What are in the "Unmapped Data" part of PE?

Anyone knows?

It seems to me most space of PE is taken up by Unmapped Data , is this the case in most occas开发者_高级运维ions?

No that is not the case in most situations.

There should be no data past the last section, though there can be. If there is, it will be data that is not loaded into memory and hence the executable might be doing something fishy with its own fileimage at runtime.

There is often some unmapped data, particularly in the .bss section which contains uninitialized data, but most of the PE will mapped to something. If, for example, the .text section contains unmapped data, it's a clear sign that you're looking at a weird binary that's probably been obfuscated by a defensive packer tool.

Your question makes me wonder what you're looking at the binary with. I would recommend OllyDbg or Ida Pro. Most of the program's address space will be unmapped, but not the memory that the PE loads into.