Reverse Engineering from Scratch 17: PE Structure 01: Parsing the PE Header by Hand

    The two states of a PE file

    1. On disk

    • Saves disk space
    • Disk alignment vs. memory alignment

    2. In memory

    3. Diagram: the PE file on disk vs. its memory image

    Why a PE file is split into sections

    ……

    Manual parsing of a PE file

    Software analyzed: 飞鸽传书 (FeiGe Chuanshu) http://www.gpxz.com/soft/jiaoxue/wendang/219212.html

    1. DOS header:
    struct _IMAGE_DOS_HEADER {
    0x00 WORD e_magic;       //5A4D
    0x02 WORD e_cblp;        //0090
    0x04 WORD e_cp;          //0003
    0x06 WORD e_crlc;        //0000
    0x08 WORD e_cparhdr;     //0004
    0x0a WORD e_minalloc;    //0000
    0x0c WORD e_maxalloc;    //FFFF
    0x0e WORD e_ss;          //0000
    0x10 WORD e_sp;          //00B8
    0x12 WORD e_csum;        //0000
    0x14 WORD e_ip;          //0000
    0x16 WORD e_cs;          //0000
    0x18 WORD e_lfarlc;      //0040
    0x1a WORD e_ovno;        //0000
    0x1c WORD e_res[4];      //0000 0000 0000 0000
    0x24 WORD e_oemid;       //0000
    0x26 WORD e_oeminfo;     //0000
    0x28 WORD e_res2[10];    //0000 0000 0000 0000 0000 ……
    0x3c DWORD e_lfanew;     //000000E8
    };
    
    2. Standard PE header:
    struct _IMAGE_FILE_HEADER {
    0x00 WORD Machine;                   //014C
    0x02 WORD NumberOfSections;          //0004
    0x04 DWORD TimeDateStamp;            //4198C850
    0x08 DWORD PointerToSymbolTable;     //00000000
    0x0c DWORD NumberOfSymbols;          //00000000
    0x10 WORD SizeOfOptionalHeader;      //00E0
    0x12 WORD Characteristics;           //010F
    };
    3. Optional PE header:
    struct _IMAGE_OPTIONAL_HEADER {
    0x00 WORD Magic;                       //010B
    0x02 BYTE MajorLinkerVersion;          //06
    0x03 BYTE MinorLinkerVersion;          //00
    0x04 DWORD SizeOfCode;                 //0001A000
    0x08 DWORD SizeOfInitializedData;      //0000C000
    0x0c DWORD SizeOfUninitializedData;    //00000000
    0x10 DWORD AddressOfEntryPoint;        //000183D7
    0x14 DWORD BaseOfCode;                 //00001000
    0x18 DWORD BaseOfData;                 //0001B000
    0x1c DWORD ImageBase;                  //00400000
    0x20 DWORD SectionAlignment;           //00001000
    0x24 DWORD FileAlignment;              //00001000
    0x28 WORD MajorOperatingSystemVersion; //0004
    0x2a WORD MinorOperatingSystemVersion; //0000
    0x2c WORD MajorImageVersion;           //0000
    0x2e WORD MinorImageVersion;           //0000
    0x30 WORD MajorSubsystemVersion;       //0004
    0x32 WORD MinorSubsystemVersion;       //0000
    0x34 DWORD Win32VersionValue;          //00000000
    0x38 DWORD SizeOfImage;                //00027000
    0x3c DWORD SizeOfHeaders;              //00001000
    0x40 DWORD CheckSum;                   //00000000
    0x44 WORD Subsystem;                   //0002
    0x46 WORD DllCharacteristics;          //0000
    0x48 DWORD SizeOfStackReserve;         //00100000
    0x4c DWORD SizeOfStackCommit;          //00001000
    0x50 DWORD SizeOfHeapReserve;          //00100000
    0x54 DWORD SizeOfHeapCommit;           //00001000
    0x58 DWORD LoaderFlags;                //00000000
    0x5c DWORD NumberOfRvaAndSizes;        //00000010
    0x60 _IMAGE_DATA_DIRECTORY DataDirectory[16];
    };
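The walk above (e_magic, then e_lfanew at 0x3C, then the "PE\0\0" signature, then the file header and the optional header) is mechanical enough to script. The Python parser below is an added example, not part of the original post: it performs the same hops over a byte buffer, bounds-checking each one and cross-checking the disk/memory alignment fields, and sample_headers() builds a constructed buffer carrying exactly the values listed above rather than the real 飞鸽传书 binary.

```python
import struct

# Field layouts of the headers walked through above (32-bit PE, little-endian).
FILE_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes right after the "PE\0\0" signature
FILE_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 up to DataDirectory
OPT_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
              "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
              "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
              "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage", "SizeOfHeaders",
              "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
              "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
              "NumberOfRvaAndSizes")

def parse_pe_headers(data):
    """DOS header -> e_lfanew -> PE signature -> file header -> optional header.
    Every hop is bounds-checked so a truncated or malformed buffer raises ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":           # e_magic == 0x5A4D
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # DWORD at 0x3C
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_FMT)
    if opt_off > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature inside the buffer")
    fh = dict(zip(FILE_FIELDS, struct.unpack_from(FILE_FMT, data, e_lfanew + 4)))
    if fh["SizeOfOptionalHeader"] < struct.calcsize(OPT_FMT) \
            or opt_off + fh["SizeOfOptionalHeader"] > len(data):
        raise ValueError("optional header truncated")
    oh = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, opt_off)))
    if oh["Magic"] != 0x10B:                              # PE32 only (0x20B is PE32+)
        raise ValueError("not a PE32 optional header")
    fa, sa = oh["FileAlignment"], oh["SectionAlignment"]
    # Disk vs. memory alignment: headers fill whole file-alignment units, and memory alignment is never finer than disk alignment.
    if fa == 0 or oh["SizeOfHeaders"] % fa or sa < fa:
        raise ValueError("inconsistent alignment fields")
    return {"e_lfanew": e_lfanew, "file": fh, "optional": oh}

def sample_headers():
    """Constructed buffer carrying exactly the values listed above (not a real file)."""
    buf = bytearray(0xE8)                  # DOS header plus stub; e_lfanew = 0xE8
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0xE8)
    buf += b"PE\0\0" + struct.pack(FILE_FMT, 0x14C, 4, 0x4198C850, 0, 0, 0xE0, 0x10F)
    buf += struct.pack(OPT_FMT, 0x10B, 6, 0, 0x1A000, 0xC000, 0, 0x183D7, 0x1000, 0x1B000,
                       0x400000, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0, 0x27000, 0x1000, 0,
                       2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 0x10)
    return bytes(buf) + bytes(16 * 8)      # 16 zeroed IMAGE_DATA_DIRECTORY entries
```

Feeding it a real file is just parse_pe_headers(open(path, "rb").read()); the entry point in memory is ImageBase + AddressOfEntryPoint, here 0x004183D7.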
    
Original address: https://www.cnblogs.com/flatcc/p/7507065.html