====== Theory ======

===== Virtual Addressing =====

^ Term ^ Meaning ^
| VA | Virtual Address: absolute address in the process once the image is mapped, VA = ImageBase + RVA |
| RVA | Relative Virtual Address: offset from the start of the loaded image, RVA = VA - ImageBase (the difference of two VAs, VA2 - VA1, where VA1 is the image base) |
| Offset | File (raw, sometimes called "physical") offset: position of the same bytes in the file on disk. It is not equal to the RVA, because sections are placed at SectionAlignment in memory but at FileAlignment in the file. The conversion goes through the section table: Offset = RVA - Section.VirtualAddress + Section.PointerToRawData |

===== PE Files (32 bit) =====

==== IMAGE_DOS_HEADER ====

All fields are little-endian; offsets are from the start of the file. For a PE image the Windows loader only uses ''e_magic'' and ''e_lfanew''; the remaining fields belong to the DOS stub. ''e_lfanew'' is read from the file and must be bounds-checked before it is dereferenced.

^ Offset ^ Type ^ Field ^ Description ^
| +00 | WORD | e_magic | Magic number ''MZ'' (0x5A4D), IMAGE_DOS_SIGNATURE |
| +02 | WORD | e_cblp | Bytes on last page of file |
| +04 | WORD | e_cp | Pages in file |
| +06 | WORD | e_crlc | Relocations |
| +08 | WORD | e_cparhdr | Size of header in paragraphs |
| +0A (10) | WORD | e_minalloc | Minimum extra paragraphs needed |
| +0C (12) | WORD | e_maxalloc | Maximum extra paragraphs needed |
| +0E (14) | WORD | e_ss | Initial (relative) SS value |
| +10 (16) | WORD | e_sp | Initial SP value |
| +12 (18) | WORD | e_csum | Checksum |
| +14 (20) | WORD | e_ip | Initial IP value |
| +16 (22) | WORD | e_cs | Initial (relative) CS value |
| +18 (24) | WORD | e_lfarlc | File address of relocation table |
| +1A (26) | WORD | e_ovno | Overlay number |
| +1C (28) | Array[4] of WORD | e_res | Reserved words |
| +24 (36) | WORD | e_oemid | OEM identifier (for e_oeminfo) |
| +26 (38) | WORD | e_oeminfo | OEM information; e_oemid specific |
| +28 (40) | Array[10] of WORD | e_res2 | Reserved words |
| +3C (60) | DWORD | e_lfanew | File offset of the new (PE) header, i.e. of IMAGE_NT_HEADERS |

==== IMAGE_NT_HEADERS ====

<code c>
typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;       // 'PE\0\0' = 0x00004550 (IMAGE_NT_SIGNATURE)
    IMAGE_FILE_HEADER     FileHeader;
    IMAGE_OPTIONAL_HEADER OptionalHeader;  // not optional for images, despite the name :-)
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;   // 0xE0 for PE32, 0xF0 for PE32+
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
</code>

Offsets below are relative to the start of IMAGE_NT_HEADERS (the position ''e_lfanew'' points to). 0x00 to 0x17 are the Signature and IMAGE_FILE_HEADER; from 0x18 on is IMAGE_OPTIONAL_HEADER in its PE32 layout. In PE32+ the BaseOfData field disappears and ImageBase and the stack/heap sizes become 64-bit, so offsets after 0x30 differ.

^ Offset ^ Type ^ Field ^ Description ^
| 0x00 | DWORD | Signature | PE signature ''PE\0\0'' (0x00004550) |
| 0x04 | WORD | Machine | Target architecture, e.g. 0x14C = i386, 0x8664 = x64. For a list of values, see the Machine Types section |
| 0x06 | WORD | NumberOfSections | Number of entries in the section table that follows the optional header |
| 0x08 | DWORD | TimeDateStamp | The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created |
| 0x0C | DWORD | PointerToSymbolTable | The file offset of the COFF symbol table, or zero if no COFF symbol table is present. This value should be zero for an image because COFF debugging information is deprecated |
| 0x10 | DWORD | NumberOfSymbols | The number of entries in the symbol table. This data can be used to locate the string table, which immediately follows the symbol table. This value should be zero for an image because COFF debugging information is deprecated |
| 0x14 | WORD | SizeOfOptionalHeader | The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file |
| 0x16 | WORD | Characteristics | The flags that indicate the attributes of the file (EXE vs. DLL, 32-bit, relocations stripped, ...). For a list of values, refer to the Image Characteristics section |
| 0x18 | WORD | Magic | The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which identifies it as a normal executable file (PE32). 0x107 identifies it as a ROM image, and 0x20B identifies it as a PE32+ executable |
| 0x1A | BYTE | MajorLinkerVersion | The linker major version number |
| 0x1B | BYTE | MinorLinkerVersion | The linker minor version number |
| 0x1C | DWORD | SizeOfCode | The size of the code (text) section, or the sum of all code sections if there are multiple sections |
| 0x20 | DWORD | SizeOfInitializedData | The size of the initialized data section, or the sum of all such sections if there are multiple data sections |
| 0x24 | DWORD | SizeOfUninitializedData | The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections |
| 0x28 | DWORD | AddressOfEntryPoint | The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero |
| 0x2C | DWORD | BaseOfCode | The address that is relative to the image base of the beginning-of-code section when it is loaded into memory |
| 0x30 | DWORD | BaseOfData | This field does not appear in PE32+. The address that is relative to the image base of the beginning-of-data section when it is loaded into memory |
| 0x34 | DWORD | ImageBase | The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000 |
| 0x38 | DWORD | SectionAlignment | The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture |
| 0x3C | DWORD | FileAlignment | The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture's page size, then FileAlignment must match SectionAlignment |
| 0x40 | WORD | MajorOperatingSystemVersion | The major version number of the required operating system |
| 0x42 | WORD | MinorOperatingSystemVersion | The minor version number of the required operating system |
| 0x44 | WORD | MajorImageVersion | The major version number of the image |
| 0x46 | WORD | MinorImageVersion | The minor version number of the image |
| 0x48 | WORD | MajorSubsystemVersion | The major version number of the subsystem |
| 0x4A | WORD | MinorSubsystemVersion | The minor version number of the subsystem |
| 0x4C | DWORD | Win32VersionValue | Reserved, must be zero |
| 0x50 | DWORD | SizeOfImage | The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment |
| 0x54 | DWORD | SizeOfHeaders | The combined size of the MS-DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment |
| 0x58 | DWORD | CheckSum | The image file checksum. The algorithm for computing the checksum is incorporated into IMAGEHLP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process |
| 0x5C | WORD | Subsystem | The subsystem that is required to run this image (e.g. 2 = Windows GUI, 3 = Windows CUI). For a list of values, refer to the Windows Subsystem section |
| 0x5E | WORD | DllCharacteristics | Flags such as DYNAMIC_BASE (ASLR), NX_COMPAT (DEP), GUARD_CF. For a list of values, refer to the DLL Characteristics section |
| 0x60 | DWORD | SizeOfStackReserve | The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached |
| 0x64 | DWORD | SizeOfStackCommit | The size of the stack to commit |
| 0x68 | DWORD | SizeOfHeapReserve | The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached |
| 0x6C | DWORD | SizeOfHeapCommit | The size of the local heap space to commit |
| 0x70 | DWORD | LoaderFlags | Reserved, must be zero |
| 0x74 | DWORD | NumberOfRvaAndSizes | The number of data-directory entries in the remainder of the optional header. Each describes a location and size |

The fields that matter most in practice:

  * Magic -> 0x10B = PE32 (32 bit), 0x20B = PE32+ (64 bit)
  * AddressOfEntryPoint -> RVA of the entry point (EP), i.e. the location of the first instruction executed in the image
  * BaseOfCode, BaseOfData -> RVAs of the code and data sections
  * ImageBase -> preferred VA of the PE file in memory (default 0x00400000 for .exe, 0x10000000 for DLLs). With ASLR (DllCharacteristics DYNAMIC_BASE) the actual base differs; absolute VAs are then fixed up via the relocation table, RVAs stay valid
  * SectionAlignment, FileAlignment -> alignment of sections in memory and in the file respectively; because they differ, RVA and file offset of the same byte differ
  * SizeOfImage -> size of the mapped PE file at runtime, must be a multiple of SectionAlignment

==== DataDirectory ====

The optional header ends with an array of data directories:

<code c>
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   // RVA of the table (exception: the Certificate Table entry holds a file offset)
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
</code>

  * By default NumberOfRvaAndSizes = 16 entries follow directly after the fields above. Each gives the RVA and size of a specific data structure inside the loaded PE image. A parser should cap the count at 16 and at what fits in SizeOfOptionalHeader, as the loader does, instead of trusting the field.
  * Examples: Export Table (index 0, exported functions), Import Table (index 1, imported functions), Resource Table (index 2, embedded resources), Import Address Table (index 12, IAT, filled by the loader with the runtime addresses of imported functions).
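The header walk and the VA / RVA / file-offset arithmetic from the tables above, as an added example that is not part of the original page. It is plain Python with ''struct''; the format strings follow the winnt.h layout of IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the PE32 IMAGE_OPTIONAL_HEADER, IMAGE_DATA_DIRECTORY and IMAGE_SECTION_HEADER. The two-section image it parses is constructed in memory (no real binary is read), and the function names ''build_sample_pe32'', ''parse_pe32'', ''rva_to_offset'', ''va_to_rva'' and ''is_valid_pe32'' are this example's own. Every offset and count taken from the file is treated as untrusted and bounds-checked, and the sample .data section has a VirtualSize larger than its raw data so that the "exists in memory but not on disk" case is exercised.

```python
"""PE32 header walk and RVA/VA/file-offset conversion (added example, constructed input)."""
import struct

DOS_MAGIC = 0x5A4D           # e_magic 'MZ'
PE_SIGNATURE = 0x00004550    # 'PE\0\0' read as a little-endian DWORD
PE32_MAGIC = 0x10B           # IMAGE_NT_OPTIONAL_HDR32_MAGIC
MAX_DATA_DIRECTORIES = 16    # the loader never reads more than 16 entries

FILE_HEADER = "<HHIIIHH"                           # IMAGE_FILE_HEADER, 20 bytes
OPT_HEADER32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 optional header up to NumberOfRvaAndSizes, 96 bytes
DATA_DIR = "<II"                                   # IMAGE_DATA_DIRECTORY: VirtualAddress, Size
SECTION_HEADER = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe32(e_lfanew: int = 0x40, number_of_rva_and_sizes: int = 16) -> bytes:
    """Constructed two-section PE32 (headers, .text, .data); the parameters let tests inject bad values."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0x00, DOS_MAGIC)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack(FILE_HEADER, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, EXE, 32-bit
    opt = struct.pack(
        OPT_HEADER32,
        PE32_MAGIC, 14, 0,                   # Magic, Major/MinorLinkerVersion
        0x200, 0x200, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1010, 0x1000, 0x2000,              # AddressOfEntryPoint, BaseOfCode, BaseOfData (RVAs)
        0x00400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                    # OS, image and subsystem versions
        0, 0x3000, 0x200, 0,                 # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0x8140,                           # Subsystem CUI; DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, number_of_rva_and_sizes)          # LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(MAX_DATA_DIRECTORIES * 8)
    struct.pack_into(DATA_DIR, dirs, 1 * 8, 0x2000, 0x28)   # [1]  Import Table
    struct.pack_into(DATA_DIR, dirs, 12 * 8, 0x2040, 0x10)  # [12] Import Address Table
    # .data: VirtualSize 0x300 but only 0x200 raw bytes, the last 0x100 are zero-filled by the loader
    text = struct.pack(SECTION_HEADER, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HEADER, b".data", 0x300, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + struct.pack("<I", PE_SIGNATURE) + file_hdr + opt + bytes(dirs) + text + data
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200 + b"\0" * 0x200  # pad to FileAlignment


def parse_pe32(data: bytes) -> dict:
    """Parse the headers; every offset and count read from the file is untrusted and bounds-checked."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER)
    if opt_off > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature inside the file")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    if opt_size < struct.calcsize(OPT_HEADER32) or opt_off + opt_size > len(data):
        raise ValueError("SizeOfOptionalHeader out of range")
    opt = struct.unpack_from(OPT_HEADER32, data, opt_off)
    if opt[0] != PE32_MAGIC:
        raise ValueError(f"Magic {opt[0]:#x}: only PE32 (0x10B) is handled here, not PE32+ (0x20B)")
    sect_align, file_align, size_of_image = opt[10], opt[11], opt[19]
    if not sect_align or sect_align < file_align or size_of_image % sect_align:
        raise ValueError("SectionAlignment / FileAlignment / SizeOfImage inconsistent")
    # Cap the count like the loader does, so a huge NumberOfRvaAndSizes cannot run past the header
    ndirs = min(opt[29], MAX_DATA_DIRECTORIES, (opt_size - struct.calcsize(OPT_HEADER32)) // 8)
    dirs_off = opt_off + struct.calcsize(OPT_HEADER32)
    dirs = [struct.unpack_from(DATA_DIR, data, dirs_off + 8 * i) for i in range(ndirs)]
    sections, sh_size = [], struct.calcsize(SECTION_HEADER)
    for i in range(nsections):                      # section table starts right after the optional header
        off = opt_off + opt_size + i * sh_size
        if off + sh_size > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(SECTION_HEADER, data, off)
        if rawptr + rawsize > len(data):
            raise ValueError(f"section {i} raw data out of range")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": schars})
    return {"machine": machine, "characteristics": chars, "entry_point": opt[6], "base_of_code": opt[7],
            "base_of_data": opt[8], "image_base": opt[9], "section_alignment": sect_align,
            "file_alignment": file_align, "size_of_image": size_of_image, "size_of_headers": opt[20],
            "subsystem": opt[22], "dll_characteristics": opt[23], "data_directories": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> "int | None":
    """RVA -> file offset through the section table; None if those bytes exist only in memory."""
    if rva < pe["size_of_headers"]:
        return rva                                   # headers are mapped 1:1 at ImageBase
    for s in pe["sections"]:
        vsize = s["virtual_size"] or s["raw_size"]   # some linkers leave VirtualSize at 0
        if s["virtual_address"] <= rva < s["virtual_address"] + vsize:
            delta = rva - s["virtual_address"]
            # inside VirtualSize but past the raw data: zero-filled at load time, nothing on disk
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None                                      # not inside any section


def va_to_rva(pe: dict, va: int) -> int:
    """VA -> RVA using the preferred ImageBase; under ASLR substitute the actual load address."""
    if not pe["image_base"] <= va < pe["image_base"] + pe["size_of_image"]:
        raise ValueError(f"VA {va:#x} is outside the image")
    return va - pe["image_base"]


def is_valid_pe32(data: bytes) -> bool:
    """True if parse_pe32 accepts the file, False on any header inconsistency."""
    try:
        parse_pe32(data)
        return True
    except (ValueError, struct.error):
        return False
```

Running ''parse_pe32(build_sample_pe32())'' and then ''rva_to_offset(pe, pe["entry_point"])'' maps the entry point RVA 0x1010 (VA 0x401010) to file offset 0x210, i.e. 0x10 bytes into the raw .text data at 0x200, while RVA 0x2250 returns None because it lies in the zero-filled tail of .data. The two malformed variants, an ''e_lfanew'' past the end of the file and a NumberOfRvaAndSizes of 0xFFFFFFFF, are rejected and capped respectively; both are the kind of header values a fuzzer or a packed sample will hand a naive parser.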