Theory

Virtual Addressing

VA	Virtual Address
RVA	Relative Virtual Adress VA2-VA1
Offset	Difference Virtual - Physcial Address (?)

PE Files (32 bit)

IMAGE_DOS_HEADER
+00        WORD e_magic Magic Number MZ ($5A4D)     IMAGE_DOS_SIGNATURE
+02        WORD e_cblp Bytes on last page of file
+04        WORD e_cp Pages in file
+06 	   WORD 	e_crlc 	Relocations
+08 	   WORD 	e_cparhdr 	Size of header in paragraphs
+0A  (10)  WORD 	e_minalloc 	Minimum extra paragraphs needed
+0C  (12)  WORD 	e_maxalloc 	Maximum extra paragraphs needed
+0E  (14)  WORD 	e_ss 	Initial (relative) SS value
+10  (16)  WORD 	e_sp 	Initial SP value
+12  (18)  WORD 	e_csum 	Checksum
+14  (20)  WORD 	e_ip 	Initial IP value
+16  (22)  WORD 	e_cs 	Initial (relative) CS value
+18  (24)  WORD 	e_lfarlc 	File address of relocation table
+1A  (26)  WORD 	e_ovno 	Overlay number
+1C  (28)  Array[4] of WORD 	e_res 	Reserved words
+24  (36)  WORD 	e_oemid 	OEM identifier (for e_oeminfo)
+26  (28)  WORD 	e_oeminfo 	OEM information; e_oemid specific
+28  (40)  Array[10] of WORD 	e_res2 	Reserved words
+3C  (60)  DWORD 	e_lfanew 	File address of new exe header   IMAGE_NT_HEADERS

typedef struct _IMAGE_NT_HEADERS {
  DWORD                 Signature;
  IMAGE_FILE_HEADER     FileHeader;
  IMAGE_OPTIONAL_HEADER OptionalHEader;  //Not Optional :-)
} IMAGE_NT_HEADERS, *PIAMGE_NT_HEADERS;

typedef struct _IMAGE_FILE_HEADER {
  WORD  Machine;
  WORD  NumberOfSections;
  DWORD TimeDateStamp;
  DWORD PointerToSymbolTable;
  DWORD NumberOfSymbols;
  WORD  SizeOfOptionalHeader;  //E0h
  WORd  Characteristics;
} IMAGE_FILE_HEADER, *PINMAGE_FILE_HEADER;

PE File Header (0x10)

PE Optional Header (0x18)

0x18	WORD	Magic	The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which identifies it as a normal executable file (PE32). 0x107 identifies it as a ROM image, and 0x20B identifies it as a PE32+ executable.
0x1A	BYTE	MajorLinkerVersion	The linker major version number.
0x1B	BYTE	MinorLinkerVersion	The linker minor version number.
0x1C	DWORD	SizeOfCode	The size of the code (text) section, or the sum of all code sections if there are multiple sections.
0x20	DWORD	SizeOfInitializedData	The size of the initialized data section, or the sum of all such sections if there are multiple data sections.
0x24	DWORD	SizeOfUninitializedData	The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections.
0x28	DWORD	AddressOfEntryPoint	The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero.
0x2C	DWORD	BaseOfCode	The address that is relative to the image base of the beginning-of-code section when it is loaded into memory.
0x30	DWORD	BaseOfData	This field does not appear in PE32+. The address that is relative to the image base of the beginning-of-data section when it is loaded into memory.
0x34	DWORD	ImageBase	The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
0x38	DWORD	SectionAlignment	The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture.
0x3C	DWORD	FileAlignment	The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture's page size, then FileAlignment must match SectionAlignment.
0x40	WORD	MajorOperatingSystemVersion	The major version number of the required operating system.
0x42	WORD	MinorOperatingSystemVersion	The minor version number of the required operating system.
0x44	WORD	MajorImageVersion	The major version number of the image.
0x46	WORD	MinorImageVersion	The minor version number of the image.
0x48	WORD	MajorSubsystemVersion	The major version number of the subsystem.
0x4A	WORD	MinorSubsystemVersion	The minor version number of the subsystem.
0x4C	DWORD	Win32VersionValue	Reserved, must be zero.
0x50	DWORD	SizeOfImage	The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment.
0x54	DWORD	SizeOfHeaders	The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment.
0x58	DWORD	CheckSum	The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.
0x5C	WORD	Subsystem	The subsystem that is required to run this image. For list of values, refer to the Windows Subsystem section.
0x5E	WORD	DllCharacteristics	For list of values, refer to the DLL Characteristics section.
0x60	DWORD	SizeOfStackReserve	The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached.
0x64	DWORD	SizeOfStackCommit	The size of the stack to commit.
0x68	DWORD	SizeOfHeapReserve	The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached.
0x6C	DWORD	SizeOfHeapCommit	The size of the local heap space to commit.
0x70	DWORD	LoaderFlags	Reserved, must be zero.
0x74	DWORD	NumberOfRvaAndSizes	The number of data-directory entries in the remainder of the optional header. Each describes a location and size.

Magic -> 32 or 64
AddressOfEntryPoints -> RVA of Entry Point (EP) ~ location of first instruction
BaseOfCode, BaseOfData -> Code and Data Sections
ImageBase -> Preferred VA for PE file in memory (default: 0x00400000 for .exe, 0x10000000 for DLLs)
SectionAlignment, FileAlignment -> Alignment in memory
SizeOfImage -> MemorySize of PE file at runtime, must be multiple of SectionAlignment

DataDirectory Array:

typedef struct _IMAGE_DATA_DIRECTORY {
  DWORD VirtualAddress;
  DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
 
* 16 Data Directory Structures per default htat point to RVA and size of specific data inside PE image on runtime.
* Example: ExportTableAddress (exported functions), ImportTableAddress (imported functions), ResourceTable (embedded resources), ImportAddressTable (IAT, runtime addresses of imported functions)

0x00	DWORD	Signature	PE Magic Value
0x04	WORD	Machine	For a list of values, see machine types section
0x06	WORD	NumberOfSections	Number Of Sections
0x08	DWORD	TimeDateStamp	The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created.
0x0C	DWORD	PointerToSymbolTable	The file offset of the COFF symbol table, or zero if no COFF symbol table is present. This value should be zero for an image because COFF debugging information is deprecated.
0x10	DWORD	NumberOfSymbols	The number of entries in the symbol table. This data can be used to locate the string table, which immediately follows the symbol table. This value should be zero for an image because COFF debugging information is deprecated.
0x14	WORD	SizeOfOptionalHeader	The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file.
0x16	WORD	Characteristics	The flags that indicate the attributes of the file. For list of values, refer to the Image Characteristics section.