The PE - Header

The PE - Header
^^^^^^^^^^^^^^^
by Renegade

The portable executable file format begins with the DOS header:
----------| DOS Header|
__________-----------_____________________
|dw e_magic: the magic number; 0x05A4 = MZ |
|------------------------------------------|
|dw e_cblp: bytes of last page
|
|------------------------------------------|
|dw e_cp: number of pages
|
|------------------------------------------|
|dw e_crlc: reloc.
|
|------------------------------------------|
|dw e_cparhdr: header-size
|
|------------------------------------------|
|dw e_minalloc: min. of alloc. paragraphs |
|------------------------------------------|
|dw e_maxalloc: max. of alloc. paragraphs |
|------------------------------------------|
|dw e_ss: SS value
|
|------------------------------------------|
|dw e_sp: SP value
|
|------------------------------------------|
|dw e_csum: checksum
|
|------------------------------------------|
|dw e_ip: IP value
|
|------------------------------------------|
|dw e_cs: CS value
|
|------------------------------------------|
|dw e_lfarlc: address of reloc. table
|
|------------------------------------------|
|dw e_ovno: overlays
|
|------------------------------------------|
|dw e_oemid: OEM - Identifier
|
|------------------------------------------|
|dw e_oeminfo: OEM Info
|
|------------------------------------------|
|dd e_lfanew: address of NE
|
|------------------------------------------|
dd e_lfanew: This RVA points also to the PE Header
________
|DOS Stub|
-------The stub contains informations about the OS where the program must be run,
eg " This program must be run under Microsoft Windows" or something like
that.
The actual PE-Header
^^^^^^^^^^^^^^^^^^^^
|--------------------------|-----------------------|--------------------|
|
Signature
|
CPU
|
Sections
|
|--------------------------|-----------------------|--------------------|
|
Time / Date Stamp
|
Pointer to symbol table
|
|--------------------------|-----------------------|--------------------|
|
Symbols
|
NT Header size
|
Flags
|
|---------|----------------|-----------------------|--------------------|
| LMAJOR | LMINOR
|
Size of code
|
Page 1

The PE - Header
|---------|----------------|--------------------------------------------|
| Initalized data
|
Uninitalized data
|
|--------------------------|--------------------------------------------|
| Entrypoint RVA
|
Base of code
|
|--------------------------|--------------------------------------------|
| Base of data
|
Image base
|
|--------------------------|--------------------------------------------|
| Section alignment
|
File alignment
|
|-----------|--------------|-----------------------|--------------------|
| OS MAJOR | OS MINOR
|
User MAJOR | User MINOR
|
|-----------|-|------------|-----------------------|--------------------|
| Subsys MAJ. | Subsys MIN.|
Version
|
|-------------|------------|--------------------------------------------|
| Image size
|
Header size
|
|--------------------------|---------------------|----------------------|
|
Checksum
|
Subsystem | DLL Flags
|
|--------------------------|---------------------|----------------------|
| Stack reserve size
|
Stack commit size
|
|--------------------------|--------------------------------------------|
| Heap reserve size
|
Heap commit size
|
|--------------------------|--------------------------------------------|
| Loader Flags
|
# interesting RVA / Sizes
|
|--------------------------|--------------------------------------------|
| Export table RVA
|
Total export data size
|
|--------------------------|--------------------------------------------|
| Import table RVA
|
Total import data size
|
|--------------------------|--------------------------------------------|
| Resource table RVA
|
Total resource data size
|
|--------------------------|--------------------------------------------|
| Exception table RVA
|
Total exception data size
|
|--------------------------|--------------------------------------------|
| Security table RVA
|
Total security data size
|
|--------------------------|--------------------------------------------|
| Fixup table RVA
|
Total fixup data size
|
|--------------------------|--------------------------------------------|
| Debug table RVA
|
Total debug directories
|
|--------------------------|--------------------------------------------|
| Image description RVA
|
Total description size
|
|--------------------------|--------------------------------------------|
| Machine specific RVA
|
Machine specific size
|
|--------------------------|--------------------------------------------|
| Thread local storage RVA |
Total TLS size
|
|--------------------------|--------------------------------------------|
| Loader configuration RVA |
Loader data size
|
|--------------------------|--------------------------------------------|
| Bounded imports table
|
Bounded imports data size
|
|--------------------------|--------------------------------------------|
| Import addresses table
|
Total IAT size
|
|-----------------------------------------------------------------------|

Signature: 0454E = NE
^^^^^^^^^
CPU:
^^^
0000 = unknown
014c = 386
014d = 486
014e = 586

04550 = PE

Sections: Number of sections in the section table

^^^^^^^^
Time / Date stamp: All infos about creation/modification of the file
^^^^^^^^^^^^^^^^^
NT Header size: bytes remaining in the NT header
^^^^^^^^^^^^^^
Flags:
0000 = image of program
^^^^^
0002 = image is executable
0200 = fixed image
2000 = lib. image
Page 2

The PE - Header
LMAJOR/LMINOR: LinkerMajor/LinkerMinor version
^^^^^^^^^^^^^
Entrypoint RVA: Starting address for program images
^^^^^^^^^^^^^^
Image base: Virtual address of the first byte of a file
^^^^^^^^^^
Section alignment: default is 64K
^^^^^^^^^^^^^^^^^
File alignment: Value between 515 and 64K
^^^^^^^^^^^^^^
OS MAJOR/OS MINOR: required version of OS to run the program
^^^^^^^^^^^^^^^^^
User MAJOR/User MINOR: values for images / dll's set by user
^^^^^^^^^^^^^^^^^^^^^
Image size: Virtual size of the image
^^^^^^^^^^
Header size: Total header size
^^^^^^^^^^^
Checksum: Complete file checksum
^^^^^^^^
Subsystem: required NT subsystem to run program
^^^^^^^^^
0000 = unknown
0001 = native
0002 = Win GUI
0003 = Win Char.
0005 = OS/2
0007 = Posix
DLL Flags: Loader
^^^^^^^^^
0001
0002
0004
0008

requirements
=
=
=
=

process lib. init.

process lib. term.
thread lib. init.
thread lib. term.

Stack reserve size: stack needed for program

^^^^^^^^^^^^^^^^^^
Stack commit size: committed size of stack
^^^^^^^^^^^^^^^^^
Heap reserve size: size of heap to reserve
^^^^^^^^^^^^^^^^^
Heap commit size: size to commit in heap
^^^^^^^^^^^^^^^^
Interesting RVA/Size: size of RVA array
^^^^^^^^^^^^^^^^^^^^
Export table RVA: RVA of export table
^^^^^^^^^^^^^^^^
Import table RVA: RVA of import table
^^^^^^^^^^^^^^^^
-------| etc... |
-------After that we have the Section header with all the sections like .text,.data
and so on.
short summary:
|
|
|
|
|
|
|
|
|

----------------PhysicalAddress |
VirtualSize
|
SizeofRawData
|
PointertoR.Data |
Pointertoreloc. |
Pointertolinenum|
Numberofrelocs |
Numberoflinenum |
Characteristics |
----------------Page 3

The PE - Header
-------------------------------------------------------------------------NB: Between the last section header,sections itself and the beginning of |
data there is some unused space because of the alignment.This space
|
can be used for saving code and data, things we use for our virii.
|
_________________________________________________________________________ |

Image base and RVA

^^^^^^^^^^^^^^^^^^
The imagebase is the linear address on which the loader will map the exe
image or load a dll, which changes from exe to exe.Nevertheless the
absolute address of the image base of a exe is 0x400000, because the loader
is not always able to load the image of the preferred image base.That's why
the relative virtual addresses of the absolute addresses were introduced.
So if you want to get a dw at the RVA, let's say 4444, you have to add the
image base and you'll get the virtual address:
VA = RVA + IB
0x404444 = 4444 + 400000
RAW OFS = (VA
- Image base - SVirtual Address ) + PointertoRawdata
0834
404444 - 400000
- 01000
+ 0600

Page 4