2011年7月1日 星期五

PE structure


































DOS HEADER
DOS STUB
PE HEADER
      Signature
      FileHeader
      OptionalHeader
            DATA DIRECTORY
SECTION TABLE

DOS HEADER(64 bytes)
  /*
   * Legacy MS-DOS header at file offset 0 of every PE image (64 bytes).
   * A PE parser normally needs only two fields: e_magic, to confirm the
   * file type, and e_lfanew, to find the NT headers.
   *
   * Every field is read from the file and is therefore untrusted input.
   * Check that the file holds at least sizeof(IMAGE_DOS_HEADER) bytes
   * before reading any field.
   */
  typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
      WORD   e_magic;                     // Magic number: "MZ" (0x5A4D, IMAGE_DOS_SIGNATURE)
      WORD   e_cblp;                      // Bytes on last page of file
      WORD   e_cp;                        // Pages in file
      WORD   e_crlc;                      // Relocations
      WORD   e_cparhdr;                   // Size of header in paragraphs (16-byte units)
      WORD   e_minalloc;                  // Minimum extra paragraphs needed
      WORD   e_maxalloc;                  // Maximum extra paragraphs needed
      WORD   e_ss;                        // Initial (relative) SS value
      WORD   e_sp;                        // Initial SP value
      WORD   e_csum;                      // Checksum
      WORD   e_ip;                        // Initial IP value
      WORD   e_cs;                        // Initial (relative) CS value
      WORD   e_lfarlc;                    // File address of relocation table
      WORD   e_ovno;                      // Overlay number
      WORD   e_res[4];                    // Reserved words
      WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
      WORD   e_oeminfo;                   // OEM information; e_oemid specific
      WORD   e_res2[10];                  // Reserved words
      // File offset of IMAGE_NT_HEADERS ("new exe header"). The field is a
      // signed LONG taken from the file: reject negative values and confirm
      // that e_lfanew + sizeof(IMAGE_NT_HEADERS32) lies inside the file
      // before using it as an offset.
      LONG   e_lfanew;                    // File address of new exe header
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

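DOS STUB (192 bytes) -> we use 112 bytes. The stub has no fixed size, so a parser should locate the PE header through e_lfanew rather than a hard-coded offset.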

PE HEADER(248 bytes)
  /*
   * PE ("NT") headers for a 32-bit image, located at file offset
   * IMAGE_DOS_HEADER.e_lfanew. The 248-byte total assumes a PE32 optional
   * header with all 16 data directories; the size actually present in the
   * file is given by FileHeader.SizeOfOptionalHeader.
   */
  typedef struct _IMAGE_NT_HEADERS {
      DWORD Signature;// (4 bytes) "PE\0\0" (0x00004550, IMAGE_NT_SIGNATURE); verify before trusting the rest
      IMAGE_FILE_HEADER FileHeader;// (20 bytes) COFF file header
      IMAGE_OPTIONAL_HEADER32 OptionalHeader;// (224 bytes) check OptionalHeader.Magic before using this 32-bit layout
  } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;


      FileHeader(20 bytes)
  /*
   * COFF file header (20 bytes), immediately after the PE signature.
   * All values come from the file and must be range-checked before they
   * drive a loop count or an offset calculation.
   */
  typedef struct _IMAGE_FILE_HEADER {
      WORD    Machine;                // Target CPU type (IMAGE_FILE_MACHINE_* value)
      WORD    NumberOfSections;       // Number of IMAGE_SECTION_HEADER entries in the section table;
                                      // confirm the whole table fits in the file before iterating
      DWORD   TimeDateStamp;          // Link time written by the linker; not authenticated, so not reliable as evidence on its own
      DWORD   PointerToSymbolTable;   // File offset of the COFF symbol table (normally 0 in images)
      DWORD   NumberOfSymbols;        // Entries in the COFF symbol table
      WORD    SizeOfOptionalHeader;   // Bytes of optional header that follow; the section table starts
                                      // this many bytes after the start of the optional header
      WORD    Characteristics;        // IMAGE_FILE_* flags (e.g. IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL)
  } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

      OptionalHeader(224 bytes)
/*
 * PE32 optional header (224 bytes with 16 data directories).
 * This layout is valid only when Magic is 0x10b
 * (IMAGE_NT_OPTIONAL_HDR32_MAGIC). PE32+ images (Magic 0x20b) use a
 * different layout, so check Magic before reading any later field.
 *
 * Addresses named "RVA" are offsets from ImageBase in the loaded image,
 * not file offsets; translate them through the section table and
 * bounds-check the result before reading from the file.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //

    WORD    Magic;                        // 0x10b for PE32
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;          // RVA of the entry point
    DWORD   BaseOfCode;                   // RVA of the start of the code section
    DWORD   BaseOfData;                   // RVA of the start of the data section (PE32 only)

    //
    // NT additional fields.
    //

    DWORD   ImageBase;                    // Preferred load address
    DWORD   SectionAlignment;             // Alignment of sections in memory
    DWORD   FileAlignment;                // Alignment of section raw data in the file
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;            // Reserved
    DWORD   SizeOfImage;                  // Size of the loaded image in memory, headers included
    DWORD   SizeOfHeaders;                // Combined size of all headers as stored in the file
    DWORD   CheckSum;                     // Simple image checksum, not a cryptographic integrity check
    WORD    Subsystem;                    // IMAGE_SUBSYSTEM_* value
    WORD    DllCharacteristics;           // Includes mitigation opt-in flags such as
                                          // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) and
                                          // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;          // Count of valid DataDirectory entries; may be below 16, so
                                          // check an index against it before reading DataDirectory[index]
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];// (128 bytes: 16 entries of 8 bytes)

  } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

      DataDirectory (128 bytes: 16 entries of 8 bytes each)
  /*
   * One entry of OptionalHeader.DataDirectory (8 bytes): the location and
   * size of a table such as the import or export directory.
   * Both fields are untrusted. Check that VirtualAddress + Size does not
   * overflow and that the range maps inside a section before parsing it.
   */
  typedef struct _IMAGE_DATA_DIRECTORY {
      DWORD   VirtualAddress;   // RVA of the table. Exception: for IMAGE_DIRECTORY_ENTRY_SECURITY
                                // this is a file offset, because certificates are not mapped into memory
      DWORD   Size;             // Size of the table in bytes
  } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

// Indices into IMAGE_OPTIONAL_HEADER32.DataDirectory[].
// An index is valid only if it is below OptionalHeader.NumberOfRvaAndSizes.
#define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory (certificate table; located by file offset, not RVA)
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
//      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage) 
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10   // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11   // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT            12   // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor
 
 0   // Export Directory
 1   // Import Directory
 2   // Resource Directory
 3   // Exception Directory
 4   // Security Directory
 5   // Base Relocation Table
 6   // Debug Directory
 7   // Architecture Specific Data
 8   // RVA of GP
 9   // TLS Directory
10   // Load Configuration Directory
11   // Bound Import Directory in headers
12   // Import Address Table
13   // Delay Load Import Descriptors
14   // COM Runtime Descriptor
 
SECTION TABLE (n*40 bytes, where n = FileHeader.NumberOfSections)
  /*
   * One section table entry (40 bytes). The table holds
   * FileHeader.NumberOfSections entries and starts right after the
   * optional header.
   *
   * A parser uses these entries to translate RVAs into file offsets, so a
   * malformed entry affects every later read. For each section, check that
   * PointerToRawData + SizeOfRawData does not overflow and lies inside the
   * file, and that VirtualAddress + VirtualSize lies inside SizeOfImage.
   */
  typedef struct _IMAGE_SECTION_HEADER {
      BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];  // 8 bytes, NOT NUL-terminated when all 8 are used;
                                              // copy or print with an explicit length, never strlen/strcpy/"%s"
      union {
              DWORD   PhysicalAddress;
              DWORD   VirtualSize;            // Size of the section once loaded in memory
      } Misc;
      DWORD   VirtualAddress;                 // RVA of the section in the loaded image
      DWORD   SizeOfRawData;                  // Bytes of section data stored in the file; may differ from VirtualSize
      DWORD   PointerToRawData;               // File offset of the section data
      DWORD   PointerToRelocations;           // File offset of COFF relocations (object files)
      DWORD   PointerToLinenumbers;           // File offset of COFF line numbers
      WORD    NumberOfRelocations;
      WORD    NumberOfLinenumbers;
      DWORD   Characteristics;                // IMAGE_SCN_* flags; a section marked both IMAGE_SCN_MEM_WRITE
                                              // and IMAGE_SCN_MEM_EXECUTE is worth noting during triage
  } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
 
