加载中…PE结构(一)IMAGE_DOS_HEADER STRUCT 及DOS Stub
(2011-12-10 15:03:50)
标签:
win32可执行文件执行体栈指针pe |
分类: PE |
http://s5/middle/7eb50b18xb3b7a8ad9a14&690STRUCT
{
+00h WORD
e_magic
// Magic DOS signature MZ(4Dh 5Ah)
DOS可执行文件标记
+02h WORD
e_cblp
// Bytes on last page of file
+04h WORD e_cp
// Pages in file
+06h WORD e_crlc
// Relocations
+08h WORD e_cparhdr
// Size of header in paragraphs
+0ah WORD e_minalloc
// Minimun extra paragraphs needs
+0ch WORD e_maxalloc
// Maximun extra paragraphs needs
+0eh WORD e_ss
// intial(relative)SS value
DOS代码的初始化堆栈SS
+10h WORD e_sp
// intial SP value
DOS代码的初始化堆栈指针SP
+12h WORD e_csum
//
Checksum
+14h WORD e_ip
// intial IP
value
DOS代码的初始化指令入口[指针IP]
+16h WORD e_cs
// intial(relative)CS value
DOS代码的初始堆栈入口
+18h WORD e_lfarlc
// File Address of relocation
table
+1ah //
Overlay number
+1ch WORD
e_res[4] //
Reserved words
+24h WORD e_oemid
// OEM identifier(for
e_oeminfo)
+26h WORD e_oeminfo // OEM
information;e_oemid specific
+29h WORD
e_res2[10] // Reserved
words
+3ch
e_lfanew //
Offset to start of PE header
指向PE文件头
} IMAGE_DOS_HEADER
ENDS
1.该结构有两个重要的成员,DWORD e_magic和LONG e_lfanew。DWORD
e_magic为"MZ",定义为IMAGE_DOS_SIGNATURE。LONG
e_lfanew存放PE头的文件偏移量。
#define
IMAGE_DOS_SIGNATURE
#define IMAGE_OS2_SIGNATURE
#define IMAGE_OS2_SIGNATURE_LE
#define IMAGE_NT_SIGNATURE
#define IMAGE_OS2_SIGNATURE
#define IMAGE_OS2_SIGNATURE_LE
#define IMAGE_NT_SIGNATURE
它是一个总是由大约100个字节所组成的和MS-DOS 2.0兼容的可执行体,用来输出象
“this program needs windows NT”之类的错误信息。win32系统都直接跳过DOS
Stub定
位到PE头。
喜欢
0
赠金笔