Resource section pe file

Such a record has a symbol name that is the name of a section such as. The auxiliary record provides information about the section to which it refers. Thus, it duplicates some of the information in the section header. It is used to associate a token with the COFF symbol table's namespace.

The position of this table is found by taking the symbol table address in the COFF header and adding the number of symbols multiplied by the size of a symbol. At the beginning of the COFF string table are 4 bytes that contain the total size in bytes of the rest of the string table. This size includes the size field itself, so that the value in this location would be 4 if no strings were present. Following the size are null-terminated strings that are pointed to by symbols in the COFF symbol table.

Attribute certificates can be associated with an image by adding an attribute certificate table. The attribute certificate table is composed of a set of contiguous, quadword-aligned attribute certificate entries. Zero padding is inserted between the original end of the file and the beginning of the attribute certificate table to achieve this alignment.

Each attribute certificate entry contains the following fields. The virtual address value from the Certificate Table entry in the Optional Header Data Directory is a file offset to the first attribute certificate entry.

Subsequent entries are accessed by advancing that entry's dwLength bytes, rounded up to an 8-byte multiple, from the start of the current attribute certificate entry. This continues until the sum of the rounded dwLength values equals the Size value from the Certificates Table entry in the Optional Header Data Directory. If the sum of the rounded dwLength values does not equal the Size value, then either the attribute certificate table or the Size field is corrupted.

The first certificate starts at offset 0x from the start of the file on disk. To advance through all the attribute certificate entries:. Alternatively, you can enumerate the certificate entries by calling the Win32 ImageEnumerateCertificates function in a loop.

For a link to the function's reference page, see References. Attribute certificate table entries can contain any certificate type, as long as the entry has the correct dwLength value, a unique wRevision value, and a unique wCertificateType value. Note that some values are not currently supported. If the bCertificate content does not end on a quadword boundary, the attribute certificate entry is padded with zeros, from the end of bCertificate to the next quadword boundary.

As stated in the preceding section, the certificates in the attribute certificate table can contain any certificate type. Certificates that ensure a PE file's integrity may include a PE image hash. A PE image hash or file hash is similar to a file checksum in that the hash algorithm produces a message digest that is related to the integrity of a file.

However, a checksum is produced by a simple algorithm and is used primarily to detect whether a block of memory on disk has gone bad and the values stored there have become corrupted. A file hash is similar to a checksum in that it also detects file corruption. However, unlike most checksum algorithms, it is very difficult to modify a file without changing the file hash from its original unmodified value.

A file hash can thus be used to detect intentional and even subtle modifications to a file, such as those introduced by viruses, hackers, or Trojan horse programs. This is because the act of adding a Certificate changes these fields and would cause a different hash value to be calculated. This data stream remains consistent when certificates are added to or removed from a PE file. Based on the parameters that are passed to ImageGetDigestStream , other data from the PE image can be omitted from the hash computation.

These tables were added to the image to support a uniform mechanism for applications to delay the loading of a DLL until the first call into that DLL. The layout of the tables matches that of the traditional import tables that are described in section 6. The delay-load directory table is the counterpart to the import directory table. It can be retrieved through the Delay Import Descriptor entry in the optional header data directories list offset The table is arranged as follows:.

The tables that are referenced in this data structure are organized and sorted just as their counterparts are for traditional imports. For details, see The. As yet, no attribute flags are defined. The linker sets this field to zero in the image. This field can be used to extend the record by indicating the presence of new fields, or it can be used to indicate behaviors to the delay or unload helper functions.

The name of the DLL to be delay-loaded resides in the read-only data section of the image. It is referenced through the szName field. The handle of the DLL to be delay-loaded is in the data section of the image. The phmod field points to the handle. The supplied delay-load helper uses this location to store the handle to the loaded DLL. The delay-load helper updates these pointers with the real entry points so that the thunks are no longer in the calling loop.

The delay import name table INT contains the names of the imports that might require loading. They are ordered in the same fashion as the function pointers in the IAT.

It consists of initialized data in the read-only section that is an exact copy of the original IAT that referred the code to the delay-load thunks. Typical COFF sections contain code or data that linkers and Microsoft Win32 loaders process without special knowledge of the section contents.

The contents are relevant only to the application that is being linked or executed. However, some COFF sections have special meanings when found in object files or image files.

Tools and loaders recognize these sections because they have special flags set in the section header, because special locations in the image optional header point to them, or because the section name itself indicates a special function of the section. Even if the section name itself does not indicate a special function of the section, the section name is dictated by convention, so the authors of this specification can refer to a section name in all cases.

The reserved sections and their attributes are described in the table below, followed by detailed descriptions for the section types that are persisted into executables and the section types that contain metadata for extensions. Some of the sections listed here are marked "object only" or "image only" to indicate that their special semantics are relevant only for object files or image files, respectively.

A section that is marked "image only" might still appear in an object file as a way of getting into the image file, but the section has no special meaning to the linker, only to the image file loader. This section describes the packaging of debug information in object and image files.

The next section describes the format of the debug directory, which can be anywhere in the image. Subsequent sections describe the "groups" in object files that contain debug information. The default for the linker is that debug information is not mapped into the address space of the image. Image files contain an optional debug directory that indicates what form of debug information is present and where it is.

This directory consists of an array of debug directory entries whose location and size are indicated in the image optional header. The debug directory can be in a discardable. Each debug directory entry identifies the location and size of a block of debug information. The specified RVA can be zero if the debug information is not covered by a section header that is, it resides in the image file and is not mapped into the run-time address space.

If it is mapped, the RVA is its address. Those functions that do not have FPO information are assumed to have normal stack frames. The format for FPO information is as follows:. If the input does not change, the output PE file is guaranteed to be bit-for-bit identical no matter when or where the PE is produced.

The raw data of this debug entry may be empty, or may contain a calculated hash value preceded by a four-byte value that represents the hash value length. Object files can contain. The linker recognizes these. These are shared types among all of the objects that were compiled by using the precompiled header that was generated with this object. Gathers all relevant debug data from the. Processes that data along with the linker-generated debugging information into the PDB file, and creates a debug directory entry to refer to it.

The linker removes a. The directive string is a series of linker options that are separated by spaces. Each option contains a hyphen, the option name, and any appropriate attribute. If an option contains spaces, the option must be enclosed in quotes.

The export data section, named. An overview of the general structure of the export section is described below.

The tables described are usually contiguous in the file in the order shown though this is not required. Only the export directory table and export address table are required to export symbols as ordinals.

An ordinal is an export that is accessed directly by its export address table index. The name pointer table, ordinal table, and export name table all exist to support use of export names. When another image file imports a symbol by name, the Win32 loader searches the name pointer table for a matching string.

If a matching string is found, the associated ordinal is identified by looking up the corresponding member in the ordinal table that is, the member of the ordinal table with the same index as the string pointer found in the name pointer table. The resulting ordinal is an index into the export address table, which gives the actual location of the desired symbol. Every export symbol can be accessed by an ordinal. When another image file imports a symbol by ordinal, it is unnecessary to search the name pointer table for a matching string.

Direct use of an ordinal is therefore more efficient. However, an export name is easier to remember and does not require the user to know the table index for the symbol. The export symbol information begins with the export directory table, which describes the remainder of the export symbol information.

The export directory table contains address information that is used to resolve imports to the entry points within this image. The export address table contains the address of exported entry points and exported data and absolutes.

An ordinal number is used as an index into the export address table. Each entry in the export address table is a field that uses one of two formats in the following table.

If the address specified is not within the export section as defined by the address and length that are indicated in the optional header , the field is an export RVA, which is an actual address in code or data. A forwarder RVA exports a definition from some other image, making it appear as if it were being exported by the current image.

Thus, the symbol is simultaneously imported and exported. For example, in Kernel The application's import table refers only to Kernel Therefore, the application is not specific to Windows XP and can run on any Win32 system. The export name pointer table is an array of addresses RVAs into the export name table. The pointers are 32 bits each and are relative to the image base.

The pointers are ordered lexically to allow binary searches. The export ordinal table is an array of bit unbiased indexes into the export address table. Ordinals are biased by the Ordinal Base field of the export directory table. In other words, the ordinal base must be subtracted from the ordinals to obtain true indexes into the export address table. The export name pointer table and the export ordinal table form two parallel arrays that are separated to allow natural field alignment.

These two tables, in effect, operate as one table, in which the Export Name Pointer column points to a public exported name and the Export Ordinal column gives the corresponding ordinal for that public name. A member of the export name pointer table and a member of the export ordinal table are associated by having the same position index in their respective arrays. Thus, when the export name pointer table is searched and a matching string is found at position i, the algorithm for finding the symbol's RVA and biased ordinal is:.

When searching for a symbol by biased ordinal, the algorithm for finding the symbol's RVA and name is:. The export name table contains the actual string data that was pointed to by the export name pointer table.

The strings in this table are public names that other images can use to import the symbols. These public export names are not necessarily the same as the private symbol names that the symbols have in their own image file and source code, although they can be. Every exported symbol has an ordinal value, which is just the index into the export address table. Use of export names, however, is optional.

Some, all, or none of the exported symbols can have export names. For exported symbols that do have export names, corresponding entries in the export name pointer table and export ordinal table work together to associate each name with an ordinal. The structure of the export name table is a series of null-terminated ASCII strings of variable length. All image files that import symbols, including virtually all executable EXE files, have an. A typical file layout for the import information follows:.

The import information begins with the import directory table, which describes the remainder of the import information. The import directory table contains address information that is used to resolve fixup references to the entry points within a DLL image. The import directory table consists of an array of import directory entries, one entry for each DLL to which the image refers.

The last directory entry is empty filled with null values , which indicates the end of the directory table. Each entry uses the bit-field format that is described in the following table. The collection of these entries describes all imports from a given DLL. The last entry is set to zero NULL to indicate the end of the table.

The structure and content of the import address table are identical to those of the import lookup table, until the file is bound. These addresses are the actual memory addresses of the symbols, although technically they are still called "virtual addresses.

It is pointed to by the exception table entry in the image data directory. The entries must be sorted according to the function addresses the first field in each structure before being emitted into the final image. The target platform determines which of the three function table entry format variations described below is used.

The base relocation table contains entries for all base relocations in the image. The Base Relocation Table field in the optional header data directories gives the number of bytes in the base relocation table. The base relocation table is divided into blocks. Each block represents the base relocations for a 4K page. Each block must start on a bit boundary. The loader is not required to process base relocations that are resolved by the linker, unless the load image cannot be loaded at the image base that is specified in the PE header.

The Block Size field is then followed by any number of Type or Offset field entries. Each entry is a WORD 2 bytes and has the following structure:. To apply a base relocation, the difference is calculated between the preferred base address and the base where the image is actually loaded.

If the image is loaded at its preferred base, the difference is zero and thus the base relocations do not have to be applied. TLS is a special storage class that Windows supports in which a data object is not an automatic stack variable, yet is local to each individual thread that runs the code.

Thus, each thread can maintain a different value for a variable declared by using TLS. This implementation enables TLS data to be defined and initialized similarly to ordinary static variables in a program.

Statically declared TLS data objects can be used only in statically loaded image files. This field points to a location where the program expects to receive the TLS index.

The linker looks for this memory image and uses the data there to create the TLS directory. Other compilers that support TLS and work with the Microsoft linker must use this same technique. When a thread is created, the loader communicates the address of the thread's TLS array by placing the address of the thread environment block TEB in the FS register. This behavior is Intel xspecific. The loader assigns the value of the TLS index to the place that was indicated by the Address of Index field.

The code uses the TLS index and the TLS array location multiplying the index by 4 and using it as an offset to the array to get the address of the TLS data area for the given program and module. Each thread has its own TLS data area, but this is transparent to the program, which does not need to know how data is allocated for individual threads.

The TLS array is an array of addresses that the system maintains for each thread. The TLS index indicates which member of the array to use. The index is a number meaningful only to the system that identifies the module. The program can provide one or more TLS callback functions to support additional initialization and termination for TLS data objects. A typical use for such a callback function would be to call constructors and destructors for objects.

Although there is typically no more than one callback function, a callback is implemented as an array to make it possible to add additional callback functions if desired. If there is more than one callback function, each function is called in the order in which its address appears in the array. A null pointer terminates the array. It is perfectly valid to have an empty list no callback supported , in which case the callback array has exactly one member-a null pointer.

The Reserved parameter should be set to zero. The Reason parameter can take the following values:. Current versions of the Microsoft linker and Windows XP and later versions of Windows use a new version of this structure for bit xbased systems that include reserved SEH technology. This provides a list of safe structured exception handlers that the operating system uses during exception dispatching.

Otherwise, the operating system terminates the application. This helps prevent the "x86 exception handler hijacking" exploit that has been used in the past to take control of the operating system. The Microsoft linker automatically provides a default load configuration structure to include the reserved SEH data.

If the user code already provides a load configuration structure, it must include the new reserved SEH fields.

The data directory entry for a pre-reserved SEH load configuration structure must specify a particular size of the load configuration structure because the operating system loader always expects it to be a certain value. In that regard, the size is really only a version check. For compatibility with Windows XP and earlier versions of Windows, the size must be 64 for x86 images. Delayload import table in its own.

Module contains suppressed export information. This also infers that the address taken IAT table is also present in the load config.

Mask for the subfield that contains the stride of Control Flow Guard function table entries that is, the additional count of bytes per table entry. Additionally, the Windows SDK winnt. Resources are indexed by a multiple-level binary-sorted tree structure. By convention, however, Windows uses three levels:. A series of resource directory tables relates all of the levels in the following way: Each directory table is followed by a series of directory entries that give the name or identifier ID for that level Type, Name, or Language level and an address of either a data description or another directory table.

If the address points to a data description, then the data is a leaf in the tree. If the address points to another directory table, then that table lists directory entries at the next level down.

A leaf's Type, Name, and Language IDs are determined by the path that is taken through directory tables to reach the leaf. The first table determines Type ID, the second table pointed to by the directory entry in the first table determines Name ID, and the third table determines Language ID.

Each resource directory table has the following format. This data structure should be considered the heading of a table because the table actually consists of directory entries described in section 6. The directory entries make up the rows of a table. Each resource directory entry has the following format.

Whether the entry is a Name or ID entry is indicated by the resource directory table, which indicates how many Name and ID entries follow it remember that all the Name entries precede all the ID entries for the table. All entries for the table are sorted in ascending order: the Name entries by case-sensitive string and the ID entries by numeric value. The resource directory string area consists of Unicode strings, which are word-aligned.

These strings are stored together after the last Resource Directory entry and before the first Resource Data entry. This minimizes the impact of these variable-length strings on the alignment of the fixed-size directory entries. Each resource directory string has the following format:. Each Resource Data entry describes an actual unit of raw data in the Resource Data area. A Resource Data entry has the following format:. CLR metadata is stored in this section.

It is used to indicate that the object file contains managed code. The format of the metadata is not documented, but can be handed to the CLR interfaces for handling metadata. The valid exception handlers of an object are listed in the.

It contains the COFF symbol index of each valid handler, using 4 bytes per index. The COFF archive format provides a standard mechanism for storing collections of object files. These collections are commonly called libraries in programming documentation.

The first 8 bytes of an archive consist of the file signature. The rest of the archive consists of a series of archive members, as follows:. The first and second members are "linker members. Typically, a linker places information into these archive members. The linker members contain the directory of the archive. The third member is the "longnames" member. This optional member consists of a series of null-terminated ASCII strings in which each string is the name of another archive member.

The rest of the archive consists of standard object-file members. Each of these members contains the contents of one object file in its entirety. An archive member header precedes each member. The following list shows the general structure of an archive:. The archive file signature identifies the file type.

Any utility for example, a linker that takes an archive file as input can check the file type by reading this signature.

Each member linker, longnames, or object-file member is preceded by a header. An archive member header has the following format, in which each field is an ASCII text string that is left justified and padded with spaces to the end of the field. There is no terminating null character in any of these fields. Each member header starts on the first even address after the end of the previous archive member. The Name field has one of the formats shown in the following table. As mentioned earlier, each of these strings is left justified and padded with trailing spaces within a field of 16 bytes:.

The first linker member is included for backward compatibility. It is not used by current linkers, but its format must be correct. This linker member provides a directory of symbol names, as does the second linker member. For each symbol, the information indicates where to find the archive member that contains the symbol.

The elements in the offsets array must be arranged in ascending order. This fact implies that the symbols in the string table must be arranged according to the order of archive members. For example, all the symbols in the first object-file member would have to be listed before the symbols in the second object file.

Although both linker members provide a directory of symbols and archive members that contain them, the second linker member is used in preference to the first by all current linkers. The second linker member includes symbol names in lexical order, which enables faster searching by name.

The longnames member is a series of strings of archive member names. A name appears here only when there is insufficient room in the Name field 16 bytes. The longnames member is optional. It can be empty with only a header, or it can be completely absent without even a header. The strings are null-terminated. Each string begins immediately after the null byte in the previous string. Traditional import libraries, that is, libraries that describe the exports from one image for use by another, typically follow the layout described in section 7, Archive Library File Format.

The primary difference is that import library members contain pseudo-object files instead of real ones, in which each member includes the section contributions that are required to build the import tables that are described in section 6.

The section contributions for an import can be inferred from a small set of information. The linker can either generate the complete, verbose information into the import library for each member at the time of the library's creation or write only the canonical information to the library and let the application that later uses it generate the necessary data on the fly. This is sufficient information to accurately reconstruct the entire contents of the member at the time of its use.

This structure is followed by two null-terminated strings that describe the imported symbol's name and the DLL from which it came. These values are used to determine which section contributions must be generated by the tool that uses the library if it must access that data. The null-terminated import symbol name immediately follows its associated import header.

The following values are defined for the Name Type field in the import header. They indicate how the name is to be used to generate the correct symbols that represent the import:. Several attribute certificates are expected to be used to verify the integrity of the images. However, the most common is Authenticode signature. To accomplish this task, Authenticode signatures contain something called a PE image hash. The Authenticode PE image hash, or file hash for short, is similar to a file checksum in that it produces a small value that relates to the integrity of a file.

A checksum is produced by a simple algorithm and is used primarily to detect memory failures. That is, it is used to detect whether a block of memory on disk has gone bad and the values stored there have become corrupted. However, unlike most checksum algorithms, it is very difficult to modify a file so that it has the same file hash as its original unmodified form.

That is, a checksum is intended to detect simple memory failures that lead to corruption, but a file hash can be used to detect intentional and even subtle modifications to a file, such as those introduced by viruses, hackers, or Trojan horse programs. In an Authenticode signature, the file hash is digitally signed by using a private key known only to the signer of the file.

A software consumer can verify the integrity of the file by calculating the hash value of the file and comparing it to the value of signed hash contained in the Authenticode digital signature. If the file hashes do not match, part of the file covered by the PE image hash has been modified. It is not possible or desirable to include all image file data in the calculation of the PE image hash. Sometimes it simply presents undesirable characteristics for example, debugging information cannot be removed from publicly released files ; sometimes it is simply impossible.

For example, it is not possible to include all information within an image file in an Authenticode signature, then insert the Authenticode signature that contains that PE image hash into the PE image, and later be able to generate an identical PE image hash by including all image file data in the calculation again, because the file now contains the Authenticode signature that was not originally there. This section describes how a PE image hash is calculated and what parts of the PE image can be modified without invalidating the Authenticode signature.

The PE image hash for a specific file can be included in a separate catalog file without including an attribute certificate within the hashed file. This is relevant, because it becomes possible to invalidate the PE image hash in an Authenticode-signed catalog file by modifying a PE image that does not actually contain an Authenticode signature.

All data in sections of the PE image that are specified in the section table are hashed in their entirety except for the following exclusion ranges:. The file CheckSum field of the Windows-specific fields of the optional header. This checksum includes the entire file including any attribute certificates in the file. In all likelihood, the checksum will be different than the original value after inserting the Authenticode signature.

Information related to attribute certificates. The areas of the PE image that are related to the Authenticode signature are not included in the calculation of the PE image hash because Authenticode signatures can be added to or removed from an image without affecting the overall integrity of the image.

This is not a problem, because there are user scenarios that depend on re-signing PE images or adding a time stamp. Authenticode excludes the following information from the hash calculation:. The Certificate Table and corresponding certificates that are pointed to by the Certificate Table field listed immediately above.

To calculate the PE image hash, Authenticode orders the sections that are specified in the section table by address range, then hashes the resulting sequence of bytes, passing over the exclusion ranges. Information past of the end of the last section. The area past the last section defined by highest offset is not hashed.

This area commonly contains debug information. Debug information can generally be considered advisory to debuggers; it does not affect the actual integrity of the executable program. Ask Question. Asked 8 years, 4 months ago. Active 8 years, 4 months ago. Viewed 1k times. How to find starting offset of resource section in PE file?

The question is a bit unclear do you want to check an address as being a resource, or find a resource -- the code example suggests something different than the question , but doesn't the PointerToRawData field work for what you want? Well, there's a Name field, have you done a string compare against. Show 1 more comment. Active Oldest Votes. Add a comment. Sign up or log in Sign up using Google. Sign up using Facebook. Hence the. Data which does not fall into the any of the two above categories, falls into the.

It basically contains the information about the names and addresses of exported functions. Dynamic Linked Libraries provide a way to modularize applications so the functions can be reused and reused more easily. This section contains a export directory that provides the address and offset of the functions to programs that import the DLL.

The most important of the structures defined in this section is the Import Directory and the Import Address Table. The import section makes implementation of modularity easier.

Since the DLL can be modified at any time, the import section protects the application from such changes. Debug information is initially placed in the. The PE file format also supports separate debug files as a means of collecting debug information in a central location. This section contains the debug information. The above program is assembly code, compiled using FASM.

The executable file that is formed as a result of compiling the above is this:. The screenshot basically shows the hex code version of the section table. We can see the name of the sections as defined in the code.

Further posts detailing more intricate details of Portable Executable files is in the works. You are commenting using your WordPress. You are commenting using your Google account. You are commenting using your Twitter account. You are commenting using your Facebook account. Notify me of new comments via email.