The PE - Header
^^^^^^^^^^^^^^^
by Renegade
The portable executable file format begins with the DOS header:
 __________
|DOS Header|
 __________________________________________
|dw e_magic: the magic number; 0x05A4 = MZ |
|------------------------------------------|
|dw e_cblp: bytes of last page             |
|------------------------------------------|
|dw e_cp: number of pages                  |
|------------------------------------------|
|dw e_crlc: reloc.                         |
|------------------------------------------|
|dw e_cparhdr: header-size                 |
|------------------------------------------|
|dw e_minalloc: min. of alloc. paragraphs  |
|------------------------------------------|
|dw e_maxalloc: max. of alloc. paragraphs  |
|------------------------------------------|
|dw e_ss: SS value                         |
|------------------------------------------|
|dw e_sp: SP value                         |
|------------------------------------------|
|dw e_csum: checksum                       |
|------------------------------------------|
|dw e_ip: IP value                         |
|------------------------------------------|
|dw e_cs: CS value                         |
|------------------------------------------|
|dw e_lfarlc: address of reloc. table      |
|------------------------------------------|
|dw e_ovno: overlays                       |
|------------------------------------------|
|dw e_oemid: OEM - Identifier              |
|------------------------------------------|
|dw e_oeminfo: OEM Info                    |
|------------------------------------------|
|dd e_lfanew: address of NE                |
|------------------------------------------|
dd e_lfanew: this RVA also points to the PE header.
 ________
|DOS Stub|
 --------
The stub contains information about the OS the program must be run under,
e.g. "This program must be run under Microsoft Windows" or something like
that.
The actual PE-Header
^^^^^^^^^^^^^^^^^^^^
|--------------------------|-----------------------|--------------------|
| Signature                | CPU                   | Sections           |
|--------------------------|-----------------------|--------------------|
| Time / Date Stamp        | Pointer to symbol table                    |
|--------------------------|-----------------------|--------------------|
| Symbols                  | NT Header size        | Flags              |
|---------|----------------|-----------------------|--------------------|
| LMAJOR  | LMINOR         | Size of code                               |
|---------|----------------|--------------------------------------------|
| Initialized data         | Uninitialized data                         |
|--------------------------|--------------------------------------------|
| Entrypoint RVA           | Base of code                               |
|--------------------------|--------------------------------------------|
| Base of data             | Image base                                 |
|--------------------------|--------------------------------------------|
| Section alignment        | File alignment                             |
|-----------|--------------|-----------------------|--------------------|
| OS MAJOR  | OS MINOR     | User MAJOR            | User MINOR         |
|-------------|------------|-----------------------|--------------------|
| Subsys MAJ. | Subsys MIN.| Version                                    |
|-------------|------------|--------------------------------------------|
| Image size               | Header size                                |
|--------------------------|---------------------|----------------------|
| Checksum                 | Subsystem           | DLL Flags            |
|--------------------------|---------------------|----------------------|
| Stack reserve size       | Stack commit size                          |
|--------------------------|--------------------------------------------|
| Heap reserve size        | Heap commit size                           |
|--------------------------|--------------------------------------------|
| Loader Flags             | # interesting RVA / Sizes                  |
|--------------------------|--------------------------------------------|
| Export table RVA         | Total export data size                     |
|--------------------------|--------------------------------------------|
| Import table RVA         | Total import data size                     |
|--------------------------|--------------------------------------------|
| Resource table RVA       | Total resource data size                   |
|--------------------------|--------------------------------------------|
| Exception table RVA      | Total exception data size                  |
|--------------------------|--------------------------------------------|
| Security table RVA       | Total security data size                   |
|--------------------------|--------------------------------------------|
| Fixup table RVA          | Total fixup data size                      |
|--------------------------|--------------------------------------------|
| Debug table RVA          | Total debug directories                    |
|--------------------------|--------------------------------------------|
| Image description RVA    | Total description size                     |
|--------------------------|--------------------------------------------|
| Machine specific RVA     | Machine specific size                      |
|--------------------------|--------------------------------------------|
| Thread local storage RVA | Total TLS size                             |
|--------------------------|--------------------------------------------|
| Loader configuration RVA | Loader data size                           |
|--------------------------|--------------------------------------------|
| Bounded imports table    | Bounded imports data size                  |
|--------------------------|--------------------------------------------|
| Import addresses table   | Total IAT size                             |
|-----------------------------------------------------------------------|
Signature: 0454E = NE
^^^^^^^^^
CPU:
^^^
0000 = unknown
014c = 386
014d = 486
014e = 586
04550 = PE
LMAJOR/LMINOR: LinkerMajor/LinkerMinor version
^^^^^^^^^^^^^
Entrypoint RVA: Starting address for program images
^^^^^^^^^^^^^^
Image base: Virtual address of the first byte of a file
^^^^^^^^^^
Section alignment: default is 64K
^^^^^^^^^^^^^^^^^
File alignment: Value between 515 and 64K
^^^^^^^^^^^^^^
OS MAJOR/OS MINOR: required version of OS to run the program
^^^^^^^^^^^^^^^^^
User MAJOR/User MINOR: values for images / dll's set by user
^^^^^^^^^^^^^^^^^^^^^
Image size: Virtual size of the image
^^^^^^^^^^
Header size: Total header size
^^^^^^^^^^^
Checksum: Complete file checksum
^^^^^^^^
Subsystem: required NT subsystem to run program
^^^^^^^^^
0000 = unknown
0001 = native
0002 = Win GUI
0003 = Win Char.
0005 = OS/2
0007 = Posix
DLL Flags: Loader requirements
^^^^^^^^^
0001 =
0002 =
0004 =
0008 =
 ----------------
| PhysicalAddress |
| VirtualSize     |
| SizeofRawData   |
| PointertoR.Data |
| Pointertoreloc. |
| Pointertolinenum|
| Numberofrelocs  |
| Numberoflinenum |
| Characteristics |
 ----------------
-------------------------------------------------------------------------
NB: Between the last section header, the sections themselves and the
beginning of data there is some unused space because of the alignment.
This space can be used for saving code and data, things we use for our
virii.
_________________________________________________________________________
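As an added example, not code from the original document, the following Python walks the structures described above on a small 32-bit image that it constructs inline: the DOS header and e_lfanew, the "PE" signature, the COFF header, the optional header fields, the data directory table (in the same order as the "interesting RVA / Sizes" rows above) and the section headers. It then measures the alignment slack between the last section header and the first section's raw data that the NB above refers to, and reports whether that gap is all zero. The code treats e_lfanew as a file offset from the start of the file, handles only the PE32 layout (optional header magic 0x10B), and every byte of the sample image, its ".text" section and its import directory values, is constructed for the demo rather than taken from any real binary.

```python
"""Minimal PE header walker: DOS header -> e_lfanew -> "PE\0\0" -> COFF header
-> optional header -> data directories -> section headers -> alignment slack."""
import struct

DOS_MAGIC = 0x5A4D            # the bytes "MZ" read as a little-endian WORD
PE_SIGNATURE = b"PE\0\0"      # "PE" followed by two NUL bytes at e_lfanew
FILE_ALIGNMENT = 0x200

DOS_FIELDS = ("e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc e_ss "
              "e_sp e_csum e_ip e_cs e_lfarlc e_ovno e_oemid e_oeminfo e_lfanew").split()
DOS_FMT = "<14H8x2H20xI"      # e_res[4] and e_res2[10] are skipped with 'x'
COFF_FMT = "<2H3I2H"          # Machine, Sections, TimeDateStamp, SymTab, Symbols, OptSize, Flags
OPT32_FMT = "<H2B9I6H4I2H6I"  # PE32 optional header up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8s6I2HI"      # IMAGE_SECTION_HEADER (40 bytes)
SUBSYSTEMS = {0: "unknown", 1: "native", 2: "Win GUI", 3: "Win Char.", 5: "OS/2", 7: "Posix"}
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security", "fixup", "debug",
                   "description", "machine specific", "tls", "load config", "bound import", "iat"]


def build_sample_pe():
    """Constructed 32-bit image for the demo (not a real program): DOS header, a DOS
    stub, the PE header with one section, alignment padding, then the section data."""
    stub = b"This program must be run under Microsoft Windows\r\n$".ljust(64, b"\0")
    e_lfanew = struct.calcsize(DOS_FMT) + len(stub)            # 0x40 + 0x40 = 0x80
    dos = struct.pack(DOS_FMT, DOS_MAGIC, 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8,
                      0, 0, 0, 0x40, 0, 0, 0, e_lfanew)
    n_dirs = 16
    opt_size = struct.calcsize(OPT32_FMT) + 8 * n_dirs         # 96 + 128 = 224
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0x5F000000, 0, 0, opt_size, 0x0102)
    opt = struct.pack(OPT32_FMT,
                      0x10B, 14, 0,                      # PE32 magic, linker 14.0
                      0x200, 0x200, 0,                   # code / init data / uninit data sizes
                      0x1000, 0x1000, 0x2000,            # entry point RVA, base of code/data
                      0x400000, 0x1000, FILE_ALIGNMENT,  # image base, section align, file align
                      6, 0, 0, 0, 6, 0,                  # OS, user (image), subsystem versions
                      0, 0x2000, 0x200, 0,               # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8140,                         # subsystem = Win GUI, DLL flags
                      0x100000, 0x1000, 0x100000, 0x1000, 0, n_dirs)
    dirs = [(0, 0)] * n_dirs
    dirs[1] = (0x1100, 0x28)                                   # constructed import table RVA / size
    dir_bytes = b"".join(struct.pack("<2I", rva, size) for rva, size in dirs)
    section = struct.pack(SECTION_FMT, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + stub + PE_SIGNATURE + coff + opt + dir_bytes + section  # ends at 0x1A0
    headers = headers.ljust(FILE_ALIGNMENT, b"\0")     # alignment slack up to the first section
    return headers + b"\xC3" * 0x200                   # constructed filler for the .text raw data


def parse_dos_header(data):
    """Return the DOS header as a dict; without the MZ magic this is not a PE file."""
    fields = dict(zip(DOS_FIELDS, struct.unpack_from(DOS_FMT, data, 0)))
    if fields["e_magic"] != DOS_MAGIC:
        raise ValueError("missing MZ magic")
    return fields


def parse_pe(data):
    """Walk e_lfanew -> signature -> COFF header -> optional header -> directories -> sections."""
    dos = parse_dos_header(data)
    pe = dos["e_lfanew"]                                   # file offset of the PE header
    if data[pe:pe + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff = dict(zip(("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                     "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics"),
                    struct.unpack_from(COFF_FMT, data, pe + 4)))
    opt_off = pe + 4 + struct.calcsize(COFF_FMT)
    o = struct.unpack_from(OPT32_FMT, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("only PE32 (optional header magic 0x10B) is handled here")
    optional = {"LinkerVersion": (o[1], o[2]), "AddressOfEntryPoint": o[6], "ImageBase": o[9],
                "SectionAlignment": o[10], "FileAlignment": o[11], "SizeOfImage": o[19],
                "SizeOfHeaders": o[20], "Subsystem": SUBSYSTEMS.get(o[22], "other"),
                "DllCharacteristics": o[23], "NumberOfRvaAndSizes": o[29]}
    dir_off = opt_off + struct.calcsize(OPT32_FMT)
    directories = {}
    for i in range(optional["NumberOfRvaAndSizes"]):
        rva, size = struct.unpack_from("<2I", data, dir_off + 8 * i)
        name = DIRECTORY_NAMES[i] if i < len(DIRECTORY_NAMES) else f"directory {i}"
        if size:                                           # keep only directories that are present
            directories[name] = (rva, size)
    sec_off = opt_off + coff["SizeOfOptionalHeader"]       # section table follows the optional header
    sections = []
    for i in range(coff["NumberOfSections"]):
        s = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"Name": s[0].rstrip(b"\0").decode(), "VirtualSize": s[1],
                         "VirtualAddress": s[2], "SizeOfRawData": s[3],
                         "PointerToRawData": s[4], "Characteristics": s[9]})
    return {"dos": dos, "coff": coff, "optional": optional, "directories": directories,
            "sections": sections, "end_of_headers": sec_off + 40 * coff["NumberOfSections"]}


def header_slack(data):
    """(offset, length, all_zero) of the gap between the last section header and the
    first section's raw data. It is alignment padding, so non-zero bytes there are
    something the linker did not put there and deserve a closer look."""
    pe = parse_pe(data)
    raw_offsets = [s["PointerToRawData"] for s in pe["sections"] if s["SizeOfRawData"]]
    if not raw_offsets:
        return pe["end_of_headers"], 0, True
    gap = data[pe["end_of_headers"]:min(raw_offsets)]
    return pe["end_of_headers"], len(gap), not any(gap)


if __name__ == "__main__":
    image = build_sample_pe()
    info = parse_pe(image)
    print(f"e_lfanew=0x{info['dos']['e_lfanew']:X} machine=0x{info['coff']['Machine']:X} "
          f"subsystem={info['optional']['Subsystem']} entry=0x{info['optional']['AddressOfEntryPoint']:X}")
    print("directories present:", info["directories"])
    print("sections:", [(s["Name"], hex(s["PointerToRawData"])) for s in info["sections"]])
    print("header slack (offset, length, all zero):", header_slack(image))
```

For a binary under investigation, `header_slack(open(path, "rb").read())` gives the size of the padding region and whether it is clean; on the constructed sample the gap is 0x60 bytes starting at 0x1A0 and is all zero, and writing anything into it flips the last value to False, which is the check a reviewer would run before trusting that the headers of a file are what the linker produced.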