Win32 Assembly Language Tutorial: Chapter 17 PE Files · 17.1 The Structure of a PE File (1)
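In an operating system, executable code is stored on disk as a file before it is finally loaded into memory and run. The COM file of DOS is the earliest and structurally simplest executable file: it contains only executable code, with no accompanying "supporting" data. COM files are therefore convenient to use but subject to many restrictions. First, there is no additional data to specify the file's entry point, so the first instruction to execute must be placed at the very start of the file. Second, there is no relocation information, so the code cannot contain instructions that operate on data across segments, which confines the code and data, and even the stack, to a single 64 KB segment.
To use executable code more flexibly, DOS defined another kind of executable file, the familiar EXE file. An EXE file places a file header in front of the code; the header contains various descriptive data such as the file entry point, the stack location, and the relocation table. The operating system loads the code into memory according to the information in the header, fixes up the code according to the relocation table, and finally, after setting up the stack, begins execution at the entry point specified in the header.
Clearly, an executable file format mirrors the way its operating system works: the data in the executable's header exists for the operating system to use when loading the file, and because different operating systems run in different ways, their executable file formats differ as well.
When Windows 3.x appeared, 32-bit code began to appear in executable files. Before switching to protected mode, a program needed to perform some initialization in real mode, so 16-bit real-mode code had to be placed in the executable together with 32-bit code. The old DOS executable format could not meet this requirement, so Windows 3.x executables use the new LE format (Linear Executable). VxD drivers in Windows 9x also use the LE format, because these drivers likewise contain both 16-bit and 32-bit code.
Under Windows 9x, Windows NT, and Windows 2000, pure 32-bit executables all use a new file format designed by Microsoft: the PE format (Portable Executable File Format).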
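The basic structure of a PE file is shown in Figure 17.1. In a PE file, code, initialized data, resources, relocation information and other data are sorted by attribute into different sections. The attributes, location and other information of each section are described by an IMAGE_SECTION_HEADER structure, and all the IMAGE_SECTION_HEADER structures together make up the section table, which is placed in the PE file ahead of all section data. As we know, Win32 allows attributes such as executable or read/write to be set separately for each memory page; a PE file groups data with the same attributes together so that the page attributes of this data, once loaded into memory, can be described uniformly.
Because data is placed into sections by attribute, data with different purposes but the same attributes (such as the import table, the export table, and read-only data specified by the .const segment) may end up in the same section. A PE file therefore also uses a series of IMAGE_DATA_DIRECTORY data directory structures to indicate where each of these kinds of data is located. The data directory table, together with other data describing the file's properties, is called the PE file header, and it is placed ahead of the sections and the section table.
Figure 17.1 Basic structure of a PE file
The parts described above are those actually used by Win32. For compatibility with the DOS file format, a standard DOS MZ-format executable part is added in front of them, and all of these parts together make up the PE file in use today. Each component is described below.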
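A PE file also includes a standard DOS executable part, shown as ① on the left of Figure 17.1. This may seem odd, but it is indispensable for the backward compatibility of executable files.
The operating system identifies executable files by file format, not by extension. So although traditional DOS EXE files, LE-format and PE-format executables all use the .exe extension, the operating system can always recognize them correctly and load them the right way. If the data in the file header does not match any defined format, the system loads the file as a COM file, that is, it loads the entire contents of the file as code and executes it.
This rule explains why many executable files without the .exe extension (such as LE-format VxD files and PE-format .dll and .scr files) can also be loaded and run correctly. It also explains why the system still correctly recognizes and executes an executable whose extension has been arbitrarily changed to .exe, .com or .bat (or even .pif, .scr or .bat).
This approach has a problem, however. When a PE-format executable is run under Windows, nothing goes wrong, because Windows recognizes the PE file header and loads the file correctly. But if the PE file is run under DOS, DOS certainly cannot recognize the PE file header. If the PE file did not begin with a DOS part, then by the rule described above DOS would load the PE header data as code and execute it, which would almost certainly hang the system immediately.
To avoid this, a PE file begins with a standard DOS MZ-format executable part. If a PE file is ever run under DOS, the system can interpret it as a DOS .exe executable and run the code in the DOS part.
Generally, the code in the DOS part simply displays "This program cannot be run in DOS mode." and exits. This short piece of code is generated automatically by the compiler.
If you are not satisfied with this default code, recall the discussion of link.exe options in Section 2.2.1 of Chapter 2: by using the /stub:dos_file_name.exe option at link time, you can use a full-featured DOS program as the DOS part of the PE file.
The author has seen a CD player program that is a text-mode player when run under DOS and a standard Windows GUI program when run under Windows. As we know, both the user interface and CD operations are entirely different concepts under DOS and Windows, and they cannot be handled by the same code. In fact, that program used exactly this method to embed a completely independent DOS CD player.
The DOS part of a PE file consists of an MZ-format file header and an executable code part; the executable code is called the "DOS stub". The MZ-format file header is defined by the IMAGE_DOS_HEADER structure: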
IMAGE_DOS_HEADER STRUCT
  e_magic     WORD  ?           ;DOS executable signature, "MZ" ★
  e_cblp      WORD  ?
  e_cp        WORD  ?
  e_crlc      WORD  ?
  e_cparhdr   WORD  ?
  e_minalloc  WORD  ?
  e_maxalloc  WORD  ?
  e_ss        WORD  ?           ;initial stack segment for the DOS code
  e_sp        WORD  ?           ;initial stack pointer for the DOS code
  e_csum      WORD  ?
  e_ip        WORD  ?           ;entry IP of the DOS code
  e_cs        WORD  ?           ;entry CS of the DOS code
  e_lfarlc    WORD  ?
  e_ovno      WORD  ?
  e_res       WORD  4 dup(?)
  e_oemid     WORD  ?
  e_oeminfo   WORD  ?
  e_res2      WORD  10 dup(?)
  e_lfanew    DWORD ?           ;points to the PE file header ★
IMAGE_DOS_HEADER ENDS
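The first part of the DOS file header should be familiar. The first field, e_magic, is defined as the characters "MZ" (predefined in Windows.inc as IMAGE_DOS_SIGNATURE equ 5A4Dh) and serves as the identifying mark. The fields that follow specify the entry address, the stack location, the location of the relocation table, and so on.
The standard DOS file header is defined only up to the e_ovno field. The fields after it were added after Windows appeared, in order to define file formats such as LE and PE, and DOS does not interpret them. For a PE file, the useful one is the final field, e_lfanew, which gives the position in the file of the real PE file header (shown as ② in Figure 17.1). This position is always aligned on an 8-byte boundary.
In fact, the other executable file formats used in Windows are introduced the same way: for files in formats such as LE or LX, the location that e_lfanew points to is the LE or LX file header.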
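The identification rule and the e_lfanew lookup described above can be checked with a short triage script. This is an added example, not code from the tutorial: the function names (`parse_dos_header`, `identify`, `make_sample`), the result labels and the warning strings are assumptions made here, and the sample bytes are constructed.

```python
import struct

# IMAGE_DOS_HEADER: 30 WORDs followed by the e_lfanew DWORD (64 bytes total).
DOS_HEADER = struct.Struct("<14H4H2H10HI")
IMAGE_DOS_SIGNATURE = 0x5A4D  # "MZ", the value defined in Windows.inc
# Signatures e_lfanew can lead to, limited to the formats named in the text.
NEW_SIGNATURES = ((b"PE\x00\x00", "PE"), (b"LE", "LE"), (b"LX", "LX"))


def parse_dos_header(data):
    """Return the commented IMAGE_DOS_HEADER fields, or None if not a full MZ header."""
    if len(data) < DOS_HEADER.size:
        return None
    f = DOS_HEADER.unpack_from(data)
    if f[0] != IMAGE_DOS_SIGNATURE:
        return None
    return {"e_ss": f[7], "e_sp": f[8], "e_ip": f[10], "e_cs": f[11],
            "e_lfanew": f[30]}


def identify(data):
    """Classify a file by content, never by its name; returns (format, warnings)."""
    warnings = []
    if data[:2] != b"MZ":
        # No known header: per the text, DOS would load such a file as COM.
        return "no-MZ-header", warnings
    hdr = parse_dos_header(data)
    if hdr is None:
        return "DOS-MZ", ["file shorter than IMAGE_DOS_HEADER"]
    off = hdr["e_lfanew"]
    # e_lfanew is read from the file itself, so bounds-check it before use.
    if off + 4 > len(data):
        return "DOS-MZ", warnings
    for sig, name in NEW_SIGNATURES:
        if data[off:off + len(sig)] == sig:
            if off < DOS_HEADER.size:
                warnings.append("new header overlaps IMAGE_DOS_HEADER")
            if off % 8:
                # The text states that this offset is 8-byte aligned.
                warnings.append("e_lfanew is not 8-byte aligned")
            return name, warnings
    return "DOS-MZ", warnings


def make_sample(e_lfanew, signature):
    """Constructed sample: a 64-byte DOS header plus a signature at e_lfanew."""
    hdr = bytes.fromhex("4D5A90000300000004000000FFFF0000"
                        "B8000000000000004000000000000000")
    hdr += bytes(28) + struct.pack("<I", e_lfanew)
    body = bytearray(hdr + bytes(0x200))
    body[e_lfanew:e_lfanew + len(signature)] = signature
    return bytes(body)


if __name__ == "__main__":
    # The same bytes classify identically whatever extension the file carries.
    sample = make_sample(0xC8, b"PE\x00\x00")
    for name in ("setup.exe", "photo.scr", "notes.pif"):
        print(name, identify(sample))
```

Because the result depends only on the bytes, a mismatch between it and the file's extension is a useful signal when triaging attachments or downloads.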