PE文件格式偏移参考

在进行PE文件格式病毒分析的时候，经常要使用到PE文件格式的解析，尤其是对LoadPE形式的病毒的分析，经常要查看PE文件格式的偏移，特地从博客《PE文件格式的偏移参考》中转载收录一份，之前在网上也看到比较不错的有关PE文件偏移的博客，但忘了收录。在进行PE文件格式的病毒分析时，还会经常参考这篇博客《PE文件格式学习笔记》，博主关于PE文件格式的学习笔记写的不错，其他的参考书籍《加密与解密（第3版）》、《黑客免杀攻防》，顺便提一句《黑客免杀攻防》这本书关于PE文件格式的解析比较不错，但是错误也不少，整体来说这本书对于学习PC上的逆向分析和内核攻防还是很不错的。

Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions there are still a lot of useful fixed and relative offsets that will help when disassembling/examining PE files. Resource information and the such like are omitted - there are good tools available to manipulate these e.g. ResHacker.

The DOS Header

OFFSET	SIZE	NAME	EXPLANATION
00	WORD	e_magic	Magic DOS signature MZ (4Dh 5Ah)
02	WORD	e_cblp	Bytes on last page of file
04	WORD	e_cp	Pages in file
06	WORD	e_crlc	Relocations
08	WORD	e_cparhdr	Size of header in paragraphs
0A	WORD	e_minalloc	Minimum extra paragraphs needed
0C	WORD	e_maxalloc	Maximum extra paragraphs needed
0E	WORD	e_ss	Initial (relative) SS value
10	WORD	e_sp	Initial SP value
12	WORD	e_csum	Checksum
14	WORD	e_ip	Initial IP value
16	WORD	e_cs	Initial (relative) CS value
18	WORD	e_lfarlc	File address of relocation table
1A	WORD	e_ovno	Overlay number
1C	WORD	e_res[4]	Reserved words
24	WORD	e_oemid	OEM identifier (for e_oeminfo)
26	WORD	e_oeminfo	OEM information; e_oemid specific
28	WORD	e_res2[10]	Reserved words
3C	DWORD	e_lfanew	Offset to start of PE header

The PE Header

Offsets shown  are from the beginning of this section.

00	DWORD	Signature	PE Signature PE.. (50h 45h 00h 00h)
04	WORD	Machine	014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h=MIPS
06	WORD	NumberOfSections	Number Of Sections
08	DWORD	TimeDateStamp	Date & time image was created by the linker
0C	DWORD	PointerToSymbolTable	Zero or offset of COFF symbol table in older files
10	DWORD	NumberOfSymbols	Number of symbols in COFF symbol table
14	WORD	SizeOfOptionalHeader	Size of optional header in bytes (224 in 32bit exe)
16	WORD	Characteristics	see below
18	**********	START OF OPTIONAL HEADER	**************************************
18	WORD	Magic	010Bh=32-bit executable image 020Bh=64-bit executable image 0107h=ROM image
1A	BYTE	MajorLinkerVersion	Major version number of the linker
1B	BYTE	MinorLinkerVersion	Minor version number of the linker
1C	DWORD	SizeOfCode	size of code section or sum if multiple code sections
20	DWORD	SizeOfInitializedData	as above
24	DWORD	SizeOfUninitializedData	as above
28	DWORD	AddressOfEntryPoint	Start of code execution, optional for DLLs, zero when none present
2C	DWORD	BaseOfCode	RVA of first byte of code when loaded into RAM
30	DWORD	BaseOfData	RVA of first byte of data when loaded into RAM
34	DWORD	ImageBase	Preferred load address
38	DWORD	SectionAlignment	Alignment of sections when loaded in RAM
3C	DWORD	FileAlignment	Alignment of sections in file on disk
40	WORD	MajorOperatingSystemVersion	Major version no. of required operating system
42	WORD	MinorOperatingSystemVersion	Minor version no. of required operating system
44	WORD	MajorImageVersion	Major version number of the image
46	WORD	MinorImageVersion	Minor version number of the image
48	WORD	MajorSubsystemVersion	Major version number of the subsystem
4A	WORD	MinorSubsystemVersion	Minor version number of the subsystem
4C	DWORD	Reserved1
50	DWORD	SizeOfImage	Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
54	DWORD	SizeOfHeaders	Offset of first section, multiple of FileAlignment
58	DWORD	CheckSum	Image checksum (only required for kernel-mode drivers and some system DLLs).
5C	WORD	Subsystem	0002h=Windows GUI, 0003h=console
5E	WORD	DllCharacteristics	0001h=per-process library initialization 0002h=per-process library termination 0003h=per-thread library initialization 0004h=per-thread library termination
60	DWORD	SizeOfStackReserve	Number of bytes reserved for the stack
64	DWORD	SizeOfStackCommit	Number of bytes actually used for the stack
68	DWORD	SizeOfHeapReserve	Number of bytes to reserve for the local heap
6C	DWORD	SizeOfHeapCommit	Number of bytes actually used for local heap
70	DWORD	LoaderFlags	This member is obsolete.
74	DWORD	NumberOfRvaAndSizes	Number of directory entries.
78	**********	START OF DATA DIRECTORY	**************************************
78	DWORD	IMAGE_DATA_DIRECTORY0	RVA of Export Directory
7C	DWORD		size of Export Directory
80	DWORD	IMAGE_DATA_DIRECTORY1	RVA of Import Directory (array of IIDs)
84	DWORD		size of Import Directory (array of IIDs)
88	DWORD	IMAGE_DATA_DIRECTORY2	RVA of Resource Directory
8C	DWORD		size of Resource Directory
90	DWORD	IMAGE_DATA_DIRECTORY3	RVA of Exception Directory
94	DWORD		size of Exception Directory
98	DWORD	IMAGE_DATA_DIRECTORY4	Raw Offset of Security Directory
9C	DWORD		size of Security Directory
A0	DWORD	IMAGE_DATA_DIRECTORY5	RVA of Base Relocation Directory
A4	DWORD		size of Base Relocation Directory
A8	DWORD	IMAGE_DATA_DIRECTORY6	RVA of Debug Directory
AC	DWORD		size of Debug Directory
B0	DWORD	IMAGE_DATA_DIRECTORY7	RVA of Copyright Note
B4	DWORD		size of Copyright Note
B8	DWORD	IMAGE_DATA_DIRECTORY8	RVA to be used as Global Pointer (IA-64 only)
BC	DWORD		Not used
C0	DWORD	IMAGE_DATA_DIRECTORY9	RVA of Thread Local Storage Directory
C4	DWORD		size of Thread Local Storage Directory
C8	DWORD	IMAGE_DATA_DIRECTORY10	RVA of Load Configuration Directory
CC	DWORD		size of Load Configuration Directory
D0	DWORD	IMAGE_DATA_DIRECTORY11	RVA of Bound Import Directory
D4	DWORD		size of Bound Import Directory
D8	DWORD	IMAGE_DATA_DIRECTORY12	RVA of first Import Address Table
DC	DWORD		total size of all Import Address Tables
E0	DWORD	IMAGE_DATA_DIRECTORY13	RVA of Delay Import Directory
E4	DWORD		size of Delay Import Directory
E8	DWORD	IMAGE_DATA_DIRECTORY14	RVA of COM Header (top level info & metadata...
EC	DWORD		size of COM Header         ...in .NET executables)
F0	DWORD	ZERO (Reserved)	Reserved
F4	DWORD	ZERO (Reserved)	Reserved
F8	**********	START OF SECTION TABLE	*******Offsets shown from here********
00	8 Bytes	Name1	Name of first section header
08	DWORD	misc (VirtualSize)	Actual size of data in section
0C	DWORD	virtual address	RVA where section begins in memory
10	DWORD	SizeOfRawData	Size of data on disk (multiple of FileAlignment)
14	DWORD	pointerToRawData	Raw offset of section on disk
18	DWORD	pointerToRelocations	Start of relocation entries for section, zero if none
1C	DWORD	PointerToLinenumbers	Start of line-no. entries for section, zero if none
20	WORD	NumberOfRelocations	This value is zero for executable images.
22	WORD	NumberOfLineNumbers	Number of line-number entries for section.
24	DWORD	Characteristics	see end of page below
00	8 Bytes	Name1	Name of second section header
	**********	Repeats for rest of sections	**************************************

The Export Table

Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET	SIZE	NAME	EXPLANATION
00	DWORD	Characteristics	Set to zero (currently none defined)
04	DWORD	TimeDateStamp	often set to zero
08	WORD	MajorVersion	user-defined version number, otherwise zero
0A	WORD	MinorVersion	as above
0C	DWORD	Name	RVA of DLL name in null-terminated ASCII
10	DWORD	Base	First valid exported ordinal, normally=1
14	DWORD	NumberOfFunctions	Number of entries in EAT
18	DWORD	NumberOfNames	Number of entries in ENT
1C	DWORD	AddressOfFunctions	RVA of EAT (export address table)
20	DWORD	AddressOfNames	RVA of ENT (export name table)
24	DWORD	AddressOfNameOrdinals	RVA of EOT (export ordinal table)

The Import Table

Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

OFFSET	SIZE	NAME	EXPLANATION
00	DWORD	OriginalFirstThunk	RVA to Image_Thunk_Data
04	DWORD	TimeDateStamp	zero unless bound against imported DLL
08	DWORD	ForwarderChain	pointer to 1st redirected function (or 0)
0C	DWORD	Name1	RVA to name in null-terminated ASCII
10	DWORD	FirstThunk	RVA to Image_Thunk_Data

Image Characteristics Flags

FLAG	EXPLANATION
0001	Relocation info stripped from file
0002	File is executable (no unresolved external references)
0004	Line numbers stripped from file
0008	Local symbols stripped from file
0010	Lets OS aggressively trim working set
0020	App can handle >2Gb addresses
0080	Low bytes of machine word are reversed
0100	requires 32-bit WORD machine
0200	Debugging info stripped from file into .DBG file
0400	If image is on removable media, copy and run from swap file
0800	If image is on a network, copy and run from swap file
1000	System file
2000	File is a DLL
4000	File should only be run on a single-processor machine
8000	High bytes of machine word are reversed

Section Characteristics Flags

FLAG	EXPLANATION
00000008	Section should not be padded to next boundary
00000020	Section contains code
00000040	Section contains initialised data (which will become initialised with real values before the file is launched)
00000080	Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200	Section contains comments for the linker
00000800	Section contents will not become part of image
00001000	Section contents comdat (Common Block Data)
00008000	Section contents cannot be accessed relative to GP
00100000 to 00800000	Boundary alignment settings
01000000	Section contains extended relocations
02000000	Section can be discarded (e.g. .reloc)
04000000	Section is not cacheable
08000000	Section is pageable
10000000	Section is shareable
20000000	Section is executable
40000000	Section is readable
80000000	Section is writable