PE file format in detail (3)

zhaozj2021-02-16  56

PE Optional Header

The next 224 bytes of the executable make up the PE optional header. Despite the name, be sure of this: the header is not "optional" but "essential". The OPTHDROFFSET macro returns a pointer to the optional header:

PEFILE.H
/* Skip the MS-DOS header (e_lfanew gives its length), the 4-byte NT signature
   and the PE file header; the optional header follows immediately. */
#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE + sizeof(IMAGE_FILE_HEADER)))

The optional header contains much important information about the executable image, such as the initial stack size, the location of the program entry point, the preferred base address, the operating system version and section alignment information. The IMAGE_OPTIONAL_HEADER structure is as follows:

WINNT.H
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields
    //
    USHORT Magic;
    UCHAR  MajorLinkerVersion;
    UCHAR  MinorLinkerVersion;
    ULONG  SizeOfCode;
    ULONG  SizeOfInitializedData;
    ULONG  SizeOfUninitializedData;
    ULONG  AddressOfEntryPoint;
    ULONG  BaseOfCode;
    ULONG  BaseOfData;
    //
    // NT additional fields
    //
    ULONG  ImageBase;
    ULONG  SectionAlignment;
    ULONG  FileAlignment;
    USHORT MajorOperatingSystemVersion;
    USHORT MinorOperatingSystemVersion;
    USHORT MajorImageVersion;
    USHORT MinorImageVersion;
    USHORT MajorSubsystemVersion;
    USHORT MinorSubsystemVersion;
    ULONG  Reserved1;
    ULONG  SizeOfImage;
    ULONG  SizeOfHeaders;
    ULONG  CheckSum;
    USHORT Subsystem;
    USHORT DllCharacteristics;
    ULONG  SizeOfStackReserve;
    ULONG  SizeOfStackCommit;
    ULONG  SizeOfHeapReserve;
    ULONG  SizeOfHeapCommit;
    ULONG  LoaderFlags;
    ULONG  NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

As you can see, the list of fields in this structure is long. To spare you all of them, I will discuss only the useful ones, where "useful" means useful for exploring the PE file format.

Standard fields

First, note that this structure is divided into "standard fields" and "NT additional fields". The so-called standard fields are the part the format has in common with the COFF format of UNIX executables. Although the standard fields keep the names defined in COFF, Windows NT uses them for somewhat different purposes, whatever the names say.

· Magic. I don't know what this field is for. In the ExeView.exe sample program, this value is 0x010b, or 267 decimal. (Translator's note: 0x010b denotes an .exe image and 0x0107 a ROM image; I took this from eXeScope.)
· MajorLinkerVersion, MinorLinkerVersion. The version of the linker that linked this image. The linker that ships with the Windows NT SDK for Windows NT build 438 is version 2.39 (hexadecimal 2.27).
· SizeOfCode. The size of the executable code.
· SizeOfInitializedData. The size of the initialized data.
· SizeOfUninitializedData. The size of the uninitialized data.
· AddressOfEntryPoint. Of the standard fields, AddressOfEntryPoint is the most interesting one for the PE file format. It gives the location of the application's entry point. Also, for system hackers, this location marks the end of the import address table (IAT). The following function shows how to obtain the entry point of a Windows NT executable image from the optional header.

PEFILE.C
LPVOID WINAPI GetModuleEntryPoint(LPVOID lpFile)
{
    PIMAGE_OPTIONAL_HEADER poh;

    /* Locate the optional header inside the mapped file */
    poh = (PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(lpFile);
    if (poh != NULL)
        return (LPVOID)poh->AddressOfEntryPoint;   /* relative offset of the entry point */
    else
        return NULL;
}

· BaseOfCode. The relative offset of the code (the ".text" section) in the loaded image.
· BaseOfData. The relative offset of the uninitialized data (the ".bss" section) in the loaded image.

Windows NT additional fields

The additional fields were added to the Windows NT PE file format to give the loader support for process behaviour specific to Windows NT. The following is an overview of these fields.

· ImageBase. The preferred base address in the address space of the process. The Microsoft Win32 SDK linker for Windows NT sets this value to 0x00400000, but you can change it with the -base: linker switch.
· SectionAlignment. Starting at ImageBase, each section is loaded in turn into the address space of the process. SectionAlignment specifies the minimum amount of space a section can occupy when loaded, meaning that sections are aligned on SectionAlignment boundaries. The Windows NT virtual memory manager requires that the section alignment be no less than the page size (currently 4096 bytes on the x86 platform) and that it be a multiple of the page size. 4096 bytes is the default for the x86 linker, but it can be set with the -align: linker switch.
· FileAlignment. The minimum granularity of the chunks of information in the image file. For example, the linker pads a section body (the section's raw data) out to the nearest FileAlignment boundary in the file. The version 2.39 linker mentioned earlier aligns the image file on 0x200-byte boundaries; this can be set to anywhere from 512 to 65535 bytes.
· MajorOperatingSystemVersion. The major version number of the Windows NT operating system; for Windows NT 1.0 this value is usually set to 1.
· MinorOperatingSystemVersion. The minor version number of the Windows NT operating system; for Windows NT 1.0 this value is usually set to 0.
· MajorImageVersion. The major version number of the application; for Microsoft Excel 4.0 this value is 4.
· MinorImageVersion. The minor version number of the application; for Microsoft Excel 4.0 this value is 0.
· MajorSubsystemVersion. The major version number of the Windows NT Win32 subsystem; for Windows NT 3.10 this value is usually set to 3.
· MinorSubsystemVersion. The minor version number of the Windows NT Win32 subsystem; for Windows NT 3.10 this value is usually set to 10.
· Reserved1. Unknown purpose; normally not used by the system and set to 0 by the linker.
· SizeOfImage. The amount of address space to reserve in the process address space for the loaded executable image. This number is strongly affected by SectionAlignment. For example, consider a system with a fixed page size of 4096 bytes. If you have an executable with 11 sections, each less than 4096 bytes, aligned on 65536-byte boundaries, the SizeOfImage field will be set to 11 * 65536 = 720896 (176 pages). If the same file is aligned on 4096-byte boundaries, the result is 11 * 4096 = 45056 (11 pages). This is only a simple example, showing the case where each section needs less than one page of memory. In reality, the linker determines the SizeOfImage value by working out each section individually: it first determines how many bytes each section needs, rounds that up to the nearest SectionAlignment boundary, and then takes the sum of the individual requirements as the total.
· SizeOfHeaders. How much space in the file is used to hold all the file headers, including the MS-DOS header, the PE file header, the PE optional header and the PE section headers. The section bodies in the file begin at this position.
· CheckSum. A checksum used to validate the executable at load time; it is set and checked by the linker. Since the algorithm used to create these checksums is proprietary information, it is not discussed here.
· Subsystem. Identifies the target subsystem of the executable. Each possible subsystem value is listed after the IMAGE_OPTIONAL_HEADER structure in WINNT.H.
· DllCharacteristics. Flags indicating whether a DLL image includes entry points for process and thread initialization and termination.
· SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit. These fields control how much address space is reserved and committed for the stack and the default heap. By default, the stack and the heap each have a commit value of one page and a reserve value of 16 pages. These values can be set with the linker switches -stacksize: and -heapsize:.
· LoaderFlags. Tells the loader whether to break on load, debug on load, or, by default, run normally.
· NumberOfRvaAndSizes. This field identifies the length of the DataDirectory array that follows. Note that it gives the size of the array, not the number of valid entries in it; this is very important.
· DataDirectory. The data directory gives the locations of the other executable information in the file. It is actually an array of IMAGE_DATA_DIRECTORY structures located at the end of the optional header structure. The current PE file format defines 16 possible data directories, 11 of which are now in use.

Data directory
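As an added worked example (not code from the original article, PEFILE.C or WINNT.H), the following C program ties together the header-location arithmetic behind OPTHDROFFSET and the SizeOfImage rule described under the Windows NT additional fields. It re-declares the header layouts under shortened, hypothetical type names so that it builds without windows.h, locates the optional header with every offset checked against the buffer length, recomputes SizeOfImage from the section table, and checks the header for internal consistency. The input is a constructed 32-bit image skeleton with 11 sections of under 4096 bytes each, i.e. the page's own example; because the headers themselves occupy the first aligned block, the result is 12 × SectionAlignment rather than the simplified 11 × SectionAlignment figure given above (786432 bytes at 65536-byte alignment, 49152 at 4096).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-declarations of the WINNT.H layouts described on this page, so the example
 * compiles without windows.h: IMAGE_DOS_HEADER (64 bytes), IMAGE_FILE_HEADER (20 bytes), the 32-bit
 * IMAGE_OPTIONAL_HEADER (224 bytes) and IMAGE_SECTION_HEADER (40 bytes). Type names are shortened. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t unused[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
                 uint16_t SizeOfOptionalHeader, Characteristics; } FileHeader;
typedef struct {
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData;
    uint32_t ImageBase, SectionAlignment, FileAlignment;
    uint16_t MajorOSVersion, MinorOSVersion, MajorImageVersion, MinorImageVersion, MajorSubsysVersion, MinorSubsysVersion;
    uint32_t Reserved1, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllCharacteristics;
    uint32_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit, LoaderFlags, NumberOfRvaAndSizes;
    struct { uint32_t VirtualAddress, Size; } DataDirectory[16];
} OptionalHeader32;
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
                 PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics; } SectionHeader;
#pragma pack(pop)

static uint32_t align_up(uint32_t v, uint32_t a) { return a ? (v + a - 1) / a * a : v; }

/* Bounds-checked counterpart of OPTHDROFFSET: each offset is validated against the buffer length
 * before it is dereferenced, so a corrupt e_lfanew or a truncated file yields NULL, not a wild pointer. */
const OptionalHeader32 *opt_header(const uint8_t *buf, size_t len) {
    if (len < sizeof(DosHeader)) return NULL;
    const DosHeader *dos = (const DosHeader *)buf;
    if (dos->e_magic != 0x5A4D) return NULL;                                  /* "MZ" */
    uint32_t off = dos->e_lfanew;
    if (off > len || len - off < 4 + sizeof(FileHeader) + sizeof(OptionalHeader32)) return NULL;
    if (memcmp(buf + off, "PE\0\0", 4) != 0) return NULL;                      /* NT signature */
    const FileHeader *fh = (const FileHeader *)(buf + off + 4);
    if (fh->SizeOfOptionalHeader < sizeof(OptionalHeader32)) return NULL;
    const OptionalHeader32 *oh = (const OptionalHeader32 *)((const uint8_t *)fh + sizeof(FileHeader));
    return oh->Magic == 0x010B ? oh : NULL;                                   /* 32-bit executable image */
}

/* Recomputes SizeOfImage the way the page says the linker does: the headers plus every section's
 * VirtualSize, each rounded up to SectionAlignment. Returns 0 if the section table does not fit. */
uint32_t expected_size_of_image(const uint8_t *buf, size_t len) {
    const OptionalHeader32 *oh = opt_header(buf, len);
    if (!oh) return 0;
    const FileHeader *fh = (const FileHeader *)((const uint8_t *)oh - sizeof(FileHeader));
    const uint8_t *tab = (const uint8_t *)oh + fh->SizeOfOptionalHeader;
    if ((size_t)(tab - buf) + (size_t)fh->NumberOfSections * sizeof(SectionHeader) > len) return 0;
    uint32_t total = align_up(oh->SizeOfHeaders, oh->SectionAlignment);
    for (unsigned i = 0; i < fh->NumberOfSections; i++)
        total += align_up(((const SectionHeader *)tab)[i].VirtualSize, oh->SectionAlignment);
    return total;
}

/* Consistency checks a loader-side tool would apply before trusting the header values. */
int header_is_sane(const uint8_t *buf, size_t len) {
    const OptionalHeader32 *oh = opt_header(buf, len);
    if (!oh) return 0;
    uint32_t sa = oh->SectionAlignment;
    if (sa == 0 || (sa & (sa - 1)) || sa < oh->FileAlignment) return 0;       /* power of two, >= FileAlignment */
    if (oh->SizeOfHeaders > len || oh->NumberOfRvaAndSizes > 16) return 0;
    if (oh->AddressOfEntryPoint >= oh->SizeOfImage) return 0;                 /* entry point inside the image */
    return expected_size_of_image(buf, len) == oh->SizeOfImage;
}

/* Constructed sample (not a real file): a 32-bit PE skeleton with nsect sections of under one page
 * each, like the 11-section example on the page. Returns the file length, 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t nsect, uint32_t section_alignment) {
    size_t need = sizeof(DosHeader) + 4 + sizeof(FileHeader) + sizeof(OptionalHeader32) + (size_t)nsect * sizeof(SectionHeader);
    size_t file_len = align_up((uint32_t)need, 0x200);                        /* headers padded to FileAlignment */
    if (file_len > cap) return 0;
    memset(buf, 0, cap);
    DosHeader *dos = (DosHeader *)buf;
    dos->e_magic = 0x5A4D; dos->e_lfanew = (uint32_t)sizeof(DosHeader);
    memcpy(buf + dos->e_lfanew, "PE\0\0", 4);
    FileHeader *fh = (FileHeader *)(buf + dos->e_lfanew + 4);
    fh->Machine = 0x014C; fh->NumberOfSections = nsect; fh->SizeOfOptionalHeader = (uint16_t)sizeof(OptionalHeader32);
    OptionalHeader32 *oh = (OptionalHeader32 *)((uint8_t *)fh + sizeof(FileHeader));
    oh->Magic = 0x010B; oh->ImageBase = 0x00400000; oh->SectionAlignment = section_alignment;
    oh->FileAlignment = 0x200; oh->SizeOfHeaders = (uint32_t)file_len; oh->NumberOfRvaAndSizes = 16;
    SectionHeader *sh = (SectionHeader *)((uint8_t *)oh + sizeof(OptionalHeader32));
    uint32_t rva = align_up(oh->SizeOfHeaders, section_alignment);
    for (uint16_t i = 0; i < nsect; i++) {
        sh[i].VirtualSize = 1000 + 100u * i;                                  /* each section < 4096 bytes */
        sh[i].VirtualAddress = rva;
        rva += section_alignment;
    }
    oh->AddressOfEntryPoint = sh[0].VirtualAddress + 0x10;
    oh->SizeOfImage = rva;
    return file_len;
}

int main(void) {
    static uint8_t img[1024];
    size_t n = build_sample(img, sizeof img, 11, 65536);
    printf("SizeOfImage=%lu sane=%d\n", (unsigned long)expected_size_of_image(img, n), header_is_sane(img, n));
    return 0;
}
```

Compile with any C99 compiler. A return of 0 from header_is_sane is the signal a loader-side or forensic tool would use to refuse an image whose headers do not fit the file or contradict one another, which is exactly the class of input the unchecked OPTHDROFFSET pointer arithmetic above would follow off the end of the mapping.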

Please credit the original source when reposting: https://www.9cbs.com/read-22550.html
