Windows PE Basics Supplement

0x00 Preface

This post supplements some of the basic knowledge from the process of learning about Windows PE.

0x01 Process

1. PE file format

On the Win16 platform (Windows 3.x) the executable format was NE.

On the Win32 platform (Windows 9x/NT/2000/XP/2003/Vista/CE) the executable format is PE.

PE stands for Portable Executable File Format. It is the mainstream executable file format on the Windows platform today.

2. The difference between EXE and DLL

The difference between an EXE and a DLL is only semantic: both use exactly the same PE format. The distinction is a single field that marks the file as an EXE or a DLL.

Extensions of the DLL include OCX controls and CPL files (Control Panel applets), among others.

3. The difference between 64-bit Windows and 32-bit Windows

64-bit Windows makes a few modifications to the PE format; the new format is called PE32+. Its 32-bit fields are widened to 64 bits.

4. The data structures of a PE file

The data structures of a PE file also come in 32-bit and 64-bit variants. Which structure is selected depends on the mode the user is compiling in (for example, whether _WIN64 is defined).

5. Where the PE format is defined

The PE format is mainly defined in the header file winnt.h. Almost every definition related to PE files can be found in this header.

6. The concept of a PE file

A PE file uses a flat address space: all code and data are merged together into one large structure. The contents of the file are divided into sections (also called segments, blocks, etc.), and the sections contain code or data.

The sections of a PE file are aligned on page boundaries; a section has no size limit and is a contiguous structure. Each section has its own set of attributes in memory, for example whether it contains code and whether it is read-only or read/write.

7. PE base address

When a PE file is loaded into memory by the Windows loader, the in-memory version is called a module.

The starting address of the mapped file is called the module handle (hModule); other data structures in memory can be reached through this handle. This initial memory address is also called the base address (ImageBase).
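The following C program is an added example, not code from the original post. It ties together points 2 to 7 above: it locates the NT headers through e_lfanew, reads the IMAGE_FILE_DLL bit to tell an EXE from a DLL, reads OptionalHeader.Magic to tell PE32 from PE32+, reads ImageBase from whichever layout applies, and walks the section headers checking page alignment and flagging any section that is both writable and executable. It does not include windows.h; the constants and field offsets are copied from the winnt.h definitions so it compiles on any platform. The input is a constructed, header-only image built by build_sample (sample data for this example, not a real file), and the helper names pe_parse, pe_summary and build_sample are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants and field offsets below mirror the definitions in winnt.h. */
#define IMAGE_DOS_SIGNATURE            0x5A4D       /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550   /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10b        /* PE32 */
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20b        /* PE32+ */
#define IMAGE_FILE_DLL                 0x2000       /* FileHeader.Characteristics bit */
#define IMAGE_SCN_MEM_EXECUTE          0x20000000
#define IMAGE_SCN_MEM_READ             0x40000000
#define IMAGE_SCN_MEM_WRITE            0x80000000
#define IMAGE_SIZEOF_SECTION_HEADER    40

typedef struct {
    int is_dll;                 /* IMAGE_FILE_DLL set in FileHeader.Characteristics */
    int is_pe32plus;            /* OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC */
    uint64_t image_base;        /* OptionalHeader.ImageBase (4 bytes in PE32, 8 in PE32+) */
    uint32_t section_alignment; /* OptionalHeader.SectionAlignment */
    uint16_t num_sections;      /* FileHeader.NumberOfSections */
    int rwx_sections;           /* sections that are both writable and executable */
    int misaligned_sections;    /* sections whose VirtualAddress breaks SectionAlignment */
} pe_summary;

/* Little-endian readers/writers: PE fields are always stored little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the headers of an in-memory PE image. Returns 0 on success or a negative code for
 * malformed/truncated input; every read is bounds-checked against len before it happens. */
int pe_parse(const uint8_t *buf, size_t len, pe_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);            /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -2;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE) return -3;
    const uint8_t *fh = buf + e_lfanew + 4;           /* IMAGE_FILE_HEADER, 20 bytes */
    out->num_sections = rd16(fh + 2);
    uint16_t opt_size = rd16(fh + 16);                /* SizeOfOptionalHeader */
    out->is_dll = (rd16(fh + 18) & IMAGE_FILE_DLL) != 0;
    const uint8_t *opt = fh + 20;                     /* IMAGE_OPTIONAL_HEADER32 or 64 */
    if (opt_size < 40 || len - (size_t)(opt - buf) < opt_size) return -4;
    uint16_t magic = rd16(opt);                       /* Magic decides which layout applies */
    if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        out->is_pe32plus = 1;
        out->image_base = rd64(opt + 24);             /* PE32+: 8-byte ImageBase at offset 24 */
    } else if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        out->image_base = rd32(opt + 28);             /* PE32: BaseOfData at 24, ImageBase at 28 */
    } else return -5;
    out->section_alignment = rd32(opt + 32);          /* same offset in both layouts */
    const uint8_t *sec = opt + opt_size;              /* IMAGE_SECTION_HEADER array follows */
    if ((len - (size_t)(sec - buf)) / IMAGE_SIZEOF_SECTION_HEADER < out->num_sections) return -6;
    for (uint16_t i = 0; i < out->num_sections; i++, sec += IMAGE_SIZEOF_SECTION_HEADER) {
        uint32_t va = rd32(sec + 12);                 /* VirtualAddress */
        uint32_t ch = rd32(sec + 36);                 /* Characteristics */
        if ((ch & IMAGE_SCN_MEM_WRITE) && (ch & IMAGE_SCN_MEM_EXECUTE)) out->rwx_sections++;
        if (out->section_alignment && va % out->section_alignment) out->misaligned_sections++;
    }
    return 0;
}

/* Constructed header-only image (sample data, not a real file): .text is R+X, .data is deliberately W+X. */
size_t build_sample(uint8_t *buf, int dll, int pe32plus)
{
    uint16_t opt_size = pe32plus ? 240 : 224;         /* sizeof IMAGE_OPTIONAL_HEADER64 / 32 */
    size_t total = 0x40 + 4 + 20 + opt_size + 2 * IMAGE_SIZEOF_SECTION_HEADER;
    memset(buf, 0, total);
    wr16(buf, IMAGE_DOS_SIGNATURE); wr32(buf + 0x3c, 0x40);   /* e_lfanew: NT headers at 0x40 */
    uint8_t *fh = buf + 0x40 + 4;
    wr32(buf + 0x40, IMAGE_NT_SIGNATURE);
    wr16(fh + 2, 2); wr16(fh + 16, opt_size);         /* NumberOfSections, SizeOfOptionalHeader */
    wr16(fh + 18, 0x0002 | (dll ? IMAGE_FILE_DLL : 0)); /* IMAGE_FILE_EXECUTABLE_IMAGE [| DLL] */
    uint8_t *opt = fh + 20;
    wr16(opt, pe32plus ? IMAGE_NT_OPTIONAL_HDR64_MAGIC : IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    if (pe32plus) { wr32(opt + 24, 0x40000000); wr32(opt + 28, 1); } /* ImageBase 0x140000000 */
    else          { wr32(opt + 28, 0x00400000); }                    /* ImageBase 0x400000 */
    wr32(opt + 32, 0x1000);                           /* SectionAlignment: one 4 KiB page */
    uint8_t *s = opt + opt_size;
    memcpy(s, ".text", 5);  wr32(s + 12, 0x1000);
    wr32(s + 36, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    s += IMAGE_SIZEOF_SECTION_HEADER;
    memcpy(s, ".data", 5);  wr32(s + 12, 0x2000);
    wr32(s + 36, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE);
    return total;
}

int main(void)
{
    uint8_t img[512]; pe_summary s;
    size_t n = build_sample(img, 1, 1);
    if (pe_parse(img, n, &s) != 0) return 1;
    printf("%s %s ImageBase=0x%llx sections=%u W+X=%d misaligned=%d\n", s.is_dll ? "DLL" : "EXE",
           s.is_pe32plus ? "PE32+" : "PE32", (unsigned long long)s.image_base, s.num_sections,
           s.rwx_sections, s.misaligned_sections);
    return 0;
}
```

Two design points are worth noting. On Windows, winnt.h makes the 32/64 choice at compile time (`#ifdef _WIN64` makes IMAGE_NT_HEADERS an alias of IMAGE_NT_HEADERS64), which is fine for code inspecting its own process; a tool that must handle files of either bitness has to branch on Magic at run time as above. The W+X count is a cheap triage signal, since a normally linked image has no reason to map a section both writable and executable. Finally, hModule equals the ImageBase stored in the file only when the loader can map the module at its preferred address; if it is relocated, the handle is the actual load address, not the value in the header.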
