portable-executable

After adding the /TSAWARE linker flag to one of my projects (Visual Studio 6), I was surprised to find a new section in the PE file (.idata). If I don't set the flag, the imports are merged into .rdata. To illustrate the "problem" we start out with a simple console program: #include <stdio.h> int main() { printf("hello world\n"); return 0; } and compile with: cl /Og /O1 /GF /WX /c main.c Then link with link /MACHINE:IX86 /SUBSYSTEM:CONSOLE /RELEASE /OUT:a.exe main.obj link /MACHINE:IX86 /SUBSYSTEM:CONSOLE /RELEASE /OUT:b.exe /TSAWARE main.obj Let's compare the dumpbin output: Dump of file a

In ELF file format we have an Alignment field in Segment Header Table aka Program Header Table . In case of Windows PE file format they take it to next level the Sections have two alignment values, one within the disk file and the other in memory. The PE file header specifies both of these values. I didn't understand a thing about this alignment. What do we need it for? How & Where is it used? Again, I don't know what is alignment in binary file format context but why do we need it? Well, alignment is usually stretching the storage size of some value to occupy some "round" space, like 32, 64,

In the PE format we have Import Table Directory (accessed by IMAGE_DIRECTORY_ENTRY_IMPORT ) and IAT Directory (accessed by IMAGE_DIRECTORY_ENTRY_IAT ) both are part of the Optional Header Data Directory. Using the Import Table, the loader dynamically loads and resolves necessary libraries and functions. This is done by iterating through the Import Address Table RVA (Thunk Table) which is part of the Import Table. So, if we use the import directory for import resolution what do we need IAT Directory for ? I've been reading the Microsoft PE specification but couldn't find an answer. Also, there

I'm experimenting with memory access in .NET. At the moment, I have a managed program that starts an unmanaged process and retrieves the BaseAddress of one of its loaded modules (a DLL). What I would like to do is somehow read the PE header of the loaded module so that I can later retrieve the addresses of its exports. Unfortunately, I can't find any good information about this. Any ideas? This is a good starting point for the PE file format. You can P/Invoke ReadProcessMemory from the base address you have to copy the headers into your process. You'll need to parse the memory you read into