
win10/11 PE-file layout


wolfgang kern

Jan 8, 2024, 9:27:17 PM1/8/24
An attempt to create a new version [UEFI] of my old OS (1985..2014)
needs me to learn more about the MS PE-files currently in use.
My docs are pretty old and so am I.
I can't read and never use any C libraries,
TIA if you can correct or note what has changed:
__
wolfgang

----------------------------------------------
[my size cast is b/w/q/dq/qq/dqq for 8/16/32/64/128/256 bit]
[everything except bit-numbers and ASCII is in hexadecimal]

000 w 5A4D "MZ" DOS 2.0 Compatible EXE Header
002 w .... remaining bytes on last sector, aka tail start (0160)?
004 w 0001 file size (in 512 byte sectors)
006 w 0000 number of relocation entries ??? required or not ???
008 w 0004 DOS header size (in 16 byte paragraphs) ==0040
00a w 0000 needed minimum extra paragraphs
00c w ffff needed maximum extra paragraphs ?? why max ???
00e w 0000 add SS (to load-address)
010 w .... SP initial (0160 if it use the tail here)
012 w 0000 checksum (of what and how)
014 w 0000 IP initial
016 w 0000 add CS (to load address)
018 w 0040 offset of RELOCATION table **** useless if none ???
01a w 0000 overlay number
01c dq.... reserved, all Zero
024 w 0000 OEM identifier, mine would be "KE" even not recognized
026 w 0000 OEM specific
028 .... unused, all Zero
03c q 00a0 Offset to PE Header (relative to file-start)
040 ... relocation table (if any at all)

;DOS 2.0 Stub Program
040 push CS ;assume it's 0004 (from DOS header size) yet ???
041 pop DS
042 mov DX,000e
045 mov AH,09
047 INT_21
049 mov AX,4c01
04c INT_21
04e (aka 000e) just text+$ 0004:000e

------------
PE HEADER
pointed to by file-offset 003c q
+[003c]q == 00a0 yet
0a0 q 00004550 "PE"0,0 SIGNATURE
0a4 w 0000 Unknown CPU TYPE
014C 80386
014D 80486
014E PentiumTM
???? RYZEN 5/6.. ????

0a6 w 0001 number of sections
0a8 q 3700_0000 TIMESTAMP (seconds since 31.12.69 16:00)
0ac q reserved Zero/ PointerToSymbolTable
0b0 q reserved Zero/ NumberOfSymbols
0b4 w 00e0 why? SizeOfOptionalHeader
0b6 w 010f (I had 030f) Characteristics-flags

bit# my |if set
0 1 Relocation info stripped from file.
1 1 File is executable (i.e. no unresolved external references).
2 1 Line numbers stripped from file.
3 1 Local symbols stripped from file.
4 0 Aggressively trim working set
5..6 00 ??
7 0 Bytes of machine word are reversed.
8 1 ? 32 bit word machine.
9 1 Debugging info stripped from file in .DBG file
10 0 If Image is on removable media, copy and run from swap file.
11 0 If Image is on Net, copy and run from the swap file.
12 0 System File.
13 0 File is a DLL.
14 0 File should only be run on a UP machine
15 0 Bytes of machine word are reversed.

0b8 w 010b MAGIC # ??
0ba b 05 ?? major linker version
0bb b 0c ?? minor
0bc q any SizeOfCode
0c0 q any SizeOfInitializedData
0c4 q any SizeOfUninitializedData
0c8 q ???? /winmain-ImageBase;AddressOfEntryPoint (0000_1094) ????
0cc q any BaseOfCode
0d0 q any BaseOfData
0d4 q ... IMAGE BASE (0040_0000) ??? required by UEFI ???
0d8 q 1000 SectionAlignment
0dc q 0200 FileAlignment
0e0 w ? MajorOperatingSystemVersion
0e2 w 0 minorOperatingSystemVersion
0e4 w 0 MajorImageVersion
0e6 w 0 MinorImageVersion
0e8 w ? MajorSubsystemVersion
0ea w 0 MinorSubsystemVersion
0ec q 0 Win32VersionValue
0f0 q any SizeOfImage
0f4 q 0200 SizeOfHeaders ?
0f8 q 0 CheckSum of what?
0fc w 0003 SUBSYSTEM

bit# my |if set
0 1 Unknown subsystem.
1 1 Image doesn't require a subsystem.
2 0 Image runs in the Windows GUI subsystem.
3 0 Image runs in the Windows character subsystem.
4 0 ?
5 0 image runs in the OS/2 character subsystem.
6 0 ?
7 0 image run in the Posix character subsystem.
8 0 image run in the 8 subsystem.
9..15 all zero

0fe w 0000 DLL Characteristic flags
Indicates special loader requirements.
b0 Per-Process Library Initialization
b1 Per-Process Library Termination
b2 Per-Thread Library Initialization
b3 Per-Thread Library Termination
b15..4 reserved for future use and should be set to zero.

0100 q any STACK RESERVE SIZE SizeOfStackReserve
0104 q any STACK COMMIT SIZE SizeOfStackCommit
0108 q any HEAP RESERVE SIZE SizeOfHeapReserve
010c q any HEAP COMMIT SIZE SizeOfHeapCommit
0110 q 0 loader-flags ???? (guess what this is) ????
0114 q any NumberOfRvaAndSize (entries in the data dir)
0118 dq 0 EXPORT DIRECTORY start+size
0120 dq 0 IMPORT DIRECTORY start+size
0128 dq 0 Resource Directory
0130 dq 0 Exception Directory
0138 dq 0 Security Directory
0140 dq 0 Base Relocation Table
0148 dq 0 Debug Directory
0150 dq 0 Description String
0158 dq 0 Machine Value (MIPS GP)
0160 dq 0 THREAD LOCAL STORAGE TLS Directory
0168 dq 0 Load Configuration Directory
0170 dq 0 Bound Import Directory in headers
0178 q 00000014 Import Address Table "IAT" ???? what for ???
017c q 00001000 size
0180 dq 0 RVA/14 ;SIZE
0188 dq 0 RVA/15 ;SIZE
0190 dq 0 RVA/16 ;SIZE

-----------------------
object table:
Each Object Table entry has this format (40 byte):
000 dq strptr ??? or 7char+00 OBJECT NAME (ascii Z-pad)
008 q VIRTUAL SIZE /(VSizeOf_text/VSizeOf_idat/VSizeOf_udat)
00c q RVA /VBaseOf_text
010 q PHYSICAL SIZE /FSizeOf_text ;raw data
014 q PHYSICAL OFFSET /FBaseOf_text ;raw data
018 q RESERVED /pointer to relocations
01c q RESERVED /pointer to line numbers
020 w 0 number of relocations
022 w ?? number of line numbers
024 q OBJECT FLAGS (E0000020/40/80)
b5 Code object
b6 Initialized data object
b7 Uninitialized data object
b26 Object must not be cached
b27 Object is not pageable
b28 Object is shared
b29 Executable object
b30 Readable object
b31 Writable object
All other bits are reserved and should be set to zero.
----------------
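Added example, not part of the post above: a small Python walker that follows the same chain the post lists (MZ header, e_lfanew at 03c, "PE\0\0", COFF header, optional header, data directories, 40-byte section table) and also handles the PE32+ (magic 020b) offsets that differ from the PE32 (010b) layout shown. The input is a constructed PE32 skeleton laid out like the post (PE header at 0a0, one .text section), not a real binary; all function names are mine.

```python
import struct

OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SECT_BITS = {5: "code", 6: "idata", 7: "udata", 29: "exec", 30: "read", 31: "write"}  # object flag bits

def parse_pe(data):
    """Walk MZ header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature at offset 0")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew: 4-byte file offset at 03c
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPT_MAGIC:
        raise ValueError("unknown optional-header magic %#x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (an RVA, not a file offset)
    if magic == 0x10B:   # PE32: 32-bit ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dirs = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    else:                # PE32+: 64-bit ImageBase at +24 (no BaseOfData), NumberOfRvaAndSizes at +108
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dirs = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    data_dirs = [struct.unpack_from("<II", data, dirs + 8 * i) for i in range(ndirs)]   # (RVA, size) pairs
    sections = []
    for i in range(nsect):   # 40-byte section headers start right after the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2], "rawsize": f[3],
                         "rawptr": f[4], "flags": sorted(n for b, n in SECT_BITS.items() if f[9] >> b & 1)})
    return {"format": OPT_MAGIC[magic], "machine": machine, "characteristics": chars, "timestamp": stamp,
            "entry": entry, "image_base": image_base, "section_align": sect_align, "file_align": file_align,
            "subsystem": subsystem, "dll_chars": dll_chars, "data_dirs": data_dirs, "sections": sections}

def build_sample_pe32():
    """Constructed sample (not a real binary): PE32 skeleton laid out like the post, PE header at 0xa0."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0xA0) + bytes(0x60)   # e_lfanew = 0xa0, stub omitted
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x37000000, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH", 0x10B, 5, 12,
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,   # ... entry, ImageBase, alignments
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0)                         # versions ... Subsystem = 3
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)               # stack/heap, loader flags, 16 dirs
    dirs = [(0, 0)] * 16
    dirs[12] = (0x2000, 0x14)                                # data directory 12 = IAT: (RVA, size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + sect
```

The section table lands at 0xa0 + 0x18 + 0xe0 = 0x198, which is where the post's object table begins, so the offsets in the post can be checked directly against the parsed result.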