Windows process segments

The following example illustrates the difference between absolute and relative paths. Universal naming convention (UNC) paths, which are used to access network resources, have a specific format. UNC paths must always be fully qualified. They can include relative directory segments.

You can use relative paths only by mapping a UNC path to a drive letter. The Windows operating system has a unified object model that points to all resources, including files. These object paths are accessible from the console window and are exposed to the Win32 layer through a special folder of symbolic links that legacy DOS and UNC paths are mapped to. This special folder is accessed via the DOS device path syntax.

In addition to identifying a drive by its drive letter, you can identify a volume by using its volume GUID. DOS device path syntax is supported on .NET implementations running on Windows starting with .NET Core 1 and .NET Framework 4 (and on .NET Core and .NET Framework starting with version 4). The first segment of the DOS device path after the device path specifier identifies the volume or drive.

This is significant when calling a method such as Path.GetFullPath(String, String) with relative directory segments; it is never possible to navigate past the volume. DOS device paths are fully qualified by definition.

Relative directory segments: current directories never enter into their usage. The following example illustrates some of the ways in which you can refer to a file when using the APIs in the System.IO namespace. The example instantiates a FileInfo object and uses its Name and Length properties to display the filename and the length of the file. Almost all paths passed to Windows APIs are normalized. During normalization, Windows performs a sequence of steps. This normalization happens implicitly, but you can do it explicitly by calling the Path.GetFullPath method. The first step in path normalization is identifying the type of path. Paths fall into one of a few categories. The type of the path determines whether or not a current directory is applied in some way.

It also determines what the "root" of the path is. A path that begins with a legacy device name is always interpreted as a legacy device by the Path.GetFullPath(String) method.


Thanks for the late response. I was away on other business. PE is very expensive. I just want to learn programming by myself.

They contain additional information that is required by the linker and loader in Windows.

The following values defined for the Subsystem field of the optional header determine which Windows subsystem (if any) is required to run the image. Each data directory gives the address and size of a table or string that Windows uses. These data directory entries are all loaded into memory so that the system can use them at run time. A data directory is an 8-byte field consisting of an RVA and a size. The RVA is the address of the table relative to the base address of the image when the table is loaded.

The second field gives the size in bytes. The data directories, which form the last part of the optional header, are listed in the following table. Note that the number of directories is not fixed. Also, do not assume that the RVAs in this table point to the beginning of a section or that the sections that contain specific tables have specific names. The Certificate Table entry points to a table of attribute certificates. These certificates are not loaded into memory as part of the image.

As such, the first field of this entry, which is normally an RVA, is a file pointer instead. Each row of the section table is, in effect, a section header. This table immediately follows the optional header, if any.

This positioning is required because the file header does not contain a direct pointer to the section table. Instead, the location of the section table is determined by calculating the location of the first byte after the headers. Make sure to use the size of the optional header as specified in the file header. The number of entries in the section table is given by the NumberOfSections field in the file header.

Entries in the section table are numbered starting from one (1). The code and data memory section entries are in the order chosen by the linker. In an image file, the VAs for sections must be assigned by the linker so that they are in ascending order and adjacent, and they must be a multiple of the SectionAlignment value in the optional header.

Each section header (section table entry) has the following format, for a total of 40 bytes per entry. The section flags in the Characteristics field of the section header indicate the characteristics of the section. If that bit is set and the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the VirtualAddress field of the first relocation.

Thus, an object section named. All contributions with the same object-section name are allocated contiguously in the image, and the blocks of contributions are sorted in lexical order by object-section name. Therefore, everything in object files with section name. The data structures that were described so far, up to and including the optional header, are all located at a fixed offset from the beginning of the file (or from the PE header if the file is an image that contains an MS-DOS stub).

The remainder of a COFF object or image file contains blocks of data that are not necessarily at any specific file offset. Instead, the locations are defined by pointers in the optional header or a section header. In this case, there are constraints on the file offset of the section data, as described in section 5.

The rule about attribute certificate and debug information does not apply to object files, however. Initialized data for a section consists of simple blocks of bytes. However, for sections that contain all zeros, the section data need not be included. The data for each section is located at the file offset that was given by the PointerToRawData field in the section header.

The size of this data in the file is indicated by the SizeOfRawData field. In an image file, the section data must be aligned on a boundary as specified by the FileAlignment field in the optional header.

Section data must appear in order of the RVA values for the corresponding sections (as do the individual section headers in the section table).

There are additional restrictions on image files if the SectionAlignment value in the optional header is less than the page size of the architecture. For such files, the location of section data in the file must match its location in memory when the image is loaded, so that the physical offset for section data is the same as the RVA.
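Walking the section table as the specification prescribes (the first byte after the optional header, using SizeOfOptionalHeader from the file header) and checking the alignment and ordering rules above is a routine first step when triaging a suspicious binary. The following Python is an added example, not code from the specification; the PE image it parses is a constructed minimal PE32+ header, not a real binary.

```python
import struct

# Fixed-size header layouts from the PE/COFF specification (little-endian).
FILE_HEADER = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
FILE_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
SECTION_FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
                  "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
                  "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_file_header(data):
    """Return (file header dict, offset of the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    header = dict(zip(FILE_FIELDS, FILE_HEADER.unpack_from(data, fh_off)))
    return header, fh_off + FILE_HEADER.size


def parse_sections(data):
    """Return the section headers as dicts, in file order."""
    fh, opt_off = parse_file_header(data)
    # The file header carries no pointer to the section table; it begins at the first
    # byte after the optional header, whose size must be taken from the file header.
    sec_off = opt_off + fh["SizeOfOptionalHeader"]
    sections = []
    for i in range(fh["NumberOfSections"]):
        raw = SECTION_HEADER.unpack_from(data, sec_off + i * SECTION_HEADER.size)
        sec = dict(zip(SECTION_FIELDS, raw))
        sec["Name"] = sec["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return sections


def validate_sections(data):
    """Check the image-file layout rules from the spec; return a list of findings."""
    fh, opt_off = parse_file_header(data)
    # SectionAlignment and FileAlignment sit at the same offsets in PE32 and PE32+.
    section_align, file_align = struct.unpack_from("<II", data, opt_off + 32)
    findings, prev = [], None
    for n, sec in enumerate(parse_sections(data), start=1):   # entries are numbered from 1
        tag = f"section {n} ({sec['Name']})"
        if sec["VirtualAddress"] % section_align:
            findings.append(f"{tag}: VirtualAddress is not a multiple of SectionAlignment")
        if prev is not None:
            expected = align_up(prev["VirtualAddress"] + prev["VirtualSize"], section_align)
            if sec["VirtualAddress"] != expected:
                findings.append(f"{tag}: VirtualAddress is not ascending and adjacent to the previous section")
            if sec["SizeOfRawData"] and sec["PointerToRawData"] < prev["PointerToRawData"]:
                findings.append(f"{tag}: raw data is not in RVA order")
        if sec["SizeOfRawData"]:
            if sec["PointerToRawData"] % file_align:
                findings.append(f"{tag}: PointerToRawData is not a multiple of FileAlignment")
            if sec["PointerToRawData"] + sec["SizeOfRawData"] > len(data):
                findings.append(f"{tag}: raw data extends past the end of the file")
        prev = sec
    return findings


def build_sample(tamper=False):
    """Constructed minimal PE32+ image with two sections (not a real binary)."""
    e_lfanew, opt_size, section_align, file_align = 0x40, 0xF0, 0x1000, 0x200
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B)                      # Magic: PE32+
    struct.pack_into("<II", optional, 32, section_align, file_align)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [(b".text", 0x800, 0x1000, 0x800, 0x400), (b".data", 0x200, 0x2000, 0x200, 0xC00)]
    if tamper:   # misaligned, non-adjacent virtual address for the second section
        sections[1] = (b".data", 0x200, 0x2100, 0x200, 0xC00)
    image = bytearray(e_lfanew)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image += b"PE\0\0" + FILE_HEADER.pack(0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    image += optional
    for name, vsize, va, rawsize, rawptr in sections:
        image += SECTION_HEADER.pack(name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    image += b"\0" * (0xE00 - len(image))   # pad so every section's raw data lies inside the file
    return bytes(image)


if __name__ == "__main__":
    for s in parse_sections(build_sample()):
        print(f"{s['Name']:<8} VA=0x{s['VirtualAddress']:X} raw@0x{s['PointerToRawData']:X}")
    print(validate_sections(build_sample(tamper=True)))
```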

Object files contain COFF relocations, which specify how the section data should be modified when placed in the image file and subsequently loaded into memory. Image files do not contain COFF relocations, because all referenced symbols have already been assigned addresses in a flat address space. An image contains relocation information in the form of base relocations; for more information, see the base relocation table description below. For each section in an object file, an array of fixed-length records holds the section's COFF relocations.

The position and length of the array are specified in the section header. Each element of the array has the following format. The section is usually in the same file, except when the object file is part of an archive library. In that case, the section can be found in any other object file in the archive that has the same archive-member name as the current object file.

The relationship with the archive-member name is used in the linking of import tables. The Type field of the relocation record indicates what kind of relocation should be performed. Different relocation types are defined for each type of machine. The following relocation type indicators are defined for SH3 and SH4 processors. The following relocation type indicators are defined for the Intel Itanium processor family and compatible processors.

Note that relocations on instructions use the bundle's offset and slot number for the relocation offset. COFF line numbers indicate the relationship between code and line numbers in source files. The Microsoft format for COFF line numbers is similar to standard COFF, but it has been extended to allow a single section to relate to line numbers in multiple source files. COFF line numbers consist of an array of fixed-length records.

The location (file offset) and size of the array are specified in the section header. Each line-number record has the following format. A line-number record can either set the Linenumber field to zero and point to a function definition in the symbol table, or it can work as a standard line-number entry by giving a positive integer line number and the corresponding address in the object code. A group of line-number entries always begins with the first format: the index of a function symbol.

The function's auxiliary record in the symbol table has a pointer to the Linenumber field that points to this same line-number record. A record that identifies a function is followed by any number of line-number entries that give actual line-number information (that is, entries with Linenumber greater than zero). These entries are one-based, relative to the beginning of the function, and represent every source line in the function except for the first line.

For example, the first line-number record for the following example would specify the ReverseSign function (SymbolTableIndex of ReverseSign and Linenumber set to zero). Then records with Linenumber values of 1, 2, and 3 would follow, corresponding to the function's source lines. The symbol table in this section is inherited from the traditional COFF format. Section names and file names, as well as code and data symbols, are listed in the symbol table. The symbol table is an array of records, each 18 bytes long.

Each record is either a standard or auxiliary symbol-table record. A standard record defines a symbol or name and has the following format.

Zero or more auxiliary symbol-table records immediately follow each standard symbol-table record. However, typically not more than one auxiliary symbol-table record follows a standard symbol-table record (with one exception).

Each auxiliary record is the same size as a standard symbol-table record (18 bytes), but rather than define a new symbol, the auxiliary record gives additional information on the last symbol defined. The choice of which of several formats to use depends on the StorageClass field. Currently-defined formats for auxiliary symbol table records are shown in section 5. Tools that read COFF symbol tables must ignore auxiliary symbol records whose interpretation is unknown.

This allows the symbol table format to be extended to add new auxiliary records, without breaking existing tools. The ShortName field in a symbol table consists of 8 bytes that contain the name itself if it is not more than 8 bytes long; otherwise, the ShortName field gives an offset into the string table. To determine whether the name itself or an offset is given, test the first 4 bytes for equality to zero.

Normally, the Section Value field in a symbol table entry is a one-based index into the section table. However, this field is a signed integer and can take negative values. The following values, less than one, have special meanings. The Type field of a symbol table entry contains 2 bytes, where each byte represents type information. The following values are defined for base type, although Microsoft tools generally do not use this field and set the LSB to 0. However, the possible COFF values are listed here for completeness.

The most significant byte specifies whether the symbol is a pointer to, function returning, or array of the base type that is specified in the LSB. Microsoft tools use this field only to indicate whether the symbol is a function, so that the only two resulting values are 0x0 and 0x20 for the Type field.

However, other tools can use this field to communicate more information. It is very important to specify the function attribute correctly. This information is required for incremental linking to work correctly. For some architectures, the information may be required for other purposes. The StorageClass field of the symbol table indicates what kind of definition a symbol represents.

The following table shows possible values. Note that the StorageClass field is an unsigned 1-byte integer. The special value -1 should therefore be taken to mean its unsigned equivalent, 0xFF.

Except in the second column heading below, "Value" should be taken to mean the Value field of the symbol record whose interpretation depends on the number found as the storage class. Auxiliary symbol table records always follow, and apply to, some standard symbol table record.

An auxiliary record can have any format that the tools can recognize, but 18 bytes must be allocated for them so that the symbol table is maintained as an array of regular size. Currently, Microsoft tools recognize auxiliary formats for the following kinds of records: function definitions, function begin and end symbols. The traditional COFF design also includes auxiliary-record formats for arrays and structures.

A symbol table record marks the beginning of a function definition if it has all of the following: a storage class of EXTERNAL (2), a Type value that indicates it is a function (0x20), and a section number that is greater than zero.

Function-definition symbol records are followed by an auxiliary record in the format described below. For each function definition in the symbol table, three items describe the beginning, ending, and number of lines.

A symbol record named. The Value field gives the number of lines in the function. The Value field has the same number as the Total Size field in the function-definition symbol record. A module can contain an unresolved external symbol (sym1), but it can also include an auxiliary record that indicates that if sym1 is not present at link time, another external symbol (sym2) is used to resolve references instead.

If a definition of sym1 is linked, then an external reference to the symbol is resolved normally. If a definition of sym1 is not linked, then all references to the weak external for sym1 refer to sym2 instead. The external symbol, sym2, must always be linked; typically, it is defined in the module that contains the weak reference to sym1.

The weak-external symbol record is followed by an auxiliary record with the following format (the Total Size field is used instead of a separate field). This format follows a symbol-table record with storage class FILE; the symbol name itself should be. This format follows a symbol-table record that defines a section. Such a record has a symbol name that is the name of a section such as.

The auxiliary record provides information about the section to which it refers. Thus, it duplicates some of the information in the section header. It is used to associate a token with the COFF symbol table's namespace. The position of this table is found by taking the symbol table address in the COFF header and adding the number of symbols multiplied by the size of a symbol.

At the beginning of the COFF string table are 4 bytes that contain the total size in bytes of the rest of the string table. This size includes the size field itself, so that the value in this location would be 4 if no strings were present.

Following the size are null-terminated strings that are pointed to by symbols in the COFF symbol table. Attribute certificates can be associated with an image by adding an attribute certificate table. The attribute certificate table is composed of a set of contiguous, quadword-aligned attribute certificate entries. Zero padding is inserted between the original end of the file and the beginning of the attribute certificate table to achieve this alignment. Each attribute certificate entry contains the following fields.

The virtual address value from the Certificate Table entry in the Optional Header Data Directory is a file offset to the first attribute certificate entry. Subsequent entries are accessed by advancing that entry's dwLength bytes, rounded up to an 8-byte multiple, from the start of the current attribute certificate entry. This continues until the sum of the rounded dwLength values equals the Size value from the Certificates Table entry in the Optional Header Data Directory. If the sum of the rounded dwLength values does not equal the Size value, then either the attribute certificate table or the Size field is corrupted.

The first certificate starts at offset 0x from the start of the file on disk. To advance through all the attribute certificate entries, follow the procedure described above. Alternatively, you can enumerate the certificate entries by calling the Win32 ImageEnumerateCertificates function in a loop.

For a link to the function's reference page, see References. Attribute certificate table entries can contain any certificate type, as long as the entry has the correct dwLength value, a unique wRevision value, and a unique wCertificateType value.

Note that some values are not currently supported. If the bCertificate content does not end on a quadword boundary, the attribute certificate entry is padded with zeros, from the end of bCertificate to the next quadword boundary. As stated in the preceding section, the certificates in the attribute certificate table can contain any certificate type. Certificates that ensure a PE file's integrity may include a PE image hash.
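The walk described above, as an added Python example (not code from the specification or from ImageEnumerateCertificates): it advances by dwLength rounded up to a quadword, treats a mismatch between the rounded sum and the directory Size as corruption, and also rejects an entry whose dwLength runs past the end of the file. The file bytes and certificate payloads are constructed.

```python
import struct

WIN_CERT_HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def align8(n):
    """Round up to the next quadword boundary."""
    return (n + 7) & ~7


def walk_certificate_table(data, table_offset, table_size):
    """Enumerate WIN_CERTIFICATE entries; raise ValueError if the table is inconsistent.

    table_offset and table_size are the two fields of the Certificate Table data
    directory entry; the first is a file offset, not an RVA, because certificates
    are never mapped into memory as part of the image."""
    entries, consumed = [], 0
    while consumed < table_size:
        off = table_offset + consumed
        if off + WIN_CERT_HEADER.size > len(data):
            raise ValueError(f"entry header at 0x{off:X} runs past the end of the file")
        length, revision, cert_type = WIN_CERT_HEADER.unpack_from(data, off)
        if length < WIN_CERT_HEADER.size or off + length > len(data):
            raise ValueError(f"entry at 0x{off:X} has an impossible dwLength 0x{length:X}")
        entries.append({"offset": off, "dwLength": length, "wRevision": revision,
                        "wCertificateType": cert_type,
                        "bCertificate": data[off + WIN_CERT_HEADER.size:off + length]})
        consumed += align8(length)   # zero padding after bCertificate is not counted in dwLength
    if consumed != table_size:
        raise ValueError(f"rounded dwLength sum 0x{consumed:X} != directory Size 0x{table_size:X}")
    return entries


def table_is_consistent(data, table_offset, table_size):
    """True when the table walks cleanly, False when the spec's corruption check fires."""
    try:
        walk_certificate_table(data, table_offset, table_size)
        return True
    except ValueError:
        return False


def build_entry(blob, revision=WIN_CERT_REVISION_2_0, cert_type=WIN_CERT_TYPE_PKCS_SIGNED_DATA):
    """Constructed entry: header, payload, zero padding to the next quadword."""
    length = WIN_CERT_HEADER.size + len(blob)
    return WIN_CERT_HEADER.pack(length, revision, cert_type) + blob + b"\0" * (align8(length) - length)


def build_sample(corrupt=False):
    """Constructed file: 0x1F3 bytes of 'image', alignment padding, then a two-entry table."""
    body = b"\xCC" * 0x1F3
    table_offset = align8(len(body))
    body += b"\0" * (table_offset - len(body))   # zero padding from the original EOF to the table
    table = build_entry(b"SIGNED-DATA-A") + build_entry(b"SIGNED-DATA-BB")
    size = len(table) - 8 if corrupt else len(table)   # corrupt: Size disagrees with the entries
    return body + table, table_offset, size


if __name__ == "__main__":
    data, off, size = build_sample()
    for e in walk_certificate_table(data, off, size):
        print(f"0x{e['offset']:X}: dwLength={e['dwLength']} rev=0x{e['wRevision']:X} "
              f"type={e['wCertificateType']} {e['bCertificate']!r}")
    print("corrupt table accepted?", table_is_consistent(*build_sample(corrupt=True)))
```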

A PE image hash or file hash is similar to a file checksum in that the hash algorithm produces a message digest that is related to the integrity of a file. However, a checksum is produced by a simple algorithm and is used primarily to detect whether a block of memory on disk has gone bad and the values stored there have become corrupted.

A file hash is similar to a checksum in that it also detects file corruption. However, unlike most checksum algorithms, it is very difficult to modify a file without changing the file hash from its original unmodified value. A file hash can thus be used to detect intentional and even subtle modifications to a file, such as those introduced by viruses, hackers, or Trojan horse programs.

This is because the act of adding a Certificate changes these fields and would cause a different hash value to be calculated.

This data stream remains consistent when certificates are added to or removed from a PE file. Based on the parameters that are passed to ImageGetDigestStream, other data from the PE image can be omitted from the hash computation.

These tables were added to the image to support a uniform mechanism for applications to delay the loading of a DLL until the first call into that DLL. The layout of the tables matches that of the traditional import tables that are described in section 6.

The delay-load directory table is the counterpart to the import directory table. It can be retrieved through the Delay Import Descriptor entry in the optional header data directories list. The table is arranged as follows. The tables that are referenced in this data structure are organized and sorted just as their counterparts are for traditional imports; for details, see the import section description below. As yet, no attribute flags are defined. The linker sets this field to zero in the image.

This field can be used to extend the record by indicating the presence of new fields, or it can be used to indicate behaviors to the delay or unload helper functions.

The name of the DLL to be delay-loaded resides in the read-only data section of the image. It is referenced through the szName field. The handle of the DLL to be delay-loaded is in the data section of the image. The phmod field points to the handle.

The supplied delay-load helper uses this location to store the handle to the loaded DLL. The delay-load helper updates these pointers with the real entry points so that the thunks are no longer in the calling loop. The delay import name table INT contains the names of the imports that might require loading.

They are ordered in the same fashion as the function pointers in the IAT. It consists of initialized data in the read-only section that is an exact copy of the original IAT that referred the code to the delay-load thunks.

Typical COFF sections contain code or data that linkers and Microsoft Win32 loaders process without special knowledge of the section contents. The contents are relevant only to the application that is being linked or executed. However, some COFF sections have special meanings when found in object files or image files.

Tools and loaders recognize these sections because they have special flags set in the section header, because special locations in the image optional header point to them, or because the section name itself indicates a special function of the section.

Even if the section name itself does not indicate a special function of the section, the section name is dictated by convention, so the authors of this specification can refer to a section name in all cases.

The reserved sections and their attributes are described in the table below, followed by detailed descriptions for the section types that are persisted into executables and the section types that contain metadata for extensions.

Some of the sections listed here are marked "object only" or "image only" to indicate that their special semantics are relevant only for object files or image files, respectively.

A section that is marked "image only" might still appear in an object file as a way of getting into the image file, but the section has no special meaning to the linker, only to the image file loader. This section describes the packaging of debug information in object and image files.

The next section describes the format of the debug directory, which can be anywhere in the image. Subsequent sections describe the "groups" in object files that contain debug information. The default for the linker is that debug information is not mapped into the address space of the image.

Image files contain an optional debug directory that indicates what form of debug information is present and where it is. This directory consists of an array of debug directory entries whose location and size are indicated in the image optional header.

The debug directory can be in a discardable section. Each debug directory entry identifies the location and size of a block of debug information. The specified RVA can be zero if the debug information is not covered by a section header (that is, it resides in the image file and is not mapped into the run-time address space).

If it is mapped, the RVA is its address. Those functions that do not have FPO information are assumed to have normal stack frames. The format for FPO information is as follows. If the input does not change, the output PE file is guaranteed to be bit-for-bit identical no matter when or where the PE is produced.

The raw data of this debug entry may be empty, or may contain a calculated hash value preceded by a four-byte value that represents the hash value length. Object files can contain.

The linker recognizes these. These are shared types among all of the objects that were compiled by using the precompiled header that was generated with this object. The linker gathers all relevant debug data from these sections, processes that data along with the linker-generated debugging information into the PDB file, and creates a debug directory entry to refer to it. The linker removes a. The directive string is a series of linker options that are separated by spaces.

Each option contains a hyphen, the option name, and any appropriate attribute. If an option contains spaces, the option must be enclosed in quotes. The export data section, named. An overview of the general structure of the export section is described below. The tables described are usually contiguous in the file in the order shown (though this is not required).

Only the export directory table and export address table are required to export symbols as ordinals. An ordinal is an export that is accessed directly by its export address table index.

The name pointer table, ordinal table, and export name table all exist to support use of export names. When another image file imports a symbol by name, the Win32 loader searches the name pointer table for a matching string. If a matching string is found, the associated ordinal is identified by looking up the corresponding member in the ordinal table that is, the member of the ordinal table with the same index as the string pointer found in the name pointer table.

The resulting ordinal is an index into the export address table, which gives the actual location of the desired symbol. Every export symbol can be accessed by an ordinal. When another image file imports a symbol by ordinal, it is unnecessary to search the name pointer table for a matching string.

Direct use of an ordinal is therefore more efficient. However, an export name is easier to remember and does not require the user to know the table index for the symbol. The export symbol information begins with the export directory table, which describes the remainder of the export symbol information.

The export directory table contains address information that is used to resolve imports to the entry points within this image. The export address table contains the address of exported entry points and exported data and absolutes.

An ordinal number is used as an index into the export address table. Each entry in the export address table is a field that uses one of two formats in the following table. If the address specified is not within the export section (as defined by the address and length that are indicated in the optional header), the field is an export RVA, which is an actual address in code or data; otherwise, it is a forwarder RVA. A forwarder RVA exports a definition from some other image, making it appear as if it were being exported by the current image.

Thus, the symbol is simultaneously imported and exported. For example, in Kernel. The application's import table refers only to Kernel. Therefore, the application is not specific to Windows XP and can run on any Win32 system. The export name pointer table is an array of addresses (RVAs) into the export name table. The pointers are 32 bits each and are relative to the image base. The pointers are ordered lexically to allow binary searches.

The export ordinal table is an array of unbiased indexes into the export address table. Ordinals are biased by the Ordinal Base field of the export directory table. In other words, the ordinal base must be subtracted from the ordinals to obtain true indexes into the export address table. The export name pointer table and the export ordinal table form two parallel arrays that are separated to allow natural field alignment. These two tables, in effect, operate as one table, in which the Export Name Pointer column points to a public exported name and the Export Ordinal column gives the corresponding ordinal for that public name.

A member of the export name pointer table and a member of the export ordinal table are associated by having the same position index in their respective arrays. Thus, when the export name pointer table is searched and a matching string is found at position i, the algorithm for finding the symbol's RVA and biased ordinal is as follows.

When searching for a symbol by biased ordinal, the algorithm for finding the symbol's RVA and name is as follows. The export name table contains the actual string data that was pointed to by the export name pointer table. The strings in this table are public names that other images can use to import the symbols. These public export names are not necessarily the same as the private symbol names that the symbols have in their own image file and source code, although they can be.

Every exported symbol has an ordinal value, which is just the index into the export address table. Use of export names, however, is optional. Some, all, or none of the exported symbols can have export names. For exported symbols that do have export names, corresponding entries in the export name pointer table and export ordinal table work together to associate each name with an ordinal.
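Both lookups above (name to unbiased ordinal to address table entry, and biased ordinal back to address and optional name), as an added Python example rather than code from the specification. It assumes a flat image in which RVA equals buffer offset, as it would after mapping, and constructs a small export section in which one entry is a forwarder; all names, RVAs and the DLL name are made up for the example.

```python
import struct

# Export directory table: 40 bytes, eleven little-endian fields.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")
EXPORT_DIR_FIELDS = ("ExportFlags", "TimeDateStamp", "MajorVersion", "MinorVersion",
                     "NameRVA", "OrdinalBase", "AddressTableEntries",
                     "NumberOfNamePointers", "ExportAddressTableRVA",
                     "NamePointerRVA", "OrdinalTableRVA")


def read_cstring(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def read_u16(image, rva):
    return struct.unpack_from("<H", image, rva)[0]

def parse_export_directory(image, export_rva):
    return dict(zip(EXPORT_DIR_FIELDS, EXPORT_DIR.unpack_from(image, export_rva)))


def resolve_entry(image, d, export_rva, export_size, index):
    """Decode one export address table entry as ('rva', addr) or ('forwarder', 'DLL.Symbol')."""
    if index >= d["AddressTableEntries"]:
        raise IndexError(f"unbiased ordinal {index} lies outside the export address table")
    entry = read_u32(image, d["ExportAddressTableRVA"] + 4 * index)
    # An address inside the export section is a forwarder string, not code or data.
    if export_rva <= entry < export_rva + export_size:
        return ("forwarder", read_cstring(image, entry))
    return ("rva", entry)


def lookup_by_name(image, export_rva, export_size, name):
    """Name -> (target, biased ordinal), or None if the name is not exported."""
    d = parse_export_directory(image, export_rva)
    lo, hi = 0, d["NumberOfNamePointers"]
    while lo < hi:   # the name pointer table is lexically ordered, so binary search applies
        mid = (lo + hi) // 2
        candidate = read_cstring(image, read_u32(image, d["NamePointerRVA"] + 4 * mid))
        if candidate == name:
            unbiased = read_u16(image, d["OrdinalTableRVA"] + 2 * mid)   # parallel array, same index
            return resolve_entry(image, d, export_rva, export_size, unbiased), unbiased + d["OrdinalBase"]
        if candidate < name:
            lo = mid + 1
        else:
            hi = mid
    return None


def lookup_by_ordinal(image, export_rva, export_size, biased_ordinal):
    """Biased ordinal -> (target, name or None); a name is optional for an export."""
    d = parse_export_directory(image, export_rva)
    unbiased = biased_ordinal - d["OrdinalBase"]
    target = resolve_entry(image, d, export_rva, export_size, unbiased)
    for i in range(d["NumberOfNamePointers"]):
        if read_u16(image, d["OrdinalTableRVA"] + 2 * i) == unbiased:
            return target, read_cstring(image, read_u32(image, d["NamePointerRVA"] + 4 * i))
    return target, None


EXPORT_RVA = 0x3000   # constructed location of the export section in the flat image


def build_sample_image():
    """Constructed flat image (RVA == offset) exporting Alpha, Beta (a forwarder) and Gamma."""
    image = bytearray(0x4000)
    eat_rva = EXPORT_RVA + EXPORT_DIR.size
    npt_rva = eat_rva + 3 * 4
    ot_rva = npt_rva + 3 * 4
    cursor = ot_rva + 3 * 2           # string data follows the three tables

    def put_string(text):
        nonlocal cursor
        rva, raw = cursor, text.encode("ascii") + b"\0"
        image[cursor:cursor + len(raw)] = raw
        cursor += len(raw)
        return rva

    dll_name = put_string("EXAMPLE.DLL")
    alpha, beta, gamma = put_string("Alpha"), put_string("Beta"), put_string("Gamma")
    forwarder = put_string("OTHER.Forwarded")
    # EAT index 0 -> code (Gamma), 1 -> forwarder string (Beta), 2 -> code (Alpha)
    struct.pack_into("<III", image, eat_rva, 0x1010, forwarder, 0x1020)
    struct.pack_into("<III", image, npt_rva, alpha, beta, gamma)   # lexical order
    struct.pack_into("<HHH", image, ot_rva, 2, 1, 0)               # unbiased ordinals, parallel
    EXPORT_DIR.pack_into(image, EXPORT_RVA, 0, 0, 0, 0, dll_name, 1, 3, 3, eat_rva, npt_rva, ot_rva)
    return bytes(image), EXPORT_RVA, cursor - EXPORT_RVA


if __name__ == "__main__":
    img, rva, size = build_sample_image()
    print(lookup_by_name(img, rva, size, "Beta"))     # forwarder, biased ordinal 2
    print(lookup_by_ordinal(img, rva, size, 1))       # ('rva', 0x1010), 'Gamma'
```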

The structure of the export name table is a series of null-terminated ASCII strings of variable length. All image files that import symbols, including virtually all executable (EXE) files, have an import section. A typical file layout for the import information follows. The import information begins with the import directory table, which describes the remainder of the import information. The import directory table contains address information that is used to resolve fixup references to the entry points within a DLL image.

The import directory table consists of an array of import directory entries, one entry for each DLL to which the image refers. The last directory entry is empty (filled with null values), which indicates the end of the directory table. Each entry uses the bit-field format that is described in the following table.

The collection of these entries describes all imports from a given DLL. The last entry is set to zero (NULL) to indicate the end of the table. The structure and content of the import address table are identical to those of the import lookup table, until the file is bound. These addresses are the actual memory addresses of the symbols, although technically they are still called "virtual addresses."

It is pointed to by the exception table entry in the image data directory. The entries must be sorted according to the function addresses (the first field in each structure) before being emitted into the final image. The target platform determines which of the three function table entry format variations described below is used. The base relocation table contains entries for all base relocations in the image.

The Base Relocation Table field in the optional header data directories gives the number of bytes in the base relocation table. The base relocation table is divided into blocks.

Each block represents the base relocations for a 4K page. Each block must start on an aligned boundary. The loader is not required to process base relocations that are resolved by the linker, unless the load image cannot be loaded at the image base that is specified in the PE header. The Block Size field is then followed by any number of Type/Offset field entries. Each entry is a WORD (2 bytes) and has the following structure.

To apply a base relocation, the difference is calculated between the preferred base address and the base where the image is actually loaded. If the image is loaded at its preferred base, the difference is zero and thus the base relocations do not have to be applied.
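Parsing the base relocation blocks and applying the delta, as an added Python example (not code from the specification). It assumes a flat image where RVA equals buffer offset, handles the ABSOLUTE padding entry and the HIGHLOW and DIR64 types, and checks the 32-bit block alignment and each Block Size against the table size; the image and its single relocation block are constructed for the example.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # no-op entry, used to pad a block to a 32-bit boundary
IMAGE_REL_BASED_HIGHLOW = 3    # add the 32-bit delta to a 32-bit field
IMAGE_REL_BASED_DIR64 = 10     # add the 64-bit delta to a 64-bit field
BLOCK_HEADER = struct.Struct("<II")   # Page RVA, Block Size (size includes this header)
WIDTHS = {IMAGE_REL_BASED_HIGHLOW: ("<I", 4, 0xFFFFFFFF),
          IMAGE_REL_BASED_DIR64: ("<Q", 8, 0xFFFFFFFFFFFFFFFF)}


def parse_reloc_blocks(image, table_rva, table_size):
    """Return [(page_rva, [(type, offset), ...]), ...] for the base relocation table."""
    blocks, off, end = [], table_rva, table_rva + table_size
    while off < end:
        if off % 4:
            raise ValueError(f"block at 0x{off:X} does not start on a 32-bit boundary")
        page_rva, block_size = BLOCK_HEADER.unpack_from(image, off)
        if block_size < BLOCK_HEADER.size or off + block_size > end:
            raise ValueError(f"block at 0x{off:X}: Block Size 0x{block_size:X} overruns the table")
        count = (block_size - BLOCK_HEADER.size) // 2
        words = struct.unpack_from(f"<{count}H", image, off + BLOCK_HEADER.size)
        blocks.append((page_rva, [(w >> 12, w & 0xFFF) for w in words]))   # type: high 4 bits
        off += block_size
    return blocks


def apply_base_relocations(image, preferred_base, actual_base, table_rva, table_size):
    """Rebase a flat image; return (patched image, number of fixups applied)."""
    delta = actual_base - preferred_base
    if delta == 0:
        return bytes(image), 0   # loaded at the preferred base: nothing to apply
    out, applied = bytearray(image), 0
    for page_rva, entries in parse_reloc_blocks(image, table_rva, table_size):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype not in WIDTHS:
                raise ValueError(f"unsupported relocation type {rtype}")
            fmt, width, mask = WIDTHS[rtype]
            target = page_rva + offset
            if target + width > len(out):
                raise ValueError(f"relocation target 0x{target:X} lies outside the image")
            value = struct.unpack_from(fmt, out, target)[0]
            struct.pack_into(fmt, out, target, (value + delta) & mask)
            applied += 1
    return bytes(out), applied


def read_value(image, rva, width):
    return int.from_bytes(image[rva:rva + width], "little")


PREFERRED_BASE, RELOC_RVA, PAGE_RVA = 0x400000, 0x3000, 0x2000   # constructed values


def build_sample_image():
    """Constructed flat image (RVA == offset): three absolute pointers in one 4K page
    and a single relocation block that describes them. Returns (image, table size)."""
    image = bytearray(0x4000)
    struct.pack_into("<Q", image, PAGE_RVA + 0x10, PREFERRED_BASE + 0x1000)  # 64-bit pointer
    struct.pack_into("<I", image, PAGE_RVA + 0x20, PREFERRED_BASE + 0x2100)  # 32-bit pointer
    struct.pack_into("<I", image, PAGE_RVA + 0x24, PREFERRED_BASE + 0x3000)  # 32-bit pointer
    words = [(IMAGE_REL_BASED_DIR64 << 12) | 0x10, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x20,
             (IMAGE_REL_BASED_HIGHLOW << 12) | 0x24, IMAGE_REL_BASED_ABSOLUTE << 12]  # last pads
    block = BLOCK_HEADER.pack(PAGE_RVA, BLOCK_HEADER.size + 2 * len(words))
    block += struct.pack(f"<{len(words)}H", *words)
    image[RELOC_RVA:RELOC_RVA + len(block)] = block
    return bytes(image), len(block)


if __name__ == "__main__":
    img, size = build_sample_image()
    patched, n = apply_base_relocations(img, PREFERRED_BASE, 0x10000000, RELOC_RVA, size)
    print(n, hex(read_value(patched, PAGE_RVA + 0x10, 8)), hex(read_value(patched, PAGE_RVA + 0x20, 4)))
```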

TLS is a special storage class that Windows supports in which a data object is not an automatic stack variable, yet is local to each individual thread that runs the code.

Thus, each thread can maintain a different value for a variable declared by using TLS. This implementation enables TLS data to be defined and initialized similarly to ordinary static variables in a program. Statically declared TLS data objects can be used only in statically loaded image files.

This field points to a location where the program expects to receive the TLS index. The linker looks for this memory image and uses the data there to create the TLS directory.

Other compilers that support TLS and work with the Microsoft linker must use this same technique. When a thread is created, the loader communicates the address of the thread's TLS array by placing the address of the thread environment block (TEB) in the FS register. This behavior is Intel x86-specific. The loader assigns the value of the TLS index to the place that was indicated by the Address of Index field.

The code uses the TLS index and the TLS array location (multiplying the index by 4 and using it as an offset to the array) to get the address of the TLS data area for the given program and module. Each thread has its own TLS data area, but this is transparent to the program, which does not need to know how data is allocated for individual threads.

The TLS array is an array of addresses that the system maintains for each thread. The TLS index indicates which member of the array to use.

The index is a number meaningful only to the system that identifies the module. The program can provide one or more TLS callback functions to support additional initialization and termination for TLS data objects. A typical use for such a callback function would be to call constructors and destructors for objects.

Although there is typically no more than one callback function, a callback is implemented as an array to make it possible to add additional callback functions if desired. If there is more than one callback function, each function is called in the order in which its address appears in the array.

A null pointer terminates the array.


