| Region | Size | Notes | Figure mark |
|---|---|---|---|
| DOS header | 40H in total | Begins with the structure shown below. Focus on offset 3C, e_lfanew, which points to the PE header | (1) |
| stub | 40H? | DOS header + stub padding total 80H; see the DosHeadArray array | (2) |
| Another padding field | size not important | Filled with N PRODITEM entries | (3) |
| PE header + PE optional header (the optional header includes the 16 directory entries) | Starts at the file offset stored in the 4 bytes at DOS header offset 3C; total size 78h + 80h = F8h | Offset 0 holds the 4-byte signature PE00, so the offsets below count from 04h. At offset 78h the 16 IMAGE_DATA_DIRECTORY entries begin, 8 bytes each, 16 * 8 = 128 = 80H | (4)(5) |
| Section headers, stored one after another | Each section header is 40 = 28h bytes; total 28h * n for n sections | The section header structure is shown below, 28h bytes | (6)(7) |
Are all of the above combined and aligned to 512? That would explain why the total is usually 400h = 2 * 512, unless there are very many PRODITEM entries...??
Now look at the example below: 0-3FH, the red box (1), is the DOS header.
The red box (2) is the stub.
(3) is the other padding field.
Why does (4) start at B0? Because OFF 3C holds 00 00 00 B0. So the green underline (4) marks the 4-byte PE signature plus the PE header plus the optional header without the directory table, 78H in total.
That is, the green part ends at 128h - B0h = 78H.
The blue-purple underline (5) marks the 16 directory entries, size 80h: 1A8H - 128H = 80H.
The black underline (6) marks the .text section header; the Name .text shown in plain text at the start already makes it obvious; size 28h.
The brown underline (7) marks the .rdata section header; the leading .rdata is obvious too (the brown underline was drawn 8 bytes short...).
Likewise the .data section header is also 28h.
After that, everything from 220h to 400h is zero filled, to align with the minimum sector size of 512 (200h).
Dumping this exe gives the output below; comparing it with the above, everything matches.
Microsoft (R) COFF/PE Dumper Version 14.24.28316.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file helloworld.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
3 number of sections
4C119FE5 time date stamp Fri Jun 11 10:31:01 2010
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
5.12 linker version
200 size of code
400 size of initialized data
0 size of uninitialized data
1000 entry point (00401000)
1000 base of code
2000 base of data
400000 image base (00400000 to 00403FFF)
1000 section alignment
200 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
4000 size of image
400 size of headers
0 checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
2010 [ 3C] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2000 [ 10] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
24 virtual size
1000 virtual address (00401000 to 00401023)
200 size of raw data
400 file pointer to raw data (00000400 to 000005FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.rdata name
92 virtual size
2000 virtual address (00402000 to 00402091)
200 size of raw data
600 file pointer to raw data (00000600 to 000007FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #3
.data name
D virtual size
3000 virtual address (00403000 to 0040300C)
200 size of raw data
800 file pointer to raw data (00000800 to 000009FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
Summary
1000 .data
1000 .rdata
1000 .text
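As an added example (not code from the original post), the following Python walks the same chain the figure and dump describe: DOS header at 0, e_lfanew at 3C, PE signature, IMAGE_FILE_HEADER, PE32 optional header, 16 data directories, then the section table at 1A8h. The input is a constructed byte string filled with the values from the dumpbin output above (everything else left zero); the bounds and alignment checks are the ones a loader or scanner needs because e_lfanew, SizeOfOptionalHeader and NumberOfSections are untrusted input.

```python
import struct

def build_sample() -> bytes:  # constructed header bytes mirroring the layout above (e_lfanew 0xB0, 3 sections)
    h = bytearray(0x400)                                 # SizeOfHeaders = 0x400, zero padded like the dump
    h[0:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0xB0)                # e_lfanew: PE signature lives at 0xB0
    h[0xB0:0xB4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", h, 0xB4, 0x14C, 3, 0x4C119FE5, 0, 0, 0xE0, 0x10F)  # IMAGE_FILE_HEADER
    o = 0xC8                                             # optional header = 0xB0 + 4 + 0x14
    struct.pack_into("<H", h, o, 0x10B)                  # PE32 magic
    struct.pack_into("<IIIIII", h, o + 0x10, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # entry..FileAlign
    struct.pack_into("<II", h, o + 0x38, 0x4000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", h, o + 0x5C, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", h, o + 0x60 + 8 * 1, 0x2010, 0x3C)   # Import Directory entry
    secs = [(b".text", 0x24, 0x1000, 0x400, 0x60000020), (b".rdata", 0x92, 0x2000, 0x600, 0x40000040),
            (b".data", 0xD, 0x3000, 0x800, 0xC0000040)]
    for i, (name, vsize, va, rawptr, flags) in enumerate(secs):
        s = 0x1A8 + 0x28 * i                             # section table starts right after the optional header
        h[s:s + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIIIIIHHI", h, s + 8, vsize, va, 0x200, rawptr, 0, 0, 0, 0, flags)
    return bytes(h)

def parse_pe32(data: bytes) -> dict:  # DOS header -> PE signature -> file/optional header -> section table
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 0xF8 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":  # sig + file hdr + PE32 opt hdr
        raise ValueError("e_lfanew out of range or bad PE signature")  # never follow the offset unchecked
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    o = e_lfanew + 0x18
    if struct.unpack_from("<H", data, o)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, _, _, image_base, sec_align, file_align = struct.unpack_from("<IIIIII", data, o + 0x10)
    size_of_headers, = struct.unpack_from("<I", data, o + 0x3C)
    ndirs, = struct.unpack_from("<I", data, o + 0x5C)
    dirs = [struct.unpack_from("<II", data, o + 0x60 + 8 * i) for i in range(min(ndirs, 16))]
    sec_tab = o + opt_size
    if not sec_align or not file_align or sec_tab + 0x28 * nsec > min(size_of_headers, len(data)):
        raise ValueError("section table does not fit inside SizeOfHeaders")
    sections = []
    for s in range(sec_tab, sec_tab + 0x28 * nsec, 0x28):
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<IIIIIIHHI", data, s + 8)
        if va % sec_align or rawptr % file_align:
            raise ValueError(f"section {name!r} violates alignment")
        sections.append((name, vsize, va, rawsize, rawptr, flags))
    return dict(e_lfanew=e_lfanew, machine=machine, characteristics=chars, entry=entry, image_base=image_base,
                section_table=sec_tab, directories=dirs, sections=sections)
```

Running `parse_pe32(build_sample())` yields section_table 0x1A8, the Import Directory at (0x2010, 0x3C) and the three section headers at 0x1A8, 0x1D0 and 0x1F8, exactly the offsets traced in the figure.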