Figure 1 Section Names

| Name | Description |
| --- | --- |
| .text | The default code section. |
| .data | The default read/write data section. Global variables typically go here. |
| .rdata | The default read-only data section. String literals and C++/COM vtables are examples of items put into .rdata. |
| .idata | The imports table. It has become common practice (either explicitly, or via linker default behavior) to merge the .idata section into another section, typically .rdata. By default, the linker only merges the .idata section into another section when creating a release mode executable. |
| .edata | The exports table. When creating an executable that exports APIs or data, the linker creates an .EXP file. The .EXP file contains an .edata section that's added into the final executable. Like the .idata section, the .edata section is often found merged into the .text or .rdata sections. |
| .rsrc | The resources. This section is read-only. However, it should not be named anything other than .rsrc, and should not be merged into other sections. |
| .bss | Uninitialized data. Rarely found in executables created with recent linkers. Instead, the VirtualSize of the executable's .data section is expanded to make enough room for uninitialized data. |
| .crt | Data added for supporting the C++ runtime (CRT). A good example is the function pointers that are used to call the constructors and destructors of static C++ objects. See the January 2001 Under The Hood column for details on this. |
| .tls | Data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime. |
| .reloc | The base relocations in an executable. Base relocations are generally only needed for DLLs and not EXEs. In release mode, the linker doesn't emit base relocations for EXE files. Relocations can be removed when linking with the /FIXED switch. |
| .sdata | "Short" read/write data that can be addressed relative to the global pointer. Used for the IA-64 and other architectures that use a global pointer register. Regular-sized global variables on the IA-64 will go in this section. |
| .srdata | "Short" read-only data that can be addressed relative to the global pointer. Used on the IA-64 and other architectures that use a global pointer register. |
| .pdata | The exception table. Contains an array of IMAGE_RUNTIME_FUNCTION_ENTRY structures, which are CPU-specific. Pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION slot in the DataDirectory. Used for architectures with table-based exception handling, such as the IA-64. The only architecture that doesn't use table-based exception handling is the x86. |
| .debug$S | CodeView format symbols in the OBJ file. This is a stream of variable-length CodeView format symbol records. |
| .debug$T | CodeView format type records in the OBJ file. This is a stream of variable-length CodeView format type records. |
| .debug$P | Found in the OBJ file when using precompiled headers. |
| .drectve | Contains linker directives and is only found in OBJs. Directives are ASCII strings that could be passed on the linker command line, for instance -defaultlib:LIBC. Directives are separated by a space character. |
| .didat | Delayload import data. Found in executables built in nonrelease mode. In release mode, the delayload data is merged into another section. |

Figure 2 IMAGE_EXPORT_DIRECTORY Structure Members

| Size | Member | Description |
| --- | --- | --- |
| DWORD | Characteristics | Flags for the exports. Currently, none are defined. |
| DWORD | TimeDateStamp | The time/date that the exports were created. This field has the same definition as the IMAGE_NT_HEADERS.FileHeader.TimeDateStamp (number of seconds since 1/1/1970 GMT). |
| WORD | MajorVersion | The major version number of the exports. Not used, and set to 0. |
| WORD | MinorVersion | The minor version number of the exports. Not used, and set to 0. |
| DWORD | Name | A relative virtual address (RVA) to an ASCII string with the DLL name associated with these exports (for example, KERNEL32.DLL). |
| DWORD | Base | This field contains the starting ordinal value to be used for this executable's exports. Normally, this value is 1, but it's not required to be so. When looking up an export by ordinal, the value of this field is subtracted from the ordinal, with the result used as a zero-based index into the Export Address Table (EAT). |
| DWORD | NumberOfFunctions | The number of entries in the EAT. Note that some entries may be 0, indicating that no code/data is exported with that ordinal value. |
| DWORD | NumberOfNames | The number of entries in the Export Names Table (ENT). This value will always be less than or equal to the NumberOfFunctions field. It will be less when there are symbols exported by ordinal only. It can also be less if there are numeric gaps in the assigned ordinals. This field is also the size of the export ordinal table (below). |
| DWORD | AddressOfFunctions | The RVA of the EAT. The EAT is an array of RVAs. Each nonzero RVA in the array corresponds to an exported symbol. |
| DWORD | AddressOfNames | The RVA of the ENT. The ENT is an array of RVAs to ASCII strings. Each ASCII string corresponds to a symbol exported by name. This table is sorted so that the ASCII strings are in order. This allows the loader to do a binary search when looking for an exported symbol. The sorting of the names is binary (like the C++ RTL strcmp function provides), rather than a locale-specific alphabetic ordering. |
| DWORD | AddressOfNameOrdinals | The RVA of the export ordinal table. This table is an array of WORDs. This table maps an array index from the ENT into the corresponding export address table entry. |

Figure 4 KERNEL32 Exports

exports table:
Name: KERNEL32.dll
Characteristics: 00000000
TimeDateStamp: 3B7DDFD8 -> Fri Aug 17 23:24:08 2001
Version: 0.00
Ordinal base: 00000001
# of functions: 000003A0
# of Names: 000003A0
Entry Pt Ordn Name
00012ADA 1 ActivateActCtx
000082C2 2 AddAtomA
•••remainder of exports omitted
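As an added example (not code from the article or from PEDUMP), the following Python parser implements the IMAGE_EXPORT_DIRECTORY layout of Figure 2 and the two lookup rules it describes: an ordinal lookup subtracts Base and indexes the EAT, where a 0 entry means nothing is exported at that ordinal, and a name lookup binary-searches the ENT in bytewise strcmp order and then goes through the ordinal table to reach the EAT. The sample image, the DLL name SAMPLE.dll, the export names and every RVA in it are constructed for the demonstration. The parser assumes the buffer is laid out as it would be in memory, so an RVA is a direct offset into it; a file on disk needs RVA-to-file-offset translation through the section headers first.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (Figure 2), little-endian, in field order:
# Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Name, Base,
# NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"


def read_cstr(image, rva):
    """Return the NUL-terminated ASCII string that starts at rva."""
    return image[rva:image.index(b"\0", rva)]


def parse_export_directory(image, export_rva):
    """Decode the export directory and its three tables.

    Assumption: image is a flat in-memory layout, so an RVA indexes the
    buffer directly (a disk file needs RVA -> file offset translation)."""
    (_chars, _stamp, _major, _minor, name_rva, base, num_funcs, num_names,
     eat_rva, ent_rva, ord_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)
    eat = list(struct.unpack_from("<%dI" % num_funcs, image, eat_rva))
    ent = struct.unpack_from("<%dI" % num_names, image, ent_rva)
    ordinals = list(struct.unpack_from("<%dH" % num_names, image, ord_rva))
    names = [read_cstr(image, rva) for rva in ent]
    return {
        "dll": read_cstr(image, name_rva).decode("ascii"),
        "base": base,
        "eat": eat,                    # one RVA per ordinal, 0 = unused ordinal
        "names": names,                # ENT strings, expected in strcmp order
        "name_ordinals": ordinals,     # ENT index -> EAT index
        # the loader's binary search relies on this ordering; a parser should
        # verify it rather than trust the file
        "ent_sorted": all(a < b for a, b in zip(names, names[1:])),
    }


def lookup_by_ordinal(exports, ordinal):
    """Ordinal -> RVA, or None when the ordinal is out of range or unused."""
    index = ordinal - exports["base"]          # Base makes the EAT zero-based
    if not 0 <= index < len(exports["eat"]):
        return None
    return exports["eat"][index] or None       # 0 entry: nothing exported here


def lookup_by_name(exports, name):
    """Name -> (RVA, ordinal) via binary search over the ENT, or None."""
    if isinstance(name, str):
        name = name.encode("ascii")
    names, eat = exports["names"], exports["eat"]
    lo, hi = 0, len(names) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if names[mid] == name:
            eat_index = exports["name_ordinals"][mid]
            if eat_index >= len(eat):          # malformed ordinal table entry
                return None
            return eat[eat_index], eat_index + exports["base"]
        if names[mid] < name:                  # bytes comparison == strcmp order
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def build_sample_exports():
    """Constructed sample (not a real DLL): ordinals 5..9, where ordinal 6 is
    exported by ordinal only and ordinal 7 is an unused hole."""
    image = bytearray(0x200)
    base = 5
    eat = [0x1000, 0x1100, 0x0000, 0x1300, 0x1400]
    # (name, EAT index) in strcmp order: 'Z' (0x5A) sorts before 'a' (0x61)
    names = [(b"AddAtomA", 0), (b"Zeta", 3), (b"activateActCtx", 4)]
    eat_rva, ent_rva, ord_rva, str_rva = 0x40, 0x60, 0x80, 0xA0
    struct.pack_into("<%dI" % len(eat), image, eat_rva, *eat)
    ent = []
    for name, _ in names:
        image[str_rva:str_rva + len(name) + 1] = name + b"\0"
        ent.append(str_rva)
        str_rva += len(name) + 1
    struct.pack_into("<%dI" % len(ent), image, ent_rva, *ent)
    struct.pack_into("<%dH" % len(names), image, ord_rva, *[i for _, i in names])
    dll_rva = str_rva
    image[dll_rva:dll_rva + 11] = b"SAMPLE.dll\0"
    struct.pack_into(EXPORT_DIR_FMT, image, 0, 0, 0, 0, 0, dll_rva, base,
                     len(eat), len(names), eat_rva, ent_rva, ord_rva)
    return bytes(image)


if __name__ == "__main__":
    exports = parse_export_directory(build_sample_exports(), 0)
    print(exports["dll"], "ENT sorted:", exports["ent_sorted"])
    for ordinal in range(exports["base"], exports["base"] + len(exports["eat"])):
        print("ordinal %d -> %r" % (ordinal, lookup_by_ordinal(exports, ordinal)))
    print("Zeta ->", lookup_by_name(exports, "Zeta"))
```

The sample deliberately puts a lowercase name after an uppercase one so that a locale-aware alphabetic sort would order the ENT differently from the bytewise order the loader expects; the ent_sorted flag is the check a triage tool should make before trusting a name lookup.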
Figure 5 IMAGE_IMPORT_DESCRIPTOR Structure

| Size | Member | Description |
| --- | --- | --- |
| DWORD | OriginalFirstThunk | This field is badly named. It contains the RVA of the Import Name Table (INT). This is an array of IMAGE_THUNK_DATA structures. This field is set to 0 to indicate the end of the array of IMAGE_IMPORT_DESCRIPTORs. |
| DWORD | TimeDateStamp | This is 0 if this executable is not bound against the imported DLL. When binding in the old style (see the section on Binding), this field contains the time/date stamp (number of seconds since 1/1/1970 GMT) when the binding occurred. When binding in the new style, this field is set to -1. |
| DWORD | ForwarderChain | This is the index of the first forwarded API. Set to -1 if no forwarders. Only used for old-style binding, which could not handle forwarded APIs efficiently. |
| DWORD | Name | The RVA of the ASCII string with the name of the imported DLL. |
| DWORD | FirstThunk | Contains the RVA of the Import Address Table (IAT). This is an array of IMAGE_THUNK_DATA structures. |

Figure 7 ImgDelayDescr Structure

| Size | Member | Description |
| --- | --- | --- |
| DWORD | grAttrs | The attributes for this structure. Currently, the only flag defined is dlattrRva (1), indicating that the address fields in the structure should be treated as RVAs, rather than virtual addresses. |
| RVA | rvaDLLName | An RVA to a string with the name of the imported DLL. This string is passed to LoadLibrary. |
| RVA | rvaHmod | An RVA to an HMODULE-sized memory location. When the Delayloaded DLL is brought into memory, its HMODULE is stored at this location. |
| RVA | rvaIAT | An RVA to the Import Address Table for this DLL. This is the same format as a regular IAT. |
| RVA | rvaINT | An RVA to the Import Name Table for this DLL. This is the same format as a regular INT. |
| RVA | rvaBoundIAT | An RVA of the optional bound IAT. An RVA to a bound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently, this copy of the IAT is not actually bound, but this feature may be added in future versions of the BIND program. |
| RVA | rvaUnloadIAT | An RVA of the optional copy of the original IAT. An RVA to an unbound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently always set to 0. |
| DWORD | dwTimeStamp | The date/time stamp of the delayload imported DLL. Normally set to 0. |

Figure 8 Resources from ADVAPI32.DLL
Resources (RVA: 6B000)
ResDir (0) Entries:03 (Named:01, ID:02) TimeDate:00000000
ResDir (MOFDATA) Entries:01 (Named:01, ID:00) TimeDate:00000000
ResDir (MOFRESOURCENAME) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000128
DataRVA: 6B6F0 DataSize: 190F5 CodePage: 0
ResDir (STRING) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (C36) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000138
DataRVA: 6B1B0 DataSize: 0053C CodePage: 0
ResDir (RCDATA) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (66) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000148
DataRVA: 85908 DataSize: 0005C CodePage: 0
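As an added example (not code from the article or from PEDUMP), this Python parser walks the IMAGE_IMPORT_DESCRIPTOR array of Figure 5 and classifies each descriptor's TimeDateStamp the way the table describes it (0 = unbound, -1 = new-style binding, anything else = old-style binding stamp). The thunk walker decodes 32-bit IMAGE_THUNK_DATA entries, where a set high bit (IMAGE_ORDINAL_FLAG32, 0x80000000) means import by ordinal and any other value is an RVA to an IMAGE_IMPORT_BY_NAME record (WORD hint followed by the name); because Figure 7 states that a delay-load rvaINT has the same format as a regular INT, the same walker applies there. The two DLL names, the hints and every RVA in the sample image are constructed, and the buffer is assumed to be laid out as in memory so an RVA is a direct offset.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR (Figure 5), in field order: OriginalFirstThunk,
# TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESC_FMT = "<IIIII"
IMPORT_DESC_SIZE = struct.calcsize(IMPORT_DESC_FMT)   # 20 bytes
# 32-bit IMAGE_THUNK_DATA: high bit set = import by ordinal (low 16 bits),
# otherwise the value is an RVA to IMAGE_IMPORT_BY_NAME (WORD hint + name)
IMAGE_ORDINAL_FLAG32 = 0x80000000
NO_FORWARDERS = 0xFFFFFFFF          # ForwarderChain == -1, stored unsigned


def read_cstr(image, rva):
    """Return the NUL-terminated ASCII string that starts at rva."""
    return image[rva:image.index(b"\0", rva)]


def binding_state(time_date_stamp):
    """Classify a descriptor's TimeDateStamp as Figure 5 describes it."""
    if time_date_stamp == 0:
        return "unbound"
    if time_date_stamp == 0xFFFFFFFF:        # -1 as an unsigned DWORD
        return "bound (new style)"
    return "bound (old style, stamp 0x%08X)" % time_date_stamp


def parse_thunks(image, thunk_rva):
    """Walk a 32-bit INT (regular, or the same-format delay-load INT of
    Figure 7) until its terminating 0 entry."""
    entries = []
    while True:
        (value,) = struct.unpack_from("<I", image, thunk_rva)
        if value == 0:
            return entries
        if value & IMAGE_ORDINAL_FLAG32:
            entries.append(("ordinal", value & 0xFFFF))
        else:
            (hint,) = struct.unpack_from("<H", image, value)
            entries.append(("name", read_cstr(image, value + 2).decode("ascii"), hint))
        thunk_rva += 4


def parse_import_descriptors(image, import_rva):
    """Decode the descriptor array; an OriginalFirstThunk of 0 ends it.

    Assumption: image is a flat in-memory layout, so RVAs index it directly."""
    descriptors = []
    offset = import_rva
    while True:
        oft, stamp, fwd, name_rva, ft = struct.unpack_from(IMPORT_DESC_FMT, image, offset)
        if oft == 0:
            return descriptors
        descriptors.append({
            "dll": read_cstr(image, name_rva).decode("ascii"),
            "binding": binding_state(stamp),
            "has_forwarders": fwd != NO_FORWARDERS,
            "int_rva": oft,
            "iat_rva": ft,
            "imports": parse_thunks(image, oft),
        })
        offset += IMPORT_DESC_SIZE


def build_sample_imports():
    """Constructed sample: two descriptors plus the zero terminator, one
    unbound and one bound new-style. Names, hints and RVAs are made up."""
    image = bytearray(0x100)
    # IMAGE_IMPORT_BY_NAME records: WORD hint followed by the name
    image[0x80:0x8D] = b"KERNEL32.dll\0"
    image[0x90:0x9E] = struct.pack("<H", 0x52) + b"CreateFileA\0"
    image[0xA0:0xAB] = b"USER32.dll\0"
    image[0xB0:0xBE] = struct.pack("<H", 0x10) + b"MessageBoxA\0"
    struct.pack_into("<3I", image, 0x40, 0x90, IMAGE_ORDINAL_FLAG32 | 1, 0)  # INT #1
    struct.pack_into("<2I", image, 0x50, 0xB0, 0)                             # INT #2
    image[0x60:0x6C] = image[0x40:0x4C]      # unbound IAT #1 starts as a copy of the INT
    image[0x70:0x78] = image[0x50:0x58]      # IAT #2 (contents not inspected here)
    struct.pack_into(IMPORT_DESC_FMT, image, 0x00, 0x40, 0, NO_FORWARDERS, 0x80, 0x60)
    struct.pack_into(IMPORT_DESC_FMT, image, 0x14, 0x50, 0xFFFFFFFF, NO_FORWARDERS, 0xA0, 0x70)
    # bytes 0x28..0x3C stay zero: the terminating descriptor
    return bytes(image)


if __name__ == "__main__":
    for d in parse_import_descriptors(build_sample_imports(), 0):
        print(d["dll"], d["binding"], d["imports"])
```

Reading names from the INT rather than the IAT matters once a file is bound: a bound IAT holds resolved addresses, so only the INT still says which symbols were requested.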
Figure 9 Fields of IMAGE_DEBUG_DIRECTORY

| Size | Member | Description |
| --- | --- | --- |
| DWORD | Characteristics | Unused and set to 0. |
| DWORD | TimeDateStamp | The time/date stamp of this debug information (number of seconds since 1/1/1970, GMT). |
| WORD | MajorVersion | The major version of this debug information. Unused. |
| WORD | MinorVersion | The minor version of this debug information. Unused. |
| DWORD | Type | The type of the debug information. The most commonly encountered types are IMAGE_DEBUG_TYPE_COFF, IMAGE_DEBUG_TYPE_CODEVIEW (including PDB files), IMAGE_DEBUG_TYPE_FPO (frame pointer omission), IMAGE_DEBUG_TYPE_MISC (IMAGE_DEBUG_MISC), IMAGE_DEBUG_TYPE_OMAP_TO_SRC, IMAGE_DEBUG_TYPE_OMAP_FROM_SRC and IMAGE_DEBUG_TYPE_BORLAND (Borland format). |
| DWORD | SizeOfData | The size of the debug data in this file. Doesn't count the size of external debug files such as .PDBs. |
| DWORD | AddressOfRawData | The RVA of the debug data, when mapped into memory. Set to 0 if the debug data isn't mapped in. |
| DWORD | PointerToRawData | The file offset of the debug data (not an RVA). |

Figure 10 IMAGE_COR20_HEADER Structure

| Type | Member | Description |
| --- | --- | --- |
| DWORD | cb | Size of the header in bytes. |
| WORD | MajorRuntimeVersion | The minimum version of the runtime required to run this program. For the first release of .NET, this value is 2. |
| WORD | MinorRuntimeVersion | The minor portion of the version. Currently 0. |
| IMAGE_DATA_DIRECTORY | MetaData | The RVA to the metadata tables. |
| DWORD | Flags | Flag values containing attributes for this image. The values currently defined are COMIMAGE_FLAGS_ILONLY (the image contains only IL code that is not required to run on a specific CPU), COMIMAGE_FLAGS_32BITREQUIRED (only runs in 32-bit processes), COMIMAGE_FLAGS_IL_LIBRARY, COMIMAGE_FLAGS_STRONGNAMESIGNED (the image is signed with hash data) and COMIMAGE_FLAGS_TRACKDEBUGDATA (causes the JIT/runtime to keep debug information around for methods). |
| DWORD | EntryPointToken | Token for the MethodDef of the entry point for the image. The .NET runtime calls this method to begin managed execution in the file. |
| IMAGE_DATA_DIRECTORY | Resources | The RVA and size of the .NET resources. |
| IMAGE_DATA_DIRECTORY | StrongNameSignature | The RVA of the strong name hash data. |
| IMAGE_DATA_DIRECTORY | CodeManagerTable | The RVA of the code manager table. A code manager contains the code required to obtain the state of a running program (such as tracing the stack and tracking GC references). |
| IMAGE_DATA_DIRECTORY | VTableFixups | The RVA of an array of function pointers that need fixups. This is for support of unmanaged C++ vtables. |
| IMAGE_DATA_DIRECTORY | ExportAddressTableJumps | The RVA to an array of RVAs where export JMP thunks are written. These thunks allow managed methods to be exported so that unmanaged code can call them. |
| IMAGE_DATA_DIRECTORY | ManagedNativeHeader | For internal use of the .NET runtime in memory. Set to 0 in the executable. |

Figure 11 IMAGE_TLS_DIRECTORY Structure

| Size | Member | Description |
| --- | --- | --- |
| DWORD | StartAddressOfRawData | The beginning address of a range of memory used to initialize a new thread's TLS data in memory. |
| DWORD | EndAddressOfRawData | The ending address of the range of memory used to initialize a new thread's TLS data in memory. |
| DWORD | AddressOfIndex | When the executable is brought into memory and a .tls section is present, the loader allocates a TLS handle via TlsAlloc. It stores the handle at the address given by this field. The runtime library uses this index to locate the thread local data. |
| DWORD | AddressOfCallBacks | Address of an array of PIMAGE_TLS_CALLBACK function pointers. When a thread is created or destroyed, each function in the list is called. The end of the list is indicated by a pointer-sized variable set to 0. In normal Visual C++ executables, this list is empty. |
| DWORD | SizeOfZeroFill | The size in bytes of the initialization data, beyond the initialized data delimited by the StartAddressOfRawData and EndAddressOfRawData fields. All per-thread data after this range is initialized to 0. |
| DWORD | Characteristics | Reserved. Currently set to 0. |

Figure 12 Command-line Options

| Option | Description |
| --- | --- |
| /A | Include everything in dump |
| /B | Show base relocations |
| /H | Include hex dump of sections |
| /I | Include Import Address Table thunk addresses |
| /L | Include line number information |
| /P | Include PDATA (runtime functions) |
| /R | Include detailed resources (stringtables and dialogs) |
| /S | Show symbol table |
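As an added example (not code from the article or from PEDUMP), this Python routine decodes the 32-bit IMAGE_TLS_DIRECTORY of Figure 11: it computes the per-thread block size as the Start..End initialization range plus SizeOfZeroFill, records where the TlsAlloc index will be stored, and walks the AddressOfCallBacks array to its terminating 0 entry. Since Figure 11 notes that normal Visual C++ executables have an empty callback list, the summary flags a populated list as something to look at during triage. The address fields are virtual addresses rather than RVAs, so the code assumes an unrelocated image (VA minus the image base gives the RVA) laid out as in memory; the image base 0x00400000, the TLS directory location and every address in the sample are constructed.

```python
import struct

# 32-bit IMAGE_TLS_DIRECTORY (Figure 11), in field order: StartAddressOfRawData,
# EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill,
# Characteristics. The address fields hold virtual addresses, not RVAs.
TLS_DIR_FMT = "<IIIIII"


def summarize_tls(image, tls_rva, image_base):
    """Return the per-thread data sizes and the callback list.

    Assumptions: image is a flat in-memory layout indexed by RVA, and it has
    not been relocated, so VA - image_base yields the RVA."""
    (start_va, end_va, index_va, callbacks_va, zero_fill,
     _chars) = struct.unpack_from(TLS_DIR_FMT, image, tls_rva)
    callbacks = []
    if callbacks_va:
        rva = callbacks_va - image_base
        while True:
            (va,) = struct.unpack_from("<I", image, rva)
            if va == 0:                      # a 0 entry terminates the list
                break
            callbacks.append(va)
            rva += 4
    init_bytes = end_va - start_va
    return {
        "init_bytes": init_bytes,                    # copied from Start..End
        "zero_fill": zero_fill,                       # zeroed after that range
        "per_thread_bytes": init_bytes + zero_fill,
        "index_va": index_va,                         # where the TlsAlloc index lands
        "callbacks": callbacks,
        # Figure 11: the list is empty in normal Visual C++ executables, so a
        # populated one deserves a closer look during triage
        "has_callbacks": bool(callbacks),
    }


def build_sample_tls(with_callbacks):
    """Constructed 32-bit image (base 0x00400000) holding a TLS directory at
    RVA 0x100 and, optionally, a two-entry callback array at RVA 0x200."""
    image_base = 0x00400000
    image = bytearray(0x300)
    callbacks_va = image_base + 0x200 if with_callbacks else 0
    struct.pack_into(TLS_DIR_FMT, image, 0x100,
                     image_base + 0x3000,   # StartAddressOfRawData
                     image_base + 0x3010,   # EndAddressOfRawData: 16 init bytes
                     image_base + 0x3020,   # AddressOfIndex
                     callbacks_va,          # AddressOfCallBacks
                     0x20,                  # SizeOfZeroFill
                     0)                     # Characteristics
    if with_callbacks:
        struct.pack_into("<3I", image, 0x200, image_base + 0x1000, image_base + 0x1050, 0)
    return bytes(image), image_base


if __name__ == "__main__":
    for flag in (False, True):
        image, base = build_sample_tls(flag)
        print(summarize_tls(image, 0x100, base))
```

For a 64-bit image the same walk applies with 8-byte fields and 8-byte callback entries; only the struct formats change.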