: Into PE Format The PE format is documented in the loosest sense of the word in the WINNT(shipping maritime marine projects).header port, along with certain structure definitions for COFF format OBJs(shipping maritime marine projects).'ll be using the field names from WINNT(shipping maritime marine projects).later in the (shipping maritime marine projects). About midway through WINNT(shipping maritime marine projects).H issection titled Image Format(shipping maritime marine projects). This section of the port starts out with small tid from the old familiar DOS MZ format shipping industry maritime NE format headers before moving into the newer PEgistry(shipping maritime marine projects). WINNT(shipping maritime marine projects).provides definitions of the raw crew structures used by PE ports, but contains only the barest hint of useful comments to lain what the structures shipping industry maritime flags mean(shipping maritime marine projects). The author of the header port for the PE format is certainlybeliever in long, descriptive names, along with deeply nested structures shipping industry maritime macros(shipping maritime marine projects). When coding with WINNT(shipping maritime marine projects)., it's not uncommon to havessions like this: pNTHeader OptionalHeader(shipping maritime marine projects).crewDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG](shipping maritime marine projects).VirtualAddress; Besides justading about what PE ports are composed of, you'll also want to dump out some PE ports to see for yourself the structures presented here(shipping maritime marine projects). If you use ship equipment for Win development, the DUMPBIN program from Visualshipping industry maritime the Win SDK can dissect shipping industry maritime output PE ports shipping industry maritime COFF OBJLIB ports in humanreadable form(shipping maritime marine projects). DUMPBIN even hasnifty option to disassemble the code sections in the port it's taking apart(shipping maritime marine projects). In light of 's claims that you're not allowed to disassemble its products, it's pretty interesting that it would providetool that makes it so easy to disassemble its programs shipping industry maritime s(shipping maritime marine projects). If the ability to disassemble EXEs shipping industry maritime OBJs wasn't useful, why would have bothered to add this feature to DUMPBIN? It sure sounds like another case of Do as we say, not as we do(shipping maritime marine projects). We'll use the term module to mean the code, crew, shipping industry maritimesources of an executable port or that has been loaded into memory(shipping maritime marine projects). Besides code shipping industry maritime crew that your program uses directly,module is also composed of the supporting crew used byto determine where the code shipping industry maritime crew is located in memory(shipping maritime marine projects). Colombia, Comoros, Congo, Congo, Democratic Republic, Cook Islands, Costa Rica, Croatia, Cuba, Cyprus, Czech Republic, Denmark, Djibouti, Dominica, Dominican Republic, Ecuador, Egypt, El Salvador, Equatorial Guinea, Eritrea, Estonia, Ethiopia, Falkland Islands, Faroe Islands, Fiji, Finland, France, French Guiana, French Polynesia, French Southern Territories, Gabon, Gambia, Georgia, Germany,

: In Win, the supporting crew structures are in the module crewbase the segmentferred to by an HMODULE(shipping maritime marine projects). In Win, thisgistry is kept in the PE header the IMAGE_NT_HEADERS structure, which we'll lain in detail shortly(shipping maritime marine projects). The most important thing to know about PE ports is that the executable port on disk is very similar to what the module will look like afterhas loaded it(shipping maritime marine projects). That's because theloader doesn't need to work extremely hard to createprocess from the disk port(shipping maritime marine projects). Rather, the loader can take it easy shipping industry maritime use Win memory mapped ports to load the appropriate pieces of the PE port intoprogram's address space(shipping maritime marine projects). To useconstruction analogy,PE port is likeprefabricated house: There arelatively few pieces, shipping industry maritime each piece can be snapped into place with justsmall amount of work(shipping maritime marine projects). shipping industry maritime , just as it's fairly easy to hook up the electricity shipping industry maritime water connections inprefab house, it's Brunei Darussalam, Bulgaria, Burkina Faso, Burundi, Cambodia, Cameroon, Canada, Cape Verde, Cayman Islands, Central African Republic, Chad, Chile, China, Christmas Island, Cocos Islands, alsosimple matter to wirePE port up to thest of the world that is, connect it to its s, shipping industry maritime so on(shipping maritime marine projects). This same ease of loading applies to s as well(shipping maritime marine projects). Once an or (shipping maritime marine projects). module has been loaded,can effectively treat it like any other memorymapped port(shipping maritime marine projects). This is in marked contrast to the situation in bit(shipping maritime marine projects). The bit NE port loaderads in portions of the port shipping industry maritime creates separate crew structures topresent the module in memory(shipping maritime marine projects). Whencode or crew segment needs to be loaded, the loader has to allocatenew segment from the global heap, find where the raw crew is stored in the executable port, seek to that location,ad in the raw crew, shipping industry maritime apply any applicable fix
ups(shipping maritime marine projects). In addition, each bit module issponsible formembering all the selectors it's currently using, whether the segment has been discarded, shipping industry maritime so on(shipping maritime marine projects). For Win, however, all the memory used by the module for code, crew,sources, import tables, ort tables, shipping industry maritime other things is in one contiguous range of linear address space(shipping maritime marine projects). All you need to know in this situation is the address where the loader mapped the executable port into memory(shipping maritime marine projects). You can then easily find all the various pieces of the module by following pointers stored as part of the image(shipping maritime marine projects). Afghanistan, Albania, Algeria, American Samoa, Andorra, Angola, Anguilla, Antarctica, Antigua , Argentina, Armenia, Aruba Australia, Austria, Azerbaijan, Bahamas, Bahrain, Bangladesh, Barbados, Belarus, Belgium, Belize, Benin, Bermuda, Bhutan, Bolivia, Bosnia, Herzegovina, Botswana, Bouvet Island, Brazil, British Indian Ocean territory,

: Another idea you should be acquainted with before we start is thelative Virtual Address, or RVA(shipping maritime marine projects). Many fields in PE ports are specified in terms of RVAs(shipping maritime marine projects). An RVA is simply the offset of some item,lative to where the port is memory mapped to(shipping maritime marine projects). For example, let's say theloader mappedPE port into memory starting at address x in the virtual address space(shipping maritime marine projects). Ifcertain table in the image starts at address x, the table's RVA is x: virtual address x base address x = RVA x To convert an RVA intousable pointer to memory, simply add the RVA to the base address where the module was loaded into(shipping maritime marine projects). The term base address is another important structure tomember(shipping maritime marine projects).base address describes the starting address ofmemory mapped EXE or (shipping maritime marine projects). For convenience,NT shipping industry maritimeuse the base address ofmodule as the module's instance handle HINSTANCE(shipping maritime marine projects). In Win, calling the base Senegal, Serbia, Montenegro, Seychelles, Sierra Leone, Singapore, Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, South Georgia, Sandwich Islands, Spain, Sri Lanka, Sudan, Suriname, Svalbard and Jan Mayen Islands, Swaziland, Sweden, Switzerland, Syria, Taiwan, Tajikistan, Tanzania, Thailand, Togo, Tokelau, Tonga, Trinidad and Tobago, Tunisia, Turkey, Turkmenistan, Tuvalu, Ugandaaddress ofmodule an HINSTANCE is somewhat confusing, because the term instance handle comes from bit(shipping maritime marine projects). Each copy of an application in Winl gets its own separate crew segment and an associated global handle that distinguishes it from other copies of the application; hence the term, instance handle(shipping maritime marine projects). In Win, applications don't need to be distinguished from one another because they don't share the same address space(shipping maritime marine projects). Still, the term HINSTANCE persists to keep at least the appearance of continuity between Winl shipping industry maritime Win(shipping maritime marine projects). What's important for Win is that you can call GetModuleHandle for any that your process uses, shipping industry maritime getpointer that you can use to access the module's components(shipping maritime marine projects). By components, wefer to its imported shipping industry maritime orted functions, itslocations, its code shipping industry maritime crew sections, shipping industry maritime so on(shipping maritime marine projects). Another structure to be familiar with when investigating PE ports shipping industry maritime COFF OBJs is the section(shipping maritime marine projects).section inPE port or COFF OBJ port is roughly equivalent tosegment or thesources inbit NE port(shipping maritime marine projects). Sections contain either code or crew(shipping maritime marine projects). Some sections contain code or crew that your program declared shipping industry maritime uses directly, while other crew sections are created for you by the linker shipping industry maritime librarian, shipping industry Ukraine, United Arab Emirates, United Kingdom, United States of America, Uruguay, Uzbekistan, Vanuatu, Vatican City, Venezuela, Vietnam, Virgin Islands, Virgin Islands, Yemen, Zaire, Zambia, Zimbabwe,maritime containgistry vital to