c# - 为什么我没有得到 "PE\0\0"？

Question

来自 PE 规范:

At location 0x3c, the stub has the file offset to the PE signature. This information enables Windows to properly execute the image file, even though it has an MS DOS stub. This file offset is placed at location 0x3c during linking.

2.2. Signature (Image Only)
After the MS DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is “PE\0\0” (the letters “P” and “E” followed by two null bytes).

我尝试读取这些字节:

using System;
using System.IO;

class Program {
  const String fileName = @".\some_application.exe";
  const Int64 peMarkerPosition = 0x3c;

  static void Main(string[] args) {
    using (FileStream fs = new FileStream(fileName, FileMode.Open,
      FileAccess.Read)) {
      Byte[] marker = new Byte[4];
      fs.Position = peMarkerPosition;
      fs.Read(marker, 0, marker.Length);
      // Now I expect 'marker'has such bytes: "PE\0\0".
      fs.Close();

      foreach (Byte b in marker) {
        Console.Write(Convert.ToChar(b)); // But I see other values...
      }

      Console.WriteLine("\nPress any key for exit...");
      Console.ReadKey();
    }
  }
}

但是marker变量有0x08、0x01、0x00和x0x00字节(第一个和第二个不是 P 和 E 字符)...为什么我得到这样的结果？

Answer 1

PE header 本身并不从偏移量 0x3C 开始 - 相反，那里有一个指向 PE header 开始位置的指针(从文件开头开始的 32 位文件偏移量)。