BanksySan

Reputation: 28500

BaseOfCode present in PE+ executable

The MS documentation says that the BaseOfCode value is only present in PE files, not in PE+. Looking at notepad.exe with dotPeek and with PE Viewer seems to indicate that the BaseOfCode is present and consumed.

       0 1  2 3  4 5  6 7  8 9  A B  C D  E F
0x00E0 | 5045 0000 6486 0600 6a98 8957 0000 0000
0x00F0 | 0000 0000 f000 2200 0b02 0e00 0086 0100
0x0100 | 004e 0200 0000 0000 d087 0100 0010 0000

The two bytes at 0x00F8 signify that this is a PE+ header. The BaseOfCode is the four bytes at 0x010C.

Is the documentation (and myself) incorrect or are dotPeek and PE View incorrect?

The fact that these bytes aren't zeroed out would imply that the bytes are significant in some way.

Upvotes: 0

Views: 519

Answers (1)

winapiadmin

Reputation: 139

The difference is the BaseOfData. It's present on PE32 (PE), not PE64 (PE+).

Upvotes: 0
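
As an added example (not part of the question or the answer), the Python sketch below parses the standard fields of the optional header from the bytes in the question's hex dump and from a constructed PE32 counterpart. It shows that BaseOfCode sits at offset 20 of the optional header in both formats, while BaseOfData exists only in PE32. The function name, the dictionary keys and the PE32 sample values are assumptions made for illustration.

```python
import struct

# Bytes 0x00E0-0x010F of notepad.exe, copied from the hex dump in the question.
DUMP = bytes.fromhex(
    "5045 0000 6486 0600 6a98 8957 0000 0000"
    "0000 0000 f000 2200 0b02 0e00 0086 0100"
    "004e 0200 0000 0000 d087 0100 0010 0000"
)
DUMP_FILE_OFFSET = 0x00E0  # file offset of the first dumped byte

PE32_MAGIC, PE32_PLUS_MAGIC = 0x010B, 0x020B
COFF_HEADER_SIZE = 20  # follows the 4-byte "PE\0\0" signature

def parse_standard_fields(buf, file_offset=0):
    """Parse optional-header standard fields; buf starts at the PE signature."""
    if buf[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = 4 + COFF_HEADER_SIZE  # start of the optional header inside buf
    # Magic, linker version, three size fields, entry point, BaseOfCode:
    # these first 24 bytes have the same layout in PE32 and PE32+.
    magic, _maj, _min, _code, _idata, _udata, entry, base_of_code = (
        struct.unpack_from("<HBBIIIII", buf, opt))
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#06x}")
    is_pe32 = magic == PE32_MAGIC
    return {
        "format": "PE32" if is_pe32 else "PE32+",
        "AddressOfEntryPoint": entry,
        "BaseOfCode": base_of_code,
        "BaseOfCode_file_offset": file_offset + opt + 20,
        # PE32 only: 4-byte BaseOfData at +24. PE32+ has no such field.
        "BaseOfData": struct.unpack_from("<I", buf, opt + 24)[0] if is_pe32 else None,
        # ImageBase: 4 bytes at +28 in PE32, 8 bytes at +24 in PE32+.
        "ImageBase_file_offset": file_offset + opt + (28 if is_pe32 else 24),
        "ImageBase_size": 4 if is_pe32 else 8,
    }

# Constructed PE32 sample (not from the page): magic 0x010B plus a made-up BaseOfData.
PE32_SAMPLE = (
    b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    + struct.pack("<HBBIIIIII", PE32_MAGIC, 14, 0, 0x18600, 0x24E00, 0,
                  0x187D0, 0x1000, 0x1A000)
)

if __name__ == "__main__":
    print(parse_standard_fields(DUMP, DUMP_FILE_OFFSET))
    print(parse_standard_fields(PE32_SAMPLE))
```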
