The PE file format has recently been fried to boil, because I am doing such a procedure, the sure is written out to share my own experience. PE header in two parts: 1: DOS 'MZ' HEADER 2: IMAGE_NT_HEADERS wherein IMAGE_NT_HEADERS included PE signature IMAGE_FILE_HEADER IMAGE_OPTIONAL_HEADER (containing Data Direcotry) followed by the file header Section Table (array of IMAGE_SECTION_HEADERs) windows as the DELPHI .Pad already defined: TIMAGENTHEADER; TIMAGENTHEADER; TIMAGENTHEADER; TIMAGESECTIONHEADER; {Size of Tim..der is $ 28} After the variable is defined, hold down CTRL to check the specific project, here I don't say much, this is also a lot of. Other TimageResourceDirectory, etc., but there is no definition in Delphi, see other information, I will give them the structure and brief description here: The following is the type of PEDUMP.EXE I wrote:
type PIMAGE_RESOURCE_DIRECTORY = ^ TImageResourceDirectory; _IMAGE_RESOURCE_DIRECTORY = packed record Characteristics: DWORD; TimeDateStamp: DWORD; MajorVersion: WORD; MinorVersion: WORD; NumberOfNamedEntries: WORD; NumberOfIdEntries: WORD; end; TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY; {} resource directory format specifier
PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^ TImageResourceDirectoryEntry; _IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record Name: DWORD; {NameOffset: 31, NameIsString: 1} // Id: WORD; OffsetToData: DWORD; {OffsetToDirectory: 31, DataIsDirectory: 1} end; TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY; {Resource Directory Format of entering point}
PIMAGE_RESOURCE_DIRECTORY_STRING = ^ TImageResourceDirectoryString; _IMAGE_RESOURCE_DIRECTORY_STRING = packed record Length: WORD; NameString: CHAR; end; TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING; {format described resource directory name}
PIMAGE_RESOURCE_DIR_STRING_U = ^ TImageResourceDirStringU; _IMAGE_RESOURCE_DIR_STRING_U = packed record Length: WORD; NameString: WCHAR; end; TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U; {format described resource directory name unicode forms} PIMAGE_RESOURCE_DATA_ENTRY = ^ TImageResourceDataEntry; _IMAGE_RESOURCE_DATA_ENTRY = packed record OffsetToData: DWORD; Size: DWORD CODEPAGE: DWORD; reserved: DWORD; END; TIMAGERESOURCEDATAENTRY = _IMAGE_RESOURCE_DATA_ENTRY; {Resource directory data entry point format description}
const image_resource_name_is_string = $ 80000000; {Test TimageResourceDirectoryEntry.Name is the highest to set up, is that the remaining 31 bit points to the offset of Image_Resource_Dir_String_u, otherwise the remaining 31 bit is an integer ID. } IMAGE_RESOURCE_DATA_IS_DIRECTORY = $ 80000000; {TImageResourceDirectoryEntry.OffsetToData for detecting whether to establish the highest, then the rest is further directed offset IMAGE_RESOURCE_DIRECTORY 31, 31 or the remaining description IMAGE_RESOURCE_DATA_ENTRY of offset points. }
{The following file attributes specific values Constant Description} {File Characteristics} IMAGE_FILE_RELOCS_STRIPPED = $ 0001;. // Relocation info stripped from file IMAGE_FILE_EXECUTABLE_IMAGE = $ 0002;. // File is executable (ie no unresolved externel references) IMAGE_FILE_LINE_NUMS_STRIPPED = $ 0004; // Line . nunbers stripped from file IMAGE_FILE_LOCAL_SYMS_STRIPPED = $ 0008;. // Local symbols stripped from file IMAGE_FILE_AGGRESIVE_WS_TRIM = $ 0010; // Agressively trim working set IMAGE_FILE_LARGE_ADDRESS_AWARE = $ 0020; // App can handle> 2gb addresses IMAGE_FILE_BYTES_REVERSED_LO = $ 0080; // Bytes of machine word are . reversed IMAGE_FILE_32BIT_MACHINE = $ 0100;. // 32 bit word machine IMAGE_FILE_DEBUG_STRIPPED = $ 0200; // Debugging info stripped from file in .DBG file IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = $ 0400; // If Image is on removable media, copy and run from the swap file IMAGE_FILE_NET_RUN_FROM_SWAP. = $ 0800; // If Image is on Net, copy and run from the swap file IMAGE_FILE_SYSTEM = $ 1000;.. // System File IMAGE_FILE_DLL = $ 2000; // File is a DLL IMAGE_FILE_UP_SYSTEM_ONLY = $ 4000;. // File should only be run on A UP Machine Image_File_Bytes_Revesed_hi = $ 8000; // bytes of Machine Word Are Reverse.
{The following is a detailed description header machine attribute value} {Machine} IMAGE_FILE_MACHINE_UNKNOWN = $ 0; IMAGE_FILE_MACHINE_I386 = $ 014c; // Intel 386. IMAGE_FILE_MACHINE_R3000 = $ 0162; // MIPS little-endian, $ 160 big-endian IMAGE_FILE_MACHINE_R4000 = $ 0166; // MIPS little-endian IMAGE_FILE_MACHINE_R10000 = $ 0168; // MIPS little-endian IMAGE_FILE_MACHINE_WCEMIPSV2 = $ 0169; // MIPS little-endian WCE v2 IMAGE_FILE_MACHINE_ALPHA = $ 0184; // Alpha_AXP IMAGE_FILE_MACHINE_SH3 = $ 01a2; // SH3 little-endian IMAGE_FILE_MACHINE_SH3E = $ 01a4; / / SH3E little-endian IMAGE_FILE_MACHINE_SH4 = $ 01a6; // SH4 little-endian IMAGE_FILE_MACHINE_SH5 = $ 01a8; // SH5 IMAGE_FILE_MACHINE_ARM = $ 01c0; // ARM Little-endian IMAGE_FILE_MACHINE_THUMB = $ 01c2; IMAGE_FILE_MACHINE_ARM33 = $ 01d3; IMAGE_FILE_MACHINE_POWERPC = $ 01F0; // ib M PowerPC Little-Endian IMAGE_FILE_MACHINE_IA64 = $ 0200; // Intel 64 IMAGE_FILE_MACHINE_MIPS16 = $ 0266; // MIPS IMAGE_FILE_MACHINE_ALPHA64 = $ 0284; // ALPHA64 IMAGE_FILE_MACHINE_MIPSFPU = $ 0366; // MIPS IMAGE_FILE_MACHINE_MIPSFPU16 = $ 0466; // MIPS // IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64 IMAGE_FILE_MACHINE_AMD64 = $ 0500; / / AMD K8 Image_File_Machine_Tricore = $ 0520; // infineon image_file_machine_cef = $ 0CEF;
{The following is a detailed description attribute value SECTION} {Section characteristics} // IMAGE_SCN_TYPE_REG = $ 00000000; // Reserved // IMAGE_SCN_TYPE_DSECT = $ 00000001;.. // Reserved // IMAGE_SCN_TYPE_NOLOAD = $ 00000002;. // Reserved // IMAGE_SCN_TYPE_GROUP = $ 00000004; // Reserved IMAGE_SCN_TYPE_NO_PAD = $ 00000008;. // Reserved // IMAGE_SCN_TYPE_COPY = $ 00000010;. // Reserved.IMAGE_SCN_CNT_CODE = $ 00000020;. // Section contains code IMAGE_SCN_CNT_INITIALIZED_DATA = $ 00000040;. // Section contains initialized data IMAGE_SCN_CNT_UNINITIALIZED_DATA = $ 00000080; // Section Contains Uninitialized Data.
IMAGE_SCN_LNK_OTHER = $ 00000100;. // Reserved IMAGE_SCN_LNK_INFO = $ 00000200; // Section contains comments or some other type of information // IMAGE_SCN_TYPE_OVER = $ 00000400;.. // Reserved IMAGE_SCN_LNK_REMOVE = $ 00000800; // Section contents will not become part of image IMAGE_SCN_LNK_COMDAT. = $ 00001000; // Section contents comdat // = $ 00002000;.. // Reserved // IMAGE_SCN_MEM_PROTECTED - Obsolete = $ 00004000; IMAGE_SCN_NO_DEFER_SPEC_EXC = $ 00004000; // Reset speculative exceptions handling bits in the TLB entries for this section IMAGE_SCN_GPREL = $ 00008000; /. / Section content can be accessed relative to GP IMAGE_SCN_MEM_FARDATA = $ 00008000; // IMAGE_SCN_MEM_SYSHEAP - Obsolete = $ 00010000; IMAGE_SCN_MEM_PURGEABLE = $ 00020000; IMAGE_SCN_MEM_16BIT = $ 00020 000; Image_scn_mem_locked = $ 00040000; Image_scn_mem_preeload = 00080000;
IMAGE_SCN_ALIGN_1BYTES = $ 00100000; // IMAGE_SCN_ALIGN_2BYTES = $ 00200000; // IMAGE_SCN_ALIGN_4BYTES = $ 00300000; // IMAGE_SCN_ALIGN_8BYTES = $ 00400000; // IMAGE_SCN_ALIGN_16BYTES = $ 00500000; // Default alignment if no others are specified IMAGE_SCN_ALIGN_32BYTES = $ 00600000;. // IMAGE_SCN_ALIGN_64BYTES = $ 00700000; // IMAGE_SCN_ALIGN_128BYTES = $ 00800000; // IMAGE_SCN_ALIGN_256BYTES = $ 00900000; // IMAGE_SCN_ALIGN_512BYTES = $ 00A00000; // IMAGE_SCN_ALIGN_1024BYTES = $ 00B00000; // IMAGE_SCN_ALIGN_2048BYTES = $ 00C00000; // IMAGE_SCN_ALIGN_4096BYTES = $ 00D00000; // IMAGE_SCN_ALIGN_8192BYTES = $ 00E00000; // // Unused = $ 00F00000; image_scn_align_mask = $ 00F00000; Image_SCN_LNK_NRELOC_OVFL = $ 01000000; // Section CONTA . Ins extended relocations IMAGE_SCN_MEM_DISCARDABLE = $ 02000000;. // Section can be discarded IMAGE_SCN_MEM_NOT_CACHED = $ 04000000;. // Section is not cachable IMAGE_SCN_MEM_NOT_PAGED = $ 08000000;. // Section is not pageable IMAGE_SCN_MEM_SHARED = $ 10000000;. // Section is shareable IMAGE_SCN_MEM_EXECUTE = $ 20000000 // section is executable. Image_scn_mem_read = $ 40000000; // section is readable. Image_scn_mem_write = 80000000; // section is writteable.
I wrote to detect the function of the function that contains this property. Function betrue (fg: cardinal, value): boolean; begin result: = fg and not value = 0; END; if the fg's attribute value is true, otherwise it is False;, for example, betrue (image_fileheader.characteristics; as for the reading of the resource directory, at least two cycles need to be positioned, the specific implementation will rely on your algorithm :)
April 26, 2001 Xi'an
