{"id":146,"date":"2018-01-27T23:52:01","date_gmt":"2018-01-27T23:52:01","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=146"},"modified":"2018-01-29T00:30:16","modified_gmt":"2018-01-29T00:30:16","slug":"pe-header-for-x64","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/27\/pe-header-for-x64\/","title":{"rendered":"PE header for x64"},"content":{"rendered":"<p>For 64-bit executables\/PE files, there are a couple of changes in the <a href=\"http:\/\/www.sunshine2k.de\/reversing\/tuts\/tut_pe.htm\">PE header offsets<\/a>.<\/p>\n<ol>\n<li>Don&#8217;t consider the size of the OptionalHeader as 0x74; instead, use the &#8220;SizeOfOptionalHeader&#8221; from the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms680313(v=vs.85).aspx\">_IMAGE_FILE_HEADER<\/a>.<\/li>\n<li>There is no longer a BaseOfData field; instead, ImageBase is 8 bytes long. More details on\u00a0_IMAGE_OPTIONAL_HEADER64 can be found\u00a0<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms680339(v=vs.85).aspx\">here<\/a>.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>For 64-bit executables\/PE files, there are a couple of changes in the PE header offsets. Don&#8217;t consider the size of the OptionalHeader as 0x74; instead, use the &#8220;SizeOfOptionalHeader&#8221; from the _IMAGE_FILE_HEADER. There is no longer a BaseOfData field; instead, ImageBase is 8 bytes long. 
More details on\u00a0_IMAGE_OPTIONAL_HEADER64 can be found\u00a0here.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[40,9,37,38,4,39],"class_list":["post-146","post","type-post","status-publish","format-standard","hentry","category-security","tag-64bit","tag-file-format","tag-pe-header","tag-reverse-engineering","tag-windows","tag-x64"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"<p>For 64-bit executables\/PE files, there are a couple of changes in the PE header offsets. Don&#8217;t consider the size of the OptionalHeader as 0x74; instead, use the &#8220;SizeOfOptionalHeader&#8221; from the _IMAGE_FILE_HEADER. There is no longer a BaseOfData field; instead, ImageBase is 8 bytes long. 
More details on\u00a0_IMAGE_OPTIONAL_HEADER64 can be found\u00a0here.<\/p>\n","category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=146"}],"version-history":[{"count":2,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/146\/revisions"}],"predecessor-version":[{"id":154,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/146\/revisions\/154"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}