Section Headers

The header structure (IMAGE_SECTION_HEADER,contains information for the loader so that it knows how to locate the section in the PE file, which memory address to load these sections to and how large memory need to allocate for them. 

PointeToRawData contains the offset of the corresponding section data in the file. 

SizeOfRawData gives the size or end point of the section. 

VirtualAddress gives the relative offset the section to be placed in memory. 

VirtualSizr indicates the memory block to allocate for the section. 

Characteristics indicates the protection attribute for the section in memory (read, write, execute). These attributes are not mutually exclusive and can added together. 

NT Header - Optional Header

This structure is added by the linker. 

ImageBase contain the memory address to load the text action in memory determined at compile time (0x400000 or 0x800000 by default).

SizeOfMemory is the size of memory to allocate to holds anll the sections above the ImageBase address when the program is load. 

SizeOfHeadet contains the size of DOS, NT and Sectii in on headers combined. 

AddresssOfEntryPoint points to the beginning of the text action. 

File alignment indicate the byte alignment of each section in the PE file. For example, if the value is 0x200, a section of 10 byte will padded to a section size of 0x200 bytes. A section of 202 bytes will padded to a size of 0x400 bytes 

SextionAlignment field bdicate the section alignment when loaded into memory and default to 0x1000 in 32 bits. 

DataDictionary field is a table containing the starting point and size of 15 program details - export directory, import directory, resource directory, exception directory, security directory authentication code,base relocation table, debug directory, x86 specific data, global pointer offset table, thread local storage (TLS), load configuration directory, bound import directory in headers, inport address table, delay load import descriptor, COM runtime descriptor. 

NT Header - File Header

This is the file header of the COFF produced by the assembler after the compiler translate the C/C++ code to assembly language. 

The Machine field indicate the machine code type such as x86, x65 or ARM. 

TimeStamp contains the date time stamp when the compilation was executed. 

SizeOfOptionLHeader contains the size of the the Optional Header structure that follows. The value is fixed to either 0xE0 for 32.bit or 0xF0 for 64 bit. 

Characteristic field indicates the type of load module - is it 32 bit, a DLL or an executable. 

Window Portable Executable

The compiler generate an object file in COFF format.   The linker modify the COFF to produce the PE file structure 

The PE file starts with a DOS header with the magic number MZ. The .e_Ifanew field contain the RVA, relative virtual address, of the NT header in the PE file. 

NT header contain the File Header which the .NumberOfSection field co rain the number of sections produced ed by the compiler.  Following the File Header structure fire is the Optional Header structure produced by the linker in the last stage of compilation. 

After the NT header is an array of section headers each describe the sections (e.g. text, data etc) produced by the compiler  th actual sections is placed after this array  

C++ Reference

A reference is an alias to another variable.

int b = 1;

int &a = b;

a = 2

b will have a value of 2

If & is used to the left side of "=", it is used to represent the address of variable.

A constant reference means one cannot use the reference to change the value that it points to

const int &a  = b

a = 2 generates an error