- 1. the PE format (17th January 2011)
Ange Albertini
http://corkami.blogspot.com
Creative Commons Attribution 3.0
- 2. Table of contents
3 Standard File & Memory layouts
4 the PE Headers
5 Data Directories 1/2: Exports, Imports, Import table
6 Data Directories 2/2: Resources, Relocations, Debug, TLS, Delay imports
Changelog
2011/01/17 minor changes, fixed data directories, better resource directories layout
2010/04/07 +data directories
2010/04/03 +layouts
2010/01/28 +headers
- 3. Standard File & Memory layouts
[Diagram: the same PE shown twice, as laid out on disk (file, by offset, from 0) and after loading (memory, by virtual address, from ImageBase).]
File side: the MZ/PE header (SizeOfHeaders bytes, rounded up to FileAlignment), then the raw data of each section at Section[n].Offset with size Section[n].PSize, each rounded up to FileAlignment: .text (code, e.g. "push ebp"), .data (data, e.g. "i dd 0"), .idata (imports / Import table, e.g. "__imp__MessageBox_: dd aMessageBox"), then any appended data up to the file size, which is not mapped.
Memory side: the header at ImageBase (SizeOfHeaders, rounded up to SectionAlignment), then each section mapped at Section[n].Address with size Section[n].VSize, each rounded up to SectionAlignment: .text (BaseOfCode, EntryPoint, SizeOfCode), .data (BaseOfData, SizeOfData), .idata (imports), ending at SizeOfImage; beyond the image lie the stack, the environment and the system libraries that the imports resolve to.
Legend: offset = PointerToRawData, PSize = SizeOfRawData, address = VirtualAddress, VSize = VirtualSize.
- 4. the PE Headers
offset 0: IMAGE_DOS_HEADER
0x00 dw e_magic MZ
0x02 dw e_cblp
0x04 dw e_cp exe size
0x06 dw e_crlc
0x08 dw e_cparhdr exe start
0x0a dw e_minalloc
0x0c dw e_maxalloc
0x0e dw e_ss
0x10 dw e_sp
0x12 dw e_csum
0x14 dw e_ip
0x16 dw e_cs
0x18 dw e_lfarlc
0x1a dw e_ovno
0x1c dw e_res[4]
0x24 dw e_oemid
0x26 dw e_oeminfo
0x28 dw e_res2[10]
0x3c dd e_lfanew (offset of IMAGE_NT_HEADERS)

e_lfanew: IMAGE_NT_HEADERS[32/64]
0x00 dd Signature PE00
0x04 FileHeader (IMAGE_FILE_HEADER)
0x18 OptionalHeader (IMAGE_OPTIONAL_HEADER[32/64], SizeOfOptionalHeader bytes long)

IMAGE_FILE_HEADER
0x00 dw Machine 0x014c [32b]/0x8664 [64b]
0x02 dw NumberOfSections
0x04 dd TimeDateStamp
0x08 dd PointerToSymbolTable
0x0c dd NumberOfSymbols
0x10 dw SizeOfOptionalHeader
0x12 dw Characteristics exe/dll,relocs

IMAGE_OPTIONAL_HEADER[32/64] (32b offsets shown)
0x00 dw Magic 0x10b [32b]/0x20b [64b]
0x02 db MajorLinkerVersion
0x03 db MinorLinkerVersion
0x04 dd SizeOfCode
0x08 dd SizeOfInitializedData
0x0c dd SizeOfUninitializedData
0x10 dd AddressOfEntryPoint
0x14 dd BaseOfCode dq in 64b
0x18 dd BaseOfData only in 32b
0x1c dd ImageBase dq in 64b
0x20 dd SectionAlignment =2^y, with y≥x
0x24 dd FileAlignment =2^x
0x28 dw MajorOperatingSystemVersion
0x2a dw MinorOperatingSystemVersion
0x2c dw MajorImageVersion
0x2e dw MinorImageVersion
0x30 dw MajorSubsystemVersion
0x32 dw MinorSubsystemVersion
0x34 dd Win32VersionValue
0x38 dd SizeOfImage
0x3c dd SizeOfHeaders
0x40 dd CheckSum [drivers]
0x44 dw Subsystem 1 driver/2 gui/3 cli
0x46 dw DllCharacteristics
0x48 dd SizeOfStackReserve dq in 64b
0x4c dd SizeOfStackCommit dq in 64b
0x50 dd SizeOfHeapReserve dq in 64b
0x54 dd SizeOfHeapCommit dq in 64b
0x58 dd LoaderFlags
0x5c dd NumberOfRvaAndSizes ≤16
0x60 DataDirectory: NumberOfRvaAndSizes entries of IMAGE_DATA_DIRECTORY

IMAGE_DATA_DIRECTORY
0x00 dd VirtualAddress
0x04 dd Size

Section Table (right after the optional header): NumberOfSections entries of IMAGE_SECTION_HEADER
0x00 db Name[8]
0x08 dd PhysicalAddress | VirtualSize
0x0c dd VirtualAddress
0x10 dd SizeOfRawData
0x14 dd PointerToRawData
0x18 dd PointerToRelocations
0x1c dd PointerToLinenumbers
0x20 dw NumberOfRelocations
0x22 dw NumberOfLinenumbers
0x24 dd Characteristics RWX

Legend (colour-coded in the original): address kinds: relative offset / offset / RVA; field importance: Critical / standard / minor/ignored.
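An added example, not part of the original slides: a Python walk through the headers above, reading IMAGE_DOS_HEADER, IMAGE_FILE_HEADER and the optional header at the offsets listed (honouring SizeOfOptionalHeader to find the section table), then mapping an RVA back to a file offset through the section table as in the slide 3 layout. The PE image it parses is constructed inline with struct.pack; every value in it is made up for the example.

```python
import struct

def build_sample_pe():
    """Construct (not a real binary) a minimal PE32 image with one .text section."""
    dos = b"MZ" + b"\0" * 0x3a + struct.pack("<I", 0x40)      # 0x3c dd e_lfanew = 0x40
    # IMAGE_OPTIONAL_HEADER32 fields in slide-4 order; NumberOfRvaAndSizes = 0 (no data directories)
    opt = struct.pack("<HBBIIIIII", 0x10b, 9, 0, 0x200, 0, 0, 0x1000, 0x1000, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    fh = struct.pack("<HHIIIHH", 0x14c, 1, 0, 0, 0, len(opt), 0x102)  # i386, 1 section, exe+32b
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x300, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + fh + opt + sec).ljust(0x200, b"\0")   # SizeOfHeaders = 0x200
    return hdr + b"\x55\xc3".ljust(0x200, b"\0")                    # .text raw data: push ebp; ret

def parse_pe(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table at the offsets of slide 4."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    nt, = struct.unpack_from("<I", data, 0x3c)                       # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = nt + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10b:                                               # PE32: dd ImageBase at 0x1c
        image_base, = struct.unpack_from("<I", data, opt + 0x1c)
    elif magic == 0x20b:                                             # PE32+: dq ImageBase at 0x18
        image_base, = struct.unpack_from("<Q", data, opt + 0x18)
    else:
        raise ValueError("unknown optional header Magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, opt + 0x10)
    sec_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    size_of_headers, = struct.unpack_from("<I", data, opt + 0x3c)
    sections = []
    for i in range(nsect):         # section table begins SizeOfOptionalHeader bytes after Magic
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return {"machine": machine, "characteristics": chars, "magic": magic, "image_base": image_base,
            "entry_point": entry, "section_alignment": sec_align, "file_alignment": file_align,
            "size_of_headers": size_of_headers, "sections": sections}

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset (slide 3): headers map 1:1, sections VirtualAddress -> PointerToRawData."""
    if rva < pe["size_of_headers"]:
        return rva
    for _name, vsize, va, rawsize, rawptr in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va) if rva - va < rawsize else None  # past PSize: zero-fill only
    return None  # not mapped by any section
```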
- 5. Data Directories 1/2
DATA DIRECTORIES (index into OptionalHeader.DataDirectory)
0 IMAGE_DIRECTORY_ENTRY_EXPORT
1 IMAGE_DIRECTORY_ENTRY_IMPORT
2 IMAGE_DIRECTORY_ENTRY_RESOURCE
3 IMAGE_DIRECTORY_ENTRY_SECURITY
4 IMAGE_DIRECTORY_ENTRY_EXCEPTION
5 IMAGE_DIRECTORY_ENTRY_BASERELOC
6 IMAGE_DIRECTORY_ENTRY_DEBUG
7 IMAGE_DIRECTORY_ENTRY_COPYRIGHT
8 IMAGE_DIRECTORY_ENTRY_GLOBALPTR
9 IMAGE_DIRECTORY_ENTRY_TLS
A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
C IMAGE_DIRECTORY_ENTRY_IAT
D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
F reserved

IMAGE_EXPORT_DIRECTORY (entry 0)
00 dd Characteristics
04 dd TimeDateStamp
08 dw MajorVersion
0a dw MinorVersion
0c dd Name -> "MyLib.dll"
10 dd Base
14 dd NumberOfFunctions
18 dd NumberOfNames
1c dd AddressOfFunctions -> array: 00 dd Function
20 dd AddressOfNames -> array: 00 dd Name
24 dd AddressOfNameOrdinals -> array: 00 dd NameOrdinal
“Export Table” as a viewer displays it: 401020: MyFunction (ord:01)

IMAGE_IMPORT_DESCRIPTOR (entry 1; one per library, array terminated by dd 0,0,0,0,0)
00 dd OriginalFirstThunk/Characteristics
04 dd TimeDateStamp
08 dd ForwarderChain
0c dd Name -> "Kernel32.dll"
10 dd FirstThunk

IMAGE_THUNK_DATA (two arrays, pointed to by OriginalFirstThunk and FirstThunk, each terminated by dd 0)
00 dd AddressOfData/Ordinal/ForwarderString/Function

IMAGE_IMPORT_BY_NAME (pointed to by AddressOfData)
00 dw Hint
02 db Name[*]

IAT (the FirstThunk array): on file its entries are RVAs to IMAGE_IMPORT_BY_NAME; after loading they hold the VA of each imported function, e.g. 7C81127A Kernel32.dll!GetVersion (hint:4)

Legend (colour-coded in the original): relative offset / offset / RVA / VA.
- 6. Data Directories 2/2
DATA DIRECTORIES: same index list (0 IMAGE_DIRECTORY_ENTRY_EXPORT ... F reserved) as on slide 5.

Resources (entry 2): a tree of IMAGE_RESOURCE_DIRECTORY levels: ROOT -> TYPE -> NAME -> LANGUAGE -> data
IMAGE_RESOURCE_DIRECTORY
00 dd Characteristics
04 dd TimeDateStamp
08 dw MajorVersion
0a dw MinorVersion
0c dw NumberOfNamedEntries
0e dw NumberOfIdEntries
followed by its entries, Named ones first, then Id ones:
IMAGE_RESOURCE_DIRECTORY_ENTRY
00 dd Name/ID (type: RT_* at the first level, name at the second, language at the third)
04 dd OffsetToData (to the next IMAGE_RESOURCE_DIRECTORY, or at the last level to an IMAGE_RESOURCE_DATA_ENTRY)

IMAGE_RESOURCE_DATA_ENTRY
00 dd OffsetToData
04 dd Size
08 dd CodePage
0c dd Reserved

IMAGE_BASE_RELOCATION (entry 5; relocation blocks follow one another up to DIRECTORY.SIZE)
00 dd VirtualAddress
04 dd SizeOfBlock
08 dw TypeOffset[] (the remainder of SizeOfBlock)
e.g. in "PUSH EBP ... PUSH offset szMyString", an entry points at the absolute address operand of the second PUSH

IMAGE_DEBUG_DIRECTORY (entry 6)
00 dd Characteristics
04 dd TimeDateStamp
08 dw MajorVersion
0a dw MinorVersion
0c dd Type 1 Coff/2 CV-PDB/9 Borland
10 dd SizeOfData
14 dd AddressOfRawData
18 dd PointerToRawData

IMAGE_TLS_DIRECTORY (entry 9)
00 dd StartAddressOfRawData
04 dd EndAddressOfRawData
08 LPDWORD AddressOfIndex
0c AddressOfCallBacks -> array: 00 dd Callback ... terminated by dd 0
10 dd SizeOfZeroFill
14 dd Characteristics

IMAGE_DELAY_IMPORT_DESCRIPTOR (entry D)
00 dd grAttrs
04 dd szName
08 dd phmod
0c dd pIAT
10 dd pINT
14 dd pBoundIAT
18 dd pUnloadIAT
1c dd dwTimeStamp

Legend (colour-coded in the original): relative offset / offset / RVA / VA.