|
Offset
|
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
|
|
00000000
00000010
00000020
00000030
|
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00
|
MZ?..........
?......@.......
................
............?..
|
|
00000040
00000050
00000060
00000070
00000080
00000090
000000A0
|
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
5D 65 FD C8 19 04 93 9B 19 04 93 9B 19 04 93 9B
97 1B 80 9B 11 04 93 9B E5 24 81 9B 18 04 93 9B
52 69 63 68 19 04 93 9B 00 00 00 00 00 00 00 00
|
..?.???L?Th
is program canno
t be run in DOS
mode....$.......
]e..摏..摏..摏
?€?.摏?仜..摏
Rich..摏........
|
|
000000B0
000000C0
000000D0
000000E0
000000f0
00000100
00000110
00000120
00000130
00000140
00000150
00000160
00000170
00000180
00000190
000001A0
|
50 45 00 00 4C 01 03 00 3E FD 24 45 00 00 00 00
00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00
00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
14 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 20 00 00 14 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00
|
PE..L...>?E....
....?..........
................
. ....@.........
................
.@..............
................
................
. ..<...........
................
................
................
................
......... ......
................
.........text...
|
|
000001B0
000001C0
000001D0
000001E0
000001F0
00000200
00000210
…………
|
30 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0
2E 72 64 61 74 61 00 00 A6 00 00 00 00 20 00 00
00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00
42 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0
節表
|
0...............
............ ..?
.rdata..?... ..
................
....@[email protected]...
B....0..........
............@..
|
|
00000400
…………
000009F0
|
節文件數據
|
|
|
|
DOS頭(DOS MZ header):它是一個IMAGE_DOS_HEADER結構,定義如下:
IMAGE_DOS_HEADER STRUCT ;64個字節
e_magic WORD ? ;DOS頭標記,其值固定爲5A4Dh
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup(?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup(?)
e_lfanew DWORD ? ;指向 PE header 的文件偏移量
IMAGE_DOS_HEADER ENDS
|
|
DOS代碼(DOS stub)
|
|
|
|
|
PE頭(PE header):它是一個IMAGE_NT_HEADERS 結構,定義如下:
IMAGE_NT_HEADERS STRUCT
Signature DWORD ? ;PE頭標記
FileHeader IMAGE_FILE_HEADER <> ;文件頭/20個字節
OptionalHeader IMAGE_OPTIONAL_HEADER32 <> ;任選頭
IMAGE_NT_HEADERS ENDS
|
|
文件頭(FileHeader):它是一個IMAGE_FILE_HEADER結構,定義如下:
IMAGE_FILE_HEADER STRUCT ;20個字節
Machine WORD ?
NumberOfSections WORD ? ;文件的節數目
TimeDateStamp DWORD ? ;文件創建日期和時間
PointerToSymbolTable DWORD ?
NumberOfSymbols DWORD ?
SizeOfOptionalHeader WORD ? ; 指示緊隨本結構之後的OptionalHeader 結構大小
Characteristics WORD ?; 關於文件信息的標記,比如文件是exe還是dll
IMAGE_FILE_HEADER ENDS
|
|
任選頭(OptionalHeader):它是一個IMAGE_OPTIONAL_HEADER32結構,定義如下:
IMAGE_OPTIONAL_HEADER32 STRUCT
Magic WORD ?
MajorLinkerVersion BYTE ?
MinorLinkerVersion BYTE ?
SizeOfCode DWORD ?
SizeOfInitializedData DWORD ?
SizeOfUninitializedData DWORD ?
AddressOfEntryPoint DWORD ?; PE裝載器準備運行的第一個指令的RVA
BaseOfCode DWORD ?
BaseOfData DWORD ?
ImageBase DWORD ?; PE文件的優先裝載地址(映像基址)
SectionAlignment DWORD ?; 內存中節對齊的粒度
FileAlignment DWORD ?; 文件中節對齊的粒度
MajorOperatingSystemVersion WORD ?
MinorOperatingSystemVersion WORD ?
MajorImageVersion WORD ?
MinorImageVersion WORD ?
MajorSubsystemVersion WORD ?
MinorSubsystemVersion WORD ?
Win32VersionValue DWORD ?
SizeOfImage DWORD ?; 內存中整個PE映像體的尺寸
SizeOfHeaders DWORD ?; 所有頭+節表的大小
CheckSum DWORD ?
Subsystem WORD ?; NT用來識別PE文件屬於哪個子系統
DllCharacteristics WORD ?
SizeOfStackReserve DWORD ?
SizeOfStackCommit DWORD ?
SizeOfHeapReserve DWORD ?
SizeOfHeapCommit DWORD ?
LoaderFlags DWORD ?
NumberOfRvaAndSizes DWORD ?
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>);數據目錄
IMAGE_OPTIONAL_HEADER32 ENDS
|
|
數據目錄(DataDirectory):它是一個IMAGE_DATA_DIRECTORY結構,定義如下:
IMAGE_DATA_DIRECTORY STRUCT
VirtualAddress DWORD ?;指向 IMAGE_IMPORT_DESCRIPTOR 數組的RVA
isize DWORD ?
IMAGE_DATA_DIRECTORY ENDS
|
|
節表(Section table):它是一個IMAGE_SECTION_HEADER結構,定義如下
IMAGE_SECTION_HEADER STRUCT ;40個字節
Name1 db 8 dup(?) ;節名
union Misc
PhysicalAddress dd ?
VirtualSize dd ?
ends
VirtualAddress dd ?; 本節的RVA(相對虛擬地址)
SizeOfRawData dd ?; 經過文件對齊處理後節尺寸
PointerToRawData dd ?; 這是節基於文件的偏移量
PointerToRelocations dd ?
PointerToLinenumbers dd ?
NumberOfRelocations dw ?
NumberOfLinenumbers dw ?
Characteristics dd ?; 包含標記以指示節屬性
IMAGE_SECTION_HEADER ENDS: