PE结构(1)DOS/NT/PE/OP头信息
Last updated on January 7, 2024 pm
结构图总览
DOS HEAD
总计64字节存储DOS头信息
| 字节数 | 名称 | 示例值 | 备注 |
|---|---|---|---|
| WORD | e_magic | 5A 4D | 标注该文件为可执行文件 |
| WORD | e_cblp | 00 90 | |
| WORD | e_cp | 00 03 | |
| WORD | e_crlc | 00 00 | |
| WORD | e_cparhdr | 00 04 | |
| WORD | e_minalloc | 00 00 | |
| WORD | e_maxalloc | FF FF | |
| WORD | e_ss | 00 00 | |
| WORD | e_sp | 00 B8 | |
| WORD | e_csum | 00 00 | |
| WORD | e_ip | 00 00 | |
| WORD | e_cs | 00 00 | |
| WORD | e_lfarlc | 00 40 | |
| WORD | e_ovno | 00 00 | |
| WORD[4] | e_res | 00 00 | 0000 0000 0000 0000 |
| WORD | e_oemid | 00 00 | |
| WORD | e_oeminfo | 00 00 | |
| WORD[10] | e_res2 | 00 00 | 0000…0000 |
| DWORD | e_lfanew | 00 00 00 F8 | PE文件头偏移量 |
NT HEAD
前4字节存储”PE”字符串
| 字节数 | 名称 | 示例值 | 备注 |
|---|---|---|---|
| DWORD | Signature | 00 00 45 50 | 字符串”PE”,由e_lfanew偏移至此 |
PE HEAD
中20字节存储PE文件头
| 字节数 | 名称 | 示例值 | 备注 |
|---|---|---|---|
| WORD | Machine | 01 4C | 运行CPU型号 0x0:任意CPU 0x14C:386及后续处理器 |
| WORD | NumberOfSections | 00 02 | 区块(节)数量 |
| DWORD | TimeDateStamp | 44 62 0B BF | 文件创建(编译)时间 |
| DWORD | PointerToSymbolTable | 00 00 00 00 | |
| DWORD | NumberOfSymbols | 00 00 00 00 | |
| WORD | SizeOfOptionalHeader | 00 E0 | OP头所占字节长度,32位默认0xE0,64位默认0xF0,可自定义 |
| WORD | Characteristics | 01 0F | 位标识器,可执行文件为01 0F |
OPTIONAL HEAD
| 字节数 | 名称 | 示例值 | 备注 |
|---|---|---|---|
| WORD | Magic | 01 0B | 0x010B为32位PE文件,0x020B为64位 |
| BYTE | MajorLinkerVersion | 07 | |
| BYTE | MinorLinkerVersion | 0A | |
| DWORD | SizeOfCode | 00 06 C0 00 | |
| DWORD | SizeOfInitializedData | 00 00 C0 00 | |
| DWORD | SizeOfUninitializedData | 00 00 00 00 | |
| DWORD | AddressOfEntryPoint | 00 00 10 00 | 程序执行入口RVA |
| DWORD | BaseOfCode | 00 00 10 00 | 代码区块(节)起始RVA,没用 |
| DWORD | BaseOfData | 00 06 D0 00 | 数据区块(节)起始RVA,没用 |
| DWORD | ImageBase | 00 40 00 00 | 文件装载入内存时的首选地址 |
| DWORD | SectionAlignment | 00 00 10 00 | 内存中区块(节)对齐长度,一般为0x1000(4KB) |
| DWORD | FileAlignment | 00 00 02 00 | 文件中区块(节)对齐长度 |
| WORD | MajorOperatingSystemVersion | 00 04 | |
| WORD | MinorOperatingSystemVersion | 00 00 | |
| WORD | MajorImageVersion | 00 00 | |
| WORD | MinorImageVersion | 00 00 | |
| WORD | MajorSubsystemVersion | 00 04 | |
| WORD | MinorSubsystemVersion | 00 00 | |
| DWORD | Win32VersionValue | 00 00 00 00 | |
| DWORD | SizeOfImage | 00 07 B0 00 | 映像装入内存后总大小,可以比实际值大,但必须是SectionAlignment的整数倍 |
| DWORD | SizeOfHeader | 00 00 04 00 | 从S-DOS头部+PE头部+区块表总大小,必须是SectionAlignment的整数倍 |
| DWORD | CheckSum | 00 03 2E 63 | 区块的校验和 |
| WORD | Subsystem | 00 02 | |
| WORD | DllCharacteristics | 00 00 | |
| DWORD | SizeOfStackReserve | 00 10 00 00 | |
| DWORD | SizeOfStackCommit | 00 00 10 00 | |
| DWORD | SizeOfHeapReserve | 00 10 00 00 | |
| DWORD | SizeOfHeapCommit | 00 00 10 00 | |
| DWORD | LoaderFlags | 00 00 00 00 | |
| DWORD | NmberOfRvaAndSizes | 00 00 00 10 | 数据目录表个数 |
PE结构(1)DOS/NT/PE/OP头信息
http://dubhehub.github.io/blogs/2024010716170052947.html