This blog post is a summary of the article above.
Dynamically loaded: The loader uses the memory-mapped file mechanism to map the appropriate pieces of the file into the virtual address space. For Win32, all the memory used by the module for code, data, resources, import tables, export tables, and other required module data structures is in one contiguous block of memory.
INF: Executable-File Header Format http://benoit.papillault.free.fr/c/disc2/exefmt.txt
MS-DOS Header:
- Used to look up the real header for executable formats (relative offset, RVA)
- Changes after the file is packed
- 4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000C80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000
MS-DOS Stub:
- Tiny program that prints out something to the effect of "This program cannot be run in MS-DOS Mode"
- On systems that do not support Win32, this is the error message
PE Header:
- Structure of type IMAGE_NT_HEADERS (defined in WINNT.H)
//additional information beyond standard IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER OptionalHeader;
Section Table: (IMAGE_SECTION_HEADERs)
- Each entry in the array stores an address where the file's raw data has been mapped into memory
- Any code or data that might be needed gets its own section.
Sections:
- .text: code
- .data: initialized data
- .bss: uninitialized static and global variables
- .CRT: used by the MS C/C++ run-time libraries
- .rsrc: all the resources for the module
- .idata: functions & data that the module imports from the DLLs
- .edata: list of the functions and data that the PE file exports for other modules
- .reloc: a table of base relocations