PE文件结构

PE文件结构学习

PE文件结构预览

查看PE文件结构

  • 以windows的powershell为例:
    1
    Format-Hex -Path PE_file.exe

DOS header

  • 微软创建PE文件时,DOS文件仍在广泛使用,为了兼容DOS文件,使用64(0x40)个字节用来扩展DOS-EXE文件。

数据结构

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

举例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ.............
00000010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ¸.......@.......
00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030   00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00  ............è...
00000040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..´.Í!¸.LÍ!Th
00000050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
00000060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
00000070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
00000080   EA 4B A4 12 AE 2A CA 41 AE 2A CA 41 AE 2A CA 41  êK¤.®*ÊA®*ÊA®*ÊA
00000090   A7 52 4E 41 B7 2A CA 41 A7 52 5F 41 BE 2A CA 41  §RNA·*ÊA§R_A¾*ÊA
000000A0   A7 52 49 41 E5 2A CA 41 89 EC B1 41 AB 2A CA 41  §RIAå*ÊA‰ì±A«*ÊA
000000B0   AE 2A CB 41 E7 2A CA 41 A7 52 40 41 AF 2A CA 41  ®*ËAç*ÊA§R@A¯*ÊA
000000C0   A7 52 5B 41 AF 2A CA 41 52 69 63 68 AE 2A CA 41  §R[A¯*ÊARich®*ÊA
000000D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00  ........PE..L...
  • 重要成员如下:
    • e_magic: DOS signature,为固定值:4D5A (“MZ”)
    • e_lfanew: File address of new exe header,指⽰NT头的偏移,即标准的PE文件入口,这里的值为000000E8(小端序)

DOS存根(stub)

NT header

NT头:⽂件头

NT头:可选头

节区头

本文作者: yd0ng
本文链接: https://blog.yd0ng.top/2025/09/26/PE%E6%96%87%E4%BB%B6%E7%BB%93%E6%9E%84/
版权声明: 本作品采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议 进行许可。转载请注明出处!

谢谢您的打赏,大家一起加油喔~

支付宝
微信

扫一扫,分享到微信

微信分享二维码

阅读数: 次   
载入天数...载入时分秒...

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

网络安全<br>敬畏技术<br>保持正直