PE文件格式分析心得

　　PE文件格式最近似乎炒得沸沸扬扬，由于我正在做一个这样的程序，索性将自己的心得写出来与大家同享。

PE文件头分两大部分：

1：DOS ‘MZ’ HEADER

2：IMAGE_NT_HEADERS

其中IMAGE_NT_HEADERS中包含

PE signature

IMAGE_FILE_HEADER

IMAGE_OPTIONAL_HEADER（其中包含Data Direcotry）

文件头后紧跟着为

Section Table (array of IMAGE_SECTION_HEADERs)

在Delphi的windows.pad中已经有定义的有：

TImageDosHeader;

TImageNtHeaders;

TImageSectionHeader; { size of TIm..der is $28 }

定义变量后按住Ctrl可以察看具体的项目，这里我就不多说了，这方面的东西也很多。

而其他的如TImageResourceDirectory等，在DELPHI中却没有定义，察看其他资料，我在这里给出他们的结构和简单说明：

以下是我写的PEDump.exe的类型说明：

type

PIMAGE_RESOURCE_DIRECTORY = ^TImageResourceDirectory;

_IMAGE_RESOURCE_DIRECTORY = packed record

Characteristics:DWord;

TimeDateStamp:DWORD;

MajorVersion:WORD;

MinorVersion:WORD;

NumberOfNamedEntries:WORD;

NumberOfIdEntries:WORD;

end;

TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;

{ 资源目录的格式说明 }

PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^TImageResourceDirectoryEntry;

_IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record

Name:DWORD; { NameOffset:31,NameIsString:1 }

// Id:WORD;

OffsetToData:DWORD; { OffsetToDirectory:31,DataIsDirectory:1 }

end;

TImageResourceDirectoryEntry = _IMAGE_RESOURCE_DIRECTORY_ENTRY;

{ 资源目录进入点的格式说明 }

PIMAGE_RESOURCE_DIRECTORY_STRING = ^TImageResourceDirectoryString;

_IMAGE_RESOURCE_DIRECTORY_STRING = packed record

Length:WORD;

NameString:CHAR;

end;

TImageResourceDirectoryString = _IMAGE_RESOURCE_DIRECTORY_STRING;

{ 资源目录名的格式说明 }

PIMAGE_RESOURCE_DIR_STRING_U = ^TImageResourceDirStringU;

_IMAGE_RESOURCE_DIR_STRING_U = packed record

Length:WORD;

NameString:WCHAR;

end;

TImageResourceDirStringU = _IMAGE_RESOURCE_DIR_STRING_U;

{ unicode形式的资源目录名的格式说明 }

PIMAGE_RESOURCE_DATA_ENTRY = ^TImageResourceDataEntry;

_IMAGE_RESOURCE_DATA_ENTRY = packed record

OffsetToData:DWORD;

Size:DWORD;

CodePage:DWORD;

Reserved:DWORD;

end;

TImageResourceDataEntry = _IMAGE_RESOURCE_DATA_ENTRY;

{ 资源目录数据进入点的格式说明 }

const

IMAGE_RESOURCE_NAME_IS_STRING = $80000000;

{ 检测TImageResourceDirectoryEntry.Name的最高为是否设立，

是则说明剩下的31位指向IMAGE_RESOURCE_DIR_STRING_U的偏移，

否则说明剩下的31位为一个整数ID。 }

IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;

{ 检测TImageResourceDirectoryEntry.OffsetToData的最高为是否设立，

是则说明剩下的31位指向另一个IMAGE_RESOURCE_DIRECTORY的偏移，

否则说明剩下的31位指向IMAGE_RESOURCE_DATA_ENTRY的偏移。 }

{ 以下是文件属性具体值常量说明 }

{ File Characteristics }

IMAGE_FILE_RELOCS_STRIPPED = $0001; // Relocation info stripped from file.

IMAGE_FILE_EXECUTABLE_IMAGE = $0002; // File is executable.

IMAGE_FILE_LINE_NUMS_STRIPPED = $0004; // Line nunbers stripped from file.

IMAGE_FILE_LOCAL_SYMS_STRIPPED = $0008; // Local symbols stripped from file.

IMAGE_FILE_AGGRESIVE_WS_TRIM = $0010; // Agressively trim working set

IMAGE_FILE_LARGE_ADDRESS_AWARE = $0020; // App can handle >2gb addresses

IMAGE_FILE_BYTES_REVERSED_LO = $0080; // Bytes of machine word are reversed.

IMAGE_FILE_32B99v_MACHINE = $0100; // 32 bit word machine.

IMAGE_FILE_DEBUG_STRIPPED = $0200;

// Debugging info stripped from file in .DBG file

IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = $0400;

// If Image is on removable media, copy and run from the swap file.

IMAGE_FILE_NET_RUN_FROM_SWAP = $0800;

// If Image is on Net, copy and run from the swap file.

IMAGE_FILE_SYSTEM = $1000; // System File.

IMAGE_FILE_DLL = $2000; // File is a DLL.

IMAGE_FILE_UP_SYSTEM_ONLY = $4000; // File should only be run on a UP machine

IMAGE_FILE_BYTES_REVERSED_HI = $8000; // Bytes of machine word are reversed.

{ 以下是文件头机器属性值的具体说明 }

{ Machine }

IMAGE_FILE_MACHINE_UNKNOWN = $0;

IMAGE_FILE_MACHINE_I386 = $014c; // Intel 386.

IMAGE_FILE_MACHINE_R3000 = $0162; // MIPS little-endian, $160 big-endian

IMAGE_FILE_MACHINE_R4000 = $0166; // MIPS little-endian

IMAGE_FILE_MACHINE_R10000 = $0168; // MIPS little-endian

IMAGE_FILE_MACHINE_WCEMIPSV2 = $0169; // MIPS little-endian WCE v2

IMAGE_FILE_MACHINE_ALPHA = $0184; // Alpha_AXP

IMAGE_FILE_MACHINE_SH3 = $01a2; // SH3 little-endian

IMAGE_FILE_MACHINE_SH3E