--------------------------------
The Optional header:

The Optional header immediately follows the COFF header, and its size is indicated by SizeOfOptionalHeader at 0x400096. Despite its name, it is required for executable images. In this case, it starts at file offset 0x98, memory address 0x400098, and is 0xe0 bytes long.

file memory
090  400090                            0b 01 02 15  00 02 00 00
0a0  4000a0  00 04 00 00  00 02 00 00  00 10 00 00  00 10 00 00
0b0  4000b0  00 00 00 00  00 00 40 00  00 10 00 00  00 02 00 00
0c0  4000c0  04 00 00 00  01 00 00 00  04 00 00 00  00 00 00 00
0d0  4000d0  00 50 00 00  00 04 00 00  cd 3f 00 00  03 00 00 00
0e0  4000e0  00 00 20 00  00 10 00 00  00 00 10 00  00 10 00 00
0f0  4000f0  00 00 00 00  10 00 00 00  00 00 00 00  00 00 00 00
100  400100  00 40 00 00  94 00 00 00  00 00 00 00  00 00 00 00
110  400110  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
120  400120  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
130  400130  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
140  400140  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
150  400150  00 00 00 00  00 00 00 00  38 40 00 00  10 00 00 00
160  400160  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
170  400170  00 00 00 00  00 00 00 00

----
file memory  bytes         field
098  400098  0b 01         Magic: 0x10b (normal PE32)
09a  40009a  02            MajorLinkerVersion: 0x2
09b  40009b  15            MinorLinkerVersion: 0x15
09c  40009c  00 02 00 00   SizeOfCode: 0x200
0a0  4000a0  00 04 00 00   SizeOfInitializedData: 0x400
0a4  4000a4  00 02 00 00   SizeOfUninitializedData: 0x200
0a8  4000a8  00 10 00 00   AddressOfEntryPoint: 0x1000 (relative to ImageBase)
0ac  4000ac  00 10 00 00   BaseOfCode: 0x1000 (relative to ImageBase)
0b0  4000b0  00 00 00 00   BaseOfData: 0 (relative to ImageBase)
0b4  4000b4  00 00 40 00   ImageBase: 0x400000

The executable image will be loaded starting at memory address 0x400000. Most memory addresses in the image are relative to this address.
The MZ header will start at memory address 0x400000, but the various sections will be aligned as indicated below.

0b8  4000b8  00 10 00 00   SectionAlignment: 0x1000
0bc  4000bc  00 02 00 00   FileAlignment: 0x200

All sections will be aligned on a 0x1000 (4 KB) boundary in memory. 4 KB is the size of a small page on i386. All sections are aligned on a 0x200 (512 byte) boundary in the file.

0c0  4000c0  04 00         MajorOperatingSystemVersion: 0x4
0c2  4000c2  00 00         MinorOperatingSystemVersion: 0

Note that the program requires NT 5.0 or later. I neglected to tell the linker. Running it in older Windows should result in failure importing "WriteConsoleW".

0c4  4000c4  01 00         MajorImageVersion: 0x1
0c6  4000c6  00 00         MinorImageVersion: 0
0c8  4000c8  04 00         MajorSubsystemVersion: 0x4
0ca  4000ca  00 00         MinorSubsystemVersion: 0
0cc  4000cc  00 00 00 00   Win32VersionValue: 0
0d0  4000d0  00 50 00 00   SizeOfImage: 0x5000 (when loaded into memory)
0d4  4000d4  00 04 00 00   SizeOfHeaders: 0x400 (rounded up to a multiple of FileAlignment)
0d8  4000d8  cd 3f 00 00   CheckSum: 0x3fcd
0dc  4000dc  03 00         Subsystem: 0x3 (IMAGE_SUBSYSTEM_WINDOWS_CUI)

This is a console (character based) application.

0de  4000de  00 00         DllCharacteristics: 0
0e0  4000e0  00 00 20 00   SizeOfStackReserve: 0x200000 (2 MB reserved for the user mode stack)
0e4  4000e4  00 10 00 00   SizeOfStackCommit: 0x1000 (4 KB (1 page) committed for the user mode stack)
0e8  4000e8  00 00 10 00   SizeOfHeapReserve: 0x100000 (1 MB reserved for the heap)
0ec  4000ec  00 10 00 00   SizeOfHeapCommit: 0x1000 (4 KB (1 page) committed for the heap)
0f0  4000f0  00 00 00 00   LoaderFlags: 0
0f4  4000f4  10 00 00 00   NumberOfRvaAndSizes: 0x10

This indicates the size of the array that immediately follows, in elements.

----------------
The data directories.

This is an array of qword entries within the Optional header.
The size of this array, in elements, is indicated by NumberOfRvaAndSizes. In this case, it is an array of 0x10 qwords. It starts at file offset 0xf8, memory address 0x4000f8, and is 0x80 bytes long. Each qword element contains a dword memory address relative to ImageBase, followed by a dword size in bytes. Each directory gives the location and size of a table. As noted in the specification, don't assume that these tables are at the start of a section, or appear in a section with a particular name.

file memory  bytes                      directory
0f8  4000f8  00 00 00 00  00 00 00 00   Export Table: 0 (This would be used for exporting DLL symbols.)
100  400100  00 40 00 00  94 00 00 00   Import Table: Address 0x4000 (relative to ImageBase), Size 0x94

The import table is at memory address 0x404000.

108  400108  00 00 00 00  00 00 00 00   Resource Table: 0 (This would be used for resources, such as icons, cursors, menus, and version information.)
110  400110  00 00 00 00  00 00 00 00   Exception Table: 0
118  400118  00 00 00 00  00 00 00 00   Certificate Table: 0
120  400120  00 00 00 00  00 00 00 00   Base Relocation Table: 0 (This would be used to patch memory addresses if a DLL could not be loaded at the preferred base specified in ImageBase.)
128  400128  00 00 00 00  00 00 00 00   Debug: 0
130  400130  00 00 00 00  00 00 00 00   Architecture: 0
138  400138  00 00 00 00  00 00 00 00   Global Ptr: 0
140  400140  00 00 00 00  00 00 00 00   TLS Table: 0 (Thread Local Storage.)
148  400148  00 00 00 00  00 00 00 00   Load Config Table: 0
150  400150  00 00 00 00  00 00 00 00   Bound Import: 0
158  400158  38 40 00 00  10 00 00 00   IAT: Address 0x4038 (relative to ImageBase), Size 0x10

The import address table is at memory address 0x404038.

160  400160  00 00 00 00  00 00 00 00   Delay Import Descriptor: 0
168  400168  00 00 00 00  00 00 00 00   CLR Runtime Header: 0
170  400170  00 00 00 00  00 00 00 00   Reserved: 0
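As an added example (not code from the original page), the following Python decodes the 0xe0 header bytes dumped above into the fields walked through here, and applies the consistency checks a header parser should make before trusting any of them: NumberOfRvaAndSizes capped at 16 and fitting inside SizeOfOptionalHeader, alignment values sane, entry point and every data directory inside SizeOfImage. The byte string is constructed from the dump; the field and directory names follow the PE specification's order.

```python
import struct

# PE32 (Magic 0x10b) Optional header: 96 fixed bytes, then the data directories.
FMT = "<HBB9I6H4I2H6I"
NAMES = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode "
         "SizeOfInitializedData SizeOfUninitializedData AddressOfEntryPoint "
         "BaseOfCode BaseOfData ImageBase SectionAlignment FileAlignment "
         "MajorOperatingSystemVersion MinorOperatingSystemVersion "
         "MajorImageVersion MinorImageVersion MajorSubsystemVersion "
         "MinorSubsystemVersion Win32VersionValue SizeOfImage SizeOfHeaders "
         "CheckSum Subsystem DllCharacteristics SizeOfStackReserve "
         "SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags "
         "NumberOfRvaAndSizes").split()
DIR_NAMES = ("Export Import Resource Exception Certificate BaseRelocation Debug "
             "Architecture GlobalPtr TLS LoadConfig BoundImport IAT DelayImport "
             "CLRRuntime Reserved").split()

# Constructed from the hex dump on this page: the 0xe0 bytes at file offset 0x98.
SAMPLE = bytes.fromhex(
    "0b01021500020000" "00040000000200000010000000100000"
    "00000000000040000010000000020000" "04000000010000000400000000000000"
    "0050000000040000cd3f000003000000" "00002000001000000000100000100000"
    "00000000100000000000000000000000" "00400000940000000000000000000000"
    + "00" * 64 + "00000000000000003840000010000000" + "00" * 24)

def parse_optional_header(blob, size_of_optional_header):
    """Parse a PE32 Optional header, rejecting values a loader must not trust."""
    fixed = struct.calcsize(FMT)  # 96: offset of the data directory array
    if len(blob) < fixed or size_of_optional_header < fixed:
        raise ValueError("optional header truncated")
    hdr = dict(zip(NAMES, struct.unpack_from(FMT, blob)))
    if hdr["Magic"] != 0x10B:
        raise ValueError("not a PE32 (0x10b) optional header")
    fa, sa = hdr["FileAlignment"], hdr["SectionAlignment"]
    if fa == 0 or fa & (fa - 1) or sa < fa or hdr["SizeOfHeaders"] % fa:
        raise ValueError("inconsistent FileAlignment/SectionAlignment/SizeOfHeaders")
    if hdr["AddressOfEntryPoint"] >= hdr["SizeOfImage"]:
        raise ValueError("entry point lies outside the image")
    n = hdr["NumberOfRvaAndSizes"]
    # Untrusted count: cap at 16 and require the array to fit in SizeOfOptionalHeader.
    if n > 16 or fixed + n * 8 > min(size_of_optional_header, len(blob)):
        raise ValueError("NumberOfRvaAndSizes does not fit the header")
    dirs = {}
    for i in range(n):
        rva, size = struct.unpack_from("<II", blob, fixed + i * 8)
        if rva and rva + size > hdr["SizeOfImage"]:
            raise ValueError(f"{DIR_NAMES[i]} directory lies outside the image")
        dirs[DIR_NAMES[i]] = (rva, size)
    hdr["DataDirectory"] = dirs
    return hdr
```

Calling parse_optional_header(SAMPLE, 0xe0) yields the values listed above, including Import at (0x4000, 0x94) and IAT at (0x4038, 0x10); passing a SizeOfOptionalHeader too small for 16 directory entries raises ValueError.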