作者:真实的姜伯约_832 | 来源:互联网 | 2024-12-12 18:57
原作者:小甲鱼
(注:最左边是文件头的偏移量。)
IMAGE_DOS_HEADER STRUCT
{
+0h WORD e_magic // Magic DOS signature MZ(4Dh 5Ah) DOS可执行文件标记
+2h WORD e_cblp // Bytes on last page of file
+4h WORD e_cp // Pages in file
+6h WORD e_crlc // Relocations
+8h WORD e_cparhdr // Size of header in paragraphs
+0ah WORD e_minalloc // Minimun extra paragraphs needs
+0ch WORD e_maxalloc // Maximun extra paragraphs needs
+0eh WORD e_ss // intial(relative)SS value DOS代码的初始化堆栈SS
+10h WORD e_sp // intial SP value DOS代码的初始化堆栈指针SP
+12h WORD e_csum // Checksum
+14h WORD e_ip // intial IP value DOS代码的初始化指令入口[指针IP]
+16h WORD e_cs // intial(relative)CS value DOS代码的初始堆栈入口
+18h WORD e_lfarlc // File Address of relocation table
+1ah WORD e_ovno // Overlay number
+1ch WORD e_res[4] // Reserved words
+24h WORD e_oemid // OEM identifier(for e_oeminfo)
+26h WORD e_oeminfo // OEM information;e_oemid specific
+29h WORD e_res2[10] // Reserved words
+3ch DWORD e_lfanew // Offset to start of PE header 指向PE文件头
} IMAGE_DOS_HEADER ENDS
PE Header 是PE相关结构NT映像头(IMAGE_NT_HEADER)的简称,里边包含着许多PE装载器用到的重要字段。下边小甲鱼将为大家详细讲解哈~
首先是IMAGE_NT_HEADERS 结构的定义:(啥?结构不会,先看看小甲鱼童鞋的《零基础入门学习C语言》关于结构方面的章节吧~)
IMAGE_NT_HEADERS STRUCT
{
+0h DWORDSignature +4h IMAGE_FILE_HEADER FileHeader +18h IMAGE_OPTIONAL_HEADER32OptionalHeader } IMAGE_NT_HEADERS ENDS
Signature字段:
在一个有效的 PE 文件里,Signature 字段被设置为00004550h, ASCII 码字符是“PE00”。标志这 PE 文件头的开始。
“PE00” 字符串是 PE 文件头的开始,DOS 头部的 e_lfanew 字段正是指向这里。
如下图所示:
IMAGE_FILE_HEADER 结构
typedef struct _IMAGE_FILE_HEADER
{
+04h WORD Machine; // 运行平台
+06h WORD NumberOfSections; // 文件的区块数目
+08h DWORD TimeDateStamp; // 文件创建日期和时间
+0Ch DWORD PointerToSymbolTable; // 指向符号表(主要用于调试)
+10h DWORD NumberOfSymbols; // 符号表中符号个数(同上)
+14h WORD SizeOfOptionalHeader; // IMAGE_OPTIONAL_HEADER32 结构大小
+16h WORD Characteristics; // 文件属性
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
该结构如下图所示:
下边,小甲鱼童鞋为大家详细解释各个成员的含义和用法:
(1)Machine:可执行文件的目标CPU类型。
Value |
Meaning |
IMAGE_FILE_MACHINE_I386
0x014c
|
x86 |
IMAGE_FILE_MACHINE_IA64
0×0200
|
Intel Itanium |
IMAGE_FILE_MACHINE_AMD64
0×8664
|
x64 |
(2)NumberOfSection: 区块的数目。(注:区块表是紧跟在 IMAGE_NT_HEADERS 后边的)
(3)TimeDataStamp: 表明文件是何时被创建的。
这个值是自1970年1月1日以来用格林威治时间(GMT)计算的秒数,这个值是比文件系统(FILESYSTEM)的日期时间更加精确的指示器。如
何将这个值翻译请看:传送门
提示:VC的话可以用_ctime 函数或者 gmtime 函数。
(4)PointerToSymbolTable: COFF 符号表的文件偏移位置,现在基本没用了。
(5)NumberOfSymbols: 如果有COFF 符号表,它代表其中的符号数目,COFF符号是一个大小固定的结构,如果想找到COFF 符号表的结束位置,则需要这个变量。
(6)SizeOfOptionalHeader: 紧跟着IMAGE_FILE_HEADER 后边的数据结构(IMAGE_OPTIONAL_HEADER)的大小。(对于32位PE文件,这个值通常是00E0h;对于64位PE32+文件,这个值是00F0h )。
(7)Characteristics: 文件属性,有选择的通过几个值可以运算得到。( 这些标志的有效值是定义于 winnt.h 内的 IMAGE_FILE_** 的值,具体含义见下表。
普通的EXE文件这个字段的值一般是 0100h,DLL文件这个字段的值一般是 210Eh。)小甲鱼温馨提示:多种属性可以通过 “或运算” 使得同时拥有!
The characteristics of the image. This member can be one or more of the following values.
Value |
Meaning |
IMAGE_FILE_RELOCS_STRIPPED
0×0001
|
Relocation information was stripped from the file. The file must be loaded at its preferredbase address. If the base address is notavailable, the loader reports an error. |
IMAGE_FILE_EXECUTABLE_IMAGE
0×0002
|
The file is executable (there are no unresolved external references). |
IMAGE_FILE_LINE_NUMS_STRIPPED
0×0004
|
COFF line numbers were stripped from the file. |
IMAGE_FILE_LOCAL_SYMS_STRIPPED
0×0008
|
COFF symbol table entries were stripped from file. |
IMAGE_FILE_AGGRESIVE_WS_TRIM
0×0010
|
Aggressively trim the working set. This value is obsolete as of Windows 2000. |
IMAGE_FILE_LARGE_ADDRESS_AWARE
0×0020
|
The application can handle addresses larger than 2 GB. |
IMAGE_FILE_BYTES_REVERSED_LO
0×0080
|
The bytes of the word are reversed. This flag is obsolete. |
IMAGE_FILE_32BIT_MACHINE
0×0100
|
The computer supports 32-bit words. |
IMAGE_FILE_DEBUG_STRIPPED
0×0200
|
Debugging information was removed and stored separately in another file. |
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
0×0400
|
If the image is on removable media, copy it toand run it from the swap file. |
IMAGE_FILE_NET_RUN_FROM_SWAP
0×0800
|
If the image is on the network, copy it to and run it from the swap file. |
IMAGE_FILE_SYSTEM
0×1000
|
The image is a system file. |
IMAGE_FILE_DLL
0×2000
|
The image is a DLL file. While it is an executable file, it cannot be run directly. |
IMAGE_FILE_UP_SYSTEM_ONLY
0×4000
|
The file should be run only on a uniprocessor computer. |
IMAGE_FILE_BYTES_REVERSED_HI
0×8000
|
来源: >
京公网安备 11010802041100号