PE文件结构

PE头

typedef struct _IMAGE_NT_HEADERS {
  DWORD                 Signature;  PE头标识 为固定的ascii码 PE\0\0
  IMAGE_FILE_HEADER     FileHeader;  标准PE头
  IMAGE_OPTIONAL_HEADER OptionalHeader;  扩展PE头
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

标准PE头结构

typedef struct _IMAGE_FILE_HEADER {
  WORD  Machine;  PE文件运行的平台类型
  WORD  NumberOfSections;  文件中"节"的数量
  DWORD TimeDateStamp;
  DWORD PointerToSymbolTable;
  DWORD NumberOfSymbols;
  WORD  SizeOfOptionalHeader;  扩展PE头的长度
  WORD  Characteristics;   文件属性 如:DLL文件, EXE文件等
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

Characteristics属性位的含义

扩展PE头结构

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD                 Magic;  魔术字,说明文件的类型 10bH表示32位的PE文件  20bH表示64位的PE文件  107H表示ROM映像
  BYTE                 MajorLinkerVersion;
  BYTE                 MinorLinkerVersion;
  DWORD                SizeOfCode;
  DWORD                SizeOfInitializedData;
  DWORD                SizeOfUninitializedData;
  DWORD                AddressOfEntryPoint;
  DWORD                BaseOfCode;
  DWORD                BaseOfData;
  DWORD                ImageBase;
  DWORD                SectionAlignment;
  DWORD                FileAlignment;
  WORD                 MajorOperatingSystemVersion;
  WORD                 MinorOperatingSystemVersion;
  WORD                 MajorImageVersion;
  WORD                 MinorImageVersion;
  WORD                 MajorSubsystemVersion;
  WORD                 MinorSubsystemVersion;
  DWORD                Win32VersionValue;
  DWORD                SizeOfImage;
  DWORD                SizeOfHeaders;
  DWORD                CheckSum;
  WORD                 Subsystem;
  WORD                 DllCharacteristics;
  DWORD                SizeOfStackReserve;
  DWORD                SizeOfStackCommit;
  DWORD                SizeOfHeapReserve;
  DWORD                SizeOfHeapCommit;
  DWORD                LoaderFlags;
  DWORD                NumberOfRvaAndSizes;
  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;