先祭出一张不是很清楚的图，实在找不到清楚的图，

所以网上随便找了张图凑合下

PE文件在磁盘中和内存中的映射关系，在磁盘中是200h对齐，在内存中是1000h（4KB）对齐，所以在内存中会变大，所以红框以上的块表被放大了，磁盘中200h是为了节省磁盘空间，

不够200h的用00补足（200h就是200行的16进制数，也就是512字节）

用图文配字表达更容易理解。。。。

Dos Header如下：

Nt Headers如下：

更多细节参考：c99K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3K9i4y4Z5j5#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3k6X3!0J5N6h3#2Q4x3X3g2H3K9s2m8Q4x3@1k6E0L8$3c8Q4x3@1c8$3K9h3g2%4N6r3S2J5k6h3q4V1i4K6t1$3j5h3#2H3i4K6y4n7N6r3W2V1i4K6y4p5x3e0l9K6x3o6b7H3

IMAGE_OPTIONAL_HEADER32结构如下：

更多细节参考：3e0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3K9i4y4Z5j5#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3k6X3!0J5N6h3#2Q4x3X3g2H3K9s2m8Q4x3@1k6E0L8$3c8Q4x3@1c8$3K9h3g2%4N6r3S2J5k6h3q4V1i4K6t1$3j5h3#2H3i4K6y4n7N6r3W2V1i4K6y4p5x3e0l9K6x3e0V1H3i4K6t1$3j5h3#2H3i4K6y4n7K9r3W2Y4K9r3I4A6k6$3S2@1i4K6y4p5i4K6t1#2b7V1c8Q4x3U0g2q4x3W2)9J5y4f1x3K6i4K6t1#2c8p5y4Q4x3U0g2o6c8W2)9J5y4f1t1#2i4K6t1#2b7K6q4Q4x3U0g2p5x3l9`.`.

SectionHeaders：

 835K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3K9i4y4Z5j5#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3k6X3!0J5N6h3#2Q4x3X3g2H3K9s2m8Q4x3@1k6E0L8$3c8Q4x3@1c8$3K9h3g2%4N6r3S2J5k6h3q4V1i4K6t1$3j5h3#2H3i4K6y4n7N6r3W2V1i4K6y4p5x3e0l9K6y4o6t1I4i4K6t1$3j5h3#2H3i4K6y4n7K9r3W2Y4K9r3I4A6k6$3S2@1i4K6y4p5f1p5g2Q4x3U0g2n7c8q4)9J5y4f1f1I4i4K6t1#2b7U0W2Q4x3U0g2n7z5g2)9J5y4f1y4r3i4K6t1#2c8f1q4Q4x3U0g2n7c8q4)9J5y4f1f1J5y4b7`.`.

计算IMAGE_SECTION_HEADER中的子成员VirtualAdress值如下：

 总结就是跳来跳去，各种指向，各种加加减减

以上均得益于“鱼C-小甲鱼”

可以在B站搜索：鱼C-小甲鱼 解密系列

论坛是：32dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3K9i4y4Z5j5#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3

文章部分分析可能有误，欢迎斧正

有兴趣的可以进群交流，QQ群:542863693，主要用于手游安全分析

以上仅供学习，切勿用于非法用途，文章如有侵犯，请联系文章对应版主删除

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课