Dos头标志
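// DOS header magic: the bytes 'M','Z' at file offset 0, read as a little-endian WORD.
// The value is 0x5A4D (as the e_magic comment in IMAGE_DOS_HEADER also states);
// 0x4D5A is the byte order as it appears in a hex dump, and a check of
// e_magic against it never matches a real executable.
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ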
Dos_MZ头
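// Legacy MS-DOS header at file offset 0. Only e_magic and e_lfanew matter to a
// PE parser; everything else is kept for the DOS stub. Offsets in the comments
// are relative to the start of the file.
typedef struct _IMAGE_DOS_HEADER {  // DOS .EXE header
    WORD e_magic;       // +00h Magic number: must be IMAGE_DOS_SIGNATURE (0x5A4D, ASCII "MZ")
    WORD e_cblp;        // Bytes on last page of file
    WORD e_cp;          // Pages in file
    WORD e_crlc;        // Relocations
    WORD e_cparhdr;     // Size of header in paragraphs
    WORD e_minalloc;    // Minimum extra paragraphs needed
    WORD e_maxalloc;    // Maximum extra paragraphs needed
    WORD e_ss;          // Initial (relative) SS value
    WORD e_sp;          // Initial SP value
    WORD e_csum;        // Checksum
    WORD e_ip;          // Initial IP value
    WORD e_cs;          // Initial (relative) CS value
    WORD e_lfarlc;      // File address of relocation table
    WORD e_ovno;        // Overlay number
    WORD e_res[4];      // Reserved words
    WORD e_oemid;       // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;     // OEM information; e_oemid specific
    WORD e_res2[10];    // Reserved words
    LONG e_lfanew;      // +3Ch File offset of the PE (NT) header. Untrusted input: range-check it
                        //      (non-negative, plus sizeof IMAGE_NT_HEADERS within the file size)
                        //      before dereferencing.
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;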
NT头
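// PE (NT) header for 32-bit images, found at IMAGE_DOS_HEADER.e_lfanew.
// Check Signature, then OptionalHeader.Magic, before interpreting the optional
// header as IMAGE_OPTIONAL_HEADER32; FileHeader.SizeOfOptionalHeader gives the
// size actually present in the file. Offsets are relative to this struct.
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // +00h Must be IMAGE_NT_SIGNATURE (0x00004550, ASCII "PE\0\0")
    IMAGE_FILE_HEADER FileHeader;           // +04h An IMAGE_FILE_HEADER
    IMAGE_OPTIONAL_HEADER32 OptionalHeader; // +18h An IMAGE_OPTIONAL_HEADER (32-bit variant)
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;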
NT头标志
// NT header signature: the bytes 'P','E',0,0 read as a little-endian DWORD.
// Compare IMAGE_NT_HEADERS.Signature against this only after e_lfanew has been
// range-checked against the file size.
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
文件头
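// COFF file header. Offsets in the comments are relative to the start of
// IMAGE_NT_HEADERS (the convention used for the NT header on this page), so
// this struct spans +04h..+17h and the optional header begins at +18h.
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;               // +04h
    WORD  NumberOfSections;      // +06h Number of section headers; bounds the section-table loop
    DWORD TimeDateStamp;         // +08h
    DWORD PointerToSymbolTable;  // +0Ch
    DWORD NumberOfSymbols;       // +10h
    WORD  SizeOfOptionalHeader;  // +14h Size of the data following this struct, i.e. the size of
                                 //      IMAGE_OPTIONAL_HEADER; the section table starts right after it
    WORD  Characteristics;       // +16h
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;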
扩展头
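// 32-bit (PE32) optional header. Offsets in the comments are relative to the
// start of IMAGE_NT_HEADERS, so Magic sits at +18h. Every size and count here
// comes from the file and must be validated before it drives a mapping or loop.
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;                        // +18h 0x010B for a 32-bit PE file, 0x020B for a 64-bit PE file
    BYTE  MajorLinkerVersion;           // +1Ah
    BYTE  MinorLinkerVersion;           // +1Bh
    DWORD SizeOfCode;                   // +1Ch
    DWORD SizeOfInitializedData;        // +20h
    DWORD SizeOfUninitializedData;      // +24h
    DWORD AddressOfEntryPoint;          // +28h RVA of the program entry point (also called the OEP)
    DWORD BaseOfCode;                   // +2Ch Starting RVA of the code section
    DWORD BaseOfData;                   // +30h Starting RVA of the data section
    DWORD ImageBase;                    // +34h Preferred load address; loading elsewhere requires relocation
    DWORD SectionAlignment;             // +38h Section alignment once mapped in memory, typically 0x1000
    DWORD FileAlignment;                // +3Ch Section alignment in the file, typically 0x200
    WORD  MajorOperatingSystemVersion;  // +40h
    WORD  MinorOperatingSystemVersion;  // +42h
    WORD  MajorImageVersion;            // +44h
    WORD  MinorImageVersion;            // +46h
    WORD  MajorSubsystemVersion;        // +48h
    WORD  MinorSubsystemVersion;        // +4Ah
    DWORD Win32VersionValue;            // +4Ch
    DWORD SizeOfImage;                  // +50h Total size of the image once mapped into memory
    DWORD SizeOfHeaders;                // +54h Size of MS-DOS header + PE header + section table, typically 0x400
    DWORD CheckSum;                     // +58h Image checksum
    WORD  Subsystem;                    // +5Ch
    WORD  DllCharacteristics;           // +5Eh DLL characteristic flags; includes the flag that enables a
                                        //      randomized load base (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    DWORD SizeOfStackReserve;           // +60h
    DWORD SizeOfStackCommit;            // +64h
    DWORD SizeOfHeapReserve;            // +68h
    DWORD SizeOfHeapCommit;             // +6Ch
    DWORD LoaderFlags;                  // +70h
    DWORD NumberOfRvaAndSizes;          // +74h Number of data directory entries; clamp to
                                        //      IMAGE_NUMBEROF_DIRECTORY_ENTRIES before indexing DataDirectory
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // +78h Data directory table
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;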
数据目录表
// Indices into IMAGE_OPTIONAL_HEADER.DataDirectory[]. Before using an entry,
// check the index against NumberOfRvaAndSizes and the fixed array bound.
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export table
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import table
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resources
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception handling
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security (certificate table; its VirtualAddress is a file offset, not an RVA)
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base relocation table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug information
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture-specific data (the original note labels it copyright information; historically the x86 COPYRIGHT slot)
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
// One entry of IMAGE_OPTIONAL_HEADER.DataDirectory[]. Both fields come from the
// file: convert the RVA through the section table and check VirtualAddress + Size
// for overflow and against the image bounds before reading the data.
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; // RVA of the data
    DWORD Size;           // Size of the data in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
导入表
// One import descriptor per imported DLL. The array (at the IMPORT data
// directory) is terminated by an all-zero descriptor; a parser should also stop
// at the end of the directory's Size rather than trusting the terminator alone.
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;    // 0 for terminating null import descriptor
        DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    } DUMMYUNIONNAME;
    DWORD TimeDateStamp;          // 0 if not bound,
                                  // -1 if bound, and real date\time stamp
                                  // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                  // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD ForwarderChain;         // -1 if no forwarders
    DWORD Name;                   // RVA of the NUL-terminated DLL name
    DWORD FirstThunk;             // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
导出表
// Export directory (at the EXPORT data directory). NumberOfFunctions and
// NumberOfNames bound the three tables below; they are file-controlled, so
// validate each table's RVA and extent before walking it.
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Name;                   // RVA of the module name
    DWORD Base;                   // Starting ordinal number
    DWORD NumberOfFunctions;      // Entries in the AddressOfFunctions table
    DWORD NumberOfNames;          // Entries in the AddressOfNames / AddressOfNameOrdinals tables
    DWORD AddressOfFunctions;     // RVA from base of image
    DWORD AddressOfNames;         // RVA from base of image
    DWORD AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
资源表
// Resource directory node. The entry array that follows this header has
// NumberOfNamedEntries + NumberOfIdEntries elements; bound the walk by the
// RESOURCE data directory's Size, since the tree is file-controlled and may
// be malformed or self-referential.
typedef struct _IMAGE_RESOURCE_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    WORD  NumberOfNamedEntries;   // Entries identified by name
    WORD  NumberOfIdEntries;      // Entries identified by integer ID
    // IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
重定位表
0000 0000 ...
调试表
// One debug directory entry (the DEBUG data directory holds an array of these).
// Note the two locations of the payload: AddressOfRawData is an RVA, while
// PointerToRawData is a file offset; check SizeOfData against the file before
// reading either.
typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Type;             // Debug information format
    DWORD SizeOfData;       // Size of the debug data in bytes
    DWORD AddressOfRawData; // RVA of the debug data when mapped
    DWORD PointerToRawData; // File offset of the debug data
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
区段表
// Section table entry; NumberOfSections of these follow the optional header.
// PointerToRawData + SizeOfRawData and VirtualAddress + Misc.VirtualSize are
// file-controlled ranges: check them for overflow and against the file size /
// SizeOfImage before copying or mapping the section.
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // Section name (not guaranteed NUL-terminated)
    union {
        DWORD PhysicalAddress;          // Always 0 per the original note (not used for images)
        DWORD VirtualSize;              // Actual size of the section data in use
    } Misc;                             // (i.e. the real size before alignment padding)
    DWORD VirtualAddress;               // RVA at which the section is loaded in memory
    DWORD SizeOfRawData;                // Size the section occupies in the file on disk
    DWORD PointerToRawData;             // File offset of the section data
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;          // Number of relocations pointed to by PointerToRelocations
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;              // Section attributes (flags)
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
