PE file format analysis (002)

in hive-133802 • 4 years ago

Continuing from the previous post (https://steemit.com/hive-133802/@kevin-mn/pe-file-format-analysis-001), let's get started!!!

IMAGE_FILE_HEADER structure

[Screenshot (2021-01-07): IMAGE_FILE_HEADER bytes in a hex editor; image not available]

Machine:

(important) The CPU type. Each CPU family has its own Machine value, which tells the loader which processor can execute the image. In the example the raw bytes are 4C 01, which read little-endian is 0x014C: Intel 386 or later processors and their compatibles.
The Machine field takes one of the following values to specify the CPU type. The image file can only run on the specified processor or on a system that can emulate the specified processor.

Value   Description
0x0     Any type of processor
0x1d3   Matsushita AM33 processor
0x8664  x64 processor
0x1c0   ARM little-endian processor
0xebc   EFI byte code processor
0x14c   Intel 386 or later processors and their compatibles
0x200   Intel Itanium processor
0x9041  Mitsubishi M32R little-endian processor
0x266   MIPS16 processor
0x366   MIPS processor with FPU
0x466   MIPS16 processor with FPU
0x1f0   PowerPC little-endian processor
0x1f1   PowerPC processor with floating-point support
0x166   MIPS little-endian processor
0x1a2   Hitachi SH3 processor
0x1a3   Hitachi SH3 DSP processor
0x1a6   Hitachi SH4 processor
0x1a6   Hitachi SH5 processor
0x1c2   Thumb processor
0x169   MIPS little-endian WCE v2 processor

NumberOfSections:

(important) The number of sections (also called blocks) in the PE file, i.e. the number of entries in the section table. In the example: 00 04 -> 4. The value must be greater than 0, and if the declared number of sections does not match the actual number, a runtime error occurs.

TimeDateStamp:

The creation time of the PE file (a 32-bit timestamp), usually filled in by the linker.

PointerToSymbolTable:

The file offset of the COFF symbol table. This field is only meaningful for COFF debugging information.

NumberOfSymbols:

The number of symbols in the COFF symbol table. This value and the previous one are both 0 in a RELEASE build of a program. In the example: 00 00 00 00 -> 0 symbols.

SizeOfOptionalHeader:

(important) The size, in bytes, of the IMAGE_OPTIONAL_HEADER structure: by default E0H for 32-bit images and F0H for 64-bit images (it can be modified). Because the 32-bit and 64-bit optional headers differ in size, the size must be stated explicitly in SizeOfOptionalHeader.

Characteristics:

(important) Describes the file attributes. Each bit of the value represents a different attribute, e.g. the bytes 0F 01 (little-endian for 0x010F). A single attribute sets only one bit, e.g. #define IMAGE_FILE_DLL 0x2000 (the file is a DLL).
A combined attribute sets several bits and is the bitwise OR of single attributes, e.g. 0x010F for an executable file.

The Characteristics field holds the flags describing the attributes of the image file. The currently defined bits are listed below, from the low bit to the high bit.

Bit  Description
0    The file contains no base-relocation information and must therefore be loaded at its preferred base address. If that address is not available, the loader reports an error.
1    The image file is valid and can be run. It seems a bit redundant, but it cannot be missing.
2    Reserved, must be 0.
3    Reserved, must be 0.
4    Reserved, must be 0.
5    The application can handle addresses larger than 2 GB.
6    Reserved, must be 0.
7    Reserved, must be 0.
8    The machine type is based on a 32-bit architecture.
9    Debug information has been removed from this image file.
10   If the image is on removable media, load it fully and copy it to the swap file. Rarely needed.
11   If the image is on network media, load it fully and copy it to the swap file. Rarely used.
12   The image is a system file, not a user program.
13   The image is a dynamic link library (DLL).
14   The file can only run on single-processor machines.
15   Reserved, must be 0.

eg:

[Screenshot (2021-01-07): Characteristics value example in a hex editor; image not available]
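To tie the fields above together, here is an added example (not from the original post) that locates IMAGE_FILE_HEADER through e_lfanew, unpacks its seven fields with the little-endian layout discussed here, and decodes Machine and Characteristics; the sample bytes are constructed headers only, not a real executable, and the names MACHINE_NAMES, CHARACTERISTICS, build_sample and parse_file_header are this example's own.

```python
import struct
from datetime import datetime, timezone

# Machine values from the table above (subset), keyed by the little-endian WORD.
MACHINE_NAMES = {0x0: "any", 0x14C: "i386", 0x8664: "x64", 0x1C0: "ARM LE",
                 0x200: "Itanium", 0xEBC: "EFI byte code", 0x1C2: "Thumb"}

# Characteristics bits from the table above: (mask, name); the reserved bits are left out.
CHARACTERISTICS = [
    (0x0001, "RELOCS_STRIPPED"), (0x0002, "EXECUTABLE_IMAGE"),
    (0x0004, "LINE_NUMS_STRIPPED"), (0x0008, "LOCAL_SYMS_STRIPPED"),
    (0x0020, "LARGE_ADDRESS_AWARE"), (0x0100, "32BIT_MACHINE"),
    (0x0200, "DEBUG_STRIPPED"), (0x1000, "SYSTEM"), (0x2000, "DLL"),
    (0x4000, "UP_SYSTEM_ONLY"),
]
FILE_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
                              # PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics (20 bytes)

def build_sample() -> bytes:
    """Constructed input: DOS stub with e_lfanew = 0x80, then 'PE\\0\\0' and a
    file header carrying the values used as examples on this page."""
    dos = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes up to e_lfanew
    dos += struct.pack("<I", 0x80)                  # e_lfanew at offset 0x3C
    dos += b"\x00" * (0x80 - len(dos))              # pad up to the PE signature
    hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 4, 0x5FF60000, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\x00\x00" + hdr

def parse_file_header(data: bytes) -> dict:
    """Return the decoded IMAGE_FILE_HEADER; raise ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    names = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
             "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
    hdr = dict(zip(names, struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)))
    if hdr["NumberOfSections"] == 0:          # the page: must be greater than 0
        raise ValueError("NumberOfSections must be > 0")
    hdr["MachineName"] = MACHINE_NAMES.get(hdr["Machine"], "other")
    hdr["Timestamp"] = datetime.fromtimestamp(hdr["TimeDateStamp"], tz=timezone.utc)
    # Combined attribute = OR of single-bit attributes; list the bits that are set.
    hdr["Flags"] = [n for mask, n in CHARACTERISTICS if hdr["Characteristics"] & mask]
    return hdr

if __name__ == "__main__":
    for k, v in parse_file_header(build_sample()).items():
        print(f"{k:22} {v:#x}" if isinstance(v, int) else f"{k:22} {v}")
```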

In the next chapter we continue with the IMAGE_OPTIONAL_HEADER structure.
To be continued...
