Hex dump of a minimal PE32 executable (three sections, 0A00h bytes in the file), with the regions that the structures below describe marked:

Offset   | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ASCII
---------+-------------------------------------------------+-----------------
DOS header (IMAGE_DOS_HEADER), 0x00-0x3F
00000000 | 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 | MZ..............
00000010 | B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | ........@.......
00000020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000030 | 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 | ................
DOS stub, 0x40-0xAF
00000040 | 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 | ........!..L.!Th
00000050 | 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F | is program canno
00000060 | 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 | t be run in DOS 
00000070 | 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 | mode....$.......
00000080 | 5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B | ]e..............
00000090 | 97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B | .........$......
000000A0 | 52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00 | Rich............
PE header (IMAGE_NT_HEADERS), 0xB0-0x1A7
000000B0 | 50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00 | PE..L...>.$E....
000000C0 | 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00 | ................
000000D0 | 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00 | ................
000000E0 | 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 | . ....@.........
000000F0 | 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 | ................
00000100 | 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 | .@..............
00000110 | 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 | ................
00000120 | 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 | ................
00000130 | 14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 | . ..<...........
00000140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000180 | 00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00 | ......... ......
00000190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Section table (3 x IMAGE_SECTION_HEADER), 0x1A8-0x21F; the .text entry begins at 0x1A8, in the middle of the next row
000001A0 | 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 | .........text...
000001B0 | 30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 | 0...............
000001C0 | 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 | ............ ...
000001D0 | 2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00 | .rdata....... ..
000001E0 | 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 | ................
000001F0 | 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 | ....@..@.data...
00000200 | 42 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00 | B....0..........
00000210 | 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 | ............@...
00000220 | ... zero padding up to SizeOfHeaders (0x400) ...
Section data, 0x400-0x9FF (.text at 0x400, .rdata at 0x600, .data at 0x800, 0x200 bytes each)
00000400 | ...
000009F0 | ...
|
DOS header (DOS MZ header): an IMAGE_DOS_HEADER structure, defined as follows:
IMAGE_DOS_HEADER STRUCT ;64 bytes
e_magic WORD ? ;DOS signature, always 5A4Dh ("MZ": the bytes 4D 5A in the file)
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup(?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup(?)
e_lfanew DWORD ? ;file offset of the PE header (0B0h in the dump above); the Windows loader reads only e_magic and this field, every other member is for DOS
IMAGE_DOS_HEADER ENDS

DOS stub (DOS code): the 16-bit program that runs if the file is started under DOS. In the dump it occupies 0x40-0xAF and does nothing but print "This program cannot be run in DOS mode." and exit. The Windows loader never executes it; it goes straight from e_lfanew to the PE header, which is also why the stub (and the linker's "Rich" data that follows it) can be anything at all without affecting how the image loads.

PE header (PE header): an IMAGE_NT_HEADERS structure, defined as follows:
IMAGE_NT_HEADERS STRUCT
Signature DWORD ? ;PE signature, the bytes 50 45 00 00 ("PE\0\0")
FileHeader IMAGE_FILE_HEADER <> ;file header / 20 bytes
OptionalHeader IMAGE_OPTIONAL_HEADER32 <> ;optional header; despite the name it is always present in an executable image (0E0h bytes for PE32)
IMAGE_NT_HEADERS ENDS
File header (FileHeader): an IMAGE_FILE_HEADER structure, defined as follows:
IMAGE_FILE_HEADER STRUCT ;20 bytes
Machine WORD ? ;target CPU, 014Ch = x86 in the dump
NumberOfSections WORD ? ;number of sections in the file (3 in the dump)
TimeDateStamp DWORD ? ;timestamp written by the linker, seconds since 1970-01-01 UTC; not a trustworthy build time, since anything can rewrite it
PointerToSymbolTable DWORD ?
NumberOfSymbols DWORD ?
SizeOfOptionalHeader WORD ? ;size of the OptionalHeader that immediately follows this structure; the section table starts this many bytes after the optional header, so locate it with this field rather than sizeof
Characteristics WORD ? ;attribute flags for the file, e.g. whether it is an EXE or a DLL
IMAGE_FILE_HEADER ENDS
Optional header (OptionalHeader): an IMAGE_OPTIONAL_HEADER32 structure, defined as follows:
IMAGE_OPTIONAL_HEADER32 STRUCT
Magic WORD ? ;010Bh = PE32 (this layout); 020Bh = PE32+, the 64-bit variant with a different layout
MajorLinkerVersion BYTE ?
MinorLinkerVersion BYTE ?
SizeOfCode DWORD ?
SizeOfInitializedData DWORD ?
SizeOfUninitializedData DWORD ?
AddressOfEntryPoint DWORD ? ;RVA of the first instruction the PE loader transfers control to (1000h in the dump, the start of .text)
BaseOfCode DWORD ?
BaseOfData DWORD ?
ImageBase DWORD ? ;preferred load address of the PE file (image base), 400000h in the dump
SectionAlignment DWORD ? ;section alignment granularity in memory
FileAlignment DWORD ? ;section alignment granularity in the file
MajorOperatingSystemVersion WORD ?
MinorOperatingSystemVersion WORD ?
MajorImageVersion WORD ?
MinorImageVersion WORD ?
MajorSubsystemVersion WORD ?
MinorSubsystemVersion WORD ?
Win32VersionValue DWORD ?
SizeOfImage DWORD ? ;size of the whole PE image in memory, rounded up to SectionAlignment
SizeOfHeaders DWORD ? ;size of all headers plus the section table, rounded up to FileAlignment
CheckSum DWORD ?
Subsystem WORD ? ;subsystem NT runs the file under (2 = Windows GUI, 3 = console)
DllCharacteristics WORD ?
SizeOfStackReserve DWORD ?
SizeOfStackCommit DWORD ?
SizeOfHeapReserve DWORD ?
SizeOfHeapCommit DWORD ?
LoaderFlags DWORD ?
NumberOfRvaAndSizes DWORD ? ;number of DataDirectory entries that follow, normally 16
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ;data directories
IMAGE_OPTIONAL_HEADER32 ENDS
Data directory (DataDirectory): each of the 16 entries is an IMAGE_DATA_DIRECTORY structure, defined as follows:
IMAGE_DATA_DIRECTORY STRUCT
VirtualAddress DWORD ? ;RVA of the table this entry describes; for entry 1, the import table, that is the IMAGE_IMPORT_DESCRIPTOR array
isize DWORD ? ;size of that table in bytes (named isize in the MASM include files because size is a reserved word)
IMAGE_DATA_DIRECTORY ENDS
In the dump, entry 1 holds RVA 2014h / size 3Ch (import table) and entry 12 holds RVA 2000h / size 14h (import address table); all other entries are zero.
Section table (Section table): an array of NumberOfSections IMAGE_SECTION_HEADER structures, starting immediately after the optional header (e_lfanew + 4 + 20 + SizeOfOptionalHeader, which is 1A8h in the dump). Each entry is defined as follows:
IMAGE_SECTION_HEADER STRUCT ;40 bytes
Name1 db 8 dup(?) ;section name, 8 bytes (Name1 because Name is reserved in MASM); not NUL-terminated when all 8 bytes are used
union Misc
PhysicalAddress dd ?
VirtualSize dd ? ;size of the section in memory, before alignment
ends
VirtualAddress dd ? ;RVA (relative virtual address) of this section
SizeOfRawData dd ? ;size of the section's data in the file, rounded up to FileAlignment
PointerToRawData dd ? ;file offset of the section's data
PointerToRelocations dd ?
PointerToLinenumbers dd ?
NumberOfRelocations dw ?
NumberOfLinenumbers dw ?
Characteristics dd ? ;flags describing the section's attributes (code/data, readable, writable, executable)
IMAGE_SECTION_HEADER ENDS
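As an added worked example (not part of the original page), the following Python parser walks the structures above over the exact bytes of the hex dump, re-entered here as a constructed byte string, and then translates RVAs to file offsets through the section table. The field names mirror the MASM structures; the SAMPLE constant and the functions parse_pe, rva_to_file_offset and describe_section_flags are this example's own names.

```python
import struct

# Constructed sample input: the first 0x220 bytes of the file in the hex dump above (DOS header,
# DOS stub, IMAGE_NT_HEADERS, three section headers), re-entered so the parser runs offline.
SAMPLE = (
    # IMAGE_DOS_HEADER, 0x00-0x3F; e_lfanew at 0x3C = 0xB0
    bytes.fromhex("4D5A900003000000" "04000000FFFF0000" "B800000000000000" "4000000000000000")
    + bytes(28) + bytes.fromhex("B0000000")
    + bytes.fromhex("0E1FBA0E00B409CD21B8014CCD215468" "69732070726F6772616D2063616E6E6F"  # DOS stub, 0x40-0xAF
                    "742062652072756E20696E20444F5320" "6D6F64652E0D0D0A2400000000000000"
                    "5D65FDC81904939B1904939B1904939B" "971B809B1104939BE524819B1804939B"
                    "526963681904939B0000000000000000")
    # IMAGE_NT_HEADERS, 0xB0-0x1A7: Signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32
    + bytes.fromhex("504500004C0103003EFD244500000000" "00000000E0000F010B01050C00020000"
                    "00040000000000000010000000100000" "00200000000040000010000000020000"
                    "04000000000000000400000000000000" "00400000000400000000000002000000"
                    "00001000001000000000100000100000" "00000000100000000000000000000000"
                    "142000003C0000000000000000000000")
    + bytes(72) + bytes.fromhex("0020000014000000") + bytes(24)  # DataDirectory[12] = IAT; rest zero
    # Section table, 0x1A8-0x21F: .text, .rdata, .data (40 bytes each)
    + bytes.fromhex("2E74657874000000" "30000000" "00100000" "00020000" "00040000") + bytes(12) + bytes.fromhex("200000E0")
    + bytes.fromhex("2E72646174610000" "A6000000" "00200000" "00020000" "00060000") + bytes(12) + bytes.fromhex("40000040")
    + bytes.fromhex("2E64617461000000" "42000000" "00300000" "00020000" "00080000") + bytes(12) + bytes.fromhex("400000C0")
)

FILE_HEADER = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes
OPT_HEADER32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 through NumberOfRvaAndSizes, 96 bytes
SECTION_HEADER = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes
OPT_FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
              "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase SectionAlignment "
              "FileAlignment MajorOperatingSystemVersion MinorOperatingSystemVersion MajorImageVersion "
              "MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue SizeOfImage "
              "SizeOfHeaders CheckSum Subsystem DllCharacteristics SizeOfStackReserve SizeOfStackCommit "
              "SizeOfHeapReserve SizeOfHeapCommit LoaderFlags NumberOfRvaAndSizes").split()
DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc", "Debug", "Architecture",
                   "GlobalPtr", "TLS", "LoadConfig", "BoundImport", "IAT", "DelayImport", "COMDescriptor", "Reserved"]
SCN_FLAGS = [(0x20, "CODE"), (0x40, "INITIALIZED_DATA"), (0x80, "UNINITIALIZED_DATA"),
             (0x20000000, "EXECUTE"), (0x40000000, "READ"), (0x80000000, "WRITE")]


def parse_pe(data):
    """Walk DOS header -> e_lfanew -> IMAGE_NT_HEADERS -> section table, bounds-checking every hop."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew, SizeOfOptionalHeader and NumberOfSections all come from the file: a hostile image can
    # point any of them past the end of the buffer, so each is checked before it is dereferenced.
    if e_lfanew < 0x40 or e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew out of range: 0x%X" % e_lfanew)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = dict(zip(("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                   "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics"),
                  struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)))
    opt_off = e_lfanew + 4 + 20
    if fh["SizeOfOptionalHeader"] < 96 or opt_off + fh["SizeOfOptionalHeader"] > len(data):
        raise ValueError("optional header truncated")
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_HEADER32, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("not a PE32 image (Magic 0x%X)" % opt["Magic"])
    # Clamp NumberOfRvaAndSizes to the 16 known slots and to what SizeOfOptionalHeader can hold.
    ndirs = min(opt["NumberOfRvaAndSizes"], 16, (fh["SizeOfOptionalHeader"] - 96) // 8)
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
            for i in range(ndirs)}
    # The section table begins SizeOfOptionalHeader bytes after the optional header, not sizeof(struct).
    sec_off = opt_off + fh["SizeOfOptionalHeader"]
    if sec_off + 40 * fh["NumberOfSections"] > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(fh["NumberOfSections"]):
        s = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        sections.append({"Name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": s[1], "VirtualAddress": s[2], "SizeOfRawData": s[3],
                         "PointerToRawData": s[4], "Characteristics": s[9]})
    return {"e_lfanew": e_lfanew, "file_header": fh, "optional_header": opt,
            "data_directories": dirs, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Translate an RVA to a file offset through the section table; None if no file bytes back it."""
    if rva < pe["optional_header"]["SizeOfHeaders"]:
        return rva  # the headers are mapped at ImageBase unchanged
    for s in pe["sections"]:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            delta = rva - s["VirtualAddress"]
            # Memory past SizeOfRawData is zero-filled by the loader and has no counterpart in the file.
            return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None
    return None


def describe_section_flags(characteristics):
    """Decode the IMAGE_SCN_* bits that matter in review: content type and page protection."""
    return "|".join(name for bit, name in SCN_FLAGS if characteristics & bit)


if __name__ == "__main__":
    pe = parse_pe(SAMPLE)
    for s in pe["sections"]:
        print("%-6s RVA=0x%04X file=0x%04X %s" % (s["Name"], s["VirtualAddress"], s["PointerToRawData"],
                                                  describe_section_flags(s["Characteristics"])))
```

Run as a script it lists the three sections with their RVAs and file offsets; parse_pe(SAMPLE) returns e_lfanew = 0xB0, NumberOfSections = 3 and an import directory of (0x2014, 0x3C), and rva_to_file_offset(pe, 0x2014) gives 0x614, i.e. 0x14 bytes into .rdata, whose PointerToRawData is 0x600. Two things the parser does that a quick read of the dump does not: it refuses to follow e_lfanew, SizeOfOptionalHeader or NumberOfSections outside the buffer, which is where naive loaders and unpackers crash on malformed input, and it decodes Characteristics, which shows that .text in this sample is CODE|EXECUTE|READ|WRITE, a writable code section that a hardening or triage check would flag.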