A Brief Introduction to the PE File Structure

Source: Internet  Editor: 程序博客网  Time: 2024/05/21 11:33
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Original article: https://msdn.microsoft.com/en-us/library/ms809762.aspx

This blog post is a summary of the article above.


Dynamically loaded:
The loader uses the memory-mapped file mechanism to map the appropriate pieces of the file into the virtual address space.
For Win32, all the memory used by the module for code, data, resources, import tables, export tables, and other required module data structures is in one contiguous block of memory.

INF: Executable-File Header Format
http://benoit.papillault.free.fr/c/disc2/exefmt.txt


MS-DOS Header:
  • Used to look up the real header of the executable format (a relative offset, RVA)
  • Changes after the file has been packed
  • 4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000C80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000

MS-DOS Stub:
  • Tiny program that prints a message to the effect of "This program cannot be run in MS-DOS mode"
  • On systems that do not support Win32, this is the error message

PE Header:
  • Structure of type IMAGE_NT_HEADERS (defined in WINNT.H)
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;         // most basic information about the file
    IMAGE_OPTIONAL_HEADER OptionalHeader; // additional information beyond the standard IMAGE_FILE_HEADER
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;


Section Table: (IMAGE_SECTION_HEADERs)
  • Each entry in the array stores an address where the file's raw data has been mapped into memory
  • Any code or data that might be needed gets its own section.

Sections:
  • .text: code
  • .data: initialized data
  • .bss: uninitialized static and global variables
  • .CRT: used by the Microsoft C/C++ run-time libraries
  • .rsrc: all the resources for the module
  • .idata: functions & data that the module imports from other DLLs
  • .edata: list of the functions and data that the PE file exports for other modules
  • .reloc: a table of base relocations
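
The following Python example is added here and is not code from the original article or this post. It walks the layout summarized above, from the MS-DOS header through the PE signature and IMAGE_FILE_HEADER to the section table, and rejects input whose offsets do not fit in the file; build_sample, parse_pe and the sample image (its 0xC8 header offset and section values included) are constructed for illustration.

```python
import struct

def build_sample():
    """Constructed minimal PE32 image (not a real binary) for the parser below."""
    e_lfanew = 0xC8                                   # file offset of the PE header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # 64-byte MS-DOS header
    opt = b"\x0b\x01" + b"\x00" * 222                 # zeroed optional header, 224 bytes
    fh = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, len(opt), 0x0102)
    def sec(name, vsize, rva, rawsize, rawptr):       # one 40-byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, 0)
    table = sec(b".text", 0x1000, 0x1000, 0x200, 0x400) + sec(b".data", 0x1000, 0x2000, 0x200, 0x600)
    image = dos.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + fh + opt + table
    return image.ljust(0x800, b"\x00")                # room for both sections' raw data

def parse_pe(data):
    """Return e_lfanew, machine and the section table; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # last field of the DOS header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                  # section table follows OptionalHeader
    if table + nsec * 40 > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "rva": rva, "virtual_size": vsize,        # where the section is mapped
            "raw_ptr": rawptr, "raw_size": rawsize,   # where its bytes sit in the file
            "raw_in_file": rawptr + rawsize <= len(data),
        })
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": sections}

if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(f"PE header at {pe['e_lfanew']:#x}, machine {pe['machine']:#06x}")
    for s in pe["sections"]:
        print(f"{s['name']:<8} RVA {s['rva']:#07x} raw {s['raw_ptr']:#06x}+{s['raw_size']:#x} "
              f"in_file={s['raw_in_file']}")
```
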