Last time we went through the first ten fields of IMAGE_OPTIONAL_HEADER; this time we continue with the rest.
The eleventh field, SectionAlignment, is the section alignment granularity. This value must be greater than or equal to the file alignment granularity.
The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the FileAlignment member.
The default value is the page size for the system.
It turns out to be 4096 bytes, that is, 4 KB.
The twelfth field is FileAlignment, the file alignment granularity.
The alignment of the raw data of sections in the image file, in bytes. The value should be a power of 2 between 512 and 64K (inclusive). The default is 512. If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment.
This value should be a multiple of 512 bytes.
The thirteenth field is MajorOperatingSystemVersion, the major version number of the required operating system.
The major version number of the required operating system.
The fourteenth field is MinorOperatingSystemVersion, the minor version number of the required operating system.
The minor version number of the required operating system.
The fifteenth field is MajorImageVersion.
The major version number of the image.
The sixteenth field is MinorImageVersion.
The minor version number of the image.
The seventeenth field is MajorSubsystemVersion.
The major version number of the subsystem.
The eighteenth field is MinorSubsystemVersion.
The minor version number of the subsystem.
The nineteenth field is Win32VersionValue, a reserved value that must be zero.
This member is reserved and must be 0.
The twentieth field is SizeOfImage, 4 bytes: the amount of memory (in bytes) the program occupies once it has been loaded, which comes out to the combined length of all the sections.
The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
0x2B000 = ?
Well, after two or three days I finally figured this value out. During the experiment, to be safe, I had copied a duplicate of the file into the current folder, and a binary compare showed that the two files have different SizeOfImage values, which is why I went around in circles.
Since I had been looking at the wrong file anyway, I will keep using this one as the example; the other parts are all the same, so I will not change them.
0x25000 + 0x5188 = 0x2A188. Now account for memory alignment: divide this value by the alignment granularity 0x1000 and see whether it divides evenly.
It does not, so the value has to be rounded up a little, and SizeOfImage becomes 0x2B000.
The twenty-first field is SizeOfHeaders, 4 bytes: the size of all the headers plus the section table.
The combined size of the following items, rounded to a multiple of the value specified in the FileAlignment member.
- 4 byte signature
- size of IMAGE_FILE_HEADER
- size of optional header
- size of all section headers
Here that is 0x1000.
The twenty-second field is CheckSum, 4 bytes.
The image file checksum. The following files are validated at load time: all drivers, any DLL loaded at boot time, and any DLL loaded into a critical system process.
The twenty-third field is Subsystem, 2 bytes: the subsystem required to run the file.
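The two rounding rules the post has just worked through (SizeOfImage rounded up to SectionAlignment, SizeOfHeaders rounded up to FileAlignment) written up as loader-style consistency checks. This is an added example, not code from the post; the section list, the field dictionary (with SizeOfOptionalHeader taken from IMAGE_FILE_HEADER) and the 0x1000 page size are assumptions.

```python
PAGE_SIZE = 0x1000  # x86 system page size, the default SectionAlignment the post observes

def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment (a power of two)."""
    if alignment <= 0 or alignment & (alignment - 1):
        raise ValueError("alignment must be a power of two")
    return (value + alignment - 1) & ~(alignment - 1)

def expected_size_of_image(sections, section_alignment: int) -> int:
    """sections: list of (VirtualAddress, VirtualSize). SizeOfImage must cover the end of
    the highest section, rounded up to SectionAlignment: 0x25000 + 0x5188 = 0x2A188 -> 0x2B000."""
    end = max(va + vsize for va, vsize in sections)
    return align_up(end, section_alignment)

def minimum_size_of_headers(number_of_sections: int, size_of_optional_header: int,
                            file_alignment: int) -> int:
    """4-byte signature + IMAGE_FILE_HEADER (20 bytes) + optional header + 40 bytes per
    section header, rounded up to FileAlignment."""
    raw = 4 + 20 + size_of_optional_header + 40 * number_of_sections
    return align_up(raw, file_alignment)

def check_alignment_fields(hdr: dict, sections) -> list:
    """Return the violated rules (empty list = consistent). hdr maps the optional-header
    fields by name plus SizeOfOptionalHeader from IMAGE_FILE_HEADER (assumed layout)."""
    sa, fa = hdr["SectionAlignment"], hdr["FileAlignment"]
    problems = []
    if not 512 <= fa <= 0x10000 or fa & (fa - 1):
        problems.append("FileAlignment must be a power of two between 512 and 64K")
    if sa <= 0 or sa & (sa - 1) or sa < fa:
        problems.append("SectionAlignment must be a power of two >= FileAlignment")
    if problems:
        return problems  # the remaining checks divide by these values
    if sa < PAGE_SIZE and sa != fa:
        problems.append("SectionAlignment below the page size requires FileAlignment == SectionAlignment")
    if hdr["SizeOfImage"] % sa:
        problems.append("SizeOfImage is not a multiple of SectionAlignment")
    elif hdr["SizeOfImage"] != expected_size_of_image(sections, sa):
        problems.append("SizeOfImage differs from the aligned end of the last section")
    needed = minimum_size_of_headers(len(sections), hdr["SizeOfOptionalHeader"], fa)
    if hdr["SizeOfHeaders"] % fa or hdr["SizeOfHeaders"] < needed:
        problems.append("SizeOfHeaders must be FileAlignment-aligned and hold all headers")
    return problems
```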
The subsystem required to run this image. The following values are defined.
- Unknown subsystem.
- No subsystem required (device drivers and native system processes).
- Windows graphical user interface (GUI) subsystem.
- Windows character-mode user interface (CUI) subsystem.
- OS/2 CUI subsystem.
- POSIX CUI subsystem.
- Windows CE system.
- Extensible Firmware Interface (EFI) application.
- EFI driver with boot services.
- EFI driver with run-time services.
- EFI ROM image.
- Xbox system.
- Boot application.
The twenty-fourth field is DllCharacteristics, 2 bytes: the attribute flags of the DLL file.
The DLL characteristics of the image. The following values are defined.
- Reserved.
- Reserved.
- Reserved.
- Reserved.
- The DLL can be relocated at load time.
- Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the digital signature cannot be verified.
- The image is compatible with data execution prevention (DEP).
- The image is isolation aware, but should not be isolated.
- The image does not use structured exception handling (SEH). No handlers can be called in this image.
- Do not bind the image.
- Reserved.
- A WDM driver.
- Reserved.
- The image is terminal server aware.
The twenty-fifth field is SizeOfStackReserve, 4 bytes: the stack size reserved at initialization.
The number of bytes to reserve for the stack. Only the memory specified by the SizeOfStackCommit member is committed at load time; the rest is made available one page at a time until this reserve size is reached.
0x00100000 = 1 MB
The twenty-sixth field is SizeOfStackCommit, 4 bytes: the stack size actually committed at initialization.
The number of bytes to commit for the stack.
0x1000 bytes = 4 KB
The twenty-seventh field is SizeOfHeapReserve, 4 bytes: the heap size reserved at initialization.
The number of bytes to reserve for the local heap. Only the memory specified by the SizeOfHeapCommit member is committed at load time; the rest is made available one page at a time until this reserve size is reached.
The twenty-eighth field is SizeOfHeapCommit, 4 bytes: the heap size actually committed at initialization.
The number of bytes to commit for the local heap.
The twenty-ninth field is LoaderFlags, 4 bytes. Unused.
This member is obsolete.
The thirtieth field is NumberOfRvaAndSizes, 4 bytes: the number of data directory entries in the member that follows.
This value is normally just 16.
Last comes the final member, DataDirectory, 128 bytes: an array of 16 IMAGE_DATA_DIRECTORY structures.
A pointer to the first IMAGE_DATA_DIRECTORY structure in the data directory.
```c
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   /* RVA of the table */
    DWORD Size;             /* size of the table in bytes */
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
```
This structure has two members of 4 bytes each, so 8 bytes in total; the array has 16 entries, 16 * 8 = 128 bytes.
Let's look at the first one.
IMAGE_DIRECTORY_ENTRY_EXPORT, the export table
This program exports no functions, so it has no export table.
Second: IMAGE_DIRECTORY_ENTRY_IMPORT, the import table
This program uses functions from DLLs.
Let's check with PEiD.
The result is the same. This is an RVA, i.e. a relative offset.
Third: IMAGE_DIRECTORY_ENTRY_RESOURCE, the resource directory
As the screenshot above also shows, the RVA is 0x00025000 and the size is 0x5188 bytes.
Fourth: IMAGE_DIRECTORY_ENTRY_EXCEPTION, the exception directory
Unused.
Fifth: IMAGE_DIRECTORY_ENTRY_SECURITY, the security directory
Sixth: IMAGE_DIRECTORY_ENTRY_BASERELOC, the relocation table
Seventh: IMAGE_DIRECTORY_ENTRY_DEBUG, debug information
Eighth: IMAGE_DIRECTORY_ENTRY_COPYRIGHT, copyright information
Ninth: IMAGE_DIRECTORY_ENTRY_GLOBALPTR
Tenth: IMAGE_DIRECTORY_ENTRY_TLS, thread local storage
Eleventh: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, the load configuration directory
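An added parser (not code from the post) for the PE32 optional header, covering the Subsystem and DllCharacteristics tables above and the DataDirectory array just described: it turns the two numeric fields into names and the 128 directory bytes into a name-to-(RVA, Size) map. The symbolic names and numeric values are the ones from winnt.h; the sample header bytes are constructed here and reuse only SizeOfImage 0x2B000 and the resource directory 0x25000 / 0x5188 from the post.

```python
import struct
# Symbolic names and values from winnt.h (well known; not taken from the post).
SUBSYSTEMS = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 5: "OS2_CUI",
              7: "POSIX_CUI", 9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION",
              11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM",
              14: "XBOX", 16: "WINDOWS_BOOT_APPLICATION"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
             0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
             0x2000: "WDM_DRIVER", 0x8000: "TERMINAL_SERVER_AWARE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG",
                   "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# IMAGE_OPTIONAL_HEADER32 up to DataDirectory: 30 fields, 96 bytes, little-endian.
FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
          "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
          "SectionAlignment FileAlignment MajorOperatingSystemVersion "
          "MinorOperatingSystemVersion MajorImageVersion MinorImageVersion "
          "MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue SizeOfImage "
          "SizeOfHeaders CheckSum Subsystem DllCharacteristics SizeOfStackReserve "
          "SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags "
          "NumberOfRvaAndSizes").split()
FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"

def parse_optional_header32(data: bytes) -> dict:
    """Parse a PE32 optional header; DataDirectory becomes {name: (RVA, Size)}."""
    if len(data) < 96 or data[:2] != b"\x0b\x01":  # Magic 0x10B = PE32
        raise ValueError("not a PE32 optional header")
    hdr = dict(zip(FIELDS, struct.unpack_from(FMT, data)))
    n = min(hdr["NumberOfRvaAndSizes"], 16)  # the loader never reads more than 16 entries
    hdr["DataDirectory"] = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, 96 + 8 * i)
                            for i in range(n) if 96 + 8 * i + 8 <= len(data)}
    return hdr

def decode_dll_characteristics(value: int) -> list:
    """Expand the DllCharacteristics bit field into the names of the flags that are set."""
    return [name for bit, name in sorted(DLL_FLAGS.items()) if value & bit]

def build_sample() -> bytes:
    """Constructed header: SizeOfImage 0x2B000 and the resource directory at RVA 0x25000,
    size 0x5188, are the values the post reads; every other value is made up."""
    head = struct.pack(FMT, 0x10B, 14, 0, 0x1000, 0x2000, 0, 0x1100, 0x1000, 0x2000,
                       0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2B000, 0x1000, 0,
                       2, 0x0140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[12] = (0x24000, 0x50), (0x25000, 0x5188), (0x24100, 0x80)
    return head + b"".join(struct.pack("<II", *d) for d in dirs)

if __name__ == "__main__":
    print(parse_optional_header32(build_sample())["DataDirectory"]["RESOURCE"])
```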
Load configuration table address and size
Twelfth: IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, bound import table address and size
Bound import table address and size
Thirteenth: IMAGE_DIRECTORY_ENTRY_IAT, the Import Address Table
Import address table address and size
Checked with Exeinfo PE.
Fourteenth: IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
Delay import descriptor address and size
Fifteenth: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
The CLR header address and size
Sixteenth: IMAGE_NUMBEROF_DIRECTORY_ENTRIES, reserved
With that, the whole PE file header is done.