORD | FileAlignment | Alignment of sections in file on disk |
40 | 28 | WORD | MajorOperatingSystemVersion | Major version no. of required operating system |
42 | 2A | WORD | MinorOperatingSystemVersion | Minor version no. of required operating system |
44 | 2C | WORD | MajorImageVersion | Major version number of the image |
46 | 2E | WORD | MinorImageVersion | Minor version number of the image |
48 | 30 | WORD | MajorSubsystemVersion | Major version number of the subsystem |
4A | 32 | WORD | MinorSubsystemVersion | Minor version number of the subsystem |
4C | 34 | DWORD | - | Reserved1 |
50 | 38 | DWORD | SizeOfImage | Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment |
54 | 3C | DWORD | SizeOfheaders | Offset of first section,multiple of FileAlignment |
58 | 40 | DWORD | CheckSum | Image checksum (only required for kernel-mode drivers and some system DLLs). |
5C | 44 | WORD | Subsystem | 0002h=Windows GUI,0003h=console |
5E | 46 | WORD | Dllcharacteristics | 0001h=per-process library initialization |
0002h=per-process library termination | ||||
0003h=per-thread library initialization | ||||
0004h=per-thread library termination | ||||
60 | 48 | DWORD | SizeOfStackReserve | Number of bytes reserved for the stack |
64 | 4C | DWORD | SizeOfStackCommit | Number of bytes actually used for the stack |
68 | 50 | DWORD | SizeOfheapReserve | Number of bytes to reserve for the local heap |
6C | 54 | DWORD | SizeOfheapCommit | Number of bytes actually used for local heap |
70 | 58 | DWORD | LoaderFlags | This member is obsolete. |
74 | 5C | DWORD | NumberOfRvaAndSizes | Number of Directory entries. |
78 | ********** | START OF DATADIRECTORY | ************************************** | |
78 | 0 | DWORD | IMAGE_data_dirECTORY0 | RVA of Export Directory |
7C | 4 | DWORD | - | size of Export Directory |
80 | 8 | DWORD | IMAGE_data_dirECTORY1 | RVA of Import Directory (array of IIDs) |
84 | C | DWORD | - | size of Import Directory (array of IIDs) |
88 | 10 | DWORD | IMAGE_data_dirECTORY2 | RVA of Resource Directory |
8C | 14 | DWORD | - | size of Resource Directory |
90 | 18 | DWORD | IMAGE_data_dirECTORY3 | RVA of Exception Directory |
94 | 1C | DWORD | - | size of Exception Directory |
98 | 20 | DWORD | IMAGE_data_dirECTORY4 | Raw Offset of Security Directory |
9C | 24 | DWORD | - | size of Security Directory |
A0 | 28 | DWORD | IMAGE_data_dirECTORY5 | RVA of Base Relocation Directory |
A4 | 2C | DWORD | - | size of Base Relocation Directory |
A8 | 30 | DWORD | IMAGE_data_dirECTORY6 | RVA of Debug Directory |
AC | 34 | DWORD | - | size of Debug Directory |
B0 | 38 | DWORD | IMAGE_data_dirECTORY7 | RVA of copyright Note |
B4 | 3C | DWORD | - | size of copyright Note |
B8 | 40 | DWORD | IMAGE_data_dirECTORY8 | RVA to be used as Global Pointer (IA-64 only) |
BC | 44 | DWORD | - | Not used |
C0 | 48 | DWORD | IMAGE_data_dirECTORY9 | RVA of Thread Local Storage Directory |
C4 | 4C | DWORD | - | size of Thread Local Storage Directory |
C8 | 50 | DWORD | IMAGE_data_dirECTORY10 | RVA of Load Configuration Directory |
CC | 54 | DWORD | - | size of Load Configuration Directory |
D0 | 58 | DWORD | IMAGE_data_dirECTORY11 | RVA of Bound Import Directory |
D4 | 5C | DWORD | - | size of Bound Import Directory |
D8 | 60 | DWORD | IMAGE_data_dirECTORY12 | RVA of first Import Address Table |
DC | 64 | DWORD | - | total size of all Import Address Tables |
E0 | 68 | DWORD | IMAGE_data_dirECTORY13 | RVA of Delay Import Directory |
E4 | 6C | DWORD | - | size of Delay Import Directory |
E8 | 70 | DWORD | IMAGE_data_dirECTORY14 | RVA of COM Header (top level info & Metadata... |
EC | 74 | DWORD | - | size of COM Header ...in .NET executables) |
F0 | 78 | DWORD | ZERO (Reserved) | Reserved |
F4 | 7C | DWORD | ZERO (Reserved) | Reserved |
F8 | ********** | START OF SECTION TABLE | *******Offsets shown from here******** | |
0 | 8 Bytes | Name1 | Name of first section header | |
8 | DWORD | misc (VirtualSize) | Actual size of data in section | |
0C | DWORD | virtual address | RVA where section begins in memory | |
10 | DWORD | SizeOfRawData | Size of data on disk (multiple of FileAlignment) | |
14 | DWORD | pointerToRawData | Raw offset of section on disk | |
18 | DWORD | pointerToRelocations | Start of relocation entries for section,zero if none | |
1C | DWORD | PointerToLinenumbers | Start of line-no. entries for section,zero if none | |
20 | WORD | NumberOfRelocations | This value is zero for executable images. | |
22 | WORD | NumberOfLineNumbers | Number of line-number entries for section. | |
24 | DWORD | characteristics | see end of page below | |
0 | 8 Bytes | Name1 | Name of second section header | |
********** | Repeats for rest of sections | ************************************** |
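/*
 * IMAGE_data_dirECTORY: one entry of IMAGE_OPTIONAL_HEADER.DataDirectory
 * (canonical Win32 spelling: IMAGE_DATA_DIRECTORY). It is declared before
 * IMAGE_OPTIONAL_HEADER because that struct embeds an array of it; the
 * original order (use before declaration) does not compile as one file.
 */
typedef struct _IMAGE_data_dirECTORY {
    DWORD VirtualAddress; // RVA of the directory; entry 4 (Security Directory)
                          // holds a raw file offset instead (see the table above)
    DWORD Size;           // Size of the directory in bytes
} IMAGE_data_dirECTORY,*PIMAGE_data_dirECTORY;

/*
 * IMAGE_OPTIONAL_HEADER: the PE32 optional header (Magic == 010Bh) that
 * immediately follows the COFF file header. Field offsets match the
 * "START OF OPTIONAL HEADER" table above.
 *
 * NOTE(review): this layout is only valid when Magic == 010Bh. A 020Bh
 * (PE32+) image widens ImageBase and the stack/heap sizes to 64 bits and
 * has no BaSEOfData (IMAGE_OPTIONAL_HEADER64), so check Magic before
 * interpreting the bytes that follow it.
 * NOTE(review): SizeOfOptionalHeader in the file header is the number of
 * bytes actually present; an untrusted image may supply fewer than
 * sizeof(IMAGE_OPTIONAL_HEADER), so bound reads by that value.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD Magic;                        // 010Bh = PE32, 020Bh = PE32+, 0107h = ROM image
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;                  // Size of the code section(s), summed if several
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;         // RVA where execution starts; may be zero for DLLs
    DWORD BaSEOfCode;                  // RVA of the first code byte
    DWORD BaSEOfData;                  // RVA of the first data byte (not present in PE32+)
    DWORD ImageBase;                   // Preferred load address
    DWORD SectionAlignment;            // Section alignment in memory
    DWORD FileAlignment;               // Section alignment on disk
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;           // Reserved (listed as "Reserved1" in the table above)
    DWORD SizeOfImage;                 // Memory the loader allocates; multiple of SectionAlignment
    DWORD SizeOfheaders;               // Offset of the first section; multiple of FileAlignment
    DWORD CheckSum;                    // Image checksum (required only for kernel-mode drivers
                                       // and some system DLLs)
    WORD Subsystem;                    // 0002h = Windows GUI, 0003h = console
    WORD Dllcharacteristics;           // Flag bits; the mitigation-relevant ones are
                                       // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR),
                                       // NX_COMPAT (DEP), HIGH_ENTROPY_VA and GUARD_CF
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfheapReserve;
    DWORD SizeOfheapCommit;
    DWORD LoaderFlags;                 // Obsolete
    DWORD NumberOfRvaAndSizes;         // Directory entries actually present in the file.
                                       // NOTE(review): the array below is fixed at 16;
                                       // walk min(NumberOfRvaAndSizes, 16) entries and
                                       // treat a larger value as suspect, never as a bound.
    IMAGE_data_dirECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER,*PIMAGE_OPTIONAL_HEADER;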
The Export Table
Offsets shown are from the beginning of the table (located via the entry at offset 78 from the start of the PE header). The following 40 bytes repeat for each export library (a DLL whose functions are imported by the executable) and end with one that is all zeroes.
OFFSET | SIZE | NAME | EXPLANATION |
0 | DWORD | characteristics | Set to zero (currently none defined) |
4 | DWORD | TimeDateStamp | often set to zero |
8 | WORD | MajorVersion | user-defined version number,otherwise zero |
0A | WORD | MinorVersion | as above |
0C | DWORD | Name | RVA of DLL name in null-terminated ASCII |
10 | DWORD | Base | First valid exported ordinal,normally=1 |
14 | DWORD | NumberOfFunctions | Number of entries in EAT |
18 | DWORD | NumberOfNames | Number of entries in ENT |
1C | DWORD | AddressOfFunctions | RVA of EAT (export address table) |
20 | DWORD | AddressOfNames | RVA of ENT (export name table) |
24 | DWORD | AddressOfNameordinals | RVA of EOT (export ordinal table) |
/*
 * IMAGE_EXPORT_DIRECTORY: header of the export table, located through
 * DataDirectory[0]. It describes three tables - the EAT (function RVAs),
 * the ENT (name RVAs) and the EOT (ordinals) - each addressed by an RVA
 * from the image base.
 *
 * NOTE(review): NumberOfFunctions, NumberOfNames and the three table RVAs
 * come straight from the file. A parser must check that each table lies
 * inside the mapped image, and that every EOT value (ordinal index into
 * the EAT) is below NumberOfFunctions before indexing the EAT with it.
 */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD characteristics;        // Set to zero (currently none defined)
    DWORD TimeDateStamp;          // Often set to zero
    WORD MajorVersion;            // User-defined version number, otherwise zero
    WORD MinorVersion;            // As above
    DWORD Name;                   // RVA of the DLL name, null-terminated ASCII
    DWORD Base;                   // First valid exported ordinal, normally 1
    DWORD NumberOfFunctions;      // Number of entries in the EAT
    DWORD NumberOfNames;          // Number of entries in the ENT
    DWORD AddressOfFunctions; // RVA from base of image (EAT)
    DWORD AddressOfNames; // RVA from base of image (ENT)
    DWORD AddressOfNameordinals; // RVA from base of image (EOT)
} IMAGE_EXPORT_DIRECTORY,*PIMAGE_EXPORT_DIRECTORY;
The Import Table
OFFSET | SIZE | NAME | EXPLANATION |
0 | DWORD | characteristics\OriginalFirstThunk | RVA to Image_Thunk_Data |
4 | DWORD | TimeDateStamp | zero unless bound against imported DLL |
8 | DWORD | ForwarderChain | pointer to 1st redirected function (or 0) |
0C | DWORD | Name1 | RVA to name in null-terminated ASCII |
10 | DWORD | FirstThunk | RVA to Image_Thunk_Data |
TLS目录结构IMAGE_TLS_DIRECTORY32
OFFSET | SIZE | NAME | EXPLANATION |
0 | DWORD | StartAddressOfRawData | TLS模板的起始地址 |
4 | DWORD | EndAddressOfRawData | TLS模板的结束地址 |
8 | DWORD | AddressOfIndex | TLS索引的位置 |
0C | DWORD | AddressOfCallBacks | TLS回调函数数组指针 |
10 | DWORD | SizeOfZeroFill | 填充0的个数 |
14 | DWORD | characteristics | 保留 |
节表项IMAGE_SECTION_HEADER
OFFSET | SIZE | NAME | EXPLANATION |
0 | 8字节 | Name1 | 8个字节节名 |
8 | DWORD | PhysicalAddress/VirtualSize | 节区的尺寸 |
0C | DWORD | VirtualAddress | 节区的RVA地址 |
10 | DWORD | SizeOfRawData | 在文件中对齐后的尺寸 |
14 | DWORD | PointerToRawData | 在文件中的偏移 |
18 | DWORD | PointerToRelocations | 在OBJ文件中使用 |
1C | DWORD | PointerToLinenumbers | 行号表的位置(供调试用) |
20 | DWORD | NumberOfRelocations | 在OBJ文件中使用 |
22 | WORD | NumberOfLinenumbers | 行号表中行号的数量 |
24 | DWORD | characteristics | 节的属性 |
/*
 * SECTION_IMAGE_informatION (canonical spelling: SECTION_IMAGE_INFORMATION):
 * the per-image summary associated with an image section object, as used
 * by NtQuerySection's SectionImageInformation class. Most fields mirror
 * values taken from the optional header above (subsystem version,
 * Dllcharacteristics, Machine, LoaderFlags, CheckSum).
 * The anonymous union/struct members require C11 or a compiler extension.
 */
typedef struct _SECTION_IMAGE_informatION
{
    PVOID TransferAddress;          // presumably the entry point address - verify
    ULONG ZeroBits;
    ULONG MaximumStackSize;         // cf. SizeOfStackReserve
    ULONG CommittedStackSize;       // cf. SizeOfStackCommit
    ULONG SubSystemType;            // cf. Subsystem
    union
    {
        struct
        {
            WORD SubSystemMinorVersion;
            WORD SubSystemMajorVersion;
        };
        ULONG SubSystemVersion;     // Both halves packed into one ULONG
    };
    ULONG GpValue;
    WORD Imagecharacteristics;      // cf. the "Image characteristics Flags" table below
    WORD Dllcharacteristics;        // cf. Dllcharacteristics in the optional header
    WORD Machine;                   // cf. Machine in the PE header
    UCHAR ImageContainsCode;
    UCHAR ImageFlags;
    // NOTE(review): in the SDK definition these bit-fields are, to my
    // knowledge, unioned with ImageFlags; as separate ULONG bit-fields they
    // add another word to the layout. Confirm against the SDK header before
    // relying on sizeof or on field offsets of this struct.
    ULONG ComPlusNativeReady: 1;
    ULONG ComPlusILOnly: 1;
    ULONG ImageDynamicallyRelocated: 1;
    ULONG Reserved: 5;
    ULONG LoaderFlags;              // cf. LoaderFlags in the optional header
    ULONG ImageFileSize;
    ULONG CheckSum;                 // cf. CheckSum in the optional header
} SECTION_IMAGE_informatION,*PSECTION_IMAGE_informatION;
Image characteristics Flags
FLAG | EXPLANATION |
1 | Relocation info stripped from file |
2 | File is executable (no unresolved external references) |
4 | Line numbers stripped from file |
8 | Local symbols stripped from file |
10 | Lets OS aggressively trim working set |
20 | App can handle >2Gb addresses |
80 | Low bytes of machine word are reversed |
100 | requires 32-bit WORD machine |
200 | Debugging info stripped from file into .DBG file |
400 | If image is on removable media,copy and run from swap file |
800 | If image is on a network,copy and run from swap file |
1000 | System file |
2000 | File is a DLL |
4000 | File should only be run on a single-processor machine |
8000 | High bytes of machine word are reversed |
Section characteristics Flags
FLAG | EXPLANATION |
8 | Section should not be padded to next boundary |
20 | Section contains code |
40 | Section contains initialised data (which will become initialised with real values before the file is launched) |
80 | Section contains uninitialised data (which will be initialised as 00 byte values before launch) |
200 | Section contains comments for the linker |
800 | Section contents will not become part of image |
1000 | Section contents comdat (Common Block Data) |
8000 | Section contents cannot be accessed relative to GP |
00100000 to 00800000 | Boundary alignment settings |
1000000 | Section contains extended relocations |
2000000 | Section can be discarded (e.g. .reloc) |
4000000 | Section is not cacheable |
8000000 | Section is pageable |
10000000 | Section is shareable |
20000000 | Section is executable |
40000000 | Section is readable |
80000000 | Section is writable |