[PE FORMAT] -4- NT Header (DOS Sign, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER)
Reference:
The NT Header is described by the IMAGE_NT_HEADERS structure.
```c
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                        // PE signature (50 45 00 00, i.e. "PE\0\0")
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
```
size: 0xF8 (248) bytes
Members:
[DWORD Signature]
[IMAGE_FILE_HEADER FileHeader;]
```c
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
```
Machine
The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the specified computer. This member can be one of the following values.

| Value | Meaning |
|---|---|
| | x86 |
| | Intel Itanium |
| | x64 |
NumberOfSections
The number of sections. This indicates the size of the section table, which immediately follows the headers. Note that the Windows loader limits the number of sections to 96.
SizeOfOptionalHeader
The size of the optional header, in bytes. This value should be 0 for object files.
Characteristics
The characteristics of the image. This member can be one or more of the following values.

| Value | Meaning |
|---|---|
| | Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error. |
| | The file is executable (there are no unresolved external references). |
| | COFF line numbers were stripped from the file. |
| | COFF symbol table entries were stripped from the file. |
| | Aggressively trim the working set. This value is obsolete. |
| | The application can handle addresses larger than 2 GB. |
| | The bytes of the word are reversed. This flag is obsolete. |
| | The computer supports 32-bit words. |
| | Debugging information was removed and stored separately in another file. |
| | If the image is on removable media, copy it to and run it from the swap file. |
| | If the image is on the network, copy it to and run it from the swap file. |
| | The image is a system file. |
| | The image is a DLL file. While it is an executable file, it cannot be run directly. |
| | The file should be run only on a uniprocessor computer. |
| | The bytes of the word are reversed. This flag is obsolete. |
[IMAGE_OPTIONAL_HEADER32 OptionalHeader;]
```c
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
```
Magic
The state of the image file. This member can be one of the following values.

| Value | Meaning |
|---|---|
| | The file is an executable image. This value is defined as IMAGE_NT_OPTIONAL_HDR32_MAGIC in a 32-bit application and as IMAGE_NT_OPTIONAL_HDR64_MAGIC in a 64-bit application. |
| | The file is an executable image. |
| | The file is an executable image. |
| | The file is a ROM image. |
AddressOfEntryPoint
A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.
(Holds the RVA of the entry point.)
ImageBase
The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
(The starting address at which the PE file is loaded.)
SectionAlignment
The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the FileAlignment member. The default value is the page size for the system.
(The minimum unit of a section in memory.)
SizeOfImage
The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
SizeOfHeaders
The combined size of the following items, rounded to a multiple of the value specified in the FileAlignment member.
- e_lfanew member of IMAGE_DOS_HEADER
- 4 byte signature
- size of IMAGE_FILE_HEADER
- size of optional header
- size of all section headers
Subsystem
The subsystem required to run this image. The following values are defined.

| Value | Meaning |
|---|---|
| | Unknown subsystem. |
| | No subsystem required (device drivers and native system processes). |
| | Windows graphical user interface (GUI) subsystem. |
| | Windows character-mode user interface (CUI) subsystem. |
| | OS/2 CUI subsystem. |
| | POSIX CUI subsystem. |
| | Windows CE system. |
| | Extensible Firmware Interface (EFI) application. |
| | EFI driver with boot services. |
| | EFI driver with run-time services. |
| | EFI ROM image. |
| | Xbox system. |
| | Boot application. |
NumberOfRvaAndSizes
The number of directory entries in the remainder of the optional header. Each entry describes a location and size.
DataDirectory
The following is a list of the data directories. Offsets are relative to the beginning of the optional header.
Offset (PE/PE32+) | Description |
---|---|
96/112 | Export table address and size |
104/120 | Import table address and size |
112/128 | Resource table address and size |
120/136 | Exception table address and size |
128/144 | Certificate table address and size |
136/152 | Base relocation table address and size |
144/160 | Debugging information starting address and size |
152/168 | Architecture-specific data address and size |
160/176 | Global pointer register relative virtual address |
168/184 | Thread local storage (TLS) table address and size |
176/192 | Load configuration table address and size |
184/200 | Bound import table address and size |
192/208 | Import address table address and size |
200/216 | Delay import descriptor address and size |
208/224 | The CLR header address and size |
216/232 | Reserved |
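The two parsing steps this page walks through, decoding IMAGE_FILE_HEADER (Machine, NumberOfSections, Characteristics) and decoding IMAGE_OPTIONAL_HEADER32 up to the data directory (Magic, AddressOfEntryPoint, ImageBase, the alignment rules, SizeOfImage, SizeOfHeaders, Subsystem, NumberOfRvaAndSizes and the 96-byte directory offset from the table above), as one added Python example. This is not code from the original page; it uses only the Python standard library. The header blob it parses is constructed inline for the demonstration, the numeric constants are the winnt.h values, and the function names (parse_nt_headers, sanity_check, set_optional_field and so on) are names chosen here.

```python
import struct

# Constants from winnt.h; MAX_SECTIONS is the Windows loader limit quoted in the text.
IMAGE_DOS_SIGNATURE = 0x5A4D              # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550           # "PE\0\0" (bytes 50 45 00 00)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_SIZEOF_SECTION_HEADER = 40
MAX_SECTIONS = 96
MACHINE_NAMES = {0x014C: "x86", 0x0200: "Intel Itanium", 0x8664: "x64"}
SUBSYSTEM_NAMES = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
CHARACTERISTICS = {  # IMAGE_FILE_* bits of IMAGE_FILE_HEADER.Characteristics, prefix dropped
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI"}

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_OPTIONAL_HEADER32 up to DataDirectory (96 bytes); "<" = little-endian, no padding.
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                      "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPTIONAL32_CODES = "HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
OPTIONAL32_FMT = "<" + OPTIONAL32_CODES
OPTIONAL32_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode", "SizeOfInitializedData",
    "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode", "BaseOfData", "ImageBase",
    "SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
    "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics",
    "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes")

def optional_field_offset(name):
    """Offset of a field from the start of IMAGE_OPTIONAL_HEADER32 (e.g. SizeOfImage -> 56)."""
    return struct.calcsize("<" + OPTIONAL32_CODES[:OPTIONAL32_FIELDS.index(name)])

def decode_characteristics(flags):
    """Expand the Characteristics bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]

def parse_nt_headers(data):
    """Follow e_lfanew to the PE signature, decode both headers and the data directory; ValueError if not PE32."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT)       # signature + file header
    if opt_off > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    fh = dict(zip(FILE_HEADER_FIELDS, struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)))
    dir_off = struct.calcsize(OPTIONAL32_FMT)      # 96 for PE32 (112 for PE32+, see the table above)
    if fh["SizeOfOptionalHeader"] < dir_off or opt_off + fh["SizeOfOptionalHeader"] > len(data):
        raise ValueError("optional header truncated")
    oh = dict(zip(OPTIONAL32_FIELDS, struct.unpack_from(OPTIONAL32_FMT, data, opt_off)))
    if oh["Magic"] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("Magic 0x%x is not PE32; PE32+ uses the 64-bit layout" % oh["Magic"])
    # Never trust NumberOfRvaAndSizes blindly: cap it at 16 and at what the header actually holds.
    n = min(oh["NumberOfRvaAndSizes"], IMAGE_NUMBEROF_DIRECTORY_ENTRIES,
            (fh["SizeOfOptionalHeader"] - dir_off) // 8)
    dirs = [struct.unpack_from("<II", data, opt_off + dir_off + 8 * i) for i in range(n)]
    return {"e_lfanew": e_lfanew, "OptionalHeaderOffset": opt_off, "DataDirectoryOffset": dir_off,
            "FileHeader": fh, "OptionalHeader": oh, "DataDirectory": dirs,
            "MachineName": MACHINE_NAMES.get(fh["Machine"], "unknown"),
            "SubsystemName": SUBSYSTEM_NAMES.get(oh["Subsystem"], "other"),
            "Flags": decode_characteristics(fh["Characteristics"])}

def sanity_check(hdr):
    """Apply the consistency rules the text states; returns the violations (empty list = consistent)."""
    fh, oh = hdr["FileHeader"], hdr["OptionalHeader"]
    sa, fa = oh["SectionAlignment"], oh["FileAlignment"]
    if not sa or not fa:
        return ["zero alignment value"]            # the remaining rules would divide by zero
    headers = (hdr["e_lfanew"] + 4 + struct.calcsize(FILE_HEADER_FMT) + fh["SizeOfOptionalHeader"]
               + fh["NumberOfSections"] * IMAGE_SIZEOF_SECTION_HEADER)   # e_lfanew + sig + headers + section table
    rules = [
        (fh["NumberOfSections"] > MAX_SECTIONS, "NumberOfSections exceeds the loader limit of 96"),
        (sa < fa, "SectionAlignment is smaller than FileAlignment"),
        (oh["ImageBase"] % 0x10000 != 0, "ImageBase is not a multiple of 64K"),
        (oh["SizeOfImage"] % sa != 0, "SizeOfImage is not a multiple of SectionAlignment"),
        (oh["SizeOfHeaders"] != (headers + fa - 1) // fa * fa, "SizeOfHeaders does not match the header layout"),
        (oh["AddressOfEntryPoint"] >= oh["SizeOfImage"], "AddressOfEntryPoint lies outside the image")]
    return [message for violated, message in rules if violated]

def build_sample_pe32_headers():
    """Constructed sample: a minimal, internally consistent PE32 header blob (not a real binary)."""
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_header = struct.pack(FILE_HEADER_FMT, 0x014C, 3, 0x5F000000, 0, 0, 0xE0, 0x0102)  # x86, 3 sections
    optional = struct.pack(OPTIONAL32_FMT, 0x10B, 14, 0,                     # PE32 magic, linker 14.0
        0x1000, 0x2000, 0, 0x1234, 0x1000, 0x2000, 0x00400000, 0x1000, 0x200,  # entry RVA 0x1234, ImageBase, SectionAlign, FileAlign
        6, 0, 0, 0, 6, 0, 0, 0x5000, 0x200, 0,                               # versions, SizeOfImage 0x5000, SizeOfHeaders 0x200
        3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, IMAGE_NUMBEROF_DIRECTORY_ENTRIES)  # WINDOWS_CUI, stack/heap, 16 dirs
    return dos_header + b"PE\x00\x00" + file_header + optional + bytes(8 * IMAGE_NUMBEROF_DIRECTORY_ENTRIES)

def set_optional_field(data, name, value):
    """Return a copy with one optional-header field overwritten, to simulate a malformed file."""
    out, off = bytearray(data), parse_nt_headers(data)["OptionalHeaderOffset"]
    struct.pack_into("<" + OPTIONAL32_CODES[OPTIONAL32_FIELDS.index(name)], out,
                     off + optional_field_offset(name), value)
    return bytes(out)
```

On the constructed blob, parse_nt_headers reports MachineName x86, the flags EXECUTABLE_IMAGE and 32BIT_MACHINE, a data directory offset of 96 and an entry point RVA of 0x1234, and sanity_check returns no violations; overwriting SizeOfImage with a value that is not a multiple of SectionAlignment, or SectionAlignment with a value below FileAlignment, makes sanity_check name the broken rule. NumberOfRvaAndSizes is capped before the directory is read because a header can declare more entries than the optional header actually holds, which is a classic way to push a naive parser past the end of the buffer.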