PE File structure
                IMAGE_NT_HEADERS32

              MZ
            header    PE header       Section 1    ...
Image Information
typedef struct _IMAGE_OPTIONAL_HEADER {
   // Standard fields.
   WORD Magic;
   …
   DWORD AddressOfEnt...
Section Information
typedef struct _IMAGE_SECTION_HEADER {
  BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
  union {
       DWORD Ph...
Directory




 Import       Export      Relocation



Debug info   Resources       TLS
Import
Import
Import Descriptors Table   Import Names Table for kernel32.dll
                              “LoadLibraryA”
       ...
Import
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
   union {
      DWORD Characteristics;     // 0 for terminating null imp...
Export
Export




 Names Table   Function Pointers Table    Ordinals Table




“StubData”           17138               0x00000001
Export
typedef struct _IMAGE_EXPORT_DIRECTORY {
   DWORD Characteristics;
   DWORD TimeDateStamp;
   WORD MajorVersion;
  ...
Relocations
Relocation



   Header   offs1   …   offsN    Header       offs1   …   offsN   Header




0x401000                       ...
Relocation
typedef struct _IMAGE_BASE_RELOCATION {
   DWORD VirtualAddress;
   DWORD SizeOfBlock;
// WORD TypeOffset[1];
}...
Loader

Pe Format


Portable executable format

Published in: Education, Business, Technology

Pe Format

  1. 1. PE File structure: MZ header (IMAGE_DOS_HEADER) | PE header (IMAGE_NT_HEADERS32) | Section 1 | Section … | Section N. The diagram labels three header parts: Image Information (IMAGE_OPTIONAL_HEADER32), Section Information (IMAGE_SECTION_HEADER) and Directory.
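  /*
   * Slide 2 - Image Information (excerpt of IMAGE_OPTIONAL_HEADER32).
   *
   * The slide elides fields with "…"; the gaps are marked below, so this is
   * not the complete structure layout and must not be used for sizeof/offset
   * calculations.
   *
   * Every value is read directly from the file. A parser that handles
   * untrusted images should range-check each RVA and size against the file
   * and SizeOfImage before dereferencing anything derived from them.
   */
  typedef struct _IMAGE_OPTIONAL_HEADER {
      // Standard fields.
      WORD  Magic;
      /* … fields omitted on the slide … */
      DWORD AddressOfEntryPoint;   // RVA, relative to the image base
      DWORD BaseOfCode;
      DWORD BaseOfData;
      DWORD ImageBase;             // preferred load address
      /* … fields omitted on the slide … */
      DWORD SizeOfImage;
      DWORD SizeOfHeaders;
      /* … fields omitted on the slide … */
      DWORD LoaderFlags;
      /* … field omitted on the slide (NumberOfRvaAndSizes in winnt.h): it
       * states how many DataDirectory entries are actually meaningful, so
       * check it before indexing the array below. */
      IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
  } IMAGE_OPTIONAL_HEADER32;   /* terminating ';' was missing on the slide */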
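  /*
   * Slide 3 - Section Information.
   *
   * One IMAGE_SECTION_HEADER describes one section: where its bytes sit in
   * the file and where they are placed in memory. All fields come from the
   * file, so validate them before use: PointerToRawData + SizeOfRawData must
   * stay inside the file, and VirtualAddress + Misc.VirtualSize inside the
   * image. Do both additions in a wider type so they cannot wrap.
   */
  typedef struct _IMAGE_SECTION_HEADER {
      /* Fixed-size name; it is NOT NUL-terminated when it fills the whole
       * array, so never pass it to string functions without a length bound. */
      BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
      union {
          DWORD PhysicalAddress;
          DWORD VirtualSize;       // size of the section once loaded
      } Misc;
      DWORD VirtualAddress;        // RVA of the section in the loaded image
      DWORD SizeOfRawData;         // bytes of section data present in the file
      DWORD PointerToRawData;      // file offset of that data
      DWORD PointerToRelocations;
      DWORD PointerToLinenumbers;
      WORD  NumberOfRelocations;
      WORD  NumberOfLinenumbers;
      DWORD Characteristics;       // section flags
  } IMAGE_SECTION_HEADER;   /* terminating ';' was missing on the slide */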
  4. 4. Directory Import Export Relocation Debug info Resources TLS
  5. 5. Import
  6. 6. Import Import Descriptors Table Import Names Table for kernel32.dll “LoadLibraryA” “GetProcAddress” Import Address Table for kernel32.dll Kernel32.dll RVA for LoadLibraryA() pointer RVA for GetProcAddress() pointer Import Names Table for ws2_32.dll “socket” “WSAStartup” Import Address Table for ws2_32.dll Ws2_32.dll RVA for socket() pointer RVA for WSAStartup() pointer
  /*
   * Slide 7 - Import.
   *
   * The import directory is an array of IMAGE_IMPORT_DESCRIPTOR, one per
   * imported DLL. The array carries no element count: it ends at a
   * descriptor whose fields are zero. When parsing an untrusted file, bound
   * the walk by the import directory size / end of image as well, so a
   * missing terminator cannot run the parser off the mapped data.
   */
  typedef struct _IMAGE_IMPORT_DESCRIPTOR {
      union {
          DWORD Characteristics;     // 0 for terminating null import descriptor
          DWORD OriginalFirstThunk;  // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
      };
      DWORD TimeDateStamp;
      DWORD ForwarderChain;          // -1 if no forwarders
      DWORD Name;                    // RVA of the DLL name string; check the RVA and
                                     // that the string terminates inside the image
      DWORD FirstThunk;              // RVA to IAT
  } IMAGE_IMPORT_DESCRIPTOR;

  /*
   * One entry of a thunk array. All four members share the same 32 bits;
   * which one applies depends on the entry's state and flags, which this
   * slide does not show.
   */
  typedef struct _IMAGE_THUNK_DATA32 {
      union {
          DWORD ForwarderString;     // PBYTE
          DWORD Function;            // PDWORD
          DWORD Ordinal;
          DWORD AddressOfData;       // PIMAGE_IMPORT_BY_NAME
      } u1;
  } IMAGE_THUNK_DATA32;
  8. 8. Export
  9. 9. Export: Names Table → “StubData”; Function Pointers Table → 17138; Ordinals Table → 0x00000001
  /*
   * Slide 10 - Export.
   *
   * Header of the export directory. It points at three parallel tables
   * (function addresses, names, name ordinals) and gives their lengths.
   * The counts and RVAs are file-controlled: before indexing, confirm that
   * each table lies inside the image for the stated count, and that every
   * value read from the ordinals table is below NumberOfFunctions.
   */
  typedef struct _IMAGE_EXPORT_DIRECTORY {
      DWORD Characteristics;
      DWORD TimeDateStamp;
      WORD  MajorVersion;
      WORD  MinorVersion;
      DWORD Name;                    // RVA of the module name string
      DWORD Base;                    // starting ordinal number
      DWORD NumberOfFunctions;       // entries in the AddressOfFunctions table
      DWORD NumberOfNames;           // entries in the names and ordinals tables
      DWORD AddressOfFunctions;      // RVA from base of image
      DWORD AddressOfNames;          // RVA from base of image
      DWORD AddressOfNameOrdinals;   // RVA from base of image
  } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
  11. 11. Relocations
  12. 12. Relocation Header offs1 … offsN Header offs1 … offsN Header 0x401000 0x402000 Section
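  /*
   * Slide 13 - Relocation.
   *
   * The relocation directory is a sequence of blocks. Each block starts with
   * this header and is followed by 16-bit TypeOffset entries.
   *
   * SizeOfBlock counts the header as well as the entries, so the entry count
   * is (SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD). A parser
   * must reject a SizeOfBlock smaller than the header (the subtraction would
   * wrap, and a zero size would never advance to the next block) and any
   * block that extends past the end of the relocation directory.
   */
  typedef struct _IMAGE_BASE_RELOCATION {
      DWORD VirtualAddress;   // RVA that the entries' offsets are added to
      DWORD SizeOfBlock;      // total bytes in this block, header included
  //  WORD  TypeOffset[1];
  } IMAGE_BASE_RELOCATION;

  /*
   * One relocation entry: low 12 bits = offset from the block's
   * VirtualAddress, high 4 bits = relocation type.
   *
   * Both bit-fields use WORD. The slide declared Type as CHAR, but compilers
   * using the Microsoft bit-field layout do not pack fields of differently
   * sized base types into one unit, which makes the struct larger than the
   * 16-bit on-disk entry; a signed 4-bit field would also read types >= 8 as
   * negative. Bit-field order is still implementation-defined, so portable
   * code should read a WORD and use (entry >> 12) and (entry & 0x0FFF).
   *
   * The typedef now names the type; `struct TypeOffset` keeps working.
   */
  typedef struct TypeOffset {
      WORD Offset : 12;
      WORD Type   : 4;
  } TypeOffset;

  #define IMAGE_REL_BASED_HIGHLOW 3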
  14. 14. Loader
