Programs on disk
- Windows uses the portable executable format to store programs
- Based on the COFF format used for object files
- Cant just write the different sections to disk alone
- OS needs to know where the different sections of the file start so they can be loaded at the correct place in memory
- Need to know where to start executing the program from
- Need to know which DLLs are needed
- PE format contains this data so windows is able to load the program in
- Consists of a PE file header
- Followed by one or more sections containing code, data, etc
- As far as windows is concerned the section names are irrelevant
- Uses other information to ascertain how sections are used
- PE format often references locations using a Relative Virtual Address (RVA)
- Address of where something will be after it its loaded into memory, not within the file
- Given relative to the point where the point is loaded (
ImageBase), also specified within the header - Windows might choose to load it at a different location
- Relocation information in the PE file used to help relocate the file
- All windows programs will have some imports
- Win32 API is implemented as a series of DLLs
- These DLL then call into the NT kernel to implement the API
- Likely to have imports for other DLLs
- Windows programs often have a
.rsrc section - Used to store resources used by the program
- Programs can use the API function
FindResource to obtain a handle to the resource information block - Then load it in by calling
LoadResource