Figure 1
Section Names

| Name | Description |
|---|---|
| .text | The default code section. |
| .data | The default read/write data section. Global variables typically go here. |
| .rdata | The default read-only data section. String literals and C++/COM vtables are examples of items put into .rdata. |
| .idata | The imports table. It has become common practice (either explicitly, or via linker default behavior) to merge the .idata section into another section, typically .rdata. By default, the linker only merges the .idata section into another section when creating a release mode executable. |
| .edata | The exports table. When creating an executable that exports APIs or data, the linker creates an .EXP file. The .EXP file contains an .edata section that's added into the final executable. Like the .idata section, the .edata section is often found merged into the .text or .rdata sections. |
| .rsrc | The resources. This section is read-only. However, it should not be named anything other than .rsrc, and should not be merged into other sections. |
| .bss | Uninitialized data. Rarely found in executables created with recent linkers. Instead, the VirtualSize of the executable's .data section is expanded to make enough room for uninitialized data. |
| .crt | Data added for supporting the C++ runtime (CRT). A good example is the function pointers that are used to call the constructors and destructors of static C++ objects. See the January 2001 Under The Hood column for details on this. |
| .tls | Data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime. |
| .reloc | The base relocations in an executable. Base relocations are generally only needed for DLLs and not EXEs. In release mode, the linker (as of this writing) doesn't emit base relocations for EXE files, and relocations can be removed explicitly by linking with the /FIXED switch. Caveat for current binaries: an EXE linked with /DYNAMICBASE (ASLR) must keep its .reloc data, because the loader needs it to rebase the image, so a missing .reloc in an EXE is no longer the norm and is itself worth noting when examining a file. |
| .sdata | "Short" read/write data that can be addressed relative to the global pointer. Used for the IA-64 and other architectures that use a global pointer register. Regular-sized global variables on the IA-64 will go in this section. |
| .srdata | "Short" read-only data that can be addressed relative to the global pointer. Used on the IA-64 and other architectures that use a global pointer register. |
| .pdata | The exception table. Contains an array of IMAGE_RUNTIME_FUNCTION_ENTRY structures, which are CPU-specific. Pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION slot in the DataDirectory. Used for architectures with table-based exception handling, such as the IA-64 (and, later, x64). The only architecture that doesn't use table-based exception handling is the 32-bit x86, which chains exception registration records on the stack instead. |
| .debug$S | CodeView format symbols in the OBJ file. This is a stream of variable-length CodeView format symbol records. |
| .debug$T | CodeView format type records in the OBJ file. This is a stream of variable-length CodeView format type records. |
| .debug$P | Found in the OBJ file when using precompiled headers. |
| .drectve | Contains linker directives and is only found in OBJs. Directives are ASCII strings that could be passed on the linker command line, for instance -defaultlib:LIBC. Directives are separated by a space character. |
| .didat | Delayload import data. Found in executables built in nonrelease mode. In release mode, the delayload data is merged into another section. |
Figure 2
IMAGE_EXPORT_DIRECTORY Structure Members

| Size | Member | Description |
|---|---|---|
| DWORD | Characteristics | Flags for the exports. Currently, none are defined. |
| DWORD | TimeDateStamp | The time/date that the exports were created. This field has the same definition as the IMAGE_NT_HEADERS.FileHeader.TimeDateStamp field (number of seconds since 1/1/1970 GMT). |
| WORD | MajorVersion | The major version number of the exports. Not used, and set to 0. |
| WORD | MinorVersion | The minor version number of the exports. Not used, and set to 0. |
| DWORD | Name | A relative virtual address (RVA) to an ASCII string with the DLL name associated with these exports (for example, KERNEL32.DLL). |
| DWORD | Base | This field contains the starting ordinal value to be used for this executable's exports. Normally, this value is 1, but it's not required to be so. When looking up an export by ordinal, the value of this field is subtracted from the ordinal, with the result used as a zero-based index into the Export Address Table (EAT). |
| DWORD | NumberOfFunctions | The number of entries in the EAT. Note that some entries may be 0, indicating that no code/data is exported with that ordinal value. |
| DWORD | NumberOfNames | The number of entries in the Export Names Table (ENT). This value will always be less than or equal to the NumberOfFunctions field. It will be less when there are symbols exported by ordinal only. It can also be less if there are numeric gaps in the assigned ordinals. This field is also the size of the export ordinal table (below). |
| DWORD | AddressOfFunctions | The RVA of the EAT. The EAT is an array of RVAs. Each nonzero RVA in the array corresponds to an exported symbol. An RVA that points back inside the export directory's own data is a forwarder: it addresses a "DLLNAME.SymbolName" string rather than code or data. |
| DWORD | AddressOfNames | The RVA of the ENT. The ENT is an array of RVAs to ASCII strings. Each ASCII string corresponds to a symbol exported by name. This table is sorted so that the ASCII strings are in order. This allows the loader to do a binary search when looking for an exported symbol. The sorting of the names is binary (like the C++ RTL strcmp function provides), rather than a locale-specific alphabetic ordering. |
| DWORD | AddressOfNameOrdinals | The RVA of the export ordinal table. This table is an array of WORDs, parallel to the ENT. It maps an array index from the ENT into the corresponding export address table entry. Note that each WORD holds the zero-based EAT index (the ordinal minus Base), not the ordinal itself; add Base back to obtain the ordinal to report. |
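As an added example (not code from the article or from PEDUMP), the following Python builds a constructed export section and then resolves exports the two ways the table describes: by walking the EAT with the Base bias applied, and by binary-searching the ENT and going through the ordinal table, as the loader does. It assumes a flat model in which the export data is a single section starting at RVA SECTION_RVA, so RVA-to-offset is a subtraction; a parser for real files must map RVAs through the section table. The names MYLIB.dll, Alpha, Beta, Gamma and NTDLL.RtlBeta and every RVA in the sample are made up.

```python
import struct

# Flat model for this example: the constructed export data is one "section" whose
# first byte sits at RVA SECTION_RVA, so RVA -> offset is a subtraction. A real
# parser must map RVAs through the section table instead.
SECTION_RVA = 0x1000
IMAGE_EXPORT_DIRECTORY = struct.Struct("<IIHHIIIIIII")  # 11 fields, 40 bytes

def off(rva):
    return rva - SECTION_RVA

def cstr(blob, pos):
    return bytes(blob[pos:blob.index(b"\0", pos)]).decode("ascii")

def build_export_section():
    """Constructed sample (not a real DLL). Ordinal Base is 5:
    ord 5 Alpha -> RVA 0x2010, ord 6 Gamma -> RVA 0x2020, ord 7 nameless -> 0x2030,
    ord 8 is a gap (EAT entry 0), ord 9 Beta forwards to NTDLL.RtlBeta."""
    blob = bytearray(IMAGE_EXPORT_DIRECTORY.size)       # directory first, filled in last
    def add(data):
        pos = len(blob)
        blob.extend(data)
        return SECTION_RVA + pos
    def add_str(s):
        return add(s.encode("ascii") + b"\0")
    dll_name = add_str("MYLIB.dll")
    forwarder = add_str("NTDLL.RtlBeta")                 # forwarder target lives inside .edata
    names = {n: add_str(n) for n in ("Alpha", "Beta", "Gamma")}
    eat = [0x2010, 0x2020, 0x2030, 0, forwarder]        # indexed by (ordinal - Base)
    eat_rva = add(struct.pack("<%dI" % len(eat), *eat))
    sorted_names = sorted(names)                         # ENT must be in strcmp (byte) order
    ent_rva = add(struct.pack("<%dI" % len(sorted_names), *(names[n] for n in sorted_names)))
    unbiased = {"Alpha": 0, "Gamma": 1, "Beta": 4}        # ordinal table holds EAT indices, not ordinals
    ord_rva = add(struct.pack("<%dH" % len(sorted_names), *(unbiased[n] for n in sorted_names)))
    IMAGE_EXPORT_DIRECTORY.pack_into(blob, 0, 0, 0x3B7DDFD8, 0, 0, dll_name, 5,
                                     len(eat), len(sorted_names), eat_rva, ent_rva, ord_rva)
    return bytes(blob)

def parse_exports(blob, dir_rva=SECTION_RVA, dir_size=None):
    """Return (dll_name, {ordinal: (name or None, target)}) where target is an RVA,
    or a 'DLL.Symbol' string when the EAT entry points back inside the export data."""
    if dir_size is None:
        dir_size = len(blob)
    (_chars, _stamp, _maj, _min, name_rva, base, nfuncs, nnames,
     eat_rva, ent_rva, ord_rva) = IMAGE_EXPORT_DIRECTORY.unpack_from(blob, off(dir_rva))
    if nnames > nfuncs:
        raise ValueError("NumberOfNames exceeds NumberOfFunctions")
    eat = struct.unpack_from("<%dI" % nfuncs, blob, off(eat_rva))
    ent = struct.unpack_from("<%dI" % nnames, blob, off(ent_rva))
    ords = struct.unpack_from("<%dH" % nnames, blob, off(ord_rva))
    name_of = {}
    for str_rva, idx in zip(ent, ords):
        if idx >= nfuncs:
            raise ValueError("ordinal table entry %d out of range" % idx)
        name_of[idx] = cstr(blob, off(str_rva))
    exports = {}
    for idx, target in enumerate(eat):
        if target == 0:
            continue                                     # gap: nothing exported at this ordinal
        if dir_rva <= target < dir_rva + dir_size:
            target = cstr(blob, off(target))             # forwarder, e.g. "NTDLL.RtlBeta"
        exports[base + idx] = (name_of.get(idx), target)
    return cstr(blob, off(name_rva)), exports

def lookup_by_name(blob, wanted, dir_rva=SECTION_RVA):
    """Resolve a name the way the loader does: binary search over the ENT using
    bytewise comparison, then ordinal table -> EAT. Returns (ordinal, EAT value) or None."""
    base, nfuncs, nnames, eat_rva, ent_rva, ord_rva = \
        IMAGE_EXPORT_DIRECTORY.unpack_from(blob, off(dir_rva))[5:11]
    want = wanted.encode("ascii")
    lo, hi = 0, nnames - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        (str_rva,) = struct.unpack_from("<I", blob, off(ent_rva) + 4 * mid)
        cur = bytes(blob[off(str_rva):blob.index(b"\0", off(str_rva))])
        if cur == want:
            (idx,) = struct.unpack_from("<H", blob, off(ord_rva) + 2 * mid)
            (target,) = struct.unpack_from("<I", blob, off(eat_rva) + 4 * idx)
            return base + idx, target
        if cur < want:
            lo = mid + 1
        else:
            hi = mid - 1
    return None

if __name__ == "__main__":
    section = build_export_section()
    dll, exports = parse_exports(section)
    print(dll)
    for ordinal, (name, target) in sorted(exports.items()):
        shown = target if isinstance(target, str) else "%08X" % target
        print("%4d %-8s %s" % (ordinal, name or "(none)", shown))
    print(lookup_by_name(section, "Gamma"))
```

The forwarder test is the one the loader uses: an EAT value that falls inside the export directory's RVA range addresses a string, not code. The ordinal table stores unbiased EAT indices, which is why base is added back when reporting the ordinal; getting that off by Base is a common bug in hand-written resolvers.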
Figure 4
KERNEL32 Exports
exports table:
Name: KERNEL32.dll
Characteristics: 00000000
TimeDateStamp: 3B7DDFD8 -> Fri Aug 17 23:24:08 2001
Version: 0.00
Ordinal base: 00000001
# of functions: 000003A0
# of Names: 000003A0
Entry Pt Ordn Name
00012ADA 1 ActivateActCtx
000082C2 2 AddAtomA
•••remainder of exports omitted
Figure 5
IMAGE_IMPORT_DESCRIPTOR Structure

| Size | Member | Description |
|---|---|---|
| DWORD | OriginalFirstThunk | This field is badly named. It contains the RVA of the Import Name Table (INT). This is an array of IMAGE_THUNK_DATA structures. The array of IMAGE_IMPORT_DESCRIPTORs is terminated by an entry whose fields are all 0. Parsers should not rely on this field alone to detect the terminator: some older linkers emit descriptors with OriginalFirstThunk set to 0 while Name and FirstThunk are valid, and the loader resolves those imports through the IAT. |
| DWORD | TimeDateStamp | This is 0 if this executable is not bound against the imported DLL. When binding in the old style (see the section on Binding), this field contains the time/date stamp (number of seconds since 1/1/1970 GMT) when the binding occurred. When binding in the new style, this field is set to -1 (0xFFFFFFFF). |
| DWORD | ForwarderChain | This is the index of the first forwarded API. Set to -1 if no forwarders. Only used for old-style binding, which could not handle forwarded APIs efficiently. |
| DWORD | Name | The RVA of the ASCII string with the name of the imported DLL. |
| DWORD | FirstThunk | Contains the RVA of the Import Address Table (IAT). This is an array of IMAGE_THUNK_DATA structures. In an unbound file the IAT holds the same values as the INT; once the image is loaded (or bound), each IAT entry holds the resolved function address. |
Figure 7
ImgDelayDescr Structure

| Size | Member | Description |
|---|---|---|
| DWORD | grAttrs | The attributes for this structure. Currently, the only flag defined is dlattrRva (1), indicating that the address fields in the structure should be treated as RVAs, rather than virtual addresses. When the flag is clear, each nonzero field must have the ImageBase subtracted before it can be used as an RVA. |
| RVA | rvaDLLName | An RVA to a string with the name of the imported DLL. This string is passed to LoadLibrary. |
| RVA | rvaHmod | An RVA to an HMODULE-sized memory location. When the delayloaded DLL is brought into memory, its HMODULE is stored at this location. |
| RVA | rvaIAT | An RVA to the Import Address Table for this DLL. This is the same format as a regular IAT. |
| RVA | rvaINT | An RVA to the Import Name Table for this DLL. This is the same format as a regular INT. |
| RVA | rvaBoundIAT | An RVA of the optional bound IAT. An RVA to a bound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently, this copy of the IAT is not actually bound, but this feature may be added in future versions of the BIND program. |
| RVA | rvaUnloadIAT | An RVA of the optional copy of the original IAT. An RVA to an unbound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently always set to 0. |
| DWORD | dwTimeStamp | The date/time stamp of the delayload imported DLL. Normally set to 0. |
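The following Python, added here and not part of the article, parses both structures from Figure 5 and Figure 7 out of a constructed sample: it walks the IMAGE_IMPORT_DESCRIPTOR array to its all-zero terminator, decodes each INT entry either as an ordinal (IMAGE_ORDINAL_FLAG32 set in the thunk) or as an IMAGE_IMPORT_BY_NAME hint plus name, classifies the binding state from TimeDateStamp, and then reads an ImgDelayDescr, honoring dlattrRva to decide whether the fields are RVAs or virtual addresses. The flat layout (data begins at RVA SECTION_RVA, ImageBase 0x00400000), the DLL and function names, the hints, and the addresses 0x77D507EA and 0x401234 are all assumptions made for the sample.

```python
import struct

# Flat model for this example: the constructed import data is one "section" whose
# first byte sits at RVA SECTION_RVA. Real parsers map RVAs through the section table.
SECTION_RVA = 0x2000
IMAGE_BASE = 0x00400000                       # assumed ImageBase, needed for delay-load VAs
IMAGE_ORDINAL_FLAG32 = 0x80000000             # high bit set: thunk holds an ordinal, not an RVA
IMAGE_IMPORT_DESCRIPTOR = struct.Struct("<IIIII")  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMG_DELAY_DESCR = struct.Struct("<IIIIIIII")       # grAttrs, rvaDLLName, rvaHmod, rvaIAT, rvaINT, rvaBoundIAT, rvaUnloadIAT, dwTimeStamp

def off(rva):
    return rva - SECTION_RVA

def cstr(blob, pos):
    return bytes(blob[pos:blob.index(b"\0", pos)]).decode("ascii")

def build_image(delay_as_rva=True):
    """Constructed sample (not a real binary): two regular descriptors plus the
    all-zero terminator, and one delay-load descriptor for ADVAPI32."""
    blob = bytearray()
    def add(data):
        pos = len(blob)
        blob.extend(data)
        return SECTION_RVA + pos
    def add_cstr(s):
        return add(s.encode("ascii") + b"\0")
    def add_ibn(hint, name):                  # IMAGE_IMPORT_BY_NAME: WORD Hint, then the name
        return add(struct.pack("<H", hint) + name.encode("ascii") + b"\0")
    def add_thunks(entries):                  # zero-terminated IMAGE_THUNK_DATA32 array
        return add(struct.pack("<%dI" % (len(entries) + 1), *entries, 0))
    # KERNEL32: one import by name, one by ordinal; not bound, so the IAT is a copy of the INT.
    k32 = add_cstr("KERNEL32.dll")
    k32_entries = [add_ibn(0x1A3, "GetProcAddress"), IMAGE_ORDINAL_FLAG32 | 12]
    k32_int, k32_iat = add_thunks(k32_entries), add_thunks(k32_entries)
    # USER32: bound new-style (TimeDateStamp -1); its IAT already holds a resolved address.
    u32 = add_cstr("USER32.dll")
    u32_int = add_thunks([add_ibn(0x200, "MessageBoxA")])
    u32_iat = add_thunks([0x77D507EA])        # constructed bound address
    import_dir = add(IMAGE_IMPORT_DESCRIPTOR.pack(k32_int, 0, 0, k32, k32_iat)
                     + IMAGE_IMPORT_DESCRIPTOR.pack(u32_int, 0xFFFFFFFF, 0xFFFFFFFF, u32, u32_iat)
                     + bytes(IMAGE_IMPORT_DESCRIPTOR.size))
    # ADVAPI32 via delay-load: HMODULE slot starts at 0, IAT starts pointing at the load stub.
    adv = add_cstr("ADVAPI32.dll")
    adv_hmod = add(b"\0\0\0\0")
    adv_int = add_thunks([add_ibn(0, "RegOpenKeyExA")])
    adv_iat = add_thunks([0x401234])          # constructed address of the delay-load helper stub
    fix = (lambda r: r) if delay_as_rva else (lambda r: r + IMAGE_BASE)   # dlattrRva clear => VAs
    delay_dir = add(IMG_DELAY_DESCR.pack(1 if delay_as_rva else 0, fix(adv), fix(adv_hmod),
                                         fix(adv_iat), fix(adv_int), 0, 0, 0))
    return bytes(blob), import_dir, delay_dir

def read_thunks(blob, rva):
    # Walk a zero-terminated INT; yield ('name', hint, name) or ('ordinal', n) per entry.
    out, pos = [], off(rva)
    while True:
        (thunk,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if thunk == 0:
            break
        if thunk & IMAGE_ORDINAL_FLAG32:
            out.append(("ordinal", thunk & 0xFFFF))
        else:
            (hint,) = struct.unpack_from("<H", blob, off(thunk))
            out.append(("name", hint, cstr(blob, off(thunk) + 2)))
    return out

def binding_state(stamp):
    if stamp == 0:
        return "not bound"
    if stamp == 0xFFFFFFFF:
        return "bound (new style)"
    return "bound (old style, stamp 0x%08X)" % stamp

def parse_imports(blob, dir_rva):
    result, pos = [], off(dir_rva)
    while True:
        oft, stamp, fwd, name_rva, ft = IMAGE_IMPORT_DESCRIPTOR.unpack_from(blob, pos)
        pos += IMAGE_IMPORT_DESCRIPTOR.size
        if oft == 0 and name_rva == 0 and ft == 0:      # all-zero terminator
            break
        # Some older linkers leave OriginalFirstThunk 0; in an unbound image the IAT is an
        # identical copy of the INT, so fall back to FirstThunk in that case.
        result.append({"dll": cstr(blob, off(name_rva)), "binding": binding_state(stamp),
                       "forwarder_chain": fwd, "imports": read_thunks(blob, oft or ft)})
    return result

def parse_delay_imports(blob, dir_rva, image_base=IMAGE_BASE):
    attrs, dll, hmod, iat, int_, _bound, _unload, _stamp = IMG_DELAY_DESCR.unpack_from(blob, off(dir_rva))
    to_rva = (lambda v: v) if attrs & 1 else (lambda v: v - image_base if v else 0)   # dlattrRva
    return {"dll": cstr(blob, off(to_rva(dll))), "hmod_slot_rva": to_rva(hmod),
            "iat_rva": to_rva(iat), "imports": read_thunks(blob, to_rva(int_))}

if __name__ == "__main__":
    image, imp_dir, dly_dir = build_image()
    for d in parse_imports(image, imp_dir):
        print(d["dll"], d["binding"], d["imports"])
    print(parse_delay_imports(image, dly_dir))
```

Two details matter when this runs against real files: the terminator check looks at more than OriginalFirstThunk, so descriptors from linkers that zero that field are still enumerated, and the delay-load fields are only subtracted by ImageBase when dlattrRva is clear, which is how the older VA-based descriptors are distinguished from the current RVA-based ones.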
Figure 8
Resources from ADVAPI32.DLL
Resources (RVA: 6B000)
ResDir (0) Entries:03 (Named:01, ID:02) TimeDate:00000000
———————————————————————————————
ResDir (MOFDATA) Entries:01 (Named:01, ID:00) TimeDate:00000000
ResDir (MOFRESOURCENAME) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000128
DataRVA: 6B6F0 DataSize: 190F5 CodePage: 0
———————————————————————————————
ResDir (STRING) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (C36) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000138
DataRVA: 6B1B0 DataSize: 0053C CodePage: 0
———————————————————————————————
ResDir (RCDATA) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (66) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000148
DataRVA: 85908 DataSize: 0005C CodePage: 0
Figure 9
Fields of IMAGE_DEBUG_DIRECTORY

| Size | Member | Description |
|---|---|---|
| DWORD | Characteristics | Unused and set to 0. |
| DWORD | TimeDateStamp | The time/date stamp of this debug information (number of seconds since 1/1/1970, GMT). |
| WORD | MajorVersion | The major version of this debug information. Unused. |
| WORD | MinorVersion | The minor version of this debug information. Unused. |
| DWORD | Type | The type of the debug information. The most commonly encountered types are IMAGE_DEBUG_TYPE_COFF, IMAGE_DEBUG_TYPE_CODEVIEW (including PDB references), IMAGE_DEBUG_TYPE_FPO (frame pointer omission), IMAGE_DEBUG_TYPE_MISC (IMAGE_DEBUG_MISC), IMAGE_DEBUG_TYPE_OMAP_TO_SRC, IMAGE_DEBUG_TYPE_OMAP_FROM_SRC and IMAGE_DEBUG_TYPE_BORLAND (Borland format). |
| DWORD | SizeOfData | The size of the debug data in this file. Doesn't count the size of external debug files such as .PDBs. |
| DWORD | AddressOfRawData | The RVA of the debug data, when mapped into memory. Set to 0 if the debug data isn't mapped in. |
| DWORD | PointerToRawData | The file offset of the debug data (not an RVA). A parser should check that PointerToRawData + SizeOfData lies within the file before reading. |
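As an added example, not from the article, this Python parses an IMAGE_DEBUG_DIRECTORY array out of a constructed file image and decodes the CodeView entry. The RSDS (CV_INFO_PDB70: signature, GUID, age, path) and NB10 (CV_INFO_PDB20: signature, offset, timestamp, age, path) record layouts and the symbol-server key derivation are not described on this page; they are the standard formats and are stated here as the example's assumptions. The file offsets, GUID, age, and PDB path are made up. The PDB path is worth extracting in incident response because it often leaks the build machine's directory layout, and the GUID plus age pair identifies one specific build.

```python
import struct
import uuid

# Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Type, SizeOfData,
# AddressOfRawData, PointerToRawData
IMAGE_DEBUG_DIRECTORY = struct.Struct("<IIHHIIII")   # 28 bytes
DEBUG_TYPE_NAMES = {1: "COFF", 2: "CODEVIEW", 3: "FPO", 4: "MISC",
                    7: "OMAP_TO_SRC", 8: "OMAP_FROM_SRC", 9: "BORLAND"}
IMAGE_DEBUG_TYPE_CODEVIEW = 2

# Constructed GUID for the sample PDB record (any value works; this one is easy to recognise).
PDB_GUID = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0")

def build_sample_file():
    """Constructed file image (not a real PE): a placeholder header, an RSDS CodeView
    record, an opaque FPO blob, then a two-entry debug directory. Returns
    (file_bytes, directory_file_offset, directory_size)."""
    f = bytearray(b"MZ" + b"\0" * 0x3E)
    def add(data):
        pos = len(f)
        f.extend(data)
        return pos
    rsds = b"RSDS" + PDB_GUID.bytes_le + struct.pack("<I", 3) + b"C:\\build\\agent\\out\\sample.pdb\0"
    cv_off = add(rsds)
    fpo_off = add(b"\0" * 16)                            # opaque FPO_DATA payload for illustration
    entries = (IMAGE_DEBUG_DIRECTORY.pack(0, 0x3B7DDFD8, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds), 0, cv_off)
               + IMAGE_DEBUG_DIRECTORY.pack(0, 0x3B7DDFD8, 0, 0, 3, 16, 0, fpo_off))
    dir_off = add(entries)
    return bytes(f), dir_off, len(entries)

def parse_codeview(data):
    """Decode the CodeView payload. RSDS is CV_INFO_PDB70 (GUID + age + path);
    NB10 is the older CV_INFO_PDB20 (offset + signature + age + path)."""
    sig = bytes(data[:4])
    if sig == b"RSDS":
        guid = uuid.UUID(bytes_le=bytes(data[4:20]))     # stored in Windows GUID byte order
        (age,) = struct.unpack_from("<I", data, 20)
        path_start, key = 24, guid.hex.upper() + "%X" % age
    elif sig == b"NB10":
        _offset, signature, age = struct.unpack_from("<III", data, 4)
        path_start, key = 16, "%08X%X" % (signature, age)
    else:
        return {"codeview_signature": sig.hex()}
    path = bytes(data[path_start:data.index(b"\0", path_start)]).decode("utf-8", "replace")
    pdb = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Symbol-server layout: <pdb name>/<GUID hex + age>/<pdb name>
    return {"pdb_path": path, "symsrv_key": key, "symsrv_path": "%s/%s/%s" % (pdb, key, pdb)}

def parse_debug_directory(file_bytes, dir_off, dir_size):
    if dir_size % IMAGE_DEBUG_DIRECTORY.size:
        raise ValueError("debug directory size is not a multiple of 28")
    out = []
    for pos in range(dir_off, dir_off + dir_size, IMAGE_DEBUG_DIRECTORY.size):
        _c, stamp, _maj, _min, dtype, size, _rva, ptr = IMAGE_DEBUG_DIRECTORY.unpack_from(file_bytes, pos)
        if ptr + size > len(file_bytes):                  # PointerToRawData is a file offset
            raise ValueError("debug data runs past end of file")
        entry = {"type": DEBUG_TYPE_NAMES.get(dtype, "type %d" % dtype), "timestamp": stamp, "size": size}
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW:
            entry.update(parse_codeview(file_bytes[ptr:ptr + size]))
        out.append(entry)
    return out

if __name__ == "__main__":
    f, d_off, d_size = build_sample_file()
    for e in parse_debug_directory(f, d_off, d_size):
        print(e)
```

The bounds check on PointerToRawData + SizeOfData is not decoration: debug directories in malformed or packed samples routinely point outside the file, and a parser that trusts the offsets will read garbage or crash.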
Figure 10
IMAGE_COR20_HEADER Structure

| Type | Member | Description |
|---|---|---|
| DWORD | cb | Size of the header in bytes. |
| WORD | MajorRuntimeVersion | The minimum version of the runtime required to run this program. For the first release of .NET, this value is 2. |
| WORD | MinorRuntimeVersion | The minor portion of the version. Currently 0. |
| IMAGE_DATA_DIRECTORY | MetaData | The RVA and size of the metadata tables. |
| DWORD | Flags | Flag values containing attributes for this image. These values are currently defined as: COMIMAGE_FLAGS_ILONLY (image contains only IL code that is not required to run on a specific CPU), COMIMAGE_FLAGS_32BITREQUIRED (only runs in 32-bit processes), COMIMAGE_FLAGS_IL_LIBRARY, COMIMAGE_FLAGS_STRONGNAMESIGNED (image is signed with hash data) and COMIMAGE_FLAGS_TRACKDEBUGDATA (causes the JIT/runtime to keep debug information around for methods). |
| DWORD | EntryPointToken | Token for the MethodDef of the entry point for the image. The .NET runtime calls this method to begin managed execution in the file. |
| IMAGE_DATA_DIRECTORY | Resources | The RVA and size of the .NET resources. |
| IMAGE_DATA_DIRECTORY | StrongNameSignature | The RVA of the strong name hash data. |
| IMAGE_DATA_DIRECTORY | CodeManagerTable | The RVA of the code manager table. A code manager contains the code required to obtain the state of a running program (such as tracing the stack and tracking GC references). |
| IMAGE_DATA_DIRECTORY | VTableFixups | The RVA of an array of function pointers that need fixups. This is for support of unmanaged C++ vtables. |
| IMAGE_DATA_DIRECTORY | ExportAddressTableJumps | The RVA to an array of RVAs where export JMP thunks are written. These thunks allow managed methods to be exported so that unmanaged code can call them. |
| IMAGE_DATA_DIRECTORY | ManagedNativeHeader | For internal use of the .NET runtime in memory. Set to 0 in the executable. |
Figure 11
IMAGE_TLS_DIRECTORY Structure

| Size | Member | Description |
|---|---|---|
| DWORD | StartAddressOfRawData | The beginning address of a range of memory used to initialize a new thread's TLS data in memory. Note that this and the other three address fields are virtual addresses (ImageBase included), not RVAs, which is one reason a DLL that uses TLS needs base relocations. In PE32+ images (IMAGE_TLS_DIRECTORY64) these four address fields are 64 bits wide. |
| DWORD | EndAddressOfRawData | The ending address of the range of memory used to initialize a new thread's TLS data in memory. |
| DWORD | AddressOfIndex | When the executable is brought into memory and a .tls section is present, the loader allocates a TLS handle via TlsAlloc. It stores the handle at the address given by this field. The runtime library uses this index to locate the thread local data. |
| DWORD | AddressOfCallBacks | Address of an array of PIMAGE_TLS_CALLBACK function pointers. When a thread is created or destroyed, each function in the list is called. The end of the list is indicated by a pointer-sized variable set to 0. In normal Visual C++ executables, this list is empty. Because the loader invokes these callbacks for the initial thread before transferring control to AddressOfEntryPoint, code placed here runs before the program's entry point; packers and anti-debugging tricks rely on this, so an analyst should enumerate the callback array rather than starting only from the entry point. |
| DWORD | SizeOfZeroFill | The number of bytes of per-thread data that follow the initialized range delimited by StartAddressOfRawData and EndAddressOfRawData. This tail is set to 0 for each new thread. |
| DWORD | Characteristics | Reserved. Currently set to 0. |
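The following Python, added here rather than taken from the article, builds a constructed .tls block in both the 32-bit layout shown above and the PE32+ variant, then parses it: it converts the virtual-address fields back to RVAs with an assumed ImageBase of 0x00400000, computes the per-thread block size from the raw data range plus SizeOfZeroFill, and walks the callback array to its zero terminator. The flat layout at RVA 0x3000, the initial values, and the callback RVAs 0x1100 and 0x1180 are assumptions made for the sample.

```python
import struct

IMAGE_BASE = 0x00400000       # assumed ImageBase of the constructed image
SECTION_RVA = 0x3000          # flat model: the constructed .tls bytes start at this RVA
# StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks,
# SizeOfZeroFill, Characteristics
TLS_DIR32 = struct.Struct("<IIIIII")
TLS_DIR64 = struct.Struct("<QQQQII")   # PE32+: the four address fields widen to 64 bits

def build_tls_section(pe32plus=False, callback_rvas=(0x1100, 0x1180)):
    """Constructed .tls data (not from a real binary): 8 bytes of initialized per-thread
    data, 24 bytes of zero-fill, the TLS index slot, and a zero-terminated callback
    array. Every address field is a VA, so ImageBase is baked in."""
    ptr, dir_struct = ("<Q", TLS_DIR64) if pe32plus else ("<I", TLS_DIR32)
    blob = bytearray(dir_struct.size)                # directory first, filled in last
    def add(data):
        pos = len(blob)
        blob.extend(data)
        return IMAGE_BASE + SECTION_RVA + pos
    raw_start = add(struct.pack("<II", 0x11111111, 0x22222222))   # initial values of __declspec(thread) variables
    raw_end = raw_start + 8
    index_slot = add(struct.pack("<I", 0))           # the loader stores the TlsAlloc index here
    cb_array = add(b"".join(struct.pack(ptr, IMAGE_BASE + r) for r in callback_rvas) + struct.pack(ptr, 0))
    dir_struct.pack_into(blob, 0, raw_start, raw_end, index_slot, cb_array, 24, 0)
    return bytes(blob)

def parse_tls(blob, pe32plus=False, image_base=IMAGE_BASE, section_rva=SECTION_RVA):
    """Return the per-thread block size and the callback RVAs. Callbacks run for the
    initial thread before AddressOfEntryPoint, so list them before trusting any
    analysis that starts at the entry point."""
    ptr, dir_struct = ("<Q", TLS_DIR64) if pe32plus else ("<I", TLS_DIR32)
    psize = struct.calcsize(ptr)
    start, end, index_va, cb_va, zero_fill, _chars = dir_struct.unpack_from(blob, 0)
    if end < start:
        raise ValueError("EndAddressOfRawData precedes StartAddressOfRawData")
    def va_to_off(va):
        offset = va - image_base - section_rva
        if not 0 <= offset < len(blob):
            raise ValueError("VA 0x%X is outside the .tls data" % va)
        return offset
    callbacks, pos = [], va_to_off(cb_va)
    while True:
        (va,) = struct.unpack_from(ptr, blob, pos)
        pos += psize
        if va == 0:
            break
        callbacks.append(va - image_base)            # report as RVA for cross-referencing
    return {"raw_data_size": end - start, "zero_fill": zero_fill,
            "per_thread_size": end - start + zero_fill,
            "index_slot_rva": index_va - image_base, "callback_rvas": callbacks}

if __name__ == "__main__":
    print(parse_tls(build_tls_section()))
    print(parse_tls(build_tls_section(pe32plus=True), pe32plus=True))
```

On a real image the callback VAs only match the file's contents if the image is loaded at its preferred ImageBase; when it is rebased, the .reloc entries for these fields are what keep the table consistent, which is why a TLS-using DLL cannot be linked with /FIXED.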
Figure 12
Command-line Options

| Option | Meaning |
|---|---|
| /A | Include everything in dump |
| /B | Show base relocations |
| /H | Include hex dump of sections |
| /I | Include Import Address Table thunk addresses |
| /L | Include line number information |
| /P | Include PDATA (runtime functions) |
| /R | Include detailed resources (stringtables and dialogs) |
| /S | Show symbol table |