
Portable Executable Format Layout

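/*
 * Portable Executable Format Layout
 *
 * Reconstructed from Ero Carrera's PE poster.  The text extraction of the
 * poster interleaved its columns, so the structures were unreadable; every
 * structure below appears on the poster and is listed here one at a time,
 * with the poster's byte offsets in the comments.  The poster's arrows mean
 * either "structure contained within parent" (a plain member) or
 * "structure pointed to by the parent" (an RVA held in a member); the
 * latter are written "RVA ->" here.
 *
 * Two deliberate departures from the poster's text, so that the listing
 * compiles as C and the annotated offsets hold on every host:
 *   - members the poster types PIMAGE_THUNK_DATA / LPBYTE / PDWORD /
 *     PIMAGE_IMPORT_BY_NAME are 32-bit RVAs stored in the file, not host
 *     pointers; they are declared DWORD here (QWORD in the 64-bit thunk).
 *     Typing them as pointers makes a 64-bit build read the tables with the
 *     wrong stride.
 *   - the two optional headers (poster: "PE32" / "PE32+") and the two TLS
 *     directories share one tag on the poster and get 32/64 suffixes here.
 *
 * Parser caveat that applies to every *Address*, *Pointer* and RVA field:
 * the value comes from the file.  Range-check it against the file length
 * (raw offsets) or SizeOfImage (RVAs), map RVAs through the section table,
 * and bound every array walk by the accompanying count before dereferencing.
 *
 * Struct tags keep the SDK's leading-underscore names so they match
 * winnt.h; that naming is reserved for the implementation, do not coin new
 * ones in this style.
 */

#ifndef _WINDEF_          /* the poster assumes the Windows SDK base types */
typedef uint8_t  BYTE;
typedef uint16_t WORD;
typedef uint32_t DWORD;
#endif
typedef uint64_t QWORD;   /* poster's name for a 64-bit field (ULONGLONG in the SDK) */

/*
 * One entry of IMAGE_OPTIONAL_HEADER.DataDirectory[].  VirtualAddress is an
 * RVA of the table named by the entry's index and Size is its byte length.
 * NOTE(review): the poster does not say so, but the PE specification makes
 * the IMAGE_DIRECTORY_ENTRY_SECURITY entry a raw file offset rather than an
 * RVA -- confirm before mapping it through the section table.
 */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   /* 0x00 */
    DWORD Size;             /* 0x04 */
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

/*
 * Index into DataDirectory[], in the order the poster lists the entries.
 * DataDirectory is declared with 16 slots, but only the first
 * NumberOfRvaAndSizes of them exist in a given file; index below
 * min(NumberOfRvaAndSizes, 16).
 */
enum {
    IMAGE_DIRECTORY_ENTRY_EXPORT         = 0,   /* RVA -> IMAGE_EXPORT_DIRECTORY */
    IMAGE_DIRECTORY_ENTRY_IMPORT         = 1,   /* RVA -> IMAGE_IMPORT_DESCRIPTOR[] */
    IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2,   /* RVA -> IMAGE_RESOURCE_DIRECTORY */
    IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3,
    IMAGE_DIRECTORY_ENTRY_SECURITY       = 4,
    IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5,
    IMAGE_DIRECTORY_ENTRY_DEBUG          = 6,   /* RVA -> IMAGE_DEBUG_DIRECTORY */
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT      = 7,
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8,
    IMAGE_DIRECTORY_ENTRY_TLS            = 9,   /* RVA -> IMAGE_TLS_DIRECTORY32 / 64 */
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10,
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11,
    IMAGE_DIRECTORY_ENTRY_IAT            = 12,
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13,  /* RVA -> IMAGE_DELAY_IMPORT_DESCRIPTOR */
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
};

/*
 * MS-DOS header at file offset 0.  Only e_magic and e_lfanew matter to a PE
 * parser; e_lfanew is the file offset of IMAGE_NT_HEADERS and must be
 * checked against the file length before the Signature it points to is
 * read.
 */
typedef struct _IMAGE_DOS_HEADER {
    WORD  e_magic;       /* 0x00 */
    WORD  e_cblp;        /* 0x02 */
    WORD  e_cp;          /* 0x04 */
    WORD  e_crlc;        /* 0x06 */
    WORD  e_cparhdr;     /* 0x08 */
    WORD  e_minalloc;    /* 0x0a */
    WORD  e_maxalloc;    /* 0x0c */
    WORD  e_ss;          /* 0x0e */
    WORD  e_sp;          /* 0x10 */
    WORD  e_csum;        /* 0x12 */
    WORD  e_ip;          /* 0x14 */
    WORD  e_cs;          /* 0x16 */
    WORD  e_lfarlc;      /* 0x18 */
    WORD  e_ovno;        /* 0x1a */
    WORD  e_res[4];      /* 0x1c */
    WORD  e_oemid;       /* 0x24 */
    WORD  e_oeminfo;     /* 0x26 */
    WORD  e_res2[10];    /* 0x28 */
    DWORD e_lfanew;      /* 0x3c  file offset of IMAGE_NT_HEADERS */
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

/*
 * COFF file header, contained in IMAGE_NT_HEADERS at 0x04.
 * NumberOfSections bounds the section table that follows the optional
 * header; SizeOfOptionalHeader says where that table starts (use it, not
 * sizeof the optional header, because the file may carry fewer data
 * directories than the struct declares).
 */
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;                /* 0x00 */
    WORD  NumberOfSections;       /* 0x02  entries in the section table */
    DWORD TimeDateStamp;          /* 0x04 */
    DWORD PointerToSymbolTable;   /* 0x08  raw file offset */
    DWORD NumberOfSymbols;        /* 0x0c */
    WORD  SizeOfOptionalHeader;   /* 0x10  bytes from OptionalHeader to the section table */
    WORD  Characteristics;        /* 0x12 */
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

/*
 * Optional header, PE32 variant (poster: "PE32").  Magic at 0x00 is what
 * tells the two variants apart; read it before assuming either layout.
 */
typedef struct _IMAGE_OPTIONAL_HEADER32 {
    WORD  Magic;                        /* 0x00 */
    BYTE  MajorLinkerVersion;           /* 0x02 */
    BYTE  MinorLinkerVersion;           /* 0x03 */
    DWORD SizeOfCode;                   /* 0x04 */
    DWORD SizeOfInitializedData;        /* 0x08 */
    DWORD SizeOfUninitializedData;      /* 0x0c */
    DWORD AddressOfEntryPoint;          /* 0x10  RVA */
    DWORD BaseOfCode;                   /* 0x14  RVA */
    DWORD BaseOfData;                   /* 0x18  RVA (PE32 only) */
    DWORD ImageBase;                    /* 0x1c */
    DWORD SectionAlignment;             /* 0x20 */
    DWORD FileAlignment;                /* 0x24 */
    WORD  MajorOperatingSystemVersion;  /* 0x28 */
    WORD  MinorOperatingSystemVersion;  /* 0x2a */
    WORD  MajorImageVersion;            /* 0x2c */
    WORD  MinorImageVersion;            /* 0x2e */
    WORD  MajorSubsystemVersion;        /* 0x30 */
    WORD  MinorSubsystemVersion;        /* 0x32 */
    DWORD Win32VersionValue;            /* 0x34 */
    DWORD SizeOfImage;                  /* 0x38  upper bound for every RVA in the image */
    DWORD SizeOfHeaders;                /* 0x3c */
    DWORD CheckSum;                     /* 0x40 */
    WORD  Subsystem;                    /* 0x44 */
    WORD  DllCharacteristics;           /* 0x46 */
    DWORD SizeOfStackReserve;           /* 0x48 */
    DWORD SizeOfStackCommit;            /* 0x4c */
    DWORD SizeOfHeapReserve;            /* 0x50 */
    DWORD SizeOfHeapCommit;             /* 0x54 */
    DWORD LoaderFlags;                  /* 0x58 */
    DWORD NumberOfRvaAndSizes;          /* 0x5c  how many DataDirectory slots are present */
    IMAGE_DATA_DIRECTORY DataDirectory[16];  /* 0x60 */
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

/*
 * Optional header, PE32+ variant (poster: "PE32+").  Same fields as PE32
 * except that BaseOfData is gone and ImageBase plus the four stack/heap
 * sizes widen to 64 bits, which moves everything after them by 0x10.
 */
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD  Magic;                        /* 0x00 */
    BYTE  MajorLinkerVersion;           /* 0x02 */
    BYTE  MinorLinkerVersion;           /* 0x03 */
    DWORD SizeOfCode;                   /* 0x04 */
    DWORD SizeOfInitializedData;        /* 0x08 */
    DWORD SizeOfUninitializedData;      /* 0x0c */
    DWORD AddressOfEntryPoint;          /* 0x10  RVA */
    DWORD BaseOfCode;                   /* 0x14  RVA */
    QWORD ImageBase;                    /* 0x18 */
    DWORD SectionAlignment;             /* 0x20 */
    DWORD FileAlignment;                /* 0x24 */
    WORD  MajorOperatingSystemVersion;  /* 0x28 */
    WORD  MinorOperatingSystemVersion;  /* 0x2a */
    WORD  MajorImageVersion;            /* 0x2c */
    WORD  MinorImageVersion;            /* 0x2e */
    WORD  MajorSubsystemVersion;        /* 0x30 */
    WORD  MinorSubsystemVersion;        /* 0x32 */
    DWORD Win32VersionValue;            /* 0x34 */
    DWORD SizeOfImage;                  /* 0x38 */
    DWORD SizeOfHeaders;                /* 0x3c */
    DWORD CheckSum;                     /* 0x40 */
    WORD  Subsystem;                    /* 0x44 */
    WORD  DllCharacteristics;           /* 0x46 */
    QWORD SizeOfStackReserve;           /* 0x48 */
    QWORD SizeOfStackCommit;            /* 0x50 */
    QWORD SizeOfHeapReserve;            /* 0x58 */
    QWORD SizeOfHeapCommit;             /* 0x60 */
    DWORD LoaderFlags;                  /* 0x68 */
    DWORD NumberOfRvaAndSizes;          /* 0x6c */
    IMAGE_DATA_DIRECTORY DataDirectory[16];  /* 0x70 */
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

/*
 * PE header, at file offset IMAGE_DOS_HEADER.e_lfanew.  The poster draws a
 * single OptionalHeader slot at 0x18; it holds IMAGE_OPTIONAL_HEADER32 for
 * PE32 images and IMAGE_OPTIONAL_HEADER64 for PE32+ images, selected by the
 * Magic word that sits at 0x18 in both cases.  The PE32 form is declared
 * here; a PE32+ parser overlays the 64-bit header at the same offset.
 */
typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;       /* 0x00 */
    IMAGE_FILE_HEADER       FileHeader;      /* 0x04 */
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;  /* 0x18 */
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

/* Length of IMAGE_SECTION_HEADER.Name; fixed by the 0x08 offset of Misc. */
#define IMAGE_SIZEOF_SHORT_NAME 8

/*
 * Section table entry.  The table follows the optional header and holds
 * IMAGE_FILE_HEADER.NumberOfSections of these.  A section occupies
 * [PointerToRawData, +SizeOfRawData) in the file and [VirtualAddress,
 * +Misc.VirtualSize) in memory; the two sizes differ, so an RVA-to-offset
 * mapping must clamp to the smaller of the two or it reads past the raw
 * data.  Name is not NUL-terminated when all 8 bytes are used.
 */
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];   /* 0x00 */
    union {
        DWORD PhysicalAddress;             /* 0x08 */
        DWORD VirtualSize;                 /* 0x08 */
    } Misc;
    DWORD VirtualAddress;                  /* 0x0c  RVA */
    DWORD SizeOfRawData;                   /* 0x10 */
    DWORD PointerToRawData;                /* 0x14  raw file offset */
    DWORD PointerToRelocations;            /* 0x18 */
    DWORD PointerToLinenumbers;            /* 0x1c */
    WORD  NumberOfRelocations;             /* 0x20 */
    WORD  NumberOfLinenumbers;             /* 0x22 */
    DWORD Characteristics;                 /* 0x24 */
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

/*
 * IMAGE_DIRECTORY_ENTRY_EXPORT -> export table.  The three Address*
 * members are RVAs of parallel arrays:
 *   AddressOfFunctions    -> DWORD address_of_function[NumberOfFunctions]
 *                            RVA of code/data; poster: "indexed by ordinals"
 *                            (exported ordinal = array index + Base)
 *   AddressOfNames        -> DWORD address_of_name[NumberOfNames]
 *                            RVA -> NUL-terminated symbol name
 *   AddressOfNameOrdinals -> WORD  name_ordinal[NumberOfNames]
 * If a symbol N is exported by ordinal and name then its name will be
 * located at AddressOfNames[N], its ordinal at AddressOfNameOrdinals[N],
 * and its address at AddressOfFunctions[AddressOfNameOrdinals[N]].  The
 * function might be forwarded; in that case the last RVA refers to an
 * address within the export directory (the data-directory range) pointing
 * to the forwarder string, which contains the module and symbol where to
 * find it.
 * Parser caveat: every count and RVA above is attacker-controlled.  Check
 * AddressOfNameOrdinals[N] < NumberOfFunctions before the final lookup,
 * bound each string scan by the section it lies in, and cap the number of
 * forwarder hops followed (forwarders can chain or loop).
 */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;         /* 0x00 */
    DWORD TimeDateStamp;           /* 0x04 */
    WORD  MajorVersion;            /* 0x08 */
    WORD  MinorVersion;            /* 0x0a */
    DWORD Name;                    /* 0x0c  RVA -> NUL-terminated module name */
    DWORD Base;                    /* 0x10  first exported ordinal */
    DWORD NumberOfFunctions;       /* 0x14  length of the AddressOfFunctions array */
    DWORD NumberOfNames;           /* 0x18  length of the two name arrays */
    DWORD AddressOfFunctions;      /* 0x1c  RVA -> address_of_function[] */
    DWORD AddressOfNames;          /* 0x20  RVA -> address_of_name[] */
    DWORD AddressOfNameOrdinals;   /* 0x24  RVA -> name_ordinal[] */
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

/*
 * Target of an IMAGE_THUNK_DATA.u1.AddressOfData RVA.  Name is a
 * NUL-terminated string that runs past the single declared byte, so a
 * scan for the terminator must be bounded by the enclosing section.
 */
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD Hint;      /* 0x00 */
    BYTE Name[1];   /* 0x02  NUL-terminated, variable length */
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;

/*
 * One slot of the import name table (OriginalFirstThunk) or import address
 * table (FirstThunk) of a PE32 image; each array ends with a zero slot.
 * The poster types the members LPBYTE / PDWORD / DWORD /
 * PIMAGE_IMPORT_BY_NAME; in the file each is a 32-bit value, so they are
 * DWORD here.
 * NOTE(review): the poster does not show how Ordinal and AddressOfData are
 * told apart; the PE specification uses the top bit of the slot
 * (IMAGE_ORDINAL_FLAG).  Test that bit before following AddressOfData as
 * an RVA.
 */
typedef struct _IMAGE_THUNK_DATA {
    union {
        DWORD ForwarderString;   /* 0x00 */
        DWORD Function;          /* 0x00  actual address once the loader has filled the IAT */
        DWORD Ordinal;           /* 0x00  import by ordinal */
        DWORD AddressOfData;     /* 0x00  RVA -> IMAGE_IMPORT_BY_NAME */
    } u1;
} IMAGE_THUNK_DATA, *PIMAGE_THUNK_DATA;

/* PE32+ thunk: same four views, each widened to 64 bits. */
typedef struct _IMAGE_THUNK_DATA64 {
    union {
        QWORD ForwarderString;   /* 0x00 */
        QWORD Function;          /* 0x00 */
        QWORD Ordinal;           /* 0x00 */
        QWORD AddressOfData;     /* 0x00 */
    } u1;
} IMAGE_THUNK_DATA64, *PIMAGE_THUNK_DATA64;

/*
 * IMAGE_DIRECTORY_ENTRY_IMPORT -> array of these, one per imported DLL,
 * terminated by an all-zero descriptor (poster: "0 for terminating null
 * import descriptor").  Both thunk RVAs point at zero-terminated
 * IMAGE_THUNK_DATA arrays; bound the walk by the data directory's Size as
 * well as by the terminator, since a file need not supply one.
 */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;      /* 0x00  0 for terminating null import descriptor */
        DWORD OriginalFirstThunk;   /* 0x00  RVA to original unbound IAT (poster: PIMAGE_THUNK_DATA) */
    } u;
    DWORD TimeDateStamp;     /* 0x04  0 if not bound;
                              *       -1 if bound, and real date/time stamp in
                              *          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND);
                              *       otherwise date/time stamp of DLL bound to (old BIND) */
    DWORD ForwarderChain;    /* 0x08  -1 if no forwarders */
    DWORD Name;              /* 0x0c  RVA -> NUL-terminated DLL name */
    DWORD FirstThunk;        /* 0x10  RVA to IAT (if bound this IAT has actual addresses) */
} IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;

/*
 * IMAGE_DIRECTORY_ENTRY_RESOURCE -> root of the resource tree.  The two
 * counts give the number of directory entries that follow this header;
 * the poster does not show the entry layout.
 */
typedef struct _IMAGE_RESOURCE_DIRECTORY {
    DWORD Characteristics;        /* 0x00 */
    DWORD TimeDateStamp;          /* 0x04 */
    WORD  MajorVersion;           /* 0x08 */
    WORD  MinorVersion;           /* 0x0a */
    WORD  NumberOfNamedEntries;   /* 0x0c */
    WORD  NumberOfIdEntries;      /* 0x0e */
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;

/*
 * IMAGE_DIRECTORY_ENTRY_DEBUG -> array of these (Size / 0x1c entries).
 * The debug payload is located twice, by RVA and by raw offset; either may
 * be zero or lie outside any section, so validate before reading.
 */
typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;    /* 0x00 */
    DWORD TimeDateStamp;      /* 0x04 */
    WORD  MajorVersion;       /* 0x08 */
    WORD  MinorVersion;       /* 0x0a */
    DWORD Type;               /* 0x0c */
    DWORD SizeOfData;         /* 0x10 */
    DWORD AddressOfRawData;   /* 0x14  RVA of the payload */
    DWORD PointerToRawData;   /* 0x18  raw file offset of the payload */
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;

/*
 * IMAGE_DIRECTORY_ENTRY_TLS, PE32 image.
 * NOTE(review): the poster does not say so, but in the PE specification
 * these four addresses are absolute virtual addresses (ImageBase-relative
 * after relocation), not RVAs, and AddressOfCallBacks points at a
 * zero-terminated list of callbacks the loader invokes before
 * AddressOfEntryPoint -- a common place for code that runs ahead of the
 * entry point, so worth inspecting during triage.
 */
typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD StartAddressOfRawData;   /* 0x00 */
    DWORD EndAddressOfRawData;     /* 0x04 */
    DWORD AddressOfIndex;          /* 0x08 */
    DWORD AddressOfCallBacks;      /* 0x0c */
    DWORD SizeOfZeroFill;          /* 0x10 */
    DWORD Characteristics;         /* 0x14 */
} IMAGE_TLS_DIRECTORY32, *PIMAGE_TLS_DIRECTORY32;

/* IMAGE_DIRECTORY_ENTRY_TLS, PE32+ image: the four addresses are 64-bit. */
typedef struct _IMAGE_TLS_DIRECTORY64 {
    QWORD StartAddressOfRawData;   /* 0x00 */
    QWORD EndAddressOfRawData;     /* 0x08 */
    QWORD AddressOfIndex;          /* 0x10 */
    QWORD AddressOfCallBacks;      /* 0x18 */
    DWORD SizeOfZeroFill;          /* 0x20 */
    DWORD Characteristics;         /* 0x24 */
} IMAGE_TLS_DIRECTORY64, *PIMAGE_TLS_DIRECTORY64;

/*
 * IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT -> array of these, one per
 * delay-loaded DLL.  NOTE(review): the poster gives only names and
 * offsets; whether the p* members are RVAs or absolute addresses depends
 * on grAttrs (see the delay-load section of the PE specification) -- decide
 * that before dereferencing them.
 */
typedef struct _IMAGE_DELAY_IMPORT_DESCRIPTOR {
    DWORD grAttrs;       /* 0x00 */
    DWORD szName;        /* 0x04  -> DLL name */
    DWORD phmod;         /* 0x08  -> module handle slot */
    DWORD pIAT;          /* 0x0c  -> delay-load IAT */
    DWORD pINT;          /* 0x10  -> delay-load import name table */
    DWORD pBoundIAT;     /* 0x14 */
    DWORD pUnloadIAT;    /* 0x18 */
    DWORD dwTimeStamp;   /* 0x1c */
} IMAGE_DELAY_IMPORT_DESCRIPTOR, *PIMAGE_DELAY_IMPORT_DESCRIPTOR;

/*
 * Display of the main headers describing the basic information in a
 * Portable Executable file.  More details about the Portable Executable
 * specification can be found at:
 *   http://en.wikipedia.org/wiki/Portable_Executable
 *
 * (c) 2007-2018 Ero Carrera -- http://dkbza.org -- http://blog.dkbza.org
 */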
