The PE - Header ^^^^^^^^^^^^^^^ by Renegade The portable executable file format begins with the DOS header: ----------- | DOS Header| __________-----------_____________________ |dw e_magic: the magic number; 0x05A4 = MZ | |------------------------------------------| |dw e_cblp: bytes of last page | |------------------------------------------| |dw e_cp: number of pages | |------------------------------------------| |dw e_crlc: reloc. | |------------------------------------------| |dw e_cparhdr: header-size | |------------------------------------------| |dw e_minalloc: min. of alloc. paragraphs | |------------------------------------------| |dw e_maxalloc: max. of alloc. paragraphs | |------------------------------------------| |dw e_ss: SS value | |------------------------------------------| |dw e_sp: SP value | |------------------------------------------| |dw e_csum: checksum | |------------------------------------------| |dw e_ip: IP value | |------------------------------------------| |dw e_cs: CS value | |------------------------------------------| |dw e_lfarlc: address of reloc. table | |------------------------------------------| |dw e_ovno: overlays | |------------------------------------------| |dw e_oemid: OEM - Identifier | |------------------------------------------| |dw e_oeminfo: OEM Info | |------------------------------------------| |dd e_lfanew: address of NE | |------------------------------------------| dd e_lfanew: This RVA points also to the PE Header ________ |DOS Stub| -------- The stub contains informations about the OS where the program must be run, eg " This program must be run under Microsoft Windows" or something like that. The actual PE-Header ^^^^^^^^^^^^^^^^^^^^ |--------------------------|-----------------------|--------------------| | Signature | CPU | Sections | |--------------------------|-----------------------|--------------------| | Time / Date Stamp | Pointer to symbol table | |--------------------------|-----------------------|--------------------| | Symbols | NT Header size | Flags | |---------|----------------|-----------------------|--------------------| | LMAJOR | LMINOR | Size of code | |---------|----------------|--------------------------------------------| | Initalized data | Uninitalized data | |--------------------------|--------------------------------------------| | Entrypoint RVA | Base of code | |--------------------------|--------------------------------------------| | Base of data | Image base | |--------------------------|--------------------------------------------| | Section alignment | File alignment | |-----------|--------------|-----------------------|--------------------| | OS MAJOR | OS MINOR | User MAJOR | User MINOR | |-----------|-|------------|-----------------------|--------------------| | Subsys MAJ. | Subsys MIN.| Version | |-------------|------------|--------------------------------------------| | Image size | Header size | |--------------------------|---------------------|----------------------| | Checksum | Subsystem | DLL Flags | |--------------------------|---------------------|----------------------| | Stack reserve size | Stack commit size | |--------------------------|--------------------------------------------| | Heap reserve size | Heap commit size | |--------------------------|--------------------------------------------| | Loader Flags | # interesting RVA / Sizes | |--------------------------|--------------------------------------------| | Export table RVA | Total export data size | |--------------------------|--------------------------------------------| | Import table RVA | Total import data size | |--------------------------|--------------------------------------------| | Resource table RVA | Total resource data size | |--------------------------|--------------------------------------------| | Exception table RVA | Total exception data size | |--------------------------|--------------------------------------------| | Security table RVA | Total security data size | |--------------------------|--------------------------------------------| | Fixup table RVA | Total fixup data size | |--------------------------|--------------------------------------------| | Debug table RVA | Total debug directories | |--------------------------|--------------------------------------------| | Image description RVA | Total description size | |--------------------------|--------------------------------------------| | Machine specific RVA | Machine specific size | |--------------------------|--------------------------------------------| | Thread local storage RVA | Total TLS size | |--------------------------|--------------------------------------------| | Loader configuration RVA | Loader data size | |--------------------------|--------------------------------------------| | Bounded imports table | Bounded imports data size | |--------------------------|--------------------------------------------| | Import addresses table | Total IAT size | |-----------------------------------------------------------------------| Signature: 0454E = NE 04550 = PE ^^^^^^^^^ CPU: ^^^ 0000 = unknown 014c = 386 014d = 486 014e = 586 Sections: Number of sections in the section table ^^^^^^^^ Time / Date stamp: All infos about creation/modification of the file ^^^^^^^^^^^^^^^^^ NT Header size: bytes remaining in the NT header ^^^^^^^^^^^^^^ Flags: 0000 = image of program ^^^^^ 0002 = image is executable 0200 = fixed image 2000 = lib. image LMAJOR/LMINOR: LinkerMajor/LinkerMinor version ^^^^^^^^^^^^^ Entrypoint RVA: Starting address for program images ^^^^^^^^^^^^^^ Image base: Virtual address of the first byte of a file ^^^^^^^^^^ Section alignment: default is 64K ^^^^^^^^^^^^^^^^^ File alignment: Value between 515 and 64K ^^^^^^^^^^^^^^ OS MAJOR/OS MINOR: required version of OS to run the program ^^^^^^^^^^^^^^^^^ User MAJOR/User MINOR: values for images / dll's set by user ^^^^^^^^^^^^^^^^^^^^^ Image size: Virtual size of the image ^^^^^^^^^^ Header size: Total header size ^^^^^^^^^^^ Checksum: Complete file checksum ^^^^^^^^ Subsystem: required NT subsystem to run program ^^^^^^^^^ 0000 = unknown 0001 = native 0002 = Win GUI 0003 = Win Char. 0005 = OS/2 0007 = Posix DLL Flags: Loader requirements ^^^^^^^^^ 0001 = process lib. init. 0002 = process lib. term. 0004 = thread lib. init. 0008 = thread lib. term. Stack reserve size: stack needed for program ^^^^^^^^^^^^^^^^^^ Stack commit size: committed size of stack ^^^^^^^^^^^^^^^^^ Heap reserve size: size of heap to reserve ^^^^^^^^^^^^^^^^^ Heap commit size: size to commit in heap ^^^^^^^^^^^^^^^^ Interesting RVA/Size: size of RVA array ^^^^^^^^^^^^^^^^^^^^ Export table RVA: RVA of export table ^^^^^^^^^^^^^^^^ Import table RVA: RVA of import table ^^^^^^^^^^^^^^^^ -------- | etc... | -------- After that we have the Section header with all the sections like .text,.data and so on. short summary: ----------------- | PhysicalAddress | | VirtualSize | | SizeofRawData | | PointertoR.Data | | Pointertoreloc. | | Pointertolinenum| | Numberofrelocs | | Numberoflinenum | | Characteristics | ----------------- -------------------------------------------------------------------------- NB: Between the last section header,sections itself and the beginning of | data there is some unused space because of the alignment.This space | can be used for saving code and data, things we use for our virii. | _________________________________________________________________________ | Image base and RVA ^^^^^^^^^^^^^^^^^^ The imagebase is the linear address on which the loader will map the exe image or load a dll, which changes from exe to exe.Nevertheless the absolute address of the image base of a exe is 0x400000, because the loader is not always able to load the image of the preferred image base.That's why the relative virtual addresses of the absolute addresses were introduced. So if you want to get a dw at the RVA, let's say 4444, you have to add the image base and you'll get the virtual address: VA = RVA + IB 0x404444 = 4444 + 400000 RAW OFS = (VA - Image base - SVirtual Address ) + PointertoRawdata 0834 404444 - 400000 - 01000 + 0600