PE格式的定义头文件winnt.h
2024-05-11 08:22:04
PE格式定义的主要地方位于我们的头文件winnt.h,这个头文件中几乎能找到关于PE文件的所有定义。
在很多编译器、调试器中都会带有这个头文件,如VC++6.0、codeblocks、Ollydbg等,在自己的电脑上一搜就有好多个。
整个的头文件winnt.h代码太长了,文章放不下来,其中PE文件格式主要定义在image format部分:
这部分的代码:
//
// Line number format.
//typedef struct _IMAGE_LINENUMBER {union {DWORD SymbolTableIndex; // Symbol table index of function name if Linenumber is 0.DWORD VirtualAddress; // Virtual address of line number.} Type;WORD Linenumber; // Line number.
} IMAGE_LINENUMBER;
typedef IMAGE_LINENUMBER UNALIGNED *PIMAGE_LINENUMBER;#define IMAGE_SIZEOF_LINENUMBER 6#ifndef _MAC
#include "poppack.h" // Back to 4 byte packing
#endif//
// Based relocation format.
//typedef struct _IMAGE_BASE_RELOCATION {DWORD VirtualAddress;DWORD SizeOfBlock;
// WORD TypeOffset[1];
} IMAGE_BASE_RELOCATION;
typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;#define IMAGE_SIZEOF_BASE_RELOCATION 8//
// Based relocation types.
//#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGH 1
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
#define IMAGE_REL_BASED_SECTION 6
#define IMAGE_REL_BASED_REL32 7#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_IA64_IMM64 9
#define IMAGE_REL_BASED_DIR64 10
#define IMAGE_REL_BASED_HIGH3ADJ 11//
// Archive format.
//#define IMAGE_ARCHIVE_START_SIZE 8
#define IMAGE_ARCHIVE_START "!<arch>\n"
#define IMAGE_ARCHIVE_END "`\n"
#define IMAGE_ARCHIVE_PAD "\n"
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "typedef struct _IMAGE_ARCHIVE_MEMBER_HEADER {BYTE Name[16]; // File member name - `/' terminated.BYTE Date[12]; // File member date - decimal.BYTE UserID[6]; // File member user id - decimal.BYTE GroupID[6]; // File member group id - decimal.BYTE Mode[8]; // File member mode - octal.BYTE Size[10]; // File member size - decimal.BYTE EndHeader[2]; // String to end header.
} IMAGE_ARCHIVE_MEMBER_HEADER, *PIMAGE_ARCHIVE_MEMBER_HEADER;#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60//
// DLL support.
////
// Export Format
//typedef struct _IMAGE_EXPORT_DIRECTORY {DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;DWORD Name;DWORD Base;DWORD NumberOfFunctions;DWORD NumberOfNames;DWORD AddressOfFunctions; // RVA from base of imageDWORD AddressOfNames; // RVA from base of imageDWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;//
// Import Format
//typedef struct _IMAGE_IMPORT_BY_NAME {WORD Hint;BYTE Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;#include "pshpack8.h" // Use align 8 for the 64-bit IAT.typedef struct _IMAGE_THUNK_DATA64 {union {PBYTE ForwarderString;PDWORD Function;ULONGLONG Ordinal;PIMAGE_IMPORT_BY_NAME AddressOfData;} u1;
} IMAGE_THUNK_DATA64;
typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;#include "poppack.h" // Back to 4 byte packingtypedef struct _IMAGE_THUNK_DATA32 {union {PBYTE ForwarderString;PDWORD Function;DWORD Ordinal;PIMAGE_IMPORT_BY_NAME AddressOfData;} u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
#define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0)
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0)//
// Thread Local Storage
//typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (PVOID DllHandle,DWORD Reason,PVOID Reserved);typedef struct _IMAGE_TLS_DIRECTORY64 {ULONGLONG StartAddressOfRawData;ULONGLONG EndAddressOfRawData;PDWORD AddressOfIndex;PIMAGE_TLS_CALLBACK *AddressOfCallBacks;DWORD SizeOfZeroFill;DWORD Characteristics;
} IMAGE_TLS_DIRECTORY64;
typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;typedef struct _IMAGE_TLS_DIRECTORY32 {DWORD StartAddressOfRawData;DWORD EndAddressOfRawData;PDWORD AddressOfIndex;PIMAGE_TLS_CALLBACK *AddressOfCallBacks;DWORD SizeOfZeroFill;DWORD Characteristics;
} IMAGE_TLS_DIRECTORY32;
typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;#ifdef _WIN64
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY;
#else
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY;
#endiftypedef struct _IMAGE_IMPORT_DESCRIPTOR {union {DWORD Characteristics; // 0 for terminating null import descriptorDWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)};DWORD TimeDateStamp; // 0 if not bound,// -1 if bound, and real date\time stamp// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)// O.W. date/time stamp of DLL bound to (Old BIND)DWORD ForwarderChain; // -1 if no forwardersDWORD Name;DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;//
// New format import descriptors pointed to by DataDirectory[ IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT ]
//typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR {DWORD TimeDateStamp;WORD OffsetModuleName;WORD NumberOfModuleForwarderRefs;
// Array of zero or more IMAGE_BOUND_FORWARDER_REF follows
} IMAGE_BOUND_IMPORT_DESCRIPTOR, *PIMAGE_BOUND_IMPORT_DESCRIPTOR;typedef struct _IMAGE_BOUND_FORWARDER_REF {DWORD TimeDateStamp;WORD OffsetModuleName;WORD Reserved;
} IMAGE_BOUND_FORWARDER_REF, *PIMAGE_BOUND_FORWARDER_REF;// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment//
// Resource Format.
////
// Resource directory consists of two counts, following by a variable length
// array of directory entries. The first count is the number of entries at
// beginning of the array that have actual names associated with each entry.
// The entries are in ascending order, case insensitive strings. The second
// count is the number of entries that immediately follow the named entries.
// This second count identifies the number of entries that have 16-bit integer
// Ids as their name. These entries are also sorted in ascending order.
//
// This structure allows fast lookup by either name or number, but for any
// given resource entry only one form of lookup is supported, not both.
// This is consistant with the syntax of the .RC file and the .RES file.
//typedef struct _IMAGE_RESOURCE_DIRECTORY {DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;WORD NumberOfNamedEntries;WORD NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
#define IMAGE_RESOURCE_DATA_IS_DIRECTORY 0x80000000
//
// Each directory contains the 32-bit Name of the entry and an offset,
// relative to the beginning of the resource directory of the data associated
// with this directory entry. If the name of the entry is an actual text
// string instead of an integer Id, then the high order bit of the name field
// is set to one and the low order 31-bits are an offset, relative to the
// beginning of the resource directory of the string, which is of type
// IMAGE_RESOURCE_DIRECTORY_STRING. Otherwise the high bit is clear and the
// low-order 16-bits are the integer Id that identify this resource directory
// entry. If the directory entry is yet another resource directory (i.e. a
// subdirectory), then the high order bit of the offset field will be
// set to indicate this. Otherwise the high bit is clear and the offset
// field points to a resource data entry.
//typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {union {struct {DWORD NameOffset:31;DWORD NameIsString:1;};DWORD Name;WORD Id;};union {DWORD OffsetToData;struct {DWORD OffsetToDirectory:31;DWORD DataIsDirectory:1;};};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;//
// For resource directory entries that have actual string names, the Name
// field of the directory entry points to an object of the following type.
// All of these string objects are stored together after the last resource
// directory entry and before the first resource data object. This minimizes
// the impact of these variable length objects on the alignment of the fixed
// size directory entry objects.
//typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {WORD Length;CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;typedef struct _IMAGE_RESOURCE_DIR_STRING_U {WORD Length;WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;//
// Each resource data entry describes a leaf node in the resource directory
// tree. It contains an offset, relative to the beginning of the resource
// directory of the data for the resource, a size field that gives the number
// of bytes of data at that offset, a CodePage that should be used when
// decoding code point values within the resource data. Typically for new
// applications the code page would be the unicode code page.
//typedef struct _IMAGE_RESOURCE_DATA_ENTRY {DWORD OffsetToData;DWORD Size;DWORD CodePage;DWORD Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;//
// Load Configuration Directory Entry
//typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY {DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;DWORD GlobalFlagsClear;DWORD GlobalFlagsSet;DWORD CriticalSectionDefaultTimeout;DWORD DeCommitFreeBlockThreshold;DWORD DeCommitTotalFreeThreshold;PVOID LockPrefixTable;DWORD MaximumAllocationSize;DWORD VirtualMemoryThreshold;DWORD ProcessHeapFlags;DWORD ProcessAffinityMask;WORD CSDVersion;WORD Reserved1;PVOID EditList;DWORD Reserved[ 1 ];
} IMAGE_LOAD_CONFIG_DIRECTORY, *PIMAGE_LOAD_CONFIG_DIRECTORY;//
// Function table entry format for IA64 images. Function table is
// pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory entry.
// This definition duplicates the one in ntia64.h for use by portable
// image file mungers.
//typedef struct _IMAGE_IA64_RUNTIME_FUNCTION_ENTRY {DWORD BeginAddress;DWORD EndAddress;DWORD UnwindInfoAddress;
} IMAGE_IA64_RUNTIME_FUNCTION_ENTRY, *PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY;//
// Function table entry format for ALPHA images. Function table is
// pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory entry.
// This definition duplicates ones in ntmips.h and ntalpha.h for use
// by portable image file mungers.
//typedef struct _IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY {DWORD BeginAddress;DWORD EndAddress;DWORD ExceptionHandler;DWORD HandlerData;DWORD PrologEndAddress;
} IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY;typedef struct _IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY {ULONGLONG BeginAddress;ULONGLONG EndAddress;ULONGLONG ExceptionHandler;ULONGLONG HandlerData;ULONGLONG PrologEndAddress;
} IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY;typedef IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY IMAGE_AXP64_RUNTIME_FUNCTION_ENTRY;
typedef PIMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY PIMAGE_AXP64_RUNTIME_FUNCTION_ENTRY;//
// WIN CE Exception table format
//typedef struct _IMAGE_CE_RUNTIME_FUNCTION_ENTRY {DWORD FuncStart;DWORD PrologLen : 8;DWORD FuncLen : 22;DWORD ThirtyTwoBit : 1;DWORD ExceptionFlag : 1;
} IMAGE_CE_RUNTIME_FUNCTION_ENTRY, * PIMAGE_CE_RUNTIME_FUNCTION_ENTRY;#if defined(_IA64_)typedef IMAGE_IA64_RUNTIME_FUNCTION_ENTRY IMAGE_RUNTIME_FUNCTION_ENTRY;
typedef PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY PIMAGE_RUNTIME_FUNCTION_ENTRY;#elsetypedef IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY IMAGE_RUNTIME_FUNCTION_ENTRY;
typedef PIMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY PIMAGE_RUNTIME_FUNCTION_ENTRY;#endif//
// Debug Format
//typedef struct _IMAGE_DEBUG_DIRECTORY {DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;DWORD Type;DWORD SizeOfData;DWORD AddressOfRawData;DWORD PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;#define IMAGE_DEBUG_TYPE_UNKNOWN 0
#define IMAGE_DEBUG_TYPE_COFF 1
#define IMAGE_DEBUG_TYPE_CODEVIEW 2
#define IMAGE_DEBUG_TYPE_FPO 3
#define IMAGE_DEBUG_TYPE_MISC 4
#define IMAGE_DEBUG_TYPE_EXCEPTION 5
#define IMAGE_DEBUG_TYPE_FIXUP 6
#define IMAGE_DEBUG_TYPE_OMAP_TO_SRC 7
#define IMAGE_DEBUG_TYPE_OMAP_FROM_SRC 8
#define IMAGE_DEBUG_TYPE_BORLAND 9
#define IMAGE_DEBUG_TYPE_RESERVED10 10typedef struct _IMAGE_COFF_SYMBOLS_HEADER {DWORD NumberOfSymbols;DWORD LvaToFirstSymbol;DWORD NumberOfLinenumbers;DWORD LvaToFirstLinenumber;DWORD RvaToFirstByteOfCode;DWORD RvaToLastByteOfCode;DWORD RvaToFirstByteOfData;DWORD RvaToLastByteOfData;
} IMAGE_COFF_SYMBOLS_HEADER, *PIMAGE_COFF_SYMBOLS_HEADER;#define FRAME_FPO 0
#define FRAME_TRAP 1
#define FRAME_TSS 2
#define FRAME_NONFPO 3typedef struct _FPO_DATA {DWORD ulOffStart; // offset 1st byte of function codeDWORD cbProcSize; // # bytes in functionDWORD cdwLocals; // # bytes in locals/4WORD cdwParams; // # bytes in params/4WORD cbProlog : 8; // # bytes in prologWORD cbRegs : 3; // # regs savedWORD fHasSEH : 1; // TRUE if SEH in funcWORD fUseBP : 1; // TRUE if EBP has been allocatedWORD reserved : 1; // reserved for future useWORD cbFrame : 2; // frame type
} FPO_DATA, *PFPO_DATA;
#define SIZEOF_RFPO_DATA 16#define IMAGE_DEBUG_MISC_EXENAME 1typedef struct _IMAGE_DEBUG_MISC {DWORD DataType; // type of misc data, see definesDWORD Length; // total length of record, rounded to four// byte multiple.BOOLEAN Unicode; // TRUE if data is unicode stringBYTE Reserved[ 3 ];BYTE Data[ 1 ]; // Actual data
} IMAGE_DEBUG_MISC, *PIMAGE_DEBUG_MISC;//
// Function table extracted from MIPS/ALPHA/IA64 images. Does not contain
// information needed only for runtime support. Just those fields for
// each entry needed by a debugger.
//#if defined(_IA64_)typedef struct _IMAGE_FUNCTION_ENTRY {DWORD StartingAddress;DWORD EndingAddress;DWORD UnwindInfoAddress;
} IMAGE_FUNCTION_ENTRY, *PIMAGE_FUNCTION_ENTRY;#elsetypedef struct _IMAGE_FUNCTION_ENTRY {DWORD StartingAddress;DWORD EndingAddress;DWORD EndOfPrologue;
} IMAGE_FUNCTION_ENTRY, *PIMAGE_FUNCTION_ENTRY;#endif
typedef struct _IMAGE_FUNCTION_ENTRY64 {ULONGLONG StartingAddress;ULONGLONG EndingAddress;ULONGLONG EndOfPrologue;
} IMAGE_FUNCTION_ENTRY64, *PIMAGE_FUNCTION_ENTRY64;//
// Debugging information can be stripped from an image file and placed
// in a separate .DBG file, whose file name part is the same as the
// image file name part (e.g. symbols for CMD.EXE could be stripped
// and placed in CMD.DBG). This is indicated by the IMAGE_FILE_DEBUG_STRIPPED
// flag in the Characteristics field of the file header. The beginning of
// the .DBG file contains the following structure which captures certain
// information from the image file. This allows a debug to proceed even if
// the original image file is not accessable. This header is followed by
// zero of more IMAGE_SECTION_HEADER structures, followed by zero or more
// IMAGE_DEBUG_DIRECTORY structures. The latter structures and those in
// the image file contain file offsets relative to the beginning of the
// .DBG file.
//
// If symbols have been stripped from an image, the IMAGE_DEBUG_MISC structure
// is left in the image file, but not mapped. This allows a debugger to
// compute the name of the .DBG file, from the name of the image in the
// IMAGE_DEBUG_MISC structure.
//typedef struct _IMAGE_SEPARATE_DEBUG_HEADER {WORD Signature;WORD Flags;WORD Machine;WORD Characteristics;DWORD TimeDateStamp;DWORD CheckSum;DWORD ImageBase;DWORD SizeOfImage;DWORD NumberOfSections;DWORD ExportedNamesSize;DWORD DebugDirectorySize;DWORD SectionAlignment;DWORD Reserved[2];
} IMAGE_SEPARATE_DEBUG_HEADER, *PIMAGE_SEPARATE_DEBUG_HEADER;#ifndef _MAC
#define IMAGE_SEPARATE_DEBUG_SIGNATURE 0x4944
#else
#define IMAGE_SEPARATE_DEBUG_SIGNATURE 0x4449
#endif#define IMAGE_SEPARATE_DEBUG_FLAGS_MASK 0x8000
#define IMAGE_SEPARATE_DEBUG_MISMATCH 0x8000 // when DBG was updated, the// old checksum didn't match.//
// The .arch section is made up of headers, each describing an amask position/value
// pointing to an array of IMAGE_ARCHITECTURE_ENTRY's. Each "array" (both the header
// and entry arrays) are terminiated by a quadword of 0xffffffffL.
//
// NOTE: There may be quadwords of 0 sprinkled around and must be skipped.
//typedef struct _ImageArchitectureHeader {unsigned int AmaskValue: 1; // 1 -> code section depends on mask bit// 0 -> new instruction depends on mask bitint :7; // MBZunsigned int AmaskShift: 8; // Amask bit in question for this fixupint :16; // MBZDWORD FirstEntryRVA; // RVA into .arch section to array of ARCHITECTURE_ENTRY's
} IMAGE_ARCHITECTURE_HEADER, *PIMAGE_ARCHITECTURE_HEADER;typedef struct _ImageArchitectureEntry {DWORD FixupInstRVA; // RVA of instruction to fixupDWORD NewInst; // fixup instruction (see alphaops.h)
} IMAGE_ARCHITECTURE_ENTRY, *PIMAGE_ARCHITECTURE_ENTRY;#include "poppack.h" // Back to the initial value// The following structure defines the new import object. Note the values of the first two fields,
// which must be set as stated in order to differentiate old and new import members.
// Following this structure, the linker emits two null-terminated strings used to recreate the
// import at the time of use. The first string is the import's name, the second is the dll's name.#define IMPORT_OBJECT_HDR_SIG2 0xfffftypedef struct IMPORT_OBJECT_HEADER {WORD Sig1; // Must be IMAGE_FILE_MACHINE_UNKNOWNWORD Sig2; // Must be IMPORT_OBJECT_HDR_SIG2.WORD Version;WORD Machine;DWORD TimeDateStamp; // Time/date stampDWORD SizeOfData; // particularly useful for incremental linksunion {WORD Ordinal; // if grf & IMPORT_OBJECT_ORDINALWORD Hint;};WORD Type : 2; // IMPORT_TYPEWORD NameType : 3; // IMPORT_NAME_TYPEWORD Reserved : 11; // Reserved. Must be zero.
} IMPORT_OBJECT_HEADER;typedef enum IMPORT_OBJECT_TYPE
{IMPORT_OBJECT_CODE = 0,IMPORT_OBJECT_DATA = 1,IMPORT_OBJECT_CONST = 2,
} IMPORT_OBJECT_TYPE;typedef enum IMPORT_OBJECT_NAME_TYPE
{IMPORT_OBJECT_ORDINAL = 0, // Import by ordinalIMPORT_OBJECT_NAME = 1, // Import name == public symbol name.IMPORT_OBJECT_NAME_NO_PREFIX = 2, // Import name == public symbol name skipping leading ?, @, or optionally _.IMPORT_OBJECT_NAME_UNDECORATE = 3, // Import name == public symbol name skipping leading ?, @, or optionally _// and truncating at first @
} IMPORT_OBJECT_NAME_TYPE;//
// Image Format
//#ifndef _MAC#include "pshpack4.h" // 4 byte packing is the default#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_OS2_SIGNATURE 0x454E // NE
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
#define IMAGE_VXD_SIGNATURE 0x454C // LE
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00#include "pshpack2.h" // 16 bit headers are 2 byte packed#else#include "pshpack1.h"#define IMAGE_DOS_SIGNATURE 0x4D5A // MZ
#define IMAGE_OS2_SIGNATURE 0x4E45 // NE
#define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE
#define IMAGE_NT_SIGNATURE 0x50450000 // PE00
#endiftypedef struct _IMAGE_DOS_HEADER { // DOS .EXE headerWORD e_magic; // Magic numberWORD e_cblp; // Bytes on last page of fileWORD e_cp; // Pages in fileWORD e_crlc; // RelocationsWORD e_cparhdr; // Size of header in paragraphsWORD e_minalloc; // Minimum extra paragraphs neededWORD e_maxalloc; // Maximum extra paragraphs neededWORD e_ss; // Initial (relative) SS valueWORD e_sp; // Initial SP valueWORD e_csum; // ChecksumWORD e_ip; // Initial IP valueWORD e_cs; // Initial (relative) CS valueWORD e_lfarlc; // File address of relocation tableWORD e_ovno; // Overlay numberWORD e_res[4]; // Reserved wordsWORD e_oemid; // OEM identifier (for e_oeminfo)WORD e_oeminfo; // OEM information; e_oemid specificWORD e_res2[10]; // Reserved wordsLONG e_lfanew; // File address of new exe header} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;typedef struct _IMAGE_OS2_HEADER { // OS/2 .EXE headerWORD ne_magic; // Magic numberCHAR ne_ver; // Version numberCHAR ne_rev; // Revision numberWORD ne_enttab; // Offset of Entry TableWORD ne_cbenttab; // Number of bytes in Entry TableLONG ne_crc; // Checksum of whole fileWORD ne_flags; // Flag wordWORD ne_autodata; // Automatic data segment numberWORD ne_heap; // Initial heap allocationWORD ne_stack; // Initial stack allocationLONG ne_csip; // Initial CS:IP settingLONG ne_sssp; // Initial SS:SP settingWORD ne_cseg; // Count of file segmentsWORD ne_cmod; // Entries in Module Reference TableWORD ne_cbnrestab; // Size of non-resident name tableWORD ne_segtab; // Offset of Segment TableWORD ne_rsrctab; // Offset of Resource TableWORD ne_restab; // Offset of resident name tableWORD ne_modtab; // Offset of Module Reference TableWORD ne_imptab; // Offset of Imported Names TableLONG ne_nrestab; // Offset of Non-resident Names TableWORD ne_cmovent; // Count of movable entriesWORD ne_align; // Segment alignment shift countWORD ne_cres; // Count of resource segmentsBYTE ne_exetyp; // Target Operating systemBYTE ne_flagsothers; // Other .EXE flagsWORD ne_pretthunks; // offset to return thunksWORD ne_psegrefbytes; // offset to segment ref. bytesWORD ne_swaparea; // Minimum code swap area sizeWORD ne_expver; // Expected Windows version number} IMAGE_OS2_HEADER, *PIMAGE_OS2_HEADER;typedef struct _IMAGE_VXD_HEADER { // Windows VXD headerWORD e32_magic; // Magic numberBYTE e32_border; // The byte ordering for the VXDBYTE e32_worder; // The word ordering for the VXDDWORD e32_level; // The EXE format level for now = 0WORD e32_cpu; // The CPU typeWORD e32_os; // The OS typeDWORD e32_ver; // Module versionDWORD e32_mflags; // Module flagsDWORD e32_mpages; // Module # pagesDWORD e32_startobj; // Object # for instruction pointerDWORD e32_eip; // Extended instruction pointerDWORD e32_stackobj; // Object # for stack pointerDWORD e32_esp; // Extended stack pointerDWORD e32_pagesize; // VXD page sizeDWORD e32_lastpagesize; // Last page size in VXDDWORD e32_fixupsize; // Fixup section sizeDWORD e32_fixupsum; // Fixup section checksumDWORD e32_ldrsize; // Loader section sizeDWORD e32_ldrsum; // Loader section checksumDWORD e32_objtab; // Object table offsetDWORD e32_objcnt; // Number of objects in moduleDWORD e32_objmap; // Object page map offsetDWORD e32_itermap; // Object iterated data map offsetDWORD e32_rsrctab; // Offset of Resource TableDWORD e32_rsrccnt; // Number of resource entriesDWORD e32_restab; // Offset of resident name tableDWORD e32_enttab; // Offset of Entry TableDWORD e32_dirtab; // Offset of Module Directive TableDWORD e32_dircnt; // Number of module directivesDWORD e32_fpagetab; // Offset of Fixup Page TableDWORD e32_frectab; // Offset of Fixup Record TableDWORD e32_impmod; // Offset of Import Module Name TableDWORD e32_impmodcnt; // Number of entries in Import Module Name TableDWORD e32_impproc; // Offset of Import Procedure Name TableDWORD e32_pagesum; // Offset of Per-Page Checksum TableDWORD e32_datapage; // Offset of Enumerated Data PagesDWORD e32_preload; // Number of preload pagesDWORD e32_nrestab; // Offset of Non-resident Names TableDWORD e32_cbnrestab; // Size of Non-resident Name TableDWORD e32_nressum; // Non-resident Name Table ChecksumDWORD e32_autodata; // Object # for automatic data objectDWORD e32_debuginfo; // Offset of the debugging informationDWORD e32_debuglen; // The length of the debugging info. in bytesDWORD e32_instpreload; // Number of instance pages in preload section of VXD fileDWORD e32_instdemand; // Number of instance pages in demand load section of VXD fileDWORD e32_heapsize; // Size of heap - for 16-bit appsBYTE e32_res3[12]; // Reserved wordsDWORD e32_winresoff;DWORD e32_winreslen;WORD e32_devid; // Device ID for VxDWORD e32_ddkver; // DDK version for VxD} IMAGE_VXD_HEADER, *PIMAGE_VXD_HEADER;#ifndef _MAC
#include "poppack.h" // Back to 4 byte packing
#endif//
// File header format.
//typedef struct _IMAGE_FILE_HEADER {WORD Machine;WORD NumberOfSections;DWORD TimeDateStamp;DWORD PointerToSymbolTable;DWORD NumberOfSymbols;WORD SizeOfOptionalHeader;WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;#define IMAGE_SIZEOF_FILE_HEADER 20#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
//
// Directory format.
//typedef struct _IMAGE_DATA_DIRECTORY {DWORD VirtualAddress;DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16//
// Optional header format.
//typedef struct _IMAGE_OPTIONAL_HEADER {//// Standard fields.//WORD Magic;BYTE MajorLinkerVersion;BYTE MinorLinkerVersion;DWORD SizeOfCode;DWORD SizeOfInitializedData;DWORD SizeOfUninitializedData;DWORD AddressOfEntryPoint;DWORD BaseOfCode;DWORD BaseOfData;//// NT additional fields.//DWORD ImageBase;DWORD SectionAlignment;DWORD FileAlignment;WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion;WORD MajorSubsystemVersion;WORD MinorSubsystemVersion;DWORD Win32VersionValue;DWORD SizeOfImage;DWORD SizeOfHeaders;DWORD CheckSum;WORD Subsystem;WORD DllCharacteristics;DWORD SizeOfStackReserve;DWORD SizeOfStackCommit;DWORD SizeOfHeapReserve;DWORD SizeOfHeapCommit;DWORD LoaderFlags;DWORD NumberOfRvaAndSizes;IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;typedef struct _IMAGE_OPTIONAL_HEADER64 {WORD Magic;BYTE MajorLinkerVersion;BYTE MinorLinkerVersion;DWORD SizeOfCode;DWORD SizeOfInitializedData;DWORD SizeOfUninitializedData;DWORD AddressOfEntryPoint;DWORD BaseOfCode;ULONGLONG ImageBase;DWORD SectionAlignment;DWORD FileAlignment;WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion;WORD MajorSubsystemVersion;WORD MinorSubsystemVersion;DWORD Win32VersionValue;DWORD SizeOfImage;DWORD SizeOfHeaders;DWORD CheckSum;WORD Subsystem;WORD DllCharacteristics;ULONGLONG SizeOfStackReserve;ULONGLONG SizeOfStackCommit;ULONGLONG SizeOfHeapReserve;ULONGLONG SizeOfHeapCommit;DWORD LoaderFlags;DWORD NumberOfRvaAndSizes;IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;#define IMAGE_SIZEOF_ROM_OPTIONAL_HEADER 56
#define IMAGE_SIZEOF_STD_OPTIONAL_HEADER 28
#define IMAGE_SIZEOF_NT_OPTIONAL32_HEADER 224
#define IMAGE_SIZEOF_NT_OPTIONAL64_HEADER 240#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107#ifdef _WIN64
typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_SIZEOF_NT_OPTIONAL_HEADER IMAGE_SIZEOF_NT_OPTIONAL64_HEADER
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
#else
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_SIZEOF_NT_OPTIONAL_HEADER IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
#endiftypedef struct _IMAGE_NT_HEADERS64 {DWORD Signature;IMAGE_FILE_HEADER FileHeader;IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;typedef struct _IMAGE_NT_HEADERS {DWORD Signature;IMAGE_FILE_HEADER FileHeader;IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;typedef struct _IMAGE_ROM_HEADERS {IMAGE_FILE_HEADER FileHeader;IMAGE_ROM_OPTIONAL_HEADER OptionalHeader;
} IMAGE_ROM_HEADERS, *PIMAGE_ROM_HEADERS;#define IMAGE_FIRST_SECTION64( ntheader ) ((PIMAGE_SECTION_HEADER) \((UINT_PTR)ntheader + \FIELD_OFFSET( IMAGE_NT_HEADERS64, OptionalHeader ) + \((PIMAGE_NT_HEADERS64)(ntheader))->FileHeader.SizeOfOptionalHeader \))#define IMAGE_FIRST_SECTION32( ntheader ) ((PIMAGE_SECTION_HEADER) \((UINT_PTR)ntheader + \FIELD_OFFSET( IMAGE_NT_HEADERS32, OptionalHeader ) + \((PIMAGE_NT_HEADERS32)(ntheader))->FileHeader.SizeOfOptionalHeader \))#ifdef _WIN64
typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
#define IMAGE_FIRST_SECTION(ntheader) IMAGE_FIRST_SECTION64(ntheader)
#else
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
#define IMAGE_FIRST_SECTION(ntheader) IMAGE_FIRST_SECTION32(ntheader)
#endif// Subsystem Values#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.// DllCharacteristics Entries// IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
// IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
// IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
// IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model// Directory Entries#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor//
// Section header format.
//#define IMAGE_SIZEOF_SHORT_NAME 8typedef struct _IMAGE_SECTION_HEADER {BYTE Name[IMAGE_SIZEOF_SHORT_NAME];union {DWORD PhysicalAddress;DWORD VirtualSize;} Misc;DWORD VirtualAddress;DWORD SizeOfRawData;DWORD PointerToRawData;DWORD PointerToRelocations;DWORD PointerToLinenumbers;WORD NumberOfRelocations;WORD NumberOfLinenumbers;DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;#define IMAGE_SIZEOF_SECTION_HEADER 40//
// Section characteristics.
//
// IMAGE_SCN_TYPE_REG 0x00000000 // Reserved.
// IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved.
// IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
// IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
// IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved.#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
// IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved.
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
// 0x00002000 // Reserved.
// IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA 0x00008000
// IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_MEM_LOCKED 0x00040000
#define IMAGE_SCN_MEM_PRELOAD 0x00080000#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
// Unused 0x00F00000#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.//
// TLS Chaacteristic Flags
//
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled#ifndef _MAC
#include "pshpack2.h" // Symbols, relocs, and linenumbers are 2 byte packed
#endif//
// Symbol format.
//typedef struct _IMAGE_SYMBOL {union {BYTE ShortName[8];struct {DWORD Short; // if 0, use LongNameDWORD Long; // offset into string table} Name;PBYTE LongName[2];} N;DWORD Value;SHORT SectionNumber;WORD Type;BYTE StorageClass;BYTE NumberOfAuxSymbols;
} IMAGE_SYMBOL;
typedef IMAGE_SYMBOL UNALIGNED *PIMAGE_SYMBOL;#define IMAGE_SIZEOF_SYMBOL 18//
// Section values.
//
// Symbols have a section number of the section in which they are
// defined. Otherwise, section numbers have the following meanings:
//#define IMAGE_SYM_UNDEFINED (SHORT)0 // Symbol is undefined or is common.
#define IMAGE_SYM_ABSOLUTE (SHORT)-1 // Symbol is an absolute value.
#define IMAGE_SYM_DEBUG (SHORT)-2 // Symbol is a special debug item.//
// Type (fundamental) values.
//#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
#define IMAGE_SYM_TYPE_VOID 0x0001 //
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
#define IMAGE_SYM_TYPE_INT 0x0004 //
#define IMAGE_SYM_TYPE_LONG 0x0005 //
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
#define IMAGE_SYM_TYPE_UNION 0x0009 //
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
#define IMAGE_SYM_TYPE_BYTE 0x000C //
#define IMAGE_SYM_TYPE_WORD 0x000D //
#define IMAGE_SYM_TYPE_UINT 0x000E //
#define IMAGE_SYM_TYPE_DWORD 0x000F //
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
//
// Type (derived) values.
//#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.//
// Storage classes.
//
#define IMAGE_SYM_CLASS_END_OF_FUNCTION (BYTE )-1
#define IMAGE_SYM_CLASS_NULL 0x0000
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
#define IMAGE_SYM_CLASS_STATIC 0x0003
#define IMAGE_SYM_CLASS_REGISTER 0x0004
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
#define IMAGE_SYM_CLASS_LABEL 0x0006
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //#define IMAGE_SYM_CLASS_BLOCK 0x0064
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
#define IMAGE_SYM_CLASS_FILE 0x0067
// new
#define IMAGE_SYM_CLASS_SECTION 0x0068
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069// type packing constants#define N_BTMASK 0x000F
#define N_TMASK 0x0030
#define N_TMASK1 0x00C0
#define N_TMASK2 0x00F0
#define N_BTSHFT 4
#define N_TSHIFT 2
// MACROS// Basic Type of x
#define BTYPE(x) ((x) & N_BTMASK)// Is x a pointer?
#ifndef ISPTR
#define ISPTR(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_POINTER << N_BTSHFT))
#endif// Is x a function?
#ifndef ISFCN
#define ISFCN(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_FUNCTION << N_BTSHFT))
#endif// Is x an array?#ifndef ISARY
#define ISARY(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_ARRAY << N_BTSHFT))
#endif// Is x a structure, union, or enumeration TAG?
#ifndef ISTAG
#define ISTAG(x) ((x)==IMAGE_SYM_CLASS_STRUCT_TAG || (x)==IMAGE_SYM_CLASS_UNION_TAG || (x)==IMAGE_SYM_CLASS_ENUM_TAG)
#endif#ifndef INCREF
#define INCREF(x) ((((x)&~N_BTMASK)<<N_TSHIFT)|(IMAGE_SYM_DTYPE_POINTER<<N_BTSHFT)|((x)&N_BTMASK))
#endif
#ifndef DECREF
#define DECREF(x) ((((x)>>N_TSHIFT)&~N_BTMASK)|((x)&N_BTMASK))
#endif//
// Auxiliary entry format.
//typedef union _IMAGE_AUX_SYMBOL {struct {DWORD TagIndex; // struct, union, or enum tag indexunion {struct {WORD Linenumber; // declaration line numberWORD Size; // size of struct, union, or enum} LnSz;DWORD TotalSize;} Misc;union {struct { // if ISFCN, tag, or .bbDWORD PointerToLinenumber;DWORD PointerToNextFunction;} Function;struct { // if ISARY, up to 4 dimen.WORD Dimension[4];} Array;} FcnAry;WORD TvIndex; // tv index} Sym;struct {BYTE Name[IMAGE_SIZEOF_SYMBOL];} File;struct {DWORD Length; // section lengthWORD NumberOfRelocations; // number of relocation entriesWORD NumberOfLinenumbers; // number of line numbersDWORD CheckSum; // checksum for communalSHORT Number; // section number to associate withBYTE Selection; // communal selection type} Section;
} IMAGE_AUX_SYMBOL;
typedef IMAGE_AUX_SYMBOL UNALIGNED *PIMAGE_AUX_SYMBOL;#define IMAGE_SIZEOF_AUX_SYMBOL 18//
// Communal selection types.
//#define IMAGE_COMDAT_SELECT_NODUPLICATES 1
#define IMAGE_COMDAT_SELECT_ANY 2
#define IMAGE_COMDAT_SELECT_SAME_SIZE 3
#define IMAGE_COMDAT_SELECT_EXACT_MATCH 4
#define IMAGE_COMDAT_SELECT_ASSOCIATIVE 5
#define IMAGE_COMDAT_SELECT_LARGEST 6
#define IMAGE_COMDAT_SELECT_NEWEST 7#define IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY 1
#define IMAGE_WEAK_EXTERN_SEARCH_LIBRARY 2
#define IMAGE_WEAK_EXTERN_SEARCH_ALIAS 3//
// Relocation format.
//typedef struct _IMAGE_RELOCATION {union {DWORD VirtualAddress;DWORD RelocCount; // Set to the real count when IMAGE_SCN_LNK_NRELOC_OVFL is set};DWORD SymbolTableIndex;WORD Type;
} IMAGE_RELOCATION;
typedef IMAGE_RELOCATION UNALIGNED *PIMAGE_RELOCATION;#define IMAGE_SIZEOF_RELOCATION 10//
// I386 relocation types.
//
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
#define IMAGE_REL_I386_SECTION 0x000A
#define IMAGE_REL_I386_SECREL 0x000B
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address//
// MIPS relocation types.
//#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_MIPS_REFHALF 0x0001
#define IMAGE_REL_MIPS_REFWORD 0x0002
#define IMAGE_REL_MIPS_JMPADDR 0x0003
#define IMAGE_REL_MIPS_REFHI 0x0004
#define IMAGE_REL_MIPS_REFLO 0x0005
#define IMAGE_REL_MIPS_GPREL 0x0006
#define IMAGE_REL_MIPS_LITERAL 0x0007
#define IMAGE_REL_MIPS_SECTION 0x000A
#define IMAGE_REL_MIPS_SECREL 0x000B
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative referemce (used for >32k TLS)
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
#define IMAGE_REL_MIPS_PAIR 0x0025//
// Alpha Relocation types.
//#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
#define IMAGE_REL_ALPHA_REFLONG 0x0001
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
#define IMAGE_REL_ALPHA_GPREL32 0x0003
#define IMAGE_REL_ALPHA_LITERAL 0x0004
#define IMAGE_REL_ALPHA_LITUSE 0x0005
#define IMAGE_REL_ALPHA_GPDISP 0x0006
#define IMAGE_REL_ALPHA_BRADDR 0x0007
#define IMAGE_REL_ALPHA_HINT 0x0008
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
#define IMAGE_REL_ALPHA_REFHI 0x000A
#define IMAGE_REL_ALPHA_REFLO 0x000B
#define IMAGE_REL_ALPHA_PAIR 0x000C
#define IMAGE_REL_ALPHA_MATCH 0x000D
#define IMAGE_REL_ALPHA_SECTION 0x000E
#define IMAGE_REL_ALPHA_SECREL 0x000F
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference//
// IBM PowerPC relocation types.
//#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
#define IMAGE_REL_PPC_ADDR14 0x0005 // 16-bit address, shifted left 2 (load doubleword)
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
#define IMAGE_REL_PPC_TOCREL14 0x0009 // 16-bit offset from TOC base, shifted left 2 (load doubleword)#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
#define IMAGE_REL_PPC_IMGLUE 0x000E // symbol is glue code; virtual address is TOC restore instruction
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
#define IMAGE_REL_PPC_REFHI 0x0010
#define IMAGE_REL_PPC_REFLO 0x0011
#define IMAGE_REL_PPC_PAIR 0x0012
#define IMAGE_REL_PPC_SECRELLO 0x0013 // Low 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_GPREL 0x0015#define IMAGE_REL_PPC_TYPEMASK 0x00FF // mask to isolate above values in IMAGE_RELOCATION.Type// Flag bits in IMAGE_RELOCATION.TYPE#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)//
// Hitachi SH3 relocation types.
//
#define IMAGE_REL_SH3_ABSOLUTE 0x0000 // No relocation
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
#define IMAGE_REL_SH3_DIRECT8 0x0003 // 8 bit direct, -128..255
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_LONG 0x0008 // 4 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
#define IMAGE_REL_SH3_STARTOF_SECTION 0x000C // Start of EXE section
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
#define IMAGE_REL_ARM_SECTION 0x000E // Section table index
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section//
// IA64 relocation types.
//#define IMAGE_REL_IA64_ABSOLUTE 0x0000
#define IMAGE_REL_IA64_IMM14 0x0001
#define IMAGE_REL_IA64_IMM22 0x0002
#define IMAGE_REL_IA64_IMM64 0x0003
#define IMAGE_REL_IA64_DIR32 0x0004
#define IMAGE_REL_IA64_DIR64 0x0005
#define IMAGE_REL_IA64_PCREL21B 0x0006
#define IMAGE_REL_IA64_PCREL21M 0x0007
#define IMAGE_REL_IA64_PCREL21F 0x0008
#define IMAGE_REL_IA64_GPREL22 0x0009
#define IMAGE_REL_IA64_LTOFF22 0x000A
#define IMAGE_REL_IA64_SECTION 0x000B
#define IMAGE_REL_IA64_SECREL22 0x000C
#define IMAGE_REL_IA64_SECREL64I 0x000D
#define IMAGE_REL_IA64_SECREL32 0x000E
#define IMAGE_REL_IA64_LTOFF64 0x000F
#define IMAGE_REL_IA64_DIR32NB 0x0010
#define IMAGE_REL_IA64_RESERVED_11 0x0011
#define IMAGE_REL_IA64_RESERVED_12 0x0012
#define IMAGE_REL_IA64_RESERVED_13 0x0013
#define IMAGE_REL_IA64_RESERVED_14 0x0014
#define IMAGE_REL_IA64_RESERVED_15 0x0015
#define IMAGE_REL_IA64_RESERVED_16 0x0016
#define IMAGE_REL_IA64_ADDEND 0x001F// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment
// Comment//
// Line number format.
//typedef struct _IMAGE_LINENUMBER {union {DWORD SymbolTableIndex; // Symbol table index of function name if Linenumber is 0.DWORD VirtualAddress; // Virtual address of line number.} Type;WORD Linenumber; // Line number.
} IMAGE_LINENUMBER;
typedef IMAGE_LINENUMBER UNALIGNED *PIMAGE_LINENUMBER;#define IMAGE_SIZEOF_LINENUMBER 6#ifndef _MAC
#include "poppack.h" // Back to 4 byte packing
#endif//
// Based relocation format.
//typedef struct _IMAGE_BASE_RELOCATION {DWORD VirtualAddress;DWORD SizeOfBlock;
// WORD TypeOffset[1];
} IMAGE_BASE_RELOCATION;
typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;#define IMAGE_SIZEOF_BASE_RELOCATION 8//
// Based relocation types.
//#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGH 1
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
#define IMAGE_REL_BASED_SECTION 6
#define IMAGE_REL_BASED_REL32 7#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_IA64_IMM64 9
#define IMAGE_REL_BASED_DIR64 10
#define IMAGE_REL_BASED_HIGH3ADJ 11//
// Archive format.
//#define IMAGE_ARCHIVE_START_SIZE 8
#define IMAGE_ARCHIVE_START "!<arch>\n"
#define IMAGE_ARCHIVE_END "`\n"
#define IMAGE_ARCHIVE_PAD "\n"
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "typedef struct _IMAGE_ARCHIVE_MEMBER_HEADER {BYTE Name[16]; // File member name - `/' terminated.BYTE Date[12]; // File member date - decimal.BYTE UserID[6]; // File member user id - decimal.BYTE GroupID[6]; // File member group id - decimal.BYTE Mode[8]; // File member mode - octal.BYTE Size[10]; // File member size - decimal.BYTE EndHeader[2]; // String to end header.
} IMAGE_ARCHIVE_MEMBER_HEADER, *PIMAGE_ARCHIVE_MEMBER_HEADER;#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60//
// DLL support.
////
// Export Format
//typedef struct _IMAGE_EXPORT_DIRECTORY {DWORD Characteristics;DWORD TimeDateStamp;WORD MajorVersion;WORD MinorVersion;DWORD Name;DWORD Base;DWORD NumberOfFunctions;DWORD NumberOfNames;DWORD AddressOfFunctions; // RVA from base of imageDWORD AddressOfNames; // RVA from base of imageDWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;//
// Import Format
//typedef struct _IMAGE_IMPORT_BY_NAME {WORD Hint;BYTE Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;#include "pshpack8.h" // Use align 8 for the 64-bit IAT.typedef struct _IMAGE_THUNK_DATA64 {union {PBYTE ForwarderString;PDWORD Function;ULONGLONG Ordinal;PIMAGE_IMPORT_BY_NAME AddressOfData;} u1;
} IMAGE_THUNK_DATA64;
typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;#include "poppack.h" // Back to 4 byte packingtypedef struct _IMAGE_THUNK_DATA32 {union {PBYTE ForwarderString;PDWORD Function;DWORD Ordinal;PIMAGE_IMPORT_BY_NAME AddressOfData;} u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
#define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0)
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0)//
// Thread Local Storage
//typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (PVOID DllHandle,DWORD Reason,PVOID Reserved);typedef struct _IMAGE_TLS_DIRECTORY64 {ULONGLONG StartAddressOfRawData;ULONGLONG EndAddressOfRawData;PDWORD AddressOfIndex;PIMAGE_TLS_CALLBACK *AddressOfCallBacks;DWORD SizeOfZeroFill;DWORD Characteristics;
} IMAGE_TLS_DIRECTORY64;
typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;typedef struct _IMAGE_TLS_DIRECTORY32 {DWORD StartAddressOfRawData;DWORD EndAddressOfRawData;PDWORD AddressOfIndex;PIMAGE_TLS_CALLBACK *AddressOfCallBacks;DWORD SizeOfZeroFill;DWORD Characteristics;
} IMAGE_TLS_DIRECTORY32;
typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;#ifdef _WIN64
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY;
#else
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY;
#endiftypedef struct _IMAGE_IMPORT_DESCRIPTOR {union {DWORD Characteristics; // 0 for terminating null import descriptorDWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)};DWORD TimeDateStamp; // 0 if not bound,// -1 if bound, and real date\time stamp// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)// O.W. date/time stamp of DLL bound to (Old BIND)DWORD ForwarderChain; // -1 if no forwardersDWORD Name;DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;//
// New format import descriptors pointed to by DataDirectory[ IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT ]
//typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR {DWORD TimeDateStamp;WORD OffsetModuleName;WORD NumberOfModuleForwarderRefs;
// Array of zero or more IMAGE_BOUND_FORWARDER_REF follows
} IMAGE_BOUND_IMPORT_DESCRIPTOR, *PIMAGE_BOUND_IMPORT_DESCRIPTOR;typedef struct _IMAGE_BOUND_FORWARDER_REF {DWORD TimeDateStamp;WORD OffsetModuleName;WORD Reserved;
} IMAGE_BOUND_FORWARDER_REF, *PIMAGE_BOUND_FORWARDER_REF;PE格式的定义头文件winnt.h相关推荐
- C语言创建MaxSize头文件,我不知道怎样定义头文件#includeseqlist.h
满意答案 sgkkz359 2017.10.26 采纳率:50% 等级:10 已帮助:671人 C语言的库文件中,并没有SeqList.h这个标准头文件.这个是一个自定义头文件. 在数据结构教材 ...
- 习题 8.4 在本章第8.3.3节中分别给出了包含类定义的头文件student.h,包含成员函数定义的源文件student.cpp以及包含主函数的源文件main.cpp。请完善该程序,在类中增加。。。
C++程序设计(第三版) 谭浩强 习题8.4 个人设计 习题 8.4 在本章第8.3.3节中分别给出了包含类定义的头文件student.h,包含成员函数定义的源文件student.cpp以及包含主函数 ...
- 习题 8.5 将本章的例8.4改写为一个多文件的程序:1.将类定义放在头文件arraymax.h中;2.将成员函数定义放在源文件arraymax.cpp中;3.主函数放在源文件file1.cpp中。
C++程序设计(第三版) 谭浩强 习题8.5 个人设计 习题 8.5 将本章的例8.4改写为一个多文件的程序: 1.将类定义放在头文件arraymax.h中: 2.将成员函数定义放在源文件arraym ...
- c语言中引用头使用什么指令,在源文件(.c)和头文件(.h)中声明和定义的区别——C语言...
最近在看多文件编程的时候遇到的一个问题,本来以为理解了声明和定义的区别(然而并没有····),也算是重新认识了一次声明和定义,下面上代码 声明和定义:有分配空间的叫定义,没分配空间的叫声明 定义:表示 ...
- C++中头文件(.h)和源文件(.cpp)都应该写些什么,头文件中的预编译语句作用,命名空间和头文件的区别与联系,内部链接和外部链接
1. C++中头文件(.h)和源文件(.cpp)都应该写些什么: 总结下来就是头文件写的就是类的声明(包括类里面的成员和方法的声明)和函数的声明,但一般来说不写出具体的实现.对应的同名(可以不同名,但 ...
- 头文件setjmp.h
头文件<setjmp.h>定义了宏setjmp,并且为了绕过正常的函数调用和返回规则声明了一个函数和一个类型. 1.类型jmp_buf 它是一个数组类型,适合存储恢复一个调用环境所需的信息 ...
- 【C++】C++中的头文件(.h)—详解(2)
接上... [fishing-pan:https://blog.csdn.net/u013921430转载请注明出处] 头文件中写些什么 在上篇博客中写到头文件本身不参与编译,但是它们被包含到源文件中 ...
- 【C++】C++中的头文件(.h)—详解(1)
[fishing-pan:https://blog.csdn.net/u013921430转载请注明出处] 前言 之前写过一篇<C++中头文件的使用>,那篇文章主要讲述C++中头文件的使用 ...
- C语言两个同名头文件,C lang: C语言中两个头文件引入相同的头文件(Header.h)
C lang: C语言中两个头文件引入相同的头文件(Header.h) C lang: C语言中两个头文件引入相同的头文件(Header.h) [var1] For example: Header.h ...
最新文章
- Lambda表达式可以被转换为委托类型
- Android Binder设计与实现 – 设计篇
- 面试题:问题:Java中,char型变量中能不能存储一个中文汉字,为什么?
- linux wine 中文乱码,Linux下使用Wine出现中文乱码的解决方法
- 服务器如何运行java文件_在linux服务器上运行java文件
- 关于pipelineDB调用GetLocalStreamReaders的BUG
- HTML标签类型及特点
- Fiddler进行模拟Post提交json数据,总为null解决方式
- adminlte支持html5吗,spring boot:用adminlte做前端
- mybatis3 配置文件解析
- 老板喜欢动脑子工作的人
- 【交通标志识别】基于matlab GUI BP神经网络交通标志识别【含Matlab源码 718期】
- instagram图片下载_如何使用Python下载Instagram个人资料图片
- Jshack网络验证系统,又名 JS下锅云网络验证系统-免费网络验证系统
- IOS上架时及开发注意事项
- linux查看附近可用wifi并进行通过命令行连接
- C++实现X11桌面录屏为H264文件
- 同事关系再好也别表现,学做曾国藩和左宗棠,多数人不懂三规矩
- 在硬盘留下后门,重装系统都没辙(太太太太太厉害了)
- 非因解读 | DSP空间多组学助力胃癌预后标志物的发现