PE Tutorial 3: File Header
In this lesson we study the FileHeader part of the PE Header.
First, a brief review of what we have learned so far:
The DOS MZ header is named IMAGE_DOS_HEADER. Only two of its fields matter to us: e_magic contains the string "MZ", and e_lfanew contains the file offset of the PE header. Compare e_magic with IMAGE_DOS_SIGNATURE; if they match, the file has a valid DOS header. To locate the PE header, move the file pointer to the offset given by e_lfanew. The first double word of the PE header contains the string "PE\0\0"; if this double word matches IMAGE_NT_SIGNATURE, the PE header is considered valid.
We now continue exploring the PE header. Its official name is IMAGE_NT_HEADERS. Let's recall this structure.
    IMAGE_NT_HEADERS STRUCT
        Signature       dd ?
        FileHeader      IMAGE_FILE_HEADER <>
        OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>
    IMAGE_NT_HEADERS ENDS
Signature: the PE signature, the bytes 50h, 45h, 00h, 00h ("PE\0\0"). FileHeader: this field contains general information about the physical layout of the PE file. OptionalHeader: this field contains information about the logical layout of the PE file.
The most interesting information is in OptionalHeader, but some fields of FileHeader are also important. This lesson covers FileHeader; the next lesson covers OptionalHeader.
    IMAGE_FILE_HEADER STRUCT
        Machine                 WORD ?
        NumberOfSections        WORD ?
        TimeDateStamp           dd ?
        PointerToSymbolTable    dd ?
        NumberOfSymbols         dd ?
        SizeOfOptionalHeader    WORD ?
        Characteristics         WORD ?
    IMAGE_FILE_HEADER ENDS
Field name: meaning
Machine: the CPU this file is intended to run on. For the Intel platform the value is IMAGE_FILE_MACHINE_I386 (14Ch). We tried the values 14Dh and 14Eh declared in LUEVELSMEYER's pe.txt, but Windows refused to run the file. Apart from preventing the program from running, this field does not seem to matter much.
NumberOfSections: the number of sections in the file. If we want to add or delete a section in the file, we need to modify this value.
TimeDateStamp: the date and time the file was created. Not interesting to us.
PointerToSymbolTable: used for debugging.
NumberOfSymbols: used for debugging.
SizeOfOptionalHeader: the size of the OptionalHeader structure that follows this structure. Must be a valid value.
Characteristics: flags describing the file, for example whether it is an EXE or a DLL.
In short, only three fields are of any use: Machine, NumberOfSections and Characteristics. You normally do not change Machine or Characteristics, but you must use NumberOfSections if you want to walk the section table. To explain NumberOfSections better, here is a brief introduction to the section table. The section table is an array of structures, each of which holds information about one section. So if there are 3 sections, the array has 3 members. We need the value of NumberOfSections to know how many members the array has. You may think that checking for an all-zero member in the array would do the job just as well. Windows does adopt this method: to prove it, you can increase the value of NumberOfSections and Windows still runs the file normally. From our observation, Windows reads NumberOfSections and then checks each structure in the section table; if it finds an all-zero structure it stops searching, otherwise it reads as many structures as NumberOfSections specifies.
Why, then, can't we ignore the value of NumberOfSections? There are several reasons. The PE specification does not require the section table to end with an all-zero structure, so the last array member may be immediately followed by the first section, with no empty space at all. Another reason has to do with bound imports: the new-style binding puts its information immediately after the last array member of the section table. So you still need NumberOfSections.
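As an added example (not from the original tutorial), a small Python parser that applies the checks described so far: validate the DOS and PE signatures, decode IMAGE_FILE_HEADER, locate the section table right after OptionalHeader using SizeOfOptionalHeader, and walk at most NumberOfSections entries while also stopping at an all-zero entry, as observed above. The sample PE bytes are constructed inline for the demonstration and are not a loadable image.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000           # Characteristics flag: the image is a DLL
FILE_HEADER_SIZE = 20             # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40          # sizeof(IMAGE_SECTION_HEADER)

def parse_file_header(data):
    """Check the DOS and PE signatures, decode IMAGE_FILE_HEADER and walk the
    section table: at most NumberOfSections entries, stopping early at an
    all-zero entry (as Windows does) or when the table runs past end of file."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("invalid DOS header (e_magic is not 'MZ')")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("invalid PE signature")
    machine, nsect, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # the section table immediately follows OptionalHeader, whose size is SizeOfOptionalHeader
    sect_off = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size
    names = []
    for i in range(nsect):
        off = sect_off + i * SECTION_HEADER_SIZE
        entry = data[off:off + SECTION_HEADER_SIZE]
        if len(entry) < SECTION_HEADER_SIZE or entry == bytes(SECTION_HEADER_SIZE):
            break  # truncated table, or an all-zero terminator entry
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "claimed_sections": nsect, "sections": names,
            "is_i386": machine == IMAGE_FILE_MACHINE_I386,
            "is_dll": bool(chars & IMAGE_FILE_DLL)}

def build_sample(claimed_sections):
    """Constructed test input (not a loadable image): 64-byte DOS header with
    e_lfanew = 0x40, PE signature, file header, zeroed 0xE0-byte PE32
    optional header, two real section headers and one all-zero entry."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + bytes(0x3A) + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, claimed_sections,
                           0, 0, 0, 0xE0, 0x0102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    def section(name):
        return name.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
    return (dos + b"PE\0\0" + file_hdr + bytes(0xE0)
            + section(b".text") + section(b".data") + bytes(SECTION_HEADER_SIZE))

if __name__ == "__main__":
    print(parse_file_header(build_sample(3)))
```

With NumberOfSections set to 3 or larger, the walk still reports only .text and .data because the third entry is all zeros; with it set to 1, only .text is seen, which is why the value cannot simply be ignored.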
Translation: IAMGUFENG [Iczelion's Win32 Assembly Home] [Luoyunbin's Win32 ASM Page]