PE文件结构的一些相关定义
2010-11-05 21:38
288 查看
IMAGE_PE_FILE {
IMAGE_DOS_HEADER image_dos_header{
WORD e_magic;
WORD e_cblp;
WORD e_cp;
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;
WORD e_sp;
WORD e_csum;
WORD e_ip;
WORD e_cs;
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
LONG e_lfanew; }
IMAGE_NT_HEADER image_nt_header{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader; }
IMAGE_SECTION_HEADER image_section_header{
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics; }
} /*PE FILE END*/
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[16];
/*其实就是
16
个
IMAGE_DATA_DIRECTORY*/
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
PEFile.image_nt_header.OptionalHeader.DataDirectory
--------------------------------->
//指向的索引
//
指向的结构
DataDirectory[0].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[1].VirtualAddress--->IMAGE_IMPORT_DESCRIPTOR import_descriptor;
DataDirectory[2].VirtualAddress--->IMAGE_RESOURCE_DIRECTORY resource_directory;
DataDirectory[3].VirtualAddress--->IMAGE_EXCEPTION_DIRECTORY exception_directory;
//DataDirectory[4].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[5].VirtualAddress--->IMAGE_BASE_RELOCATION base_relocation;
DataDirectory[6].VirtualAddress--->IMAGE_DEBUG_DIRECTORY debug_directory;
//DataDirectory[7].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[8].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[9].VirtualAddress--->IMAGE_TLS_DIRECTORY tls_directory;
//DataDirectory[10].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[11].VirtualAddress--->IMAGE_BOUND_IMPORT_DESCRIPTOR bound_import_descriptor;
//DataDirectory[12].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[13].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[14].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[15].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
#define IMAGE_DIRECTORY_ENTRY_EXPORT
0
#define IMAGE_DIRECTORY_ENTRY_IMPORT
1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE
2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION
3
#define IMAGE_DIRECTORY_ENTRY_SECURITY
4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC
5
#define IMAGE_DIRECTORY_ENTRY_DEBUG
6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT
7
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR
8
#define IMAGE_DIRECTORY_ENTRY_TLS
9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
11
#define IMAGE_DIRECTORY_ENTRY_IAT
12
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
14
注:Section Name(Define by Microsoft)
.text 默认代码区块
.data 默认读
/
写数据块
.rdata 默认只读数据块
.idata 输入表
.edata 输出表
.rsrc 资源
.bss 未初始化数据
.crt 用于支持
C++
运行时所添加数据
(CRT)
.tls TLS数据
.reloc 可执行文件的基址重定位
.sdata 相对于全局指针的可被定位的
"
短的
"
读
/
写数据
.srdata 相对于全局指针的可被定位的
"
短的
"
只读数据
.pdata 异常表
.debug$S OBJ文件
CodeView
格式符号
.debug$T OBJ文件
CodeView
格式的类型记录
.debug$P 预编译头
.drectve 链接命令
.didat 延迟装入数据
NT头
---
可选头
---IMAGE_DATA_DIRECTORY---IMAGE_DIRECTORY_ENTRY_RESOURCE--->
IMAGE_SECTION_HEADER[](节头
/
表
)
……
节n---->IMAGE_RESOURCE_DIRECTORY_ENTRY[]---IMAGE_RESOURCE_DIRECTORY[]
-----------------0:DOS头
-----------------1:NT头
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;//PE文件头标志
:"PE/0/0"
。在开始
DOS header
的偏移
3CH
处所指向的地址开始
IMAGE_FILE_HEADER FileHeader; //PE文件物理分布的信息
IMAGE_OPTIONAL_HEADER32 OptionalHeader;//PE文件逻辑分布的信息
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
-----------------1.1:文件头
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; //该文件运行所需要的
CPU
,对于
Intel
平台是
14Ch
WORD NumberOfSections; //文件的节数目
DWORD TimeDateStamp; //文件创建日期和时间
DWORD PointerToSymbolTable; //用于调试
DWORD NumberOfSymbols; //符号表中符号个数
WORD SizeOfOptionalHeader; //OptionalHeader 结构大小
WORD Characteristics; //文件信息标记,区分文件是
exe
还是
dll
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-----------------1.2:可选头
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; //标志字
(
总是
010bh)
BYTE MajorLinkerVersion; //连接器版本号
BYTE MinorLinkerVersion; //
DWORD SizeOfCode; //代码段大小
DWORD SizeOfInitializedData; //已初始化数据块大小
DWORD SizeOfUninitializedData;//未初始化数据块大小
DWORD AddressOfEntryPoint; //PE装载器准备运行的
PE
文件的第一个指令的
RVA
,若要改变整个执行的流程,可以将该值指定到新的
RVA
,这样新
RVA
处的指令首先被执行。(许多文章都有介绍
RVA
,请去了解)
DWORD BaseOfCode; //代码段起始
RVA
DWORD BaseOfData; //数据段起始
RVA
DWORD ImageBase; //PE文件的装载地址
DWORD SectionAlignment; //块对齐
DWORD FileAlignment; //文件块对齐
WORD MajorOperatingSystemVersion;//所需操作系统版本号
WORD MinorOperatingSystemVersion;//
WORD MajorImageVersion; //用户自定义版本号
WORD MinorImageVersion; //
WORD MajorSubsystemVersion; //win32子系统版本。若
PE
文件是专门为
Win32
设计的
WORD MinorSubsystemVersion; //该子系统版本必定是
4.0
否则对话框不会有
3
维立体感
DWORD Win32VersionValue; //保留
DWORD SizeOfImage; //内存中整个
PE
映像体的尺寸
DWORD SizeOfHeaders; //所有头 节表的大小
DWORD CheckSum; //校验和
WORD Subsystem; //NT用来识别
PE
文件属于哪个子系统
WORD DllCharacteristics; //
DWORD SizeOfStackReserve; //
DWORD SizeOfStackCommit; //
DWORD SizeOfHeapReserve; //
DWORD SizeOfHeapCommit; //
DWORD LoaderFlags; //
DWORD NumberOfRvaAndSizes; //
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];//=16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
-----------------1.2.1:数据目录?
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; //表的
RVA
地址
DWORD Size; //大小
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
-----------------1.2.2数据入口
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
// 本文转自
C Builder
研究
- http://www.ccrun.com/article.asp?i=350&d=80huo6
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
-----------------1.2.2.0导出函数表?
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
-----------------1.2.2.1引入函数表
-----------------1.2.2.2资源表
-----------------1.2.2.3异常表?
-----------------1.2.2.4安全表?
-----------------1.2.2.5重定向表
-----------------1.2.2.6调试信息表
……
-----------------2:节表
(
段表
)
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//节表名称
,
如
“
.text
”
union {
DWORD PhysicalAddress; //物理地址
DWORD VirtualSize; //真实长度
} Misc;
DWORD VirtualAddress; //RVA
DWORD SizeOfRawData; //物理长度
DWORD PointerToRawData; //节基于文件的偏移量
DWORD PointerToRelocations; //重定位的偏移
DWORD PointerToLinenumbers; //行号表的偏移
WORD NumberOfRelocations; //重定位项数目
WORD NumberOfLinenumbers; //行号表的数目
DWORD Characteristics; //节属性
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
-----------------3:节
……
-----------------3.1资源目录
(_IMAGE_RESOURCE_DIRECTORY)
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
----------------3.2资源目录入口
(_IMAGE_RESOURCE_DIRECTORY_ENTRY)
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
};
DWORD Name;
WORD Id;
};
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
-----------------3.211资源目录名
typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {
WORD Length;
CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;
-----------------3.212资源目录
Unicode
名
typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
WORD Length;
WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;
-----------------3.22资源数据入口
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
DWORD OffsetToData;//偏移地址。并非在文件中的偏移
!
DWORD Size; //大小
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
-----------------9:其他
如果是在资源根目录,id
为
:
1: cursor
2: bitmap
3: icon
4: menu
5: dialog
6: string table
7: font directory
8: font
9: accelerators
10: unformatted resource data
11: message table
12: group cursor
14: group icon
16: version information NT头
---
可选头
---IMAGE_DATA_DIRECTORY---IMAGE_DIRECTORY_ENTRY_RESOURCE--->
IMAGE_SECTION_HEADER[](节头
/
表
)
……
节n---->IMAGE_RESOURCE_DIRECTORY_ENTRY[]---IMAGE_RESOURCE_DIRECTORY[]
-----------------0:DOS头
-----------------1:NT头
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;//PE文件头标志
:"PE/0/0"
。在开始
DOS header
的偏移
3CH
处所指向的地址开始
IMAGE_FILE_HEADER FileHeader; //PE文件物理分布的信息
IMAGE_OPTIONAL_HEADER32 OptionalHeader;//PE文件逻辑分布的信息
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
-----------------1.1:文件头
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; //该文件运行所需要的
CPU
,对于
Intel
平台是
14Ch
WORD NumberOfSections; //文件的节数目
DWORD TimeDateStamp; //文件创建日期和时间
DWORD PointerToSymbolTable; //用于调试
DWORD NumberOfSymbols; //符号表中符号个数
WORD SizeOfOptionalHeader; //OptionalHeader 结构大小
WORD Characteristics; //文件信息标记,区分文件是
exe
还是
dll
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-----------------1.2:可选头
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; //标志字
(
总是
010bh)
BYTE MajorLinkerVersion; //连接器版本号
BYTE MinorLinkerVersion; //
DWORD SizeOfCode; //代码段大小
DWORD SizeOfInitializedData; //已初始化数据块大小
DWORD SizeOfUninitializedData;//未初始化数据块大小
DWORD AddressOfEntryPoint; //PE装载器准备运行的
PE
文件的第一个指令的
RVA
,若要改变整个执行的流程,可以将该值指定到新的
RVA
,这样新
RVA
处的指令首先被执行。(许多文章都有介绍
RVA
,请去了解)
DWORD BaseOfCode; //代码段起始
RVA
DWORD BaseOfData; //数据段起始
RVA
DWORD ImageBase; //PE文件的装载地址
DWORD SectionAlignment; //块对齐
DWORD FileAlignment; //文件块对齐
WORD MajorOperatingSystemVersion;//所需操作系统版本号
WORD MinorOperatingSystemVersion;//
WORD MajorImageVersion; //用户自定义版本号
WORD MinorImageVersion; //
WORD MajorSubsystemVersion; //win32子系统版本。若
PE
文件是专门为
Win32
设计的
WORD MinorSubsystemVersion; //该子系统版本必定是
4.0
否则对话框不会有
3
维立体感
DWORD Win32VersionValue; //保留
DWORD SizeOfImage; //内存中整个
PE
映像体的尺寸
DWORD SizeOfHeaders; //所有头 节表的大小
DWORD CheckSum; //校验和
WORD Subsystem; //NT用来识别
PE
文件属于哪个子系统
WORD DllCharacteristics; //
DWORD SizeOfStackReserve; //
DWORD SizeOfStackCommit; //
DWORD SizeOfHeapReserve; //
DWORD SizeOfHeapCommit; //
DWORD LoaderFlags; //
DWORD NumberOfRvaAndSizes; //
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];//=16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
-----------------1.2.1:数据目录?
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; //表的
RVA
地址
DWORD Size; //大小
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
-----------------1.2.2数据入口
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
// 本文转自
C Builder
研究
- http://www.ccrun.com/article.asp?i=350&d=80huo6
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
-----------------1.2.2.0导出函数表?
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
-----------------1.2.2.1引入函数表
-----------------1.2.2.2资源表
-----------------1.2.2.3异常表?
-----------------1.2.2.4安全表?
-----------------1.2.2.5重定向表
-----------------1.2.2.6调试信息表
……
-----------------2:节表
(
段表
)
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//节表名称
,
如
“
.text
”
union {
DWORD PhysicalAddress; //物理地址
DWORD VirtualSize; //真实长度
} Misc;
DWORD VirtualAddress; //RVA
DWORD SizeOfRawData; //物理长度
DWORD PointerToRawData; //节基于文件的偏移量
DWORD PointerToRelocations; //重定位的偏移
DWORD PointerToLinenumbers; //行号表的偏移
WORD NumberOfRelocations; //重定位项数目
WORD NumberOfLinenumbers; //行号表的数目
DWORD Characteristics; //节属性
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
-----------------3:节
……
-----------------3.1资源目录
(_IMAGE_RESOURCE_DIRECTORY)
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
----------------3.2资源目录入口
(_IMAGE_RESOURCE_DIRECTORY_ENTRY)
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
};
DWORD Name;
WORD Id;
};
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
-----------------3.211资源目录名
typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {
WORD Length;
CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;
-----------------3.212资源目录
Unicode
名
typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
WORD Length;
WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;
-----------------3.22资源数据入口
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
DWORD OffsetToData;//偏移地址。并非在文件中的偏移
!
DWORD Size; //大小
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
-----------------9:其他
如果是在资源根目录,id
为
:
1: cursor
2: bitmap
3: icon
4: menu
5: dialog
6: string table
7: font directory
8: font
9: accelerators
10: unformatted resource data
11: message table
12: group cursor
14: group icon
16: version information
IMAGE_DOS_HEADER image_dos_header{
WORD e_magic;
WORD e_cblp;
WORD e_cp;
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;
WORD e_sp;
WORD e_csum;
WORD e_ip;
WORD e_cs;
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
LONG e_lfanew; }
IMAGE_NT_HEADER image_nt_header{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader; }
IMAGE_SECTION_HEADER image_section_header{
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics; }
} /*PE FILE END*/
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
DWORD TimeDateStamp;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[16];
/*其实就是
16
个
IMAGE_DATA_DIRECTORY*/
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
PEFile.image_nt_header.OptionalHeader.DataDirectory
--------------------------------->
//指向的索引
//
指向的结构
DataDirectory[0].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[1].VirtualAddress--->IMAGE_IMPORT_DESCRIPTOR import_descriptor;
DataDirectory[2].VirtualAddress--->IMAGE_RESOURCE_DIRECTORY resource_directory;
DataDirectory[3].VirtualAddress--->IMAGE_EXCEPTION_DIRECTORY exception_directory;
//DataDirectory[4].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[5].VirtualAddress--->IMAGE_BASE_RELOCATION base_relocation;
DataDirectory[6].VirtualAddress--->IMAGE_DEBUG_DIRECTORY debug_directory;
//DataDirectory[7].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[8].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[9].VirtualAddress--->IMAGE_TLS_DIRECTORY tls_directory;
//DataDirectory[10].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
DataDirectory[11].VirtualAddress--->IMAGE_BOUND_IMPORT_DESCRIPTOR bound_import_descriptor;
//DataDirectory[12].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[13].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[14].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
//DataDirectory[15].VirtualAddress--->IMAGE_EXPORT_DIRECTORY export_directory;
#define IMAGE_DIRECTORY_ENTRY_EXPORT
0
#define IMAGE_DIRECTORY_ENTRY_IMPORT
1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE
2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION
3
#define IMAGE_DIRECTORY_ENTRY_SECURITY
4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC
5
#define IMAGE_DIRECTORY_ENTRY_DEBUG
6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT
7
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR
8
#define IMAGE_DIRECTORY_ENTRY_TLS
9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
11
#define IMAGE_DIRECTORY_ENTRY_IAT
12
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
14
注:Section Name(Define by Microsoft)
.text 默认代码区块
.data 默认读
/
写数据块
.rdata 默认只读数据块
.idata 输入表
.edata 输出表
.rsrc 资源
.bss 未初始化数据
.crt 用于支持
C++
运行时所添加数据
(CRT)
.tls TLS数据
.reloc 可执行文件的基址重定位
.sdata 相对于全局指针的可被定位的
"
短的
"
读
/
写数据
.srdata 相对于全局指针的可被定位的
"
短的
"
只读数据
.pdata 异常表
.debug$S OBJ文件
CodeView
格式符号
.debug$T OBJ文件
CodeView
格式的类型记录
.debug$P 预编译头
.drectve 链接命令
.didat 延迟装入数据
NT头
---
可选头
---IMAGE_DATA_DIRECTORY---IMAGE_DIRECTORY_ENTRY_RESOURCE--->
IMAGE_SECTION_HEADER[](节头
/
表
)
……
节n---->IMAGE_RESOURCE_DIRECTORY_ENTRY[]---IMAGE_RESOURCE_DIRECTORY[]
-----------------0:DOS头
-----------------1:NT头
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;//PE文件头标志
:"PE/0/0"
。在开始
DOS header
的偏移
3CH
处所指向的地址开始
IMAGE_FILE_HEADER FileHeader; //PE文件物理分布的信息
IMAGE_OPTIONAL_HEADER32 OptionalHeader;//PE文件逻辑分布的信息
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
-----------------1.1:文件头
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; //该文件运行所需要的
CPU
,对于
Intel
平台是
14Ch
WORD NumberOfSections; //文件的节数目
DWORD TimeDateStamp; //文件创建日期和时间
DWORD PointerToSymbolTable; //用于调试
DWORD NumberOfSymbols; //符号表中符号个数
WORD SizeOfOptionalHeader; //OptionalHeader 结构大小
WORD Characteristics; //文件信息标记,区分文件是
exe
还是
dll
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-----------------1.2:可选头
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; //标志字
(
总是
010bh)
BYTE MajorLinkerVersion; //连接器版本号
BYTE MinorLinkerVersion; //
DWORD SizeOfCode; //代码段大小
DWORD SizeOfInitializedData; //已初始化数据块大小
DWORD SizeOfUninitializedData;//未初始化数据块大小
DWORD AddressOfEntryPoint; //PE装载器准备运行的
PE
文件的第一个指令的
RVA
,若要改变整个执行的流程,可以将该值指定到新的
RVA
,这样新
RVA
处的指令首先被执行。(许多文章都有介绍
RVA
,请去了解)
DWORD BaseOfCode; //代码段起始
RVA
DWORD BaseOfData; //数据段起始
RVA
DWORD ImageBase; //PE文件的装载地址
DWORD SectionAlignment; //块对齐
DWORD FileAlignment; //文件块对齐
WORD MajorOperatingSystemVersion;//所需操作系统版本号
WORD MinorOperatingSystemVersion;//
WORD MajorImageVersion; //用户自定义版本号
WORD MinorImageVersion; //
WORD MajorSubsystemVersion; //win32子系统版本。若
PE
文件是专门为
Win32
设计的
WORD MinorSubsystemVersion; //该子系统版本必定是
4.0
否则对话框不会有
3
维立体感
DWORD Win32VersionValue; //保留
DWORD SizeOfImage; //内存中整个
PE
映像体的尺寸
DWORD SizeOfHeaders; //所有头 节表的大小
DWORD CheckSum; //校验和
WORD Subsystem; //NT用来识别
PE
文件属于哪个子系统
WORD DllCharacteristics; //
DWORD SizeOfStackReserve; //
DWORD SizeOfStackCommit; //
DWORD SizeOfHeapReserve; //
DWORD SizeOfHeapCommit; //
DWORD LoaderFlags; //
DWORD NumberOfRvaAndSizes; //
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];//=16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
-----------------1.2.1:数据目录?
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; //表的
RVA
地址
DWORD Size; //大小
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
-----------------1.2.2数据入口
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
// 本文转自
C Builder
研究
- http://www.ccrun.com/article.asp?i=350&d=80huo6
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
-----------------1.2.2.0导出函数表?
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
-----------------1.2.2.1引入函数表
-----------------1.2.2.2资源表
-----------------1.2.2.3异常表?
-----------------1.2.2.4安全表?
-----------------1.2.2.5重定向表
-----------------1.2.2.6调试信息表
……
-----------------2:节表
(
段表
)
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//节表名称
,
如
“
.text
”
union {
DWORD PhysicalAddress; //物理地址
DWORD VirtualSize; //真实长度
} Misc;
DWORD VirtualAddress; //RVA
DWORD SizeOfRawData; //物理长度
DWORD PointerToRawData; //节基于文件的偏移量
DWORD PointerToRelocations; //重定位的偏移
DWORD PointerToLinenumbers; //行号表的偏移
WORD NumberOfRelocations; //重定位项数目
WORD NumberOfLinenumbers; //行号表的数目
DWORD Characteristics; //节属性
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
-----------------3:节
……
-----------------3.1资源目录
(_IMAGE_RESOURCE_DIRECTORY)
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
----------------3.2资源目录入口
(_IMAGE_RESOURCE_DIRECTORY_ENTRY)
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
};
DWORD Name;
WORD Id;
};
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
-----------------3.211资源目录名
typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {
WORD Length;
CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;
-----------------3.212资源目录
Unicode
名
typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
WORD Length;
WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;
-----------------3.22资源数据入口
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
DWORD OffsetToData;//偏移地址。并非在文件中的偏移
!
DWORD Size; //大小
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
-----------------9:其他
如果是在资源根目录,id
为
:
1: cursor
2: bitmap
3: icon
4: menu
5: dialog
6: string table
7: font directory
8: font
9: accelerators
10: unformatted resource data
11: message table
12: group cursor
14: group icon
16: version information NT头
---
可选头
---IMAGE_DATA_DIRECTORY---IMAGE_DIRECTORY_ENTRY_RESOURCE--->
IMAGE_SECTION_HEADER[](节头
/
表
)
……
节n---->IMAGE_RESOURCE_DIRECTORY_ENTRY[]---IMAGE_RESOURCE_DIRECTORY[]
-----------------0:DOS头
-----------------1:NT头
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;//PE文件头标志
:"PE/0/0"
。在开始
DOS header
的偏移
3CH
处所指向的地址开始
IMAGE_FILE_HEADER FileHeader; //PE文件物理分布的信息
IMAGE_OPTIONAL_HEADER32 OptionalHeader;//PE文件逻辑分布的信息
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
-----------------1.1:文件头
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; //该文件运行所需要的
CPU
,对于
Intel
平台是
14Ch
WORD NumberOfSections; //文件的节数目
DWORD TimeDateStamp; //文件创建日期和时间
DWORD PointerToSymbolTable; //用于调试
DWORD NumberOfSymbols; //符号表中符号个数
WORD SizeOfOptionalHeader; //OptionalHeader 结构大小
WORD Characteristics; //文件信息标记,区分文件是
exe
还是
dll
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-----------------1.2:可选头
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; //标志字
(
总是
010bh)
BYTE MajorLinkerVersion; //连接器版本号
BYTE MinorLinkerVersion; //
DWORD SizeOfCode; //代码段大小
DWORD SizeOfInitializedData; //已初始化数据块大小
DWORD SizeOfUninitializedData;//未初始化数据块大小
DWORD AddressOfEntryPoint; //PE装载器准备运行的
PE
文件的第一个指令的
RVA
,若要改变整个执行的流程,可以将该值指定到新的
RVA
,这样新
RVA
处的指令首先被执行。(许多文章都有介绍
RVA
,请去了解)
DWORD BaseOfCode; //代码段起始
RVA
DWORD BaseOfData; //数据段起始
RVA
DWORD ImageBase; //PE文件的装载地址
DWORD SectionAlignment; //块对齐
DWORD FileAlignment; //文件块对齐
WORD MajorOperatingSystemVersion;//所需操作系统版本号
WORD MinorOperatingSystemVersion;//
WORD MajorImageVersion; //用户自定义版本号
WORD MinorImageVersion; //
WORD MajorSubsystemVersion; //win32子系统版本。若
PE
文件是专门为
Win32
设计的
WORD MinorSubsystemVersion; //该子系统版本必定是
4.0
否则对话框不会有
3
维立体感
DWORD Win32VersionValue; //保留
DWORD SizeOfImage; //内存中整个
PE
映像体的尺寸
DWORD SizeOfHeaders; //所有头 节表的大小
DWORD CheckSum; //校验和
WORD Subsystem; //NT用来识别
PE
文件属于哪个子系统
WORD DllCharacteristics; //
DWORD SizeOfStackReserve; //
DWORD SizeOfStackCommit; //
DWORD SizeOfHeapReserve; //
DWORD SizeOfHeapCommit; //
DWORD LoaderFlags; //
DWORD NumberOfRvaAndSizes; //
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];//=16
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
-----------------1.2.1:数据目录?
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; //表的
RVA
地址
DWORD Size; //大小
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
-----------------1.2.2数据入口
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
// 本文转自
C Builder
研究
- http://www.ccrun.com/article.asp?i=350&d=80huo6
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
-----------------1.2.2.0导出函数表?
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
-----------------1.2.2.1引入函数表
-----------------1.2.2.2资源表
-----------------1.2.2.3异常表?
-----------------1.2.2.4安全表?
-----------------1.2.2.5重定向表
-----------------1.2.2.6调试信息表
……
-----------------2:节表
(
段表
)
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];//节表名称
,
如
“
.text
”
union {
DWORD PhysicalAddress; //物理地址
DWORD VirtualSize; //真实长度
} Misc;
DWORD VirtualAddress; //RVA
DWORD SizeOfRawData; //物理长度
DWORD PointerToRawData; //节基于文件的偏移量
DWORD PointerToRelocations; //重定位的偏移
DWORD PointerToLinenumbers; //行号表的偏移
WORD NumberOfRelocations; //重定位项数目
WORD NumberOfLinenumbers; //行号表的数目
DWORD Characteristics; //节属性
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
-----------------3:节
……
-----------------3.1资源目录
(_IMAGE_RESOURCE_DIRECTORY)
typedef struct _IMAGE_RESOURCE_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
WORD NumberOfNamedEntries;
WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
----------------3.2资源目录入口
(_IMAGE_RESOURCE_DIRECTORY_ENTRY)
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
DWORD NameOffset:31;
DWORD NameIsString:1;
};
DWORD Name;
WORD Id;
};
union {
DWORD OffsetToData;
struct {
DWORD OffsetToDirectory:31;
DWORD DataIsDirectory:1;
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
-----------------3.211资源目录名
typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {
WORD Length;
CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;
-----------------3.212资源目录
Unicode
名
typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
WORD Length;
WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;
-----------------3.22资源数据入口
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
DWORD OffsetToData;//偏移地址。并非在文件中的偏移
!
DWORD Size; //大小
DWORD CodePage;
DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
-----------------9:其他
如果是在资源根目录,id
为
:
1: cursor
2: bitmap
3: icon
4: menu
5: dialog
6: string table
7: font directory
8: font
9: accelerators
10: unformatted resource data
11: message table
12: group cursor
14: group icon
16: version information
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- PE文件结构的一些基础知识
- PE文件结构定义
- PE文件结构及在winnt.h中的定义
- PE文件结构详解(四)PE导入表
- Linux2.6X内核中文件相关结构体总结
- 使用notepad++删除webrtc中的所有相关的vcxproj文件中有关ninja属性字段的定义
- PE文件结构详解(五)延迟导入表
- mingw gcc的头文件存在结构定义错误!!
- PE文件结构详解(五)延迟导入表&n…
- PE文件加载时Section结构中的变化
- 一些常用的定义文件
- 小甲鱼PE详解之IMAGE_OPTIONAL_HEADER32 结构定义即各个属性的作用(PE详解03)
- PE详解之IMAGE_DOS_HEADER结构定义即各个属性的作用(PE详解01)
- 小甲鱼PE详解之IMAGE_DOS_HEADER结构定义即各个属性的作用(PE详解01)
- 小甲鱼PE详解之IMAGE_NT_HEADERS结构定义即各个属性的作用(PE详解02)
- PE文件结构(二)
- 小甲鱼PE详解之IMAGE_NT_HEADERS结构定义即各个属性的作用(PE详解02)
- 数据结构相关的一些定义
- 头文件中多层结构体嵌套的结构体定义问题
- PE文件结构与函数导出表——详解与实例