ICZelion PE TUT1

zhaozj  2021-02-11  224

Tutorial 1: Overview of PE File Format

. So I decided to replace it with this new one.

PE stands for Portable Executable. It is the native file format of Win32. Its specification is derived somewhat from the Unix COFF (Common Object File Format). The meaning of "portable executable" is that the file format is universal across the Win32 platform: the PE loader of every Win32 platform recognizes and uses this file format, even when Windows is running on CPU platforms other than Intel. It does not mean that your PE executables would be able to port to other CPU platforms without change. Every Win32 executable (except VxDs and 16-bit DLLs) uses the PE file format. Even NT's kernel mode drivers use the PE file format. Thus studying the PE file format gives you valuable insights into the structure of Windows.

Let's jump into the general outline of the PE file format without further ado.

DOS MZ HEADER

Dos Stub

PE Header

Section Table

Section 1

Section 2

Section ...

Section N

The above picture is the general layout of a PE file. All PE files (even 32-bit DLLs) must start with a simple DOS MZ header. We usually are not interested in this structure much. It is provided for the case when the program is run from DOS, so that DOS can recognize it as a valid executable and can thus run the DOS stub which is stored next to the MZ header. The DOS stub is actually a valid EXE that is executed in case the operating system does not know about the PE file format. It can simply display a string like "This program requires Windows" or it can be a full-blown DOS program, depending on the intent of the programmer. We are also not very interested in the DOS stub: it is usually provided by the assembler/compiler. In most cases, it simply uses Int 21h, service 9 to print a string saying "This program cannot be run in DOS mode". After the DOS stub comes the PE header. "PE header" is a general term for the PE-related structure named IMAGE_NT_HEADERS. This structure contains many essential fields that are used by the PE loader. We will become quite familiar with it as you learn more about the PE file format. In the case the program is executed in an operating system that knows about the PE file format, the PE loader can find the starting offset of the PE header from the DOS MZ header.

The real content of the PE file is divided into blocks called sections. A section is nothing more than a block of data with common attributes such as code/data, read/write, etc. You can think of a PE file as a logical disk. The PE header is the boot sector and the sections are the files on the disk. The files can have different attributes such as read-only, system, hidden, archive and so on. I want to make it clear from this point onwards that the grouping of data into a section is done on a common-attribute basis, not on a logical basis. It does not matter how the code/data are used: if the data/code in the PE file have the same attributes, they can be lumped together in one section. You should not think of a section as "data", "code" or some other logical concept: sections can contain both code and data, provided that they have the same attributes. If you have a block of data that you want to be read-only, you can put that data in a section that is marked as read-only. When the PE loader maps the sections into memory, it examines the attributes of each section and gives the memory pages of that section the attributes specified there.

If we view the PE file format as a logical disk, the PE header as the boot sector and the sections as files, we still don't have enough information to find out where the files reside on the disk, i.e. we haven't discussed the directory equivalent of the PE file format. Immediately following the PE header is the section table, which is an array of structures. Each structure contains the information about one section in the PE file, such as its attributes, its file offset and its virtual offset. If there are 5 sections in the PE file, there will be exactly 5 members in this structure array. We can then view the section table as the root directory of the logical disk: each member of the array is equivalent to a directory entry in the root directory. That's all about the physical layout of the PE file format. I'll summarize the major steps in loading a PE file into memory below:

When the PE file is run, the PE loader examines the DOS MZ header for the offset of the PE header. If found, it skips to the PE header.

The PE loader checks whether the PE header is valid. If so, it goes to the end of the PE header.

Immediately following the PE header is the section table. The PE loader reads the information about the sections and maps those sections into memory using file mapping. It also gives each section the attributes specified in the section table.

After ...

The above steps are an oversimplification and are based on my own observation. There may be inaccuracies, but they should give you a clear picture of the process.
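As an added illustration of the loading steps above (this script is not part of Iczelion's tutorial), the following Python code walks a PE file's headers in exactly the loader's order: MZ signature, the e_lfanew field at offset 0x3C, the "PE\0\0" signature, IMAGE_FILE_HEADER, then past the optional header into the section table. It also uses the section table the way the text's "root directory" analogy suggests, translating a virtual address to the file offset that holds its bytes, and it decodes each section's Characteristics into the read/write/execute attributes the loader applies to its pages. The structure layouts and flag values are those of winnt.h; every offset is bounds-checked before it is read, which the real loader must also do and which the text's summary skips. The sample image is constructed inside the script (zero-filled stub and optional header) and is not a runnable program.

```python
import struct

# Signatures and section flags as defined in winnt.h.
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HEADER_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def section_perms(flags):
    """Render the page attributes the loader gives a section's memory."""
    return ("R" if flags & IMAGE_SCN_MEM_READ else "-") + \
           ("W" if flags & IMAGE_SCN_MEM_WRITE else "-") + \
           ("X" if flags & IMAGE_SCN_MEM_EXECUTE else "-")


def parse_pe_headers(data):
    """Follow the loader's path: MZ header -> e_lfanew -> PE signature ->
    file header -> (skip optional header) -> section table.
    Every offset is checked against the file length before it is read."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, _, _, _, size_opt, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    # The section table starts right after the optional header, whose size
    # is whatever the file header says it is (0xE0 for PE32, 0xF0 for PE32+).
    table_off = e_lfanew + 4 + FILE_HEADER_SIZE + size_opt
    if table_off + nsect * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table extends past the end of the file")
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER_FMT, data, table_off + i * SECTION_HEADER_SIZE)
        if rawptr + rawsize > len(data):
            raise ValueError("section %d raw data lies outside the file" % i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr,
                         "flags": flags, "perms": section_perms(flags)})
    return {"e_lfanew": e_lfanew, "machine": machine,
            "characteristics": chars, "sections": sections}


def rva_to_file_offset(sections, rva):
    """Use the section table as the 'root directory': map an RVA to the file
    offset that holds its bytes, or None if no section covers that RVA."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["raw_offset"] + (rva - s["virtual_address"])
    return None


def build_sample_pe():
    """Constructed minimal PE32 header set with two sections. The DOS stub and
    the optional header are zero-filled, so this is a sample, not a program."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)                  # MZ header + (empty) DOS stub
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xE0                            # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x014C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic

    def sect(name, vaddr, rawptr, flags):
        return struct.pack(SECTION_HEADER_FMT, name, 0x200, vaddr, 0x200, rawptr,
                           0, 0, 0, 0, flags)

    text = sect(b".text", 0x1000, 0x200,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = sect(b".data", 0x2000, 0x400,
                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = dos + b"PE\0\0" + file_hdr + opt + text + data
    return bytes(image + b"\0" * (0x600 - len(image)))


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    print("PE header at 0x%x, machine 0x%x" % (hdr["e_lfanew"], hdr["machine"]))
    for s in hdr["sections"]:
        print("%-8s RVA 0x%05x raw 0x%05x %s"
              % (s["name"], s["virtual_address"], s["raw_offset"], s["perms"]))
```

Pointing the script at a real file (`parse_pe_headers(open(path, "rb").read())`) prints the same table for any Win32 EXE or DLL. The parser stops where the text's summary stops: it does not apply relocations or resolve imports, which come after the sections are mapped.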

You should download Luevelsmeyer's description of the PE file format. It's very detailed and you should use it as a reference. [Iczelion's Win32 Assembly Home]

Please credit the original source when reposting: https://www.9cbs.com/read-4650.html
