7 #define IMAGE_DOS_SIGNATURE 0x5A4D
8 #define IMAGE_OS2_SIGNATURE 0x454E
9 #define IMAGE_OS2_SIGNATURE_LE 0x454C
10 #define IMAGE_VXD_SIGNATURE 0x454C
11 #define IMAGE_NT_SIGNATURE 0x00004550
14 // Image architectures
16 #define IMAGE_FILE_MACHINE_AM33 0x1d3
17 #define IMAGE_FILE_MACHINE_AMD64 0x8664
18 #define IMAGE_FILE_MACHINE_ARM 0x1c0
19 #define IMAGE_FILE_MACHINE_EBC 0xebc
20 #define IMAGE_FILE_MACHINE_I386 0x14c
21 #define IMAGE_FILE_MACHINE_IA64 0x200
22 #define IMAGE_FILE_MACHINE_M32R 0x9041
23 #define IMAGE_FILE_MACHINE_MIPS16 0x266
24 #define IMAGE_FILE_MACHINE_MIPSFPU 0x366
25 #define IMAGE_FILE_MACHINE_MIPSFPU16 0x466
26 #define IMAGE_FILE_MACHINE_POWERPC 0x1f0
27 #define IMAGE_FILE_MACHINE_POWERPCFP 0x1f1
28 #define IMAGE_FILE_MACHINE_R4000 0x166
29 #define IMAGE_FILE_MACHINE_SH3 0x1a2
30 #define IMAGE_FILE_MACHINE_SH3E 0x01a4
31 #define IMAGE_FILE_MACHINE_SH3DSP 0x1a3
32 #define IMAGE_FILE_MACHINE_SH4 0x1a6
33 #define IMAGE_FILE_MACHINE_SH5 0x1a8
34 #define IMAGE_FILE_MACHINE_THUMB 0x1c2
35 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x169
36 #define IMAGE_FILE_MACHINE_R3000 0x162
37 #define IMAGE_FILE_MACHINE_R10000 0x168
38 #define IMAGE_FILE_MACHINE_ALPHA 0x184
39 #define IMAGE_FILE_MACHINE_ALPHA64 0x0284
40 #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
41 #define IMAGE_FILE_MACHINE_CEE 0xC0EE
42 #define IMAGE_FILE_MACHINE_TRICORE 0x0520
43 #define IMAGE_FILE_MACHINE_CEF 0x0CEF
47 // DOS Image Header Format
50 typedef struct _IMAGE_DOS_HEADER
{
70 } IMAGE_DOS_HEADER
, *PIMAGE_DOS_HEADER
;
74 // Export/Import Format
77 typedef struct _IMAGE_EXPORT_DIRECTORY
{
78 ULONG Characteristics
;
84 ULONG NumberOfFunctions
;
86 ULONG AddressOfFunctions
;
88 ULONG AddressOfNameOrdinals
;
89 } IMAGE_EXPORT_DIRECTORY
, *PIMAGE_EXPORT_DIRECTORY
;
92 // Resource Data Entry Format
94 typedef struct _IMAGE_RESOURCE_DATA_ENTRY
{
99 } IMAGE_RESOURCE_DATA_ENTRY
, *PIMAGE_RESOURCE_DATA_ENTRY
;
102 // Load Configuration Directory Entry Format
109 ULONG GlobalFlagsClear
;
110 ULONG GlobalFlagsSet
;
111 ULONG CriticalSectionDefaultTimeout
;
112 ULONG DeCommitFreeBlockThreshold
;
113 ULONG DeCommitTotalFreeThreshold
;
114 ULONG LockPrefixTable
;
115 ULONG MaximumAllocationSize
;
116 ULONG VirtualMemoryThreshold
;
117 ULONG ProcessHeapFlags
;
118 ULONG ProcessAffinityMask
;
122 ULONG SecurityCookie
;
123 ULONG SEHandlerTable
;
124 ULONG SEHandlerCount
;
125 } IMAGE_LOAD_CONFIG_DIRECTORY32
, *PIMAGE_LOAD_CONFIG_DIRECTORY32
;
132 ULONG GlobalFlagsClear
;
133 ULONG GlobalFlagsSet
;
134 ULONG CriticalSectionDefaultTimeout
;
135 ULONGLONG DeCommitFreeBlockThreshold
;
136 ULONGLONG DeCommitTotalFreeThreshold
;
137 ULONGLONG LockPrefixTable
;
138 ULONGLONG MaximumAllocationSize
;
139 ULONGLONG VirtualMemoryThreshold
;
140 ULONGLONG ProcessAffinityMask
;
141 ULONG ProcessHeapFlags
;
145 ULONGLONG SecurityCookie
;
146 ULONGLONG SEHandlerTable
;
147 ULONGLONG SEHandlerCount
;
148 } IMAGE_LOAD_CONFIG_DIRECTORY64
, *PIMAGE_LOAD_CONFIG_DIRECTORY64
;
151 typedef IMAGE_LOAD_CONFIG_DIRECTORY64 IMAGE_LOAD_CONFIG_DIRECTORY
;
152 typedef PIMAGE_LOAD_CONFIG_DIRECTORY64 PIMAGE_LOAD_CONFIG_DIRECTORY
;
154 typedef IMAGE_LOAD_CONFIG_DIRECTORY32 IMAGE_LOAD_CONFIG_DIRECTORY
;
155 typedef PIMAGE_LOAD_CONFIG_DIRECTORY32 PIMAGE_LOAD_CONFIG_DIRECTORY
;
159 // Base Relocation Format
161 typedef struct _IMAGE_BASE_RELOCATION
{
162 ULONG VirtualAddress
;
164 } IMAGE_BASE_RELOCATION
, *PIMAGE_BASE_RELOCATION
;
169 typedef struct _IMAGE_RESOURCE_DIRECTORY
{
170 ULONG Characteristics
;
174 USHORT NumberOfNamedEntries
;
175 USHORT NumberOfIdEntries
;
176 } IMAGE_RESOURCE_DIRECTORY
, *PIMAGE_RESOURCE_DIRECTORY
;
178 typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING
{
180 CHAR NameString
[ANYSIZE_ARRAY
];
181 } IMAGE_RESOURCE_DIRECTORY_STRING
, *PIMAGE_RESOURCE_DIRECTORY_STRING
;
184 // Section Header Format
186 #define IMAGE_SIZEOF_SHORT_NAME 8
187 #define IMAGE_SIZEOF_SECTION_HEADER 40
189 typedef struct _IMAGE_SECTION_HEADER
{
190 UCHAR Name
[IMAGE_SIZEOF_SHORT_NAME
];
192 ULONG PhysicalAddress
;
195 ULONG VirtualAddress
;
197 ULONG PointerToRawData
;
198 ULONG PointerToRelocations
;
199 ULONG PointerToLinenumbers
;
200 USHORT NumberOfRelocations
;
201 USHORT NumberOfLinenumbers
;
202 ULONG Characteristics
;
203 } IMAGE_SECTION_HEADER
, *PIMAGE_SECTION_HEADER
;
206 // Section Characteristics
208 #define IMAGE_SCN_CNT_CODE 0x00000020
209 #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040
210 #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080
212 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000
213 #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000
214 #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000
215 #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000
216 #define IMAGE_SCN_MEM_SHARED 0x10000000
217 #define IMAGE_SCN_MEM_EXECUTE 0x20000000
218 #define IMAGE_SCN_MEM_READ 0x40000000
219 #define IMAGE_SCN_MEM_WRITE 0x80000000
222 // File Header Format
224 #define IMAGE_SIZEOF_FILE_HEADER 20
226 typedef struct _IMAGE_FILE_HEADER
{
228 USHORT NumberOfSections
;
230 ULONG PointerToSymbolTable
;
231 ULONG NumberOfSymbols
;
232 USHORT SizeOfOptionalHeader
;
233 USHORT Characteristics
;
234 } IMAGE_FILE_HEADER
, *PIMAGE_FILE_HEADER
;
237 // File Characteristics
239 #define IMAGE_FILE_RELOCS_STRIPPED 0x0001
240 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
241 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
242 #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
243 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010
244 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
245 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080
246 #define IMAGE_FILE_32BIT_MACHINE 0x0100
247 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200
248 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
249 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
250 #define IMAGE_FILE_SYSTEM 0x1000
251 #define IMAGE_FILE_DLL 0x2000
252 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
253 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
258 #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
260 typedef struct _IMAGE_DATA_DIRECTORY
{
261 ULONG VirtualAddress
;
263 } IMAGE_DATA_DIRECTORY
, *PIMAGE_DATA_DIRECTORY
;
266 // Optional Header Formats
268 typedef struct _IMAGE_OPTIONAL_HEADER
{
270 UCHAR MajorLinkerVersion
;
271 UCHAR MinorLinkerVersion
;
273 ULONG SizeOfInitializedData
;
274 ULONG SizeOfUninitializedData
;
275 ULONG AddressOfEntryPoint
;
279 ULONG SectionAlignment
;
281 USHORT MajorOperatingSystemVersion
;
282 USHORT MinorOperatingSystemVersion
;
283 USHORT MajorImageVersion
;
284 USHORT MinorImageVersion
;
285 USHORT MajorSubsystemVersion
;
286 USHORT MinorSubsystemVersion
;
287 ULONG Win32VersionValue
;
292 USHORT DllCharacteristics
;
293 ULONG SizeOfStackReserve
;
294 ULONG SizeOfStackCommit
;
295 ULONG SizeOfHeapReserve
;
296 ULONG SizeOfHeapCommit
;
298 ULONG NumberOfRvaAndSizes
;
299 IMAGE_DATA_DIRECTORY DataDirectory
[IMAGE_NUMBEROF_DIRECTORY_ENTRIES
];
300 } IMAGE_OPTIONAL_HEADER32
, *PIMAGE_OPTIONAL_HEADER32
;
302 typedef struct _IMAGE_ROM_OPTIONAL_HEADER
{
304 UCHAR MajorLinkerVersion
;
305 UCHAR MinorLinkerVersion
;
307 ULONG SizeOfInitializedData
;
308 ULONG SizeOfUninitializedData
;
309 ULONG AddressOfEntryPoint
;
316 } IMAGE_ROM_OPTIONAL_HEADER
, *PIMAGE_ROM_OPTIONAL_HEADER
;
318 typedef struct _IMAGE_OPTIONAL_HEADER64
{
320 UCHAR MajorLinkerVersion
;
321 UCHAR MinorLinkerVersion
;
323 ULONG SizeOfInitializedData
;
324 ULONG SizeOfUninitializedData
;
325 ULONG AddressOfEntryPoint
;
328 ULONG SectionAlignment
;
330 USHORT MajorOperatingSystemVersion
;
331 USHORT MinorOperatingSystemVersion
;
332 USHORT MajorImageVersion
;
333 USHORT MinorImageVersion
;
334 USHORT MajorSubsystemVersion
;
335 USHORT MinorSubsystemVersion
;
336 ULONG Win32VersionValue
;
341 USHORT DllCharacteristics
;
342 ULONGLONG SizeOfStackReserve
;
343 ULONGLONG SizeOfStackCommit
;
344 ULONGLONG SizeOfHeapReserve
;
345 ULONGLONG SizeOfHeapCommit
;
347 ULONG NumberOfRvaAndSizes
;
348 IMAGE_DATA_DIRECTORY DataDirectory
[IMAGE_NUMBEROF_DIRECTORY_ENTRIES
];
349 } IMAGE_OPTIONAL_HEADER64
, *PIMAGE_OPTIONAL_HEADER64
;
352 // Format Identifier Magics
354 #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
355 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
356 #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
359 typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER
;
360 typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER
;
361 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
363 typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER
;
364 typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER
;
365 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
371 typedef struct _IMAGE_NT_HEADERS64
{
373 IMAGE_FILE_HEADER FileHeader
;
374 IMAGE_OPTIONAL_HEADER64 OptionalHeader
;
375 } IMAGE_NT_HEADERS64
;
377 typedef struct _IMAGE_NT_HEADERS
{
379 IMAGE_FILE_HEADER FileHeader
;
380 IMAGE_OPTIONAL_HEADER32 OptionalHeader
;
381 } IMAGE_NT_HEADERS32
;
384 typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS
;
386 typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS
;
391 typedef struct _IMAGE_NT_HEADERS
*PIMAGE_NT_HEADERS32
;
392 typedef struct _IMAGE_NT_HEADERS64
*PIMAGE_NT_HEADERS64
;
395 typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS
;
397 typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS
;
403 // Retreives the first image section header from the Nt Header
405 #define IMAGE_FIRST_SECTION( NtHeader ) \
406 ((PIMAGE_SECTION_HEADER) ((ULONG_PTR)(NtHeader) + \
407 FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
408 ((NtHeader))->FileHeader.SizeOfOptionalHeader))
411 // Dll Characteristics
413 #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
414 #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
415 #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
416 #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
417 #define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
418 #define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
419 #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
420 #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
423 // Directory Entry Specifiers
425 #define IMAGE_DIRECTORY_ENTRY_EXPORT 0
426 #define IMAGE_DIRECTORY_ENTRY_IMPORT 1
427 #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
428 #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
429 #define IMAGE_DIRECTORY_ENTRY_SECURITY 4
430 #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
431 #define IMAGE_DIRECTORY_ENTRY_DEBUG 6
432 #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7
433 #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8
434 #define IMAGE_DIRECTORY_ENTRY_TLS 9
435 #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
436 #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
437 #define IMAGE_DIRECTORY_ENTRY_IAT 12
438 #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
439 #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
444 typedef struct _IMAGE_IMPORT_BY_NAME
{
447 } IMAGE_IMPORT_BY_NAME
, *PIMAGE_IMPORT_BY_NAME
;
449 #include <pshpack8.h>
450 typedef struct _IMAGE_THUNK_DATA64
{
452 ULONGLONG ForwarderString
;
455 ULONGLONG AddressOfData
;
457 } IMAGE_THUNK_DATA64
, *PIMAGE_THUNK_DATA64
;
460 typedef struct _IMAGE_THUNK_DATA32
{
462 ULONG ForwarderString
;
467 } IMAGE_THUNK_DATA32
, *PIMAGE_THUNK_DATA32
;
469 #define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
470 #define IMAGE_ORDINAL_FLAG32 0x80000000
471 #define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
472 #define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
473 #define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0)
474 #define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0)
477 // Thread Local Storage (TLS)
481 (NTAPI
*PIMAGE_TLS_CALLBACK
) (
486 typedef struct _IMAGE_TLS_DIRECTORY64
{
487 ULONGLONG StartAddressOfRawData
;
488 ULONGLONG EndAddressOfRawData
;
489 ULONGLONG AddressOfIndex
;
490 ULONGLONG AddressOfCallBacks
;
491 ULONG SizeOfZeroFill
;
492 ULONG Characteristics
;
493 } IMAGE_TLS_DIRECTORY64
, *PIMAGE_TLS_DIRECTORY64
;
495 typedef struct _IMAGE_TLS_DIRECTORY32
{
496 ULONG StartAddressOfRawData
;
497 ULONG EndAddressOfRawData
;
498 ULONG AddressOfIndex
;
499 ULONG AddressOfCallBacks
;
500 ULONG SizeOfZeroFill
;
501 ULONG Characteristics
;
502 } IMAGE_TLS_DIRECTORY32
, *PIMAGE_TLS_DIRECTORY32
;
505 #define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
506 #define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
507 typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA
;
508 typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA
;
509 #define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
510 typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY
;
511 typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY
;
513 #define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
514 #define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
515 typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA
;
516 typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
;
517 #define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
518 typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY
;
519 typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY
;
522 typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
523 _ANONYMOUS_UNION
union {
524 ULONG Characteristics
;
525 ULONG OriginalFirstThunk
;
528 ULONG ForwarderChain
;
531 } IMAGE_IMPORT_DESCRIPTOR
, *PIMAGE_IMPORT_DESCRIPTOR
;
535 #endif /* _NTIMAGE_ */