1、自己最近正在看加密解密中的 PE 文件格式,原来也一直看过 PE 格式,但是很快就忘了,这次特地自己把 WINNT.H 找出来,对每个结构参照书上面的说明研究了下,把 PE 的框架结构里面的一些结构体整理了下,分享给大家!代码:/MZ 格式typedef struct _IMAGE_DOS_HEADER / DOS .EXE headerWORD e_magic; / Magic numberWORD e_cblp; / Bytes on last page of fileWORD e_cp; / Pages in fileWORD e_crlc; / RelocationsWORD e_cp
2、arhdr; / Size of header in paragraphsWORD e_minalloc; / Minimum extra paragraphs neededWORD e_maxalloc; / Maximum extra paragraphs neededWORD e_ss; / Initial (relative) SS valueWORD e_sp; / Initial SP valueWORD e_csum; / ChecksumWORD e_ip; / Initial IP valueWORD e_cs; / Initial (relative) CS valueWO
3、RD e_lfarlc; / File address of relocationtableWORD e_ovno; / Overlay numberWORD e_res4; / Reserved wordsWORD e_oemid; / OEM identifier (for e_oeminfo)WORD e_oeminfo; / OEM information; e_oemid specificWORD e_res210; / Reserved wordsLONG e_lfanew; / File address of new exe header 这个最有用指出了真正的 PE 文件头 位
4、于开始偏移 3CH 字节处 /IMAGE_NT_HEADERS 结构(PE 头由三部分组成)typedef struct _IMAGE_NT_HEADERS DWORD Signature;IMAGE_FILE_HEADER FileHeader; /结构体IMAGE_OPTIONAL_HEADER32 OptionalHeader;/结构体 /IMAGE_FILE_HEADER 结构typedef struct _IMAGE_FILE_HEADER WORD Machine; /运行平台 intel i386 一般为 14ChWORD NumberOfSections; /块(section
5、)数目 DWORD TimeDateStamp; /时间日期标记DWORD PointerToSymbolTable; /COFF 符号指针,这是程序调试信息DWORD NumberOfSymbols; /符号数WORD SizeOfOptionalHeader; /可选部首长度,是IMAGE_OPTIONAL_HEADER 的长度WORD Characteristics; /文件属性 /IMAGE_OPTIONAL_HEADER 结构(可选映像头)typedef struct _IMAGE_OPTIONAL_HEADER / Standard fields./WORD Magic; /幻数,
6、一般为 10BH BYTE MajorLinkerVersion; /链接程序的主版本号BYTE MinorLinkerVersion; /链接程序的次版本号DWORD SizeOfCode; /代码段大小DWORD SizeOfInitializedData; /已初始化数据块的大小DWORD SizeOfUninitializedData; /未初始化数据库的大小DWORD AddressOfEntryPoint; /程序开始执行的入口地址,这是一个RVA(相对虚拟地址)DWORD BaseOfCode; /代码段的起始 RVADWORD BaseOfData; /数据段的起始 RVA/
7、NT additional fields./DWORD ImageBase; /可执行文件默认装入的基地址DWORD SectionAlignment; /内存中块的对齐值(默认的块对齐值为1000H,4KB 个字节)DWORD FileAlignment;/文件中块的对齐值(默认值为 200H 字节,为了保证块总是从磁盘的扇区开始的)WORD MajorOperatingSystemVersion;/要求操作系统的最低版本号的主版本号WORD MinorOperatingSystemVersion;/要求操作系统的最低版本号的次版本号WORD MajorImageVersion;/该可执行文
8、件的主版本号WORD MinorImageVersion;/该可执行文件的次版本号WORD MajorSubsystemVersion;/要求最低之子系统版本的主版本号WORD MinorSubsystemVersion;/要求最低之子系统版本的次版本号DWORD Win32VersionValue;/保留字DWORD SizeOfImage;/映像装入内存后的总尺寸DWORD SizeOfHeaders;/部首及块表的大小DWORD CheckSum;/CRC 检验和WORD Subsystem;/程序使用的用户接口子系统WORD DllCharacteristics;/DLLmain 函数
9、何时被调用,默认为 0DWORD SizeOfStackReserve;/初始化时堆栈大小DWORD SizeOfStackCommit;/初始化时实际提交的堆栈大小DWORD SizeOfHeapReserve;/初始化时保留的堆大小DWORD SizeOfHeapCommit;/初始化时实际提交的对大小DWORD LoaderFlags;/与调试有关,默认为 0DWORD NumberOfRvaAndSizes;/数据目录结构的数目IMAGE_DATA_DIRECTORY DataDirectoryIMAGE_NUMBEROF_DIRECTORY_ENTRIES;/数据目录表 /数据目录表
10、typedef struct _IMAGE_DATA_DIRECTORY DWORD VirtualAddress;/数据块的起始 RVADWORD Size;/数据块的长度 /块表()typedef struct _IMAGE_SECTION_HEADER BYTE NameIMAGE_SIZEOF_SHORT_NAME;union DWORD PhysicalAddress;DWORD VirtualSize; Misc;DWORD VirtualAddress;/该块的 RVADWORD SizeOfRawData;/在文件中对齐后的尺寸DWORD PointerToRawData;/在
11、文件中偏移DWORD PointerToRelocations;/重定位偏移DWORD PointerToLinenumbers;/行号表的偏移WORD NumberOfRelocations;/重定位项数目WORD NumberOfLinenumbers;/行号表中行号的数目DWORD Characteristics;/块属性 /输入表结构typedef struct _IMAGE_IMPORT_DESCRIPTOR union DWORD Characteristics; / 0 for terminating nullimport descriptorDWORD OriginalFirs
12、tThunk; / RVA to original unbound IAT (PIMAGE_THUNK_DATA);DWORD TimeDateStamp; / 0 if not bound,/ -1 if bound, and real datetime stamp/ in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)/ O.W. date/time stamp of DLL bound to (Old BIND)DWORD ForwarderChain; / -1 if no forwardersDWORD Name;DWORD FirstTh
13、unk; / RVA to IAT (if bound this IAT has actual addresses) /输出表结构typedef struct _IMAGE_EXPORT_DIRECTORY DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;DWORD Name;DWORD Base;DWORD NumberOfFunctions;DWORD NumberOfNames;DWORD AddressOfFunctions; / RVA from base of imageDWORD AddressOfNames; / RVA from base of imageDWORD AddressOfNameOrdinals; / RVA from base of image
