Offset
(PE/PE32+)
|
Size
|
Field
|
Description
|
96/112
|
8
|
Export
Table
|
The
export table address and size. For more information see section 6.3, “The
.edata Section (Image Only).”
|
104/120
|
8
|
Import
Table
|
The
import table address and size. For more information, see section 6.4, “The
.idata Section.”
|
112/128
|
8
|
Resource
Table
|
The
resource table address and size. For more information, see section 6.9, “The
.rsrc Section.”
|
120/136
|
8
|
Exception
Table
|
The
exception table address and size. For more information, see section 6.5, “The
.pdata Section.”
|
128/144
|
8
|
Certificate
Table
|
The
attribute certificate table address and size. For more information, see
section 5.7, “The Attribute Certificate Table (Image Only).”
|
136/152
|
8
|
Base
Relocation Table
|
The
base relocation table address and size. For more information, see section 6.6,
"The .reloc Section (Image Only)."
|
144/160
|
8
|
Debug
|
The
debug data starting address and size. For more information, see section 6.1,
“The .debug Section.”
|
152/168
|
8
|
Architecture
|
Reserved,
must be 0
|
160/176
|
8
|
Global
Ptr
|
The
RVA of the value to be stored in the global pointer register. The size member
of this structure must be set to zero.
|
168/184
|
8
|
TLS
Table
|
The
thread local storage (TLS) table address and size. For more information, see
section 6.7, “The .tls Section.”
|
176/192
|
8
|
Load
Config Table
|
The
load configuration table address and size. For more information, see section
6.8, “The Load Configuration Structure (Image Only).”
|
184/200
|
8
|
Bound
Import
|
The
bound import table address and size.
|
192/208
|
8
|
IAT
|
The
import address table address and size. For more information, see section 6.4.4,
“Import Address Table.”
|
200/216
|
8
|
Delay
Import Descriptor
|
The
delay import descriptor address and size. For more information, see section
5.8, “Delay-Load Import Tables (Image Only).”
|
208/224
|
8
|
CLR
Runtime Header
|
The
CLR runtime header address and size. For more information, see section 6.10,
“The .cormeta Section (Object Only).”
|
216/232
|
8
|
Reserved,
must be zero
|
And our data from the three are different, as expected. They are expected to be different because the files are different sizes. The CSC is 3072, the VS is 5102, and the Xamarin is 3584. So, if we dig into the CSC first, we have 16 double words:
D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_CSC_2.0.exe
000000F0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ················
00000100 5C 23 00 00 4F 00 00 00 00 40 00 00 D0 02 00 00 \#··O····@··D···
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000120 00 60 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 ·`··············
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000150 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 ········· ······
00000160 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 ········· ··H···
00000170 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ········.text···
We have the ExportTable at 0x00, the ImportTable at 0x0000004F0000235C, the ResourceTable at 0x000002D000004000, the ExceptionTable at 0x00, the CertificateTable at 0x00, the BaseRelocationTable at 0x0000000C00006000, the Debug at 0x00, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.
D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_VS_2.0.exe
000000F0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ················
00000100 58 27 00 00 4F 00 00 00 00 40 00 00 10 06 00 00 X'··O····@······
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000120 00 60 00 00 0C 00 00 00 20 26 00 00 1C 00 00 00 ·`······ &······
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000150 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 ········· ······
00000160 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 ········· ··H···
00000170 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ········.text···
In the VS we have the ExportTable at 0x00, the ImportTable at 0x0000004F00002758, the ResourceTable at 0x0000061000004000, the ExceptionTable at 0x00, the CertificateTable at 0x00, the BaseRelocationTable at 0x0000000C00006000, the Debug at 0x0000001C00002620, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.
D:\Source\HelloWorld\CommandLine>PrintBinaryFile.exe HelloWorld_Xamarin_2.0.exe
000000F0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ················
00000100 B0 24 00 00 4B 00 00 00 00 40 00 00 84 03 00 00 °$··K····@··?···
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000120 00 60 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 ·`··············
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ················
00000150 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 ········· ······
00000160 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 ········· ··H···
00000170 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ········.text···
Finally, in the Xamarin we have the ExportTable at 0x00, the ImportTable at 0x0000004B000024B0, the ResourceTable at 0x0000038400004000, the ExceptionTable at 0x00, the CertificateTable at 0x00, the BaseRelocationTable at 0x0000000C00006000, the Debug at 0x00, the Architecture (reserved) at 0x00, the GlobalPtr at 0x00, the TLSTable at 0x00, the LoadConfigTable at 0x00, the BoundImport at 0x00, the IAT at 0x0000000800002000, the DelayImportDescriptor at 0x00, the CLRRuntimeHeader at 0x0000004800002008, and the Reserved at 0x00.
So, this clears up why the VS images are so much larger than the others. Did you catch it? The VS image has a non-zero Debug section. That implies that the VS image has debug information, which if we look in the Advanced Build Settings we will see that the Output is set for Debug Info as pdb-only:
Advanced Build Settings with pdb-only set for Debug Info |
While we are here, also note that the DLL Base Address is 0x00400000. I am not sure why, but we will note it.
That is enough for tonight, we will pick back up with the Section Table next time.