3. Structure of PE documents

3.2 NT head

By an image_ NT_ Heads structure, which contains the important fields needed when PE files are loaded into memory. Through E in DOS header_ Lfanew, you can directly locate the real PE Header part. The size of this structure is 0xf8 bytes.

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;						//PE signature
    IMAGE_FILE_HEADER FileHeader;			//PE head
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;	//PE optional head
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

3.2.1 Signature

The data size is 0x04 bytes, its value is fixed bit 0x4550, and ASCII characters are displayed as PE identification. From the above calculation to the starting position 0x00e0 of PE header, it can be seen that the first four bytes are indeed PE.

3.2.2 FileHeader

PE file header data is generated by image_ FILE_ The header structure is composed of 0x14 bytes. The specific contents of the structure are as follows:

typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;					//The MAchine code of CPU is 0x014c for Intel 386
    WORD    NumberOfSections;			//Number of sections
    DWORD   TimeDateStamp;				//File creation date
    DWORD   PointerToSymbolTable;		//Offset of COFF file symbol table in file
    DWORD   NumberOfSymbols;			//Number of symbol tables
    WORD    SizeOfOptionalHeader;		//Optional header size, fixed value 0xe0
    WORD    Characteristics;			//File information flags such as dll and exe	
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

The specific information of each member is as follows:

• Machine

  The size of the data is 2 bytes, which identifies the operation platform of the file, and its value is as follows:

  #define IMAGE_FILE_MACHINE_UNKNOWN           0
  #define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
  #define IMAGE_FILE_MACHINE_R3000             0x0162  // MIPS little-endian, 0x160 big-endian
  #define IMAGE_FILE_MACHINE_R4000             0x0166  // MIPS little-endian
  #define IMAGE_FILE_MACHINE_R10000            0x0168  // MIPS little-endian
  #define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169  // MIPS little-endian WCE v2
  #define IMAGE_FILE_MACHINE_ALPHA             0x0184  // Alpha_AXP
  #define IMAGE_FILE_MACHINE_SH3               0x01a2  // SH3 little-endian
  #define IMAGE_FILE_MACHINE_SH3DSP            0x01a3
  #define IMAGE_FILE_MACHINE_SH3E              0x01a4  // SH3E little-endian
  #define IMAGE_FILE_MACHINE_SH4               0x01a6  // SH4 little-endian
  #define IMAGE_FILE_MACHINE_SH5               0x01a8  // SH5
  #define IMAGE_FILE_MACHINE_ARM               0x01c0  // ARM Little-Endian
  #define IMAGE_FILE_MACHINE_THUMB             0x01c2
  #define IMAGE_FILE_MACHINE_AM33              0x01d3
  #define IMAGE_FILE_MACHINE_POWERPC           0x01F0  // IBM PowerPC Little-Endian
  #define IMAGE_FILE_MACHINE_POWERPCFP         0x01f1
  #define IMAGE_FILE_MACHINE_IA64              0x0200  // Intel 64
  #define IMAGE_FILE_MACHINE_MIPS16            0x0266  // MIPS
  #define IMAGE_FILE_MACHINE_ALPHA64           0x0284  // ALPHA64
  #define IMAGE_FILE_MACHINE_MIPSFPU           0x0366  // MIPS
  #define IMAGE_FILE_MACHINE_MIPSFPU16         0x0466  // MIPS
  #define IMAGE_FILE_MACHINE_AXP64             IMAGE_FILE_MACHINE_ALPHA64
  #define IMAGE_FILE_MACHINE_TRICORE           0x0520  // Infineon
  #define IMAGE_FILE_MACHINE_CEF               0x0CEF
  #define IMAGE_FILE_MACHINE_EBC               0x0EBC  // EFI Byte Code
  #define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)
  #define IMAGE_FILE_MACHINE_M32R              0x9041  // M32R little-endian
  #define IMAGE_FILE_MACHINE_CEE               0xC0EE
  

  

  You can see that the machine code of the file is 0x014c. From the above information, it is Intel 386.

• NumberOfSections

  The data size is 2 bytes, which identifies how many sections the PE file contains.

  

  You can see that the number of sections of the PE file is 0x0005, that is, 5. Use PE tools to view that the PE contains 5 sections

  

• TimeDateStamp

  The data size is 4 bytes, which identifies the creation time of the PE file.

  

  The creation time of the PE file is 0x61767c9c, which represents the number of seconds from 0:0 on January 1, 1970 to the creation time.

  

  You can use PE tools to view the data and analyze it to get the specific time.

• PointerToSymbolTable

  The data size is 4 bytes, indicating the offset of COFF file symbol table in the file, and the value in the PE file is 0.

  

• NumberOfSymbols

  The data size is 4 bytes, indicating the number of symbol tables, and the value in the PE file is 0.

  

• SizeOfOptionalHeader

  The data size is 2 bytes, which identifies the size of PE optional header, and its value is fixed as 0xE0. The optional header will be explained in the next section.

  

• Characteristics

  The data size is 2 bytes and identifies the properties of the executable file. The 2 bytes are 16 bits in total. From low to high, each bit represents an attribute (the 7th bit does not represent it). Each 1 indicates that it has the attribute, and 0 indicates that it does not have the attribute. The specific contents of its attributes are as follows:

  #define IMAGE_ FILE_ RELOCS_ Stripped 0x0001 / / bit 1 Relocation info stripped from file
  #define IMAGE_ FILE_ EXECUTABLE_ Image 0x0002 / / bit 2 file is executable (i.e. no unresolved external references)
  #define IMAGE_ FILE_ LINE_ NUMS_ Stripped 0x0004 / / line nunbers striped from file
  #define IMAGE_ FILE_ LOCAL_ SYMS_ Stripped 0x0008 / / bit 4 local symbols striped from file
  #define IMAGE_ FILE_ AGGRESIVE_ WS_ Trim 0x0010 / / bit 5 aggressive trim working set
  #define IMAGE_ FILE_ LARGE_ ADDRESS_ Aware 0x0020 / / bit 6 app can handle > 2GB addresses
  #define IMAGE_ FILE_ BYTES_ REVERSED_ Lo 0x0080 / / bit 8 Bytes of machine word are reversed
  #define IMAGE_ FILE_ 32BIT_ Machine 0x0100 / / bit 9 32-bit word machine
  #define IMAGE_ FILE_ DEBUG_ Stripped 0x0200 / / bit 10 debugging info striped from file in. DBG file
  #define IMAGE_ FILE_ REMOVABLE_ RUN_ FROM_ Swap 0x0400 / / bit 11 If Image is on removable media, copy and run from the swap file
  #define IMAGE_ FILE_ NET_ RUN_ FROM_ Swap 0x0800 / / bit 12 If Image is on Net, copy and run from the swap file
  #define IMAGE_ FILE_ System 0x1000 / / bit 13 System File
  #define IMAGE_ FILE_ DLL 0x2000 / / bit 14 File is a DLL
  #define IMAGE_ FILE_ UP_ SYSTEM_ Only 0x4000 / / bit 15 File should only be run on a UP machine
  #define IMAGE_ FILE_ BYTES_ REVERSED_ Hi 0x8000 / / bit 16 Bytes of machine word are reversed
  

  

  You can see that the attribute value of the file is 0x0102, i.e. 0000 0001 0000 0010, and the 2nd and 9th bits of the file are 1, indicating that the file is an executable file and requires a 32-bit machine.

3.2.3 OptionalHeader

This data is provided by IMAGE_OPTIONAL_HEADER32 structure is composed of 0xE0 bytes, which is consistent with the SizeOfOptionalHeader ID in FileHeader. The optional header contains a lot of important information about the executable image, which is indispensable header information. The specific contents of the structure are as follows:

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16
typedef struct _IMAGE_OPTIONAL_HEADER {
    // Standard domain
    WORD    Magic;						//Optional header type
    BYTE    MajorLinkerVersion;			//Version number of the main linker
    BYTE    MinorLinkerVersion;			//Version number of the secondary linker
    DWORD   SizeOfCode;					//Code segment size
    DWORD   SizeOfInitializedData;		//Initialize data size
    DWORD   SizeOfUninitializedData;	//Uninitialized data size
    DWORD   AddressOfEntryPoint;		//Program entry point address RVA
    DWORD   BaseOfCode;					//Code segment start base RVA
    DWORD   BaseOfData;					//Data segment start base address RVA

    // NT additional domain
    DWORD   ImageBase;					//Mirror base address
    DWORD   SectionAlignment;			//Section alignment size in memory
    DWORD   FileAlignment;				//Alignment size of section in file
    WORD    MajorOperatingSystemVersion;//Version number of main operating system
    WORD    MinorOperatingSystemVersion;//Secondary operating system version number
    WORD    MajorImageVersion;			//Master image version number
    WORD    MinorImageVersion;			//Secondary image version number
    WORD    MajorSubsystemVersion;		//Version number of main subsystem
    WORD    MinorSubsystemVersion;		//Subsystem version number
    DWORD   Win32VersionValue;			//Win32 version value, must be 0
    DWORD   SizeOfImage;				//Image size in memory
    DWORD   SizeOfHeaders;				//Physical size of PE header, aligned with FileAlignment
    DWORD   CheckSum;					//Checksum
    WORD    Subsystem;					//Subsystem
    WORD    DllCharacteristics;			//DLL flag
    DWORD   SizeOfStackReserve;			//The amount of memory reserved at runtime for each thread stack
    DWORD   SizeOfStackCommit;			//Initial memory occupied by each thread stack at run time
    DWORD   SizeOfHeapReserve;			//Memory size reserved for process heap at runtime
    DWORD   SizeOfHeapCommit;			//Initial memory occupied by the runtime process heap
    DWORD   LoaderFlags;				//Loader flag, must be 0
    DWORD   NumberOfRvaAndSizes;		//The number of items in the data directory is IMAGE_NUMBEROF_DIRECTORY_ENTRIES is 0x0010
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];//Data directory
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

Next, we will introduce the specific contents of each member:

• Magic

  The data size is 2 bytes and identifies the type of optional header, mainly including the following:

  #define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x010B 	// 32-bit application
  #define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x020B 	// 64 bit applications
  #define IMAGE_ROM_OPTIONAL_HDR_MAGIC       0x0107 	// ROM image
  

  

  The magic of the optional header of the PE file is 0x010B, and the description is a 32-bit application.

• MajorLinkerVersion and MinorLinkerVersion

  Both data sizes are 1 byte, identifying the version of the primary / secondary linker

  

  It can be seen from the figure that the main linker value of this PE is 0x0A and the sub linker value is 0.

• SizeOfCode

  The data size is 4 bytes, which identifies the physical size of the code segment (. text) in the PE file.

  

  It can be seen that the. text segment size of the PE file is 0x0C00, and the section size viewed by PE tools is also this value.

  

• SizeOfInitializedData and SizeOfUninitializedData

  Both data sizes are 4 bytes, identifying the size of initialized and uninitialized data respectively

  

  It can be seen that the initialized data size of the PE file is 0x1400 bytes and the uninitialized size is 0.

• AddressOfEntryPoint

  The data size is 4 bytes, identifying the entry address of the program. When the PE file is loaded into memory, it will calculate the entry VA of the program according to the RVA address plus the ImageBase base address, and execute the whole program from there.

  

  It can be seen that the EP (RVA) of the PE file is 0x15A8. Generally, the base address of the PE file is 0x400000. Therefore, when the PE file is loaded into memory, the program instruction will be executed from 0x4015A8.

• BaseOfCode

  The data size is 4 bytes and identifies the RVA of the starting address of the code segment (. text)

  

  The RVA of the. text section of the PE file is 0x1000, which can be viewed from PE tools

  

• BaseOfData

  The data size is 4 bytes and identifies the RVA of the starting address of the data segment (. rdata,. Data,. idata)

  

  The RVA of the. text section of the PE file is 0x2000, which can be viewed from PE tools

  

• ImageBase

  The data size is 4 bytes, which identifies the base address of the PE file loaded into the virtual memory. Generally, the PE file will be loaded to 0x400000.

  

  The base address of the PE file is also 0x400000.

• SectionAlignment

  The data size is 4 bytes, which identifies the size to be aligned when all sections are loaded into memory, that is, the size of each section should be an integer multiple of this data.

  

  The section alignment size of the PE file is 0x1000 bytes. View the section information from PE tools

  

  You can see that the virtual memory start offset of each section is an integer multiple of 0x1000.

• FileAlignment

  The data size is 4 bytes, which identifies the size of all sections to be aligned in the physical disk, that is, the size of each section should be an integer multiple of this data.

  

  The physical alignment size in the PE file is 0x0200 bytes. View the section information from PE tools

  

  You can see that the physical start offset of each section is an integer multiple of 0x0200.

• MajorOperatingSystemVersion and MinorOperatingSystemVersion

  The size of both data is 2 bytes, which identifies the version number of the primary / secondary operating system required to run the PE file. This data is not important.

  

  The primary OS version number of the PE file is 0x05 and the secondary OS version number is 0x01.

• MajorImageVersion and MinorImageVersion

  Both data sizes are 2 bytes, identifying the primary / secondary version of the image, which is specified by the developer

  

  The primary image version number of the PE file is 0 and the secondary image version number is 0.

• MajorSubsystemVersion and MajorSubsystemVersion

  The size of both data is 2 bytes, which identifies the version number of the primary / secondary operating system required to run the PE file. This data is not important.

  

  The primary OS version number of the PE file is 0x05 and the secondary OS version number is 0x01.

• Win32VersionValue

  The data size is 4 bytes and its value must be 0.
  

• SizeOfImage

  The data size is 4 bytes, which identifies the size of the virtual address space occupied by the PE file when it is loaded into memory, starting from the base address. The value is aligned according to SectionAlignment. If the values of SectionAlignment and FileAlignment are equal, the size of the PE file on the physical disk is also the value.

  

  The image size of the PE file in the virtual address space is 0x6000 bytes.

• SizeOfHeaders

  The data size is 4 bytes, which identifies the size of the PE header (from the beginning of the file to the end of the section table)

  

  The PE header size of the PE file is 0x0400 bytes.

• CheckSum

  The data size is 4 bytes, which identifies the checksum of the PE file.

  

  The checksum of the PE file is 0x5D6B

• Subsystem

  The data size is 2 bytes, which identifies the subsystem required to run the PE file. Its values are as follows:

  #define IMAGE_SUBSYSTEM_UNKNOWN              0   // Unknown subsystem.
  #define IMAGE_SUBSYSTEM_NATIVE               1   // Image doesn't require a subsystem.
  #define IMAGE_SUBSYSTEM_WINDOWS_GUI          2   // Image runs in the Windows GUI subsystem.
  #define IMAGE_SUBSYSTEM_WINDOWS_CUI          3   // Image runs in the Windows character subsystem.
  #define IMAGE_SUBSYSTEM_OS2_CUI              5   // image runs in the OS/2 character subsystem.
  #define IMAGE_SUBSYSTEM_POSIX_CUI            7   // image runs in the Posix character subsystem.
  #define IMAGE_SUBSYSTEM_NATIVE_WINDOWS       8   // image is a native Win9x driver.
  #define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI       9   // Image runs in the Windows CE subsystem.
  #define IMAGE_SUBSYSTEM_EFI_APPLICATION      10  //
  #define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER  11   //
  #define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER   12  //
  #define IMAGE_SUBSYSTEM_EFI_ROM              13
  #define IMAGE_SUBSYSTEM_XBOX                 14
  #define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
  

  

  The PE file subsystem value is 0x0003.

• DllCharacteristics

  The data size is 2 bytes, which identifies the file attribute of the DLL and is only valid for the DLL. The two bytes are 16 bits in total, from the lower 7 bits to the upper 16 bits. Each represents an attribute, 1 means having the attribute, and 0 means not having the attribute. The specific contents of its attributes are as follows:

  #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040      	//  Bit 7 DLL can move
  #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY    0x0080  	//  Bit 8 Code Integrity Image
  #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100      	//  Bit 9 Image is NX compatible
  #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200      	//  Image understanding isolation and doesn't want it
  #define IMAGE_DLLCHARACTERISTICS_NO_SEH       0x0400      	//  Bit 11 image does not use sEH. No se handler may stay in this image
  #define IMAGE_DLLCHARACTERISTICS_NO_BIND      0x0800      	//  Bit 12 Do not bind this image
  //                                            0x1000      	//  13th place Reserved
  #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER   0x2000      	//  Bit 14 Driver uses WDM model
  //                                            0x4000      	//  15th Reserved
  #define IMAGE_ DLLCHARACTERISTICS_ TERMINAL_ SERVER_ Aware 0x8000 / / bit 16
  

  

  The DLL flag value of the PE file is 0x8140

• SizeOfStackReserve and SizeOfStackCommit

  Both data sizes are 4 bytes, identifying the virtual memory size reserved for each thread stack and the initial occupied size when the PE file runs.

  

  The default thread stack allocates 0x100000 bytes (1MB), and initially occupies 0x1000 bytes (4KB, one memory page).

• SizeOfHeapReserve and SizeOfHeapCommit

  Both data sizes are 4 bytes, identifying the virtual memory size reserved for the process heap when the PE file runs, and the initial occupied size.

  

  The default process heap allocates 0x100000 bytes (1MB), and initially occupies 0x1000 bytes (4KB, one memory page).

• LoaderFlags

  The data size is 4 bytes, which is related to debugging. The default is 0.

  

• NumberOfRvaAndSizes

  The data size is 4 bytes, which identifies the number of items in the following data directory table. The default value is 0x0010 and IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 macro constants are consistent.

  

• DataDirectory

  This data is provided by image_ DATA_ The directory structure is composed of data. The array has 16 items in total, and each image_ DATA_ The size of the directory structure is 0x08 bytes, occupying a total of 0x80 bytes. The specific contents of the structure are as follows:

  typedef struct _IMAGE_DATA_DIRECTORY {
      DWORD   VirtualAddress;			//Data start RVA address
      DWORD   Size;					//Data length
  } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
  

  This structure indicates the location and size of a data area in the virtual address space. The image of each array member in the DataDirectory_ DATA_ The directory structure points to a specific data area of the PE file, and the data area pointed to is given by the index value. The data area corresponding to the specific index value is as follows:

  #define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
  #define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
  #define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
  #define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
  #define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory
  #define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
  #define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
  //      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage)
  #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
  #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
  #define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
  #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10   // Load Configuration Directory
  #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11   // Bound Import Directory in headers
  #define IMAGE_DIRECTORY_ENTRY_IAT            12   // Import Address Table
  #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
  #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor	
  

  The RVA and size of the specific data field in the PE file can be obtained by calculating the offset of the index value in the array.

  For example, check an important data area import table in the PE file, and the import table records the DLL that the program needs to import and the function address it uses. The index of the data is 1, that is, the offset is 0x08 bytes from the beginning of the whole array, and the starting position of the array is 0x158, so the data starts at 0x160.

  

  The VirtualAddress and Size account for 4 bytes respectively, so the RVA of the imported table is 0x2308 and the Size is 0x0050. Use PE tools to view directory information.

  

  The physical offset in PE can be calculated according to RVA TO RAW formula. View the section information. The data is located in the. rdata section. The virtual address of the. rdata section is 0x2000 and the pointtorawdata is 0x1000. Use the formula to calculate

  RAW-0x1000=0x2308-0x2000, and the RAW is 0x1308, which is the physical address of the import table. After introducing the detailed structure of the import table, the import table area will be resolved from this address.

Section 3.3 area table

The section table is located after the NT header of the PE file and is also the last part of the PE header. The section table records the relevant attributes of all sections in the PE file. The section table consists of a series of images_ SECTION_ The header structure is arranged. Each structure is used to describe a section. The arrangement order of the structures is consistent with the arrangement order of the sections they describe in the file. All valid structures end with an empty image_ SECTION_ The header structure ends as, so the image in the section table_ SECTION_ The number of header structures is equal to the number of sections plus one. IMAGE_ SECTION_ The size of header structure is 0x28 bytes. The contents of this structure are as follows:

#define IMAGE_SIZEOF_SHORT_NAME              8
typedef struct _IMAGE_SECTION_HEADER {
    BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];		//Section table name
    union {
            DWORD   PhysicalAddress;			
            DWORD   VirtualSize;				//Section virtual memory size
    } Misc;
    DWORD   VirtualAddress;						//Virtual memory address (RVA)
    DWORD   SizeOfRawData;						//Physical size of the section
    DWORD   PointerToRawData;					//Physical offset of section
    DWORD   PointerToRelocations;				//Used in OBJ files to reposition the offset
    DWORD   PointerToLinenumbers;				//Offset of line number table (for commissioning)
    WORD    NumberOfRelocations;				//Used in OBJ files, number of relocates
    WORD    NumberOfLinenumbers;				//The number of row numbers in the row number table
    DWORD   Characteristics;					//Section properties
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Next, introduce each specific member variable:

• Name

  The data is an array of bytes. The length of the array is 8 and the size is 8 bytes. The data identifies the name of this section table. The section names and meanings mainly include the following:

  Section name	describe
  .text	The default code block, whose content is instruction code
  .data	Default read / write data block
  .rdata	Default read-only data block
  .idata	Store import table information
  .edata	Store export table information
  .rsrc	Resources, including all resources of the module
  .bss	Store uninitialized data
  .crt	Used to support data added by C + + runtime (CRT)
  .tls	Thread local storage
  .reloc	Base relocation of executable

  

  The Name of the section table of the PE file is. text

• Misc

  The data is a common body, and the data size is 4 bytes. Generally, it is the size of the section in the virtual memory identified by VirtualSize, which is the actual size of the section before section alignment.

  

  The VirtualSize of the. text section of the PE file is 0x0B65 bytes.

• VirtualAddress

  The size of the data is 4 bytes, which identifies the offset address (RVA) when the section is loaded into the virtual memory. The address has been aligned according to the section alignment size.

  

  The starting virtual memory address of the. text section of the PE file is 0x1000.

• SizeOfRawData

  The size of the data is 4 bytes, which identifies the physical size of the section in the disk. The value has been aligned according to the FileAlignment size.

  

  The physical size of the. text section of the PE file is 0x0C00.

• PointerToRawData

  The size of the data is 4 bytes, which identifies the offset of the section in the PE file on disk.

  

  The. text section of the PE file starts at 0x0400 bytes.

• PointerToRelocations

  The size of the data is 4 bytes, which identifies the offset value of the relocation information of this block in the OBJ file and points to an image_ An array of relocation structures. It is generally useless in the exe file.

  

  The redirection value of the. text section of the PE file is 0.

• PointerToLinenumbers

  The size of the data is 4 bytes, which identifies the offset of the line number table in the file. It is mainly used for debugging and is not important.

  

  The line number table offset of the. text section of the PE file is 0.

• NumberOfRelocations

  The size of the data is 2 bytes, which identifies the number of relocations in the relocation table in the OBJ file.

  

  The retargeting number of the. text section of the PE file is 0.

• NumberOfLinenumbers

  The size of the data is 2 bytes, which identifies the number of row numbers in the row number table. It is used for debugging and is not important.

  

  The number of rows in the row number table of the. text section of the PE file is 0.

• Characteristics

  The size of the data is 4 bytes, which identifies the relevant attributes of the section area, and indicates the attributes of the section area by bit. If a bit is 1, the section area has the attributes represented by this bit. The specific attribute values of the section area are as follows, and only meaningful bit attributes are listed:

  //Digits from low to high
  #define IMAGE_ SCN_ SCALE_ Index 0x00000001 / / bit 1 Tls index is scaled
  #define IMAGE_ SCN_ CNT_ Code 0x00000020 / / bit 6 Section contains code
  #define IMAGE_ SCN_ CNT_ INITIALIZED_ Data 0x00000040 / / bit 7 Section contains initialized data
  #define IMAGE_ SCN_ CNT_ UNINITIALIZED_ Data 0x00000080 / / bit 8 Section contains uninitialized data
  #define IMAGE_ SCN_ LNK_ Info 0x00000200 / / Section contains comments or some other type of information
  #define IMAGE_ SCN_ LNK_ Remove 0x00000800 / / Section contents will not become part of image
  #define IMAGE_ SCN_ LNK_ Comdat 0x00001000 / / bit 13 Section contents comdat
  #define IMAGE_ SCN_ NO_ DEFER_ SPEC_ Exc 0x00004000 / / bit 15 reset specific exceptions handling bits in the TLB entries for this section
  #define IMAGE_ SCN_ Gprel 0x00008000 / / bit 16 Section content can be accessed relative to GP
  #define IMAGE_ SCN_ LNK_ NRELOC_ Ovfl 0x01000000 / / bit 25 Section contains extended relocations
  #define IMAGE_ SCN_ MEM_ Discardable 0x02000000 / / the 26th bit Section can be discarded
  #define IMAGE_ SCN_ MEM_ NOT_ Cached 0x04000000 / / bit 27 section is not cacheable
  #define IMAGE_ SCN_ MEM_ NOT_ Paged 0x08000000 / / bit 28 Section is not pageable
  #define IMAGE_ SCN_ MEM_ Shared 0x10000000 / / the 29th Section is shareable
  #define IMAGE_ SCN_ MEM_ Execute 0x20000000 / / bit 30 Section is executable
  #define IMAGE_ SCN_ MEM_ Read 0x40000000 / / bit 31 Section is readable
  #define IMAGE_ SCN_ MEM_ Write 0x80000000 / / the 32nd bit Section is writeable
  

  

  The attribute value of the. text section of the PE file is 0x60000200, that is, bit 6, bit 30, and bit 31 are 1. It identifies that the. text section is a readable, executable section containing code.