Reversing : The Hacker's Guide to Reverse Engineering

// Opening of the structure, restored from WinNT.H (the page break above cut it off).
typedef struct _IMAGE_OPTIONAL_HEADER {
    // Standard fields.
    WORD  Magic;                       // 0x10B for PE32, 0x20B for PE32+
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;         // RVA, not an absolute pointer
    DWORD BaseOfCode;                  // RVA
    DWORD BaseOfData;                  // RVA

    // NT additional fields.
    DWORD ImageBase;                   // preferred load address; RVAs are relative to it
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;         // how many DataDirectory entries are actually present
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

All of these headers are defined in the Microsoft Platform SDK in the WinNT.H header file.

Most of these fields are self-explanatory, but several notes are in order. First of all, it goes without saying that all pointers within these headers (such as AddressOfEntryPoint or BaseOfCode) are RVAs and not actual pointers: they are offsets relative to the image's load address, not addresses that can be dereferenced as they stand. Additionally, it should be noted that most of the interesting contents of a PE header actually reside in the DataDirectory, which is an array of additional data structures that are stored inside the PE header. The beauty of this layout is that an executable doesn't have to have every entry, only the ones it requires; NumberOfRvaAndSizes states how many entries are present, and an unused entry is left with a zero address and size. For more information on the individual directories, refer to the section on directories later in this chapter.
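The two points above (RVAs are offsets that must be translated through the section table, and the DataDirectory only carries as many entries as NumberOfRvaAndSizes declares) are the ones a header parser most often gets wrong. The following walker is an added example, not code from the book or from the Platform SDK: it defines the few field offsets it needs itself instead of including WinNT.H so that it compiles on any platform, builds a small constructed PE32 image in memory, and then reads the entry point, translates it to a file offset, and looks up data directories while bounds-checking every access against the buffer and the declared header sizes. The image layout, section names and RVAs in build_sample_image are constructed sample values.

```c
/* Minimal PE32 header walker with bounds checking (added example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define PE32_MAGIC 0x10B
#define FILE_HEADER_SIZE    20
#define SECTION_HEADER_SIZE 40
/* Offsets inside IMAGE_OPTIONAL_HEADER32, as laid out in WinNT.H. */
#define OPT_MAGIC               0
#define OPT_ADDRESS_OF_ENTRY    16
#define OPT_NUMBER_OF_RVA_SIZES 92
#define OPT_DATA_DIRECTORY      96

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

typedef struct {
    const uint8_t *image; size_t len;
    size_t opt;          /* file offset of IMAGE_OPTIONAL_HEADER32 */
    size_t sections;     /* file offset of the first IMAGE_SECTION_HEADER */
    uint16_t nsections, opt_size;
} pe_view;

/* Locate the NT headers. Every offset taken from the file is checked against the buffer. */
int pe_open(const uint8_t *image, size_t len, pe_view *v) {
    if (len < 0x40 || image[0] != 'M' || image[1] != 'Z') return 0;
    uint32_t lfanew = rd32(image + 0x3C);                    /* e_lfanew -> "PE\0\0" */
    if (lfanew > len || len - lfanew < 4 + FILE_HEADER_SIZE) return 0;
    if (memcmp(image + lfanew, "PE\0\0", 4) != 0) return 0;
    size_t fh = lfanew + 4;
    v->image = image; v->len = len;
    v->nsections = rd16(image + fh + 2);
    v->opt_size = rd16(image + fh + 16);                     /* SizeOfOptionalHeader */
    v->opt = fh + FILE_HEADER_SIZE;
    if (v->opt_size < OPT_DATA_DIRECTORY || v->opt_size > len - v->opt) return 0;
    if (rd16(image + v->opt + OPT_MAGIC) != PE32_MAGIC) return 0;
    v->sections = v->opt + v->opt_size;
    if ((size_t)v->nsections * SECTION_HEADER_SIZE > len - v->sections) return 0;
    return 1;
}

uint32_t pe_entry_point_rva(const pe_view *v) { return rd32(v->image + v->opt + OPT_ADDRESS_OF_ENTRY); }

/* Returns 1 and fills *va/*size when directory `index` is present. Only
   NumberOfRvaAndSizes entries exist, and an unused one has a zero address. */
int pe_data_directory(const pe_view *v, unsigned index, uint32_t *va, uint32_t *size) {
    uint32_t count = rd32(v->image + v->opt + OPT_NUMBER_OF_RVA_SIZES);
    if (count > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) count = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    if (index >= count) return 0;
    size_t off = v->opt + OPT_DATA_DIRECTORY + (size_t)index * 8;
    if (off + 8 > v->opt + v->opt_size) return 0;           /* entry outside the declared header */
    *va = rd32(v->image + off); *size = rd32(v->image + off + 4);
    return *va != 0;
}

/* Translate an RVA to a file offset: find the section whose virtual range
   contains it, then add the delta to that section's PointerToRawData. */
int pe_rva_to_file_offset(const pe_view *v, uint32_t rva, uint32_t *out) {
    for (uint16_t i = 0; i < v->nsections; i++) {
        const uint8_t *s = v->image + v->sections + (size_t)i * SECTION_HEADER_SIZE;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12), rawsize = rd32(s + 16), raw = rd32(s + 20);
        if (rva < va || rva - va >= vsize) continue;
        uint32_t delta = rva - va;
        if (delta >= rawsize) return 0;                      /* zero-filled in memory, absent on disk */
        if (raw >= v->len || delta >= v->len - raw) return 0;
        *out = raw + delta;
        return 1;
    }
    return 0;                                                /* RVA maps to no section */
}

/* Constructed sample: PE32 headers with .text (RVA 0x1000 -> file 0x200) and
   .idata (RVA 0x2000 -> file 0x400); only two data directories are declared. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    size_t lfanew = 0x40, opt = lfanew + 4 + FILE_HEADER_SIZE, opt_size = 0xE0, total = 0x600;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)lfanew);
    memcpy(buf + lfanew, "PE\0\0", 4);
    wr16(buf + lfanew + 4 + 0, 0x014C);                      /* Machine: i386 */
    wr16(buf + lfanew + 4 + 2, 2);                           /* NumberOfSections */
    wr16(buf + lfanew + 4 + 16, (uint16_t)opt_size);
    wr16(buf + opt + OPT_MAGIC, PE32_MAGIC);
    wr32(buf + opt + OPT_ADDRESS_OF_ENTRY, 0x1010);
    wr32(buf + opt + 28, 0x00400000);                        /* ImageBase */
    wr32(buf + opt + OPT_NUMBER_OF_RVA_SIZES, 2);
    wr32(buf + opt + OPT_DATA_DIRECTORY + 8, 0x2000);        /* entry 1 (import) RVA */
    wr32(buf + opt + OPT_DATA_DIRECTORY + 12, 0x40);         /* entry 1 size */
    uint8_t *sec = buf + opt + opt_size;
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    sec += SECTION_HEADER_SIZE;
    memcpy(sec, ".idata\0\0", 8);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x2000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x400);
    return total;
}

int main(void) {
    uint8_t img[0x600]; pe_view v; uint32_t off = 0, va = 0, sz = 0;
    size_t n = build_sample_image(img, sizeof img);
    if (!pe_open(img, n, &v)) { puts("not a PE32 image"); return 1; }
    uint32_t ep = pe_entry_point_rva(&v);
    printf("AddressOfEntryPoint RVA 0x%x -> file offset 0x%x\n", ep,
           pe_rva_to_file_offset(&v, ep, &off) ? off : 0);
    printf("import directory present: %d (RVA 0x%x, size 0x%x)\n",
           pe_data_directory(&v, 1, &va, &sz), va, sz);
    printf("directory 5 present: %d\n", pe_data_directory(&v, 5, &va, &sz));
    return 0;
}
```

The walker treats SizeOfOptionalHeader and NumberOfRvaAndSizes as upper bounds rather than trusting the fixed WinNT.H size, which is what keeps a truncated or oversized header from turning into an out-of-bounds read in a tool that analyses untrusted files.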

98 Chapter 3
