PE Tutorial 4: Optional Header
We have already covered part of the DOS header and the PE header. What remains is the last, largest and perhaps most important member: the Optional Header.
Looking back, the Optional Header structure is the last member of IMAGE_NT_HEADERS. It holds the logical layout information of the PE file. The structure has 31 fields in total; some are critical, others are rarely used. Only the really useful ones are covered here.
First, a common term in the PE file format: RVA. RVA stands for relative virtual address. Once you know what a virtual address is, the "relative" part is still somewhat awkward. Briefly, an RVA is a distance in the virtual address space measured from a reference point. I bet you are familiar with file offsets: an RVA is something similar to a file offset, except that it is an address in the virtual address space rather than in the file, and it is measured from the start of the loaded module rather than from the start of the file. For example, if the PE file is loaded at 400000h in the virtual address (VA) space and the program starts executing at VA 401000h, we say that the program's entry point is at RVA 1000h. Every RVA is relative to the starting VA of the module. Why does the PE file format use RVAs? To reduce the burden on the PE loader. Because each module can be loaded at any virtual address, it would be a nightmare if the PE loader had to fix up every relocatable item. Conversely, if all such items use RVAs, the PE loader does not have to worry about them: it just relocates the whole module to the new starting VA. This is like the concept of relative and absolute paths: an RVA is similar to a relative path, and a VA is like an absolute path.
The fields and their meanings:
AddressOfEntryPoint: the RVA of the first instruction that the PE loader executes when the file is run. If you want to divert the flow of execution, you can point this value at a new RVA so that the instructions at the new RVA execute first.
ImageBase: the preferred load address of the PE file. For example, if the value is 400000h, the PE loader will attempt to map the file at 400000h in the virtual address space. The word "preferred" indicates that if that address region is already occupied by another module, the PE loader chooses another free address.
SectionAlignment: the alignment granularity of sections in memory. For example, if the value is 4096 (1000h), the start address of each section must be a multiple of 4096. If the first section starts at 401000h and is 10 bytes long, the next section must start at 402000h, even though there is still a lot of unused space between 401000h and 402000h.
FileAlignment: the alignment granularity of sections in the file. For example, if the value is 512 (200h), the start of each section in the file must be a multiple of 512. If the first section starts at file offset 200h and is 10 bytes long, the next section must be placed at offset 400h, even though there is still a lot of unused space between offsets 512 and 1024.
MajorSubsystemVersion, MinorSubsystemVersion: the Win32 subsystem version. If the PE file is intended for Win32, the subsystem version must be 4.0, otherwise dialog boxes will not have the 3D look.
SizeOfImage: the overall size of the PE image in memory. It is the sum of all headers and sections, aligned to SectionAlignment.
SizeOfHeaders: the size of all headers plus the section table. In short, this value equals the file size minus the total size of all sections in the file. You can use this value as the file offset of the first section in the PE file.
Subsystem: identifies which subsystem the PE file belongs to. For most Win32 programs there are only two values: Windows GUI and Windows CUI.
DataDirectory: an array of IMAGE_DATA_DIRECTORY structures. Each structure gives the RVA and size of an important data structure, such as the import address table, and so on.
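As an added example (not part of the original tutorial), the parser below walks from e_lfanew to the Optional Header, reads the fields discussed above from a constructed, headers-only PE32 image that uses the tutorial's values (ImageBase 400000h, entry RVA 1000h, SectionAlignment 1000h, FileAlignment 200h), and then maps an RVA back to a file offset through the section table. The image and all values are constructed here for illustration; the field order and sizes follow the IMAGE_OPTIONAL_HEADER32 layout.

```python
import struct

def build_sample_image():
    """Constructed minimal PE32 image: DOS header, NT signature, COFF header,
    224-byte optional header and one section header (no section data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 40h
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
        0x10B, 14, 0,             # Magic (PE32), linker version
        0x200, 0, 0,              # SizeOfCode, SizeOfInit/UninitializedData
        0x1000, 0x1000, 0x2000,   # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,  # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,         # OS / image / subsystem versions (4.0)
        0, 0x2000, 0x200, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0)                     # Subsystem (2 = Windows GUI), DllCharacteristics
    opt += b"\0" * (224 - len(opt))   # remaining fields incl. 16 DataDirectory entries
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI",
        0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect

OPT_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
    "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
    "DllCharacteristics")

def parse_optional_header(data):
    """Return (optional header fields as dict, list of section tuples)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                       # signature (4) + COFF header (20)
    opt = dict(zip(OPT_FIELDS, struct.unpack_from("<HBBIIIIIIIIIHHHHHHIIIIHH", data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 handled here")
    sections = []
    for i in range(nsections):                    # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return opt, sections

def rva_to_offset(rva, sections):
    """Map an RVA to its file offset via the section that contains it."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None                                   # RVA not backed by any section
```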