1 IMAGE_DOS_HEADER STRUCT 2 { 3 +0h WORD e_magic // Magic DOS signature MZ(4Dh 5Ah) DOS可执行文件标记 4 +2h WORD e_cblp // Bytes on last page of file 5 +4h WORD e_cp // Pages in file 6 +6h WORD e_crlc // Relocations 7 +8h WORD e_cparhdr // Size of header in paragraphs 8 +0ah WORD e_minalloc // Minimun extra paragraphs needs 9 +0ch WORD e_maxalloc // Maximun extra paragraphs needs 10 +0eh WORD e_ss // intial(relative)SS value DOS代码的初始化堆栈SS 11 +10h WORD e_sp // intial SP value DOS代码的初始化堆栈指针SP 12 +12h WORD e_csum // Checksum 13 +14h WORD e_ip // intial IP value DOS代码的初始化指令入口[指针IP] 14 +16h WORD e_cs // intial(relative)CS value DOS代码的初始堆栈入口 15 +18h WORD e_lfarlc // File Address of relocation table 16 +1ah WORD e_ovno // Overlay number 17 +1ch WORD e_res[4] // Reserved words 18 +24h WORD e_oemid // OEM identifier(for e_oeminfo) 19 +26h WORD e_oeminfo // OEM information;e_oemid specific 20 +29h WORD e_res2[10] // Reserved words 21 +3ch DWORD e_lfanew // Offset to start of PE header 指向PE文件头 22 } IMAGE_DOS_HEADER ENDS 23 24 25 26 e_magic:一个WORD类型,值是一个常数0x4D5A,用文本编辑器查看该值位‘MZ’,可执行文件必须都是'MZ'开头。 27 e_lfanew:为32位可执行文件扩展的域,用来表示DOS头之后的NT头相对文件起始地址的偏移。