880 lines
32 KiB
C
880 lines
32 KiB
C
/**
|
|
* PE format.
|
|
*/
|
|
|
|
#ifndef PE_H
|
|
#define PE_H
|
|
|
|
#ifdef VMP_GNU
|
|
|
|
#define DLL_PROCESS_ATTACH 1
|
|
#define DLL_THREAD_ATTACH 2
|
|
#define DLL_THREAD_DETACH 3
|
|
#define DLL_PROCESS_DETACH 0
|
|
|
|
#define READ_NAME(de) (*(DWORD *)&de)
|
|
#define READ_OFFSETTODATA(de) (*(((DWORD *)&de) + 1))
|
|
#define READ_ID(de) (*(WORD *)&de)
|
|
|
|
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
|
|
#define IMAGE_OS2_SIGNATURE 0x454E // NE
|
|
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
|
|
#define IMAGE_VXD_SIGNATURE 0x454C // LE
|
|
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
|
|
|
|
#pragma pack(push, 1)
|
|
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
|
|
WORD e_magic; // Magic number
|
|
WORD e_cblp; // Bytes on last page of file
|
|
WORD e_cp; // Pages in file
|
|
WORD e_crlc; // Relocations
|
|
WORD e_cparhdr; // Size of header in paragraphs
|
|
WORD e_minalloc; // Minimum extra paragraphs needed
|
|
WORD e_maxalloc; // Maximum extra paragraphs needed
|
|
WORD e_ss; // Initial (relative) SS value
|
|
WORD e_sp; // Initial SP value
|
|
WORD e_csum; // Checksum
|
|
WORD e_ip; // Initial IP value
|
|
WORD e_cs; // Initial (relative) CS value
|
|
WORD e_lfarlc; // File address of relocation table
|
|
WORD e_ovno; // Overlay number
|
|
WORD e_res[4]; // Reserved words
|
|
WORD e_oemid; // OEM identifier (for e_oeminfo)
|
|
WORD e_oeminfo; // OEM information; e_oemid specific
|
|
WORD e_res2[10]; // Reserved words
|
|
LONG e_lfanew; // File address of new exe header
|
|
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
|
|
|
|
typedef struct tagVS_FIXEDFILEINFO {
|
|
DWORD dwSignature; /* e.g. 0xfeef04bd */
|
|
DWORD dwStrucVersion; /* e.g. 0x00000042 = "0.42" */
|
|
DWORD dwFileVersionMS; /* e.g. 0x00030075 = "3.75" */
|
|
DWORD dwFileVersionLS; /* e.g. 0x00000031 = "0.31" */
|
|
DWORD dwProductVersionMS; /* e.g. 0x00030010 = "3.10" */
|
|
DWORD dwProductVersionLS; /* e.g. 0x00000031 = "0.31" */
|
|
DWORD dwFileFlagsMask; /* = 0x3F for version "0.42" */
|
|
DWORD dwFileFlags; /* e.g. VFF_DEBUG | VFF_PRERELEASE */
|
|
DWORD dwFileOS; /* e.g. VOS_DOS_WINDOWS16 */
|
|
DWORD dwFileType; /* e.g. VFT_DRIVER */
|
|
DWORD dwFileSubtype; /* e.g. VFT2_DRV_KEYBOARD */
|
|
DWORD dwFileDateMS; /* e.g. 0 */
|
|
DWORD dwFileDateLS; /* e.g. 0 */
|
|
} VS_FIXEDFILEINFO;
|
|
|
|
//
|
|
// Directory format.
|
|
//
|
|
|
|
typedef struct _IMAGE_DATA_DIRECTORY {
|
|
DWORD VirtualAddress;
|
|
DWORD Size;
|
|
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
|
|
|
|
#pragma pack(pop)
|
|
|
|
//
|
|
// File header format.
|
|
//
|
|
|
|
typedef struct _IMAGE_FILE_HEADER {
|
|
WORD Machine;
|
|
WORD NumberOfSections;
|
|
DWORD TimeDateStamp;
|
|
DWORD PointerToSymbolTable;
|
|
DWORD NumberOfSymbols;
|
|
WORD SizeOfOptionalHeader;
|
|
WORD Characteristics;
|
|
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
|
|
|
|
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
|
|
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
|
|
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
|
|
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
|
|
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
|
|
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
|
|
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
|
|
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
|
|
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
|
|
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
|
|
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
|
|
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
|
|
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
|
|
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
|
|
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
|
|
|
|
#define IMAGE_FILE_MACHINE_UNKNOWN 0
|
|
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
|
|
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
|
|
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
|
|
#define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
|
|
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
|
|
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
|
|
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
|
|
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
|
|
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
|
|
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
|
|
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
|
|
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
|
|
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
|
|
#define IMAGE_FILE_MACHINE_AM33 0x01d3
|
|
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
|
|
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
|
|
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
|
|
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
|
|
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
|
|
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
|
|
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
|
|
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
|
|
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
|
|
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
|
|
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
|
|
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
|
|
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
|
|
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
|
|
|
|
// Subsystem Values
|
|
|
|
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
|
|
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
|
|
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
|
|
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
|
|
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
|
|
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
|
|
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
|
|
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
|
|
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
|
|
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
|
|
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
|
|
#define IMAGE_SUBSYSTEM_EFI_ROM 13
|
|
#define IMAGE_SUBSYSTEM_XBOX 14
|
|
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
|
|
|
|
// DllCharacteristics Entries
|
|
|
|
// IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
|
|
// IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
|
|
// IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
|
|
// IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
|
|
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
|
|
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
|
|
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
|
|
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
|
|
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
|
|
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
|
|
// 0x1000 // Reserved.
|
|
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model
|
|
// 0x4000 // Reserved
|
|
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
|
|
|
|
// Directory Entries
|
|
|
|
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
|
|
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
|
|
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
|
|
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
|
|
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
|
|
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
|
|
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
|
|
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
|
|
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
|
|
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
|
|
|
|
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
|
|
|
|
//
|
|
// Optional header format.
|
|
//
|
|
|
|
typedef struct _IMAGE_OPTIONAL_HEADER32 {
|
|
//
|
|
// Standard fields.
|
|
//
|
|
|
|
WORD Magic;
|
|
BYTE MajorLinkerVersion;
|
|
BYTE MinorLinkerVersion;
|
|
DWORD SizeOfCode;
|
|
DWORD SizeOfInitializedData;
|
|
DWORD SizeOfUninitializedData;
|
|
DWORD AddressOfEntryPoint;
|
|
DWORD BaseOfCode;
|
|
DWORD BaseOfData;
|
|
|
|
//
|
|
// NT additional fields.
|
|
//
|
|
|
|
DWORD ImageBase;
|
|
DWORD SectionAlignment;
|
|
DWORD FileAlignment;
|
|
WORD MajorOperatingSystemVersion;
|
|
WORD MinorOperatingSystemVersion;
|
|
WORD MajorImageVersion;
|
|
WORD MinorImageVersion;
|
|
WORD MajorSubsystemVersion;
|
|
WORD MinorSubsystemVersion;
|
|
DWORD Win32VersionValue;
|
|
DWORD SizeOfImage;
|
|
DWORD SizeOfHeaders;
|
|
DWORD CheckSum;
|
|
WORD Subsystem;
|
|
WORD DllCharacteristics;
|
|
DWORD SizeOfStackReserve;
|
|
DWORD SizeOfStackCommit;
|
|
DWORD SizeOfHeapReserve;
|
|
DWORD SizeOfHeapCommit;
|
|
DWORD LoaderFlags;
|
|
DWORD NumberOfRvaAndSizes;
|
|
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
|
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
|
|
|
|
typedef struct _IMAGE_OPTIONAL_HEADER64 {
|
|
WORD Magic;
|
|
BYTE MajorLinkerVersion;
|
|
BYTE MinorLinkerVersion;
|
|
DWORD SizeOfCode;
|
|
DWORD SizeOfInitializedData;
|
|
DWORD SizeOfUninitializedData;
|
|
DWORD AddressOfEntryPoint;
|
|
DWORD BaseOfCode;
|
|
ULONGLONG ImageBase;
|
|
DWORD SectionAlignment;
|
|
DWORD FileAlignment;
|
|
WORD MajorOperatingSystemVersion;
|
|
WORD MinorOperatingSystemVersion;
|
|
WORD MajorImageVersion;
|
|
WORD MinorImageVersion;
|
|
WORD MajorSubsystemVersion;
|
|
WORD MinorSubsystemVersion;
|
|
DWORD Win32VersionValue;
|
|
DWORD SizeOfImage;
|
|
DWORD SizeOfHeaders;
|
|
DWORD CheckSum;
|
|
WORD Subsystem;
|
|
WORD DllCharacteristics;
|
|
ULONGLONG SizeOfStackReserve;
|
|
ULONGLONG SizeOfStackCommit;
|
|
ULONGLONG SizeOfHeapReserve;
|
|
ULONGLONG SizeOfHeapCommit;
|
|
DWORD LoaderFlags;
|
|
DWORD NumberOfRvaAndSizes;
|
|
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
|
|
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
|
|
|
|
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
|
|
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
|
|
|
|
typedef struct _IMAGE_NT_HEADERS64 {
|
|
DWORD Signature;
|
|
IMAGE_FILE_HEADER FileHeader;
|
|
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
|
|
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
|
|
|
|
typedef struct _IMAGE_NT_HEADERS {
|
|
DWORD Signature;
|
|
IMAGE_FILE_HEADER FileHeader;
|
|
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
|
|
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
|
|
|
|
//
|
|
// Section header format.
|
|
//
|
|
|
|
#define IMAGE_SIZEOF_SHORT_NAME 8
|
|
|
|
typedef struct _IMAGE_SECTION_HEADER {
|
|
BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
|
|
union {
|
|
DWORD PhysicalAddress;
|
|
DWORD VirtualSize;
|
|
} Misc;
|
|
DWORD VirtualAddress;
|
|
DWORD SizeOfRawData;
|
|
DWORD PointerToRawData;
|
|
DWORD PointerToRelocations;
|
|
DWORD PointerToLinenumbers;
|
|
WORD NumberOfRelocations;
|
|
WORD NumberOfLinenumbers;
|
|
DWORD Characteristics;
|
|
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
|
|
|
|
//
|
|
// Section characteristics.
|
|
//
|
|
// IMAGE_SCN_TYPE_REG 0x00000000 // Reserved.
|
|
// IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved.
|
|
// IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
|
|
// IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved.
|
|
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
|
|
// IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved.
|
|
|
|
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
|
|
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
|
|
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
|
|
|
|
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
|
|
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
|
|
// IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved.
|
|
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
|
|
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
|
|
// 0x00002000 // Reserved.
|
|
// IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
|
|
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
|
|
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
|
|
#define IMAGE_SCN_MEM_FARDATA 0x00008000
|
|
// IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
|
|
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
|
|
#define IMAGE_SCN_MEM_16BIT 0x00020000
|
|
#define IMAGE_SCN_MEM_LOCKED 0x00040000
|
|
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
|
|
|
|
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
|
|
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
|
|
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
|
|
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
|
|
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
|
|
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
|
|
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
|
|
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
|
|
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
|
|
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
|
|
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
|
|
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
|
|
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
|
|
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
|
|
// Unused 0x00F00000
|
|
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
|
|
|
|
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
|
|
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
|
|
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
|
|
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
|
|
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
|
|
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
|
|
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
|
|
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
|
|
|
|
//
|
|
// Export Format
|
|
//
|
|
|
|
typedef struct _IMAGE_EXPORT_DIRECTORY {
|
|
DWORD Characteristics;
|
|
DWORD TimeDateStamp;
|
|
WORD MajorVersion;
|
|
WORD MinorVersion;
|
|
DWORD Name;
|
|
DWORD Base;
|
|
DWORD NumberOfFunctions;
|
|
DWORD NumberOfNames;
|
|
DWORD AddressOfFunctions; // RVA from base of image
|
|
DWORD AddressOfNames; // RVA from base of image
|
|
DWORD AddressOfNameOrdinals; // RVA from base of image
|
|
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
|
|
|
|
//
|
|
// Import Format
|
|
//
|
|
|
|
typedef struct _IMAGE_IMPORT_BY_NAME {
|
|
WORD Hint;
|
|
BYTE Name[1];
|
|
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
|
|
|
|
#pragma pack(push, 8) // Use align 8 for the 64-bit IAT.
|
|
|
|
typedef struct _IMAGE_THUNK_DATA64 {
|
|
union {
|
|
ULONGLONG ForwarderString; // PBYTE
|
|
ULONGLONG Function; // PDWORD
|
|
ULONGLONG Ordinal;
|
|
ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
|
} u1;
|
|
} IMAGE_THUNK_DATA64;
|
|
typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
|
|
|
|
#pragma pack(pop) // Back to 4 byte packing
|
|
|
|
typedef struct _IMAGE_THUNK_DATA32 {
|
|
union {
|
|
DWORD ForwarderString; // PBYTE
|
|
DWORD Function; // PDWORD
|
|
DWORD Ordinal;
|
|
DWORD AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
|
} u1;
|
|
} IMAGE_THUNK_DATA32;
|
|
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;
|
|
|
|
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
|
|
#define IMAGE_ORDINAL_FLAG32 0x80000000
|
|
#define IMAGE_ORDINAL64(Ordinal) ((Ordinal) & 0xffff)
|
|
#define IMAGE_ORDINAL32(Ordinal) ((Ordinal) & 0xffff)
|
|
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG64) != 0)
|
|
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG32) != 0)
|
|
|
|
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
|
|
union {
|
|
DWORD Characteristics; // 0 for terminating null import descriptor
|
|
DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
|
|
} DUMMYUNIONNAME;
|
|
DWORD TimeDateStamp; // 0 if not bound,
|
|
// -1 if bound, and real date\time stamp
|
|
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
|
|
// O.W. date/time stamp of DLL bound to (Old BIND)
|
|
|
|
DWORD ForwarderChain; // -1 if no forwarders
|
|
DWORD Name;
|
|
DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
|
|
} IMAGE_IMPORT_DESCRIPTOR;
|
|
typedef IMAGE_IMPORT_DESCRIPTOR *PIMAGE_IMPORT_DESCRIPTOR;
|
|
|
|
//
|
|
// Resource Format.
|
|
//
|
|
|
|
typedef struct _IMAGE_RESOURCE_DIRECTORY {
|
|
DWORD Characteristics;
|
|
DWORD TimeDateStamp;
|
|
WORD MajorVersion;
|
|
WORD MinorVersion;
|
|
WORD NumberOfNamedEntries;
|
|
WORD NumberOfIdEntries;
|
|
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
|
|
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
|
|
|
|
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
|
|
#define IMAGE_RESOURCE_DATA_IS_DIRECTORY 0x80000000
|
|
|
|
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
|
|
union {
|
|
struct {
|
|
DWORD NameOffset:31;
|
|
DWORD NameIsString:1;
|
|
} DUMMYSTRUCTNAME;
|
|
DWORD Name;
|
|
WORD Id;
|
|
} DUMMYUNIONNAME;
|
|
union {
|
|
DWORD OffsetToData;
|
|
struct {
|
|
DWORD OffsetToDirectory:31;
|
|
DWORD DataIsDirectory:1;
|
|
} DUMMYSTRUCTNAME2;
|
|
} DUMMYUNIONNAME2;
|
|
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
|
|
|
|
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
|
|
DWORD OffsetToData;
|
|
DWORD Size;
|
|
DWORD CodePage;
|
|
DWORD Reserved;
|
|
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
|
|
|
|
//
|
|
// Based relocation format.
|
|
//
|
|
|
|
typedef struct _IMAGE_BASE_RELOCATION {
|
|
DWORD VirtualAddress;
|
|
DWORD SizeOfBlock;
|
|
// WORD TypeOffset[1];
|
|
} IMAGE_BASE_RELOCATION;
|
|
typedef IMAGE_BASE_RELOCATION * PIMAGE_BASE_RELOCATION;
|
|
|
|
//
|
|
// Based relocation types.
|
|
//
|
|
|
|
#define IMAGE_REL_BASED_ABSOLUTE 0
|
|
#define IMAGE_REL_BASED_HIGH 1
|
|
#define IMAGE_REL_BASED_LOW 2
|
|
#define IMAGE_REL_BASED_HIGHLOW 3
|
|
#define IMAGE_REL_BASED_HIGHADJ 4
|
|
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
|
|
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
|
|
#define IMAGE_REL_BASED_IA64_IMM64 9
|
|
#define IMAGE_REL_BASED_DIR64 10
|
|
|
|
typedef enum _EXCEPTION_DISPOSITION {
|
|
ExceptionContinueExecution,
|
|
ExceptionContinueSearch,
|
|
ExceptionNestedException,
|
|
ExceptionCollidedUnwind
|
|
} EXCEPTION_DISPOSITION;
|
|
|
|
//
|
|
// Thread Local Storage
|
|
//
|
|
|
|
typedef struct _IMAGE_TLS_DIRECTORY64 {
|
|
ULONGLONG StartAddressOfRawData;
|
|
ULONGLONG EndAddressOfRawData;
|
|
ULONGLONG AddressOfIndex; // PDWORD
|
|
ULONGLONG AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *;
|
|
DWORD SizeOfZeroFill;
|
|
union { DWORD Characteristics; };
|
|
} IMAGE_TLS_DIRECTORY64;
|
|
typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;
|
|
|
|
typedef struct _IMAGE_TLS_DIRECTORY32 {
|
|
DWORD StartAddressOfRawData;
|
|
DWORD EndAddressOfRawData;
|
|
DWORD AddressOfIndex; // PDWORD
|
|
DWORD AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *
|
|
DWORD SizeOfZeroFill;
|
|
union { DWORD Characteristics; };
|
|
} IMAGE_TLS_DIRECTORY32;
|
|
typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;
|
|
|
|
//
|
|
// Debug Format
|
|
//
|
|
|
|
typedef struct _IMAGE_DEBUG_DIRECTORY {
|
|
DWORD Characteristics;
|
|
DWORD TimeDateStamp;
|
|
WORD MajorVersion;
|
|
WORD MinorVersion;
|
|
DWORD Type;
|
|
DWORD SizeOfData;
|
|
DWORD AddressOfRawData;
|
|
DWORD PointerToRawData;
|
|
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
|
|
|
|
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
|
|
#define IMAGE_DEBUG_TYPE_COFF 1
|
|
#define IMAGE_DEBUG_TYPE_CODEVIEW 2
|
|
#define IMAGE_DEBUG_TYPE_FPO 3
|
|
#define IMAGE_DEBUG_TYPE_MISC 4
|
|
#define IMAGE_DEBUG_TYPE_EXCEPTION 5
|
|
#define IMAGE_DEBUG_TYPE_FIXUP 6
|
|
#define IMAGE_DEBUG_TYPE_OMAP_TO_SRC 7
|
|
#define IMAGE_DEBUG_TYPE_OMAP_FROM_SRC 8
|
|
#define IMAGE_DEBUG_TYPE_BORLAND 9
|
|
#define IMAGE_DEBUG_TYPE_RESERVED10 10
|
|
|
|
typedef struct _IMAGE_SYMBOL {
|
|
union {
|
|
BYTE ShortName[8];
|
|
struct {
|
|
DWORD Short; // if 0, use LongName
|
|
DWORD Long; // offset into string table
|
|
} Name;
|
|
DWORD LongName[2]; // PBYTE [2]
|
|
} N;
|
|
DWORD Value;
|
|
SHORT SectionNumber;
|
|
WORD Type;
|
|
BYTE StorageClass;
|
|
BYTE NumberOfAuxSymbols;
|
|
} IMAGE_SYMBOL;
|
|
|
|
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
|
|
#define IMAGE_SYM_CLASS_STATIC 0x0003
|
|
|
|
#endif // VMP_GNU
|
|
|
|
#ifndef RUNTIME_FUNCTION_INDIRECT
|
|
typedef struct _RUNTIME_FUNCTION {
|
|
DWORD BeginAddress;
|
|
DWORD EndAddress;
|
|
union {
|
|
DWORD UnwindInfoAddress;
|
|
DWORD UnwindData;
|
|
};
|
|
} RUNTIME_FUNCTION;
|
|
#endif
|
|
|
|
typedef enum _UNWIND_OP_CODES
|
|
{
|
|
UWOP_PUSH_NONVOL = 0, /* info == register number */
|
|
UWOP_ALLOC_LARGE, /* no info, alloc size in next 2 slots */
|
|
UWOP_ALLOC_SMALL, /* info == size of allocation / 8 - 1 */
|
|
UWOP_SET_FPREG, /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */
|
|
UWOP_SAVE_NONVOL, /* info == register number, offset in next slot */
|
|
UWOP_SAVE_NONVOL_FAR, /* info == register number, offset in next 2 slots */
|
|
UWOP_EPILOG,
|
|
UWOP_SAVE_XMM128 = 8, /* info == XMM reg number, offset in next slot */
|
|
UWOP_SAVE_XMM128_FAR, /* info == XMM reg number, offset in next 2 slots */
|
|
UWOP_PUSH_MACHFRAME /* info == 0: no error-code, 1: error-code */
|
|
} UNWIND_CODE_OPS;
|
|
|
|
typedef union _UNWIND_CODE
|
|
{
|
|
struct {
|
|
BYTE CodeOffset;
|
|
BYTE UnwindOp : 4;
|
|
BYTE OpInfo : 4;
|
|
};
|
|
USHORT FrameOffset;
|
|
} UNWIND_CODE, *PUNWIND_CODE;
|
|
|
|
typedef struct _UNWIND_INFO
|
|
{
|
|
BYTE Version : 3;
|
|
BYTE Flags : 5;
|
|
BYTE SizeOfProlog;
|
|
BYTE CountOfCodes;
|
|
BYTE FrameRegister : 4;
|
|
BYTE FrameOffset : 4;
|
|
UNWIND_CODE UnwindCode[1];
|
|
/* UNWIND_CODE MoreUnwindCode[((CountOfCodes + 1) & ~1) - 1];
|
|
* union {
|
|
* OPTIONAL ULONG ExceptionHandler;
|
|
* OPTIONAL ULONG FunctionEntry;
|
|
* };
|
|
* OPTIONAL ULONG ExceptionData[]; */
|
|
} UNWIND_INFO, *PUNWIND_INFO;
|
|
|
|
#ifndef UNW_FLAG_NHANDLER
|
|
#define UNW_FLAG_NHANDLER 0
|
|
#define UNW_FLAG_EHANDLER 1
|
|
#define UNW_FLAG_UHANDLER 2
|
|
#define UNW_FLAG_CHAININFO 4
|
|
#endif
|
|
|
|
typedef struct _CONTEXT64 {
|
|
|
|
//
|
|
// Register parameter home addresses.
|
|
//
|
|
// N.B. These fields are for convience - they could be used to extend the
|
|
// context record in the future.
|
|
//
|
|
|
|
DWORD64 P1Home;
|
|
DWORD64 P2Home;
|
|
DWORD64 P3Home;
|
|
DWORD64 P4Home;
|
|
DWORD64 P5Home;
|
|
DWORD64 P6Home;
|
|
|
|
//
|
|
// Control flags.
|
|
//
|
|
|
|
DWORD ContextFlags;
|
|
DWORD MxCsr;
|
|
|
|
//
|
|
// Segment Registers and processor flags.
|
|
//
|
|
|
|
WORD SegCs;
|
|
WORD SegDs;
|
|
WORD SegEs;
|
|
WORD SegFs;
|
|
WORD SegGs;
|
|
WORD SegSs;
|
|
DWORD EFlags;
|
|
|
|
//
|
|
// Debug registers
|
|
//
|
|
|
|
DWORD64 Dr0;
|
|
DWORD64 Dr1;
|
|
DWORD64 Dr2;
|
|
DWORD64 Dr3;
|
|
DWORD64 Dr6;
|
|
DWORD64 Dr7;
|
|
|
|
//
|
|
// Integer registers.
|
|
//
|
|
|
|
DWORD64 Rax;
|
|
DWORD64 Rcx;
|
|
DWORD64 Rdx;
|
|
DWORD64 Rbx;
|
|
DWORD64 Rsp;
|
|
DWORD64 Rbp;
|
|
DWORD64 Rsi;
|
|
DWORD64 Rdi;
|
|
DWORD64 R8;
|
|
DWORD64 R9;
|
|
DWORD64 R10;
|
|
DWORD64 R11;
|
|
DWORD64 R12;
|
|
DWORD64 R13;
|
|
DWORD64 R14;
|
|
DWORD64 R15;
|
|
|
|
//
|
|
// Program counter.
|
|
//
|
|
|
|
DWORD64 Rip;
|
|
|
|
//
|
|
// Floating point state.
|
|
//
|
|
|
|
/*
|
|
union {
|
|
XMM_SAVE_AREA32 FltSave;
|
|
struct {
|
|
M128A Header[2];
|
|
M128A Legacy[8];
|
|
M128A Xmm0;
|
|
M128A Xmm1;
|
|
M128A Xmm2;
|
|
M128A Xmm3;
|
|
M128A Xmm4;
|
|
M128A Xmm5;
|
|
M128A Xmm6;
|
|
M128A Xmm7;
|
|
M128A Xmm8;
|
|
M128A Xmm9;
|
|
M128A Xmm10;
|
|
M128A Xmm11;
|
|
M128A Xmm12;
|
|
M128A Xmm13;
|
|
M128A Xmm14;
|
|
M128A Xmm15;
|
|
} DUMMYSTRUCTNAME;
|
|
} DUMMYUNIONNAME;
|
|
|
|
//
|
|
// Vector registers.
|
|
//
|
|
|
|
M128A VectorRegister[26];
|
|
DWORD64 VectorControl;
|
|
|
|
//
|
|
// Special debug control registers.
|
|
//
|
|
|
|
DWORD64 DebugControl;
|
|
DWORD64 LastBranchToRip;
|
|
DWORD64 LastBranchFromRip;
|
|
DWORD64 LastExceptionToRip;
|
|
DWORD64 LastExceptionFromRip;
|
|
*/
|
|
} CONTEXT64;
|
|
|
|
typedef struct _IMAGE_DELAY_IMPORT_DESCRIPTOR {
|
|
DWORD Attrs;
|
|
DWORD DllName;
|
|
DWORD Hmod;
|
|
DWORD IAT;
|
|
DWORD INT;
|
|
DWORD BoundIAT;
|
|
DWORD UnloadIAT;
|
|
DWORD TimeStamp;
|
|
} IMAGE_DELAY_IMPORT_DESCRIPTOR;
|
|
|
|
typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY {
|
|
WORD Flags; // Flags to indicate if CI information is available, etc.
|
|
WORD Catalog; // 0xFFFF means not available
|
|
DWORD CatalogOffset;
|
|
DWORD Reserved; // Additional bitmask to be defined later
|
|
} IMAGE_LOAD_CONFIG_CODE_INTEGRITY, *PIMAGE_LOAD_CONFIG_CODE_INTEGRITY;
|
|
|
|
//
|
|
// Load Configuration Directory Entry
|
|
//
|
|
|
|
typedef struct _IMAGE_LOAD_CONFIG_DIRECTORYEX32 {
|
|
DWORD Size;
|
|
DWORD TimeDateStamp;
|
|
WORD MajorVersion;
|
|
WORD MinorVersion;
|
|
DWORD GlobalFlagsClear;
|
|
DWORD GlobalFlagsSet;
|
|
DWORD CriticalSectionDefaultTimeout;
|
|
DWORD DeCommitFreeBlockThreshold;
|
|
DWORD DeCommitTotalFreeThreshold;
|
|
DWORD LockPrefixTable; // VA
|
|
DWORD MaximumAllocationSize;
|
|
DWORD VirtualMemoryThreshold;
|
|
DWORD ProcessHeapFlags;
|
|
DWORD ProcessAffinityMask;
|
|
WORD CSDVersion;
|
|
WORD DependentLoadFlags;
|
|
DWORD EditList; // VA
|
|
DWORD SecurityCookie; // VA
|
|
DWORD SEHandlerTable; // VA
|
|
DWORD SEHandlerCount;
|
|
DWORD GuardCFCheckFunctionPointer; // VA
|
|
DWORD GuardCFDispatchFunctionPointer; // VA
|
|
DWORD GuardCFFunctionTable; // VA
|
|
DWORD GuardCFFunctionCount;
|
|
DWORD GuardFlags;
|
|
IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
|
|
DWORD GuardAddressTakenIatEntryTable; // VA
|
|
DWORD GuardAddressTakenIatEntryCount;
|
|
DWORD GuardLongJumpTargetTable; // VA
|
|
DWORD GuardLongJumpTargetCount;
|
|
DWORD DynamicValueRelocTable; // VA
|
|
DWORD CHPEMetadataPointer;
|
|
DWORD GuardRFFailureRoutine; // VA
|
|
DWORD GuardRFFailureRoutineFunctionPointer; // VA
|
|
DWORD DynamicValueRelocTableOffset;
|
|
WORD DynamicValueRelocTableSection;
|
|
WORD Reserved2;
|
|
} IMAGE_LOAD_CONFIG_DIRECTORYEX32, *PIMAGE_LOAD_CONFIG_DIRECTORYEX32;
|
|
|
|
typedef struct _IMAGE_LOAD_CONFIG_DIRECTORYEX64 {
|
|
DWORD Size;
|
|
DWORD TimeDateStamp;
|
|
WORD MajorVersion;
|
|
WORD MinorVersion;
|
|
DWORD GlobalFlagsClear;
|
|
DWORD GlobalFlagsSet;
|
|
DWORD CriticalSectionDefaultTimeout;
|
|
ULONGLONG DeCommitFreeBlockThreshold;
|
|
ULONGLONG DeCommitTotalFreeThreshold;
|
|
ULONGLONG LockPrefixTable; // VA
|
|
ULONGLONG MaximumAllocationSize;
|
|
ULONGLONG VirtualMemoryThreshold;
|
|
ULONGLONG ProcessAffinityMask;
|
|
DWORD ProcessHeapFlags;
|
|
WORD CSDVersion;
|
|
WORD DependentLoadFlags;
|
|
ULONGLONG EditList; // VA
|
|
ULONGLONG SecurityCookie; // VA
|
|
ULONGLONG SEHandlerTable; // VA
|
|
ULONGLONG SEHandlerCount;
|
|
ULONGLONG GuardCFCheckFunctionPointer; // VA
|
|
ULONGLONG GuardCFDispatchFunctionPointer; // VA
|
|
ULONGLONG GuardCFFunctionTable; // VA
|
|
ULONGLONG GuardCFFunctionCount;
|
|
DWORD GuardFlags;
|
|
IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
|
|
ULONGLONG GuardAddressTakenIatEntryTable; // VA
|
|
ULONGLONG GuardAddressTakenIatEntryCount;
|
|
ULONGLONG GuardLongJumpTargetTable; // VA
|
|
ULONGLONG GuardLongJumpTargetCount;
|
|
ULONGLONG DynamicValueRelocTable; // VA
|
|
ULONGLONG CHPEMetadataPointer; // VA
|
|
ULONGLONG GuardRFFailureRoutine; // VA
|
|
ULONGLONG GuardRFFailureRoutineFunctionPointer; // VA
|
|
DWORD DynamicValueRelocTableOffset;
|
|
WORD DynamicValueRelocTableSection;
|
|
WORD Reserved2;
|
|
} IMAGE_LOAD_CONFIG_DIRECTORYEX64, *PIMAGE_LOAD_CONFIG_DIRECTORYEX64;
|
|
|
|
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support
|
|
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks
|
|
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata
|
|
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie
|
|
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT
|
|
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
|
|
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information
|
|
#define IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION 0x00008000 // Module enables suppression of exports
|
|
#define IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT 0x00010000 // Module contains longjmp target information
|
|
#define IMAGE_GUARD_RF_INSTRUMENTED 0x00020000 // Module contains return flow instrumentation and metadata
|
|
#define IMAGE_GUARD_RF_ENABLE 0x00040000 // Module requests that the OS enable return flow protection
|
|
#define IMAGE_GUARD_RF_STRICT 0x00080000 // Module requests that the OS enable return flow protection in strict mode
|
|
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK 0xF0000000 // Stride of Guard CF function table encoded in these bits (additional count of bytes per element)
|
|
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT 28 // Shift to right-justify Guard CF function table stride
|
|
|
|
#endif // PE_H
|