PE文件格式偏移参考

岁酱吖の 提交于 2020-08-15 02:42:21

在进行PE文件格式病毒分析的时候,经常要使用到PE文件格式的解析,尤其是对LoadPE形式的病毒的分析,经常要查看PE文件格式的偏移,特地从博客《PE文件格式的偏移参考》中转载收录一份,之前在网上也看到比较不错的有关PE文件偏移的博客,但忘了收录。在进行PE文件格式的病毒分析时,还会经常参考这篇博客《PE文件格式学习笔记》,博主关于PE文件格式的学习笔记写的不错,其他的参考书籍《加密与解密(第3版)》、《黑客免杀攻防》,顺便提一句《黑客免杀攻防》这本书关于PE文件格式的解析比较不错,但是错误也不少,整体来说这本书对于学习PC上的逆向分析和内核攻防还是很不错的。

Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions there are still a lot of useful fixed and relative offsets that will help when disassembling/examining PE files. Resource information and the such like are omitted - there are good tools available to manipulate these e.g. ResHacker.

The DOS Header

 

OFFSET

SIZE

NAME

EXPLANATION

00

WORD

e_magic

Magic DOS signature MZ (4Dh 5Ah)

02

WORD

e_cblp

Bytes on last page of file

04

WORD

e_cp

Pages in file

06

WORD

e_crlc

Relocations

08

WORD

e_cparhdr

Size of header in paragraphs

0A

WORD

e_minalloc

Minimum extra paragraphs needed

0C

WORD

e_maxalloc

Maximum extra paragraphs needed

0E

WORD

e_ss

Initial (relative) SS value

10

WORD

e_sp

Initial SP value

12

WORD

e_csum

Checksum

14

WORD

e_ip

Initial IP value

16

WORD

e_cs

Initial (relative) CS value

18

WORD

e_lfarlc

File address of relocation table

1A

WORD

e_ovno

Overlay number

1C

WORD

e_res[4]

Reserved words

24

WORD

e_oemid

OEM identifier (for e_oeminfo)

26

WORD

e_oeminfo

OEM information; e_oemid specific

28

WORD

e_res2[10]

Reserved words

3C

DWORD

e_lfanew

Offset to start of PE header

 

The PE Header

Offsets shown  are from the beginning of this section.

 

00

DWORD

Signature

PE Signature PE.. (50h 45h 00h 00h)

04

WORD

Machine

014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS

06

WORD

NumberOfSections

Number Of Sections

08

DWORD

TimeDateStamp

Date & time image was created by the linker

0C

DWORD

PointerToSymbolTable

Zero or offset of COFF symbol table in older files

10

DWORD

NumberOfSymbols

Number of symbols in COFF symbol table

14

WORD

SizeOfOptionalHeader

Size of optional header in bytes (224 in 32bit exe)

16

WORD

Characteristics

see below

18

**********

START OF OPTIONAL HEADER

**************************************

18

WORD

Magic

010Bh=32-bit executable image
020Bh=64-bit executable image
0107h=ROM image

1A

BYTE

MajorLinkerVersion

Major version number of the linker

1B

BYTE

MinorLinkerVersion

Minor version number of the linker

1C

DWORD

SizeOfCode

size of code section or sum if multiple code sections

20

DWORD

SizeOfInitializedData

as above

24

DWORD

SizeOfUninitializedData

as above

28

DWORD

AddressOfEntryPoint

Start of code execution, optional for DLLs, zero when none present

2C

DWORD

BaseOfCode

RVA of first byte of code when loaded into RAM

30

DWORD

BaseOfData

RVA of first byte of data when loaded into RAM

34

DWORD

ImageBase

Preferred load address

38

DWORD

SectionAlignment  

Alignment of sections when loaded in RAM

3C

DWORD

FileAlignment  

Alignment of sections in file on disk

40

WORD

MajorOperatingSystemVersion

Major version no. of required operating system

42

WORD

MinorOperatingSystemVersion

Minor version no. of required operating system

44

WORD

MajorImageVersion

Major version number of the image

46

WORD

MinorImageVersion

Minor version number of the image

48

WORD

MajorSubsystemVersion

Major version number of the subsystem

4A

WORD

MinorSubsystemVersion

Minor version number of the subsystem

4C

DWORD

Reserved1

 

50

DWORD

SizeOfImage

Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment

54

DWORD

SizeOfHeaders  

Offset of first section, multiple of FileAlignment

58

DWORD

CheckSum

Image checksum (only required for kernel-mode drivers and some system DLLs).

5C

WORD

Subsystem

0002h=Windows GUI, 0003h=console

5E

WORD

DllCharacteristics

0001h=per-process library initialization
0002h=per-process library termination
0003h=per-thread library initialization
0004h=per-thread library termination


60

DWORD

SizeOfStackReserve

Number of bytes reserved for the stack

64

DWORD

SizeOfStackCommit

Number of bytes actually used for the stack

68

DWORD

SizeOfHeapReserve

Number of bytes to reserve for the local heap

6C

DWORD

SizeOfHeapCommit

Number of bytes actually used for local heap

70

DWORD

LoaderFlags

This member is obsolete.

74

DWORD

NumberOfRvaAndSizes

Number of directory entries.

78

**********

START OF DATA DIRECTORY

**************************************

78

DWORD

IMAGE_DATA_DIRECTORY0 

RVA of Export Directory

7C

DWORD

 

size of Export Directory

80

DWORD

IMAGE_DATA_DIRECTORY1

RVA of Import Directory (array of IIDs)

84

DWORD

 

size of Import Directory (array of IIDs)

88

DWORD

IMAGE_DATA_DIRECTORY2

RVA of Resource Directory

8C

DWORD

 

size of Resource Directory

90

DWORD

IMAGE_DATA_DIRECTORY3

RVA of Exception Directory

94

DWORD

 

size of Exception Directory

98

DWORD

IMAGE_DATA_DIRECTORY4

Raw Offset of Security Directory

9C

DWORD

 

size of Security Directory

A0

DWORD

IMAGE_DATA_DIRECTORY5

RVA of Base Relocation Directory

A4

DWORD

 

size of Base Relocation Directory

A8

DWORD

IMAGE_DATA_DIRECTORY6

RVA of Debug Directory

AC

DWORD

 

size of Debug Directory

B0

DWORD

IMAGE_DATA_DIRECTORY7

RVA of Copyright Note

B4

DWORD

 

size of Copyright Note

B8

DWORD

IMAGE_DATA_DIRECTORY8

RVA to be used as Global Pointer (IA-64 only)

BC

DWORD

 

Not used

C0

DWORD

IMAGE_DATA_DIRECTORY9

RVA of Thread Local Storage Directory

C4

DWORD

 

size of Thread Local Storage Directory

C8

DWORD

IMAGE_DATA_DIRECTORY10

RVA of Load Configuration Directory

CC

DWORD

 

size of Load Configuration Directory

D0

DWORD

IMAGE_DATA_DIRECTORY11

RVA of Bound Import Directory

D4

DWORD

 

size of Bound Import Directory

D8

DWORD

IMAGE_DATA_DIRECTORY12

RVA of first Import Address Table

DC

DWORD

 

total size of all Import Address Tables

E0

DWORD

IMAGE_DATA_DIRECTORY13

RVA of Delay Import Directory

E4

DWORD

 

size of Delay Import Directory

E8

DWORD

IMAGE_DATA_DIRECTORY14

RVA of COM Header (top level info & metadata...

EC

DWORD

 

size of COM Header         ...in .NET executables)

F0

DWORD

ZERO (Reserved)

Reserved

F4

DWORD

ZERO (Reserved)

Reserved

F8

**********

START OF SECTION TABLE

*******Offsets shown from here********

00

8 Bytes

Name1

Name of first section header

08

DWORD

misc (VirtualSize)

Actual size of data in section

0C

DWORD

virtual address

RVA where section begins in memory

10

DWORD

SizeOfRawData 

Size of data on disk (multiple of FileAlignment)

14

DWORD

pointerToRawData 

Raw offset of section on disk

18

DWORD

pointerToRelocations

Start of relocation entries for section, zero if none

1C

DWORD

PointerToLinenumbers

Start of line-no. entries for section, zero if none

20

WORD

NumberOfRelocations

This value is zero for executable images.

22

WORD

NumberOfLineNumbers

Number of line-number entries for section.

24

DWORD

Characteristics

see end of page below

00

8 Bytes

Name1

Name of second section header

 

**********

Repeats for rest of sections

**************************************

The Export Table

Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET

SIZE

NAME

EXPLANATION

00

DWORD

Characteristics

Set to zero (currently none defined)

04

DWORD

TimeDateStamp

often set to zero

08

WORD

MajorVersion

user-defined version number, otherwise zero

0A

WORD

MinorVersion

as above

0C

DWORD

Name

RVA of DLL name in null-terminated ASCII

10

DWORD

Base

First valid exported ordinal, normally=1

14

DWORD

NumberOfFunctions

Number of entries in EAT

18

DWORD

NumberOfNames

Number of entries in ENT

1C

DWORD

AddressOfFunctions

RVA of EAT (export address table)

20

DWORD

AddressOfNames

RVA of ENT (export name table)

24

DWORD

AddressOfNameOrdinals

RVA of EOT (export ordinal table)

The Import Table

Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET

SIZE

NAME

EXPLANATION

00

DWORD

OriginalFirstThunk

RVA to Image_Thunk_Data

04

DWORD

TimeDateStamp

zero unless bound against imported DLL

08

DWORD

ForwarderChain

pointer to 1st redirected function (or 0)

0C

DWORD

Name1

RVA to name in null-terminated ASCII

10

DWORD

FirstThunk

RVA to Image_Thunk_Data

Image Characteristics Flags

 

FLAG

EXPLANATION

0001

Relocation info stripped from file

0002

File is executable (no unresolved external references)

0004

Line numbers stripped from file

0008

Local symbols stripped from file

0010

Lets OS aggressively trim working set

0020

App can handle >2Gb addresses

0080

Low bytes of machine word are reversed

0100

requires 32-bit WORD machine

0200

Debugging info stripped from file into .DBG file

0400

If image is on removable media, copy and run from swap file

0800

If image is on a network, copy and run from swap file

1000

System file

2000

File is a DLL

4000

File should only be run on a single-processor machine

8000

High bytes of machine word are reversed

Section Characteristics Flags

 

FLAG

EXPLANATION

00000008

Section should not be padded to next boundary

00000020

Section contains code

00000040

Section contains initialised data (which will become initialised with real values before the file is launched)

00000080

Section contains uninitialised data (which will be initialised as 00 byte values before launch)

00000200

Section contains comments for the linker

00000800

Section contents will not become part of image

00001000

Section contents comdat (Common Block Data)

00008000

Section contents cannot be accessed relative to GP

00100000 to 00800000

Boundary alignment settings

01000000

Section contains extended relocations

02000000

Section can be discarded (e.g. .reloc)

04000000

Section is not cacheable

08000000

Section is pageable

10000000

Section is shareable

20000000

Section is executable

40000000

Section is readable

80000000

Section is writable

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!