Complete PE Offset Reference

While there is a lot of data and various parts of the structure are at varying positions there are still a lot of useful fixed and relative offsets that will help when disassembling/examining PE files. Resource information and the such like are omitted - there are good tools available to manipulate these e.g. ResHacker.

The DOS Header

 



DOS Stub

如果在DoS下执行PE文件,此段中保存的字符串“This program can’t  run in DOS Mode”如果在windows下执行PE文件,根据Dos Header的最后一个域e_lfanew所给的偏移量跳过DosStub,直接跳到PEHeader


The PE Header

Offsets shown  are from the beginning of this section.Add=DosHeader+DosHeader->e_lfanew;




The Export Table (导出表)

Offsets shown from beginning of table (given at offset 78 from start of PE header). The following 40 Bytes repeat for each export library (DLL whose functions are imported by the executable) and ends with one full of zeroes.



The Import Table (引入表)

Offsets shown from beginning of table (given at offset 80 from start of PE header). The following 5 DWORDS repeat for each import library (DLL whose functions are imported by the executable) and ends with one full of zeroes.

IMAGE_IMPORT_DESCRIPTOR STRUCT
  union
    Characteristics dd ?
    OriginalFirstThunk dd ?
  ends
  TimeDateStamp dd ?
  ForwarderChain dd ?
  Name1 dd ?
  FirstThunk dd ?
IMAGE_IMPORT_DESCRIPTOR ENDS



Image Characteristics Flags



Section Characteristics Flags



 

OFFSET

SIZE

NAME

EXPLANATION

00

WORD

e_magic

Magic DOS signature MZ (4Dh 5Ah)判断

02

WORD

e_cblp

Bytes on last page of file

04

WORD

e_cp

Pages in file

06

WORD

e_crlc

Relocations

08

WORD

e_cparhdr

Size of header in paragraphs

0A

WORD

e_minalloc

Minimum extra paragraphs needed

0C

WORD

e_maxalloc

Maximum extra paragraphs needed

0E

WORD

e_ss

Initial (relative) SS value

10

WORD

e_sp

Initial SP value

12

WORD

e_csum

Checksum

14

WORD

e_ip

Initial IP value

16

WORD

e_cs

Initial (relative) CS value

18

WORD

e_lfarlc

File address of relocation table

1A

WORD

e_ovno

Overlay number

1C

WORD

e_res[4]

Reserved words

24

WORD

e_oemid

OEM identifier (for e_oeminfo)

26

WORD

e_oeminfo

OEM information; e_oemid specific

28

WORD

e_res2[10]

Reserved words

3C

DWORD

e_lfanew

Offset to start of PE header PEHeader的偏移量