In the previous post we looked at the structure of the DOS header and we reversed the DOS stub.

In this post we’re going to talk about the NT Headers part of the PE file structure.

Before we get into the post, we need to talk about an important concept that we’re going to see a lot, and that is the concept of a Relative Virtual Address or an RVA.

An RVA is just an offset from where the image was loaded in memory (the Image Base). So to translate an RVA into an absolute virtual address you need to add the value of the RVA to the value of the Image Base. PE files rely heavily on the use of RVAs, as we’ll see later.

NT headers is a structure defined in winnt.h as IMAGE_NT_HEADERS. By looking at its definition we can see that it has three members: a DWORD Signature, an IMAGE_FILE_HEADER structure called FileHeader and an IMAGE_OPTIONAL_HEADER structure called OptionalHeader.

It’s worth mentioning that this structure is defined in two different versions, one for 32-bit executables (also named PE32 executables) named IMAGE_NT_HEADERS and one for 64-bit executables (also named PE32+ executables) named IMAGE_NT_HEADERS64. The main difference between the two versions is which version of the IMAGE_OPTIONAL_HEADER structure is used, since that structure also has two versions: IMAGE_OPTIONAL_HEADER32 for 32-bit executables and IMAGE_OPTIONAL_HEADER64 for 64-bit executables.

```c
typedef struct _IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
```

Magic: Microsoft documentation describes this field as an integer that identifies the state of the image. The documentation mentions three common values:

- 0x10B: Identifies the image as a PE32 executable.
- 0x20B: Identifies the image as a PE32+ executable.
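As an added example (not code from the original post), a small Python parser that ties the two ideas above together: it walks from e_lfanew to the NT headers, checks the Signature, uses Magic to choose the PE32 or PE32+ layout when reading ImageBase, and then resolves an RVA to an absolute virtual address. The header blob it parses is constructed inline and is not a real executable; the field offsets are those of the winnt.h structures.

```python
import struct

# Optional header Magic values named on the page.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

def parse_nt_headers(data: bytes) -> dict:
    """Walk from e_lfanew to IMAGE_NT_HEADERS and read Magic, ImageBase, AddressOfEntryPoint."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew is the DWORD at offset 0x3C of the DOS header (previous post).
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT headers Signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the DWORD Signature.
    file_hdr = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", data, file_hdr)
    # IMAGE_OPTIONAL_HEADER starts right after the file header; Magic is its first WORD.
    opt_hdr = file_hdr + 20
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    # AddressOfEntryPoint is a DWORD at offset 16 in both layouts.
    (entry_rva,) = struct.unpack_from("<I", data, opt_hdr + 16)
    if magic == PE32_MAGIC:
        # PE32: BaseOfData sits at 24, then ImageBase is a DWORD at 28.
        (image_base,) = struct.unpack_from("<I", data, opt_hdr + 28)
    elif magic == PE32PLUS_MAGIC:
        # PE32+: there is no BaseOfData; ImageBase is a QWORD at 24.
        (image_base,) = struct.unpack_from("<Q", data, opt_hdr + 24)
    else:
        raise ValueError(f"unknown Magic 0x{magic:X}")
    return {"machine": machine, "sections": nsections, "magic": magic,
            "image_base": image_base, "entry_rva": entry_rva}

def rva_to_va(image_base: int, rva: int) -> int:
    """Absolute virtual address = Image Base + RVA."""
    return image_base + rva

def build_sample(magic: int, image_base: int) -> bytes:
    """Constructed header blob (not a real executable): DOS header with
    e_lfanew = 0x40, Signature, file header and the start of the optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    is64 = magic == PE32PLUS_MAGIC
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 3, 0, 0, 0, 0xF0 if is64 else 0xE0, 0x22)
    fields = (magic, 14, 0, 0x1000, 0x800, 0, 0x1400, 0x1000)  # Magic .. BaseOfCode
    if is64:
        opt = struct.pack("<HBBIIIIIQ", *fields, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", *fields, 0x2000, image_base)
    return dos + b"PE\0\0" + file_hdr + opt
```

Running `rva_to_va` on the parsed `image_base` and `entry_rva` of the constructed PE32+ sample gives the entry point's absolute address, 0x140001400.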