Presenting the PE Header
Dejan Lukan May 08, 2013
Let’s present the whole PE file structure with the picture below (taken from [5]):
At the beginning there’s a DOS header, which is an MS-DOS compatible executable that always consists of exactly 100 bytes and outputs an error message such as “This program cannot be run in DOS mode.” The error message is displayed if we try to run the program on a DOS system. Because the executable must display that text message, there’s a 16-bit DOS program included in the DOS header that actually does just that.
Then there’s a PE File Header, which is the structure IMAGE_FILE_HEADER and has the following members:
All of the above members and also all the other members of the PE header can be found by using the RVA, which is a relative virtual address. This is useful, because we don’t actually have to know the exact address of that member in memory, but only the offset within the current executable/library.
Let’s now take a look at the optional header, which contains the following elements:
We didn’t actually specify all the additional data directories that hold the data. They are all specified inside the winnt.h header file and are presented in the picture below:
After that, there are also various sections like .data and .text that are an important part of the executable, because they hold the data of the program and the instructions that will be executed once the executable is loaded into memory. There are also a lot of other structures, but we will not look at them in this article.
Conclusion
We’ve looked at the various fields of the PE file header. At the end, we determined that data directories are an important part of the executable/library, because they contain useful information like RVA addresses of imported/exported functions, resources, debugging information, etc… After the data directories there are also different sections that comprise the executable: the .idata, .data, .text and other sections. The .data section holds the executable data, while the .text section holds the executable instructions that will be executed when the executable is loaded in memory and started.
source:
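
An added example, not part of the original article: a small Python parser that walks the structures described above (DOS header, PE signature, IMAGE_FILE_HEADER, optional header data directories, section table) and resolves an RVA to a file offset. The function names and the sample header bytes are constructed for this illustration.

```python
import struct

def parse_pe(data):
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dd = opt + (96 if magic == 0x10B else 112)            # start of the data directories
    (count,) = struct.unpack_from("<I", data, dd - 4)     # NumberOfRvaAndSizes
    count = min(count, 16, (opt + opt_size - dd) // 8)    # do not trust the declared count
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(count)]
    sections = []
    for i in range(nsec):                                 # section headers are 40 bytes each
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rptr, rsize))
    return {"machine": machine, "dirs": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table; None if not backed by file data."""
    for _name, va, vsize, rptr, rsize in pe["sections"]:
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va) if rva - va < rsize else None
    return None

def build_sample():
    """Constructed PE32 header bytes (headers only, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64  # e_lfanew -> 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = struct.pack("<II", 0, 0) + struct.pack("<II", 0x1010, 40) + b"\0" * (8 * 14)
    text = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x400) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + opt_hdr + dirs + text

if __name__ == "__main__":
    pe = parse_pe(build_sample())
    imp_rva, imp_size = pe["dirs"][1]                     # index 1 = import directory
    print(pe["sections"], hex(imp_rva), hex(rva_to_offset(pe, imp_rva)))
```

A truncated or malformed file makes `struct.unpack_from` raise `struct.error`, so callers handling untrusted samples should catch that alongside `ValueError`.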