Current location - Quotes Website - Signature design - Help: How to know the "file signature" and "signature offset" of a file?
Help: How to know the "file signature" and "signature offset" of a file?
Why bother? It is more convenient and faster to use FINALDATA.

DOS title structure definition

//word is equivalent to UNSHORT.

Typedef struct _ image _ dos _ header {//dos.exe header structure defines the position (offset) in the start file.

WORD e _ magic// magic number 0x0000000-0x0000001

The number of bytes in the last page of the WORD e _ cblp// file is 0x00000002-0x00000003.

WORD e _ cp// Document page number 0x00000004-0x00000005

WORD e _ crlc// Number of relocation elements 0x00000006-0x00000007

The title size in the WORD e _ cparhdr// paragraph is 0x00000008-0x00000009.

The minimum additional segment 0x0000000A-0x0000000B required by WORD e _ minalloc//

Maximum additional segment 0x0000000C-0x0000000D required by WORD e _ maxalloc//

WORD e _ SS// Initial relative offset value of stack part (SS) 0x0000000E-0x0000000F.

WORD e _ SP// Initial stack pointer (SP) value 0x0000010-0x0000011.

WORD e _ csum// checksum 0x0000012-0x0000013

WORD e _ ip// Initial instruction pointer (IP) value 0x00000014-0x00000015.

WORD e _ CS// initial code segment (cs) relative offset value 0x0000016-0x00000017.

The offset address of the relocation table in the WORD e _ lfarlc// file is 0x00000018-0x0000019.

WORD e _ ovno// coverage number 0x000001a-0x000001b

WORD e _ RES[4]; //reserved words (usually reserved to ensure alignment) 0x000000 1C-0x00000023

WORD e _ oemid// OEM identifier (relative to e _ oeminfo) 0x00000024-0x00000025.

WORD e _ oeminfo// OEM information, that is, the detailed information of e_oemid 0x00000026-0x00000027.

WORD e _ res2[ 10]; //reserved words (usually reserved to ensure alignment) 0x00000028-0x0000003B

The offset address of the new exe header in E Long _ lfanew// file is 0x0000003C-0x0000003F.

} IMAGE_DOS_HEADER,* PIMAGE _ DOS _ HEADER//DOS。 End of EXE header structure definition; Reference structure name: IMAGE_DOS_HEADER, structure pointer.

Name: PIMAGE_DOS_HEADER

//DOS header * * * occupies 64 bytes (0x0000003f-0x0000000+1) = 0x40 = 64.

//Then there is DOSTUB (residual program of DOS real mode or complete DOS program), which has little influence on Windows NT and windows 3. 1 or above.

When running an executable file in DOS mode, just display a message, such as "This program cannot run in DOS mode".

Line) "or" This program requires to run under windows ",of course, such a prompt can be programmed.

You can modify it at will, just select the -STUB: linker option in the link stage. Although the DOS header, DOS stub, PE file flag and PE header are sequentially arranged and stored.

Yes, but I'm not sure how many bytes DOSTUB takes up. There is generally no fixed number of bytes. Therefore, the location of the PE header in the file cannot be stored.

To get it directly, we must point to it through the e_lfanew field.

Among the above domains under windows, only e_lfanew is really useful.

PE header structure (including signature, file header and optional header)

//Note: The optional header is not only optional, but also the most important part of the PE file. I want to know why it is easy for Micosoft to use this head.

Name this structure with a name that causes misunderstanding or ambiguity;

Typedef struct _ image _ nt _ headers {//PE header structure definition begins.

Double-word signature; //Signature (file type flag), and the offset in the file is specified by the field e_lfanew in the DOS header.

IMAGE_FILE_HEADER file header; //PE file header structure (occupying 20 bytes)

IMAGE_OPTIONAL_HEADER32 Optional HEADER32// Optional header structure (occupying 224 bytes)

} image _ nt _ headers32, * pimage _ nt _ headers 3//End of PE header structure definition; Reference structure name: IMAGE_NT_HEADERS32, structure pointer name:

PIMAGE_NT_HEADERS3

//Definition of signature in header file WINNT. H is as follows:

Signature type hexadecimal value ASCII string form

# define IMAGE _ DOS _ SIGNATURE 0x5a 4d//MZ

# define IMAGE_OS2_SIGNATURE 0x454E // NE.

# Define image _ os2 _ signature _ le 0x454c//le

# Define image _ VXD _ signature 0x454C // LE

# define IMAGE _ NT _ SIGNATURE 0x 00004550//PE00

PE file header structure definition

Typedef struct _ image _ file _ header {//PE file header structure definition begins.

Word machine; //OS all processor types offset position: e_lfanew+0x04.

Number of words in chapters; //Number of sections

Date and time when the DWORD TimeDateStamp// file was created.

DWORD pointer symbol table; //symbol table pointer

DWORD NumberOfSymbols// symbol number

WORD SizeOfOptionalHeader// Optional header size.

Character characteristics; //feature (through which you can know whether the PE file contains debugging information)

} IMAGE_FILE_HEADER, * PIMAGE _ FILE _ HEADER//PE file header structure definition//End

I heard someone say that there is a kind of bird in this world that has no feet. It can only keep flying and flying. When it is tired of flying, it sleeps in the wind. This bird can only land once in its life and once when it dies.

Related articles
  • Shanghai Netcom has gone through the formalities of withdrawing from the network.
  • The Divine Throne gang skills are launched. Is the gang still there? Detailed explanation of gang skills.
  • What does the five elements of the word grain belong to?
  • Teach your girlfriend to recognize luxury cars: Mercedes-Benz AMG
  • What if someone else uses my signature?
  • Shallow QQ icon
  • How does Xiaohongshu leave WeChat?
  • You are my Bai Yueguang, and you are my meaning.
  • Dream of asking boys for star autographs.
  • A pair of 2022 WeChat bestie names are playful, cute and fresh. They will be sisters for life.

    • copyright 2024 Quotes Website All rights reserved