IMAGE_SECTION_HEADER

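IMAGE_SECTION_HEADER STRUCT
    Name                 BYTE   ; section name (8 bytes)
    Misc                 UNION  ; union: either member may be used, usually the latter
        PhysicalAddress  DWORD  ; physical file address
        VirtualSize      DWORD  ; size when loaded into memory (unaligned)
    VirtualAddress       DWORD  ; RVA of the section
    SizeOfRawData        DWORD  ; size in the file after alignment
    PointerToRawData     DWORD  ; offset in the file
    PointerToRelocations DWORD  ; used in OBJ files: offset of the relocations
    PointerToLinenumbers DWORD  ; offset of the line-number table (used for debugging)
    NumberOfRelocations  WORD   ; used in OBJ files: number of relocation entries
    NumberOfLinenumbers  WORD   ; number of entries in the line-number table
    Characteristics      DWORD  ; section characteristics
IMAGE_SECTION_HEADER ENDS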

SECTION_CHARACTERISTICS Characteristics:

| Flag | Value | Meaning |
|---|---|---|
| | 0x00000000 | Reserved. |
| | 0x00000001 | Reserved. |
| | 0x00000002 | Reserved. |
| | 0x00000004 | Reserved. |
| IMAGE_SCN_TYPE_NO_PAD | 0x00000008 | The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. |
| | 0x00000010 | Reserved. |
| IMAGE_SCN_CNT_CODE | 0x00000020 | The section contains executable code. |
| IMAGE_SCN_CNT_INITIALIZED_DATA | 0x00000040 | The section contains initialized data. |
| IMAGE_SCN_CNT_UNINITIALIZED_DATA | 0x00000080 | The section contains uninitialized data. |
| IMAGE_SCN_LNK_OTHER | 0x00000100 | Reserved. |
| IMAGE_SCN_LNK_INFO | 0x00000200 | The section contains comments or other information. This is valid only for object files. |
| | 0x00000400 | Reserved. |
| IMAGE_SCN_LNK_REMOVE | 0x00000800 | The section will not become part of the image. This is valid only for object files. |
| IMAGE_SCN_LNK_COMDAT | 0x00001000 | The section contains COMDAT data. This is valid only for object files. |
| | 0x00002000 | Reserved. |
| IMAGE_SCN_NO_DEFER_SPEC_EXC | 0x00004000 | Reset speculative exceptions handling bits in the TLB entries for this section. |
| IMAGE_SCN_GPREL | 0x00008000 | The section contains data referenced through the global pointer. |
| | 0x00010000 | Reserved. |
| IMAGE_SCN_MEM_PURGEABLE | 0x00020000 | Reserved. |
| IMAGE_SCN_MEM_LOCKED | 0x00040000 | Reserved. |
| IMAGE_SCN_MEM_PRELOAD | 0x00080000 | Reserved. |
| IMAGE_SCN_ALIGN_1BYTES | 0x00100000 | Align data on a 1-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_2BYTES | 0x00200000 | Align data on a 2-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_4BYTES | 0x00300000 | Align data on a 4-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_8BYTES | 0x00400000 | Align data on an 8-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_16BYTES | 0x00500000 | Align data on a 16-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_32BYTES | 0x00600000 | Align data on a 32-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_64BYTES | 0x00700000 | Align data on a 64-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_128BYTES | 0x00800000 | Align data on a 128-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_256BYTES | 0x00900000 | Align data on a 256-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_512BYTES | 0x00A00000 | Align data on a 512-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_1024BYTES | 0x00B00000 | Align data on a 1024-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_2048BYTES | 0x00C00000 | Align data on a 2048-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_4096BYTES | 0x00D00000 | Align data on a 4096-byte boundary. This is valid only for object files. |
| IMAGE_SCN_ALIGN_8192BYTES | 0x00E00000 | Align data on an 8192-byte boundary. This is valid only for object files. |
| IMAGE_SCN_LNK_NRELOC_OVFL | 0x01000000 | The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section. |
| IMAGE_SCN_MEM_DISCARDABLE | 0x02000000 | The section can be discarded as needed. |
| IMAGE_SCN_MEM_NOT_CACHED | 0x04000000 | The section cannot be cached. |
| IMAGE_SCN_MEM_NOT_PAGED | 0x08000000 | The section cannot be paged. |
| IMAGE_SCN_MEM_SHARED | 0x10000000 | The section can be shared in memory. |
| IMAGE_SCN_MEM_EXECUTE | 0x20000000 | The section can be executed as code. |
| IMAGE_SCN_MEM_READ | 0x40000000 | The section can be read. |
| IMAGE_SCN_MEM_WRITE | 0x80000000 | The section can be written to. |

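Converting between RVA and FOA

[Figure: image-20201113220426144]

When a file is loaded from disk into memory, the alignment granularity changes from file alignment to memory alignment. In the samples we work with these are usually 200h and 1000h, which makes the PE file larger in memory than it is on disk.

As the figure shows, the address of a position inside a section is converted as follows:

  1. Compute the offset of the position relative to the start of the section.
  2. Determine the FOA that corresponds to the section's RVA (PointerToRawData).
  3. FOA = FOA of the section start + offset

Clearly, loading the file into memory only realigns the file headers and each section as a whole block; relative offsets inside a section do not change.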
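The three steps above as an added Python example (not code from the original page). It also covers the cases the steps leave implicit: RVAs inside the headers, RVAs in a section's zero-filled tail, and unmapped RVAs. The section table is constructed sample data, and `size_of_headers` is assumed to be read from the optional header's SizeOfHeaders field, which this page does not cover.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (little-endian).
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def parse_sections(table: bytes, count: int):
    """Unpack `count` section headers from a raw section table."""
    sections = []
    for i in range(count):
        name, vsize, va, raw_size, raw_ptr, *_rest = struct.unpack_from(
            SECTION_FMT, table, i * SECTION_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VirtualSize": vsize, "VirtualAddress": va,
            "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr,
        })
    return sections

def rva_to_foa(rva, sections, size_of_headers):
    """Return the file offset for `rva`, or None if no file bytes back it."""
    if rva < size_of_headers:
        return rva  # headers are mapped 1:1 from the start of the file
    for s in sections:
        offset = rva - s["VirtualAddress"]            # step 1
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if 0 <= offset < span:
            if offset >= s["SizeOfRawData"]:
                return None  # zero-filled tail in memory, absent from the file
            return s["PointerToRawData"] + offset     # steps 2 and 3
    return None  # RVA falls in an alignment gap or beyond the image

def _hdr(name, vsize, va, raw_size, raw_ptr, chars):
    return struct.pack(SECTION_FMT, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

# Constructed sample table: FileAlignment 200h, SectionAlignment 1000h.
SAMPLE_TABLE = (
    _hdr(b".text", 0x1234, 0x1000, 0x1400, 0x400, 0x60000020) +
    _hdr(b".data", 0x3000, 0x3000, 0x200, 0x1800, 0xC0000040)
)
SAMPLE_SECTIONS = parse_sections(SAMPLE_TABLE, 2)

if __name__ == "__main__":
    for rva in (0x80, 0x1010, 0x3010, 0x3800, 0x9000):
        foa = rva_to_foa(rva, SAMPLE_SECTIONS, 0x400)  # 0x400: assumed SizeOfHeaders
        print(hex(rva), "->", hex(foa) if foa is not None else "no file offset")
```

Returning None instead of a computed offset matters when parsing untrusted files: an RVA with no file backing would otherwise index past the section's raw data.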

References

IMAGE_SECTION_HEADER (winnt.h) - Win32 apps | Microsoft Docs