Windows可执行文件的“数据目录”条目和“节头”条目之间有什么区别?
[英]What's the difference between a Windows executable's Data Directory entry and Section Header entry?
问题描述
I have a Windows executable .exe file. 
我有Windows可执行文件.exe文件。 I peeked inside the file and found the Data Directory. 我偷看了文件内部,找到了Data Directory. Within it is a directory entry for Thread Local Storage . 其中包含“ Thread Local Storage的目录条目。 That entry specifies this: 该条目指定了以下内容:
RVA (Relative Virtual Address) of the data: 10000
Size of the data: 24
I found the Section Table in the executable and it contains a Section Header named .tls (Thread Local Storage). 我在可执行文件中找到了节表,它包含名为.tls (线程本地存储)的节头。 That header specifies this: 该标头指定了以下内容:
Pointer to the raw data: A400
Size of the raw data: 512
What is the difference between these two parts of the executable? 可执行文件的这两部分有什么区别? They both seem to be talking about Thread Local Storage but they point to different places and specify different sizes. 他们俩似乎都在谈论线程本地存储,但是它们指向不同的地方并指定不同的大小。
That is just one example. 那只是一个例子。 Here's another example: In the Data Directory is an Import Directory and in the Section Table is a Section Header named .idata (import data). 这是另一个示例:在Data Directory是Import Directory ,在Section Table是名为.idata (导入数据)的Section Header 。 They contain seemingly conflicting values. 它们包含看似相互矛盾的价值观。
And there are other examples. 还有其他例子。
What is the difference between the entries in the Data Directory and the entries in the Section Table ? Data Directory的entries the Section Table的entries什么区别?
1 个解决方案
解决方案1
0 2019-04-05 20:51:53
exes are typically loaded in ram to adres 0c00400000 and further exe文件通常以ram的形式加载到地址0c00400000
rva adressas is an offset after that (like 0x00401000 which may be begining of code in ram is rva of 0x1000) rva adressas是此后的偏移量(例如0x00401000(可能是ram中代码的开头)是0x1000的rva)
exes are also build from sections, those sections when loaded to ram are typicaly aligned to 4096 (to be in different ram pages) where when in exe file on disk, they are usually aligned to 512 (to save space) exe也是从段构建的,这些段在加载到ram时通常会对齐4096(在不同的ram页面中),而在磁盘上的exe文件中,它们通常会对齐512(以节省空间)
so for example 0x00401007 adres in ram, will be 0x1007 in rva, and 0x207 in file... PE format some informations gives as rvas and some as a file ofsets... also sizes of data contained in that section may be given as unaligned (like say 177) and aligned (like 512), this is the same size then but one is aligned and one not.. 例如在ram中为0x00401007,在rva中为0x1007,在文件中为0x207。 (例如177)和对齐(例如512),则其大小相同,但对齐但不对齐。
which exact fields in pe stores info in which format is needed to be checked in pe format details (which is confusing format but after learning it shows not being so scarry) pe中的哪个确切字段存储需要以pe格式详细信息检查哪种格式的信息(这是令人困惑的格式,但在学习后显示并不那么令人担忧)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.