Jotting down my PE file study notes so I don't forget them later.
I. Basic PE structure
From top to bottom, a PE file consists of the following parts (three sections are shown as a typical layout; the real count comes from NumberOfSections in the file header, and the section headers always come right after the NT header):
DOS header
DOS stub
NT header
.text section header
.data section header
.rsrc section header
.text section
.data section
.rsrc section
II. What each part of the PE means
1 DOS header
It typically looks like this (the last four bytes are e_lfanew, stored little-endian):
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00
64 bytes in total, matching the struct below (from winnt.h; WORD is a 16-bit and LONG a 32-bit integer, so the offsets in the right-hand column add up to 0x40):
typedef unsigned short WORD;   // 16-bit, as in <windows.h>
typedef int LONG;              // 32-bit, as in <windows.h>
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header                          offset
    WORD e_magic;                       // Magic number                             0x00
    WORD e_cblp;                        // Bytes on last page of file               0x02
    WORD e_cp;                          // Pages in file                            0x04
    WORD e_crlc;                        // Relocations                              0x06
    WORD e_cparhdr;                     // Size of header in paragraphs             0x08
    WORD e_minalloc;                    // Minimum extra paragraphs needed          0x0A
    WORD e_maxalloc;                    // Maximum extra paragraphs needed          0x0C
    WORD e_ss;                          // Initial (relative) SS value              0x0E
    WORD e_sp;                          // Initial SP value                         0x10
    WORD e_csum;                        // Checksum                                 0x12
    WORD e_ip;                          // Initial IP value                         0x14
    WORD e_cs;                          // Initial (relative) CS value              0x16
    WORD e_lfarlc;                      // File address of relocation table         0x18
    WORD e_ovno;                        // Overlay number                           0x1A
    WORD e_res[4];                      // Reserved words                           0x1C
    WORD e_oemid;                       // OEM identifier (for e_oeminfo)           0x24
    WORD e_oeminfo;                     // OEM information; e_oemid specific        0x26
    WORD e_res2[10];                    // Reserved words                           0x28
    LONG e_lfanew;                      // File address of new exe header           0x3C
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
The two members that matter in practice:
e_magic: the DOS signature, bytes 4D 5A ("MZ"; read as a little-endian WORD this is 0x5A4D), the initials of Mark Zbikowski, who designed the DOS executable format.
e_lfanew: the file offset of the NT header. Here it is stored little-endian as E0 00 00 00, i.e. the value 0x000000E0; the loader jumps from here to look for the "PE\0\0" signature. It is a signed LONG read straight from the file and nothing guarantees it points inside the file, so any parser has to range-check it before dereferencing it.
2 DOS stub
Optional and of no fixed size; when the file is run under MS-DOS this is the program that executes (the stub emitted by Microsoft's linker prints "This program cannot be run in DOS mode." and exits). It occupies the bytes between the end of the DOS header (offset 0x40) and the NT header offset given by e_lfanew.
3 NT header
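As an added example (not code from the original notes), the following C program does what a defensive PE parser has to do with the DOS header and stub described above: read e_magic and e_lfanew by byte offset, range-check e_lfanew, and only then look for the "PE\0\0" signature. The sample image is constructed inline from the 64-byte dump above, with a zero-filled stub and the NT signature placed at 0xE0; the scenario numbers, status codes and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets inside the 64-byte IMAGE_DOS_HEADER (see the struct above). */
#define DOS_HEADER_SIZE      64u
#define OFF_E_MAGIC          0x00u
#define OFF_E_LFANEW         0x3Cu
#define IMAGE_DOS_SIGNATURE  0x5A4Du      /* "MZ" read as a little-endian WORD     */
#define IMAGE_NT_SIGNATURE   0x00004550u  /* "PE\0\0" read as a little-endian DWORD */

/* Status codes returned by pe_locate_nt_header (negative = reject the file). */
enum pe_status { PE_TOO_SHORT = -1, PE_BAD_MZ = -2, PE_BAD_LFANEW = -3, PE_BAD_PE_SIG = -4 };

/* Little-endian field readers: PE fields are always little-endian on disk, and
   reading byte-wise avoids depending on host endianness or struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the DOS header and return the file offset of the "PE\0\0" signature,
   or a negative pe_status if the file must be rejected. */
long pe_locate_nt_header(const uint8_t *buf, size_t len)
{
    if (len < DOS_HEADER_SIZE)
        return PE_TOO_SHORT;
    if (rd16(buf + OFF_E_MAGIC) != IMAGE_DOS_SIGNATURE)
        return PE_BAD_MZ;

    /* e_lfanew is a signed LONG taken straight from the file. Nothing stops a
       crafted file from storing -1 or 0x7F0000E0 here, so range-check it before
       using it as an index: it must be non-negative and leave room for the
       4-byte signature inside the buffer. */
    int32_t lfanew = (int32_t)rd32(buf + OFF_E_LFANEW);
    if (lfanew < 0 || (size_t)lfanew > len - 4)
        return PE_BAD_LFANEW;

    if (rd32(buf + lfanew) != IMAGE_NT_SIGNATURE)
        return PE_BAD_PE_SIG;
    return lfanew;
}

/* Constructed sample: the 64-byte DOS header from the dump in the notes
   (e_lfanew = 0xE0), then a zero-filled DOS stub, then "PE\0\0" at 0xE0. */
static const uint8_t SAMPLE_DOS_HEADER[DOS_HEADER_SIZE] = {
    0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,
    0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xE0,0x00,0x00,0x00,
};

/* Fill `out` with the sample image; returns its length (0 if cap is too small). */
size_t pe_build_sample(uint8_t *out, size_t cap)
{
    if (cap < 0xE4)
        return 0;
    memset(out, 0, cap);
    memcpy(out, SAMPLE_DOS_HEADER, DOS_HEADER_SIZE);
    out[0xE0] = 'P';
    out[0xE1] = 'E';            /* bytes 0xE2 and 0xE3 stay 0 */
    return cap;
}

/* Scenarios (hypothetical corruptions applied to the sample):
   0 = well-formed; 1 = signature "ZM"; 2 = e_lfanew = -1;
   3 = e_lfanew = 0x7F0000E0 (far beyond EOF); 4 = file cut off at 0x30 bytes;
   5 = "NE\0\0" where "PE\0\0" was expected. Returns pe_locate_nt_header's result. */
long pe_demo(int scenario)
{
    uint8_t img[0x100];
    size_t n = pe_build_sample(img, sizeof img);
    switch (scenario) {
    case 1: img[0] = 'Z'; img[1] = 'M'; break;
    case 2: memset(img + OFF_E_LFANEW, 0xFF, 4); break;
    case 3: img[OFF_E_LFANEW + 3] = 0x7F; break;
    case 4: n = 0x30; break;
    case 5: img[0xE0] = 'N'; break;
    default: break;
    }
    return pe_locate_nt_header(img, n);
}

int main(void)
{
    for (int s = 0; s <= 5; s++)
        printf("scenario %d -> %ld\n", s, pe_demo(s));
    return 0;
}
```

Scenario 0 returns 0xE0, the same value written at offset 0x3C in the dump; the others return the negative status for the corruption applied. The check deliberately does not require e_lfanew to be at least 0x40: the Windows loader accepts NT headers that overlap the DOS header (the "tiny PE" trick relies on this), so a parser that rejected them would disagree with the loader about which files are executable. Bounds against the buffer length are the part that prevents the out-of-range read.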