
IMAGE_DOS_HEADER
| Offset | Type | Field | Description |
|---|---|---|---|
| 00 | WORD | e_magic | MZ |
| 02 | WORD | e_cblp | Bytes on last page of file |
| 04 | WORD | e_cp | Pages in file |
| 06 | WORD | e_crlc | Relocations |
| 08 | WORD | e_cparhdr | Size of header in paragraphs |
| 0A | WORD | e_minalloc | Minimum extra paragraphs needed |
| 0C | WORD | e_maxalloc | Maximum extra paragraphs needed |
| 0E | WORD | e_ss | Initial (relative) SS value |
| 10 | WORD | e_sp | Initial SP value |
| 12 | WORD | e_csum | Checksum |
| 14 | WORD | e_ip | Initial IP value |
| 16 | WORD | e_cs | Initial (relative) CS value |
| 18 | WORD | e_lfarlc | File address of relocation table |
| 1A | WORD | e_ovno | Overlay number |
| 1C | WORD[4] | e_res | Reserved words |
| 24 | WORD | e_oemid | OEM identifier (for e_oeminfo) |
| 26 | WORD | e_oeminfo | OEM information; e_oemid specific |
| 28 | WORD[10] | e_res2 | Reserved words |
| 3C | DWORD | e_lfanew | File address of new exe header |
Note: Get the address of IMAGE_NT_HEADERS by adding e_lfanew to the base address (the start of the DOS header).
IMAGE_NT_HEADERS
| Type | Field |
|---|---|
| DWORD | Signature |
| IMAGE_FILE_HEADER | FileHeader |
| IMAGE_OPTIONAL_HEADER | OptionalHeader |
IMAGE_NT_HEADERS with the IMAGE_FILE_HEADER expanded (offsets from the start of IMAGE_NT_HEADERS)
| Offset | Type | Field |
|---|---|---|
| 00 | DWORD | Signature |
| 04 | WORD | Machine (0x8664 : AMD64, 0x14c : i386) |
| 06 | WORD | NumberOfSections |
| 08 | DWORD | TimeDateStamp |
| 0C | DWORD | PointerToSymbolTable |
| 10 | DWORD | NumberOfSymbols |
| 14 | WORD | SizeOfOptionalHeader |
| 16 | WORD | Characteristics |
There are two versions of the Optional Header, 32-bit and 64-bit. They differ in:
- The number of members in the struct: the 32-bit version has an additional member, BaseOfData (holds the RVA of the start of the data section)
- The data types of some members
32-bit (offsets from the start of IMAGE_NT_HEADERS)
Standard Fields
| Offset | Type | Field |
|---|---|---|
| 18 | WORD | Magic |
| 1A | BYTE | MajorLinkerVersion |
| 1B | BYTE | MinorLinkerVersion |
| 1C | DWORD | SizeOfCode (size of the code section) |
| 20 | DWORD | SizeOfInitializedData |
| 24 | DWORD | SizeOfUninitializedData |
| 28 | DWORD | AddressOfEntryPoint |
| 2C | DWORD | BaseOfCode |
| 30 | DWORD | BaseOfData |
NT additional fields
| Offset | Type | Field |
|---|---|---|
| 34 | DWORD | ImageBase (the preferred address at which the image is loaded) |
| 38 | DWORD | SectionAlignment |
| 3C | DWORD | FileAlignment |
| 40 | WORD | MajorOperatingSystemVersion |
| 42 | WORD | MinorOperatingSystemVersion |
| 44 | WORD | MajorImageVersion |
| 46 | WORD | MinorImageVersion |
| 48 | WORD | MajorSubsystemVersion |
| 4A | WORD | MinorSubsystemVersion |
| 4C | DWORD | Reserved1 |
| 50 | DWORD | SizeOfImage |
| 54 | DWORD | SizeOfHeaders |
| 58 | DWORD | CheckSum (the algorithm for computing the checksum is incorporated into IMAGEHLP.DLL) |
| 5C | WORD | Subsystem |
| 5E | WORD | DllCharacteristics |
| 60 | DWORD | SizeOfStackReserve |
| 64 | DWORD | SizeOfStackCommit |
| 68 | DWORD | SizeOfHeapReserve |
| 6C | DWORD | SizeOfHeapCommit |
| 70 | DWORD | LoaderFlags |
| 74 | DWORD | NumberOfRvaAndSizes |
Data Directories (an array of IMAGE_DATA_DIRECTORY entries, see below)
| Offset | Type | Field |
|---|---|---|
| 78 | DWORD | ExportDirectory VA |
| 7C | DWORD | ExportDirectory Size |
| 80 | DWORD | ImportDirectory VA |
| 84 | DWORD | ImportDirectory Size |
| 88 | DWORD | ResourceDirectory VA |
| 8C | DWORD | ResourceDirectory Size |
| 90 | DWORD | ExceptionDirectory VA |
| 94 | DWORD | ExceptionDirectory Size |
| 98 | DWORD | SecurityDirectory VA |
| 9C | DWORD | SecurityDirectory Size |
| A0 | DWORD | BaseRelocationTable VA |
| A4 | DWORD | BaseRelocationTable Size |
| A8 | DWORD | DebugDirectory VA |
| AC | DWORD | DebugDirectory Size |
| B0 | DWORD | ArchitectureSpecificData VA |
| B4 | DWORD | ArchitectureSpecificData Size |
| B8 | DWORD | GlobalPtr (RVA of GP) VA |
| BC | DWORD | GlobalPtr (RVA of GP) Size |
| C0 | DWORD | TLSDirectory VA |
| C4 | DWORD | TLSDirectory Size |
| C8 | DWORD | LoadConfigurationDirectory VA |
| CC | DWORD | LoadConfigurationDirectory Size |
| D0 | DWORD | BoundImportDirectory (in headers) VA |
| D4 | DWORD | BoundImportDirectory (in headers) Size |
| D8 | DWORD | ImportAddressTable VA |
| DC | DWORD | ImportAddressTable Size |
| E0 | DWORD | DelayLoadImportDescriptors VA |
| E4 | DWORD | DelayLoadImportDescriptors Size |
| E8 | DWORD | COMRuntimeDescriptor VA |
| EC | DWORD | COMRuntimeDescriptor Size |
| F0 | DWORD | Reserved (0) |
| F4 | DWORD | Reserved (0) |
IMAGE_DATA_DIRECTORY
```c
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   // RVA of the start of the data directory
    DWORD Size;             // size of the data directory
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
```
- VirtualAddress: the RVA pointing to the start of the Data Directory
- Size: the size of the Data Directory
List of Data Directories defined in winnt.h
```c
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
//      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10   // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11   // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT            12   // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor
```
IMAGE_EXPORT_DIRECTORY
| Offset | Type | Field |
|---|---|---|
| 00 | DWORD | Characteristics |
| 04 | DWORD | TimeDateStamp |
| 08 | WORD | MajorVersion |
| 0A | WORD | MinorVersion |
| 0C | DWORD | Name |
| 10 | DWORD | Base |
| 14 | DWORD | NumberOfFunctions |
| 18 | DWORD | NumberOfNames |
| 1C | DWORD | AddressOfFunctions |
| 20 | DWORD | AddressOfNames |
| 24 | DWORD | AddressOfNameOrdinals |
Sections
| Section Name | Description |
|---|---|
| .text | Contains the executable code of the program |
| .data | Contains the initialized data |
| .bss | Contains the uninitialized data |
| .rdata | Contains Read-Only initialized data |
| .edata | Contains the Export tables |
| .idata | Contains the Import tables |
| .reloc | Contains image relocation information |
| .rsrc | Contains resources used by the program |
| .tls | Provides storage for every executing thread of the program |
IMAGE_SECTION_HEADER
| Offset | Type | Field |
|---|---|---|
| 00 | BYTE[8] | Name |
| 08 | DWORD | PhysicalAddress / VirtualSize |
| 0C | DWORD | VirtualAddress |
| 10 | DWORD | SizeOfRawData |
| 14 | DWORD | PointerToRawData |
| 18 | DWORD | PointerToRelocations |
| 1C | DWORD | PointerToLineNumbers |
| 20 | WORD | NumberOfRelocations |
| 22 | WORD | NumberOfLineNumbers |
| 24 | DWORD | Characteristics |
SizeOfRawData and VirtualSize can differ because:
- SizeOfRawData must be a multiple of IMAGE_OPTIONAL_HEADER.FileAlignment, so the section's data is padded on disk up to that boundary.
- VirtualSize depends on how far the section is expanded in memory to reserve space for uninitialized data, which occupies no space in the file.
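As an added example (not part of these notes or the sources they draw on), the following Python walks the structures tabulated above on a hand-built PE32 image: DOS header to e_lfanew, NT headers, the data directories, and the section table, then maps an RVA to a file offset so the VirtualSize/SizeOfRawData difference is visible. Every offset is bounds-checked, since a crafted e_lfanew or section count is the usual way a malformed file breaks a naive scanner. All function names and the sample image are mine; the image is constructed, not a real binary.

```python
import struct

MZ, PE_SIG = 0x5A4D, 0x00004550    # "MZ", "PE\0\0"
DIR_LAYOUT = {0x10B: (0x5C, 0x60), 0x20B: (0x6C, 0x70)}  # magic -> (NumberOfRvaAndSizes, DataDirectory[0]) offsets from the optional header

def parse_pe(data):
    def rd(fmt, off):              # bounds-checked read: a crafted offset raises instead of reading garbage
        if off + struct.calcsize(fmt) > len(data):
            raise ValueError("header field at 0x%x lies past end of file" % off)
        return struct.unpack_from(fmt, data, off)
    if rd("<H", 0)[0] != MZ:
        raise ValueError("missing MZ signature")
    e_lfanew = rd("<I", 0x3C)[0]   # IMAGE_NT_HEADERS = base + e_lfanew
    sig, machine, nsect, _, _, _, opt_size, _ = rd("<IHHIIIHH", e_lfanew)
    if sig != PE_SIG:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 0x18          # optional header follows the 4-byte signature + 20-byte file header
    magic = rd("<H", opt)[0]
    if magic not in DIR_LAYOUT:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sect_align, file_align = rd("<II", opt + 0x20)   # same offset in the 32- and 64-bit variants
    ndirs = min(rd("<I", opt + DIR_LAYOUT[magic][0])[0], 16)
    dirs = [rd("<II", opt + DIR_LAYOUT[magic][1] + 8 * i) for i in range(ndirs)]  # (VirtualAddress, Size)
    sections = []
    for i in range(nsect):         # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr, *_ = rd("<8sIIIIIIHHI", opt + opt_size + 40 * i)
        if rawsize % file_align or rawptr + rawsize > len(data):
            raise ValueError("bad SizeOfRawData/PointerToRawData in %r" % name)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"machine": machine, "magic": magic, "section_align": sect_align,
            "file_align": file_align, "dirs": dirs, "sections": sections}

def rva_to_file_offset(pe, rva):
    for _, va, vsize, rawptr, rawsize in pe["sections"]:
        if va <= rva < va + vsize:
            delta = rva - va       # None: within VirtualSize but beyond SizeOfRawData, i.e. zero-filled in memory only
            return rawptr + delta if delta < rawsize else None
    raise ValueError("RVA 0x%x is in no section" % rva)

def build_sample():
    """Constructed PE32 image (not a real binary): .text fits on disk, .data has a 0x2E00-byte uninitialized tail."""
    img = bytearray(0x800)                                  # 0x400 of headers + two 0x200-byte raw sections
    struct.pack_into("<H58xI", img, 0, MZ, 0x40)            # e_magic ... e_lfanew
    struct.pack_into("<IHHIIIHH", img, 0x40, PE_SIG, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # Signature + IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x10B)                # Magic = PE32
    struct.pack_into("<II", img, 0x78, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<III", img, 0xB4, 16, 0x1080, 0x28)   # NumberOfRvaAndSizes, export directory VA and Size
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x100, 0x1000, 0x200, 0x400)   # VirtualSize < SizeOfRawData
    struct.pack_into("<8sIIII", img, 0x160, b".data", 0x3000, 0x2000, 0x200, 0x600)  # VirtualSize > SizeOfRawData
    return bytes(img)
```

For a 64-bit image only the DIR_LAYOUT entry changes, because ImageBase and the stack/heap sizes widen to 8 bytes and push NumberOfRvaAndSizes and the data directories 0x10 further into the optional header.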