Windows IT Pro
Windows IT Library
  - Advertise        
Windows IT Pro Logo

  Home  |   Books  |   Chapters  |   Topics  |   Authors  |   Book Reviews  |   Whitepapers  |   About Us  |   Contact Us

search for  on    power search   help
  






Portable Executable File Format
View the book table of contents
Author: Prasad Dabak
Milind Borate
Sandeep Phadke
Published: October 1999
Copyright: 1999
Publisher: M&T Books
 


RETURN VALUES
If the function succeeds, the return value is TRUE; otherwise, it is FALSE.

UnMapAndLoad()
After you are done with the mapped file, you should call the UnMapAndLoad() function. This function unmaps the PE file and deallocates the resources allocated by the MapAndLoad() function. 
BOOL UnMapAndLoad(

PLOADED_IMAGE LoadedImage

);
PARAMETERS
LoadedImagePointer to a LOADED_IMAGE structure that is returned from a call to the MapAndLoad() function.

RETURN VALUES
If the function succeeds, the return value is TRUE; otherwise, it is FALSE.

We will discuss the other useful functions from this DLL as we continue in this chapter.


DETAILS OF THE PE FORMAT

The WINNT.H file has the structure definitions representing the PE format. We refer to these structure definitions while describing the PE format. Let’s begin at the beginning. The DOS header that comes at the beginning of a PE file does not contain much important information from the PE viewpoint. The fields in this header have values pertaining to the DOS executable stub that follows this header. The only important field as far as PE format is considered is e_lfanew, which holds the offset to the PE header. You can add this offset to the base of the memory-mapped file to get the address of the PE header. You can also use the ImageNtHeader() function explained earlier, or simply use the FileHeader field from the LOADED_IMAGE after a call to the MapAndLoad() function.

The IMAGE_NT_HEADERS structure that represents the PE header is defined as follows in the WINNT.H file: 
typedef struct _IMAGE_NT_HEADERS {

DWORD Signature;

IMAGE_FILE_HEADER FileHeader;

IMAGE_OPTIONAL_HEADER OptionalHeader;

} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
The signature is PE followed by two nulls, as mentioned earlier. The COFF style header is represented by the IMAGE_FILE_HEADER structure and is followed by the optional header represented by the IMAGE_OPTIONAL_HEADER structure. The fields in the COFF style header are as follows:

MachineTarget machine ID. Various values are defined in the WINNT.H file–for example, 0x14C is used for Intel 80386 (and compatibles) and 0x184 is used for Alpha AXP.
NumberOfSectionsNumber of sections in the file.
TimeDateStampTime and date when the file was created.
PointerToSymbolTableOffset to the COFF symbol table. This field is used only for COFF style object files and PE files with COFF style debug information.
NumberOfSymbolsNumber of symbols present in the symbol table.
SizeOfOptionalHeaderSize, in bytes, of the optional header that follows this header. This data can be used in locating the string table that immediately follows the symbol table. This field is set to 0 for the object files because the optional header is absent in them.
CharacteristicsAttributes of the file. The flag values are defined in the WINNT.H file. This field contains an OR of these flags. The important flags are as follows:
IMAGE_FILE_EXECUTABLE_IMAGESet for an executable file.
IMAGE_FILE_SYSTEMIndicates that it is a kernel-mode driver/DLL.
IMAGE_FILE_DLLThe file is a dynamic link library (DLL).
IMAGE_FILE_UP_SYSTEM_ONLYThis file should be run only on an UP machine.
IMAGE_FILE_LINE_NUMS_STRIPPEDIndicates that the COFF line numbers have been removed from the file.
IMAGE_FILE_LOCAL_SYMS_STRIPPEDIndicates that the COFF symbol table has been removed from the file.
IMAGE_FILE_DEBUG_STRIPPEDIndicates that the debugging information has been removed from the file.
IMAGE_FILE_RELOCS_STRIPPEDIndicates that the base relocation information is stripped from this file, and the file can be loaded only at the preferred base address. If the loader cannot load such an image at the preferred base address, it fails because it cannot relocate the image.
IMAGE_FILE_AGGRESIVE_WS_TRIMAggressively trim working set.
IMAGE_FILE_BYTES_REVERSED_LOLittle endian: the least significant bit (LSB) precedes the most significant bit (MSB) in memory, but they are stored in reverse order.
IMAGE_FILE_BYTES_REVERSED_HIBig endian: the MSB precedes the LSB in memory, but they are stored in reverse order.
IMAGE_FILE_32BIT_MACHINEThe target machine is based on 32-bit-word architecture.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAPIf this flag is set and the file is run from a removable media, such as a floppy, the loader copies the file to the swap area and runs it from there.
IMAGE_FILE_NET_RUN_FROM_SWAPSimilar to the previous flag. It is run from swap if the file is run from a network drive.

Note: The COFF style header is followed by the optional header. The optional header is absent in the object files. The format of the optional header is defined as the IMAGE_OPTIONAL_HEADER structure in the WINNT.H file. The first few fields in this structure are inherited from COFF.

MagicThis field is set to 0x10b for a normal executable/DLL.
MajorLinkerVersion, MinorLinkerVersionVersion of the linker that produced the file.
SizeOfCodeSize of the code section. If there are multiple code sections, this field contains the sum of sizes of all these sections.
SizeOfInitializedDataSize of the initialized data section. If there are multiple initialized data sections, this field contains the sum of sizes of all these sections.
SizeOfUninitializedDataSame as SizeOfInitializedData, but for the uninitialized data (BSS) section.
AddressOfEntryPointRVA of the entry point.
BaseOfCodeRVA of the start of the code section.
BaseOfDataRVA of the start of the data section.

Microsoft added some NT-specific fields to the optional header. These fields are as follows:
ImageBaseIf the file is loaded at this address in memory, the loader need not do any base relocations. This is because the linker resolves all the base relocations at the time of linking, assuming that the file will be loaded at this address. We discuss this in more detail in the section on the relocation table. For now, it is enough to know that the loading time is reduced if a file gets loaded at the preferred base address. A file may not get loaded at the preferred base address because of the nonavailability of the address. This happens when more than one DLL used by an executable use the same preferred base address. The default preferred base address is 0x400000. You may want to have a different preferred base address for your DLL so that it does not clash with that of any other DLL used by your application. You can change the preferred base address using a linker switch. You can also change the base address of a file using the rebase utility that comes with the Win32 SDK.

ReBaseImage()
The ReBaseImage() function from the IMAGEHLP.DLL also enables you to change the preferred base address. 
BOOL ReBaseImage(

LPSTR CurrentImageName,

LPSTR SymbolPath,

BOOL fReBase,

BOOL fRebaseSysfileOk,

BOOL fGoingDown,

DWORD CheckImageSize,

LPDWORD OldImageSize,

LPDWORD OldImageBase,

LPDWORD NewImageSize,

LPDWORD NewImageBase,

DWORD TimeStamp

);
PARAMETERS
CurrentImageNameFilename that is rebased.
SymbolPathIn case the symbolic debug information is stored as a separate file, the path to find the corresponding symbol file. This is required to update the header information and timestamp of the symbol file.
fReBaseThe file is really rebased only if this value is TRUE.
fRebaseSysfileOkIf the file is a system file with the preferred base address above 0x80000000, it is rebased only if this flag is TRUE.
fGoingDownIf you want the loaded image of the file to lie entirely below the given address, set this flag to TRUE. For example, if the loaded size of a DLL is 0x2000 and you call the function with the fGoingDown flag as TRUE and give the address as 0x600000, the DLL will be rebased at 0x508000.
CheckImageSizeRebasing might change the loaded image size of the file because of the section alignment requirements. If this parameter is nonzero, the file is rebased only if the changed size is less than this parameter.
OldImageSizeOriginal image size before the rebase operation is returned here.
OldImageBaseOriginal image base before the rebase operation is returned here.
NewImageSizeNew loaded image size after the rebase operation is returned here.
NewImageBaseNew base address. Upon return, it contains the actual address where the file is rebased.
TimeStampNew timestamp for the file.



Page: 1, 2, 3, 4, 5, 6
next page



ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

EXCHANGE 2007 Mastery Series – May 29, 2008
3 Info-packed eLearning seminars for only $99! Learn the pros and cons of your mailbox high availability options, see real-world examples of Transport Rules, and get started with basic PowerShell commands with Mark Arnold, MCSE+M and Microsoft MVP.

Windows IT Pro Master CD: Take the Experts with You!
Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the Windows IT Pro Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

SQL Server Magazine Master CD: Take the Experts with You!
Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the SQL Server Magazine Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes. And add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Become a fan of Windows IT Pro on Facebook
Join the Windows IT Pro fan club on Facebook. Chat with other IT Pros, upload your pictures, check out what's up n' coming in the next issue and more!



Become a Response Point Specialist
Earn more with the small biz phone solution from Microsoft.

Get Started with Oracle on Windows DVD
Learn how Oracle gives you the power to grow by providing a scalable, easy-to-use platform for running your business at a price you can afford.

Agent-less Remote Backup Service, Free 30 Day Trial
Award winning remote backup service at a competitive price with no min GB/month. Sign up Now!
Windows IT Pro Home Register About Us Affiliates / Licensing Press Room Media Kit Contact Us/Customer Service  
SQL Connected Home IT Library SuperSite FAQ Wininfo News
Europe Edition Office & SharePoint Pro Windows Dev Pro Windows Excavator 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing