📄 29a-7.023
linker.
OPTIONAL HDR SIZE :Size of the optional header
FLAGS :Flag bits for the image.
Flag Definition
0000h Program image
00001h (IMAGE_FILE_RELOCS_STRIPPED) Image only, Windows CE,
NT and above. Indicates that the file does not
contain base relocations and must therefore be loaded
at its preferred base address. If the base address is
not available, the loader reports an error. Operating
systems running on top of MS-DOS (Win32s) are
generally not able to use the preferred base address
and so cannot run these images. However, beginning
with version 4.0, Windows will use an application's
preferred base address. The default behavior of the
linker is to strip base relocations from EXEs.
00002h Image is executable.
00004h COFF line numbers have been removed.
00008h COFF symbol table entries for local symbols have been
removed.
00010h Aggressively trim working set.
00020h App can handle > 2gb addresses.
00040h Use of this flag is reserved for future use.
00080h Little endian: LSB precedes MSB in memory.
00100h 32 bit word machine. (win32 environment)
00200h Debugging information removed from image file.
00400h If image is on removable media, copy and run from swap
file.
01000h The image file is a system file, not a user program.
02000h Library image (.DLL)
04000h File should be run only on a UP machine.
08000h Big endian: MSB precedes LSB in memory.
If you find the flag 0102h, it means 0100h+0002h ...
NOW we know (look at the old DOS header) that the new header begins at offset 70h.
So take a look at our hello.exe file at offset 70h:
Physical
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000070 50 45 00 00 4C 01 04 00 74 93 5D 3D 00 00 00 00 PE..............
00000080 00 00 00 00 E0 00 02 01 ................
-At offset 70h we see the value "PE",0,0, so here is the beginning of
the PE header.
-At offset 74h is the word 014Ch (reverse the bytes), so an Intel 80386 PC is
needed to run this file.
-At offset 76h is the word 0004h, so there are 4 sections described in the
object table.
-At offset 84h is the size of the optional header (00E0h).
-At offset 86h is the flag for the image: 0102h (0100h+0002h).
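The same walk-through as a small parser, added here as an example (it is not code from the original article). It assumes the pointer to the new header is the dword at offset 3Ch of the DOS header; the DOS header bytes are constructed, the 24 PE header bytes are the ones from the dump above, and the name `parse_pe_header` is hypothetical.

```python
import struct

# FLAGS bits and their meanings, shortened from the table above.
FLAGS = {
    0x0001: "relocations stripped",   0x0002: "executable",
    0x0004: "line numbers removed",   0x0008: "local symbols removed",
    0x0010: "trim working set",       0x0020: "handles >2GB addresses",
    0x0080: "little endian",          0x0100: "32-bit word machine",
    0x0200: "debug info removed",     0x0400: "run from swap if removable",
    0x1000: "system file",            0x2000: "DLL",
    0x4000: "UP machine only",        0x8000: "big endian",
}
KNOWN = sum(FLAGS)  # every bit named above; 0040h (reserved) and 0800h are not

def parse_pe_header(data):
    """Decode the 24-byte PE header; raise ValueError on a malformed file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # new-header pointer
    if pe_off + 24 > len(data):
        raise ValueError("PE header offset lies outside the file")
    sig, machine, nsect, _stamp, _symtab, _nsyms, opt_size, flags = \
        struct.unpack_from("<4sHHIIIHH", data, pe_off)
    if sig != b"PE\0\0":
        raise ValueError("bad PE signature")
    return {
        "offset": pe_off, "machine": machine, "sections": nsect,
        "opt_hdr_size": opt_size,
        "flags": [name for bit, name in sorted(FLAGS.items()) if flags & bit],
        "unknown_flag_bits": flags & ~KNOWN,
    }

# Constructed DOS header: only "MZ" and the pointer at 3Ch (70h) are filled in.
DOS = bytearray(0x70)
DOS[:2] = b"MZ"
struct.pack_into("<I", DOS, 0x3C, 0x70)
# The 24 bytes of hello.exe shown in the dump above (offsets 70h..87h).
SAMPLE = bytes(DOS) + bytes.fromhex(
    "50450000 4C01 0400 74935D3D 00000000 00000000 E000 0201")

if __name__ == "__main__":
    print(parse_pe_header(SAMPLE))
```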
**********************
* PE OPTIONAL HEADER *
**********************
Before showing you the structure of the PE OPTIONAL HEADER, I will say a few
words about the notions of IMAGE BASE and Relative Virtual Address (RVA).
It is very simple but very important in the WIN32 environment: the IMAGE BASE
is the address at which the file is loaded by the loader, so at this address
we will find the beginning of the file (old MZ DOS HEADER).
An RVA is in fact a distance from the image base (from the beginning of the
image of the file). For example, if a file has 00400000h for IMAGE BASE and
its first section has an RVA of 001000h, then this section will be loaded at
this address: 00400000h + 00001000h (IMAGE BASE+RVA). CLEAR?
The PE OPTIONAL HEADER is placed just after the PE HEADER. There are a lot of
very important fields in it, for the loader and for us! I still don't know why
it is called 'OPTIONAL'.
The PE OPTIONAL HEADER (PE32 only) looks like:
 <---WORD--->              <---------DWORD--------->
+------------+------------+------------+------------+
| SIGNATURE? |   LMAJOR   |   LMINOR   |  RESERVED  |
+------------+------------+------------+------------+
|        RESERVED         |        RESERVED         |
+-------------------------+-------------------------+
|     ENTRYPOINT RVA      |        RESERVED         |
+-------------------------+-------------------------+
|        RESERVED         |       IMAGE BASE        |
+-------------------------+-------------------------+
|      OBJECT ALIGN       |       FILE ALIGN        |
+-------------------------+-------------------------+
|  OS MAJOR  |  OS MINOR  | USER MAJOR | USER MINOR |
+------------+------------+------------+------------+
| SUBSYS MAJ | SUBSYS MIN |        RESERVED         |
+------------+------------+-------------------------+
|       IMAGE SIZE        |       HEADER SIZE       |
+-------------------------+------------+------------+
|      FILE CHECKSUM      | SUBSYSTEM  | DLL FLAGS  |
+-------------------------+------------+------------+
|   STACK RESERVE SIZE    |    STACK COMMIT SIZE    |
+-------------------------+-------------------------+
|    HEAP RESERVE SIZE    |    HEAP COMMIT SIZE     |
+-------------------------+-------------------------+
|        RESERVED         |       # RVA/SIZES       |
+-------------------------+-------------------------+
|    EXPORT TABLE RVA     | TOTAL EXPORT DATA SIZE  |
+-------------------------+-------------------------+
|    IMPORT TABLE RVA     | TOTAL IMPORT DATA SIZE  |
+-------------------------+-------------------------+
|   RESOURCE TABLE RVA    | TOTAL RESOURCE DATA SIZE|
+-------------------------+-------------------------+
|   EXCEPTION TABLE RVA   |TOTAL EXCEPTION DATA SIZE|
+-------------------------+-------------------------+
|   SECURITY TABLE RVA    |TOTAL SECURITY DATA SIZE |
+-------------------------+-------------------------+
|     FIXUP TABLE RVA     |  TOTAL FIXUP DATA SIZE  |
+-------------------------+-------------------------+
|     DEBUG TABLE RVA     | TOTAL DEBUG DIRECTORIES |
+-------------------------+-------------------------+
|  IMAGE DESCRIPTION RVA  | TOTAL DESCRIPTION SIZE  |
+-------------------------+-------------------------+
|  MACHINE SPECIFIC RVA   |  MACHINE SPECIFIC SIZE  |
+-------------------------+-------------------------+
| THREAD LOCAL STORAGE RVA|     TOTAL TLS SIZE      |
+-------------------------+-------------------------+
SIGNATURE? : The Optional Header's Magic number determines
whether an image is a PE32 or PE32+ executable:
- 0x10b for PE32 (010bh)
- 0x20b for PE32+ (020bh)
PE32+ images allow for a 64-bit address space while
limiting the image size to 4 Gigabytes (code in
64 bits). Other PE32+ modifications are addressed in
their respective sections. (In WIN9X, NT, 2000, ME
you will find only PE32, but in XP you find
PE32+... it's not really different; download the PE
file format documentation on the micro$oft web site.)
LMAJOR/LMINOR : The major/minor version number of the linker.
ENTRYPOINT RVA : Entrypoint relative virtual address. The address is
relative to the Image Base. This address is the
starting address for the program.
IMAGE BASE : The virtual base of the image. This will be the
virtual address of the first byte of the file
(DOS Header). This must be a multiple of 64K.
(The file is loaded at this address in memory)
OBJECT ALIGN : The alignment of the objects. This must be a power
of 2 between 200h and 256M inclusive. The default is
1000h. All sections of the file will be loaded at an
offset which is a power of OBJECT ALIGN dword.
FILE ALIGN : Alignment factor used to align image pages. All
sections of the file are written at an offset which
is a power of FILE ALIGN dword. Larger alignment
factors will cost more file space. Smaller alignment
factors will impact demand load performance, perhaps
significantly. Of the two, wasting file space is
preferable. This value should be a power of 2
between 200h and 64K inclusive.
OS MAJOR/OS MINOR : The OS version number required to run this image.
USER MAJOR/MINOR : User major/minor version number. This is useful for
differentiating between revisions of images/dynamic
linked libraries. The values are specified at link
time by the user.
SUBSYS MAJ/MIN : Subsystem major/minor version number.
IMAGE SIZE : The virtual size (in bytes) of the image. This
includes all headers. The total image size must be a
multiple of Object Align.
HEADER SIZE : Total header size. The combined size of the old DOS
Header, PE Header, PE Optional Header and Object
Table.
FILE CHECKSUM : Checksum for entire file. Set to zero by the linker.
SUBSYSTEM : Subsystem required to run this image. The values
are:
0000h - Unknown
0001h - Used for device drivers and native Windows
NT processes.
0002h - Image runs in the Windows graphical user
interface (GUI) subsystem.
0003h - Image runs in the Windows character
subsystem.
0005h - OS/2 Character
0007h - POSIX Character
0008h - Image is a native Win9x driver.
0009h - Windows CE subsystem.
0010h - Image is an EFI application.
0011h - Image is an EFI driver that provides boot
services
0012h - Image is an EFI driver that provides runtime
services.
DLL FLAGS : Indicates special loader requirements. This flag has
the following bit values:
00001h - Per-Process Library Initialization
00002h - Per-Process Library Termination
00004h - Per-Thread Library Initialization
00008h - Per-Thread Library Termination
00800h - Do not bind image
02000h - Driver is a WDM Driver
08000h - Image is Terminal Server aware
All other bits are reserved for future
use and should be set to zero.
STACK RESERVE SIZE : Stack size needed for image. The memory is reserved,
but only the Stack Commit Size is committed. The
next page of the stack is a 'guarded page.' When the
application hits the guarded page, the guarded page
becomes valid, and the next page becomes the guarded
page. This continues until the Reserve Size is
reached.
STACK COMMIT SIZE : Stack commit size.
HEAP RESERVE SIZE : Size of local heap to reserve.
HEAP COMMIT SIZE : Amount to commit in local heap.
# RVA/SIZES : Indicates the size of the RVA/Size array that
follows.
EXPORT TABLE RVA : RVA of the Export Table.
TOTAL EXPORT DATA SIZE : Total size of the export data.
IMPORT TABLE RVA : RVA of the Import Table. This address is relative to
the Image Base.
TOTAL IMPORT DATA SIZE : Total size of the import data.
RESOURCE TABLE RVA : RVA of the Resource Table.
TOTAL RESOURCE DATA SIZE : Total size of the resource data.
EXCEPTION TABLE RVA : RVA of the Exception Table.
TOTAL EXCEPTION DATA SIZE : Total size of the exception data.
SECURITY TABLE RVA : RVA of the Security Table.
TOTAL SECURITY DATA SIZE : Total size of the security data.
FIXUP TABLE RVA : RVA of the Fixup Table.
TOTAL FIXUP DATA SIZE : Total size of the fixup data.
DEBUG TABLE RVA : RVA of the Debug Table.
TOTAL DEBUG DIRECTORIES : Total number of debug directories.
IMAGE DESCRIPTION RVA : RVA of the description string specified in the
module definition file.
TOTAL DESCRIPTION SIZE : Total size of the description data.
MACHINE SPECIFIC RVA : RVA of a machine-specific value.
MACHINE SPECIFIC SIZE : A machine-specific value.
THREAD LOCAL STORAGE RVA : RVA of the thread local storage.
TOTAL TLS SIZE : Total size of the thread local storage.
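A checker for the rules stated in the field descriptions above, added here as an example (not code from the original article). It assumes the standard PE32 field order, whose fixed part is 96 bytes; the sample header is constructed, the names are hypothetical, and the last test (OPTIONAL HDR SIZE against # RVA/SIZES) is a consistency check added by the example, not a rule from the text.

```python
import struct

OPT_FMT = "<HBB9I6H4I2H6I"          # PE32 fixed part, little endian
FIXED = struct.calcsize(OPT_FMT)    # 96 bytes; RVA/size pairs follow

def is_pow2(n):
    return n > 0 and n & (n - 1) == 0

def check_optional_header(raw, declared_size):
    """Return the list of rules from the field descriptions that are broken."""
    if len(raw) < FIXED:
        return ["optional header truncated"]
    f = struct.unpack_from(OPT_FMT, raw)
    magic, image_base, obj_align, file_align = f[0], f[9], f[10], f[11]
    image_size, n_dirs = f[19], f[29]
    if magic != 0x10B:
        return ["SIGNATURE is %04Xh, not PE32 (010Bh); not handled" % magic]
    bad = []
    if image_base % 0x10000:
        bad.append("IMAGE BASE not a multiple of 64K")
    if not (is_pow2(obj_align) and 0x200 <= obj_align <= 0x10000000):
        bad.append("OBJECT ALIGN not a power of 2 in 200h..256M")
    if not (is_pow2(file_align) and 0x200 <= file_align <= 0x10000):
        bad.append("FILE ALIGN not a power of 2 in 200h..64K")
    if obj_align and image_size % obj_align:
        bad.append("IMAGE SIZE not a multiple of OBJECT ALIGN")
    if declared_size != FIXED + 8 * n_dirs:   # added cross-check, see lead-in
        bad.append("OPTIONAL HDR SIZE does not match # RVA/SIZES")
    return bad

def build(image_base=0x400000, obj_align=0x1000, file_align=0x200,
          image_size=0x5000, n_dirs=16):
    """Constructed sample header; every field not named here is zero."""
    f = [0] * 30
    f[0], f[9], f[10], f[11], f[19], f[29] = (
        0x10B, image_base, obj_align, file_align, image_size, n_dirs)
    return struct.pack(OPT_FMT, *f)

if __name__ == "__main__":
    print(check_optional_header(build(), 0xE0))
    print(check_optional_header(
        build(image_base=0x401000, image_size=0x4800), 0xE0))
```

With 16 RVA/size pairs the expected size is 96 + 16*8 = 00E0h, the value read from hello.exe at offset 84h.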