PE File Format Offset Reference

Posted Fly20141201


When analysing PE-format viruses, parsing the PE file format comes up constantly, especially with LoadPE-style viruses, where you are forever looking up PE file format offsets, so I have reposted a copy from the blog 《PE文件格式的偏移参考》 (PE file format offset reference). I had also seen another rather good blog post about PE file offsets online earlier, but forgot to bookmark it. When analysing PE-format viruses I also often refer to the blog 《PE文件格式学习笔记》 (PE file format study notes); the author's study notes on the PE file format are well written. Other reference books are 《加密与解密(第3版)》 (Encryption and Decryption, 3rd edition) and 《黑客免杀攻防》 (Hacker AV-evasion attack and defence). Incidentally, the explanation of the PE file format in 《黑客免杀攻防》 is fairly good but also contains quite a few errors; overall the book is still very good for learning reverse engineering and kernel attack/defence on the PC.

Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions, there are still plenty of useful fixed and relative offsets that help when disassembling or examining PE files. Resource information and the like is omitted; good tools exist to manipulate that, e.g. ResHacker.

The DOS Header

 

OFFSET  SIZE      NAME         EXPLANATION
00      WORD      e_magic      Magic DOS signature MZ (4Dh 5Ah)
02      WORD      e_cblp       Bytes on last page of file
04      WORD      e_cp         Pages in file
06      WORD      e_crlc       Relocations
08      WORD      e_cparhdr    Size of header in paragraphs
0A      WORD      e_minalloc   Minimum extra paragraphs needed
0C      WORD      e_maxalloc   Maximum extra paragraphs needed
0E      WORD      e_ss         Initial (relative) SS value
10      WORD      e_sp         Initial SP value
12      WORD      e_csum       Checksum
14      WORD      e_ip         Initial IP value
16      WORD      e_cs         Initial (relative) CS value
18      WORD      e_lfarlc     File address of relocation table
1A      WORD      e_ovno       Overlay number
1C      WORD[4]   e_res        Reserved words
24      WORD      e_oemid      OEM identifier (for e_oeminfo)
26      WORD      e_oeminfo    OEM information; e_oemid specific
28      WORD[10]  e_res2       Reserved words
3C      DWORD     e_lfanew     File offset of the PE signature (start of the NT headers)

Of this header the Windows loader only looks at e_magic and e_lfanew; every other field belongs to the 16-bit DOS stub, so packers and malware can (and do) overwrite them freely. Always validate that e_lfanew points inside the file before following it.

 

The PE Header

Offsets shown are from the PE signature, i.e. file offset = e_lfanew + OFFSET. The optional header layout below is the 32-bit one (PE32, Magic 010Bh); where PE32+ (Magic 020Bh) differs, the difference is noted in the row it affects.

OFFSET  SIZE   NAME                         EXPLANATION
00      DWORD  Signature                    PE signature PE\0\0 (50h 45h 00h 00h)
04      WORD   Machine                      014Ch = x86 (Intel 386 and later), 8664h = x64 (AMD64),
                                            0200h = Intel Itanium (IA-64, not x64), 01C0h = ARM, AA64h = ARM64,
                                            0162h = MIPS R3000. The 014Dh/014Eh (486/586) values found in old
                                            documentation are not used by Windows.
06      WORD   NumberOfSections             Number of entries in the section table
08      DWORD  TimeDateStamp                Date & time the image was created by the linker (seconds since 1970-01-01 UTC)
0C      DWORD  PointerToSymbolTable         Zero, or file offset of the COFF symbol table in older files
10      DWORD  NumberOfSymbols              Number of symbols in the COFF symbol table
14      WORD   SizeOfOptionalHeader         Size of the optional header in bytes (E0h = 224 for PE32, F0h = 240 for PE32+)
16      WORD   Characteristics              Flags: 0001h = RELOCS_STRIPPED, 0002h = EXECUTABLE_IMAGE,
                                            0020h = LARGE_ADDRESS_AWARE, 0100h = 32BIT_MACHINE, 2000h = DLL
18      ********** START OF OPTIONAL HEADER **************************************
18      WORD   Magic                        010Bh = PE32 (32-bit image), 020Bh = PE32+ (64-bit image), 0107h = ROM image
1A      BYTE   MajorLinkerVersion           Major version number of the linker
1B      BYTE   MinorLinkerVersion           Minor version number of the linker
1C      DWORD  SizeOfCode                   Size of the code section, or the sum if there are multiple code sections
20      DWORD  SizeOfInitializedData        As above, for initialized data sections
24      DWORD  SizeOfUninitializedData      As above, for uninitialized data (.bss) sections
28      DWORD  AddressOfEntryPoint          RVA where execution starts; optional for DLLs, zero when none present
2C      DWORD  BaseOfCode                   RVA of the first byte of code when loaded into RAM
30      DWORD  BaseOfData                   RVA of the first byte of data when loaded into RAM (PE32 only; absent in PE32+)
34      DWORD  ImageBase                    Preferred load address (PE32+: a QWORD at 30h, so the fields 38h to 5Eh keep the offsets below)
38      DWORD  SectionAlignment             Alignment of sections when loaded into RAM; must be >= FileAlignment
3C      DWORD  FileAlignment                Alignment of section raw data in the file on disk (usually 200h)
40      WORD   MajorOperatingSystemVersion  Major version no. of the required operating system
42      WORD   MinorOperatingSystemVersion  Minor version no. of the required operating system
44      WORD   MajorImageVersion            Major version number of the image
46      WORD   MinorImageVersion            Minor version number of the image
48      WORD   MajorSubsystemVersion        Major version number of the subsystem
4A      WORD   MinorSubsystemVersion        Minor version number of the subsystem
4C      DWORD  Win32VersionValue            Reserved, must be zero (named Reserved1 in some header files)
50      DWORD  SizeOfImage                  Amount of memory the loader allocates for the image, headers included; must be a multiple of SectionAlignment
54      DWORD  SizeOfHeaders                Combined size of all headers and the section table, rounded up to FileAlignment; the raw data of the first section starts here
58      DWORD  CheckSum                     Image checksum (only enforced for kernel-mode drivers and some system DLLs)
5C      WORD   Subsystem                    0001h = native (drivers), 0002h = Windows GUI, 0003h = Windows console (CUI)
5E      WORD   DllCharacteristics           Bit flags, not an enumeration. 0001h, 0002h, 0004h and 0008h are reserved (the old
                                            per-process/per-thread library init/term meanings are obsolete). Security-relevant bits:
                                            0020h = HIGH_ENTROPY_VA (64-bit ASLR), 0040h = DYNAMIC_BASE (ASLR),
                                            0080h = FORCE_INTEGRITY (signature check enforced), 0100h = NX_COMPAT (DEP),
                                            0400h = NO_SEH, 1000h = APPCONTAINER, 4000h = GUARD_CF (Control Flow Guard).
                                            Others: 0200h = NO_ISOLATION, 0800h = NO_BIND, 2000h = WDM_DRIVER, 8000h = TERMINAL_SERVER_AWARE
60      DWORD  SizeOfStackReserve           Number of bytes reserved for the stack (PE32+: QWORD at 60h)
64      DWORD  SizeOfStackCommit            Number of bytes initially committed for the stack (PE32+: QWORD at 68h)
68      DWORD  SizeOfHeapReserve            Number of bytes reserved for the local heap (PE32+: QWORD at 70h)
6C      DWORD  SizeOfHeapCommit             Number of bytes initially committed for the local heap (PE32+: QWORD at 78h)
70      DWORD  LoaderFlags                  Obsolete, must be zero (PE32+: 80h)
74      DWORD  NumberOfRvaAndSizes          Number of data directory entries that follow, normally 16 (10h); the loader never reads more than 16 (PE32+: 84h)
78      ********** START OF DATA DIRECTORY (PE32+: 88h) **************************************
78      DWORD  IMAGE_DATA_DIRECTORY[0]      RVA of Export Directory
7C      DWORD                               Size of Export Directory
80      DWORD  IMAGE_DATA_DIRECTORY[1]      RVA of Import Directory (array of IMAGE_IMPORT_DESCRIPTORs)
84      DWORD                               Size of Import Directory
88      DWORD  IMAGE_DATA_DIRECTORY[2]      RVA of Resource Directory
8C      DWORD                               Size of Resource Directory
90      DWORD  IMAGE_DATA_DIRECTORY[3]      RVA of Exception Directory
94      DWORD                               Size of Exception Directory
98      DWORD  IMAGE_DATA_DIRECTORY[4]      Raw file offset (not an RVA) of the Security Directory (Authenticode certificate table)
9C      DWORD                               Size of Security Directory

Each further directory is the same RVA/size pair: entries 5 to 15 are base relocation, debug, architecture, global pointer, TLS, load config, bound import, IAT, delay import, CLR runtime header and a reserved entry.
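The following parser is an added example, not code from the original page or from the reference it reposts: it follows the tables above from MZ through e_lfanew to the COFF header, the optional header (both the PE32 layout printed above and the PE32+ shifts noted in the rows), the data directory and the section table, and then resolves an RVA to a raw file offset, which is the lookup that LoadPE-style analysis needs. It bounds-checks every header value that is used as an offset, reports the security-relevant DllCharacteristics bits, and runs on a minimal image constructed inline (build_sample, a helper of this example; the image is sample data, not a real binary).

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS = {           # security-relevant DllCharacteristics bits
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF"}
DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc",
                   "Debug", "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport",
                   "IAT", "DelayImport", "CLR", "Reserved"]


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table.
    Every value used as an offset or count is bounds-checked first: an oversized e_lfanew,
    SizeOfOptionalHeader or NumberOfSections is a classic way to crash a naive parser."""
    def u16(off): return struct.unpack_from("<H", data, off)[0]
    def u32(off): return struct.unpack_from("<I", data, off)[0]

    if len(data) < 0x40 or u16(0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = u32(0x3C)                                   # DOS header +3Ch
    if e_lfanew + 0x1A > len(data) or u32(e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature inside the file")
    # COFF file header: 20 bytes at PE sig +04h; optional header starts at PE sig +18h
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 0x18
    magic = u16(opt)
    if magic == PE32_MAGIC:
        # PE32: BaseOfData present, ImageBase is a DWORD; the table offsets apply as printed
        fixed_size, nrva_off, dir_off = 0x60, opt + 0x5C, opt + 0x60
    elif magic == PE32PLUS_MAGIC:
        # PE32+: no BaseOfData; ImageBase and the stack/heap sizes are QWORDs, which moves
        # NumberOfRvaAndSizes to opt+6Ch and the data directory to opt+70h
        fixed_size, nrva_off, dir_off = 0x70, opt + 0x6C, opt + 0x70
    else:
        raise ValueError(f"unknown optional header magic {magic:#06x}")
    if opt_size < fixed_size or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    entry, base_of_code = struct.unpack_from("<II", data, opt + 0x10)
    if magic == PE32_MAGIC:
        base_of_data, image_base = struct.unpack_from("<II", data, opt + 0x18)
    else:
        base_of_data, image_base = None, struct.unpack_from("<Q", data, opt + 0x18)[0]
    section_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 0x38)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 0x44)
    # Never trust NumberOfRvaAndSizes alone: the loader caps it at 16 and the entries
    # must fit inside SizeOfOptionalHeader
    nrva = min(u32(nrva_off), 16, (opt + opt_size - dir_off) // 8)
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(nrva)}
    # Section table: 40-byte IMAGE_SECTION_HEADER entries right after the optional header
    sect_off = opt + opt_size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_pointer": raw_ptr})
    return {"machine": machine, "timestamp": tstamp, "characteristics": chars,
            "pe32plus": magic == PE32PLUS_MAGIC, "entry_point": entry, "base_of_code": base_of_code,
            "base_of_data": base_of_data, "image_base": image_base, "section_alignment": section_align,
            "file_alignment": file_align, "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "subsystem": subsystem, "directories": dirs, "sections": sections,
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit]}


def rva_to_file_offset(pe: dict, rva: int):
    """Map an RVA (AddressOfEntryPoint, a directory RVA, ...) to its raw file offset via the
    section table. None means the RVA has no bytes on disk: past the raw data of its section
    (zero-filled by the loader) or outside every section."""
    if rva < pe["size_of_headers"]:
        return rva                                          # headers are mapped 1:1 at ImageBase
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            delta = rva - s["virtual_address"]
            return s["raw_pointer"] + delta if delta < s["raw_size"] else None
    return None


def build_sample(pe32plus: bool = False) -> bytes:
    """Constructed sample image: one .text section, a RET at the entry point, a dummy import
    directory entry and no real import table. Example data, not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                    # e_lfanew = 40h
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0x5EDF0000, 0, 0,
                       0xF0 if pe32plus else 0xE0, 0x0022 if pe32plus else 0x0102)
    versions = (6, 0, 0, 0, 6, 0)                          # OS, image, subsystem major/minor
    # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem=GUI, DllCharacteristics
    tail = (0, 0x2000, 0x400, 0, 2, 0x0160 if pe32plus else 0x0140)   # DYNAMIC_BASE|NX_COMPAT (+HIGH_ENTROPY_VA)
    if pe32plus:
        opt = struct.pack("<HBB" + "I" * 5 + "Q" + "II" + "H" * 6 + "IIII" + "HH" + "Q" * 4 + "II",
                          0x20B, 14, 0, 0x200, 0, 0, 0x1010, 0x1000, 0x140000000, 0x1000, 0x200,
                          *versions, *tail, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    else:
        opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                          0x10B, 14, 0, 0x200, 0, 0, 0x1010, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                          *versions, *tail, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 0x28)                               # Import directory entry (header value only)
    dir_bytes = b"".join(struct.pack("<II", *d) for d in dirs)
    # .text: VirtualSize 100h at RVA 1000h, 200h raw bytes at file offset 400h, CODE|EXECUTE|READ
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + dir_bytes + sect).ljust(0x400, b"\0")
    return headers + (b"\0" * 0x10 + b"\xC3").ljust(0x200, b"\0")       # RET at RVA 1010h
```

Calling parse_pe(build_sample()) returns entry_point 1010h, which rva_to_file_offset maps to file offset 410h through the .text header (RVA 1000h, raw pointer 400h); the same RVA 1010h in the PE32+ sample resolves the same way even though the optional header fields after ImageBase have moved. A pointer such as e_lfanew set to FFFFFF00h is rejected with a ValueError instead of an index error, which is the behaviour you want when feeding untrusted samples through a triage script.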
