PE Files - The PE File Format

Source: Internet  Editor: 程序博客网  Time: 2024/04/28 19:44

Before starting my own study I read a number of documents from the web. First, here are two figures based on the analysis results:

 

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The following is excerpted from the web:

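PE stands for Portable Executable. It is the native executable file format of the Win32 environment. Some of its characteristics are inherited from the Unix COFF (Common Object File Format) file format. "Portable executable" means that the file format is common across Win32 platforms: even when Windows runs on a non-Intel CPU, the PE loader of any Win32 platform can recognize and use this file format. Of course, PE executables ported to a different CPU necessarily have to change somewhat. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, including NT kernel mode drivers. Studying the PE file format therefore gives us a good opportunity to gain insight into the structure of Windows.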

In this tutorial, let us take an overview of the PE file format.

DOS MZ header
DOS stub
PE header
Section table
Section 1
Section 2
Section ...
Section n

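The figure above shows the overall layout of a PE file. Every PE file (even 32-bit DLLs) must begin with a simple DOS MZ header. We are usually not very interested in this structure. With it, if the program is executed under DOS, DOS can recognize it as a valid executable and then run the DOS stub that immediately follows the MZ header. The DOS stub is actually a valid EXE; on operating systems that do not support the PE file format it simply displays an error message, similar to the string "This program requires Windows", or the programmer can implement complete DOS code as desired. We are usually not very interested in the DOS stub either, because in most cases it is generated automatically by the assembler/compiler. Typically, it simply calls interrupt 21h, service 9, to display the string "This program cannot run in DOS mode".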

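Immediately after the DOS stub comes the PE header. "PE header" is shorthand for the PE-related structure IMAGE_NT_HEADERS, which contains many important fields used by the PE loader. As we study the PE file format in more depth, we will become thoroughly familiar with these fields. When the executable runs on an operating system that supports the PE file structure, the PE loader finds the starting offset of the PE header from the DOS MZ header. It thus skips the DOS stub and goes straight to the real file header, the PE header.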

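The real content of a PE file is divided into blocks called sections. Each section is a block of data with common attributes, such as code/data or read/write. We can think of a PE file as a logical disk: the PE header is the boot sector of the disk, and the sections are the various files, each of which naturally has different attributes such as read-only, system, hidden, archive and so on. What deserves our attention is that the division into sections is based on the common attributes of each group of data, not on logical concepts. What matters is not how the data/code is used; if data/code in a PE file has the same attributes, it can be placed in the same section. There is no need to care about logical concepts such as "data" or "code" for a section: if data and code have the same attributes, they can be placed in the same section. (Translator's note: a section name is merely a label that distinguishes one section from another; names like "data" and "code" exist only for ease of identification, and only the section's attribute settings determine its characteristics and function.) If a block of data should be read-only, it can be placed in a section marked read-only; when the PE loader maps the section contents, it checks the section's attributes and sets the corresponding memory block to the specified attributes.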

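If we regard the PE file format as a logical disk, with the PE header as the boot sector and the sections as the various files, we still lack enough information to locate the different files on the disk. For example, what in the PE file format is the equivalent of a directory? No need to worry: it is the array of structures that follows the PE header, the section table. Each structure contains the attributes, file offset, virtual offset and so on of the corresponding section. If the PE file has 5 sections, this array of structures has 5 members. We can therefore regard the section table as the root directory of the logical disk, with each array member equivalent to a directory entry in the root directory.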

That is the physical layout of the PE file format. The main steps in loading a PE file are summarized below:

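  1. When a PE file is executed, the PE loader checks the PE header offset in the DOS MZ header. If it is found, the loader jumps to the PE header.
  2. The PE loader checks the validity of the PE header. If it is valid, the loader jumps to the end of the PE header.
  3. Immediately after the PE header is the section table. The PE loader reads the section information from it and maps the sections into memory using file mapping, applying the section attributes specified in the section table.
  4. After the PE file has been mapped into memory, the PE loader processes the logical parts of the PE file such as the import table.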

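The steps above are a brief description based on my own observation; some points are obviously not precise enough, but they basically make clear how an executable is processed.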

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

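Based on the analysis above, we can use OD to verify the composition of the PE structure. I used OD to load a program on my machine, navicat.exe, and looked at the PE header: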

Below is the DOS MZ header mentioned in the figure above; its actual type is the structure IMAGE_DOS_HEADER:

00400000    4D 5A       ASCII "MZ"           ; DOS EXE Signature
00400002    5000        DW 0050              ;  DOS_PartPag = 50 (80.)
00400004    0200        DW 0002              ;  DOS_PageCnt = 2
00400006    0000        DW 0000              ;  DOS_ReloCnt = 0
00400008    0400        DW 0004              ;  DOS_HdrSize = 4
0040000A    0F00        DW 000F              ;  DOS_MinMem = F (15.)
0040000C    FFFF        DW FFFF              ;  DOS_MaxMem = FFFF (65535.)
0040000E    0000        DW 0000              ;  DOS_ReloSS = 0
00400010    B800        DW 00B8              ;  DOS_ExeSP = B8
00400012    0000        DW 0000              ;  DOS_ChkSum = 0
00400014    0000        DW 0000              ;  DOS_ExeIP = 0
00400016    0000        DW 0000              ;  DOS_ReloCS = 0
00400018    4000        DW 0040              ;  DOS_TablOff = 40
0040001A    1A00        DW 001A              ;  DOS_Overlay = 1A
0040001C    00          DB 00
0040001D    00          DB 00
0040001E    00          DB 00
0040001F    00          DB 00
00400020    00          DB 00
00400021    00          DB 00
00400022    00          DB 00
00400023    00          DB 00
00400024    00          DB 00
00400025    00          DB 00
00400026    00          DB 00
00400027    00          DB 00
00400028    00          DB 00
00400029    00          DB 00
0040002A    00          DB 00
0040002B    00          DB 00
0040002C    00          DB 00
0040002D    00          DB 00
0040002E    00          DB 00
0040002F    00          DB 00
00400030    00          DB 00
00400031    00          DB 00
00400032    00          DB 00
00400033    00          DB 00
00400034    00          DB 00
00400035    00          DB 00
00400036    00          DB 00
00400037    00          DB 00
00400038    00          DB 00
00400039    00          DB 00
0040003A    00          DB 00
0040003B    00          DB 00
0040003C    00010000    DD 00000100          ; Offset to PE signature
Below is the DOS stub [we do not seem to see any meaningful data]:
 

Viewing the DOS stub as ASCII instead:
00400040  ?.???L?悙This program mus
00400060  t be run under Win32..$7........
00400080  ................................
004000A0  ................................
004000C0  ................................
004000E0  ................................

Below are the PE header and the PE optional header [which contains the DataDirectory]:

00400100    50 45 00 00>ASCII "PE"           ; PE signature (PE)
00400104    4C01        DW 014C              ; Machine = IMAGE_FILE_MACHINE_I386
00400106    0800        DW 0008              ;  NumberOfSections = 8
00400108    195E422A    DD 2A425E19          ;  TimeDateStamp = 2A425E19
0040010C    00000000    DD 00000000          ;  PointerToSymbolTable = 0
00400110    00000000    DD 00000000          ;  NumberOfSymbols = 0
00400114    E000        DW 00E0              ;  SizeOfOptionalHeader = E0 (224.)
00400116    8E81        DW 818E              ;  Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|BYTES_REVERSED_LO|BYTES_REVERSED_HI
00400118    0B01        DW 010B              ; MagicNumber = PE32
0040011A    02          DB 02                ;  MajorLinkerVersion = 2
0040011B    19          DB 19                ;  MinorLinkerVersion = 19 (25.)
0040011C    001E6D00    DD 006D1E00          ;  SizeOfCode = 6D1E00 (7151104.)
00400120    00863100    DD 00318600          ;  SizeOfInitializedData = 318600 (3245568.)
00400124    00000000    DD 00000000          ;  SizeOfUninitializedData = 0
00400128    D42C6D00    DD 006D2CD4          ;  AddressOfEntryPoint = 6D2CD4
0040012C    00100000    DD 00001000          ;  BaseOfCode = 1000
00400130    00306D00    DD 006D3000          ;  BaseOfData = 6D3000
00400134    00004000    DD 00400000          ; ImageBase = 400000
00400138    00100000    DD 00001000          ;  SectionAlignment = 1000
0040013C    00020000    DD 00000200          ;  FileAlignment = 200
00400140    0400        DW 0004              ;  MajorOSVersion = 4
00400142    0000        DW 0000              ;  MinorOSVersion = 0
00400144    0000        DW 0000              ;  MajorImageVersion = 0
00400146    0000        DW 0000              ;  MinorImageVersion = 0
00400148    0400        DW 0004              ;  MajorSubsystemVersion = 4
0040014A    0000        DW 0000              ;  MinorSubsystemVersion = 0
0040014C    00000000    DD 00000000          ;  Reserved
00400150    00809F00    DD 009F8000          ;  SizeOfImage = 9F8000 (10452992.)
00400154    00040000    DD 00000400          ;  SizeOfHeaders = 400 (1024.)
00400158    00000000    DD 00000000          ;  CheckSum = 0
0040015C    0200        DW 0002              ;  Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
0040015E    0000        DW 0000              ;  DLLCharacteristics = 0
00400160    00001000    DD 00100000          ;  SizeOfStackReserve = 100000 (1048576.)
00400164    00400000    DD 00004000          ;  SizeOfStackCommit = 4000 (16384.)
00400168    00001000    DD 00100000          ;  SizeOfHeapReserve = 100000 (1048576.)
0040016C    00100000    DD 00001000          ;  SizeOfHeapCommit = 1000 (4096.)
00400170    00000000    DD 00000000          ;  LoaderFlags = 0
00400174    10000000    DD 00000010          ;  NumberOfRvaAndSizes = 10 (16.)
00400178    00000000    DD 00000000          ;  Export Table address = 0
0040017C    00000000    DD 00000000          ;  Export Table size = 0
00400180    00506F00    DD 006F5000          ;  Import Table address = 6F5000
00400184    2A3F0000    DD 00003F2A          ;  Import Table size = 3F2A (16170.)
00400188    00A07700    DD 0077A000          ;  Resource Table address = 77A000
0040018C    00E02700    DD 0027E000          ;  Resource Table size = 27E000 (2613248.)
00400190    00000000    DD 00000000          ;  Exception Table address = 0
00400194    00000000    DD 00000000          ;  Exception Table size = 0
00400198    00000000    DD 00000000          ;  Certificate File pointer = 0
0040019C    00000000    DD 00000000          ;  Certificate Table size = 0
004001A0    00B06F00    DD 006FB000          ;  Relocation Table address = 6FB000
004001A4    0CEC0700    DD 0007EC0C          ;  Relocation Table size = 7EC0C (519180.)
004001A8    00000000    DD 00000000          ;  Debug Data address = 0
004001AC    00000000    DD 00000000          ;  Debug Data size = 0
004001B0    00000000    DD 00000000          ;  Architecture Data address = 0
004001B4    00000000    DD 00000000          ;  Architecture Data size = 0
004001B8    00000000    DD 00000000          ;  Global Ptr address = 0
004001BC    00000000    DD 00000000          ;  Must be 0
004001C0    00A06F00    DD 006FA000          ;  TLS Table address = 6FA000
004001C4    18000000    DD 00000018          ;  TLS Table size = 18 (24.)
004001C8    00000000    DD 00000000          ;  Load Config Table address = 0
004001CC    00000000    DD 00000000          ;  Load Config Table size = 0
004001D0    00000000    DD 00000000          ;  Bound Import Table address = 0
004001D4    00000000    DD 00000000          ;  Bound Import Table size = 0
004001D8    00000000    DD 00000000          ;  Import Address Table address = 0
004001DC    00000000    DD 00000000          ;  Import Address Table size = 0
004001E0    00000000    DD 00000000          ;  Delay Import Descriptor address = 0
004001E4    00000000    DD 00000000          ;  Delay Import Descriptor size = 0
004001E8    00000000    DD 00000000          ;  COM+ Runtime Header address = 0
004001EC    00000000    DD 00000000          ;  Import Address Table size = 0
004001F0    00000000    DD 00000000          ;  Reserved
004001F4    00000000    DD 00000000          ;  Reserved
The PE header and the PE optional header are both members of the IMAGE_NT_HEADERS structure:
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

The IMAGE_FILE_HEADER structure is defined as follows:
typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
 
The IMAGE_OPTIONAL_HEADER32 structure is defined as follows:
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD    Magic;
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;
    //
    // NT additional fields.
    //
    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
We can see that the last member of IMAGE_OPTIONAL_HEADER is an array of DataDirectory structures.
 
Below is the section table data:
004001F8    43 4F 44 45>ASCII "CODE"         ; SECTION
00400200    FC1D6D00    DD 006D1DFC          ;  VirtualSize = 6D1DFC (7151100.)
00400204    00100000    DD 00001000          ;  VirtualAddress = 1000
00400208    001E6D00    DD 006D1E00          ;  SizeOfRawData = 6D1E00 (7151104.)
0040020C    00040000    DD 00000400          ;  PointerToRawData = 400
00400210    00000000    DD 00000000          ;  PointerToRelocations = 0
00400214    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400218    0000        DW 0000              ;  NumberOfRelocations = 0
0040021A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040021C    20000060    DD 60000020          ;  Characteristics = CODE|EXECUTE|READ
00400220    44 41 54 41>ASCII "DATA"         ; SECTION
00400228    84740100    DD 00017484          ;  VirtualSize = 17484 (95364.)
0040022C    00306D00    DD 006D3000          ;  VirtualAddress = 6D3000
00400230    00760100    DD 00017600          ;  SizeOfRawData = 17600 (95744.)
00400234    00226D00    DD 006D2200          ;  PointerToRawData = 6D2200
00400238    00000000    DD 00000000          ;  PointerToRelocations = 0
0040023C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400240    0000        DW 0000              ;  NumberOfRelocations = 0
00400242    0000        DW 0000              ;  NumberOfLineNumbers = 0
00400244    400000C0    DD C0000040          ;  Characteristics = INITIALIZED_DATA|READ|WRITE
00400248    42 53 53 00>ASCII "BSS"          ; SECTION
00400250    F9930000    DD 000093F9          ;  VirtualSize = 93F9 (37881.)
00400254    00B06E00    DD 006EB000          ;  VirtualAddress = 6EB000
00400258    00000000    DD 00000000          ;  SizeOfRawData = 0
0040025C    00000000    DD 00000000          ;  PointerToRawData = 0
00400260    00000000    DD 00000000          ;  PointerToRelocations = 0
00400264    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400268    0000        DW 0000              ;  NumberOfRelocations = 0
0040026A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040026C    000000C0    DD C0000000          ;  Characteristics = READ|WRITE
00400270    2E 69 64 61>ASCII ".idata"       ; SECTION
00400278    2A3F0000    DD 00003F2A          ;  VirtualSize = 3F2A (16170.)
0040027C    00506F00    DD 006F5000          ;  VirtualAddress = 6F5000
00400280    00400000    DD 00004000          ;  SizeOfRawData = 4000 (16384.)
00400284    00986E00    DD 006E9800          ;  PointerToRawData = 6E9800
00400288    00000000    DD 00000000          ;  PointerToRelocations = 0
0040028C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400290    0000        DW 0000              ;  NumberOfRelocations = 0
00400292    0000        DW 0000              ;  NumberOfLineNumbers = 0
00400294    400000C0    DD C0000040          ;  Characteristics = INITIALIZED_DATA|READ|WRITE
00400298    2E 74 6C 73>ASCII ".tls"         ; SECTION
004002A0    54000000    DD 00000054          ;  VirtualSize = 54 (84.)
004002A4    00906F00    DD 006F9000          ;  VirtualAddress = 6F9000
004002A8    00000000    DD 00000000          ;  SizeOfRawData = 0
004002AC    00000000    DD 00000000          ;  PointerToRawData = 0
004002B0    00000000    DD 00000000          ;  PointerToRelocations = 0
004002B4    00000000    DD 00000000          ;  PointerToLineNumbers = 0
004002B8    0000        DW 0000              ;  NumberOfRelocations = 0
004002BA    0000        DW 0000              ;  NumberOfLineNumbers = 0
004002BC    000000C0    DD C0000000          ;  Characteristics = READ|WRITE
004002C0    2E 72 64 61>ASCII ".rdata"       ; SECTION
004002C8    18000000    DD 00000018          ;  VirtualSize = 18 (24.)
004002CC    00A06F00    DD 006FA000          ;  VirtualAddress = 6FA000
004002D0    00020000    DD 00000200          ;  SizeOfRawData = 200 (512.)
004002D4    00D86E00    DD 006ED800          ;  PointerToRawData = 6ED800
004002D8    00000000    DD 00000000          ;  PointerToRelocations = 0
004002DC    00000000    DD 00000000          ;  PointerToLineNumbers = 0
004002E0    0000        DW 0000              ;  NumberOfRelocations = 0
004002E2    0000        DW 0000              ;  NumberOfLineNumbers = 0
004002E4    40000050    DD 50000040          ;  Characteristics = INITIALIZED_DATA|SHARED|READ
004002E8    2E 72 65 6C>ASCII ".reloc"       ; SECTION
004002F0    0CEC0700    DD 0007EC0C          ;  VirtualSize = 7EC0C (519180.)
004002F4    00B06F00    DD 006FB000          ;  VirtualAddress = 6FB000
004002F8    00EE0700    DD 0007EE00          ;  SizeOfRawData = 7EE00 (519680.)
004002FC    00DA6E00    DD 006EDA00          ;  PointerToRawData = 6EDA00
00400300    00000000    DD 00000000          ;  PointerToRelocations = 0
00400304    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400308    0000        DW 0000              ;  NumberOfRelocations = 0
0040030A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040030C    40000050    DD 50000040          ;  Characteristics = INITIALIZED_DATA|SHARED|READ
00400310    2E 72 73 72>ASCII ".rsrc"        ; SECTION
00400318    00E02700    DD 0027E000          ;  VirtualSize = 27E000 (2613248.)
0040031C    00A07700    DD 0077A000          ;  VirtualAddress = 77A000
00400320    00E02700    DD 0027E000          ;  SizeOfRawData = 27E000 (2613248.)
00400324    00C87600    DD 0076C800          ;  PointerToRawData = 76C800
00400328    00000000    DD 00000000          ;  PointerToRelocations = 0
0040032C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400330    0000        DW 0000              ;  NumberOfRelocations = 0
00400332    0000        DW 0000              ;  NumberOfLineNumbers = 0
00400334    40000050    DD 50000040          ;  Characteristics = INITIALIZED_DATA|SHARED|READ
00400338    00          DB 00
00400339    00          DB 00
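
Added example (not part of the original post): a bounds-checked Python walk through loader steps 1-3 above, run on header bytes rebuilt from the values in the navicat.exe listing, followed by an RVA-to-file-offset lookup through the section table. The function names, the constructed headers-only sample buffer and the restriction to PE32 are assumptions of this example.

```python
import struct

# Section rows copied from the page's navicat.exe listing:
# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
PAGE_SECTIONS = [
    (b"CODE",   0x6D1DFC, 0x001000, 0x6D1E00, 0x000400, 0x60000020),
    (b"DATA",   0x017484, 0x6D3000, 0x017600, 0x6D2200, 0xC0000040),
    (b"BSS",    0x0093F9, 0x6EB000, 0x000000, 0x000000, 0xC0000000),
    (b".idata", 0x003F2A, 0x6F5000, 0x004000, 0x6E9800, 0xC0000040),
    (b".tls",   0x000054, 0x6F9000, 0x000000, 0x000000, 0xC0000000),
    (b".rdata", 0x000018, 0x6FA000, 0x000200, 0x6ED800, 0x50000040),
    (b".reloc", 0x07EC0C, 0x6FB000, 0x07EE00, 0x6EDA00, 0x50000040),
    (b".rsrc",  0x27E000, 0x77A000, 0x27E000, 0x76C800, 0x50000040),
]
SECTION_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER, 40 bytes
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # Characteristics bits

def build_sample_headers():
    """Constructed input: the first 0x400 header bytes, rebuilt from the listing."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x100)       # offset to PE signature
    buf[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x104, 0x014C, 8, 0x2A425E19, 0, 0, 0xE0, 0x818E)
    struct.pack_into("<H", buf, 0x118, 0x010B)     # Magic = PE32
    struct.pack_into("<I", buf, 0x128, 0x6D2CD4)   # AddressOfEntryPoint
    for i, (name, vsz, va, rsz, raw, ch) in enumerate(PAGE_SECTIONS):
        struct.pack_into(SECTION_FMT, buf, 0x1F8 + 40 * i, name, vsz, va, rsz, raw, 0, 0, 0, 0, ch)
    return bytes(buf)

def parse_pe_headers(data):
    """Loader steps 1-3: MZ header -> PE header -> section table, bounds-checked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise ValueError("PE header offset points outside the data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    table_off = opt_off + opt_size                 # section table follows the optional header
    if opt_size < 96 or table_off + 40 * nsect > len(data):
        raise ValueError("optional header or section table out of bounds")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic != 0x010B:
        raise ValueError("not a PE32 optional header")
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "raw": f[4], "flags": f[9]})
    return {"machine": machine, "entry": entry, "sections": sections}

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if no file bytes back it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["raw"] + delta if delta < s["rawsize"] else None
    return None   # not inside any section (header RVAs are not handled here)

def writable_and_executable(sections):
    """Names of sections the loader would map both writable and executable."""
    return [s["name"] for s in sections
            if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE]
```

With the listing's values, the entry point RVA 6D2CD4 falls in CODE and maps to file offset 6D20D4, the import table RVA 6F5000 maps to 6E9800 in .idata, and an RVA inside BSS maps to nothing because its SizeOfRawData is 0.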