CHAPTER 68. WINDOWS NT CHAPTER 68. WINDOWS NT
68.2.5 Sections
Division in sections, as it seems, is present in all executable file formats.
It is devised in order to separate code from data, and data—from constant data.
- Either theIMAGE_SCN_CNT_CODEorIMAGE_SCN_MEM_EXECUTEflags will be set on the code section—this is executable
code. - On data section—IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READandIMAGE_SCN_MEM_WRITEflags.
- On an empty section with uninitialized data—IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READandIM-
AGE_SCN_MEM_WRITE. - On a constant data section (one that’s protected from writing), the flags
IMAGE_SCN_CNT_INITIALIZED_DATAandIMAGE_SCN_MEM_READcan be set, but notIMAGE_SCN_MEM_WRITE. A process
going to crash if it tries to write to this section.
Each section in PE-file may have a name, however, it is not very important. Often (but not always) the code section is named
.text, the data section—.data, the constant data section —.rdata(readable data). Other popular section names are:
- .idata—imports section.IDAmay create a pseudo-section named like this:68.2.1 on the previous page.
- .edata—exports section (rare)
- .pdata— section containing all information about exceptions in Windows NT for MIPS,IA64and x64:68.3.3 on
page 695 - .reloc—relocs section
- .bss—uninitialized data (BSS)
- .tls—thread local storage (TLS)
- .rsrc—resources
- .CRT— may present in binary files compiled by ancient MSVC versions
PE file packers/encryptors often garble section names or replace the names with their own.
MSVCallows you to declare data in arbitrarily named section^18.
Some compilers and linkers can add a section with debugging symbols and other debugging information (MinGW for in-
stance). However it is not so in modern versions ofMSVC( separatePDBfiles are used there for this purpose).
That is how a PE section is described in the file:
typedef struct _IMAGE_SECTION_HEADER {
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress;
DWORD SizeOfRawData;
DWORD PointerToRawData;
DWORD PointerToRelocations;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
19
A word about terminology:PointerToRawDatait called “Offset” in Hiew andVirtualAddressis called “RVA” there.
68.2.6 Relocations (relocs)
AKAFIXUP-s (at least in Hiew).
They are also present in almost all executable file formats^20. Exceptions are shared dynamic libraries compiled withPIC, or
any otherPIC-code.
(^18) MSDN
(^19) MSDN
(^20) Even in .exe files for MS-DOS