PE文件格式偏移参考

在进行PE文件格式病毒分析的时候，经常要使用到PE文件格式的解析，尤其是对LoadPE形式的病毒的分析，经常要查看PE文件格式的偏移，特地从博客《PE文件格式的偏移参考》中转载收录一份，之前在网上也看到比较不错的有关PE文件偏移的博客，但忘了收录。在进行PE文件格式的病毒分析时，还会经常参考这篇博客《PE文件格式学习笔记》，博主关于PE文件格式的学习笔记写的不错，其他的参考书籍《加密与解密（第3版）》、《黑客免杀攻防》，顺便提一句《黑客免杀攻防》这本书关于PE文件格式的解析比较不错，但是错误也不少，整体来说这本书对于学习PC上的逆向分析和内核攻防还是很不错的。

Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions there are still a lot of useful fixed and relative offsets that will help when disassembling/examining PE files. Resource information and the such like are omitted - there are good tools available to manipulate these e.g. ResHacker. The DOS Header   OFFSET SIZE NAME EXPLANATION 00 WORD e_magic Magic DOS signature MZ (4Dh 5Ah) 02 WORD e_cblp Bytes on last page of file 04 WORD e_cp Pages in file 06 WORD e_crlc Relocations 08 WORD e_cparhdr Size of header in paragraphs 0A WORD e_minalloc Minimum extra paragraphs needed 0C WORD e_maxalloc Maximum extra paragraphs needed 0E WORD e_ss Initial (relative) SS value 10 WORD e_sp Initial SP value 12 WORD e_csum Checksum 14 WORD e_ip Initial IP value 16 WORD e_cs Initial (relative) CS value 18 WORD e_lfarlc File address of relocation table 1A WORD e_ovno Overlay number 1C WORD e_res[4] Reserved words 24 WORD e_oemid OEM identifier (for e_oeminfo) 26 WORD e_oeminfo OEM information; e_oemid specific 28 WORD e_res2[10] Reserved words 3C DWORD e_lfanew Offset to start of PE header   The PE Header Offsets shown  are from the beginning of this section.   00 DWORD Signature PE Signature PE.. (50h 45h 00h 00h) 04 WORD Machine 014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS 06 WORD NumberOfSections Number Of Sections 08 DWORD TimeDateStamp Date & time image was created by the linker 0C DWORD PointerToSymbolTable Zero or offset of COFF symbol table in older files 10 DWORD NumberOfSymbols Number of symbols in COFF symbol table 14 WORD SizeOfOptionalHeader Size of optional header in bytes (224 in 32bit exe) 16 WORD Characteristics see below 18 ********** START OF OPTIONAL HEADER ************************************** 18 WORD Magic 010Bh=32-bit executable image 020Bh=64-bit executable image 0107h=ROM image 1A BYTE MajorLinkerVersion Major version number of the linker 1B BYTE MinorLinkerVersion Minor version number of the linker 1C DWORD SizeOfCode size of code section or sum if multiple code sections 20 DWORD SizeOfInitializedData as above 24 DWORD SizeOfUninitializedData as above 28 DWORD AddressOfEntryPoint Start of code execution, optional for DLLs, zero when none present 2C DWORD BaseOfCode RVA of first byte of code when loaded into RAM 30 DWORD BaseOfData RVA of first byte of data when loaded into RAM 34 DWORD ImageBase Preferred load address 38 DWORD SectionAlignment   Alignment of sections when loaded in RAM 3C DWORD FileAlignment   Alignment of sections in file on disk 40 WORD MajorOperatingSystemVersion Major version no. of required operating system 42 WORD MinorOperatingSystemVersion Minor version no. of required operating system 44 WORD MajorImageVersion Major version number of the image 46 WORD MinorImageVersion Minor version number of the image 48 WORD MajorSubsystemVersion Major version number of the subsystem 4A WORD MinorSubsystemVersion Minor version number of the subsystem 4C DWORD Reserved1   50 DWORD SizeOfImage Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment 54 DWORD SizeOfHeaders   Offset of first section, multiple of FileAlignment 58 DWORD CheckSum Image checksum (only required for kernel-mode drivers and some system DLLs). 5C WORD Subsystem 0002h=Windows GUI, 0003h=console 5E WORD DllCharacteristics 0001h=per-process library initialization 0002h=per-process library termination 0003h=per-thread library initialization 0004h=per-thread library termination 60 DWORD SizeOfStackReserve Number of bytes reserved for the stack 64 DWORD SizeOfStackCommit Number of bytes actually used for the stack 68 DWORD SizeOfHeapReserve Number of bytes to reserve for the local heap 6C DWORD SizeOfHeapCommit Number of bytes actually used for local heap 70 DWORD LoaderFlags This member is obsolete. 74 DWORD NumberOfRvaAndSizes Number of directory entries. 78 ********** START OF DATA DIRECTORY ************************************** 78 DWORD IMAGE_DATA_DIRECTORY0  RVA of Export Directory 7C DWORD   size of Export Directory 80 DWORD IMAGE_DATA_DIRECTORY1 RVA of Import Directory (array of IIDs) 84 DWORD   size of Import Directory (array of IIDs) 88 DWORD IMAGE_DATA_DIRECTORY2 RVA of Resource Directory 8C DWORD   size of Resource Directory 90 DWORD IMAGE_DATA_DIRECTORY3 RVA of Exception Directory 94 DWORD   size of Exception Directory 98 DWORD IMAGE_DATA_DIRECTORY4 Raw Offset of Security Directory 9C DWORD   size of Security Directory A0 DWORD IMAGE_DATA_DIRECTORY5 RVA of Base Relocation Directory A4 DWORD   size of Base Relocation Directory A8 DWORD IMAGE_DATA_DIRECTORY6 RVA of Debug Directory AC DWORD   size of Debug Directory B0 DWORD IMAGE_DATA_DIRECTORY7 RVA of Copyright Note B4 DWORD   size of Copyright Note B8 DWORD IMAGE_DATA_DIRECTORY8 RVA to be used as Global Pointer (IA-64 only) BC DWORD   Not used C0 DWORD IMAGE_DATA_DIRECTORY9 RVA of Thread Local Storage Directory C4 DWORD   size of Thread Local Storage Directory C8 DWORD IMAGE_DATA_DIRECTORY10 RVA of Load Configuration Directory CC DWORD   size of Load Configuration Directory D0 DWORD IMAGE_DATA_DIRECTORY11 RVA of Bound Import Directory D4 DWORD   size of Bound Import Directory D8 DWORD IMAGE_DATA_DIRECTORY12 RVA of first Import Address Table DC DWORD   total size of all Import Address Tables E0 DWORD IMAGE_DATA_DIRECTORY13 RVA of Delay Import Directory E4 DWORD   size of Delay Import Directory E8 DWORD IMAGE_DATA_DIRECTORY14 RVA of COM Header (top level info & metadata... EC DWORD   size of COM Header         ...in .NET executables) F0 DWORD ZERO (Reserved) Reserved F4 DWORD ZERO (Reserved) Reserved F8 ********** START OF SECTION TABLE *******Offsets shown from here******** 00 8 Bytes Name1 Name of first section header 08 DWORD misc (VirtualSize) Actual size of data in section 0C DWORD virtual address RVA where section begins in memory 10 DWORD SizeOfRawData  Size of data on disk (multiple of FileAlignment) 14 DWORD pointerToRawData  Raw offset of section on disk 18 DWORD pointerToRelocations Start of relocation entries for section, zero if none 1C DWORD PointerToLinenumbers Start of line-no. entries for section, zero if none 20 WORD NumberOfRelocations This value is zero for executable images. 22 WORD NumberOfLineNumbers Number of line-number entries for section. 24 DWORD Characteristics see end of page below 00 8 Bytes Name1 Name of second section header   ********** Repeats for rest of sections ************************************** The Export Table Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes. OFFSET SIZE NAME EXPLANATION 00 DWORD Characteristics Set to zero (currently none defined) 04 DWORD TimeDateStamp often set to zero 08 WORD MajorVersion user-defined version number, otherwise zero 0A WORD MinorVersion as above 0C DWORD Name RVA of DLL name in null-terminated ASCII 10 DWORD Base First valid exported ordinal, normally=1 14 DWORD NumberOfFunctions Number of entries in EAT 18 DWORD NumberOfNames Number of entries in ENT 1C DWORD AddressOfFunctions RVA of EAT (export address table) 20 DWORD AddressOfNames RVA of ENT (export name table) 24 DWORD AddressOfNameOrdinals RVA of EOT (export ordinal table) The Import Table Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes. OFFSET SIZE NAME EXPLANATION 00 DWORD OriginalFirstThunk RVA to Image_Thunk_Data 04 DWORD TimeDateStamp zero unless bound against imported DLL 08 DWORD ForwarderChain pointer to 1st redirected function (or 0) 0C DWORD Name1 RVA to name in null-terminated ASCII 10 DWORD FirstThunk RVA to Image_Thunk_Data Image Characteristics Flags   FLAG EXPLANATION 0001 Relocation info stripped from file 0002 File is executable (no unresolved external references) 0004 Line numbers stripped from file 0008 Local symbols stripped from file 0010 Lets OS aggressively trim working set 0020 App can handle >2Gb addresses 0080 Low bytes of machine word are reversed 0100 requires 32-bit WORD machine 0200 Debugging info stripped from file into .DBG file 0400 If image is on removable media, copy and run from swap file 0800 If image is on a network, copy and run from swap file 1000 System file 2000 File is a DLL 4000 File should only be run on a single-processor machine 8000 High bytes of machine word are reversed Section Characteristics Flags   FLAG EXPLANATION 00000008 Section should not be padded to next boundary 00000020 Section contains code 00000040 Section contains initialised data (which will become initialised with real values before the file is launched) 00000080 Section contains uninitialised data (which will be initialised as 00 byte values before launch) 00000200 Section contains comments for the linker 00000800 Section contents will not become part of image 00001000 Section contents comdat (Common Block Data) 00008000 Section contents cannot be accessed relative to GP 00100000 to 00800000 Boundary alignment settings 01000000 Section contains extended relocations 02000000 Section can be discarded (e.g. .reloc) 04000000 Section is not cacheable 08000000 Section is pageable 10000000 Section is shareable 20000000 Section is executable 40000000 Section is readable 80000000 Section is writable