<html>
<head>
<title>Iczelion's PE Tutorial 4: Optional Header</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#003366" text="#FFFFFF" link="#FFFFCC" vlink="#FFCCCC" alink="#CCFFCC">
<h1 align="center"><font face="Arial, Helvetica, sans-serif" color="#FFFFCC">Tutorial
4: Optional Header</font></h1>
<p><font face="MS Sans Serif" size="-1">We have learned about the DOS header and
some members of the PE header. Here's the last, the biggest and probably the
most important member of the PE header, the optional header.</font></p>
<p><font face="MS Sans Serif" size="-1">To refresh your memory, the optional header
is a structure that is the last member of <font color="#CCFFCC"><b>IMAGE_NT_HEADERS</b></font>.
It contains information about the logical layout of the PE file. There are 31
fields in this structure. Some of them are crucial and some are not useful.
I'll explain only those fields that are really useful.</font></p>
<p><font face="MS Sans Serif" size="-1">There is a word that's used frequently
in relation to PE file format: RVA <br>
RVA stands for relative virtual address. You know what virtual address is. RVA
is a daunting term for such a simple concept. Simply put, an RVA is a distance
from a reference point in the virtual address space. I bet you're familiar with
file offset: an RVA is exactly the same thing as file offset. However, it's
relative to a point in virtual address space, not a file. I'll show you an example.
If a PE file loads at 400000h in the virtual address (VA) space and the program
starts execution at the virtual address 401000h, we can say that the program
starts execution at RVA 1000h. An RVA is relative to the starting VA of the
module. <br>
Why does the PE file format use RVAs? It's to help reduce the load on the PE
loader. Since a module can be relocated anywhere in the virtual address space,
it would be hell for the PE loader to fix up every relocatable item in the module.
In contrast, if all relocatable items in the file use RVAs, there is no need
for the PE loader to fix anything: it simply relocates the whole module to a
new starting VA. It's like the concept of relative path and absolute path: an RVA
is akin to a relative path, a VA is like an absolute path.</font></p>
<table border="1" cellspacing="2" cellpadding="2" align="center">
<tr bgcolor="#006666">
<th><b><font face="MS Sans Serif" size="-1">Field</font></b></th>
<th><font face="MS Sans Serif" size="-1">Meanings</font></th>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">AddressOfEntryPoint</font></b></td>
<td><font face="MS Sans Serif" size="-1">It's the RVA of the first instruction
that will be executed when the PE loader is ready to run the PE file. If
you want to divert the flow of execution right from the start, you need
to change the value in this field to a new RVA and the instruction at the
new RVA will be executed first.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">ImageBase</font></b></td>
<td><font face="MS Sans Serif" size="-1">It's the preferred load address for
the PE file. For example, if the value in this field is 400000h, the PE
loader will try to load the file into the virtual address space starting
at 400000h. The word "preferred" means that the PE loader may
not load the file at that address if some other module already occupied
that address range.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">SectionAlignment</font></b></td>
<td><font face="MS Sans Serif" size="-1">The granularity of the alignment
of the sections in memory. For example, if the value in this field is 4096
(1000h), each section must start at multiples of 4096 bytes. If the first
section is at 401000h and its size is 10 bytes, the next section must be
at 402000h even if the address space between 401000h and 402000h will be
mostly unused.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">FileAlignment</font></b></td>
<td><font face="MS Sans Serif" size="-1">The granularity of the alignment
of the sections in the file. For example, if the value in this field is
512 (200h), each section must start at multiples of 512 bytes. If the first
section is at file offset 200h and the size is 10 bytes, the next section
must be located at file offset 400h: the space between file offsets 522
and 1024 is unused/undefined.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">MajorSubsystemVersion<br>
MinorSubsystemVersion </font></b></td>
<td><font face="MS Sans Serif" size="-1">The Win32 subsystem version. If the
PE file is designed for Win32, the subsystem version must be 4.0, otherwise the
dialogs won't have the 3-D look.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">SizeOfImage</font></b></td>
<td><font face="MS Sans Serif" size="-1">The overall size of the PE image
in memory. It's the sum of all headers and sections aligned to SectionAlignment.
</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">SizeOfHeaders</font></b></td>
<td><font face="MS Sans Serif" size="-1">The size of all headers plus the section table.
In short, this value is equal to the file size minus the combined size of
all sections in the file. You can also use this value as the file offset
of the first section in the PE file.</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">Subsystem</font></b></td>
<td><font face="MS Sans Serif" size="-1">Tells which NT subsystem
the PE file is intended for. For most Win32 programs, only two values are used:
Windows GUI and Windows CUI (console).</font></td>
</tr>
<tr>
<td><b><font face="MS Sans Serif" size="-1">DataDirectory</font></b></td>
<td><font face="MS Sans Serif" size="-1">An array of <font color="#CCFFCC"><b>IMAGE_DATA_DIRECTORY
</b></font>structures. Each structure gives the RVA of an important data
structure in the PE file such as the import address table.</font></td>
</tr>
</table>
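<p><font face="MS Sans Serif" size="-1">The following Python script is an added example, not part of the original tutorial: it reads the optional header fields from the table above (plus the data directory array and the section table) from a constructed PE32 image, and then applies the RVA discussion by translating AddressOfEntryPoint into a file offset through the section table. The image bytes are built inline and are not from any real binary; the NumberOfRvaAndSizes cap and the header check are defensive additions.</font></p>

```python
import struct

OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes: 96 bytes
OPT_FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
              "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase SectionAlignment "
              "FileAlignment MajorOperatingSystemVersion MinorOperatingSystemVersion MajorImageVersion "
              "MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue SizeOfImage "
              "SizeOfHeaders CheckSum Subsystem DllCharacteristics SizeOfStackReserve SizeOfStackCommit "
              "SizeOfHeapReserve SizeOfHeapCommit LoaderFlags NumberOfRvaAndSizes").split()
SECT_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (optional header dict, section headers) of a PE32 file; raise on bad signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    nsect, opt_size, opt_off = fh[1], fh[5], e_lfanew + 24
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("not a PE32 optional header")
    opt["DataDirectory"] = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i)  # (RVA, Size) pairs
                            for i in range(min(opt["NumberOfRvaAndSizes"], 16))]  # cap: never trust the count
    sect_off = opt_off + opt_size  # the section table follows the optional header
    sections = [struct.unpack_from(SECT_FMT, data, sect_off + 40 * i) for i in range(nsect)]
    return opt, sections

def rva_to_offset(rva, opt, sections):
    """Map an RVA to a file offset via the section table; None if no section maps it."""
    if rva < opt["SizeOfHeaders"]:
        return rva  # the headers are mapped at the image base unchanged
    for _name, vsize, va, rawsize, rawptr, *_rest in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None

def build_sample():
    """Constructed PE32 image (not a real binary): one .text section, entry point at RVA 1000h."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 40h
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = struct.pack(OPT_FMT, 0x10B, 5, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000,
                      0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000,
                      0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty data directories
    text = struct.pack(SECT_FMT, b".text\0\0\0", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdrs = dos + b"PE\0\0" + file_hdr + opt + text
    return hdrs + bytes(0x200 - len(hdrs)) + b"\xC3" + bytes(0x1FF)  # headers padded to FileAlignment
```

With the sample image, entry RVA 1000h maps to VA 401000h in memory but to file offset 200h, which is exactly the RVA-versus-file-offset distinction the text draws.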
<hr>
<p align="center"><b><font face="MS Sans Serif" size="-1">[<a href="http://win32asm.cjb.net">Iczelion's
Win32 Assembly Homepage</a>]</font></b></p>
<p> </p>
</body>
</html>