Visual Studio, Microsoft Portable Executable and Common Object File Format Specification
2007-12-14 15:37
441 查看
1 General Concepts
This document specifies the structure of executable (image) files and object files under the Microsoft® Windows® family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively. The name “Portable Executable” refers to the fact that the format is not architecture specific.
Certain concepts that appear throughout this specification are described in the following table:
2 Overview
Figure 1 illustrates the Microsoft PE executable format:
Figure 1. Typical Portable EXE File Layout
Figure 2 illustrates the Microsoft COFF object-module format:
Figure 2. Typical COFF Object Module Layout
3 File Headers
The PE file header consists of a Microsoft MS‑DOS® stub, the PE signature, the COFF file header, and an optional header. A COFF object file header consists of a COFF file header and an optional header. In both cases, the file headers are followed immediately by section headers.
3.1 MS‑DOS Stub (Image Only)
The MS‑DOS stub is a valid application that runs under MS‑DOS. It is placed at the front of the EXE image. The linker places a default stub here, which prints out the message “This program cannot be run in DOS mode” when the image is run in MS‑DOS. The user can specify a different stub by using the /STUB linker option.
At location 0x3c, the stub has the file offset to the PE signature. This information enables Windows to properly execute the image file, even though it has an MS‑DOS stub. This file offset is placed at location 0x3c during linking.
3.2 Signature (Image Only)
After the MS‑DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is “PE/0/0” (the letters “P” and “E” followed by two null bytes).
3.3 COFF File Header (Object and Image)
At the beginning of an object file, or immediately after the signature of an image file, is a standard COFF file header in the following format. Note that the Windows loader limits the number of sections to 96.
3.3.1 Machine Types
The Machine field has one of the following values that specifies its CPU type. An image file can be run only on the specified machine or on a system that emulates the specified machine.
3.3.2 Characteristics
The Characteristics field contains flags that indicate attributes of the object or image file. The following flags are currently defined:
3.4 Optional Header (Image Only)
Every image file has an optional header that provides information to the loader. This header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. An object file can have an optional header, but generally this header has no function in an object file except to increase its size.
Note that the size of the optional header is not fixed. The SizeOfOptionalHeader field in the COFF header must be used to validate that a probe into the file for a particular data directory does not go beyond SizeOfOptionalHeader. For more information, see section 3.3, “COFF File Header (Object and Image).”
The NumberOfRvaAndSizes field of the optional header should also be used to ensure that no probe for a particular data directory entry goes beyond the optional header. In addition, it is important to validate the optional header magic number for format compatibility.
The optional header magic number determines whether an image is a PE32 or PE32+ executable:
PE32+ images allow for a 64-bit address space while limiting the image size to 2 gigabytes. Other PE32+ modifications are addressed in their respective sections.
The optional header itself has three major parts:
3.4.1Optional Header Standard Fields (Image Only)
The first eight fields of the optional header are standard fields that are defined for every implementation of COFF. These fields contain general information that is useful for loading and running an executable file. They are unchanged for the PE32+ format.
PE32 contains this additional field, which is absent in PE32+, following BaseOfCode:
3.4.2 Optional Header Windows-Specific Fields (Image Only)
The next 21 fields are an extension to the COFF optional header format. They contain additional information that is required by the linker and loader in Windows.
Windows Subsystem
The following values defined for the Subsystem field of the optional header determine which Windows subsystem (if any) is required to run the image.
DLL Characteristics
The following values are defined for the DllCharacteristics field of the optional header.
3.4.3 Optional Header Data Directories (Image Only)
Each data directory gives the address and size of a table or string that Windows uses. These data directory entries are all loaded into memory so that the system can use them at run time. A data directory is an 8‑byte field that has the following declaration:
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
The first field, VirtualAddress, is actually the RVA of the table. The RVA is the address of the table relative to the base address of the image when the table is loaded. The second field gives the size in bytes. The data directories, which form the last part of the optional header, are listed in the following table.
Note that the number of directories is not fixed. Before looking for a specific directory, check the NumberOfRvaAndSizes field in the optional header.
Also, do not assume that the RVAs in this table point to the beginning of a section or that the sections that contain specific tables have specific names.
The Certificate Table entry points to a table of attribute certificates. These certificates are not loaded into memory as part of the image. As such, the first field of this entry, which is normally an RVA, is a file pointer instead.
4 Section Table (Section Headers)
Each row of the section table is, in effect, a section header. This table immediately follows the optional header, if any. This positioning is required because the file header does not contain a direct pointer to the section table. Instead, the location of the section table is determined by calculating the location of the first byte after the headers. Make sure to use the size of the optional header as specified in the file header.
The number of entries in the section table is given by the NumberOfSections field in the file header. Entries in the section table are numbered starting from one (1). The code and data memory section entries are in the order chosen by the linker.
In an image file, the VAs for sections must be assigned by the linker so that they are in ascending order and adjacent, and they must be a multiple of the SectionAlignment value in the optional header.
Each section header (section table entry) has the following format, for a total of 40 bytes per entry:
4.1 Section Flags
The section flags in the Characteristics field of the section header indicate characteristics of the section.
IMAGE_SCN_LNK_NRELOC_OVFL indicates that the count of relocations for the section exceeds the 16 bits that are reserved for it in the section header. If the bit is set and the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the 32-bit VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section.
4.2 Grouped Sections (Object Only)
The “$” character (dollar sign) has a special interpretation in section names in object files.
When determining the image section that will contain the contents of an object section, the linker discards the “$” and all characters that follow it. Thus, an object section named .text$X actually contributes to the .text section in the image.
However, the characters following the “$” determine the ordering of the contributions to the image section. All contributions with the same object-section name are allocated contiguously in the image, and the blocks of contributions are sorted in lexical order by object-section name. Therefore, everything in object files with section name .text$X ends up together, after the .text$W contributions and before the .text$Y contributions.
The section name in an image file never contains a “$” character.
This document specifies the structure of executable (image) files and object files under the Microsoft® Windows® family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively. The name “Portable Executable” refers to the fact that the format is not architecture specific.
Certain concepts that appear throughout this specification are described in the following table:
Name | Description |
attribute certificate | A certificate that is used to associate verifiable statements with an image. A number of different verifiable statements can be associated with a file; one of the most useful ones is a statement by a software manufacturer that indicates what the message digest of the image is expected to be. A message digest is similar to a checksum except that it is extremely difficult to forge. Therefore, it is very difficult to modify a file to have the same message digest as the original file. The statement can be verified as being made by the manufacturer by using public or private key cryptography schemes. This document describes details about attribute certificates other than to allow for their insertion into image files. |
date/time stamp | A stamp that is used for different purposes in several places in a PE or COFF file. The format of each stamp is the same as that used by the time functions in the C run-time library. |
file pointer | The location of an item within the file itself, before being processed by the linker (in the case of object files) or the loader (in the case of image files). In other words, this is a position within the file as stored on disk. |
linker | A reference to the linker that is provided with Microsoft Visual Studio®. |
object file | A file that is given as input to the linker. The linker produces an image file, which in turn is used as input by the loader. The term “object file” does not necessarily imply any connection to object-oriented programming. |
reserved, must be 0 | A description of a field that indicates that the value of the field must be zero for generators and consumers must ignore the field. |
RVA | Relative virtual address. In an image file, the address of an item after it is loaded into memory, with the base address of the image file subtracted from it. The RVA of an item almost always differs from its position within the file on disk (file pointer). In an object file, an RVA is less meaningful because memory locations are not assigned. In this case, an RVA would be an address within a section (described later in this table), to which a relocation is later applied during linking. For simplicity, a compiler should just set the first RVA in each section to zero. |
section | The basic unit of code or data within a PE or COFF file. For example, all code in an object file can be combined within a single section or (depending on compiler behavior) each function can occupy its own section. With more sections, there is more file overhead, but the linker is able to link in code more selectively. A section is similar to a segment in Intel 8086 architecture. All the raw data in a section must be loaded contiguously. In addition, an image file can contain a number of sections, such as .tls or .reloc, which have special purposes. |
VA | virtual address. Same as RVA, except that the base address of the image file is not subtracted. The address is called a “VA” because Windows creates a distinct VA space for each process, independent of physical memory. For almost all purposes, a VA should be considered just an address. A VA is not as predictable as an RVA because the loader might not load the image at its preferred location. |
Figure 1 illustrates the Microsoft PE executable format:
[align=center]MS-DOS 2.0 Compatible[/align] [align=center]EXE Header[/align] | Base of Image Header | |
[align=center]unused[/align] | ||
[align=center]OEM Identifier[/align] [align=center]OEM Information[/align] [align=center] [/align] [align=center]Offset to PE Header[/align] | MS‑DOS 2.0 Section (for MS‑DOS compatibility only) | |
[align=center]MS‑DOS 2.0 Stub Program and[/align] [align=center]Relocation Table[/align] | ||
[align=center]unused[/align] | ||
[align=center]PE Header[/align] [align=center](aligned on 8-byte boundary)[/align] | ||
[align=center] [/align] [align=center]Section Headers[/align] [align=center] [/align] [align=center] [/align] | ||
[align=center] [/align] [align=center]Image Pages:[/align] [align=center]import info[/align] [align=center]export info[/align] [align=center]base relocations[/align] [align=center]resource info[/align] [align=center] [/align] |
Figure 2 illustrates the Microsoft COFF object-module format:
[align=center]Microsoft COFF Header[/align] [align=center] [/align] | ||
[align=center] [/align] [align=center]Section Headers[/align] [align=center] [/align] [align=center] [/align] | ||
[align=center] [/align] [align=center]Raw Data:[/align] [align=center]code[/align] [align=center]data[/align] [align=center]debug info[/align] [align=center]relocations[/align] [align=center] [/align] |
3 File Headers
The PE file header consists of a Microsoft MS‑DOS® stub, the PE signature, the COFF file header, and an optional header. A COFF object file header consists of a COFF file header and an optional header. In both cases, the file headers are followed immediately by section headers.
3.1 MS‑DOS Stub (Image Only)
The MS‑DOS stub is a valid application that runs under MS‑DOS. It is placed at the front of the EXE image. The linker places a default stub here, which prints out the message “This program cannot be run in DOS mode” when the image is run in MS‑DOS. The user can specify a different stub by using the /STUB linker option.
At location 0x3c, the stub has the file offset to the PE signature. This information enables Windows to properly execute the image file, even though it has an MS‑DOS stub. This file offset is placed at location 0x3c during linking.
3.2 Signature (Image Only)
After the MS‑DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is “PE/0/0” (the letters “P” and “E” followed by two null bytes).
3.3 COFF File Header (Object and Image)
At the beginning of an object file, or immediately after the signature of an image file, is a standard COFF file header in the following format. Note that the Windows loader limits the number of sections to 96.
Offset | Size | Field | Description |
0 | 2 | Machine | The number that identifies the type of target machine. For more information, see section 3.3.1, “Machine Types.” |
2 | 2 | NumberOfSections | The number of sections. This indicates the size of the section table, which immediately follows the headers. |
4 | 4 | TimeDateStamp | The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created. |
8 | 4 | PointerToSymbolTable | The file offset of the COFF symbol table, or zero if no COFF symbol table is present. This value should be zero for an image because COFF debugging information is deprecated. |
12 | 4 | NumberOfSymbols | The number of entries in the symbol table. This data can be used to locate the string table, which immediately follows the symbol table. This value should be zero for an image because COFF debugging information is deprecated. |
16 | 2 | SizeOfOptionalHeader | The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file. For a description of the header format, see section 3.4, “Optional Header (Image Only).” |
18 | 2 | Characteristics | The flags that indicate the attributes of the file. For specific flag values, see section 3.3.2, “Characteristics.” |
The Machine field has one of the following values that specifies its CPU type. An image file can be run only on the specified machine or on a system that emulates the specified machine.
Constant | Value | Description |
IMAGE_FILE_MACHINE_UNKNOWN | 0x0 | The contents of this field are assumed to be applicable to any machine type |
IMAGE_FILE_MACHINE_AM33 | 0x1d3 | Matsushita AM33 |
IMAGE_FILE_MACHINE_AMD64 | 0x8664 | x64 |
IMAGE_FILE_MACHINE_ARM | 0x1c0 | ARM little endian |
IMAGE_FILE_MACHINE_EBC | 0xebc | EFI byte code |
IMAGE_FILE_MACHINE_I386 | 0x14c | Intel 386 or later processors and compatible processors |
IMAGE_FILE_MACHINE_IA64 | 0x200 | Intel Itanium processor family |
IMAGE_FILE_MACHINE_M32R | 0x9041 | Mitsubishi M32R little endian |
IMAGE_FILE_MACHINE_MIPS16 | 0x266 | MIPS16 |
IMAGE_FILE_MACHINE_MIPSFPU | 0x366 | MIPS with FPU |
IMAGE_FILE_MACHINE_MIPSFPU16 | 0x466 | MIPS16 with FPU |
IMAGE_FILE_MACHINE_POWERPC | 0x1f0 | Power PC little endian |
IMAGE_FILE_MACHINE_POWERPCFP | 0x1f1 | Power PC with floating point support |
IMAGE_FILE_MACHINE_R4000 | 0x166 | MIPS little endian |
IMAGE_FILE_MACHINE_SH3 | 0x1a2 | Hitachi SH3 |
IMAGE_FILE_MACHINE_SH3DSP | 0x1a3 | Hitachi SH3 DSP |
IMAGE_FILE_MACHINE_SH4 | 0x1a6 | Hitachi SH4 |
IMAGE_FILE_MACHINE_SH5 | 0x1a8 | Hitachi SH5 |
IMAGE_FILE_MACHINE_THUMB | 0x1c2 | Thumb |
IMAGE_FILE_MACHINE_WCEMIPSV2 | 0x169 | MIPS little-endian WCE v2 |
The Characteristics field contains flags that indicate attributes of the object or image file. The following flags are currently defined:
Flag | Value | Description |
IMAGE_FILE_RELOCS_STRIPPED | 0x0001 | Image only, Windows CE, and Microsoft Windows NT® and later. This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from executable (EXE) files. |
IMAGE_FILE_EXECUTABLE_IMAGE | 0x0002 | Image only. This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error. |
IMAGE_FILE_LINE_NUMS_STRIPPED | 0x0004 | COFF line numbers have been removed. This flag is deprecated and should be zero. |
IMAGE_FILE_LOCAL_SYMS_STRIPPED | 0x0008 | COFF symbol table entries for local symbols have been removed. This flag is deprecated and should be zero. |
IMAGE_FILE_AGGRESSIVE_WS_TRIM | 0x0010 | Obsolete. Aggressively trim working set. This flag is deprecated for Windows 2000 and later and must be zero. |
IMAGE_FILE_LARGE_ADDRESS_ AWARE | 0x0020 | Application can handle > 2‑GB addresses. |
0x0040 | This flag is reserved for future use. | |
IMAGE_FILE_BYTES_REVERSED_LO | 0x0080 | Little endian: the least significant bit (LSB) precedes the most significant bit (MSB) in memory. This flag is deprecated and should be zero. |
IMAGE_FILE_32BIT_MACHINE | 0x0100 | Machine is based on a 32-bit-word architecture. |
IMAGE_FILE_DEBUG_STRIPPED | 0x0200 | Debugging information is removed from the image file. |
IMAGE_FILE_REMOVABLE_RUN_ FROM_SWAP | 0x0400 | If the image is on removable media, fully load it and copy it to the swap file. |
IMAGE_FILE_NET_RUN_FROM_SWAP | 0x0800 | If the image is on network media, fully load it and copy it to the swap file. |
IMAGE_FILE_SYSTEM | 0x1000 | The image file is a system file, not a user program. |
IMAGE_FILE_DLL | 0x2000 | The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run. |
IMAGE_FILE_UP_SYSTEM_ONLY | 0x4000 | The file should be run only on a uniprocessor machine. |
IMAGE_FILE_BYTES_REVERSED_HI | 0x8000 | Big endian: the MSB precedes the LSB in memory. This flag is deprecated and should be zero. |
Every image file has an optional header that provides information to the loader. This header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. An object file can have an optional header, but generally this header has no function in an object file except to increase its size.
Note that the size of the optional header is not fixed. The SizeOfOptionalHeader field in the COFF header must be used to validate that a probe into the file for a particular data directory does not go beyond SizeOfOptionalHeader. For more information, see section 3.3, “COFF File Header (Object and Image).”
The NumberOfRvaAndSizes field of the optional header should also be used to ensure that no probe for a particular data directory entry goes beyond the optional header. In addition, it is important to validate the optional header magic number for format compatibility.
The optional header magic number determines whether an image is a PE32 or PE32+ executable:
Magic number | PE format |
0x10b | PE32 |
0x20b | PE32+ |
The optional header itself has three major parts:
Offset (PE32/PE32+) | Size (PE32/PE32+) | Header part | Description |
0 | 28/24 | Standard fields | Fields that are defined for all implementations of COFF, including UNIX. |
28/24 | 68/88 | Windows-specific fields | Additional fields to support specific features of Windows (for example, subsystems). |
96/112 | Variable | Data directories | Address/size pairs for special tables that are found in the image file and are used by the operating system (for example, the import table and the export table). |
The first eight fields of the optional header are standard fields that are defined for every implementation of COFF. These fields contain general information that is useful for loading and running an executable file. They are unchanged for the PE32+ format.
Offset | Size | Field | Description |
0 | 2 | Magic | The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which identifies it as a normal executable file. 0x107 identifies it as a ROM image, and 0x20B identifies it as a PE32+ executable. |
2 | 1 | MajorLinkerVersion | The linker major version number. |
3 | 1 | MinorLinkerVersion | The linker minor version number. |
4 | 4 | SizeOfCode | The size of the code (text) section, or the sum of all code sections if there are multiple sections. |
8 | 4 | SizeOfInitializedData | The size of the initialized data section, or the sum of all such sections if there are multiple data sections. |
12 | 4 | SizeOfUninitializedData | The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections. |
16 | 4 | AddressOfEntryPoint | The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero. |
20 | 4 | BaseOfCode | The address that is relative to the image base of the beginning-of-code section when it is loaded into memory. |
Offset | Size | Field | Description |
24 | 4 | BaseOfData | The address that is relative to the image base of the beginning-of-data section when it is loaded into memory. |
The next 21 fields are an extension to the COFF optional header format. They contain additional information that is required by the linker and loader in Windows.
Offset (PE32/ PE32+) | Size (PE32/ PE32+) | Field | Description |
28/24 | 4/8 | ImageBase | The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000. |
32/32 | 4 | SectionAlignment | The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture. |
36/36 | 4 | FileAlignment | The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture’s page size, then FileAlignment must match SectionAlignment. |
40/40 | 2 | MajorOperatingSystemVersion | The major version number of the required operating system. |
42/42 | 2 | MinorOperatingSystemVersion | The minor version number of the required operating system. |
44/44 | 2 | MajorImageVersion | The major version number of the image. |
46/46 | 2 | MinorImageVersion | The minor version number of the image. |
48/48 | 2 | MajorSubsystemVersion | The major version number of the subsystem. |
50/50 | 2 | MinorSubsystemVersion | The minor version number of the subsystem. |
52/52 | 4 | Win32VersionValue | Reserved, must be zero. |
56/56 | 4 | SizeOfImage | The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment. |
60/60 | 4 | SizeOfHeaders | The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment. |
64/64 | 4 | CheckSum | The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process. |
68/68 | 2 | Subsystem | The subsystem that is required to run this image. For more information, see “Windows Subsystem” later in this specification. |
70/70 | 2 | DllCharacteristics | For more information, see “DLL Characteristics” later in this specification. |
72/72 | 4/8 | SizeOfStackReserve | The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached. |
76/80 | 4/8 | SizeOfStackCommit | The size of the stack to commit. |
80/88 | 4/8 | SizeOfHeapReserve | The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached. |
84/96 | 4/8 | SizeOfHeapCommit | The size of the local heap space to commit. |
88/104 | 4 | LoaderFlags | Reserved, must be zero. |
92/108 | 4 | NumberOfRvaAndSizes | The number of data-directory entries in the remainder of the optional header. Each describes a location and size. |
The following values defined for the Subsystem field of the optional header determine which Windows subsystem (if any) is required to run the image.
Constant | Value | Description |
IMAGE_SUBSYSTEM_UNKNOWN | 0 | An unknown subsystem |
IMAGE_SUBSYSTEM_NATIVE | 1 | Device drivers and native Windows processes |
IMAGE_SUBSYSTEM_WINDOWS_GUI | 2 | The Windows graphical user interface (GUI) subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI | 3 | The Windows character subsystem |
IMAGE_SUBSYSTEM_POSIX_CUI | 7 | The Posix character subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI | 9 | Windows CE |
IMAGE_SUBSYSTEM_EFI_APPLICATION | 10 | An Extensible Firmware Interface (EFI) application |
IMAGE_SUBSYSTEM_EFI_BOOT_ SERVICE_DRIVER | 11 | An EFI driver with boot services |
IMAGE_SUBSYSTEM_EFI_RUNTIME_ DRIVER | 12 | An EFI driver with run-time services |
IMAGE_SUBSYSTEM_EFI_ROM | 13 | An EFI ROM image |
IMAGE_SUBSYSTEM_XBOX | 14 | XBOX |
The following values are defined for the DllCharacteristics field of the optional header.
Constant | Value | Description |
0x0001 | Reserved, must be zero. | |
0x0002 | Reserved, must be zero. | |
0x0004 | Reserved, must be zero. | |
0x0008 | Reserved, must be zero. | |
IMAGE_DLL_CHARACTERISTICS_ DYNAMIC_BASE | 0x0040 | DLL can be relocated at load time. |
IMAGE_DLL_CHARACTERISTICS_ FORCE_INTEGRITY | 0x0080 | Code Integrity checks are enforced. |
IMAGE_DLL_CHARACTERISTICS_ NX_COMPAT | 0x0100 | Image is NX compatible. |
IMAGE_DLLCHARACTERISTICS_ NO_ISOLATION | 0x0200 | Isolation aware, but do not isolate the image. |
IMAGE_DLLCHARACTERISTICS_ NO_SEH | 0x0400 | Does not use structured exception (SE) handling. No SE handler may be called in this image. |
IMAGE_DLLCHARACTERISTICS_ NO_BIND | 0x0800 | Do not bind the image. |
0x1000 | Reserved, must be zero. | |
IMAGE_DLLCHARACTERISTICS_ WDM_DRIVER | 0x2000 | A WDM driver. |
IMAGE_DLLCHARACTERISTICS_ TERMINAL_SERVER_AWARE | 0x8000 | Terminal Server aware. |
Each data directory gives the address and size of a table or string that Windows uses. These data directory entries are all loaded into memory so that the system can use them at run time. A data directory is an 8‑byte field that has the following declaration:
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress;
DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
The first field, VirtualAddress, is actually the RVA of the table. The RVA is the address of the table relative to the base address of the image when the table is loaded. The second field gives the size in bytes. The data directories, which form the last part of the optional header, are listed in the following table.
Note that the number of directories is not fixed. Before looking for a specific directory, check the NumberOfRvaAndSizes field in the optional header.
Also, do not assume that the RVAs in this table point to the beginning of a section or that the sections that contain specific tables have specific names.
Offset (PE/PE32+) | Size | Field | Description |
96/112 | 8 | Export Table | The export table address and size. For more information see section 6.3, “The .edata Section (Image Only).” |
104/120 | 8 | Import Table | The import table address and size. For more information, see section 6.4, “The .idata Section.” |
112/128 | 8 | Resource Table | The resource table address and size. For more information, see section 6.9, “The .rsrc Section.” |
120/136 | 8 | Exception Table | The exception table address and size. For more information, see section 6.5, “The .pdata Section.” |
128/144 | 8 | Certificate Table | The attribute certificate table address and size. For more information, see section 5.7, “The Attribute Certificate Table (Image Only).” |
136/152 | 8 | Base Relocation Table | The base relocation table address and size. For more information, see section 6.6, "The .reloc Section (Image Only)." |
144/160 | 8 | Debug | The debug data starting address and size. For more information, see section 6.1, “The .debug Section.” |
152/168 | 8 | Architecture | Reserved, must be 0 |
160/176 | 8 | Global Ptr | The RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero. |
168/184 | 8 | TLS Table | The thread local storage (TLS) table address and size. For more information, see section 6.7, “The .tls Section.” |
176/192 | 8 | Load Config Table | The load configuration table address and size. For more information, see section 6.8, “The Load Configuration Structure (Image Only).” |
184/200 | 8 | Bound Import | The bound import table address and size. |
192/208 | 8 | IAT | The import address table address and size. For more information, see section 6.4.4, “Import Address Table.” |
200/216 | 8 | Delay Import Descriptor | The delay import descriptor address and size. For more information, see section 5.8, “Delay-Load Import Tables (Image Only).” |
208/224 | 8 | CLR Runtime Header | The CLR runtime header address and size. For more information, see section 6.10, “The .cormeta Section (Object Only).” |
216/232 | 8 | Reserved, must be zero |
4 Section Table (Section Headers)
Each row of the section table is, in effect, a section header. This table immediately follows the optional header, if any. This positioning is required because the file header does not contain a direct pointer to the section table. Instead, the location of the section table is determined by calculating the location of the first byte after the headers. Make sure to use the size of the optional header as specified in the file header.
The number of entries in the section table is given by the NumberOfSections field in the file header. Entries in the section table are numbered starting from one (1). The code and data memory section entries are in the order chosen by the linker.
In an image file, the VAs for sections must be assigned by the linker so that they are in ascending order and adjacent, and they must be a multiple of the SectionAlignment value in the optional header.
Each section header (section table entry) has the following format, for a total of 40 bytes per entry:
Offset | Size | Field | Description |
0 | 8 | Name | An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file. |
8 | 4 | VirtualSize | The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files. |
12 | 4 | VirtualAddress | For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation. |
16 | 4 | SizeOfRawData | The size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero. |
20 | 4 | PointerToRawData | The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4‑byte boundary for best performance. When a section contains only uninitialized data, this field should be zero. |
24 | 4 | PointerToRelocations | The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations. |
28 | 4 | PointerToLinenumbers | The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated. |
32 | 2 | NumberOfRelocations | The number of relocation entries for the section. This is set to zero for executable images. |
34 | 2 | NumberOfLinenumbers | The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated. |
36 | 4 | Characteristics | The flags that describe the characteristics of the section. For more information, see section 4.1, “Section Flags.” |
The section flags in the Characteristics field of the section header indicate characteristics of the section.
Flag | Value | Description |
0x00000000 | Reserved for future use. | |
0x00000001 | Reserved for future use. | |
0x00000002 | Reserved for future use. | |
0x00000004 | Reserved for future use. | |
IMAGE_SCN_TYPE_NO_PAD | 0x00000008 | The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. |
0x00000010 | Reserved for future use. | |
IMAGE_SCN_CNT_CODE | 0x00000020 | The section contains executable code. |
IMAGE_SCN_CNT_INITIALIZED_DATA | 0x00000040 | The section contains initialized data. |
IMAGE_SCN_CNT_UNINITIALIZED_ DATA | 0x00000080 | The section contains uninitialized data. |
IMAGE_SCN_LNK_OTHER | 0x00000100 | Reserved for future use. |
IMAGE_SCN_LNK_INFO | 0x00000200 | The section contains comments or other information. The .drectve section has this type. This is valid for object files only. |
0x00000400 | Reserved for future use. | |
IMAGE_SCN_LNK_REMOVE | 0x00000800 | The section will not become part of the image. This is valid only for object files. |
IMAGE_SCN_LNK_COMDAT | 0x00001000 | The section contains COMDAT data. For more information, see section 5.5.6, “COMDAT Sections (Object Only).” This is valid only for object files. |
IMAGE_SCN_GPREL | 0x00008000 | The section contains data referenced through the global pointer (GP). |
IMAGE_SCN_MEM_PURGEABLE | 0x00020000 | Reserved for future use. |
IMAGE_SCN_MEM_16BIT | 0x00020000 | Reserved for future use. |
IMAGE_SCN_MEM_LOCKED | 0x00040000 | Reserved for future use. |
IMAGE_SCN_MEM_PRELOAD | 0x00080000 | Reserved for future use. |
IMAGE_SCN_ALIGN_1BYTES | 0x00100000 | Align data on a 1-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_2BYTES | 0x00200000 | Align data on a 2-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_4BYTES | 0x00300000 | Align data on a 4-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_8BYTES | 0x00400000 | Align data on an 8-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_16BYTES | 0x00500000 | Align data on a 16-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_32BYTES | 0x00600000 | Align data on a 32-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_64BYTES | 0x00700000 | Align data on a 64-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_128BYTES | 0x00800000 | Align data on a 128-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_256BYTES | 0x00900000 | Align data on a 256-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_512BYTES | 0x00A00000 | Align data on a 512-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_1024BYTES | 0x00B00000 | Align data on a 1024-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_2048BYTES | 0x00C00000 | Align data on a 2048-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_4096BYTES | 0x00D00000 | Align data on a 4096-byte boundary. Valid only for object files. |
IMAGE_SCN_ALIGN_8192BYTES | 0x00E00000 | Align data on an 8192-byte boundary. Valid only for object files. |
IMAGE_SCN_LNK_NRELOC_OVFL | 0x01000000 | The section contains extended relocations. |
IMAGE_SCN_MEM_DISCARDABLE | 0x02000000 | The section can be discarded as needed. |
IMAGE_SCN_MEM_NOT_CACHED | 0x04000000 | The section cannot be cached. |
IMAGE_SCN_MEM_NOT_PAGED | 0x08000000 | The section is not pageable. |
IMAGE_SCN_MEM_SHARED | 0x10000000 | The section can be shared in memory. |
IMAGE_SCN_MEM_EXECUTE | 0x20000000 | The section can be executed as code. |
IMAGE_SCN_MEM_READ | 0x40000000 | The section can be read. |
IMAGE_SCN_MEM_WRITE | 0x80000000 | The section can be written to. |
4.2 Grouped Sections (Object Only)
The “$” character (dollar sign) has a special interpretation in section names in object files.
When determining the image section that will contain the contents of an object section, the linker discards the “$” and all characters that follow it. Thus, an object section named .text$X actually contributes to the .text section in the image.
However, the characters following the “$” determine the ordering of the contributions to the image section. All contributions with the same object-section name are allocated contiguously in the image, and the blocks of contributions are sorted in lexical order by object-section name. Therefore, everything in object files with section name .text$X ends up together, after the .text$W contributions and before the .text$Y contributions.
The section name in an image file never contains a “$” character.
相关文章推荐
- Visual Studio, Microsoft Portable Executable and Common Object File Format Specification
- Microsoft Portable Executable and Common Object File Format Specification
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format - Part 1
- The Portable Executable File Format PE文件格式中文翻译文档
- An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- The Portable Executable File Format from Top to Bottom
- Linker and Libraries Guide Chapter 7 Object File Format
- An In-Depth Look into the Win32 Portable Executable File Format
- The Portable Executable File Format from Top to Bottom
- Microsoft Office Word、Excel and PowerPoint 2007 file format compatible package
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format - Part 2
- Inside Windows:An In-Depth Look into the Win32 Portable Executable File Format
- An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
- 探密PE文件格式(Portable Executable File Format)(上)
- Portable Executable FILE FORMAT
- The Portable Executable File Format PE文件格式英文说明文档