Chapter 3: Windows Anatomy
Each IMAGE_SECTION_HEADER is a complete database of information about one
section in the EXE or OBJ file, and has the following format:
BYTE Name[IMAGE_SIZEOF_SHORT_NAME]
This is an 8-byte ANSI name (not Unicode) that names the section. Most section
names start with a . (a period; for example, .text), but this is not a requirement, in spite
of what some PE documentation would have you believe. You can name your own
sections with either the segment directive in assembly language, or with #pragma
data_seg and #pragma code_seg in the Microsoft C/C++ compiler. (Borland C++ users
should use #pragma codeseg.) It's important to note that if the section name takes up
the full 8 bytes, there is no NULL terminator byte. (TDUMP from Borland C++ 4.0x
overlooked this fact, and would spew forth garbage on certain PE EXEs.) If you're a
printf() devotee, you can use "%.8s" to avoid having to copy the name string to another
buffer to null terminate it.
union {
    DWORD PhysicalAddress
    DWORD VirtualSize
} Misc;
This field has different meanings, depending on whether it occurs in an EXE or
an OBJ. In an EXE, it holds the virtual size of the code or data section. This is the size
before rounding up to the nearest file-alignment multiple. The SizeOfRawData field later
on in the structure holds this rounded-up value. Interestingly, Borland's TLINK32
reverses the meaning of this field and the SizeOfRawData field, and appears to be the
correct linker. For OBJ files, this field indicates the physical address of the section. The
first section starts at address 0. To find the physical address of the next section, add the
SizeOfRawData value to the physical address of the current section.
DWORD VirtualAddress
In EXEs, this field holds the RVA for where the loader should map the section to.
To calculate the real starting address of a given section in memory, add the base
address of the image to the section's VirtualAddress stored in this field. With Microsoft
tools, the first section defaults to an RVA of 0x1000. In OBJs, this field is meaningless
and is set to 0.
DWORD SizeOfRawData
In EXEs, this field contains the size of the section after it's been rounded up to
the file-alignment size. For example, assume a file-alignment size of 0x200. If the
VirtualSize field says that the section is 0x35A bytes in length, this field will say that the
section is 0x400 bytes long. In OBJs, this field contains the exact size of the section
emitted by the compiler or assembler. In other words, for OBJs, it's equivalent to the
VirtualSize field in EXEs.
DWORD PointerToRawData
This is the file-based offset to where the raw data for the section can be found.
If you memory map a PE or COFF file yourself (rather than letting the operating system
load it), this field is more important than the VirtualAddress field. That's because in this
situation you'll have a completely linear mapping of the entire file, so you'll find the data
for the sections at this offset rather than at the RVA specified in the VirtualAddress field.
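
The lookup this implies when you map the file yourself, as an added example (not code from the original chapter): translate an RVA to a file offset using each section's VirtualAddress and PointerToRawData, with bounds checks against the file size. The section_map struct, the function names, the NO_OFFSET sentinel and the two-section table are constructed for illustration, and the fields are assumed to carry the Microsoft-linker meanings described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NO_OFFSET 0xFFFFFFFFu   /* hypothetical sentinel: RVA has no bytes in the file */

typedef struct {                    /* hypothetical subset of IMAGE_SECTION_HEADER */
    uint32_t virtual_size;          /* Misc.VirtualSize */
    uint32_t virtual_address;       /* RVA the loader maps the section to */
    uint32_t size_of_raw_data;      /* size on disk, file-aligned */
    uint32_t pointer_to_raw_data;   /* file offset of the section's bytes */
} section_map;

/* Constructed sample: two sections of a 0xA00-byte file, file alignment 0x200. */
static const section_map SAMPLE_SECTIONS[2] = {
    { 0x35A,  0x1000, 0x400, 0x400 },   /* .text */
    { 0x1200, 0x2000, 0x200, 0x800 },   /* .data: larger in memory than on disk */
};

/* Round a size up to a power-of-two alignment (0x35A at 0x200 gives 0x400). */
uint32_t align_up(uint32_t size, uint32_t alignment)
{
    return (size + alignment - 1) & ~(alignment - 1);
}

/* Map an RVA to its offset in a linearly mapped file, or NO_OFFSET. */
uint32_t rva_to_file_offset(const section_map *secs, size_t count,
                            uint32_t rva, uint32_t file_size)
{
    for (size_t i = 0; i < count; i++) {
        const section_map *s = &secs[i];
        if (rva < s->virtual_address)
            continue;
        uint32_t delta = rva - s->virtual_address;
        if (delta >= s->virtual_size)
            continue;                   /* RVA is not inside this section */
        if (delta >= s->size_of_raw_data)
            return NO_OFFSET;           /* part of the section with no bytes on disk */
        /* Header values come from the file: reject offsets past its end. */
        if (s->pointer_to_raw_data > file_size ||
            delta >= file_size - s->pointer_to_raw_data)
            return NO_OFFSET;
        return s->pointer_to_raw_data + delta;
    }
    return NO_OFFSET;                   /* RVA is not inside any section */
}

int main(void)
{
    const uint32_t rvas[] = { 0x1010, 0x135A, 0x2100, 0x2300 };
    for (size_t i = 0; i < sizeof rvas / sizeof rvas[0]; i++) {
        uint32_t off = rva_to_file_offset(SAMPLE_SECTIONS, 2, rvas[i], 0xA00);
        if (off == NO_OFFSET)
            printf("RVA 0x%X: no file bytes\n", (unsigned)rvas[i]);
        else
            printf("RVA 0x%X -> file offset 0x%X\n", (unsigned)rvas[i], (unsigned)off);
    }
    return 0;
}
```
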
DWORD PointerToRelocations
In OBJs, this is the file-based offset to the relocation information for this section.
The relocation information for each OBJ section immediately follows the raw data for
that section. In EXEs, this field (and the subsequent field) are meaningless, and are set
to 0.
When the linker creates the EXE, it resolves most of the fix-ups, leaving only
base address relocations and imported functions to be resolved at load time. The
information about base relocations and imported functions is kept in the base relocation
and imported functions sections, so there's no need for an EXE to have per-section
relocation data following the raw section data.
DWORD PointerToLinenumbers
The file-based offset of the line number table. A line number table correlates
source-file line numbers to the addresses where the code generated for a given line can
be found. In modern debug formats like the CodeView format, line number information
is stored as part of the debug information. In the COFF debug format, however, the line
number information is conceptually distinct from the symbolic name/type information.
Usually, only code sections (for example, .text or CODE) have line numbers. In EXE files,
the line numbers are collected toward the end of the file, after the raw data for the
sections.
In OBJ files, the line number table for a section comes after the raw section data
and the relocation table for that section. I'll discuss the format of line number tables in
"The COFF Debug Information" section later in the chapter.
WORD NumberOfRelocations
The number of relocations in the relocation table for this section (the
PointerToRelocations field listed previously). This field appears to be used only in OBJ
files.
WORD NumberOfLinenumbers
The number of line numbers in the line number table for this section (the
PointerToLinenumbers field listed previously).
DWORD Characteristics
What most programmers call flags, the COFF/PE format refers to as
characteristics. This field is a set of flags that indicate the section's attributes
(code/data, readable, writeable, and so on). For a complete list of all possible section
attributes, see the IMAGE_SCN_XXX_XXX #defines in WINNT.H.
It's interesting to note what's missing from the information stored for each
section. First, notice there's no indication of any PRELOAD attributes. The NE file format
lets you specify a PRELOAD attribute for segments that should be loaded immediately at
module load time. The OS/2 2.0 LX format has something similar, allowing you to
specify that up to 8 pages should be preloaded. The PE format, on the other hand, has
nothing like this. Based on this, we have to assume that Microsoft is confident in the
performance of the demand-paged loading of their Win32 implementations. Also missing
from the PE format is an intermediate page lookup table.
COFF flags   Explanation
0x00000020   Section contains code. Usually set in conjunction with the executable
             flag.
0x00000040   This section contains initialized data. Almost all sections except
             executable and the .bss section have this flag set.
0x00000080   This section contains uninitialized data (for example, the .bss section).
0x00000200   This section contains comments or some other type of information. A
             typical use of this section is the .drectve section emitted by the compiler,
             which contains commands for the linker.
0x00000800   This section's contents shouldn't be put in the final EXE file. This section
             is used by the compiler/assembler to pass information to the linker.
0x02000000   This section can be discarded, since it's not needed by the process once
             it's been loaded. The most common discardable section is the base
             relocations section (.reloc).
0x10000000   This section is shareable. When used with a DLL, the data in this section
             is shared among all processes using the DLL. The default is for data
             sections to be nonshared, meaning that each process using a DLL gets
             its own separate copy of this section's data. In more technical terms, a
             shared section tells the memory manager to set the page mappings for
             this section so that all processes using the DLL refer to the same
             physical page in memory. To make a section shareable, use the SHARED
             attribute at link time. For example: LINK /SECTION:MYDATA,RWS ...
             tells the linker that the section called MYDATA should be readable,
             writeable, and shared. By default, Borland C++ DLL data segments have the
             shared attribute.
0x20000000   This section is executable. This flag is usually set whenever the Contains
             Code flag (0x00000020) is set.
0x40000000   This section is readable. This flag is almost always set for sections in
             EXE files.
0x80000000   The section is writeable. If this flag isn't set in an EXE's section, the
             loader should mark the memory-mapped pages as read-only or execute-only.
             Typical sections with this attribute are .data and .bss.
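
An added example (not code from the original chapter) that reads the 40-byte IMAGE_SECTION_HEADER layout described above from a byte buffer, terminates the 8-byte name itself, and decodes the memory-attribute flags from the table, including a check for sections that are both writeable and executable, a combination worth a second look when triaging a binary. The SCN_* macro names, the section_info struct, the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Flag values from the table above (WINNT.H names them IMAGE_SCN_MEM_*). */
#define SCN_MEM_SHARED  0x10000000u
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u
#define SECTION_HEADER_SIZE 40      /* 8-byte name, 6 DWORDs, 2 WORDs, 1 DWORD */

typedef struct {                    /* hypothetical decoded form of the header */
    char     name[9];               /* 8 name bytes plus a NUL we add ourselves */
    uint32_t virtual_size, virtual_address;
    uint32_t size_of_raw_data, pointer_to_raw_data;
    uint32_t characteristics;
} section_info;

/* Constructed sample header, not taken from a real file. */
static const uint8_t SAMPLE_HEADER[SECTION_HEADER_SIZE] = {
    '.','t','e','x','t','b','s','s',    /* Name uses all 8 bytes: no terminator */
    0x5A,0x03,0x00,0x00,                /* Misc.VirtualSize  = 0x35A  */
    0x00,0x10,0x00,0x00,                /* VirtualAddress    = 0x1000 */
    0x00,0x04,0x00,0x00,                /* SizeOfRawData     = 0x400  */
    0x00,0x04,0x00,0x00,                /* PointerToRawData  = 0x400  */
    0,0,0,0, 0,0,0,0, 0,0, 0,0,         /* relocation and line-number fields */
    0x20,0x00,0x00,0xE0                 /* Characteristics   = 0xE0000020 */
};

static uint32_t rd32(const uint8_t *p)  /* little-endian DWORD */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the header is truncated,
   -2 if the raw data would extend past the end of the file. */
int parse_section_header(const uint8_t *buf, size_t len,
                         uint32_t file_size, section_info *out)
{
    if (len < SECTION_HEADER_SIZE)
        return -1;
    memcpy(out->name, buf, 8);          /* never strcpy: the name may be unterminated */
    out->name[8] = '\0';
    out->virtual_size        = rd32(buf + 8);
    out->virtual_address     = rd32(buf + 12);
    out->size_of_raw_data    = rd32(buf + 16);
    out->pointer_to_raw_data = rd32(buf + 20);
    out->characteristics     = rd32(buf + 36);
    if (out->size_of_raw_data > file_size ||
        out->pointer_to_raw_data > file_size - out->size_of_raw_data)
        return -2;
    return 0;
}

/* Writes e.g. "RWX-" (read, write, execute, shared) into out and returns it. */
const char *section_perms(uint32_t ch, char out[5])
{
    out[0] = (ch & SCN_MEM_READ)    ? 'R' : '-';
    out[1] = (ch & SCN_MEM_WRITE)   ? 'W' : '-';
    out[2] = (ch & SCN_MEM_EXECUTE) ? 'X' : '-';
    out[3] = (ch & SCN_MEM_SHARED)  ? 'S' : '-';
    out[4] = '\0';
    return out;
}

int is_writable_and_executable(uint32_t ch)
{
    return (ch & SCN_MEM_WRITE) && (ch & SCN_MEM_EXECUTE);
}
```
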
The equivalent of an IMAGE_SECTION_HEADER in the OS/2 LX format doesn't
point directly to where the code or data for a section can be found in the file. Instead,
an OS/2 LX file contains a page lookup table that specifies attributes and the location in
the file of specific ranges of pages within a section.
The PE format dispenses with all that and guarantees that a section's data will be
stored contiguously in the file. Of the two formats, the LX method may allow more
flexibility, but the PE style is significantly simpler and easier to work with. Having written
file dumpers and disassemblers for both formats, I can personally vouch for this!
Another welcome change in the PE format from the older NE format is that the
locations of items are stored as simple DWORD offsets. In the NE format, the location of
almost everything was stored as a sector value. To find the real file offset, you need to
first look up the alignment unit size in the NE header, and convert it to a sector size
(typically, 16 or 512 bytes). You then need to multiply the sector size by the specified
sector offset to get an actual file offset.
If by chance something isn't stored as a sector offset in an NE file, it's probably
stored as an offset relative to the NE header. Since the NE header isn't at the beginning
of the file, you need to drag around the file offset of the NE header in your code. In
contrast, PE files specify the location of various items by using simple offsets relative to
where the file was memory mapped to. All in all, the PE format is much easier to work
with than the NE, LX, or LE formats (assuming you can use memory mapped files).
3.3.5 Commonly Encountered Sections
Now that we've got an overall picture of what sections are and how they're
located, we can discuss more about the common sections we'll find in EXE and OBJ files.
Although this list of sections is by no means complete, it does include the sections you
encounter every day (even if you're not aware of it). The sections are presented in order
of their importance and by how frequently they're likely to be encountered.
The .text section
The .text section is where all general-purpose code emitted by the compiler or
assembler ends up. Since PE files run in 32-bit mode and aren't restricted to 16-bit
segments, there's no reason to break up the code from separate source files into
separate sections. Instead, the linker concatenates all the .text sections from the various
OBJs into one big .text section in the EXE.
If you use Borland C++, the compiler emits its code to a segment named CODE.
Thus, PE files produced with Borland C++ have a section named CODE, rather than a
.text section. I was surprised to find out that there was additional code in the .text
section beyond what I created with the compiler or used from the runtime libraries. In a
PE file, when you call a function in another module (for example, GetMessage() in
USER32.DLL), the CALL instruction emitted by the compiler doesn't transfer control
directly to the function in the DLL. Instead, the call instruction transfers control to a JMP
DWORD PTR [XXXXXXXX] instruction that's also in the .text section. The JMP instruction
jumps to an address stored in a DWORD in the .idata section. This .idata section
DWORD contains the real address of the operating system function entry point.
After contemplating this for a while, I came to understand why calls to DLLs are
implemented this way. By funneling all calls to a given DLL function through one
location, there's no longer any need for the loader to patch every instruction that calls a
DLL. All the PE loader has to do is put the correct address of the target function into the
DWORD in the .idata section. No CALL instructions need to be patched.
This is markedly different from NE files, where each segment contains a list of