PE结构各字段偏移参考

 

PE结构各字段偏移参考

header image import alignment linker file

Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions there are still a lot of useful fixed and relative offsets that will help when disassembling/examining PE files. Resource information and the such like are omitted - there are good tools available to manipulate these e.g. ResHacker. The DOS Header   OFFSET SIZE NAME EXPLANATION 00 WORD e_magic Magic DOS signature MZ (4Dh 5Ah)判断 02 WORD e_cblp Bytes on last page of file 04 WORD e_cp Pages in file 06 WORD e_crlc Relocations 08 WORD e_cparhdr Size of header in paragraphs 0A WORD e_minalloc Minimum extra paragraphs needed 0C WORD e_maxalloc Maximum extra paragraphs needed 0E WORD e_ss Initial (relative) SS value 10 WORD e_sp Initial SP value 12 WORD e_csum Checksum 14 WORD e_ip Initial IP value 16 WORD e_cs Initial (relative) CS value 18 WORD e_lfarlc File address of relocation table 1A WORD e_ovno Overlay number 1C WORD e_res[4] Reserved words 24 WORD e_oemid OEM identifier (for e_oeminfo) 26 WORD e_oeminfo OEM information; e_oemid specific 28 WORD e_res2[10] Reserved words 3C DWORD e_lfanew Offset to start of PE header PEHeader的偏移量 DOS Stub 如果在DoS下执行PE文件，此段中保存的字符串“This program can’t  run in DOS Mode”如果在windows下执行PE文件，根据Dos Header的最后一个域e_lfanew所给的偏移量跳过DosStub，直接跳到PEHeader   The PE Header Offsets shown  are from the beginning of this section. Add=DosHeader+DosHeader->e_lfanew; 00 ********** IMAGE_FILE_HEADER File 头的开始 ************************************** 00 DWORD Signature PE文件标号，其他的文件不是此标号 PE Signature PE.. (50h 45h 00h 00h) 04 WORD Machine  机器类型 014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS 06 WORD NumberOfSections 文件中节的数目 Number Of Sections 08 DWORD TimeDateStamp 文件创建时间 Date & time image was created by the linker 0C DWORD PointerToSymbolTable 用于调试，COFF符号表的文件偏移 Zero or offset of COFF symbol table in older files 10 DWORD NumberOfSymbols 用于调试，COFF符号表中的符号数 Number of symbols in COFF symbol table 14 WORD SizeOfOptionalHeader OptionalHeader结构的大小，必须为有效值 Size of optional header in bytes (224 in 32bit exe) 16 WORD Characteristics 文件信息（dll/exe） see below 18 ********** START OF OPTIONAL HEADER Optional的开始 ************************************** 18 WORD Magic 机器类型的签名 010Bh=32-bit executable image 020Bh=64-bit executable image 0107h=ROM image 1A BYTE MajorLinkerVersion 同下（点前和点后） 生成此文件的连接器的版本号，这个数是十进制数，例如：2.23 Major version number of the linker 1B BYTE MinorLinkerVersion Minor version number of the linker 1C DWORD SizeOfCode 所有的代码节的总大小 size of code section or sum if multiple code sections 20 DWORD SizeOfInitializedData 已初始化的数据节的大小（不包含代码节）（数据段） as above 24 DWORD SizeOfUninitializedData 未初始化数据节的大小（.Bbs） as above 28 DWORD AddressOfEntryPoint 加载器首先执行的RVA，此地址通常是在.TEXT节中 Start of code execution, optional for DLLs, zero when none present 2C DWORD BaseOfCode 代码节的启始RVA RVA of first byte of code when loaded into RAM 30 DWORD BaseOfData 数据节的启始RVA RVA of first byte of data when loaded into RAM 34 DWORD ImageBase PE文件首选的被装在的内存地址，（0x400000） Preferred load address 38 DWORD SectionAlignment  内存内节的对齐粒度，因为页的原因 一般为0x1000 Alignment of sections when loaded in RAM 3C DWORD FileAlignment  文件内节的对齐粒度。根据扇区的大小 一般为0x200 Alignment of sections in file on disk 40 WORD MajorOperatingSystemVersion 不定，要运行的最小的操作系统版本号   Major version no. of required operating system 42 WORD MinorOperatingSystemVersion Minor version no. of required operating system 44 WORD MajorImageVersion 用户定义域，通过连接器设定 Major version number of the image 46 WORD MinorImageVersion Minor version number of the image 48 WORD MajorSubsystemVersion Win32子系统版本，三维效果 Major version number of the subsystem 4A WORD MinorSubsystemVersion Minor version number of the subsystem 4C DWORD Reserved1 保留值  0   50 DWORD SizeOfImage 内存中整个PE文件映射的尺寸（粒度的整数倍） Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment 54 DWORD SizeOfHeaders  所有头+节表的大小 （此值作为PE文件第一节的文件偏移量） Offset of first section, multiple of FileAlignment 58 DWORD CheckSum 文件的CRC校验和   常被忽略 0 Image checksum (only required for kernel-mode drivers and some system DLLs). 5C WORD Subsystem NT用来识别PE文件属于那个子系统（窗口的和控制台） 0002h=Windows GUI, 0003h=console 5E WORD DllCharacteristics 指定在哪种情况下调用DLL的初始化函数  常为0 0001h=per-process library initialization 0002h=per-process library termination 0003h=per-thread library initialization 0004h=per-thread library termination 60 DWORD SizeOfStackReserve 位初始的线程堆栈所保留的虚拟内存的数量 （0x100000）字节1MB Number of bytes reserved for the stack 64 DWORD SizeOfStackCommit 为初始的线程堆栈提交的内存的数量 （0x1000）字节（一个页） Number of bytes actually used for the stack 68 DWORD SizeOfHeapReserve 保留给最初的process heap 的虚拟内存数量 Number of bytes to reserve for the local heap 6C DWORD SizeOfHeapCommit 一开始即被提交（committed）给process heap 的内存数量。 Number of bytes actually used for local heap 70 DWORD LoaderFlags   This member is obsolete. 74 DWORD NumberOfRvaAndSizes   Number of directory entries. 78 ********** START OF DATA DIRECTORY IMAGE_DATA_D IRECTORY 结构数组。每个结构给出一个重要数据结构的RVA，比如引入地址表等（一共有16个结构，每个结构对应一个section，以00结尾）。 ************************************** 78 DWORD IMAGE_DATA_DIRECTORY0 地址RVA RVA of Export Directory 7C DWORD   大小 size of Export Directory 80 DWORD IMAGE_DATA_DIRECTORY1 引入表的RVA，指向一个引入表的数组的首地址，数组以全0结尾 RVA of Import Directory (array of IIDs) 84 DWORD   Size size of Import Directory (array of IIDs) 88 DWORD IMAGE_DATA_DIRECTORY2   RVA of Resource Directory 8C DWORD     size of Resource Directory 90 DWORD IMAGE_DATA_DIRECTORY3   RVA of Exception Directory 94 DWORD     size of Exception Directory 98 DWORD IMAGE_DATA_DIRECTORY4   Raw Offset of Security Directory 9C DWORD     size of Security Directory A0 DWORD IMAGE_DATA_DIRECTORY5   RVA of Base Relocation Directory A4 DWORD     size of Base Relocation Directory A8 DWORD IMAGE_DATA_DIRECTORY6   RVA of Debug Directory AC DWORD     size of Debug Directory B0 DWORD IMAGE_DATA_DIRECTORY7   RVA of Copyright Note B4 DWORD     size of Copyright Note B8 DWORD IMAGE_DATA_DIRECTORY8   RVA to be used as Global Pointer (IA-64 only) BC DWORD     Not used C0 DWORD IMAGE_DATA_DIRECTORY9   RVA of Thread Local Storage Directory C4 DWORD     size of Thread Local Storage Directory C8 DWORD IMAGE_DATA_DIRECTORY10   RVA of Load Configuration Directory CC DWORD     size of Load Configuration Directory D0 DWORD IMAGE_DATA_DIRECTORY11   RVA of Bound Import Directory D4 DWORD     size of Bound Import Directory D8 DWORD IMAGE_DATA_DIRECTORY12   RVA of first Import Address Table DC DWORD     total size of all Import Address Tables E0 DWORD IMAGE_DATA_DIRECTORY13   RVA of Delay Import Directory E4 DWORD     size of Delay Import Directory E8 DWORD IMAGE_DATA_DIRECTORY14   RVA of COM Header (top level info & metadata... EC DWORD     size of COM Header         ...in .NET executables) F0 DWORD ZERO (Reserved)   Reserved F4 DWORD ZERO (Reserved)   Reserved F8 ********** START OF SECTION TABLE 节表 *******Offsets shown from here******** 00 8 Bytes Name1 记住节名仅仅是个标记而已，不是ascii码 Name of first section header 08 DWORD misc (VirtualSize)   Actual size of data in section 0C DWORD virtual address 本节的RVA（相对虚拟地址），PE装载器将节映射至内存时会读取本值，因此如果域值是1000h，而PE文件装在地址400000h处，那么本节就被载到401000h RVA where section begins in memory 10 DWORD SizeOfRawData 经过文件对齐处理后节尺寸，PE装载器提取本域值了解需映射入内存的节字节数。 （译者注: 假设一个文件的文件对齐尺寸是0x200，如果前面的 VirtualSize域指示本节长度是0x388字节，则本域值为0x400，表示本节是0x400字节长）。 Size of data on disk (multiple of FileAlignment) 14 DWORD pointerToRawData 这是节基于文件的偏移量，PE装载器通过本域值找到节数据在文件中的位置。 Raw offset of section on disk 18 DWORD pointerToRelocations   Start of relocation entries for section, zero if none 1C DWORD PointerToLinenumbers   Start of line-no. entries for section, zero if none 20 WORD NumberOfRelocations   This value is zero for executable images. 22 WORD NumberOfLineNumbers   Number of line-number entries for section. 24 DWORD Characteristics 包含标记以指示节属性，比如节是否含有可执行代码、初始化数据、未初始数据，是否可写、可读等。 see end of page below 00 8 Bytes Name1 下一节的开始 Name of second section header   ********** Repeats for rest of sections 循环 知道节结束为止 **************************************   The Export Table （导出表） Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes. OFFSET SIZE NAME 意义 EXPLANATION 00 DWORD Characteristics   Set to zero (currently none defined) 04 DWORD TimeDateStamp   often set to zero 08 WORD MajorVersion   user-defined version number, otherwise zero 0A WORD MinorVersion   as above 0C DWORD Name 模块的真实名称。本域是必须的，因为文件名可能会改变。这种情况下，PE装载器将使用这个内部名字。 RVA of DLL name in null-terminated ASCII 10 DWORD Base 基数，加上序数就是函数地址数组的索引值了。 First valid exported ordinal, normally=1 14 DWORD NumberOfFunctions 模块引出的函数/符号总数。 Number of entries in EAT 18 DWORD NumberOfNames 通过名字引出的函数/符号数目。该值不是模块引出的函数/符号总数，这是由上面的NumberOfFunctions给出。本域可以为0，表示模块可能仅仅通过序数引出。如果模块根本不引出任何函数/符号，那么数据目录中引出表的RVA为0。 Number of entries in ENT 1C DWORD AddressOfFunctions 模块中有一个指向所有函数/符号的RVAs数组，本域就是指向该RVAs数组的RVA。简言之，模块中所有函数的RVAs都保存在一个数组里，本域就指向这个数组的首地址。 RVA of EAT (export address table) 20 DWORD AddressOfNames 类似上个域，模块中有一个指向所有函数名的RVAs数组，本域就是指向该RVAs数组的RVA。 RVA of ENT (export name table) 24 DWORD AddressOfNameOrdinals RVA，指向包含上述 AddressOfNames数组中相关函数之序数的16位数组。 RVA of EOT (export ordinal table) The Import Table （引入表） Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes. IMAGE_IMPORT_DESCRIPTOR STRUCT    union      Characteristics dd ?      OriginalFirstThunk dd ?    ends    TimeDateStamp dd ?    ForwarderChain dd ?    Name1 dd ?    FirstThunk dd ?  IMAGE_IMPORT_DESCRIPTOR ENDS OFFSET SIZE NAME   EXPLANATION 00 DWORD OriginalFirstThunk   RVA to Image_Thunk_Data 04 DWORD TimeDateStamp   zero unless bound against imported DLL 08 DWORD ForwarderChain   pointer to 1st redirected function (or 0) 0C DWORD Name1   RVA to name in null-terminated ASCII 10 DWORD FirstThunk   RVA to Image_Thunk_Data Image Characteristics Flags FLAG EXPLANATION 0001 Relocation info stripped from file 0002 File is executable (no unresolved external references) 0004 Line numbers stripped from file 0008 Local symbols stripped from file 0010 Lets OS aggressively trim working set 0020 App can handle >2Gb addresses 0080 Low bytes of machine word are reversed 0100 requires 32-bit WORD machine 0200 Debugging info stripped from file into .DBG file 0400 If image is on removable media, copy and run from swap file 0800 If image is on a network, copy and run from swap file 1000 System file 2000 File is a DLL 4000 File should only be run on a single-processor machine 8000 High bytes of machine word are reversed Section Characteristics Flags FLAG EXPLANATION 00000008 Section should not be padded to next boundary 00000020 Section contains code 00000040 Section contains initialised data (which will become initialised with real values before the file is launched) 00000080 Section contains uninitialised data (which will be initialised as 00 byte values before launch) 00000200 Section contains comments for the linker 00000800 Section contents will not become part of image 00001000 Section contents comdat (Common Block Data) 00008000 Section contents cannot be accessed relative to GP 00100000 to 00800000 Boundary alignment settings 01000000 Section contains extended relocations 02000000 Section can be discarded (e.g. .reloc) 04000000 Section is not cacheable 08000000 Section is pageable 10000000 Section is shareable 20000000 Section is executable 40000000 Section is readable 80000000 Section is writable