PE文件結構
阿新 • • 發佈:2017-05-21
tin alignment tac ack ade ble sent struct 用戶
在win32 SDK的文件winnt.h中有PE文件格式的定義/
一個MS-DOS頭部 IMAGE_DOS_HEADER
一個是DOS的程序殘余以及一個PE文件標誌
PE文件頭和可選頭部: IMAGE_NT_HEADERS
typedef struct IMAGE_NT_HEADERS
{
DWORD Signature;
IMAGE_FILE_HEADER FileHeader; // PE文件頭
IMAGE_OPTIONAL_HEADER32 OptionalHeader; // 可選頭部
}IMAGE_NT_HEADERS,*PIMAGE_NT_HEADERS; typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
AddressOfEntryPoint
A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.
所有的段頭部,
所有的段實體
一些其它的區域,其中是一些混雜的信息,包括重分配信息 、符號表信息、行號信息以及字串表數據。
內存映射文件,允許用戶使用一個簡單的指針來存取文件中所包含的數據,因此所有的示例都使用了內存映射文件來存取PE文件中的數據。
Windows裝載器 裝載,構成內存,執行。
Windows裝載器在裝載的時候僅僅建立好虛擬地址和PE文件之間的映射關系,只有真正執行到某個內存頁中的指令或訪問某一頁中的數據時,這個頁才會被從磁盤提交到物理內存。
http://www.cnblogs.com/tk091/archive/2012/09/04/2670936.html
PE文件結構