Module object::pe

source · []
Expand description

PE/COFF definitions.

These definitions are independent of read/write support, although we do implement some traits useful for those.

This module is based heavily on “winnt.h” (10.0.17763.0).

Structs

Non-COFF Object file header

Auxiliary symbol format 1: function definitions.

Auxiliary symbol format 2: .bf and .ef symbols.

Auxiliary symbol format 5: sections.

Auxiliary symbol format 3: weak externals.

DOS .EXE header

OS/2 .EXE header

Windows VXD header

A PE rich header entry.

Constants

V-table slots are 32-bits in size.

V-table slots are 64-bits in size.

Call most derived method described by

If set, transition from unmanaged.

If set, transition from unmanaged with keeping the current appdomain.

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Size of a jump thunk reserved range.

Delay load version 2 flag for ImageDelayloadDescriptor::attributes.

Architecture Specific Data

Base Relocation Table

Bound Import Directory in headers

Delay Load Import Descriptors

Import Address Table

Load Configuration Directory

Image should execute in an AppContainer

Image supports Control Flow Guard.

Image can handle a high entropy 64-bit virtual address space.

Do not bind this image.

Image understands isolation and doesn’t want it

Image does not use SEH. No SE handler may reside in this image

Image is NX compatible

32 bit word machine.

Aggressively trim working set

Bytes of machine word are reversed.

Bytes of machine word are reversed.

Debugging info stripped from file in .DBG file

File is a DLL.

File is executable (i.e. no unresolved external references).

App can handle >2gb addresses

Line nunbers stripped from file.

Local symbols stripped from file.

ARM Little-Endian

ARM64 Little-Endian

ARM Thumb-2 Little-Endian

M32R little-endian

IBM PowerPC Little-Endian

MIPS little-endian, 0x160 big-endian

MIPS little-endian

MIPS little-endian

SH3 little-endian

SH3E little-endian

SH4 little-endian

Useful for indicating we want to interact with the host and not a WoW guest.

ARM Thumb/Thumb-2 Little-Endian

MIPS little-endian WCE v2

If Image is on Net, copy and run from the swap file.

Relocation info stripped from file.

If Image is on removable media, copy and run from the swap file.

System File.

File should only be run on a UP machine

Module performs control flow and write integrity checks

Module enables suppression of exports

Module contains suppressed export information.

Module contains valid control flow target metadata

Stride of Guard CF function table encoded in these bits (additional count of bytes per element)

Shift to right-justify Guard CF function table stride

Module performs control flow integrity checks using system-supplied support

Module contains longjmp target information

Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected

The containing GFID entry is export suppressed

The containing GFID entry is suppressed

Module supports read only delay load IAT

Module was built with retpoline support

Module requests that the OS enable return flow protection

Module contains return flow instrumentation and metadata

Module requests that the OS enable return flow protection in strict mode

Module does not make use of the /GS security cookie

High 16-bit GP relative reference

Low 16-bit GP relative reference

Low 16 bits of 48 bit reference

Middle 16 bits of 48 bit reference

High 16 bits of 48 bit reference

High 16-bit section relative reference

Low 16-bit section relative reference

Reference is absolute, no relocation is necessary

32-bit address (VA).

32-bit address w/o image base (RVA).

64-bit address (VA).

Indirect branch to a CFG check

Indirect branch to a CFG check, with REX.W prefix

Indirect call to a CFG check

Indirect branch to an import

Indirect call to an import

Indirect branch to a target in RAX (no CFG)

Indirect branch to a target in RAX, with REX.W prefix (no CFG)

Indirect branch for a switch table using Reg 0 (RAX)

Indirect branch for a switch table using Reg 15 (R15)

Indirect call to a target in RAX (no CFG)

32-bit relative address from byte following reloc

32-bit relative address from byte distance 1 from reloc

32-bit relative address from byte distance 2 from reloc

32-bit relative address from byte distance 3 from reloc

32-bit relative address from byte distance 4 from reloc

32-bit relative address from byte distance 5 from reloc

32 bit offset from base of section containing target

7 bit unsigned offset from base of section containing target

32 bit signed span-dependent value emitted into object

32 bit signed span-dependent value applied at link time

32 bit metadata token

No relocation required

32 bit address. Review! do we need it?

32 bit address w/o image base (RVA: for Data/PData/XData)

64 bit address

19 bit offset << 2 & sign ext. for conditional B

26 bit offset << 2 & sign ext. for B & BL

ADD/ADDS (immediate) with zero shift, for page offset

LDR (indexed, unsigned immediate), for page offset

Offset within section

ADD/ADDS (immediate) with zero shift, for bit 12:23 of section offset

ADD/ADDS (immediate) with zero shift, for bit 0:11 of section offset

LDR (indexed, unsigned immediate), for bit 0:11 of section offset

Section table index

No relocation required

32 bit address

32 bit address w/o image base

Thumb: BLX immediate

Thumb: 2 11 bit offsets

Thumb: 32-bit conditional B

24 bit offset << 2 & sign ext.

Thumb: 32-bit B or BL

GP-relative addressing (Thumb)

GP-relative addressing (ARM)

ARM: MOVW/MOVT (deprecated)

ARM: MOVW/MOVT

Thumb: MOVW/MOVT

Offset within section

Section table index

Reference is absolute, no relocation is necessary

32-bit address (VA).

32-bit address w/o image base (RVA).

64-bit address (VA).

32 bit offset from base of section containing target

Section index

32 bit metadata token

Reference is absolute, no relocation is necessary

32-bit address (VA).

32-bit address w/o image base (RVA).

64-bit address (VA).

32 bit offset from base of section containing target

Section index

32 bit metadata token

No relocation required

32 bit address w/o image base

32-bit relative address from byte following reloc

Offset within section

Section table index

Reference is absolute, no relocation is necessary

Direct 16-bit reference to the symbols virtual address

Direct 32-bit reference to the symbols virtual address

Direct 32-bit reference to the symbols virtual address, base not included

PC-relative 16-bit reference to the symbols virtual address

PC-relative 32-bit reference to the symbols virtual address

7 bit offset from base of section containing target

Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address

If possible, convert to MBB bundle with NOP.B in slot 1

If possible, convert to MFB bundle with NOP.F in slot 1

If possible, convert to MIB bundle with NOP.I in slot 1

If possible, convert to MMB bundle with NOP.M in slot 1

This is always a BRL and never converted

No relocation required

24 bit address

32 bit address

32 bit address w/o image base

GP relative addressing

Link HI and LO

8 bit offset << 2 & sign ext.

16 bit offset << 2 & sign ext.

24 bit offset << 2 & sign ext.

16 MSBs; adj for LSB sign ext.

32 bit section relative reference

Section table index

Reference is absolute, no relocation is necessary

High 16-bit section relative reference (used for >32k TLS)

Low 16-bit section relative referemce (used for >32k TLS)

16-bit address, shifted left 2 (load doubleword)

16-bit address

26-bit address, shifted left 2 (branch absolute)

32-bit address

32-bit addr w/o image base

64-bit address

fix branch prediction bit to predict branch not taken

fix branch prediction bit to predict branch taken

substitute TOC restore instruction iff symbol is glue code

symbol is glue code; virtual address is TOC restore instruction

subtract reloc value rather than adding it

16-bit PC-relative offset, shifted left 2 (br cond relative)

26-bit PC-relative offset, shifted left 2 (branch relative)

va of containing section (as in an image sectionhdr)

va of containing section (limited to 16 bits)

High 16-bit section relative reference (used for >32k TLS)

Low 16-bit section relative reference (used for >32k TLS)

sectionheader number

toc slot defined in file (or, data in toc)

16-bit offset from TOC base, shifted left 2 (load doubleword)

16-bit offset from TOC base

mask to isolate above values in IMAGE_RELOCATION.Type

4 bit direct (0 ext.)

4 bit direct .L (0 ext.)

4 bit direct .W (0 ext.)

8 bit direct, -128..255

8 bit direct .L (0 ext.)

8 bit direct .W (0 ext.)

32 bit direct not based

GP-relative addressing

8 bit PC relative .L

8 bit PC relative .W

12 LSB PC relative .W

Offset within section

Section table index

Size of EXE section

Start of EXE section

offset operand for relocation

Offset from current instruction in longwords if not NOMODE, insert the inverse of the low bit at bit 32 to select PTA/PTB

High bits of 32-bit address

Low bits of 32-bit address

High bits of relative reference

Low bits of relative reference

relocation ignores section mode

Thumb: BLX immediate (deprecated)

Thumb: 32-bit conditional B (deprecated)

Thumb: 32-bit B or BL (deprecated)

Thumb: MOVW/MOVT (deprecated)

Default alignment if no others are specified.

Section contains code.

Section contains initialized data.

Section contains uninitialized data.

Section content can be accessed relative to GP

Section contents comdat.

Section contains comments or some other type of information.

Section contains extended relocations.

Section contents will not become part of image.

Section can be discarded.

Section is executable.

Section is not cachable.

Section is not pageable.

Section is readable.

Section is shareable.

Section is writeable.

Reset speculative exceptions handling bits in the TLB entries for this section.

Tls index is scaled

when DBG was updated, the old checksum didn’t match.

Image doesn’t require a subsystem.

image is a native Win9x driver.

image runs in the OS/2 character subsystem.

image runs in the Posix character subsystem.

Unknown subsystem.

Image runs in the Windows CE subsystem.

Image runs in the Windows character subsystem.

Image runs in the Windows GUI subsystem.

Symbol is an absolute value.

Symbol is a special debug item.

no derived type.

Values 0xFF00-0xFFFF are special

type character.

enumeration.

member of enumeration.

type short integer.

Symbol is undefined or is common.

Import name == public symbol name.

Import name == a name is explicitly provided after the DLL name.

Import name == public symbol name skipping leading ?, @, or optionally _.

Import name == public symbol name skipping leading ?, @, or optionally _ and truncating at first @.

Import by ordinal

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Intel-IA64-Filler

Type Definitions