PE/COFF definitions.
These definitions are independent of read/write support, although we do implement some traits useful for those.
This module is based heavily on “winnt.h” (10.0.17763.0).
Structs
Non-COFF Object file header
Auxiliary symbol format 1: function definitions.
Auxiliary symbol format 2: .bf and .ef symbols.
Auxiliary symbol format 5: sections.
Auxiliary symbol format 3: weak externals.
DOS .EXE header
OS/2 .EXE header
Windows VXD header
A PE rich header entry.
Constants
V-table slots are 32-bits in size.
V-table slots are 64-bits in size.
Call most derived method described by
If set, transition from unmanaged.
If set, transition from unmanaged with keeping the current appdomain.
Intel-IA64-Filler
Size of a jump thunk reserved range.
Delay load version 2 flag for ImageDelayloadDescriptor::attributes.
Architecture Specific Data
Base Relocation Table
Bound Import Directory in headers
COM Runtime descriptor
Debug Directory
Delay Load Import Descriptors
Exception Directory
Export Directory
RVA of GP
Import Address Table
Import Directory
Load Configuration Directory
Resource Directory
Security Directory
TLS Directory
Image should execute in an AppContainer
DLL can move.
Code Integrity Image
Image supports Control Flow Guard.
Image can handle a high entropy 64-bit virtual address space.
Do not bind this image.
Image understands isolation and doesn’t want it
Image does not use SEH. No SE handler may reside in this image
Image is NX compatible
Driver uses WDM model
32 bit word machine.
Aggressively trim working set
Bytes of machine word are reversed.
Bytes of machine word are reversed.
Debugging info stripped from file in .DBG file
File is a DLL.
File is executable (i.e. no unresolved external references).
App can handle >2gb addresses
Line numbers stripped from file.
Local symbols stripped from file.
Alpha_AXP
ALPHA64
AMD64 (K8)
ARM Little-Endian
ARM64 Little-Endian
ARM Thumb-2 Little-Endian
EFI Byte Code
Intel 386.
Intel 64
M32R little-endian
IBM PowerPC Little-Endian
MIPS little-endian, 0x160 big-endian
MIPS little-endian
MIPS little-endian
RISCV32
RISCV64
RISCV128
SH3 little-endian
SH3E little-endian
SH4 little-endian
Useful for indicating we want to interact with the host and not a WoW guest.
ARM Thumb/Thumb-2 Little-Endian
Infineon
MIPS little-endian WCE v2
If Image is on Net, copy and run from the swap file.
Relocation info stripped from file.
If Image is on removable media, copy and run from the swap file.
System File.
File should only be run on a UP machine
Module performs control flow and write integrity checks
Module enables suppression of exports
Module contains suppressed export information.
Module contains valid control flow target metadata
Stride of Guard CF function table encoded in these bits (additional count of bytes per element)
Shift to right-justify Guard CF function table stride
Module performs control flow integrity checks using system-supplied support
Module contains longjmp target information
Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
The containing GFID entry is export suppressed
The containing GFID entry is suppressed
Module supports read only delay load IAT
Module was built with retpoline support
Module requests that the OS enable return flow protection
Module contains return flow instrumentation and metadata
Module requests that the OS enable return flow protection in strict mode
Module does not make use of the /GS security cookie
High 16-bit GP relative reference
Low 16-bit GP relative reference
Low 16 bits of 48 bit reference
Middle 16 bits of 48 bit reference
High 16 bits of 48 bit reference
High 16-bit section relative reference
Low 16-bit section relative reference
Reference is absolute, no relocation is necessary
32-bit address (VA).
32-bit address w/o image base (RVA).
64-bit address (VA).
Indirect branch to a CFG check
Indirect branch to a CFG check, with REX.W prefix
Indirect call to a CFG check
Indirect branch to an import
Indirect call to an import
Indirect branch to a target in RAX (no CFG)
Indirect branch to a target in RAX, with REX.W prefix (no CFG)
Indirect branch for a switch table using Reg 0 (RAX)
Indirect branch for a switch table using Reg 15 (R15)
Indirect call to a target in RAX (no CFG)
32-bit relative address from byte following reloc
32-bit relative address from byte distance 1 from reloc
32-bit relative address from byte distance 2 from reloc
32-bit relative address from byte distance 3 from reloc
32-bit relative address from byte distance 4 from reloc
32-bit relative address from byte distance 5 from reloc
32 bit offset from base of section containing target
7 bit unsigned offset from base of section containing target
Section index
32 bit signed span-dependent value emitted into object
32 bit signed span-dependent value applied at link time
32 bit metadata token
No relocation required
32 bit address. Review! do we need it?
32 bit address w/o image base (RVA: for Data/PData/XData)
64 bit address
19 bit offset << 2 & sign ext. for conditional B
26 bit offset << 2 & sign ext. for B & BL
ADD/ADDS (immediate) with zero shift, for page offset
LDR (indexed, unsigned immediate), for page offset
Offset within section
ADD/ADDS (immediate) with zero shift, for bit 12:23 of section offset
ADD/ADDS (immediate) with zero shift, for bit 0:11 of section offset
LDR (indexed, unsigned immediate), for bit 0:11 of section offset
Section table index
No relocation required
32 bit address
32 bit address w/o image base
Thumb: BLX immediate
Thumb: 2 11 bit offsets
Thumb: 32-bit conditional B
24 bit offset << 2 & sign ext.
Thumb: 32-bit B or BL
GP-relative addressing (Thumb)
GP-relative addressing (ARM)
ARM: MOVW/MOVT (deprecated)
ARM: MOVW/MOVT
Thumb: MOVW/MOVT
Offset within section
Section table index
clr token
Reference is absolute, no relocation is necessary
32-bit address (VA).
32-bit address w/o image base (RVA).
64-bit address (VA).
32 bit offset from base of section containing target
Section index
32 bit metadata token
Reference is absolute, no relocation is necessary
32-bit address (VA).
32-bit address w/o image base (RVA).
64-bit address (VA).
32 bit offset from base of section containing target
Section index
32 bit metadata token
No relocation required
32 bit address w/o image base
32-bit relative address from byte following reloc
Offset within section
Section table index
Reference is absolute, no relocation is necessary
Direct 16-bit reference to the symbols virtual address
Direct 32-bit reference to the symbols virtual address
Direct 32-bit reference to the symbols virtual address, base not included
PC-relative 16-bit reference to the symbols virtual address
PC-relative 32-bit reference to the symbols virtual address
7 bit offset from base of section containing target
Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
clr token
If possible, convert to MBB bundle with NOP.B in slot 1
If possible, convert to MFB bundle with NOP.F in slot 1
If possible, convert to MIB bundle with NOP.I in slot 1
If possible, convert to MMB bundle with NOP.M in slot 1
This is always a BRL and never converted
clr token
No relocation required
24 bit address
32 bit address
32 bit address w/o image base
GP relative addressing
Link HI and LO
8 bit offset << 2 & sign ext.
16 bit offset << 2 & sign ext.
24 bit offset << 2 & sign ext.
16 MSBs
16 MSBs; adj for LSB sign ext.
16 LSBs
32 bit section relative reference
Section table index
clr token
Reference is absolute, no relocation is necessary
High 16-bit section relative reference (used for >32k TLS)
Low 16-bit section relative reference (used for >32k TLS)
clr token
16-bit address, shifted left 2 (load doubleword)
16-bit address
26-bit address, shifted left 2 (branch absolute)
32-bit address
32-bit addr w/o image base
64-bit address
fix branch prediction bit to predict branch not taken
fix branch prediction bit to predict branch taken
substitute TOC restore instruction iff symbol is glue code
symbol is glue code; virtual address is TOC restore instruction
subtract reloc value rather than adding it
16-bit PC-relative offset, shifted left 2 (br cond relative)
26-bit PC-relative offset, shifted left 2 (branch relative)
va of containing section (as in an image sectionhdr)
va of containing section (limited to 16 bits)
High 16-bit section relative reference (used for >32k TLS)
Low 16-bit section relative reference (used for >32k TLS)
sectionheader number
toc slot defined in file (or, data in toc)
16-bit offset from TOC base, shifted left 2 (load doubleword)
16-bit offset from TOC base
clr token
mask to isolate above values in IMAGE_RELOCATION.Type
No relocation
4 bit direct (0 ext.)
4 bit direct .L (0 ext.)
4 bit direct .W (0 ext.)
8 bit direct, -128..255
8 bit direct .L (0 ext.)
8 bit direct .W (0 ext.)
16 bit direct
32 bit direct
32 bit direct not based
GP-relative addressing
8 bit PC relative .L
8 bit PC relative .W
12 LSB PC relative .W
Offset within section
Section table index
Size of EXE section
Start of EXE section
clr token
offset operand for relocation
Offset from current instruction in longwords if not NOMODE, insert the inverse of the low bit at bit 32 to select PTA/PTB
High bits of 32-bit address
Low bits of 32-bit address
High bits of relative reference
Low bits of relative reference
relocation ignores section mode
Thumb: BLX immediate (deprecated)
Thumb: 32-bit conditional B (deprecated)
Thumb: 32-bit B or BL (deprecated)
Thumb: MOVW/MOVT (deprecated)
Default alignment if no others are specified.
Section contains code.
Section contains initialized data.
Section contains uninitialized data.
Section content can be accessed relative to GP
Section contents comdat.
Section contains comments or some other type of information.
Section contains extended relocations.
Reserved.
Section contents will not become part of image.
Section can be discarded.
Section is executable.
Section is not cachable.
Section is not pageable.
Section is readable.
Section is shareable.
Section is writeable.
Reset speculative exceptions handling bits in the TLB entries for this section.
Tls index is scaled
Reserved.
when DBG was updated, the old checksum didn’t match.
Image doesn’t require a subsystem.
image is a native Win9x driver.
image runs in the OS/2 character subsystem.
image runs in the Posix character subsystem.
Unknown subsystem.
Image runs in the Windows CE subsystem.
Image runs in the Windows character subsystem.
Image runs in the Windows GUI subsystem.
Symbol is an absolute value.
Symbol is a special debug item.
array.
function.
no derived type.
pointer.
Values 0xFF00-0xFFFF are special
type character.
enumeration.
member of enumeration.
no type.
type short integer.
Symbol is undefined or is common.
Import name == public symbol name.
Import name == a name is explicitly provided after the DLL name.
Import name == public symbol name skipping leading ?, @, or optionally _.
Import name == public symbol name skipping leading ?, @, or optionally _ and truncating at first @.
Import by ordinal
Intel-IA64-Filler