PE file format detailed (1)

zhaozj2021-02-16  51

Summary

Windows NT 3.1 introduces a new executable file format called PE file format. The specification in the PE file format is included in the MSDN's CD (Specs and Strategy, Specifications, Windows NT File Format Specifications, but it is very embarrassed. However, this document does not provide enough information, so developers can't understand the PE format well. This article is intended to solve this problem, which makes a very thorough explanation for the entire PE file format, in addition, this article also has a description of all necessary structures and an exemplary example of how to use this information. In order to get important information contained in the PE file, I have written a dynamic link library called PeFile.dll, and all the source code examples in this article are also taken here. This DLL and its source code are included in the CD as part of the PEFILE sample program (the illustration: sample program is looking for in MSDN), you can use this DLL in your own application; look, you can also You are willing to use and build its source code. At the end of this article, you will find the PEFILE.DLL function export list and one how to use them. I think you will find that these functions will make you calm down the PE file format.

Introduction

The recent increased Windows NT of the Windows operating system family has brought great changes to the development environment and the application itself, which is the most important as the PE file format. The new PE file format is mainly from the COFF specification common to the UNIX operating system, and in order to ensure compatibility with the old version MS-DOS and Windows operating systems, the PE file format also retains the familiar MZ head in MS-DOS. In this article, the PE file format is interpreted in the top of the top. This article will discuss each component of the PE file in detail in the process of studying the content of the document from the beginning. Many separate file ingredients are derived from Winnt.h files in the Microsoft Win32 SDK development package, which in this file you will find struct type definitions used to describe various components such as file headers and data directories. However, lack of sufficient definitions on the PE file structure in Winnt.h, in which case I define my own structure to access file data. You will find the definition of these structures in Pefile.dll project, and the entire PEFILE.H development file is included in the PEFILE sample program. In addition to the PEFILE.DLL sample code, this article has a separate Win32 sample application named ExeView.exe. Create this example, first: First, I need to test the function of pefile.dll, and some cases require me to view multiple files at the same time; secondly, many of the works of the PE file format are related to the direct viewing data. For example, to figure out how imported address name tables, I have to view .idata segment header, import image data directory, optional head, and current .idata segment entity, and exeview.exe is to view this information. Best example. Gossip less, let's get started.

PE file structure

The PE file format is organized as a linear data stream, which is started by a MS-DOS header, then one is a mode residual and a PE file mark, which follows the PE file header and optional head. These are followed by all the heads, and the section is followed by all of the entities. The end of the file is some other area, which is some mixed information, including the redistribution information, the symbolic table information, line number information, and the string table data. I am listed in Figure 1.

转载请注明原文地址:https://www.9cbs.com/read-22552.html

New Post(0)