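/*
 * IMAGE_NT_HEADERS -- the PE header proper: the "PE\0\0" signature, the COFF
 * file header, then the optional header. The optional header layout differs
 * between PE32 (IMAGE_OPTIONAL_HEADER32, Magic 0x10B) and PE32+
 * (IMAGE_OPTIONAL_HEADER64, Magic 0x20B), hence one struct per format. Decide
 * which struct to overlay by reading OptionalHeader.Magic first -- never by
 * guessing from the file name.
 *
 * Fix vs. the original listing: both pointer typedefs were missing their '*'
 * (PIMAGE_NT_HEADERS64 / PIMAGE_NT_HEADERS32 were plain aliases for the struct,
 * not pointers to it), which silently breaks sizeof() and every cast using them.
 *
 * Parsing caveat: the offset that locates this header comes from the DOS header
 * and is untrusted; check that offset + sizeof(Signature) + sizeof(FileHeader)
 * (and then SizeOfOptionalHeader) lies inside the mapped file before
 * dereferencing anything here.
 */
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;                        // must equal IMAGE_NT_SIGNATURE (0x00004550, "PE\0\0")
    IMAGE_FILE_HEADER FileHeader;           // COFF header: Machine, NumberOfSections, Characteristics, ...
    IMAGE_OPTIONAL_HEADER64 OptionalHeader; // PE32+ layout; valid only when OptionalHeader.Magic == 0x20B
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // must equal IMAGE_NT_SIGNATURE (0x00004550, "PE\0\0")
    IMAGE_FILE_HEADER FileHeader;           // COFF header, identical layout to the 64-bit case
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // PE32 layout; valid only when OptionalHeader.Magic == 0x10B
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;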

Signature

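// PE signature: the bytes 'P','E',0,0 read as a little-endian DWORD. (The
// original listing dropped the '#', so the macro was never defined.) Reject the
// file if IMAGE_NT_HEADERS.Signature != IMAGE_NT_SIGNATURE before trusting any
// field that follows it.
#define IMAGE_NT_SIGNATURE 0x00004550 // "PE\0\0"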

IMAGE_FILE_HEADER

文件头/PE标准头
可以用来判断文件是exe或dll文件 有多少节区
/*
 * IMAGE_FILE_HEADER -- the COFF "file header" that immediately follows the PE
 * signature. Used to tell an EXE from a DLL (Characteristics) and to learn how
 * many section headers follow the optional header (NumberOfSections).
 *
 * Every field is read straight from an untrusted file: treat the values as
 * claims, not facts, and range-check them before they drive pointer arithmetic.
 */
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; // target machine type
WORD NumberOfSections; // number of section headers. The original note's "96" is a section COUNT (loader limit), not bytes -- bound this before walking the section table
DWORD TimeDateStamp; // creation (link) timestamp; attacker-controlled, do not rely on it for anything security-relevant
DWORD PointerToSymbolTable; // file offset of the COFF symbol table, debug use only
DWORD NumberOfSymbols; // number of entries in that symbol table
WORD SizeOfOptionalHeader; // size of the optional header: 0xE0 for PE32, 0xF0 for PE32+. NOTE(review): the section table starts this many bytes after the optional header, so use this field (validated against the file size), not sizeof(), to locate it
WORD Characteristics; // IMAGE_FILE_* attribute flags; typical values: EXE 0x010F, DLL 0x210E
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

IMAGE_FILE_HEADER.Characteristics的常用属性:
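// Commonly seen bits of IMAGE_FILE_HEADER.Characteristics.
// Fix vs. the original listing: IMAGE_FILE_SYSTEM had been fused onto the end
// of the IMAGE_FILE_32BIT_MACHINE comment, so it was never actually defined;
// it is split onto its own line here. Comment typos corrected as well.
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file; the image must load at its ImageBase.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
// Worked examples from the notes above:
//   0x010F = 0x0100 | 0x0008 | 0x0004 | 0x0002 | 0x0001  (typical stripped 32-bit EXE)
//   0x210E = 0x2000 | 0x0100 | 0x0008 | 0x0004 | 0x0002  (typical DLL; relocations kept so it can be rebased)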
例: 0x010F = IMAGE_FILE_32BIT_MACHINE (0x0100) | IMAGE_FILE_LOCAL_SYMS_STRIPPED (0x0008) | IMAGE_FILE_LINE_NUMS_STRIPPED (0x0004) | IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) | IMAGE_FILE_RELOCS_STRIPPED (0x0001)
即 0100 + 8 + 4 + 2 + 1，典型的 32 位 EXE；DLL 常见的 0x210E 则多了 IMAGE_FILE_DLL (0x2000)，且没有 RELOCS_STRIPPED（保留重定位表以便重定位）。

IMAGE_OPTIONAL_HEADER

可选头
32位 e0 224个字节
64位 f0h, 240个字节
// // Optional header format.
//
e0h, 224d

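/*
 * IMAGE_OPTIONAL_HEADER32 -- the PE32 optional header (0xE0 = 224 bytes). It is
 * "optional" only for object files; every executable image carries one. Offsets
 * in the field comments are relative to the start of IMAGE_NT_HEADERS.
 *
 * Fix vs. the original listing: the list numbers ("1. ", "2. ", ...) pasted in
 * front of every field line are removed -- they are not C and made the struct
 * unparsable -- and the comments are translated and corrected.
 *
 * Everything here comes from an untrusted file. Fields that drive memory layout
 * (AddressOfEntryPoint, SizeOfImage, SizeOfHeaders, the alignments,
 * NumberOfRvaAndSizes) must be range-checked by any parser or loader.
 *
 * Depends on IMAGE_DATA_DIRECTORY and IMAGE_NUMBEROF_DIRECTORY_ENTRIES, which
 * this page lists after the struct; in a real header they must be declared first.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD Magic;                        // 0x18: 0x107 = ROM image, 0x10B = PE32 (this struct), 0x20B = PE32+ (use IMAGE_OPTIONAL_HEADER64). Check this before overlaying either struct.
    BYTE MajorLinkerVersion;           // 0x1A: linker version; no effect on execution
    BYTE MinorLinkerVersion;           // 0x1B
    DWORD SizeOfCode;                  // 0x1C: total size of all sections containing code, file-aligned. "Contains code" means the section has IMAGE_SCN_CNT_CODE set, not merely the execute permission bit.
    DWORD SizeOfInitializedData;       // 0x20: total size of all sections holding initialized data
    DWORD SizeOfUninitializedData;     // 0x24: total size of uninitialized-data sections; occupies no file space, allocated when the image is loaded
    DWORD AddressOfEntryPoint;         // 0x28: entry point RVA (distance from the loaded image base). Packers and malware routinely redirect this to gain control first; an entry point outside any code section is a red flag. 0 for a DLL with no entry function; for drivers it is the initialization routine.
    DWORD BaseOfCode;                  // 0x2C: RVA of the first code section (normally right after the headers)
    DWORD BaseOfData;                  // 0x30: RVA of the first data section. NOTE(review): PE32+ has no BaseOfData -- confirm against IMAGE_OPTIONAL_HEADER64, which is not on this page.
    //
    // NT additional fields.
    //
    DWORD ImageBase;                   // 0x34: preferred load address; the loader may relocate the image (see IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    DWORD SectionAlignment;            // 0x38: section alignment in memory, typically 0x1000 (4096). NOTE(review): the PE spec requires SectionAlignment >= FileAlignment -- enforce it when parsing.
    DWORD FileAlignment;               // 0x3C: section alignment in the file, typically 0x200 (512, one sector); 0x1000 is also seen
    WORD MajorOperatingSystemVersion;  // 0x40: required OS version
    WORD MinorOperatingSystemVersion;  // 0x42
    WORD MajorImageVersion;            // 0x44: version of this image
    WORD MinorImageVersion;            // 0x46
    WORD MajorSubsystemVersion;        // 0x48: required subsystem version
    WORD MinorSubsystemVersion;        // 0x4A
    DWORD Win32VersionValue;           // 0x4C: unused, must be 0
    DWORD SizeOfImage;                 // 0x50: size of the whole mapped image, rounded to SectionAlignment; bound every RVA against it
    DWORD SizeOfHeaders;               // 0x54: size of all headers plus the section table; check it fits inside the file
    DWORD CheckSum;                    // 0x58: image checksum; usually 0 for EXEs, but per the original note DLLs and SYS (drivers) must carry a correct value
    WORD Subsystem;                    // 0x5C: IMAGE_SUBSYSTEM_* value (GUI, CUI, NATIVE, EFI, ...)
    WORD DllCharacteristics;           // 0x5E: IMAGE_DLLCHARACTERISTICS_* flags. Despite the name this field exists for every image; it is where ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) are opted into.
    DWORD SizeOfStackReserve;          // 0x60: stack reserved for the initial thread (default 1 MiB)
    DWORD SizeOfStackCommit;           // 0x64: stack committed up front (default 4 KiB)
    DWORD SizeOfHeapReserve;           // 0x68: default heap reservation (default 1 MiB)
    DWORD SizeOfHeapCommit;            // 0x6C: default heap commit (default 4 KiB)
    DWORD LoaderFlags;                 // 0x70: loader flags, normally 0
    DWORD NumberOfRvaAndSizes;         // 0x74: number of valid DataDirectory entries. The array below is fixed at IMAGE_NUMBEROF_DIRECTORY_ENTRIES; clamp this value to that constant before indexing, or a crafted file walks past the header.
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // 0x78: data directories (export, import, resource, ...; indices are IMAGE_DIRECTORY_ENTRY_*)
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;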


#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b // PE32 value of IMAGE_OPTIONAL_HEADER.Magic; 0x20b marks PE32+ and 0x107 a ROM image (see the Magic field above)

//
// Directory format.
//

/*
 * IMAGE_DATA_DIRECTORY -- one entry of IMAGE_OPTIONAL_HEADER.DataDirectory[]:
 * where a table lives (VirtualAddress, an RVA) and how long it is (Size, bytes).
 * NOTE(review): per the PE spec the certificate entry (IMAGE_DIRECTORY_ENTRY_SECURITY,
 * index 4) holds a raw file offset instead of an RVA -- confirm before converting it.
 * Both values are untrusted: check VirtualAddress + Size (without overflow) against
 * SizeOfImage -- or the file size for the file-offset case -- before reading.
 */
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; // RVA of the table (file offset for the certificate table, see above)
DWORD Size; // length of the table in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 // fixed length of DataDirectory[]; clamp NumberOfRvaAndSizes to this before indexing the array

0 Export table address and size 78h~7Ch 导出表地址和大小
1 Import table address and size 80h~84h 导入表地址和大小
2 Resource table address and size 88h~8Ch 资源表地址和大小
3 Exception table address and size 90h~94h 异常表地址和大小
4 Certificate table address and size 98h~9Ch 属性证书数据地址和大小（注意：该项的 VirtualAddress 是文件偏移，而不是 RVA）
5 Base relocation table address and size A0h~A4h 基地址重定位表地址和大小
6 Debugging information starting address and size A8h~ACh 调试信息地址和大小
7 Architecture-specific data B0h~B4h 预留为0
8 Global pointer register relative virtual address B8h~BCh 指向全局指针寄存器的值
9 Thread local storage(TLS) table address and size C0h~C4h 线程局部存储地址和大小
10 Load configuration table address and size C8h~CCh 加载配置表地址和大小
11 Bound import table address and size D0h~D4h 绑定导入表地址和大小
12 Import address table address and size D8h~DCh 导入函数地址表地址和大小
13 Delay import descriptor address and size E0h~E4h 延迟导入表地址和大小
14 CLR Runtime Header address and size E8h~ECh CLR运行时头部数据地址和大小
15 Reserved F0h~F4h 系统保留

// Subsystem Values

// Values of IMAGE_OPTIONAL_HEADER.Subsystem: which environment the image needs
// to run in. Values 4, 6 and 15 are not assigned in this list.
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character (console) subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // Image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // Image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // Image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 // EFI application.
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 // EFI boot service driver.
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 // EFI runtime driver.
#define IMAGE_SUBSYSTEM_EFI_ROM 13 // EFI ROM image.
#define IMAGE_SUBSYSTEM_XBOX 14 // Xbox.
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16 // Windows boot application.

// DllCharacteristics Entries

// Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics. Despite the name the field
// exists in every image's optional header. This is where the per-image exploit
// mitigations are opted into -- DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA (64-bit ASLR
// entropy), NX_COMPAT (DEP), FORCE_INTEGRITY (signature enforcement), NO_SEH --
// so their absence on a shipped binary is a hardening finding.
// IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
// IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
// IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
// IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020 // Image can handle a high entropy 64-bit virtual address space (full 64-bit ASLR).
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // Image can be relocated at load time (ASLR opt-in).
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity image: the loader must verify its signature.
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX (DEP) compatible.
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it.
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image.
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER 0x1000 // Image should execute in an AppContainer.
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model.
// 0x4000 // Reserved in this listing. NOTE(review): newer SDK headers assign this bit to Control Flow Guard -- confirm against the winnt.h you build with before treating it as unused.
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000 // Image is Terminal Server aware.

// Directory Entries

// Indices into IMAGE_OPTIONAL_HEADER.DataDirectory[]. Index 15 is reserved and
// has no name here; index 7 was formerly COPYRIGHT on x86. Before using any
// entry, check the index is below NumberOfRvaAndSizes (itself clamped to
// IMAGE_NUMBEROF_DIRECTORY_ENTRIES) and that the entry's range fits the image.
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory (attribute certificate table). NOTE(review): its VirtualAddress is a file offset, not an RVA -- confirm against the PE spec before converting.
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor (CLR header)