PE file format analysis (001)

in hive-133802 • 4 years ago

I have recently been studying the PE file format and think it is worth summarizing for everyone, so let's get going!

Concept

A PE file is the general name for executable program files on the Windows operating system. PE is the abbreviation of Portable Executable, meaning a file that can be run on multiple systems; common PE files include DLL, EXE, OCX and SYS files.

File Structure

[Figure: PE file structure overview]

DOS HEADER

[Figure: definition of the IMAGE_DOS_HEADER structure]
The figure above shows the definition of the IMAGE_DOS_HEADER structure, which sits at the top of the PE header and is the starting part of the PE file. The structure is defined in the winnt.h header file, which also defines the structures of the PE header and the section area. The layout of IMAGE_DOS_HEADER is fixed and its size is constant: 64 bytes in total (offsets 0h to 40h in the PE file).
For both 32-bit and 64-bit systems, we focus on two members of IMAGE_DOS_HEADER: e_magic (the first) and e_lfanew (the last).

e_magic: the first 2 bytes of the IMAGE_DOS_HEADER structure are 4D 5A, which the header comment describes as the signature (magic number). 4D 5A corresponds to the characters MZ. So what does MZ stand for? MZ are the initials of Mark Zbikowski, one of the designers of the DOS system, so when you find MZ in a PE file it is like seeing Mark Zbikowski himself.


e_lfanew: located at the end of the structure, it is a LONG variable 4 bytes in size. It holds an offset relative to the beginning of the file and is used to find the PE header.

DOS Stub Program

Immediately after the IMAGE_DOS_HEADER structure comes the DOS Stub Program, which is not a structure but, as the name implies, a program. The DOS Stub Program is small, and its length is not fixed. So how do you know where it ends? This can be determined from the value of the e_lfanew member. Since the e_lfanew value is the starting offset of the IMAGE_NT_HEADERS structure, which immediately follows the DOS Stub Program, knowing e_lfanew tells you where the DOS Stub Program ends.


IMAGE_NT_HEADERS

The first member of the NT header is the signature "PE\0\0" (the four bytes 0x50 0x45 0x00 0x00), and the next two members are the standard PE header (_IMAGE_FILE_HEADER) and the optional PE header (_IMAGE_OPTIONAL_HEADER).

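
The chain described in this post (e_magic, e_lfanew, the DOS stub bounded by e_lfanew, then the "PE\0\0" signature and the headers that follow it) as an added Python example that is not part of the original post. It also reads the first fields of IMAGE_FILE_HEADER and the optional header's Magic, which is what distinguishes a PE32 (32-bit) from a PE32+ (64-bit) optional header; the sample image it builds is constructed for illustration and is not a real executable.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0" read as a little-endian DWORD
DOS_HEADER_SIZE = 64             # sizeof(IMAGE_DOS_HEADER), offsets 0x00..0x3F

def parse_pe_headers(data: bytes) -> dict:
    """Follow DOS header -> DOS stub -> NT headers and return what was found.
    Raises ValueError on a truncated or non-PE buffer instead of misparsing."""
    if len(data) < DOS_HEADER_SIZE:
        raise ValueError("shorter than IMAGE_DOS_HEADER")
    e_magic = struct.unpack_from("<H", data, 0)[0]          # first member
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature: 0x%04X" % e_magic)
    e_lfanew = struct.unpack_from("<l", data, 0x3C)[0]      # last member
    # e_lfanew is the file offset of IMAGE_NT_HEADERS, so the DOS stub is the
    # bytes between the 64-byte DOS header and that offset. The signature is
    # 4 bytes and IMAGE_FILE_HEADER is 20, so both must fit in the buffer.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew 0x%X points outside the buffer" % e_lfanew)
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE\\0\\0 signature at 0x%X" % e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    machine, nsect = struct.unpack_from("<HH", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    # First WORD of the optional header (Magic) tells PE32 from PE32+, which
    # decides the 32- vs 64-bit layout of the rest of IMAGE_OPTIONAL_HEADER.
    opt_off = e_lfanew + 4 + 20
    if size_opt < 2 or opt_off + 2 > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    return {"e_lfanew": e_lfanew, "dos_stub": (DOS_HEADER_SIZE, e_lfanew),
            "machine": machine, "number_of_sections": nsect,
            "optional_magic": magic, "format": fmt}

def is_pe(data: bytes) -> bool:
    """True when the MZ -> e_lfanew -> PE\\0\\0 chain checks out."""
    try:
        parse_pe_headers(data)
        return True
    except ValueError:
        return False

def build_sample() -> bytes:
    """Constructed minimal image (not a real executable): 64-byte DOS header,
    16-byte stub, NT signature, IMAGE_FILE_HEADER, then a PE32+ Magic."""
    e_lfanew = DOS_HEADER_SIZE + 16
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\x00" * 58 + struct.pack("<l", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)  # x64, 3 sections
    return dos + b"\x00" * 16 + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + struct.pack("<H", 0x20B)
```

Pass any file's bytes to parse_pe_headers to get the same offsets a hex editor shows for e_lfanew and the DOS stub; the bounds checks are what stop a short or corrupted file from being read past its end.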

To be continued...
