|
00
|
DWORD
|
Signature
|
PE Signature PE.. (50h 45h 00h 00h)
|
|
04
|
WORD
|
Machine
|
014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS
|
|
06
|
WORD
|
NumberOfSections
|
Number Of Sections
|
|
08
|
DWORD
|
TimeDateStamp
|
Date & time image was created by the linker
|
|
0C
|
DWORD
|
PointerToSymbolTable
|
Zero or offset of COFF symbol table in older files
|
|
10
|
DWORD
|
NumberOfSymbols
|
Number of symbols in COFF symbol table
|
|
14
|
WORD
|
SizeOfOptionalHeader
|
Size of optional header in bytes (224 in 32bit exe)
|
|
16
|
WORD
|
Characteristics
|
see below
|
|
18
|
**********
|
START OF OPTIONAL HEADER
|
**************************************
|
|
18
|
WORD
|
Magic
|
010Bh=32-bit executable image
020Bh=64-bit executable image
0107h=ROM image
|
|
1A
|
BYTE
|
MajorLinkerVersion
|
Major version number of the linker
|
|
1B
|
BYTE
|
MinorLinkerVersion
|
Minor version number of the linker
|
|
1C
|
DWORD
|
SizeOfCode
|
size of code section or sum if multiple code sections
|
|
20
|
DWORD
|
SizeOfInitializedData
|
as above
|
|
24
|
DWORD
|
SizeOfUninitializedData
|
as above
|
|
28
|
DWORD
|
AddressOfEntryPoint
|
Start of code execution, optional for DLLs, zero when none present
|
|
2C
|
DWORD
|
BaseOfCode
|
RVA of first byte of code when loaded into RAM
|
|
30
|
DWORD
|
BaseOfData
|
RVA of first byte of data when loaded into RAM
|
|
34
|
DWORD
|
ImageBase
|
Preferred load address
|
|
38
|
DWORD
|
SectionAlignment
|
Alignment of sections when loaded in RAM
|
|
3C
|
DWORD
|
FileAlignment
|
Alignment of sections in file on disk
|
|
40
|
WORD
|
MajorOperatingSystemVersion
|
Major version no. of required operating system
|
|
42
|
WORD
|
MinorOperatingSystemVersion
|
Minor version no. of required operating system
|
|
44
|
WORD
|
MajorImageVersion
|
Major version number of the image
|
|
46
|
WORD
|
MinorImageVersion
|
Minor version number of the image
|
|
48
|
WORD
|
MajorSubsystemVersion
|
Major version number of the subsystem
|
|
4A
|
WORD
|
MinorSubsystemVersion
|
Minor version number of the subsystem
|
|
4C
|
DWORD
|
Reserved1
|
|
|
50
|
DWORD
|
SizeOfImage
|
Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
|
|
54
|
DWORD
|
SizeOfHeaders
|
Offset of first section, multiple of FileAlignment
|
|
58
|
DWORD
|
CheckSum
|
Image checksum (only required for kernel-mode drivers and some system DLLs).
|
|
5C
|
WORD
|
Subsystem
|
0002h=Windows GUI, 0003h=console
|
|
5E
|
WORD
|
DllCharacteristics
|
0001h=per-process library initialization
0002h=per-process library termination
0003h=per-thread library initialization
0004h=per-thread library termination
|
|
60
|
DWORD
|
SizeOfStackReserve
|
Number of bytes reserved for the stack
|
|
64
|
DWORD
|
SizeOfStackCommit
|
Number of bytes actually used for the stack
|
|
68
|
DWORD
|
SizeOfHeapReserve
|
Number of bytes to reserve for the local heap
|
|
6C
|
DWORD
|
SizeOfHeapCommit
|
Number of bytes actually used for local heap
|
|
70
|
DWORD
|
LoaderFlags
|
This member is obsolete.
|
|
74
|
DWORD
|
NumberOfRvaAndSizes
|
Number of directory entries.
|
|
78
|
**********
|
START OF DATA DIRECTORY
|
**************************************
|
|
78
|
DWORD
|
IMAGE_DATA_DIRECTORY0
|
RVA of Export Directory
|
|
7C
|
DWORD
|
|
size of Export Directory
|
|
80
|
DWORD
|
IMAGE_DATA_DIRECTORY1
|
RVA of Import Directory (array of IIDs)
|
|
84
|
DWORD
|
|
size of Import Directory (array of IIDs)
|
|
88
|
DWORD
|
IMAGE_DATA_DIRECTORY2
|
RVA of Resource Directory
|
|
8C
|
DWORD
|
|
size of Resource Directory
|
|
90
|
DWORD
|
IMAGE_DATA_DIRECTORY3
|
RVA of Exception Directory
|
|
94
|
DWORD
|
|
size of Exception Directory
|
|
98
|
DWORD
|
IMAGE_DATA_DIRECTORY4
|
Raw Offset of Security Directory
|
|
9C
|
DWORD
|
|
size of Security Directory
|
|
A0
|
DWORD
|
IMAGE_DATA_DIRECTORY5
|
RVA of Base Relocation Directory
|
|
A4
|
DWORD
|
|
size of Base Relocation Directory
|
|
A8
|
DWORD
|
IMAGE_DATA_DIRECTORY6
|
RVA of Debug Directory
|
|
AC
|
DWORD
|
|
size of Debug Directory
|
|
B0
|
DWORD
|
IMAGE_DATA_DIRECTORY7
|