PE format

1. Overview:

PE (Portable Executable) is the standard file format for portable executables (exe, dll, vxd, sys, vdm and so on) in Microsoft's Win32 environment. It derives from COFF (Common Object File Format), which was originally built on VAX(R) VMS(R). "Portable" means that the file layout is the same across different Windows versions and different CPU types; of course the binary encoding of the CPU instructions differs from one CPU to another, but the layout of the file's contents is the same.
A PE file uses a flat address space: all code and data are merged together into one large structure. Its main components are shown below.
A simplified PE file layout:

Simplified PE file layout
DOS MZ Header
DOS Stub
PE Header
Section Table
Section 1
Section 2
...
Section n
The DOS MZ header and the DOS stub together are called the DOS file header. The first byte of a PE file starts at the MS-DOS header, which is named IMAGE_DOS_HEADER. Immediately after the DOS stub comes the PE file header (PE Header); "PE Header" is the short name for the PE-specific structure IMAGE_NT_HEADERS (NT image headers), which contains many important fields used by the PE loader. Several terms are used below:
1. Entry Point
2. File Offset
3. Virtual Address, abbreviated VA
4. Base address, ImageBase
5. Relative Virtual Address, abbreviated RVA
Formula: RVA (relative virtual address) = VA (virtual address) - ImageBase (base address)
Converting between file offset and virtual address
On an x86 system each memory page is 4 KB, i.e. 0x1000 bytes.
File Offset = RVA (relative virtual address) - ΔK
File Offset = VA (virtual address) - ImageBase (base address) - ΔK
Here ΔK is the difference, for the section that contains the address, between its RVA in memory (VirtualAddress in the section table) and its offset in the file (PointerToRawData); it differs from section to section because SectionAlignment and FileAlignment are usually different.
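To make the two formulas concrete, here is an added C example that is not part of the original page. It applies RVA = VA - ImageBase and File Offset = RVA - ΔK to a constructed section table; IMAGE_BASE, SIZE_OF_HEADERS, the three section records and the function names are assumptions made for this example. It also handles two cases the bare formulas do not mention: an RVA that lies inside the headers (which are mapped 1:1), and an RVA that lies in a section's memory range but beyond its raw data, which has no bytes in the file at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal section record holding the IMAGE_SECTION_HEADER fields the conversion uses. */
typedef struct {
    const char *name;
    uint32_t virtual_address;     /* RVA at which the section is mapped (VirtualAddress) */
    uint32_t virtual_size;        /* bytes the section occupies in memory (VirtualSize) */
    uint32_t pointer_to_raw_data; /* file offset of the section's bytes (PointerToRawData) */
    uint32_t size_of_raw_data;    /* bytes actually stored in the file (SizeOfRawData) */
} section_t;

/* Constructed sample values for a hypothetical 32-bit image; not taken from a real file. */
#define IMAGE_BASE      0x00400000u
#define SIZE_OF_HEADERS 0x400u
static const section_t sections[] = {
    { ".text",  0x1000, 0x0A00, 0x0400, 0x0C00 },
    { ".rdata", 0x2000, 0x0300, 0x1000, 0x0400 },
    /* VirtualSize > SizeOfRawData: the loader zero-fills the tail, so it has no file bytes */
    { ".data",  0x3000, 0x1800, 0x1400, 0x0200 },
};
#define NSECTIONS (sizeof sections / sizeof sections[0])

/* RVA = VA - ImageBase */
uint32_t va_to_rva(uint32_t va) { return va - IMAGE_BASE; }

/* ΔK for one section: how far its memory position is from its file position. */
int64_t section_delta_k(size_t index)
{
    return (int64_t)sections[index].virtual_address
         - (int64_t)sections[index].pointer_to_raw_data;
}

/* File Offset = RVA - ΔK, with ΔK taken from the section that contains the RVA.
   Returns the file offset, or -1 when no bytes in the file back that RVA. */
int64_t file_offset_of_rva(uint32_t rva)
{
    if (rva < SIZE_OF_HEADERS)          /* headers sit at the same offset in file and memory */
        return rva;
    for (size_t i = 0; i < NSECTIONS; i++) {
        const section_t *s = &sections[i];
        uint64_t end = (uint64_t)s->virtual_address + s->virtual_size;  /* 64-bit: no wraparound */
        if (rva < s->virtual_address || rva >= end)
            continue;
        if (rva - s->virtual_address >= s->size_of_raw_data)
            return -1;                  /* mapped in memory, but past the section's raw data */
        return (int64_t)rva - section_delta_k(i);
    }
    return -1;                          /* not inside any section */
}

/* File Offset = VA - ImageBase - ΔK, i.e. the two steps chained. */
int64_t file_offset_of_va(uint32_t va) { return file_offset_of_rva(va_to_rva(va)); }

int main(void)
{
    uint32_t va = 0x00401234;
    printf("VA 0x%08X -> RVA 0x%X -> file offset 0x%llX\n",
           va, va_to_rva(va), (long long)file_offset_of_va(va));
    printf("RVA 0x3400 -> %lld (inside .data in memory, but no file bytes)\n",
           (long long)file_offset_of_rva(0x3400));
    return 0;
}
```

For .text in the sample, ΔK = 0x1000 - 0x400 = 0xC00, so VA 0x00401234 becomes RVA 0x1234 and file offset 0x634. A tool that converts addresses without the two extra checks will happily read header bytes or unrelated section data when handed an RVA that a crafted file places outside any raw data range.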
PE structure diagram (the image is not reproduced on this page):
The structure definitions for the PE format can be found in winnt.h in the compiler's include folder.

2. Detailed structure of the PE file

As shown below (simplified; see winnt.h for the full definitions; the structures for the different word sizes are largely the same).
A few type definitions used by the structures:
typedef unsigned long  DWORD;   // 32 bits on Win32; on LP64 systems (Linux, macOS) use uint32_t instead
typedef unsigned short WORD;    // 16 bits
typedef unsigned char  BYTE;    // 8 bits

(1) IMAGE_DOS_HEADER

typedef struct IMAGE_DOS_HEADER
{
    WORD  e_magic;      // "MZ" signature (0x5A4D)
    WORD  e_cblp;       // bytes on the last page of the DOS program
    WORD  e_cp;         // pages in the DOS program
    WORD  e_crlc;       // DOS relocation count
    WORD  e_cparhdr;    // size of the DOS header in paragraphs
    WORD  e_minalloc;   // minimum extra paragraphs needed
    WORD  e_maxalloc;   // maximum extra paragraphs needed
    WORD  e_ss;         // initial (relative) SS
    WORD  e_sp;         // initial SP
    WORD  e_csum;       // checksum
    WORD  e_ip;         // initial IP
    WORD  e_cs;         // initial (relative) CS
    WORD  e_lfarlc;     // file offset of the DOS relocation table
    WORD  e_ovno;       // overlay number
    WORD  e_res[4];     // reserved
    WORD  e_oemid;      // OEM identifier
    WORD  e_oeminfo;    // OEM information
    WORD  e_res2[10];   // reserved
    DWORD e_lfanew;     // file offset of IMAGE_NT_HEADERS; the PE loader jumps here from the DOS header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Here the

(2) IMAGE_NT_HEADERS

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

// IMAGE_DATA_DIRECTORY is part of winnt.h and is needed by IMAGE_OPTIONAL_HEADER32 below;
// it was not listed on the original page.
typedef struct IMAGE_DATA_DIRECTORY
{
    DWORD VirtualAddress;   // RVA of the table (export, import, resource, relocation, ...)
    DWORD Size;             // size of the table in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

// The member structures must be declared before IMAGE_NT_HEADERS, which embeds them by value.
typedef struct IMAGE_FILE_HEADER
{
    WORD  Machine;              // target CPU, e.g. 0x014C for i386
    WORD  NumberOfSections;     // number of entries in the section table
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader; // size of the optional header that follows (differs for PE32 and PE32+)
    WORD  Characteristics;      // file attribute flags (executable, DLL, ...)
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct IMAGE_OPTIONAL_HEADER32
{
    WORD  Magic;                     // 0x10B for PE32, 0x20B for PE32+
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;       // RVA of the entry point
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;                 // preferred load address
    DWORD SectionAlignment;          // section alignment in memory (usually the page size, 0x1000)
    DWORD FileAlignment;             // section alignment in the file (often 0x200)
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;               // total size of the image in memory
    DWORD SizeOfHeaders;             // size of all headers, rounded up to FileAlignment
    DWORD CheckSum;
    WORD  Subsystem;                 // GUI, console, native, ...
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;       // number of valid DataDirectory entries
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

typedef struct IMAGE_NT_HEADERS
{
    DWORD Signature;                       // "PE\0\0" (0x00004550)
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

(3) IMAGE_SECTION_HEADER (and the import thunk structures)

#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct IMAGE_SECTION_HEADER
{
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];    // section name, not necessarily NUL-terminated
    union
    {
        DWORD PhysicalAddress;
        DWORD VirtualSize;                 // size of the section once loaded in memory
    } Misc;
    DWORD VirtualAddress;                  // RVA of the section once loaded into memory
    DWORD SizeOfRawData;                   // size of the section's data in the file
    DWORD PointerToRawData;                // file offset of the section's data
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;                 // section flags (code, data, readable, writable, executable, ...)
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

// 32-bit form; winnt.h names it IMAGE_THUNK_DATA32 (IMAGE_THUNK_DATA64 holds ULONGLONG members).
typedef struct IMAGE_THUNK_DATA
{
    union
    {
        DWORD ForwarderString;             // RVA of a forwarder string
        DWORD Function;                    // resolved function address (after loading)
        DWORD Ordinal;                     // ordinal, when the high bit is set
        DWORD AddressOfData;               // RVA of an IMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA, *PIMAGE_THUNK_DATA;

typedef struct IMAGE_IMPORT_BY_NAME
{
    WORD Hint;                             // index hint into the export name table
    BYTE Name[1];                          // start of a variable-length, NUL-terminated name (CHAR Name[1] in winnt.h)
} IMAGE_IMPORT_BY_NAME;
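As an added example that is not code from the page or from winnt.h, the following C program walks the structures above in the order the loader reads them (IMAGE_DOS_HEADER -> e_lfanew -> IMAGE_NT_HEADERS -> section table) over a constructed byte buffer, and checks every offset against the real buffer length before dereferencing it. It reads fields at their fixed offsets rather than casting the buffer to the structs, because the page's `DWORD` (`unsigned long`) is 64 bits on LP64 hosts and a byte buffer need not be aligned. The error codes, the function names and the sample values are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout constants for PE32, fixed by the format. */
#define DOS_HEADER_SIZE     64u         /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET     60u         /* offset of e_lfanew in IMAGE_DOS_HEADER */
#define FILE_HEADER_SIZE    20u         /* sizeof(IMAGE_FILE_HEADER) */
#define SECTION_HEADER_SIZE 40u         /* sizeof(IMAGE_SECTION_HEADER) */
#define DOS_MAGIC           0x5A4Du     /* "MZ" */
#define NT_SIGNATURE        0x00004550u /* "PE\0\0" */

enum { PE_OK = 0, PE_ERR_TOO_SHORT = -1, PE_ERR_NO_MZ = -2, PE_ERR_BAD_LFANEW = -3,
       PE_ERR_NO_PE = -4, PE_ERR_SECTION_TABLE = -5, PE_ERR_SECTION_RANGE = -6 };

typedef struct {
    uint16_t machine, number_of_sections, size_of_optional_header;
    uint32_t section_table_offset;
} pe_info;

/* Little-endian field access that works at any alignment and on any host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walks DOS header -> e_lfanew -> NT headers -> section table, bounds-checking each step. */
int pe_validate(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < DOS_HEADER_SIZE)                  return PE_ERR_TOO_SHORT;
    if (rd16(buf) != DOS_MAGIC)                 return PE_ERR_NO_MZ;
    uint32_t lfanew = rd32(buf + E_LFANEW_OFFSET);
    /* e_lfanew must point past the DOS header and leave room for Signature + IMAGE_FILE_HEADER */
    if (lfanew < DOS_HEADER_SIZE || lfanew > len || len - lfanew < 4 + FILE_HEADER_SIZE)
        return PE_ERR_BAD_LFANEW;
    const uint8_t *nt = buf + lfanew;
    if (rd32(nt) != NT_SIGNATURE)               return PE_ERR_NO_PE;
    const uint8_t *fh = nt + 4;                 /* IMAGE_FILE_HEADER */
    out->machine                 = rd16(fh + 0);
    out->number_of_sections      = rd16(fh + 2);
    out->size_of_optional_header = rd16(fh + 16);
    /* The section table follows the optional header; use the size recorded in the file,
       not sizeof(IMAGE_OPTIONAL_HEADER32), which differs between PE32 and PE32+. */
    uint64_t st     = (uint64_t)lfanew + 4 + FILE_HEADER_SIZE + out->size_of_optional_header;
    uint64_t st_end = st + (uint64_t)out->number_of_sections * SECTION_HEADER_SIZE;
    if (st_end > len)                           return PE_ERR_SECTION_TABLE;
    out->section_table_offset = (uint32_t)st;
    for (uint16_t i = 0; i < out->number_of_sections; i++) {
        const uint8_t *sh = buf + st + (size_t)i * SECTION_HEADER_SIZE;
        uint32_t size_raw = rd32(sh + 16);      /* SizeOfRawData */
        uint32_t ptr_raw  = rd32(sh + 20);      /* PointerToRawData */
        /* 64-bit sum, so a crafted header cannot wrap the end of the range below `len` */
        if ((uint64_t)ptr_raw + size_raw > len) return PE_ERR_SECTION_RANGE;
    }
    return PE_OK;
}

/* Constructed sample: a minimal PE32 header set with two sections. It is not a runnable
   program, only enough structure for the walk above. */
#define SAMPLE_PE_SIZE 0x600u
static void build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_PE_SIZE);
    wr16(buf, DOS_MAGIC);
    wr32(buf + E_LFANEW_OFFSET, DOS_HEADER_SIZE);   /* NT headers directly after the DOS header */
    uint8_t *fh = buf + DOS_HEADER_SIZE + 4;        /* IMAGE_FILE_HEADER, after the signature */
    wr32(fh - 4, NT_SIGNATURE);
    wr16(fh + 0, 0x014C);                           /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(fh + 2, 2);                                /* NumberOfSections */
    wr16(fh + 16, 0xE0);                            /* SizeOfOptionalHeader for PE32 */
    wr16(fh + FILE_HEADER_SIZE, 0x10B);             /* OptionalHeader.Magic: PE32 */
    uint8_t *sec = fh + FILE_HEADER_SIZE + 0xE0;    /* first IMAGE_SECTION_HEADER (file offset 312) */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    memcpy(sec + 40, ".data", 5);
    wr32(sec + 48, 0x300); wr32(sec + 52, 0x2000); wr32(sec + 56, 0x200); wr32(sec + 60, 0x400);
}

/* Validates the sample with one byte patched (patch_off >= SAMPLE_PE_SIZE means no patch),
   treating only the first `len` bytes as the file. */
int sample_validate(size_t patch_off, uint8_t patch_val, size_t len)
{
    uint8_t buf[SAMPLE_PE_SIZE];
    pe_info info;
    build_sample_pe(buf);
    if (patch_off < SAMPLE_PE_SIZE) buf[patch_off] = patch_val;
    return pe_validate(buf, len < SAMPLE_PE_SIZE ? len : SAMPLE_PE_SIZE, &info);
}

uint32_t sample_section_table_offset(void)
{
    uint8_t buf[SAMPLE_PE_SIZE];
    pe_info info;
    build_sample_pe(buf);
    return pe_validate(buf, SAMPLE_PE_SIZE, &info) == PE_OK ? info.section_table_offset : 0;
}

int main(void)
{
    printf("intact: %d, truncated to 0x500: %d, bad MZ: %d\n",
           sample_validate(SAMPLE_PE_SIZE, 0, SAMPLE_PE_SIZE),
           sample_validate(SAMPLE_PE_SIZE, 0, 0x500),
           sample_validate(0, 'X', SAMPLE_PE_SIZE));
    return 0;
}
```

The checks that matter for a parser of untrusted files are the ones a minimal reader skips: e_lfanew and NumberOfSections come straight from the file, so a single oversized value can send a naive `buf + e_lfanew` or section-table loop far outside the buffer; every multiplication and sum here is done in 64 bits and compared against the real length before any read.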
