This value should be zero for an object file. Characteristics: These are the characteristic flags that indicate attributes of the object or image file. It also defines other flags that we do not need at this time.
We can see the information in the snapshot below. There are many headers, and it is not possible to cover every one of them in detail due to space limitations, so we will discuss the important ones. As you see in the above picture, we have two fields that are again categorized into sub-headers. Magic: The unsigned integer that identifies the state of the image file. The most common values are 0x10b for bit and 0x10b for bit.
Before getting into the details, we should know some details of the PE format that are required here. RVA (relative virtual address): An RVA is simply the offset of some item relative to where the file is memory-mapped; for an image file, it is the address of the item after the image is loaded into memory, with the image base address subtracted. The address of the entry point is the address where the PE loader will begin execution; it is relative to the image base once the executable is loaded into memory.
For a program image, this is the starting address; for device drivers, it is the address of the initialization function; for a DLL, an entry point is optional. Image base: The preferred address of the image when it is loaded into memory. The default address is 0x. Section alignment: The alignment of sections when they are loaded into memory.
Section alignment can be no less than the page size, currently bytes on Windows x. File alignment: The granularity of the alignment of the sections in the file. For example, if the value in this field is h, each section must start at a multiple of bytes. Size of image: The size of the image in memory, including all of the headers. Because the image is loaded into memory, it must be a multiple of SectionAlignment. In other words, this value is the file size: the combined size of all sections of the file.
Subsystem: The subsystem required to run the PE image. Generally, the value of Subsystem is 2. Number of RVA and sizes: The number of data directories in the remainder of the optional header.
Data directories: This is another sub-section of the header. In the current PE file, only 11 of the 16 entries are used, as defined in winnt. Some of the directories are shown below. Each data directory entry specifies the size and relative virtual address of the directory. To locate a particular directory, we first read its relative virtual address from the data directory array in the optional header, then use that virtual address to determine which section the directory lies in.
Once we know which section contains the directory, the section header for that section is used to find the exact file offset of the data directory. So, to get a data directory, we first need to know about sections, which are described next.
An example of how to locate data directories immediately follows this discussion. We can see the various sections and headers in the following image, which is from a hex editor.
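The lookup described above (data directory entry, then RVA, then containing section, then file offset), as an added example that is not part of the original post. It builds a constructed, minimal PE32 header in memory so it runs offline; the field offsets follow the PE32 optional header layout, and real files would be read from disk instead of `build_sample_pe()`.

```python
import struct

# Constructed sample input (not a real binary): minimal PE32 headers plus two empty sections.
def build_sample_pe():
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, opt hdr 224 bytes
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)  # Magic 0x10b, entry 0x1000
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(128)                                      # 16 IMAGE_DATA_DIRECTORY entries
    struct.pack_into("<II", dirs, 0, 0x2010, 0x40)             # export table RVA/size, lives in .rdata
    struct.pack_into("<II", dirs, 8, 0x2100, 0x28)             # import table RVA/size, lives in .rdata
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + opt + bytes(dirs) + sec).ljust(0x600, b"\0")

def parse_pe(data):
    # DOS header -> e_lfanew -> "PE\0\0" -> COFF file header -> optional header -> section table
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                        # optional header starts after the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:        # Magic 0x10b = PE32 (PE32+ is not handled here)
        raise ValueError("only PE32 handled in this example")
    image_base, sec_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                      # one 40-byte IMAGE_SECTION_HEADER each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return {"ImageBase": image_base, "SectionAlignment": sec_align, "FileAlignment": file_align,
            "SizeOfImage": size_of_image, "Subsystem": subsystem, "DataDirectories": dirs,
            "Sections": sections}

def locate_directory(pe, index):
    # Data directory entry -> RVA -> containing section -> file offset (the lookup described above)
    rva, size = pe["DataDirectories"][index]
    for name, va, sec_size, rawptr in pe["Sections"]:
        if rva and va <= rva < va + sec_size:
            return name, rva - va + rawptr, size
    return None                                                # unused entry, or RVA outside every section
```

Index 0 is the export directory and index 1 the import directory; an RVA that no section covers (or a zero entry) yields None, which is exactly the case a parser must handle rather than trusting the header.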
The RVA is the address of the table relative to the base address of the image once the table is loaded. The second field gives the size in bytes. To make this more practical, we can use OllyDbg or Immunity Debugger here. We will use OllyDbg to see the different sections of a PE file, as shown below, where all the headers and sections are clearly visible.
Hence the. Data that does not fall into either of the two categories above falls into the. It basically contains information about the names and addresses of exported functions. Dynamic Link Libraries provide a way to modularize applications so that functions can be reused more easily. This section contains an export directory that provides the addresses and offsets of the functions to programs that import the DLL.
The most important structures defined in this section are the Import Directory and the Import Address Table. The import section makes modularity easier to implement: since a DLL can be modified at any time, the import section protects the application from such changes. Debug information is initially placed in the. The PE file format also supports separate debug files as a means of collecting debug information in a central location. This section contains the debug information.
The above program is assembly code, compiled using FASM. The executable file formed by compiling it is shown below. The screenshot shows the hex view of the section table, where we can see the names of the sections as defined in the code. Further posts detailing the more intricate details of Portable Executable files are in the works.
It is like a warning message stating that the program cannot be run on Windows. It starts just after the 4-byte reserved address "e_lfanew" and its standard size is bytes. The diagram below illustrates the structure and values of the PE executable.
Exhibit 1. Exhibit 2. This header follows the FileHeader and occupies the next bytes, containing information about the logical layout of the file. Some of the important fields are listed below. Exhibit 3. The section table immediately follows the optional header. It contains information about the sections present in the PE file. The PE file sections contain the main content of the file, including code, data, resources, and other executable content.
Each section has a header and a body. PE data can be viewed using various tools; some of the free ones are listed below.
Thus, this is a brief about the Portable Executable File Structure.