PE file format detailed (four)

zhaozj 2021-02-16

PE file sections

The PE file specification consists of the headers described so far and a generic object called a "section". Sections contain the contents of the file, including code, data, resources, and other executable information. Each section has a header and a body (the raw data). Section headers are described below, but section bodies lack a strict file structure. They can therefore be organized in almost any way, as long as the header is filled in with enough information to interpret the data.

Section headers

In the PE file format, the section headers are located immediately after the optional header. Each section header is 40 bytes long, with no padding between them. A section header is defined by the following structure:

WINNT.H

    #define IMAGE_SIZEOF_SHORT_NAME 8

    typedef struct _IMAGE_SECTION_HEADER {
        UCHAR  Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            ULONG PhysicalAddress;
            ULONG VirtualSize;
        } Misc;
        ULONG  VirtualAddress;
        ULONG  SizeOfRawData;
        ULONG  PointerToRawData;
        ULONG  PointerToRelocations;
        ULONG  PointerToLinenumbers;
        USHORT NumberOfRelocations;
        USHORT NumberOfLinenumbers;
        ULONG  Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

How do you get the header information for a specific section? Since the section headers are stored contiguously in no specific order, a section header must be located by name. The following function shows how to retrieve a section header from a PE image file, given the name of the section:

PEFILE.C

    /* Requires <windows.h> and <string.h>. NumOfSections and SECHDROFFSET
       are not defined in this part. */
    BOOL WINAPI GetSectionHdrByName (LPVOID lpFile, IMAGE_SECTION_HEADER *sh, char *szSection)
    {
        PIMAGE_SECTION_HEADER psh;
        int nSections = NumOfSections (lpFile);
        int i;

        if ((psh = (PIMAGE_SECTION_HEADER)SECHDROFFSET (lpFile)) != NULL)
        {
            /* find the section by name */
            for (i = 0; i < nSections; i++)
            {
                /* Name has no terminating NUL when it fills all 8 bytes,
                   so the comparison is bounded to the field size */
                if (!strncmp ((char *)psh->Name, szSection, IMAGE_SIZEOF_SHORT_NAME))
                {
                    /* copy data to header */
                    CopyMemory ((LPVOID)sh, (LPVOID)psh, sizeof (IMAGE_SECTION_HEADER));
                    return TRUE;
                }
                else
                    psh++;
            }
        }
        return FALSE;
    }

The function locates the first section header via the SECHDROFFSET macro. It then loops through all the sections, comparing each section's name with the name being searched for, until it finds the right one. When the section is found, the function copies the data from the memory-mapped image file into the structure passed in to the function, and the fields of the IMAGE_SECTION_HEADER structure can then be accessed directly.

Section header fields

· Name. Each section header has an 8-character name field, and the first character must be a period.
· PhysicalAddress or VirtualSize. The second field is a union and is currently not used.
· VirtualAddress. This field identifies the virtual address at which to load this section in the process address space. The actual address is obtained by adding the value of this field to the ImageBase virtual address in the optional header structure. Remember that if the image file is a DLL, the DLL may not be loaded at the ImageBase address. So once the file is loaded into a process, the actual ImageBase value should be checked by using GetModuleHandle.
· SizeOfRawData. This field gives the size of the section body relative to FileAlignment. The actual size of the section body in the file will be less than or equal to a multiple of FileAlignment. Once the image is loaded into the address space of a process, the size of the section body becomes less than or equal to a multiple of FileAlignment.
· PointerToRawData. This is the offset, within the file, of the section body.
· PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers. These fields are not used in the PE format.
· Characteristics. Defines the characteristics of the section. These values can be found in WINNT.H and in the PE format specification on this disc (translator's note: MSDN).

    Value        Definition
    0x00000020   Code section
    0x00000040   Initialized data section
    0x00000080   Uninitialized data section
    0x04000000   Section data cannot be cached
    0x08000000   Section is not pageable
    0x10000000   Shared section
    0x20000000   Executable section
    0x40000000   Readable section
    0x80000000   Writable section
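A bounds-checked version of the lookup by name for files that are not trusted, given here as an added example and not as code from the original article or PEFILE.C. The names find_section_hdr and make_sample are hypothetical, the image is constructed, and the offsets used to reach the section table (e_lfanew at 0x3C, then a 4-byte signature and a 20-byte file header) are taken from the PE format rather than from this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SHORT_NAME  8   /* IMAGE_SIZEOF_SHORT_NAME */
#define SECHDR_SIZE 40  /* one section header, no padding */

/* Little-endian readers: file bytes are never cast to structs. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Hypothetical helper: file offset of the named section header,
   or 0 if the image is malformed or has no such section. */
size_t find_section_hdr(const uint8_t *f, size_t len, const char *name)
{
    char want[SHORT_NAME] = {0};
    size_t n = strlen(name);
    if (n > SHORT_NAME || len < 0x40) return 0;
    memcpy(want, name, n);                        /* NUL-padded to 8 bytes */
    uint32_t pe = rd32(f + 0x3C);                 /* e_lfanew */
    if (pe > len || len - pe < 24) return 0;      /* signature + file header */
    if (memcmp(f + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec  = rd16(f + pe + 6);            /* NumberOfSections */
    uint16_t optsz = rd16(f + pe + 20);           /* SizeOfOptionalHeader */
    size_t rest = len - pe - 24;
    if (optsz > rest || (rest - optsz) / SECHDR_SIZE < nsec) return 0;
    size_t tbl = (size_t)pe + 24 + optsz;         /* first section header */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = f + tbl + (size_t)i * SECHDR_SIZE;
        if (memcmp(sh, want, SHORT_NAME) != 0) continue; /* fixed 8-byte compare */
        uint32_t rawsz = rd32(sh + 16), rawptr = rd32(sh + 20);
        if (rawptr > len || rawsz > len - rawptr) return 0; /* body outside file */
        return (size_t)(sh - f);
    }
    return 0;
}

/* Constructed sample: a 0x200-byte image with two section headers. */
void make_sample(uint8_t *b)
{
    memset(b, 0, 0x200);
    b[0x3C] = 0x40; memcpy(b + 0x40, "PE\0\0", 4);
    b[0x46] = 2; b[0x54] = 0xE0;            /* 2 sections, 0xE0-byte optional header */
    memcpy(b + 0x138, ".textbss", 8);       /* name fills all 8 bytes, no NUL */
    b[0x140] = 0x10;                        /* Misc.VirtualSize, nonzero */
    memcpy(b + 0x160, ".text", 5);
    b[0x170] = 0x20; b[0x174] = 0xC0; b[0x175] = 0x01; /* 0x20 raw bytes at 0x1C0 */
}
```

A header whose SizeOfRawData or PointerToRawData points past the end of the file is rejected instead of being returned to the caller.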

Positioning data directory
