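/*
 * In-memory module table entry.
 *
 * The trailing comments give each field's byte offset as recorded by the
 * original author.  Line breaks are restored here: with the declarations
 * collapsed onto a single line, the first `//` comment swallowed every
 * field that followed it.
 *
 * NOTE(review): pszModName2 is a DWORD documented at offset 36h and
 * cbModName2 a WORD at 3Ah.  Those offsets only hold when the structure is
 * byte-packed (or packed to 2); with natural alignment the DWORD moves to
 * 38h.  Confirm that a matching #pragma pack is in effect wherever this
 * header is included.
 */
typedef struct _IMTE
{
    DWORD   un1;                    // 00h
//  PIMAGE_NT_HEADERS pNTHdr;       // 04h  (pointer-typed form, kept for reference)
    DWORD   pNTHdr;                 // 04h  address of the module's NT headers, held as a DWORD
    DWORD   un2;                    // 08h
    PSTR    pszFileName;            // 0Ch
    PSTR    pszModName;             // 10h
    WORD    cbFileName;             // 14h
    WORD    cbModName;              // 16h
    DWORD   un3;                    // 18h
    DWORD   cSections;              // 1Ch
    DWORD   un5;                    // 20h
    DWORD   baseAddress;            // 24h
    WORD    hModule16;              // 28h
    WORD    cUsage;                 // 2Ah
    DWORD   un7;                    // 2Ch
    PSTR    pszFileName2;           // 30h
    WORD    cbFileName2;            // 34h
    DWORD   pszModName2;            // 36h  unaligned unless packed, see note above
    WORD    cbModName2;             // 3Ah
} IMTE, *PIMTE;

/*
 * Flattened view of a PE image's NT headers: the signature, the
 * IMAGE_FILE_HEADER fields, the IMAGE_OPTIONAL_HEADER fields and the first
 * five data-directory entries, laid out as one struct so that every field
 * is reachable by a single member access.
 *
 * The layout includes BaseOfData and a 32-bit ImageBase, i.e. it matches the
 * 32-bit (PE32) optional header only.
 *
 * Every value read through this struct comes from the image itself.  Code
 * that parses files or modules it does not control should check Signature
 * and Magic, and bound NumberOfSections, SizeOfOptionalHeader,
 * NumberOfRvaAndSizes and each directory RVA/size against the mapped size
 * before using them to compute addresses.
 */
typedef struct
{
    DWORD   Signature;                      //00 'PE'

    // IMAGE_FILE_HEADER FileHeader;
    WORD    Machine;                        //04
    WORD    NumberOfSections;               //06
    DWORD   TimeDateStamp;                  //08
    DWORD   PointerToSymbolTable;           //0c
    DWORD   NumberOfSymbols;                //10
    WORD    SizeOfOptionalHeader;           //14
    WORD    Characteristics;                //16

    // IMAGE_OPTIONAL_HEADER OptionalHeader;
    WORD    Magic;                          //+18
    BYTE    MajorLinkerVersion;             //+1a
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;                     //+1c
    DWORD   SizeOfInitializedData;          //+20
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;                     //+2c
    DWORD   BaseOfData;                     //+30
    DWORD   ImageBase;                      //+34
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;    //+40
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;          //+48
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;              //+4c
    DWORD   SizeOfImage;                    //+50
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;                       //+58
    WORD    Subsystem;                      //+5c
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;             //+60
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;                    //+70
    DWORD   NumberOfRvaAndSizes;            //+74

    // IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    // Only the first five entries are declared; NumberOfRvaAndSizes says how
    // many the image actually carries.
    DWORD   EXPORT_VirtualAddress;          //+78
    DWORD   EXPORT_Size;                    //+7c
    DWORD   IMPORT_VirtualAddress;          //+80
    DWORD   IMPORT_Size;                    //+84
    DWORD   RESORC_VirtualAddress;          //+88
    DWORD   RESORC_Size;                    //+8c
    DWORD   EXCEPT_VirtualAddress;          //+90
    DWORD   EXCEPT_Size;                    //+94
    DWORD   SECURT_VirtualAddress;          //+98
    DWORD   SECURT_Size;                    //+9c
} myPE, *PmyPE;

//
// Section header format.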
// #define IMAGE_SIZEOF_SHORT_NAME 8 typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; #define IMAGE_SIZEOF_SECTION_HEADER 40 #define my_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \ ((DWORD)ntheader + 0x18 + \ ntheader->SizeOfOptionalHeader \ )) // // Export Format // typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; //00 DWORD TimeDateStamp; //04 WORD MajorVersion; //08 WORD MinorVersion; //0a DWORD Name; //0c DWORD Base; //10 DWORD NumberOfFunctions; //14 DWORD NumberOfNames; //18 PDWORD *AddressOfFunctions;//1c PDWORD *AddressOfNames; //20 PWORD *AddressOfNameOrdinals;//24 } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; typedef struct { //size = 40 BYTE Name[8]; //+0 DWORD VirtualSize; //+8 DWORD RVA; //+c DWORD PhysicalSize; //+10 DWORD PhysicalOffset; //+14 DWORD PointerToRelocations; //+18 DWORD PointerToLinenumbers; //+1c WORD NumberOfRelocations; //+20 WORD NumberOfLinenumbers; //+22 DWORD Object_Flags; //+24 } Object_Table, *PObject_Table;