3 File Headers


The PE file header consists of an MS-DOS stub, the PE signature, the COFF File Header, and an Optional header. A COFF object file header consists of a COFF File Header and an Optional Header. In both cases, the file headers are followed immediately by section headers.

3.1 MS-DOS Stub (Image Only)

The MS-DOS Stub is a valid application that runs under MS-DOS and is placed at the front of the .EXE image. The linker places a default stub here, which prints out the message "This program cannot be run in DOS mode" when the image is run in MS-DOS. The user can specify another stub by using the /STUB linker option.

At location 0x3c, the stub has the file offset to the Portable Executable (PE) signature. This information enables Windows to properly execute the image file, even though it has a DOS Stub. This file offset is placed at location 0x3c during linking.

3.2 Signature (Image Only)

After the MS-DOS stub, at the file offset specified at offset 0x3c, there is a 4-byte signature identifying the file as a PE format image file. Currently, this signature is "PE\0\0" (the letters "P" and "E" followed by two null bytes).

3.3 COFF File Header (Object & Image)

At the beginning of an object file, or immediately after the signature of an image file, there is a standard COFF header of the following format. Note that the Windows loader limits the Number of Sections to 96.

Offset

Size

Field

Description

0

2

Machine

Number identifying type of target machine. See Section 3.3.1, "Machine Types," for more information.

2

2

NumberOfSections

Number of sections; indicates size of the Section Table, which immediately follows the headers.

4

4

TimeDateStamp

The low 32-bits of the number of seconds since 00:00 January 1, 1970 (a C Runtime time_t value) when the file was created.

8

4

PointerToSymbolTable

File offset of the COFF symbol table or 0 if none is present. Should be zero for an image as COFF debugging information is deprecated.

12

4

NumberOfSymbols

Number of entries in the symbol table. This data can be used in locating the string table, which immediately follows the symbol table. Should be zero for an image as COFF debugging information is deprecated.

16

2

SizeOfOptionalHeader

Size of the optional header, which is required for executable files but not for object files. An object file should have a value of 0 here. The format is described in the section "Optional Header."

18

2

Characteristics

Flags indicating attributes of the file. See Section 3.3.2, "Characteristics," for specific flag values.

3.3.1 Machine Types

The Machine field has one of the following values, defined below, which specify its machine (CPU) type. An image file can be run only on the specified machine, or a system emulating it.

Constant

Value

Description

IMAGE_FILE_MACHINE_UNKNOWN

0x0

Contents assumed to be applicable to any machine type.

IMAGE_FILE_MACHINE_AM33

0x1d3

Matsushita AM33

IMAGE_FILE_MACHINE_AMD64

0x8664

AMD AMD64

IMAGE_FILE_MACHINE_ARM

0x1c0

ARM little endian

IMAGE_FILE_MACHINE_CEE

0xc0ee

clr pure MSIL (object only)

IMAGE_FILE_MACHINE_EBC

0xebc

EFI Byte Code

IMAGE_FILE_MACHINE_I386

0x14c

Intel 386 or later, and compatible processors

IMAGE_FILE_MACHINE_IA64

0x200

Intel IA64

IMAGE_FILE_MACHINE_M32R

0x9041

Mitsubishi M32R little endian

IMAGE_FILE_MACHINE_MIPS16

0x266

 

IMAGE_FILE_MACHINE_MIPSFPU

0x366

MIPS with FPU

IMAGE_FILE_MACHINE_MIPSFPU16

0x466

MIPS16 with FPU

IMAGE_FILE_MACHINE_POWERPC

0x1f0

Power PC, little endian

IMAGE_FILE_MACHINE_POWERPCFP

0x1f1

Power PC with floating point support

IMAGE_FILE_MACHINE_R4000

0x166

MIPS little endian

IMAGE_FILE_MACHINE_SH3

0x1a2

Hitachi SH3

IMAGE_FILE_MACHINE_SH3DSP

0x1a3

Hitachi SH3 DSP

IMAGE_FILE_MACHINE_SH4

0x1a6

Hitachi SH4

IMAGE_FILE_MACHINE_SH5

0x1a8

Hitachi SH5

IMAGE_FILE_MACHINE_THUMB

0x1c2

Thumb

IMAGE_FILE_MACHINE_WCEMIPSV2

0x169

MIPS little endian WCE v2

3.3.2 Characteristics

The Characteristics field contains flags that indicate attributes of the object or image file. The following flags are currently defined:

Flag

Value

Description

IMAGE_FILE_RELOCS_STRIPPED

0x0001

Image only, Windows CE, Windows NT and above. Indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from EXEs.

IMAGE_FILE_EXECUTABLE_IMAGE

0x0002

Image only. Indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error.

IMAGE_FILE_LINE_NUMS_STRIPPED

0x0004

COFF line numbers have been removed. Deprecated and should be zero.

IMAGE_FILE_LOCAL_SYMS_STRIPPED

0x0008

COFF symbol table entries for local symbols have been removed. Deprecated and should be zero.

IMAGE_FILE_AGGRESSIVE_WS_TRIM

0x0010

Obsolete. Aggressively trim working set. Deprecated in Windows 2000 and later. Must be zero.

IMAGE_FILE_LARGE_ADDRESS_AWARE

0x0020

App can handle > 2gb addresses.

 

0x0040

Use of this flag is reserved for future use.

IMAGE_FILE_BYTES_REVERSED_LO

0x0080

Little endian: LSB precedes MSB in memory. Deprecated and should be zero.

IMAGE_FILE_32BIT_MACHINE

0x0100

Machine based on 32-bit-word architecture.

IMAGE_FILE_DEBUG_STRIPPED

0x0200

Debugging information removed from image file.

IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

0x0400

If image is on removable media, fully load it and copy it to the swap file.

IMAGE_FILE_NET_RUN_FROM_SWAP

0x0800

If image is on network media, fully load it and copy it to the swap file.

IMAGE_FILE_SYSTEM

0x1000

The image file is a system file, not a user program.

IMAGE_FILE_DLL

0x2000

The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run.

IMAGE_FILE_UP_SYSTEM_ONLY

0x4000

File should be run only on a UP machine.

IMAGE_FILE_BYTES_REVERSED_HI

0x8000

Big endian: MSB precedes LSB in memory. Deprecated and should be zero.

3.4 Optional Header (Image Only)

Every image file has an Optional Header that provides information to the loader. This header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. An object file may have an optional header, but generally this header has no function in an object file except to increase size.

Note that the size of the optional header is not fixed. The SizeOfOptionalHeader field in the COFF Header (see Section 3.3, "COFF File Header (Object & Image)") must be used to validate that a probe into the file for a particular Data Directory does not go beyond the SizeOfOptionalHeader. The NumberOfRvaAndSizes field of the Optional Header should also be used to ensure that no probe for a particular Data Directory entry goes beyond the Optional Header. In addition, it is important to validate the Optional Header's Magic number for format compatibility.

The Optional Header's Magic number determines whether an image is a PE32 or PE32+ executable:

Magic Number

PE Format

0x10b

PE32

0x20b

PE32+

PE32+ images allow for a 64-bit address space while limiting the image size to 2 Gigabytes. Other PE32+ modifications are addressed in their respective sections.

The Optional Header itself has three major parts:

Offset (PE32/PE32+)

Size (PE32/PE32+)

Header Part

Description

0

28/24

Standard fields

These are defined for all implementations of COFF, including UNIX.

28/24

68 / 88

Windows specific fields

These include additional fields to support specific features of Windows (for example, subsystem).

96/112

Variable

Data directories

These fields are address/size pairs for special tables, found in the image file and used by the operating system (for example, Import Table and Export Table).

3.4.1 Optional Header Standard Fields (Image Only)

The first eight fields of the Optional Header are standard fields, defined for every implementation of COFF. These fields contain general information useful for loading and running an executable file, and are unchanged for the PE32+ format.

Offset

Size

Field

Description

0

2

Magic

Unsigned integer identifying the state of the image file. The most common number is 0x10B, identifying it as a normal executable file, 0x107 identifies a ROM image, and 0x20B identifies it as a PE32+ executable.

2

1

MajorLinkerVersion

Linker major version number.

3

1

MinorLinkerVersion

Linker minor version number.

4

4

SizeOfCode

Size of the code (text) section, or the sum of all code sections if there are multiple sections.

8

4

SizeOfInitializedData

Size of the initialized data section, or the sum of all such sections if there are multiple data sections.

12

4

SizeOfUninitializedData

Size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections.

16

4

AddressOfEntryPoint

Address of entry point, relative to image base, when executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When none is present this field must be 0.

20

4

BaseOfCode

Address, relative to image base, of beginning of code section, when loaded into memory.

PE32 contains this additional field, absent in PE32+, following BaseOfCode:

24

4

BaseOfData

Address, relative to image base, of beginning of data section, when loaded into memory.

3.4.2 Optional Header Windows-Specific Fields (Image Only)

The next twenty-one fields are an extension to the COFF Optional Header format and contain additional information needed by the linker and loader in Windows.

Offset (PE32/PE32+)

Size (PE32/PE32+)

Field

Description

28 / 24

4 / 8

ImageBase

Preferred address of first byte of image when loaded into memory; must be a multiple of 64K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.

32 / 32

4

SectionAlignment

Alignment (in bytes) of sections when loaded into memory. Must [be] greater or equal to File Alignment. Default is the page size for the architecture.

36 / 36

4

FileAlignment

Alignment factor (in bytes) used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K inclusive. The default is 512. If the SectionAlignment is less than the architecture's page size, then this must match the SectionAlignment.

40 / 40

2

MajorOperatingSystemVersion

Major version number of required OS.

42 / 42

2

MinorOperatingSystemVersion

Minor version number of required OS.

44 / 44

2

MajorImageVersion

Major version number of image.

46 / 46

2

MinorImageVersion

Minor version number of image.

48 / 48

2

MajorSubsystemVersion

Major version number of subsystem.

50 / 50

2

MinorSubsystemVersion

Minor version number of subsystem.

52 / 52

4

Win32VersionValue

Reserved, must be zero.

56 / 56

4

SizeOfImage

Size, in bytes, of the image, including all headers as it is loaded in memory; must be a multiple of Section Alignment.

60 / 60

4

SizeOfHeaders

Combined size of MS-DOS stub, PE Header, and section headers rounded up to a multiple of FileAlignment.

64 / 64

4

CheckSum

Image file checksum. The algorithm for computing is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that ends up in the server.

68 / 68

2

Subsystem

Subsystem required to run this image. See "Windows Subsystem" below for more information.

70 / 70

2

DllCharacteristics

See "DLL Characteristics" below for more information.

72 / 72

4 / 8

SizeOfStackReserve

Size of stack to reserve. Only the Stack Commit Size is committed; the rest is made available one page at a time, until reserve size is reached.

76 / 80

4 / 8

SizeOfStackCommit

Size of stack to commit.

80 / 88

4 / 8

SizeOfHeapReserve

Size of local heap space to reserve. Only the Heap Commit Size is committed; the rest is made available one page at a time, until reserve size is reached.

84 / 96

4 / 8

SizeOfHeapCommit

Size of local heap space to commit.

88 / 104

4

LoaderFlags

Reserved, must be zero.

92 / 108

4

NumberOfRvaAndSizes

Number of data-directory entries in the remainder of the Optional Header. Each describes a location and size.

Windows Subsystem

The following values, defined for the Subsystem field of the Optional Header, determine what, if any, Windows subsystem is required to run the image.

Constant

Value

Description

IMAGE_SUBSYSTEM_UNKNOWN

0

Unknown subsystem.

IMAGE_SUBSYSTEM_NATIVE

1

Used for device drivers and native Windows processes.

IMAGE_SUBSYSTEM_WINDOWS_GUI

2

Image runs in the Windows graphical user interface (GUI) subsystem.

IMAGE_SUBSYSTEM_WINDOWS_CUI

3

Image runs in the Windows character subsystem.

IMAGE_SUBSYSTEM_POSIX_CUI

7

Image runs in the Posix character subsystem.

IMAGE_SUBSYSTEM_WINDOWS_CE_GUI

9

Image runs in Windows CE.

IMAGE_SUBSYSTEM_EFI_APPLICATION

10

Image is an EFI (Extensible Firmware Interface) application.

IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER

11

Image is an EFI driver with boot services.

IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER

12

Image is an EFI driver with runtime services.

IMAGE_SUBSYSTEM_EFI_ROM

13

Image is an EFI ROM image.

IMAGE_SUBSYSTEM_XBOX

14

Image runs in XBOX.

IMAGE_SUBSYSTEM_NEXUS_AGENT

15

 

DLL Characteristics

The following values are defined for the DllCharacteristics field of the Optional Header.

Constant

Value

Description

 

0x0001

Reserved.

 

0x0002

Reserved.

 

0x0004

Reserved.

 

0x0008

Reserved.

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION

0x0200

Image understands isolation and doesn't want it.

IMAGE_DLLCHARACTERISTICS_NO_SEH

0x0400

Image does not use SEH. No SE handler may be called in this image.

IMAGE_DLLCHARACTERISTICS_NO_BIND

0x0800

Do not bind image.

 

0x1000

Reserved, must be zero.

IMAGE_DLLCHARACTERISTICS_WDM_DRIVER

0x2000

Driver is a WDM Driver.

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

0x8000

Image is Terminal Server aware.

3.4.3 Optional Header Data Directories (Image Only)

Each data directory gives the address and size of a table or string used by Windows. These data directory entries are all loaded into memory so that they can be used by the system at run time. A data directory is an eight-byte field that has the following declaration:

 
 typedef struct _IMAGE_DATA_DIRECTORY {     DWORD   VirtualAddress;     DWORD   Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; 

The first field, VirtualAddress, is actually the relative virtual address of the table. The RVA is the address of the table, when loaded, relative to the base address of the image. The second field gives the size in bytes. The data directories, which form the last part of the Optional Header, are listed below.

Note that the number of directories is not fixed. The NumberOfRvaAndSizes field in the optional header should be checked before looking for a specific directory.

Do not assume that the RVAs given in this table point to the beginning of a section or that the sections containing specific tables have specific names.

Offset (PE/PE32+)

Size

Field

Description

96/112

8

Export Table

Export Table address and size.

104/120

8

Import Table

Import Table address and size.

112/128

8

Resource Table

Resource Table address and size.

120/136

8

Exception Table

Exception Table address and size.

128/144

8

Certificate Table

Attribute Certificate Table address and size.

136/152

8

Base Relocation Table

Base Relocation Table address and size.

144/160

8

Debug

Debug data starting address and size.

152/168

8

Architecture

Architecture-specific data address and size.

160/176

8

Global Ptr

Relative virtual address of the value to be stored in the global pointer register. Size member of this structure must be set to 0.

168/184

8

TLS Table

Thread Local Storage (TLS) Table address and size.

176/192

8

Load Config Table

Load Configuration Table address and size.

184/200

8

Bound Import

Bound Import Table address and size.

192/208

8

IAT

Import Address Table address and size.

200/216

8

Delay Import Descriptor

Address and size of the Delay Import Descriptor.

208/224

8

clr Runtime Header

clr Runtime Header address and size.

216/232

8

Reserved

The Certificate Table entry points to a table of attribute certificates. These certificates are not loaded into memory as part of the image. As such, the first field of this entry, which is normally an RVA, is a File Pointer instead.



The Common Language Infrastructure Annotated Standard (Microsoft. NET Development Series)
The Common Language Infrastructure Annotated Standard (Microsoft. NET Development Series)
ISBN: N/A
EAN: N/A
Year: 2002
Pages: 121

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net