IMAGE_NT_HEADERS STRUCT
{
+0h
DWORD
Signature
//
+4h
IMAGE_FILE_HEADER
FileHeader
//
+18h
IMAGE_OPTIONAL_HEADER32 OptionalHeader //
} IMAGE_NT_HEADERS ENDS
Signature 字段:
在一個有效的 PE 文件裏,Signature 字段被設置爲00004550h, ASCII 碼字符是“PE00”。標誌這 PE 文件頭的開始。
“PE00” 字符串是 PE 文件頭的開始,DOS 頭部的 e_lfanew 字段正是指向這裏。
如下圖所示:
IMAGE_FILE_HEADER 結構
typedef struct _IMAGE_FILE_HEADER
{
+04h WORD Machine; // 運行平臺
+06h WORD NumberOfSections; // 文件的區塊數目
+08h DWORD TimeDateStamp; // 文件創建日期和時間
+0Ch DWORD PointerToSymbolTable; // 指向符號表(主要用於調試)
+10h DWORD NumberOfSymbols; // 符號表中符號個數(同上)
+14h WORD SizeOfOptionalHeader; // IMAGE_OPTIONAL_HEADER32 結構大小
+16h WORD Characteristics; // 文件屬性
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
該結構如下圖所示:
下邊,小甲魚童鞋爲大家詳細解釋各個成員的含義和用法:
(1)Machine:可執行文件的目標CPU類型。
Value |
Meaning |
---|
- IMAGE_FILE_MACHINE_I386
- 0x014c
|
x86
|
- IMAGE_FILE_MACHINE_IA64
- 0x0200
|
Intel Itanium
|
- IMAGE_FILE_MACHINE_AMD64
- 0x8664
|
x64
|
(2)NumberOfSection:
區塊的數目。(注:區塊表是緊跟在 IMAGE_NT_HEADERS 後邊的)
(3)TimeDataStamp:
表明文件是何時被創建的。
提示:VC的話可以用_ctime 函數或者 gmtime 函數。
(4)PointerToSymbolTable:
COFF 符號表的文件偏移位置,現在基本沒用了。
(5)NumberOfSymbols:
如果有COFF 符號表,它代表其中的符號數目,COFF符號是一個大小固定的結構,如果想找到COFF 符號表的結束位置,則需要這個變量。
(6)SizeOfOptionalHeader:
緊跟着IMAGE_FILE_HEADER 後邊的數據結構(IMAGE_OPTIONAL_HEADER)的大小。(對於32位PE文件,這個值通常是00E0h;對於64位PE32+文件,這個值是00F0h )。
(7)Characteristics:
文件屬性,有選擇的通過幾個值可以運算得到。( 這些標誌的有效值是定義於 winnt.h 內的 IMAGE_FILE_** 的值,具體含義見下表。普通的EXE文件這個字段的值一般是 0100h,DLL文件這個字段的值一般是 210Eh。)小甲魚溫馨提示:多種屬性可以通過 “或運算” 使得同時擁有!
The characteristics of the image. This member can be one or more of the following values.
Value |
Meaning |
---|
- IMAGE_FILE_RELOCS_STRIPPED
- 0x0001
|
Relocation information was stripped from the
file. The file must be loaded at its preferred
base address. If the base address is not
available, the loader reports an error.
|
- IMAGE_FILE_EXECUTABLE_IMAGE
- 0x0002
|
The file is executable (there are no unresolved
external references).
|
- IMAGE_FILE_LINE_NUMS_STRIPPED
- 0x0004
|
COFF line numbers were stripped from the
file.
|
- IMAGE_FILE_LOCAL_SYMS_STRIPPED
- 0x0008
|
COFF symbol table entries were stripped from
file.
|
- IMAGE_FILE_AGGRESIVE_WS_TRIM
- 0x0010
|
Aggressively trim the working set. This value is
obsolete as of Windows 2000.
|
- IMAGE_FILE_LARGE_ADDRESS_AWARE
- 0x0020
|
The application can handle addresses larger
than 2 GB.
|
- IMAGE_FILE_BYTES_REVERSED_LO
- 0x0080
|
The bytes of the word are reversed. This flag
is obsolete.
|
- IMAGE_FILE_32BIT_MACHINE
- 0x0100
|
The computer supports 32-bit words.
|
- IMAGE_FILE_DEBUG_STRIPPED
- 0x0200
|
Debugging information was removed and stored
separately in another file.
|
- IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
- 0x0400
|
If the image is on removable media, copy it to
and run it from the swap file.
|
- IMAGE_FILE_NET_RUN_FROM_SWAP
- 0x0800
|
If the image is on the network, copy it to and
run it from the swap file.
|
- IMAGE_FILE_SYSTEM
- 0x1000
|
The image is a system file.
|
- IMAGE_FILE_DLL
- 0x2000
|
The image is a DLL file. While it is an executable
file, it cannot be run directly.
|
- IMAGE_FILE_UP_SYSTEM_ONLY
- 0x4000
|
The file should be run only on a uniprocessor
computer.
|
- IMAGE_FILE_BYTES_REVERSED_HI
- 0x8000
|
The bytes of the word are reversed. This flag
is obsolete.
|