PE file format analysis (003)

in hive-133802 • 4 years ago

Continuing from the previous post (https://steemit.com/hive-133802/@kevin-mn/pe-file-format-analysis-002), let's go!!!

IMAGE_OPTIONAL_HEADER structure

(Screenshot of the IMAGE_OPTIONAL_HEADER structure as displayed in a PE viewer, taken 2021-01-08.)

Magic: a flag word identifying the image type. Ordinary 32-bit executables use 0x010B, 64-bit executables (PE32+) use 0x020B, and ROM images use 0x0107.
MajorLinkerVersion: the linker's major version number; here the value is 0x0E.
MinorLinkerVersion: the linker's minor version number; here the value is 0x00.
SizeOfCode: the total size of all sections carrying the IMAGE_SCN_CNT_CODE attribute, rounded up to an alignment multiple. Most files have only one code section, so this field usually equals the size of the .text section.
SizeOfInitializedData: the total size of all initialized data sections; here the value is 0x000B4000. It is the size of the non-code sections as computed at link time, and in practice the value is often inaccurate.
SizeOfUninitializedData: the total size of all uninitialized data sections; here the value is 0. These sections have no contents specified when the program starts; uninitialized data usually lives in the .bss section.
AddressOfEntryPoint: the RVA at which execution begins; here the value is 0x002B56D0. In most executables this address does not point directly at main, WinMain or DllMain but at run-time library startup code that in turn calls one of those functions. For a DLL, this entry point is called at process initialization and shutdown and at thread creation and destruction.
BaseOfCode: the starting RVA of the code section; here the value is 0x00001000, which is the usual value for images produced by Microsoft's linker.
BaseOfData: the starting RVA of the data section; here the value is 0x0031E000. The data section usually lies at the end of the image; the value differs between versions of the Microsoft linker, and the field does not exist in 64-bit executables.
ImageBase: the preferred load address of the program; here the value is 0x00400000. The loader first tries to map the PE file at this address, and if that succeeds the base-relocation step is skipped.
SectionAlignment: the alignment of sections in memory; here the value is 0x00001000. The default is the page size of the target CPU, at least one page, 0x1000 (4 KB), and 8 KB on IA-64. The load address of every section must be an integer multiple of this value.
FileAlignment: the alignment of sections within the PE file on disk; here the value is 0x00000200. For x86 executables it is usually 0x200 or 0x1000, so that every section starts at a disk sector boundary. The value must be a power of 2, and the minimum is 0x200.
MajorOperatingSystemVersion: the major version number of the minimum operating system required; here the value is 0x0006. This value does not seem to be useful.
MinorOperatingSystemVersion: the minor version number of the minimum operating system required.
MajorImageVersion: the image's major version number.
MinorImageVersion: the image's minor version number.
MajorSubsystemVersion: the major version number of the minimum subsystem required.
MinorSubsystemVersion: the minor version number of the minimum subsystem required.
Win32VersionValue: a reserved field that is not needed; it is normally 0 unless a virus has made use of it.
SizeOfImage: the total size of the image once loaded into memory; here the value is 0x003D5000. It covers the loaded file from ImageBase to the end of the last section, with the last section's size rounded up.
SizeOfHeaders: the combined size of the MS-DOS header, the PE headers and the section table; here the value is 0x00000400.
CheckSum: the image checksum. The CheckSumMappedFile function in IMAGEHLP.DLL computes it. It may be 0 in ordinary EXE files, but some kernel-mode drivers and system DLLs must carry a valid checksum.
Subsystem: an enumeration value giving the subsystem the executable expects; it matters only for EXEs. Here the value is 0x0003.
DllCharacteristics: flags concerning when DllMain() is called; the default is 0.
SizeOfStackReserve: the size of the stack reserved for a thread in an EXE file. Only part of it is committed initially; the rest is committed as needed.
SizeOfStackCommit: the amount of stack memory committed initially in an EXE file; the default is 4 KB.
SizeOfHeapReserve: the memory reserved for the process's default heap in an EXE file; the default is 1 MB, although on current Windows the heap can grow past this value without user intervention.
SizeOfHeapCommit: the memory committed to the heap initially in an EXE file; the default is 4 KB.
LoaderFlags: debugging-related flags; the default is 0.
NumberOfRvaAndSizes: the number of entries in the data directory table; the value is 16.
DataDirectory[16]: the data directory table, an array of IMAGE_DATA_DIRECTORY structures pointing to the import table, export table, resources and other data.
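As an added example (not the author's code), the following Python script walks the MZ header, e_lfanew and PE signature of an image, decodes the IMAGE_OPTIONAL_HEADER fields listed above for both the 0x010B and 0x020B layouts, and then checks the invariants stated in the descriptions: FileAlignment a power of two and at least 0x200, SectionAlignment not smaller than FileAlignment, SizeOfHeaders and SizeOfImage aligned, AddressOfEntryPoint inside the image, and at most 16 data directories. The input is a constructed, header-only PE32 image carrying the values quoted in the post; SizeOfCode, the stack and heap sizes and the file header's Machine value are assumed, since the post does not give them.

```python
import struct

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at offset 0x3C
FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER (20 bytes) follows the "PE\0\0" signature

# IMAGE_OPTIONAL_HEADER32 (96 bytes) and IMAGE_OPTIONAL_HEADER64 (112 bytes) without the
# data directory array. The 64-bit layout drops BaseOfData and widens ImageBase and the
# stack/heap sizes to 8 bytes, which is why the two struct formats differ.
FMT32 = "<HBB9I6H4I2H6I"
FMT64 = "<HBB5IQ2I6H4I2H4Q2I"
FIELDS32 = [
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
    "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
    "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
    "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes",
]
FIELDS64 = [f for f in FIELDS32 if f != "BaseOfData"]


def parse_optional_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> file header -> optional header; return the fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    size_of_optional = file_header[5]                   # SizeOfOptionalHeader
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:
        fmt, names = FMT32, FIELDS32
    elif magic == 0x20B:
        fmt, names = FMT64, FIELDS64
    else:
        raise ValueError(f"unsupported Magic {magic:#06x} (0x10B or 0x20B expected)")
    hdr = dict(zip(names, struct.unpack_from(fmt, data, opt_off)))
    # Read the data directories that follow, but never more than the 16 defined entries
    # or more than SizeOfOptionalHeader covers: a bogus NumberOfRvaAndSizes in a crafted
    # file must not make the parser read past the header.
    fixed = struct.calcsize(fmt)
    n = min(hdr["NumberOfRvaAndSizes"], 16, max(size_of_optional - fixed, 0) // 8)
    hdr["DataDirectory"] = [struct.unpack_from("<II", data, opt_off + fixed + 8 * i)
                            for i in range(n)]
    return hdr


def check_optional_header(hdr: dict) -> list:
    """Return the invariants from the field descriptions that this header violates."""
    problems = []
    fa, sa = hdr["FileAlignment"], hdr["SectionAlignment"]
    if fa < 0x200 or fa & (fa - 1):
        problems.append("FileAlignment must be a power of two and at least 0x200")
    if sa < fa:
        problems.append("SectionAlignment must not be smaller than FileAlignment")
    if fa and hdr["SizeOfHeaders"] % fa:
        problems.append("SizeOfHeaders is not a multiple of FileAlignment")
    if sa and hdr["SizeOfImage"] % sa:
        problems.append("SizeOfImage is not a multiple of SectionAlignment")
    if hdr["AddressOfEntryPoint"] >= hdr["SizeOfImage"]:
        problems.append("AddressOfEntryPoint lies outside SizeOfImage")
    if hdr["NumberOfRvaAndSizes"] > 16:
        problems.append("NumberOfRvaAndSizes exceeds the 16 defined directories")
    return problems


def build_sample_pe32() -> bytes:
    """Constructed header-only PE32 image carrying the values quoted in the post.
    SizeOfCode, the stack/heap sizes and Machine are assumed values, not from the post."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew: PE header right after the DOS header
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack(
        FMT32,
        0x10B, 0x0E, 0x00,                   # Magic, MajorLinkerVersion, MinorLinkerVersion
        0x1000, 0xB4000, 0,                  # SizeOfCode (assumed), SizeOfInitializedData, SizeOfUninitializedData
        0x2B56D0, 0x1000, 0x31E000,          # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,             # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                    # OS, image and subsystem major/minor versions
        0, 0x3D5000, 0x400, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0,                                # Subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack reserve/commit, heap reserve/commit (assumed)
        0, 16,                               # LoaderFlags, NumberOfRvaAndSizes
    )
    image = bytes(dos) + b"PE\0\0" + file_header + opt + b"\0" * (16 * 8)
    return image + b"\0" * (0x400 - len(image))          # pad to SizeOfHeaders


if __name__ == "__main__":
    hdr = parse_optional_header(build_sample_pe32())
    for name in FIELDS32:
        print(f"{name:28s} {hdr[name]:#x}")
    print("problems:", check_optional_header(hdr) or "none")
```

Run it as-is to see the decoded fields and an empty problem list; replace `build_sample_pe32()` with the bytes of a real file to inspect that file instead. Capping the data directory count by both 16 and SizeOfOptionalHeader, rather than trusting NumberOfRvaAndSizes alone, is the one place where an analysis tool has to be stricter than the description of the field suggests.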
