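1. Image debug information
The 7th entry of the data directory table in the PE optional header, IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG], points to the image debug information. This information is stored in the PE file, usually in the ".debug" section.
The image debug information is an array of IMAGE_DEBUG_DIRECTORY structures. The structure is defined as follows: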
typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;     // creation time (GMT)
    WORD  MajorVersion;      // major version number
    WORD  MinorVersion;      // minor version number
    DWORD Type;              // debug type
    DWORD SizeOfData;        // size of the debug data
    DWORD AddressOfRawData;  // RVA of the debug data
    DWORD PointerToRawData;  // file offset of the debug data
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
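The following added example (not part of the original page) walks an IMAGE_DEBUG_DIRECTORY array using the 28-byte layout above and bounds-checks PointerToRawData and SizeOfData before reading the raw data, which is the check an analysis tool needs when handling untrusted files. The function name parse_debug_directory, the SAMPLE buffer and its payload are constructed for illustration, and the caller is assumed to have already converted the directory's RVA to a file offset.

```python
import struct
from datetime import datetime, timezone

# IMAGE_DEBUG_DIRECTORY is eight little-endian fields, 28 bytes in total.
ENTRY = struct.Struct("<IIHHIIII")
# A few IMAGE_DEBUG_TYPE_* values from winnt.h.
TYPES = {0: "UNKNOWN", 1: "COFF", 2: "CODEVIEW", 3: "FPO", 4: "MISC"}

def parse_debug_directory(image: bytes, dir_offset: int, dir_size: int):
    """Parse the IMAGE_DEBUG_DIRECTORY array found at file offset dir_offset.

    dir_size is DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size. Entries whose
    PointerToRawData/SizeOfData fall outside the file are flagged, not read.
    """
    if dir_size % ENTRY.size:
        raise ValueError("directory size is not a multiple of 28")
    if dir_offset < 0 or dir_offset + dir_size > len(image):
        raise ValueError("directory lies outside the file")
    entries = []
    for off in range(dir_offset, dir_offset + dir_size, ENTRY.size):
        _, stamp, major, minor, dtype, size, rva, ptr = ENTRY.unpack_from(image, off)
        in_bounds = ptr + size <= len(image)
        entries.append({
            "type": TYPES.get(dtype, hex(dtype)),
            "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
            "version": (major, minor),
            "rva": rva,
            "file_offset": ptr,
            "size": size,
            "in_bounds": in_bounds,
            "data": image[ptr:ptr + size] if in_bounds else None,
        })
    return entries

# Constructed sample (not a real PE): 64 filler bytes, a two-entry directory at
# file offset 64, then the first entry's raw data at file offset 120.
PAYLOAD = b"RSDS" + bytes(20) + b"sample.pdb\x00"
SAMPLE = (bytes(64)
          + ENTRY.pack(0, 1600000000, 0, 0, 2, len(PAYLOAD), 0x2078, 120)
          + ENTRY.pack(0, 1600000000, 0, 0, 4, 16, 0, 0x10000)  # data past EOF
          + PAYLOAD)

if __name__ == "__main__":
    for entry in parse_debug_directory(SAMPLE, 64, 56):
        print(entry["type"], entry["timestamp"].isoformat(), entry["in_bounds"])
```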
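2. Copyright information
The 8th entry of the data directory table in the PE optional header, IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE], points to the copyright information. The copyright information structure is IMAGE_ARCHITECTURE_HEADER, defined as follows: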
typedef struct _ImageArchitectureHeader {
    unsigned int AmaskValue: 1;  // 1 -> code section depends on mask bit
                                 // 0 -> new instruction depends on mask bit
    int :7;                      // MBZ
    unsigned int AmaskShift: 8;  // Amask bit in question for this fixup
    int :16;                     // MBZ
    DWORD FirstEntryRVA;         // RVA into .arch section to array of ARCHITECTURE_ENTRY's
} IMAGE_ARCHITECTURE_HEADER, *PIMAGE_ARCHITECTURE_HEADER;
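3. .NET information (COM table)
The 15th entry of the data directory table in the PE optional header, IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR], points to the .NET information. Its structure is IMAGE_COR20_HEADER, defined as follows: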
// CLR 2.0 header structure.
typedef struct IMAGE_COR20_HEADER
{
    // Header versioning
    ULONG cb;
    USHORT MajorRuntimeVersion;
    USHORT MinorRuntimeVersion;
    // Symbol table and startup information
    IMAGE_DATA_DIRECTORY MetaData;
    ULONG Flags;
    ULONG EntryPointToken;
    // Binding information
    IMAGE_DATA_DIRECTORY Resources;
    IMAGE_DATA_DIRECTORY StrongNameSignature;
    // Regular fixup and binding information
    IMAGE_DATA_DIRECTORY CodeManagerTable;
    IMAGE_DATA_DIRECTORY VTableFixups;
    IMAGE_DATA_DIRECTORY ExportAddressTableJumps;
    // Precompiled image info (internal use only - set to zero)
    IMAGE_DATA_DIRECTORY ManagedNativeHeader;
} IMAGE_COR20_HEADER;