当前位置：网站首页>PE file-

from DOS Head to head is PE The first part , The nodal regions under them are collectively called PE body . Offset is used in the file , Use in memory VA To show the position . When the file is loaded into memory , The size of the section 、 The position will change . The content of the file can be divided into code 、 data 、 Resource section , Keep separately .

Each section header defines the size of each section in file or memory 、 Location 、 Properties, etc . PE There is a region between the head and the tail of each section , Become NULL fill

3. VA & VRA

VA The absolute address of the virtual memory of the process ,VRA A relative address starting from a reference position （PE Most of the internal information in the header is in PVA The form ）

4. PE head

(1) DOS head

stay PE Add a... To the front of the header IMAGE_DOS_HEADER Structure , To extend existing DOS EXE head

(2) DOS stub

stay DOS Under the head , from Code and data It's a mixture of

(3) NT head

IMAGE_NT_HEADER The structure consists of three members ： Signature structure 、 The file header 、 Optional head

(4) NT head ： The file header

That represents the general attributes of the file IMAGE_FILE_HEADER Structure , Yes 4 An important member ：

Machine： Every CPU Have a unique Machine code
NumberOfSections： Used to indicate the number of sections in the file
SizeOfOptionalHeader： Used to indicate IMAGE_OPTIONAL_HEADER The length of the structure
Characteristics: This field is used to identify the attributes of the file , Whether the file is in a runnable form , Is it DLL Documents and other information , With bit OR Combine forms

(5) NT head ： Optional head

IMAGE_OPTIONAL_HEADER yes PE The largest of the head structures

Magic：IMAGE_OPTIONAL_HEADER32 When the structure is ,Magic Code for 10B.IMAGE_OPTIONAL_HEADER64 When the structure is ,Magic Code for 20B
AddressOfEntryPoint： hold EP Of RVA value
ImageBase：PE When a file is loaded into large memory ,ImageBase Indicates the preferred loading address of the file
SectionAlignment,FileAlignment： The former specifies the minimum unit of the section in memory , The latter specifies the minimum unit of the section in the disk file
SizeOflmage： load PE When a file is in memory ,SizeFlmage It specifies PE Image The amount of space occupied in virtual memory
SizeOfHeaders： Used to point out the whole PE The size of the head
Subsystem： Its value is used to distinguish the system driver file from the ordinary executable file
NumberOfPvaAndSizes： Used to specify DataDiretory The number of arrays
DataDiretory： By IMAGE_DATA_HEADER An array of structures , Each item of the array has a defined value

(6) Section head

PE The file format stores data with similar attributes in a file called “ Nodal region ” The place of , Then you need to record the attributes of each section in the section header .

The section head is made up of IMAGE_SECTION_HEADER An array of structures , Each structure corresponds to a section

4. RVA to RAW

PE When the file is loaded into memory , Each section should be able to accurately complete the mapping between memory address and file offset , The method is as follows ：

lookup PVA In the festival area
Calculate the file offset using a simple formula

5. IAT

IAT The saved content is the same as windows The core process of the operating system 、 Memory 、DLL Structure, etc

(1) DLL

load DLL The way ：

Explicit links ： Program usage DLL Time to load , Free memory after use
Implicit linking ： The program is loaded at the beginning DLL, Release the occupied memory when the program terminates

(2) IMAGE_IMPORT_DESCRIPTOR

It is often necessary to import multiple libraries when executing a common program , There are as many libraries as you import IMAGE_IMPORT_DESCRIPTOR Structure , These structures form an array , And the structure array ends with NULL The end of the structure