// Executable-format signatures. Read as little-endian bytes the values spell
// ASCII tags: 0x5A4D = "MZ", 0x454E = "NE", 0x454C = "LE", 0x00004550 = "PE\0\0".
// IMAGE_OS2_SIGNATURE_LE and IMAGE_VXD_SIGNATURE are defined to the same value,
// so the two cannot be told apart by signature alone.
// A matching signature only identifies the format; it says nothing about
// whether the header fields that follow are well formed.
7 #define IMAGE_DOS_SIGNATURE 0x5A4D
8 #define IMAGE_OS2_SIGNATURE 0x454E
9 #define IMAGE_OS2_SIGNATURE_LE 0x454C
10 #define IMAGE_VXD_SIGNATURE 0x454C
11 #define IMAGE_NT_SIGNATURE 0x00004550
14 // Image architectures
// Target-architecture identifiers. Every value fits in 16 bits.
// NOTE(review): presumably compared against the Machine member of
// IMAGE_FILE_HEADER (that member is not visible in this listing) - confirm.
// IMAGE_FILE_MACHINE_AXP64 is an alias for IMAGE_FILE_MACHINE_ALPHA64, not a
// distinct value. Code that dispatches on these constants should reject any
// value it does not list instead of falling through to a default layout.
16 #define IMAGE_FILE_MACHINE_AM33 0x1d3
17 #define IMAGE_FILE_MACHINE_AMD64 0x8664
18 #define IMAGE_FILE_MACHINE_ARM 0x1c0
19 #define IMAGE_FILE_MACHINE_EBC 0xebc
20 #define IMAGE_FILE_MACHINE_I386 0x14c
21 #define IMAGE_FILE_MACHINE_IA64 0x200
22 #define IMAGE_FILE_MACHINE_M32R 0x9041
23 #define IMAGE_FILE_MACHINE_MIPS16 0x266
24 #define IMAGE_FILE_MACHINE_MIPSFPU 0x366
25 #define IMAGE_FILE_MACHINE_MIPSFPU16 0x466
26 #define IMAGE_FILE_MACHINE_POWERPC 0x1f0
27 #define IMAGE_FILE_MACHINE_POWERPCFP 0x1f1
28 #define IMAGE_FILE_MACHINE_R4000 0x166
29 #define IMAGE_FILE_MACHINE_SH3 0x1a2
30 #define IMAGE_FILE_MACHINE_SH3E 0x01a4
31 #define IMAGE_FILE_MACHINE_SH3DSP 0x1a3
32 #define IMAGE_FILE_MACHINE_SH4 0x1a6
33 #define IMAGE_FILE_MACHINE_SH5 0x1a8
34 #define IMAGE_FILE_MACHINE_THUMB 0x1c2
35 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x169
36 #define IMAGE_FILE_MACHINE_R3000 0x162
37 #define IMAGE_FILE_MACHINE_R10000 0x168
38 #define IMAGE_FILE_MACHINE_ALPHA 0x184
39 #define IMAGE_FILE_MACHINE_ALPHA64 0x0284
40 #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
41 #define IMAGE_FILE_MACHINE_CEE 0xC0EE
42 #define IMAGE_FILE_MACHINE_TRICORE 0x0520
43 #define IMAGE_FILE_MACHINE_CEF 0x0CEF
48 // DOS Image Header Format
51 typedef struct _IMAGE_DOS_HEADER
{
71 } IMAGE_DOS_HEADER
, *PIMAGE_DOS_HEADER
;
77 // Export/Import Format
80 typedef struct _IMAGE_EXPORT_DIRECTORY
{
81 ULONG Characteristics
;
87 ULONG NumberOfFunctions
;
89 ULONG AddressOfFunctions
;
91 ULONG AddressOfNameOrdinals
;
92 } IMAGE_EXPORT_DIRECTORY
, *PIMAGE_EXPORT_DIRECTORY
;
97 // Resource Data Entry Format
99 typedef struct _IMAGE_RESOURCE_DATA_ENTRY
{
104 } IMAGE_RESOURCE_DATA_ENTRY
, *PIMAGE_RESOURCE_DATA_ENTRY
;
109 // Load Configuration Directory Entry Format
116 ULONG GlobalFlagsClear
;
117 ULONG GlobalFlagsSet
;
118 ULONG CriticalSectionDefaultTimeout
;
119 ULONG DeCommitFreeBlockThreshold
;
120 ULONG DeCommitTotalFreeThreshold
;
121 ULONG LockPrefixTable
;
122 ULONG MaximumAllocationSize
;
123 ULONG VirtualMemoryThreshold
;
124 ULONG ProcessHeapFlags
;
125 ULONG ProcessAffinityMask
;
129 ULONG SecurityCookie
;
130 ULONG SEHandlerTable
;
131 ULONG SEHandlerCount
;
132 } IMAGE_LOAD_CONFIG_DIRECTORY32
, *PIMAGE_LOAD_CONFIG_DIRECTORY32
;
139 ULONG GlobalFlagsClear
;
140 ULONG GlobalFlagsSet
;
141 ULONG CriticalSectionDefaultTimeout
;
142 ULONGLONG DeCommitFreeBlockThreshold
;
143 ULONGLONG DeCommitTotalFreeThreshold
;
144 ULONGLONG LockPrefixTable
;
145 ULONGLONG MaximumAllocationSize
;
146 ULONGLONG VirtualMemoryThreshold
;
147 ULONGLONG ProcessAffinityMask
;
148 ULONG ProcessHeapFlags
;
152 ULONGLONG SecurityCookie
;
153 ULONGLONG SEHandlerTable
;
154 ULONGLONG SEHandlerCount
;
155 } IMAGE_LOAD_CONFIG_DIRECTORY64
, *PIMAGE_LOAD_CONFIG_DIRECTORY64
;
158 typedef IMAGE_LOAD_CONFIG_DIRECTORY64 IMAGE_LOAD_CONFIG_DIRECTORY
;
159 typedef PIMAGE_LOAD_CONFIG_DIRECTORY64 PIMAGE_LOAD_CONFIG_DIRECTORY
;
161 typedef IMAGE_LOAD_CONFIG_DIRECTORY32 IMAGE_LOAD_CONFIG_DIRECTORY
;
162 typedef PIMAGE_LOAD_CONFIG_DIRECTORY32 PIMAGE_LOAD_CONFIG_DIRECTORY
;
167 // Base Relocation Format
169 typedef struct _IMAGE_BASE_RELOCATION
{
170 ULONG VirtualAddress
;
172 } IMAGE_BASE_RELOCATION
, *PIMAGE_BASE_RELOCATION
;
179 typedef struct _IMAGE_RESOURCE_DIRECTORY
{
180 ULONG Characteristics
;
184 USHORT NumberOfNamedEntries
;
185 USHORT NumberOfIdEntries
;
186 } IMAGE_RESOURCE_DIRECTORY
, *PIMAGE_RESOURCE_DIRECTORY
;
188 typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING
{
190 CHAR NameString
[ANYSIZE_ARRAY
];
191 } IMAGE_RESOURCE_DIRECTORY_STRING
, *PIMAGE_RESOURCE_DIRECTORY_STRING
;
196 // Section Header Format
// IMAGE_SIZEOF_SHORT_NAME is the element count of IMAGE_SECTION_HEADER.Name.
// A name that uses all 8 bytes leaves no room for a terminating NUL, so every
// read of Name must be bounded by this constant rather than treated as a
// C string.
// NOTE(review): IMAGE_SIZEOF_SECTION_HEADER is presumably
// sizeof(IMAGE_SECTION_HEADER); not every member is visible here - confirm.
198 #define IMAGE_SIZEOF_SHORT_NAME 8
199 #define IMAGE_SIZEOF_SECTION_HEADER 40
201 typedef struct _IMAGE_SECTION_HEADER
{
202 UCHAR Name
[IMAGE_SIZEOF_SHORT_NAME
];
205 ULONG PhysicalAddress
;
208 ULONG VirtualAddress
;
210 ULONG PointerToRawData
;
211 ULONG PointerToRelocations
;
212 ULONG PointerToLinenumbers
;
213 USHORT NumberOfRelocations
;
214 USHORT NumberOfLinenumbers
;
215 ULONG Characteristics
;
216 } IMAGE_SECTION_HEADER
, *PIMAGE_SECTION_HEADER
;
219 // Section Characteristics
// Bit flags for IMAGE_SECTION_HEADER.Characteristics (a ULONG). Each value
// below occupies a distinct bit, so the flags can be OR-ed and tested
// independently.
// NOTE(review): going by the names, a section that carries both
// IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE requests memory that is
// writable and executable at once; loaders and triage tooling commonly flag
// that combination - confirm what policy this project applies.
221 #define IMAGE_SCN_CNT_CODE 0x00000020
222 #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040
223 #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080
225 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000
226 #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000
227 #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000
228 #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000
229 #define IMAGE_SCN_MEM_SHARED 0x10000000
230 #define IMAGE_SCN_MEM_EXECUTE 0x20000000
231 #define IMAGE_SCN_MEM_READ 0x40000000
232 #define IMAGE_SCN_MEM_WRITE 0x80000000
237 // File Header Format
// NOTE(review): presumably sizeof(IMAGE_FILE_HEADER); the members visible in
// this listing add up to less than 20 bytes because some lines are elided -
// confirm against the full structure.
239 #define IMAGE_SIZEOF_FILE_HEADER 20
241 typedef struct _IMAGE_FILE_HEADER
{
243 USHORT NumberOfSections
;
245 ULONG PointerToSymbolTable
;
246 ULONG NumberOfSymbols
;
247 USHORT SizeOfOptionalHeader
;
248 USHORT Characteristics
;
249 } IMAGE_FILE_HEADER
, *PIMAGE_FILE_HEADER
;
252 // File Characteristics
// Bit flags for IMAGE_FILE_HEADER.Characteristics (a USHORT). Each value is a
// single distinct bit; bit 0x0040 has no name in this list.
// IMAGE_FILE_AGGRESIVE_WS_TRIM is spelled this way in the identifier itself;
// the spelling must stay as is because callers reference the name.
254 #define IMAGE_FILE_RELOCS_STRIPPED 0x0001
255 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
256 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
257 #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
258 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010
259 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
260 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080
261 #define IMAGE_FILE_32BIT_MACHINE 0x0100
262 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200
263 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
264 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
265 #define IMAGE_FILE_SYSTEM 0x1000
266 #define IMAGE_FILE_DLL 0x2000
267 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
268 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
// Fixed element count of the DataDirectory arrays declared in
// IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64. Any index into
// DataDirectory must be below this bound regardless of what the file claims.
275 #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
277 typedef struct _IMAGE_DATA_DIRECTORY
{
278 ULONG VirtualAddress
;
280 } IMAGE_DATA_DIRECTORY
, *PIMAGE_DATA_DIRECTORY
;
285 // Optional Header Formats
287 typedef struct _IMAGE_OPTIONAL_HEADER
{
289 UCHAR MajorLinkerVersion
;
290 UCHAR MinorLinkerVersion
;
292 ULONG SizeOfInitializedData
;
293 ULONG SizeOfUninitializedData
;
294 ULONG AddressOfEntryPoint
;
298 ULONG SectionAlignment
;
300 USHORT MajorOperatingSystemVersion
;
301 USHORT MinorOperatingSystemVersion
;
302 USHORT MajorImageVersion
;
303 USHORT MinorImageVersion
;
304 USHORT MajorSubsystemVersion
;
305 USHORT MinorSubsystemVersion
;
306 ULONG Win32VersionValue
;
311 USHORT DllCharacteristics
;
312 ULONG SizeOfStackReserve
;
313 ULONG SizeOfStackCommit
;
314 ULONG SizeOfHeapReserve
;
315 ULONG SizeOfHeapCommit
;
317 ULONG NumberOfRvaAndSizes
;
318 IMAGE_DATA_DIRECTORY DataDirectory
[IMAGE_NUMBEROF_DIRECTORY_ENTRIES
];
319 } IMAGE_OPTIONAL_HEADER32
, *PIMAGE_OPTIONAL_HEADER32
;
321 typedef struct _IMAGE_ROM_OPTIONAL_HEADER
{
323 UCHAR MajorLinkerVersion
;
324 UCHAR MinorLinkerVersion
;
326 ULONG SizeOfInitializedData
;
327 ULONG SizeOfUninitializedData
;
328 ULONG AddressOfEntryPoint
;
335 } IMAGE_ROM_OPTIONAL_HEADER
, *PIMAGE_ROM_OPTIONAL_HEADER
;
337 typedef struct _IMAGE_OPTIONAL_HEADER64
{
339 UCHAR MajorLinkerVersion
;
340 UCHAR MinorLinkerVersion
;
342 ULONG SizeOfInitializedData
;
343 ULONG SizeOfUninitializedData
;
344 ULONG AddressOfEntryPoint
;
347 ULONG SectionAlignment
;
349 USHORT MajorOperatingSystemVersion
;
350 USHORT MinorOperatingSystemVersion
;
351 USHORT MajorImageVersion
;
352 USHORT MinorImageVersion
;
353 USHORT MajorSubsystemVersion
;
354 USHORT MinorSubsystemVersion
;
355 ULONG Win32VersionValue
;
360 USHORT DllCharacteristics
;
361 ULONGLONG SizeOfStackReserve
;
362 ULONGLONG SizeOfStackCommit
;
363 ULONGLONG SizeOfHeapReserve
;
364 ULONGLONG SizeOfHeapCommit
;
366 ULONG NumberOfRvaAndSizes
;
367 IMAGE_DATA_DIRECTORY DataDirectory
[IMAGE_NUMBEROF_DIRECTORY_ENTRIES
];
368 } IMAGE_OPTIONAL_HEADER64
, *PIMAGE_OPTIONAL_HEADER64
;
371 // Format Identifier Magics
// Format identifiers for the optional header variants.
// NOTE(review): presumably matched against the optional header's Magic member
// (not visible in this listing) to choose between IMAGE_OPTIONAL_HEADER32,
// IMAGE_OPTIONAL_HEADER64 and IMAGE_ROM_OPTIONAL_HEADER - confirm.
// A parser that accepts arbitrary files should select the layout from this
// value at run time; the unsuffixed IMAGE_OPTIONAL_HEADER alias is a typedef
// and therefore fixed when the parser itself is compiled.
373 #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
374 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
375 #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
379 typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER
;
380 typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER
;
381 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
383 typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER
;
384 typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER
;
385 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
393 typedef struct _IMAGE_NT_HEADERS64
{
395 IMAGE_FILE_HEADER FileHeader
;
396 IMAGE_OPTIONAL_HEADER64 OptionalHeader
;
397 } IMAGE_NT_HEADERS64
, *PIMAGE_NT_HEADERS64
;
399 typedef struct _IMAGE_NT_HEADERS
{
401 IMAGE_FILE_HEADER FileHeader
;
402 IMAGE_OPTIONAL_HEADER32 OptionalHeader
;
403 } IMAGE_NT_HEADERS32
, *PIMAGE_NT_HEADERS32
;
406 typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS
;
407 typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS
;
409 typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS
;
410 typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS
;
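414 // Retrieves the first image section header from the NT header.
// The address is derived from FileHeader.SizeOfOptionalHeader with no bounds
// check; when the image is untrusted, validate the result against the size of
// the mapped file before dereferencing it.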
416 #define IMAGE_FIRST_SECTION( NtHeader ) ((PIMAGE_SECTION_HEADER) \
417 ((ULONG_PTR)(NtHeader) + \
418 FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
419 ((NtHeader))->FileHeader.SizeOfOptionalHeader \
423 // Dll Characteristics
// Bit flags for the DllCharacteristics member (a USHORT) of the optional
// headers. Each value is a single distinct bit.
// NOTE(review): per the published PE format, DYNAMIC_BASE, NX_COMPAT and
// FORCE_INTEGRITY are the image's opt-ins to load-address randomization,
// non-executable data pages and signature enforcement, and NO_SEH declares
// that the image uses no structured exception handlers. A binary that lacks
// the first two is a common hardening-audit finding - confirm the meanings
// against the specification revision this header tracks.
425 #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
426 #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
427 #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
428 #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
429 #define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
430 #define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
431 #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
432 #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
435 // Directory Entry Specifiers
// Index values for the DataDirectory[] array of the optional headers. The
// values run from 0 to 14, so each one is inside the
// IMAGE_NUMBEROF_DIRECTORY_ENTRIES (16) array bound.
// NOTE(review): the optional headers also carry NumberOfRvaAndSizes;
// presumably it states how many entries the file actually supplies, so an
// index should be checked against both that member and the fixed bound
// before an entry of an untrusted image is read - confirm.
437 #define IMAGE_DIRECTORY_ENTRY_EXPORT 0
438 #define IMAGE_DIRECTORY_ENTRY_IMPORT 1
439 #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
440 #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
441 #define IMAGE_DIRECTORY_ENTRY_SECURITY 4
442 #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
443 #define IMAGE_DIRECTORY_ENTRY_DEBUG 6
444 #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7
445 #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8
446 #define IMAGE_DIRECTORY_ENTRY_TLS 9
447 #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
448 #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
449 #define IMAGE_DIRECTORY_ENTRY_IAT 12
450 #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
451 #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
458 typedef struct _IMAGE_IMPORT_BY_NAME
{
461 } IMAGE_IMPORT_BY_NAME
, *PIMAGE_IMPORT_BY_NAME
;
463 #include <pshpack8.h>
464 typedef struct _IMAGE_THUNK_DATA64
{
466 ULONGLONG ForwarderString
;
469 ULONGLONG AddressOfData
;
471 } IMAGE_THUNK_DATA64
, *PIMAGE_THUNK_DATA64
;
474 typedef struct _IMAGE_THUNK_DATA32
{
476 ULONG ForwarderString
;
481 } IMAGE_THUNK_DATA32
, *PIMAGE_THUNK_DATA32
;
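// Import-by-ordinal helpers for thunk values.
//   IMAGE_ORDINAL_FLAG64 / IMAGE_ORDINAL_FLAG32  - top bit of a 64-/32-bit thunk value.
//   IMAGE_ORDINAL64 / IMAGE_ORDINAL32            - low 16 bits of the value.
//   IMAGE_SNAP_BY_ORDINAL64 / ..._ORDINAL32      - non-zero when the top bit is set.
// The macro argument is parenthesized in every expansion so that an expression
// argument (for example `a | b`) is masked as a whole; without the parentheses
// `&` binds tighter than `|` and only part of the expression would be masked,
// which can misclassify an import read from a file.
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL64(Ordinal) ((Ordinal) & 0xffff)
#define IMAGE_ORDINAL32(Ordinal) ((Ordinal) & 0xffff)
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG64) != 0)
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG32) != 0)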
493 // Thread Local Storage (TLS)
497 (NTAPI
*PIMAGE_TLS_CALLBACK
) (
// Thread Local Storage directory, 64-bit layout: four ULONGLONG address
// members followed by two ULONG members.
// Nothing in the layout constrains EndAddressOfRawData to be at or above
// StartAddressOfRawData; a consumer that computes the difference from an
// untrusted image should check the ordering first.
503 typedef struct _IMAGE_TLS_DIRECTORY64
{
504 ULONGLONG StartAddressOfRawData
;
505 ULONGLONG EndAddressOfRawData
;
506 ULONGLONG AddressOfIndex
;
// NOTE(review): presumably the address of an array of PIMAGE_TLS_CALLBACK
// (declared just above). In the PE format these callbacks run before the
// image entry point, so analysis that starts at AddressOfEntryPoint can miss
// code reachable from here - confirm.
507 ULONGLONG AddressOfCallBacks
;
508 ULONG SizeOfZeroFill
;
509 ULONG Characteristics
;
510 } IMAGE_TLS_DIRECTORY64
, *PIMAGE_TLS_DIRECTORY64
;
// Thread Local Storage directory, 32-bit layout: the same six members as
// IMAGE_TLS_DIRECTORY64, all declared as ULONG.
// Nothing in the layout constrains EndAddressOfRawData to be at or above
// StartAddressOfRawData; a consumer that computes the difference from an
// untrusted image should check the ordering first.
512 typedef struct _IMAGE_TLS_DIRECTORY32
{
513 ULONG StartAddressOfRawData
;
514 ULONG EndAddressOfRawData
;
515 ULONG AddressOfIndex
;
// NOTE(review): presumably the address of an array of PIMAGE_TLS_CALLBACK
// (declared just above). In the PE format these callbacks run before the
// image entry point, so analysis that starts at AddressOfEntryPoint can miss
// code reachable from here - confirm.
516 ULONG AddressOfCallBacks
;
517 ULONG SizeOfZeroFill
;
518 ULONG Characteristics
;
519 } IMAGE_TLS_DIRECTORY32
, *PIMAGE_TLS_DIRECTORY32
;
522 #define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
523 #define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
524 typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA
;
525 typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA
;
526 #define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
527 typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY
;
528 typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY
;
530 #define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
531 #define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
532 typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA
;
533 typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
;
534 #define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
535 typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY
;
536 typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY
;
539 typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
540 _ANONYMOUS_UNION
union {
541 ULONG Characteristics
;
542 ULONG OriginalFirstThunk
;
545 ULONG ForwarderChain
;
548 } IMAGE_IMPORT_DESCRIPTOR
, *PIMAGE_IMPORT_DESCRIPTOR
;