【转】PE文件格式 - [Windows]

PE格式概貌,以下只是PE格式的大致结构

  +---------------+   
  |   DOS   MZ   header   |     
  +---------------+   
  |   DOS   stub             |   
  +---------------+     
  |   PE   header           |   
  +---------------+   
  |   Section   table   |   
  +---------------+     
  |   Section   1           |   
  +---------------+   
  |   Section   2           |   
  +---------------+     
  |   Section   ...       |   
  +---------------+   
  |   Section   n           |   
  +---------------+    


  1)   DOS   MZ   header   
  这一模块有64个字节(大都如此),我们所关心的是开始和结尾的四个字节.   
  开始的四个字节是 16BIT的标志位IMAGE_DOS_HEADER   4D   5A(ASC2码就是'MZ') 
  最后的四个字节是 从文件起始到PE header模块的偏移量.    


  2)   DOS   STUB   
  这一模块没有什么好说的.实际上是个有效的EXE,在不支持 PE文件格式的操作系统中,   
  它将简单显示一个错误提示,类似于字符串   "This program requires Windows"     

  
  3)   PE   header   
  这一模块比较重要.包含很多重要的信息(如:支持在什么样的机器上运行,有多少section   
  是EXE还是DLL等.这个模块的起始地址可由DOS MZ header模块的的最后四个字节读出。   
  如读到的是 E0  00  00  00则此模块的起始地址是0000000E,这样PE LOADER可根据此地址跳过   
  DOS  STUB直接定位到此模块。 

  4)   section table   
  PE格式真正的内容都是以section为单位的,section  table是一个结构数组,该数组中成员的   
  个数就是该文件的SECTION个数,由PE  header模块读出。每个SECTION对应一个结构其   
  包含对应节的属性、文件偏移量、虚拟偏移量等。   
    
  5)   以下就是各个SECTION的内容了 比如:

.text section 其中包含着代码,所有 OBJ 文件中的代码都被合并到这个section 里。

.data section 中为所有已初始化的数据以及静态的数据;

.bss section 里装的是未初始化的数据;

.rdata section 里包含字符串和常量之类的只读数据还有其它只读结构,如 debug directory(.pdb 文件的路径,见下文dumpbin /headers xxx.exe文件内容、 Thread Local Storage (TLS) directory 等等,

.edata section 里保存着从 DLL 中 exported 的函数的信息;(用dumpbin查找了几个DLL,发现竟然没有.edata section,通过查看export directory 发现,export信息被放在了.rdata section。见此文章评论

.idata section 则保存着从可执行文件/DLL 中的 imported 函数的信息。

.rsrc section 包含着各种资源的数据,比如菜单和对话框。

.reloc section 保存着加载程序时所需的重定位信息。
    
 了解了大概的模块让我们看看PE LOADER的装载顺序:.当PE文件被执行,PE装载器检查DOS MZ header 里的PE header 偏移量。 如果找到,则跳转到PE header。PE装载器检查 PE header 的有效性。如果有效,就跳转到PE header的尾部。紧跟PE header 的是节表。PE装载器读取其中的节信息,并采用文件映射方法将这些节映射到内存,同时付上节表里指定的节属性。PE文件映射入内存后,PE装载器将处理PE文件中类似 import  table(引入表)逻辑部分。

版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://cjbskysea.blogbus.com/logs/74906879.html

具体数据结构:

1.Image DOS HeaderDOS Stub是为了兼容DOS系统

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header

    WORD   e_magic;                     // Magic number ‘M’’Z’

    WORD   e_cblp;                      // Bytes on last page of file

    WORD   e_cp;                        // Pages in file

    WORD   e_crlc;                      // Relocations

    WORD   e_cparhdr;                   // Size of header in paragraphs

    WORD   e_minalloc;                  // Minimum extra paragraphs needed

    WORD   e_maxalloc;                  // Maximum extra paragraphs needed

    WORD   e_ss;                        // Initial (relative) SS value

    WORD   e_sp;                        // Initial SP value

    WORD   e_csum;                      // Checksum

    WORD   e_ip;                        // Initial IP value

    WORD   e_cs;                        // Initial (relative) CS value

    WORD   e_lfarlc;                    // File address of relocation table

    WORD   e_ovno;                      // Overlay number

    WORD   e_res[4];                    // Reserved words

    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)

    WORD   e_oeminfo;                   // OEM information; e_oemid specific

    WORD   e_res2[10];                  // Reserved words

    LONG   e_lfanew;                    // File address of new exe header

  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

a) e_ipe_cs指向DOS StubDOS StubDOS下运行的一小段代码,输出”This programme cannot be run in DOS”,然后退出程序。

b)  windows有用参数为e_lfanew,标识了IMAGE_NT_HEADERSPE文件中的偏移。

2.PE File HeaderPE文件的真正文件头

typedef struct _IMAGE_NT_HEADERS {

    DWORD Signature;//0x00004550à’P’ ‘E’ ‘\0’ ‘\0’

    IMAGE_FILE_HEADER FileHeader;

    IMAGE_OPTIONAL_HEADER32 OptionalHeader;

} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

a)Image Header

typedef struct _IMAGE_FILE_HEADER {

    WORD    Machine;

    WORD    NumberOfSections;

    DWORD   TimeDateStamp;

    DWORD   PointerToSymbolTable;

    DWORD   NumberOfSymbols;

    WORD    SizeOfOptionalHeader;

    WORD    Characteristics;

} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

b) Image Optional Header

typedef struct _IMAGE_OPTIONAL_HEADER {

    //

    // Standard fields.

    //

 

    WORD    Magic;

    BYTE    MajorLinkerVersion;

    BYTE    MinorLinkerVersion;

    DWORD   SizeOfCode;

    DWORD   SizeOfInitializedData;

    DWORD   SizeOfUninitializedData;

    DWORD   AddressOfEntryPoint;

    DWORD   BaseOfCode;

    DWORD   BaseOfData;

 

    //

    // NT additional fields.

    //

 

    DWORD   ImageBase;//Preferred address of the first byte of the image when it is loaded in memory.  The default value for DLLs is 0x10000000. The default value for applications is 0x00400000.

    DWORD   SectionAlignment;

    DWORD   FileAlignment;

    WORD    MajorOperatingSystemVersion;

    WORD    MinorOperatingSystemVersion;

    WORD    MajorImageVersion;

    WORD    MinorImageVersion;

    WORD    MajorSubsystemVersion;

    WORD    MinorSubsystemVersion;

    DWORD   Win32VersionValue;

    DWORD   SizeOfImage;

    DWORD   SizeOfHeaders;

    DWORD   CheckSum;

    WORD    Subsystem;

    WORD    DllCharacteristics;

    DWORD   SizeOfStackReserve;

    DWORD   SizeOfStackCommit;

    DWORD   SizeOfHeapReserve;

    DWORD   SizeOfHeapCommit;

    DWORD   LoaderFlags;

    DWORD   NumberOfRvaAndSizes;

    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];

} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

 

typedef struct _IMAGE_DATA_DIRECTORY {

    DWORD   VirtualAddress;

    DWORD   Size;

} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

3.Section Table:保存各段的基本信息

typedef struct _IMAGE_SECTION_HEADER {

    BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];

    union {

            DWORD   PhysicalAddress;

            DWORD   VirtualSize;

    } Misc;

    DWORD   VirtualAddress;

    DWORD   SizeOfRawData;

    DWORD   PointerToRawData;

    DWORD   PointerToRelocations;

    DWORD   PointerToLinenumbers;

    WORD    NumberOfRelocations;

    WORD    NumberOfLinenumbers;

    DWORD   Characteristics;

} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

4. 各段具体内容

5.dumpbin /headers xxx.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file 4.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               6 number of sections
        4E3F472D time date stamp Mon Aug 08 10:17:17 2011
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             103 characteristics
                   Relocations stripped
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            8.00 linker version
           58000 size of code
           16000 size of initialized data
               0 size of uninitialized data
           2BD8E entry point (0042BD8E) @ILT+3465(_main)
            1000 base of code
            1000 base of data
          400000 image base (00400000 to 00498FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           99000 size of image
            1000 size of headers
               0 checksum
               3 subsystem (Windows CUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           97000 [      28] RVA [size] of Import Directory
           98000 [     C09] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
           83C50 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           97210 [     1E8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
.textbss name
   29AED virtual size
    1000 virtual address (00401000 to 0042AAEC)
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E00000A0 flags
         Code
         Uninitialized Data
         Execute Read Write

SECTION HEADER #2
   .text name
   57748 virtual size
   2B000 virtual address (0042B000 to 00482747)
   58000 size of raw data
    1000 file pointer to raw data (00001000 to 00058FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #3
  .rdata name
    FAE1 virtual size
   83000 virtual address (00483000 to 00492AE0)
   10000 size of raw data
   59000 file pointer to raw data (00059000 to 00068FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Debug Directories

        Time Type       Size      RVA  Pointer
    -------- ------ -------- -------- --------
    4E3F472A cv           2D 00090F18    66F18    Format: RSDS, {220901B2-E313-4B36-8F2F-DAA133F4CA37}, 2, e:\tmp\4\debug\4.pdb

SECTION HEADER #4
   .data name
    3914 virtual size
   93000 virtual address (00493000 to 00496913)
    2000 size of raw data
   69000 file pointer to raw data (00069000 to 0006AFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #5
  .idata name
     C64 virtual size
   97000 virtual address (00497000 to 00497C63)
    1000 size of raw data
   6B000 file pointer to raw data (0006B000 to 0006BFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #6
   .rsrc name
     C09 virtual size
   98000 virtual address (00498000 to 00498C08)
    1000 size of raw data
   6C000 file pointer to raw data (0006C000 to 0006CFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Summary

        4000 .data
        1000 .idata
       10000 .rdata
        1000 .rsrc
       58000 .text
       2A000 .textbss

  


  


  

 

 

  



posted @ 2011-08-01 11:25  iThinking  阅读(689)  评论(0编辑  收藏  举报