PE Structure at a Glance

Offset    0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000  4D 5A 90 00 03 00 00 00  04 00 00 00 FF FF 00 00  MZ..............
00000010  B8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  ........@.......
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00  00 00 00 00 B0 00 00 00  ................

00000040  0E 1F BA 0E 00 B4 09 CD  21 B8 01 4C CD 21 54 68  ........!..L.!Th
00000050  69 73 20 70 72 6F 67 72  61 6D 20 63 61 6E 6E 6F  is program canno
00000060  74 20 62 65 20 72 75 6E  20 69 6E 20 44 4F 53 20  t be run in DOS 
00000070  6D 6F 64 65 2E 0D 0D 0A  24 00 00 00 00 00 00 00  mode....$.......
00000080  5D 65 FD C8 19 04 93 9B  19 04 93 9B 19 04 93 9B  ]e..............
00000090  97 1B 80 9B 11 04 93 9B  E5 24 81 9B 18 04 93 9B  .........$......
000000A0  52 69 63 68 19 04 93 9B  00 00 00 00 00 00 00 00  Rich............

000000B0  50 45 00 00 4C 01 03 00  3E FD 24 45 00 00 00 00  PE..L...>.$E....
000000C0  00 00 00 00 E0 00 0F 01  0B 01 05 0C 00 02 00 00  ................
000000D0  00 04 00 00 00 00 00 00  00 10 00 00 00 10 00 00  ................
000000E0  00 20 00 00 00 00 40 00  00 10 00 00 00 02 00 00  . ....@.........
000000F0  04 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  ................
00000100  00 40 00 00 00 04 00 00  00 00 00 00 02 00 00 00  .@..............
00000110  00 00 10 00 00 10 00 00  00 00 10 00 00 10 00 00  ................
00000120  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  ................
00000130  14 20 00 00 3C 00 00 00  00 00 00 00 00 00 00 00  . ..<...........
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000180  00 00 00 00 00 00 00 00  00 20 00 00 14 00 00 00  ......... ......
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00  2E 74 65 78 74 00 00 00  .........text...

          Section table
000001B0  30 00 00 00 00 10 00 00  00 02 00 00 00 04 00 00  0...............
000001C0  00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 E0  ............ ...
000001D0  2E 72 64 61 74 61 00 00  A6 00 00 00 00 20 00 00  .rdata....... ..
000001E0  00 02 00 00 00 06 00 00  00 00 00 00 00 00 00 00  ................
000001F0  00 00 00 00 40 00 00 40  2E 64 61 74 61 00 00 00  ....@..@.data...
00000200  42 00 00 00 00 30 00 00  00 02 00 00 00 08 00 00  B....0..........
00000210  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 C0  ............@...
…………

          Section file data
00000400
…………
000009F0

DOS header (DOS MZ header): an IMAGE_DOS_HEADER structure, defined as follows:

IMAGE_DOS_HEADER STRUCT     ; 64 bytes
  e_magic           WORD      ?     ; DOS header signature, always 5A4Dh
  e_cblp            WORD      ?
  e_cp              WORD      ?
  e_crlc            WORD      ?
  e_cparhdr         WORD      ?
  e_minalloc        WORD      ?
  e_maxalloc        WORD      ?
  e_ss              WORD      ?
  e_sp              WORD      ?
  e_csum            WORD      ?
  e_ip              WORD      ?
  e_cs              WORD      ?
  e_lfarlc          WORD      ?
  e_ovno            WORD      ?
  e_res             WORD   4 dup(?)
  e_oemid           WORD      ?
  e_oeminfo         WORD      ?
  e_res2            WORD  10 dup(?)
  e_lfanew          DWORD     ?     ; file offset of the PE header
IMAGE_DOS_HEADER ENDS

 

DOS code (DOS stub

PE header: an IMAGE_NT_HEADERS structure, defined as follows:

IMAGE_NT_HEADERS STRUCT
  Signature         DWORD                   ?     ; PE header signature
  FileHeader        IMAGE_FILE_HEADER       <>    ; file header, 20 bytes
  OptionalHeader    IMAGE_OPTIONAL_HEADER32 <>    ; optional header
IMAGE_NT_HEADERS ENDS

 

File header (FileHeader): an IMAGE_FILE_HEADER structure, defined as follows:

IMAGE_FILE_HEADER STRUCT    ; 20 bytes
  Machine               WORD    ?
  NumberOfSections      WORD    ?   ; number of sections in the file
  TimeDateStamp         DWORD   ?   ; file creation date and time
  PointerToSymbolTable  DWORD   ?
  NumberOfSymbols       DWORD   ?
  SizeOfOptionalHeader  WORD    ?   ; size of the OptionalHeader structure that immediately follows this one
  Characteristics       WORD    ?   ; flags describing the file, e.g. whether it is an exe or a dll
IMAGE_FILE_HEADER ENDS

 

Optional header (OptionalHeader): an IMAGE_OPTIONAL_HEADER32 structure, defined as follows:

IMAGE_OPTIONAL_HEADER32 STRUCT
  Magic                         WORD       ?
  MajorLinkerVersion            BYTE       ?
  MinorLinkerVersion            BYTE       ?
  SizeOfCode                    DWORD      ?
  SizeOfInitializedData         DWORD      ?
  SizeOfUninitializedData       DWORD      ?
  AddressOfEntryPoint           DWORD      ?   ; RVA of the first instruction the PE loader will run
  BaseOfCode                    DWORD      ?
  BaseOfData                    DWORD      ?
  ImageBase                     DWORD      ?   ; preferred load address of the PE file (image base)
  SectionAlignment              DWORD      ?   ; section alignment granularity in memory
  FileAlignment                 DWORD      ?   ; section alignment granularity in the file
  MajorOperatingSystemVersion   WORD       ?
  MinorOperatingSystemVersion   WORD       ?
  MajorImageVersion             WORD       ?
  MinorImageVersion             WORD       ?
  MajorSubsystemVersion         WORD       ?
  MinorSubsystemVersion         WORD       ?
  Win32VersionValue             DWORD      ?
  SizeOfImage                   DWORD      ?   ; size of the whole PE image in memory
  SizeOfHeaders                 DWORD      ?   ; size of all headers plus the section table
  CheckSum                      DWORD      ?
  Subsystem                     WORD       ?   ; used by NT to identify which subsystem the PE file belongs to
  DllCharacteristics            WORD       ?
  SizeOfStackReserve            DWORD      ?
  SizeOfStackCommit             DWORD      ?
  SizeOfHeapReserve             DWORD      ?
  SizeOfHeapCommit              DWORD      ?
  LoaderFlags                   DWORD      ?
  NumberOfRvaAndSizes           DWORD      ?
  DataDirectory                 IMAGE_DATA_DIRECTORY 16 dup(<>)   ; data directory
IMAGE_OPTIONAL_HEADER32 ENDS

 

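Data directory (DataDirectory): each entry is an IMAGE_DATA_DIRECTORY structure, defined as follows:

IMAGE_DATA_DIRECTORY STRUCT
  VirtualAddress    DWORD      ?   ; RVA of the entry's data (for the import directory entry, the IMAGE_IMPORT_DESCRIPTOR array)
  isize             DWORD      ?   ; size of that data in bytes
IMAGE_DATA_DIRECTORY ENDS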

 

 

Section table: each entry is an IMAGE_SECTION_HEADER structure, defined as follows:

IMAGE_SECTION_HEADER STRUCT     ; 40 bytes
    Name1                 db  8 dup(?)   ; section name
    union Misc
        PhysicalAddress   dd  ?
        VirtualSize       dd  ?
    ends
    VirtualAddress        dd  ?   ; RVA (relative virtual address) of this section
    SizeOfRawData         dd  ?   ; section size after file alignment
    PointerToRawData      dd  ?   ; file offset of the section's data
    PointerToRelocations  dd  ?
    PointerToLinenumbers  dd  ?
    NumberOfRelocations   dw  ?
    NumberOfLinenumbers   dw  ?
    Characteristics       dd  ?   ; flags describing the section's attributes
IMAGE_SECTION_HEADER ENDS
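
The chain these structures describe (e_lfanew to the PE signature, SizeOfOptionalHeader to the section table, then one 40-byte IMAGE_SECTION_HEADER per section) can be walked with a bounds check at each step, reporting sections that are both writable and executable or whose raw data runs past the end of the file. This is an added example, not code from the original page: parse_sections and sample_image are names chosen here, and the sample is a constructed zero-filled buffer carrying only the parsed fields, with the values shown in the dump above.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flag bits

def parse_sections(data):
    """Walk e_lfanew -> FileHeader -> section table, bounds-checking each step."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    # IMAGE_FILE_HEADER: the 20 bytes after the 4-byte signature
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size        # section table follows OptionalHeader
    if table + nsec * 40 > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "rva": rva, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "wx": bool(chars & MEM_EXECUTE) and bool(chars & MEM_WRITE),
            "truncated": raw_ptr + raw_size > len(data),   # raw data past EOF
        })
    return sections

def sample_image():
    """Constructed sample: zero-filled 0xA00-byte file carrying only the fields
    parsed above, with the values shown in the page's dump."""
    img = bytearray(0xA00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xB0)                       # e_lfanew
    struct.pack_into("<4sHHIIIHH", img, 0xB0, b"PE\0\0", 0x014C, 3,
                     0x4524FD3E, 0, 0, 0xE0, 0x010F)
    rows = [(b".text", 0x30, 0x1000, 0x200, 0x400, 0xE0000020),
            (b".rdata", 0xA6, 0x2000, 0x200, 0x600, 0x40000040),
            (b".data", 0x42, 0x3000, 0x200, 0x800, 0xC0000040)]
    for i, (nm, vs, rva, rs, rp, ch) in enumerate(rows):
        struct.pack_into("<8sIIIIIIHHI", img, 0x1A8 + i * 40,
                         nm, vs, rva, rs, rp, 0, 0, 0, 0, ch)
    return bytes(img)

if __name__ == "__main__":
    for s in parse_sections(sample_image()):
        print(s)
```

With the dump's values, .text is reported as writable and executable (Characteristics E0000020h) and no section is truncated.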
