Figure 1 Section Names
Name
|
Description
|
.text
|
The default code section.
|
.data
|
The default read/write data section. Global variables typically go here.
|
.rdata
|
The default read-only data section. String literals and C++/COM vtables are examples of items put into .rdata.
|
.idata
|
The imports table. It has become common practice (either explicitly, or via linker default behavior) to merge the .idata section into another section, typically .rdata. By default, the linker only merges the .idata section into another section when creating a release mode executable.
|
.edata
|
The exports table. When creating an executable that exports APIs or data, the linker creates an .EXP file. The .EXP file contains an .edata section that's added into the final executable. Like the .idata section, the .edata section is often found merged into the .text or .rdata sections.
|
.rsrc
|
The resources. This section is read-only. However, it should not be named anything other than .rsrc, and should not be merged into other sections.
|
.bss
|
Uninitialized data. Rarely found in executables created with recent linkers. Instead, the VirtualSize of the executable's .data section is expanded to make enough room for uninitialized data.
|
.crt
|
Data added for supporting the C++ runtime (CRT). A good example is the function pointers that are used to call the constructors and destructors of static C++ objects. See the January 2001 Under The Hood column for details on this.
|
.tls
|
Data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime.
|
.reloc
|
The base relocations in an executable. Base relocations are generally only needed for DLLs and not EXEs. In release mode, the linker doesn't emit base relocations for EXE files. Relocations can be removed when linking with the /FIXED switch.
|
.sdata
|
"Short" read/write data that can be addressed relative to the global pointer. Used for the IA-64 and other architectures that use a global pointer register. Regular-sized global variables on the IA-64 will go in this section.
|
.srdata
|
"Short" read-only data that can be addressed relative to the global pointer. Used on the IA-64 and other architectures that use a global pointer register.
|
.pdata
|
The exception table. Contains an array of IMAGE_RUNTIME_FUNCTION_ENTRY structures, which are CPU-specific. Pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION slot in the DataDirectory. Used for architectures with table-based exception handling, such as the IA-64. The only architecture that doesn't use table-based exception handling is the x86.
|
.debug$S
|
Codeview format symbols in the OBJ file. This is a stream of variable-length CodeView format symbol records.
|
.debug$T
|
Codeview format type records in the OBJ file. This is a stream of variable-length CodeView format type records.
|
.debug$P
|
Found in the OBJ file when using precompiled headers.
|
.drectve
|
Contains linker directives and is only found in OBJs. Directives are ASCII strings that could be passed on the linker command line. For instance:
-defaultlib:LIBC
Directives are separated by a space character.
|
.didat
|
Delayload import data. Found in executables built in nonrelease mode. In release mode, the delayload data is merged into another section.
|
Figure 2 IMAGE_EXPORT_DIRECTORY Structure Members
Size
|
Member
|
Description
|
DWORD
|
Characteristics
|
Flags for the exports. Currently, none are defined.
|
DWORD
|
TimeDateStamp
|
The time/date that the exports were created. This field has the same definition as the IMAGE_NT_HEADERS.FileHeader. TimeDateStamp (number of seconds since 1/1/1970 GMT).
|
WORD
|
MajorVersion
|
The major version number of the exports. Not used, and set to 0.
|
WORD
|
MinorVersion
|
The minor version number of the exports. Not used, and set to 0.
|
DWORD
|
Name
|
A relative virtual address (RVA) to an ASCII string with the DLL name associated with these exports (for example, KERNEL32.DLL).
|
DWORD
|
Base
|
This field contains the starting ordinal value to be used for this executable's exports. Normally, this value is 1, but it's not required to be so. When looking up an export by ordinal, the value of this field is subtracted from the ordinal, with the result used as a zero-based index into the Export Address Table (EAT).
|
DWORD
|
NumberOfFunctions
|
The number of entries in the EAT. Note that some entries may be 0, indicating that no code/data is exported with that ordinal value.
|
DWORD
|
NumberOfNames
|
The number of entries in the Export Names Table (ENT). This value will always be less than or equal to the NumberOf-Functions field. It will be less when there are symbols exported by ordinal only. It can also be less if there are numeric gaps in the assigned ordinals. This field is also the size of the export ordinal table (below).
|
DWORD
|
AddressOfFunctions
|
The RVA of the EAT. The EAT is an array of RVAs. Each nonzero RVA in the array corresponds to an exported symbol.
|
DWORD
|
AddressOfNames
|
The RVA of the ENT. The ENT is an array of RVAs to ASCII strings. Each ASCII string corresponds to a symbol exported by name. This table is sorted so that the ASCII strings are in order. This allows the loader to do a binary search when looking for an exported symbol. The sorting of the names is binary (like the C++ RTL strcmp function provides), rather than a locale-specific alphabetic ordering.
|
DWORD
|
AddressOfNameOrdinals
|
The RVA of the export ordinal table. This table is an array of WORDs. This table maps an array index from the ENT into the corresponding export address table entry.
|
Figure 4 KERNEL32 Exports
exports table:
Name: KERNEL32.dll
Characteristics: 00000000
TimeDateStamp: 3B7DDFD8 -> Fri Aug 17 23:24:08 2001
Version: 0.00
Ordinal base: 00000001
# of functions: 000003A0
# of Names: 000003A0
Entry Pt Ordn Name
00012ADA 1 ActivateActCtx
000082C2 2 AddAtomA
•••remainder of exports omitted
Figure 5 IMAGE_IMPORT_DESCRIPTOR Structure
Size
|
Member
|
Description
|
DWORD
|
OriginalFirstThunk
|
This field is badly named. It contains the RVA of the Import Name Table (INT). This is an array of IMAGE_THUNK_DATA structures. This field is set to 0 to indicate the end of the array of IMAGE_IMPORT_DESCRIPTORs.
|
DWORD
|
TimeDateStamp
|
This is 0 if this executable is not bound against the imported DLL. When binding in the old style (see the section on Binding), this field contains the time/date stamp (number of seconds since 1/1/1970 GMT) when the binding occurred. When binding in the new style, this field is set to -1.
|
DWORD
|
ForwarderChain
|
This is the Index of the first forwarded API. Set to -1 if no forwarders. Only used for old-style binding, which could not handle forwarded APIs efficiently.
|
DWORD
|
Name
|
The RVA of the ASCII string with the name of the imported DLL.
|
DWORD
|
FirstThunk
|
Contains the RVA of the Import Address Table (IAT). This is array of IMAGE_THUNK_DATA structures.
|
Figure 7 ImgDelayDescr Structure
Size
|
Member
|
Description
|
DWORD
|
grAttrs
|
The attributes for this structure. Currently, the only flag defined is dlattrRva (1), indicating that the address fields in the structure should be treated as RVAs, rather than virtual addresses.
|
RVA
|
rvaDLLName
|
An RVA to a string with the name of the imported DLL. This string is passed to LoadLibrary.
|
RVA
|
rvaHmod
|
An RVA to an HMODULE-sized memory location. When the Delayloaded DLL is brought into memory, its HMODULE is stored at this location.
|
RVA
|
rvaIAT
|
An RVA to the Import Address Table for this DLL. This is the same format as a regular IAT.
|
RVA
|
rvaINT
|
An RVA to the Import Name Table for this DLL. This is the same format as a regular INT.
|
RVA
|
rvaBoundIAT
|
An RVA of the optional bound IAT. An RVA to a bound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently, this copy of the IAT is not actually bound, but this feature may be added in future versions of the BIND program.
|
RVA
|
rvaUnloadIAT
|
An RVA of the optional copy of the original IAT. An RVA to an unbound copy of an Import Address Table for this DLL. This is the same format as a regular IAT. Currently always set to 0.
|
DWORD
|
dwTimeStamp
|
The date/time stamp of the delayload imported DLL. Normally set to 0.
|
Figure 8 Resources from ADVAPI32.DLL
Resources (RVA: 6B000)
ResDir (0) Entries:03 (Named:01, ID:02) TimeDate:00000000
ResDir (MOFDATA) Entries:01 (Named:01, ID:00) TimeDate:00000000
ResDir (MOFRESOURCENAME) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000128
DataRVA: 6B6F0 DataSize: 190F5 CodePage: 0
ResDir (STRING) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (C36) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000138
DataRVA: 6B1B0 DataSize: 0053C CodePage: 0
ResDir (RCDATA) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (66) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 00000148
DataRVA: 85908 DataSize: 0005C CodePage: 0
Figure 9 Fields of IMAGE_DEBUG_DIRECTORY
Size
|
Member
|
Description
|
DWORD
|
Characteristics
|
Unused and set to 0.
|
DWORD
|
TimeDateStamp
|
The time/date stamp of this debug information (number of seconds since 1/1/1970, GMT).
|
WORD
|
MajorVersion
|
The major version of this debug information. Unused.
|
WORD
|
MinorVersion
|
The minor version of this debug information. Unused.
|
DWORD
|
Type
|
The type of the debug information. The following types are the most commonly encountered:
IMAGE_DEBUG_TYPE_COFF
IMAGE_DEBUG_TYPE_CODEVIEW // Including PDB files
IMAGE_DEBUG_TYPE_FPO // Frame pointer omission
IMAGE_DEBUG_TYPE_MISC // IMAGE_DEBUG_MISC
IMAGE_DEBUG_TYPE_OMAP_TO_SRC
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC
IMAGE_DEBUG_TYPE_BORLAND // Borland format
|
DWORD
|
SizeOfData
|
The size of the debug data in this file. Doesn't count the size of external debug files such as .PDBs.
|
DWORD
|
AddressOfRawData
|
The RVA of the debug data, when mapped into memory. Set to 0 if the debug data isn't mapped in.
|
DWORD
|
PointerToRawData
|
The file offset of the debug data (not an RVA).
|
Figure 10 IMAGE_COR20_HEADER Structure
Type
|
Member
|
Description
|
DWORD
|
cb
|
Size of the header in bytes.
|
WORD
|
MajorRuntimeVersion
|
The minimum version of the runtime required to run this program. For the first release of .NET, this value is 2.
|
WORD
|
MinorRuntimeVersion
|
The minor portion of the version. Currently 0.
|
IMAGE_DATA_DIRECTORY
|
MetaData
|
The RVA to the metadata tables.
|
DWORD
|
Flags
|
Flag values containing attributes for this image. These values are currently defined as:
COMIMAGE_FLAGS_ILONLY // Image contains only IL code that
// is not required to run on a specific CPU.
COMIMAGE_FLAGS_32BITREQUIRED // Only runs in 32-bit processes.
COMIMAGE_FLAGS_IL_LIBRARY
STRONGNAMESIGNED // Image is signed with hash data
COMIMAGE_FLAGS_TRACKDEBUGDATA // Causes the JIT/runtime to
// keep debug information
// around for methods.
|
DWORD
|
EntryPointToken
|
Token for the MethodDef of the entry point for the image. The .NET runtime calls this method to begin managed execution in the file.
|
IMAGE_DATA_DIRECTORY
|
Resources
|
The RVA and size of the .NET resources.
|
IMAGE_DATA_DIRECTORY
|
StrongNameSignature
|
The RVA of the strong name hash data.
|
IMAGE_DATA_DIRECTORY
|
CodeManagerTable
|
The RVA of the code manager table. A code manager contains the code required to obtain the state of a running program (such as tracing the stack and track GC references).
|
IMAGE_DATA_DIRECTORY
|
VTableFixups
|
The RVA of an array of function pointers that need fixups. This is for support of unmanaged C++ vtables.
|
IMAGE_DATA_DIRECTORY
|
ExportAddressTableJumps
|
The RVA to an array of RVAs where export JMP thunks are written. These thunks allow managed methods to be exported so that unmanaged code can call them.
|
IMAGE_DATA_DIRECTORY
|
ManagedNativeHeader
|
For internal use of the .NET runtime in memory. Set to 0 in the executable.
|
Figure 11 IMAGE_TLS_DIRECTORY Structure
Size
|
Member
|
Description
|
DWORD
|
StartAddressOfRawData
|
The beginning address of a range of memory used to initialize a new thread's TLS data in memory.
|
DWORD
|
EndAddressOfRawData
|
The ending address of the range of memory used to initialize a new thread's TLS data in memory.
|
DWORD
|
AddressOfIndex
|
When the executable is brought into memory and a .tls section is present, the loader allocates a TLS handle via TlsAlloc. It stores the handle at the address given by this field. The runtime library uses this index to locate the thread local data.
|
DWORD
|
AddressOfCallBacks
|
Address of an array of PIMAGE_TLS_CALLBACK function pointers. When a thread is created or destroyed, each function in the list is called. The end of the list is indicated by a pointer-sized variable set to 0. In normal Visual C++ executables, this list is empty.
|
DWORD
|
SizeOfZeroFill
|
The size in bytes of the initialization data, beyond the initialized data delimited by the StartAddressOfRawData and EndAddressOfRawData fields. All per-thread data after this range is initialized to 0.
|
DWORD
|
Characteristics
|
Reserved. Currently set to 0.
|
Figure 12 Command-line Options
/A
|
Include everything in dump
|
/B
|
Show base relocations
|
/H
|
Include hex dump of sections
|
/I
|
Include Import Address Table thunk addresses
|
/L
|
Include line number information
|
/P
|
Include PDATA (runtime functions)
|
/R
|
Include detailed resources (stringtables and dialogs)
|
/S
|
Show symbol table
|
|