用Winhex软件解析PE文件

打开user32.dll

3C H 处为PE头位置：０x F8
DOS头部分：

转到 F8处

PE文件标志（4H字节）： 00 00 45 50

映像文件头（14H字节）：

NumberOfSections : 00 06 –> 6
SizeOfOptionalHeader: 00 E0 –> 224

可选映像头：
部分

SizeOfCode(可执行代码长度): 00 08 30 00
AddressOfEntryPoint(代码入口RVA): 00 01 58 A0
ImageBase(相对PE头偏移 34): 6B A8 00 00
SectionAlignment: 00 00 10 00
FileAlignment: 00 00 02 00

SizeOfImage: 00 15 30 00
NumberOfRvaAndSizes: 00 00 00 10
DataDirectory : 00 00 24 E4

PS： 01 70起８字节为导出表描述部分前四个字节为 00 00 24 E4

SectionTable(节表)：

从PE映像文件末尾 01 10偏移 00 E0(SizeOfOptionalHeader) –> 01 F0

Name: .text
VirtualSize: 00 08 2E 9C
VirtualAddress(内存对齐后地址): 00 00 10 00
SizeOfRawData(文件对齐后尺寸): 00 08 30 00
PointerToRawData(文件对齐处位置): 00 00 04 00

Name: .data
VirtualSize: 00 00 10 3A
VirtualAddress(内存对齐后地址): 00 08 40 00
SizeOfRawData(文件对齐后尺寸): 00 00 10 00
PointerToRawData(文件对齐处位置): 00 08 34 00

Name: .idata
VirtualSize: 00 00 2D 72
VirtualAddress(内存对齐后地址): 00 08 60 00
SizeOfRawData(文件对齐后尺寸): 00 00 2E 00
PointerToRawData(文件对齐处位置): 00 08 44 00

Name: .didat
VirtualSize: 00 00 00 4C
VirtualAddress(内存对齐后地址): 00 08 90 00
SizeOfRawData(文件对齐后尺寸): 00 00 02 00
PointerToRawData(文件对齐处位置): 00 08 72 00

Name: .rsrc
VirtualSize: 00 0C 3E 18
VirtualAddress(内存对齐后地址): 00 08 A0 00
SizeOfRawData(文件对齐后尺寸): 00 0C 40 00
PointerToRawData(文件对齐处位置): 00 08 74 00

Name: .reloc
VirtualSize: 00 00 4D E8
VirtualAddress(内存对齐后地址): 00 14 E0 00
SizeOfRawData(文件对齐后尺寸): 00 00 4E 00
PointerToRawData(文件对齐处位置): 00 14 B4 00

Export(导出表）:

RVA: 00 00 24 E4　（从之前可选头部分关于导出表描述部分读取）
Offset = 00 00 24 E4 - 00 00 10 00 + 00 00 04 00 = 00 00 18 E4

减数为第一个节表 .text的VirtualAddress（ 00 00 10 00），之后加上的是PointerToRawData（ 00 00 04 00)

Name: 00 00 4A 98 –> 3E 98

AddressOfFunction: 00 00 25 0C –> 19 0C

00 05 9A 90
00 03 61 60
00 03 61 80
00 02 44 D0
00 01 E4 50
．．．．．
AddressofName: 00 00 35 A4 –> 29 A4

00 00 4A A3 –> 3E A4 –> “ActivateKeyboardLayout”
00 00 4A BA –> 3E BA–> “AddChipboardFormatListener”
00 00 4A D5 –> 3E D5 –> “AdjustWindowRect”
00 00 4A E6 –> 3E E6 –> “AdjustWindowRectEx”
00 00 4A F9 –> 3E F9 –> “AlignRects”
．．．．．
AddressofOrdinals: 00 00 43 9C –> 37 9C

00 01
00 02
00 03
00 04
00 05
．．．．．