/*
 *  HT Editor
 *  pestruct.h
 *
 *  Copyright (C) 1999-2002 Stefan Weyergraf (stefan@weyergraf.de)
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

/*
 *  Layout declarations for the Windows-specific parts of a PE (Portable
 *  Executable) image: the NT fields of the optional header, the data
 *  directory table, and the export, import, delay-import, resource and IL
 *  directory records.
 *
 *  Every field below is read from the file being inspected, so none of it
 *  can be trusted.  Addresses, sizes and counts must be range-checked
 *  against the real file/section extent before they are used as an offset,
 *  a length or a loop bound.
 *
 *  dword/word/qword/byte and HTPACKED are not defined in this file
 *  (presumably they come from global.h, with HTPACKED a packing attribute
 *  that keeps the in-memory layout equal to the on-disk layout -- confirm).
 *
 *  NOTE(review): several records use "typedef struct X { ... };" with no
 *  declarator and then refer to X without the struct keyword, so this
 *  header only compiles as C++.
 *  NOTE(review): the include guard starts with a double underscore, which
 *  is a name reserved for the implementation.
 */

#ifndef __PESTRUCT_H_
#define __PESTRUCT_H_

#include "global.h"
#include "tools.h"

#include "coff_s.h"

/* The four signature bytes "PE\0\0" that introduce the PE headers. */
#define PE_MAGIC0    'P'
#define PE_MAGIC1    'E'
#define PE_MAGIC2    0
#define PE_MAGIC3    0

//
// Directory format.
//
// One slot of the data directory table: where a directory lives and how
// many bytes it occupies.  In the PE format `address` is an RVA for every
// slot except PE_DIRECTORY_ENTRY_SECURITY, where it is a raw file offset.
// Both values are file-supplied; check address + size for wrap-around and
// against the mapped extent before reading the directory.
//

typedef struct PE_DATA_DIRECTORY {
    dword address HTPACKED;
    dword size HTPACKED;
};

// Capacity of the directory[] arrays below.  This is a property of these
// structs, not of the file being parsed -- see directory_count.
#define PE_NUMBEROF_DIRECTORY_ENTRIES    16

//
// Optional header format.
//
// These structs begin at image_base, i.e. they hold only the NT-specific
// fields; the standard COFF optional-header fields that precede them are
// presumably declared in coff_s.h -- confirm.
//

// NT fields of the optional header, 32-bit (PE32) flavour.
typedef struct PE_OPTIONAL_HEADER32_NT {
    // NT additional fields.
    dword image_base HTPACKED;
    dword section_alignment HTPACKED;
    dword file_alignment HTPACKED;
    word major_os_version HTPACKED;
    word minor_os_version HTPACKED;
    word major_image_version HTPACKED;
    word minor_image_version HTPACKED;
    word major_subsystem_version HTPACKED;
    word minor_subsystem_version HTPACKED;
    dword win32_version HTPACKED;
    dword image_size HTPACKED;
    dword header_size HTPACKED;
    dword checksum HTPACKED;                // simple additive checksum, not a cryptographic integrity check
    word subsystem HTPACKED;                // one of the PE_SUBSYSTEM_* values below
    // Flag word that, in winnt.h, carries the exploit-mitigation opt-ins
    // (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, _NX_COMPAT, _GUARD_CF, ...).
    // No constants for these bits are declared in this header.
    word dll_characteristics HTPACKED;
    dword stack_reserve_size HTPACKED;
    dword stack_commit_size HTPACKED;
    dword heap_reserve_size HTPACKED;
    dword heap_commit_size HTPACKED;
    dword loader_flags HTPACKED;
    // Number of directory slots the FILE claims to have.  It can be smaller
    // or larger than PE_NUMBEROF_DIRECTORY_ENTRIES; any code indexing
    // directory[] must bound the index by both values.
    dword directory_count HTPACKED;
    PE_DATA_DIRECTORY directory[PE_NUMBEROF_DIRECTORY_ENTRIES] HTPACKED;
};

// NT fields of the optional header, 64-bit (PE32+) flavour.  Same field
// order as the 32-bit struct; image_base and the stack/heap sizes are
// widened to qword.
typedef struct PE_OPTIONAL_HEADER64_NT {
    // NT additional fields.
    qword image_base HTPACKED;
    dword section_alignment HTPACKED;
    dword file_alignment HTPACKED;
    word major_os_version HTPACKED;
    word minor_os_version HTPACKED;
    word major_image_version HTPACKED;
    word minor_image_version HTPACKED;
    word major_subsystem_version HTPACKED;
    word minor_subsystem_version HTPACKED;
    dword win32_version HTPACKED;
    dword image_size HTPACKED;
    dword header_size HTPACKED;
    dword checksum HTPACKED;                // simple additive checksum, not a cryptographic integrity check
    word subsystem HTPACKED;                // one of the PE_SUBSYSTEM_* values below
    word dll_characteristics HTPACKED;      // mitigation opt-in flags; see the note in the 32-bit struct
    qword stack_reserve_size HTPACKED;
    qword stack_commit_size HTPACKED;
    qword heap_reserve_size HTPACKED;
    qword heap_commit_size HTPACKED;
    dword loader_flags HTPACKED;
    // File-supplied slot count; bound by PE_NUMBEROF_DIRECTORY_ENTRIES
    // before indexing directory[].
    dword directory_count HTPACKED;
    PE_DATA_DIRECTORY directory[PE_NUMBEROF_DIRECTORY_ENTRIES] HTPACKED;
};

// Subsystem Values
// The list has gaps (0, 4, 6) and a file may carry any 16-bit value, so
// consumers need a fallback for values that are not listed here.

#define PE_SUBSYSTEM_NATIVE                     1    // image doesn't require a subsystem.
#define PE_SUBSYSTEM_WINDOWS_GUI                2    // image runs in the Windows GUI subsystem.
#define PE_SUBSYSTEM_WINDOWS_CUI                3    // image runs in the Windows character subsystem.
#define PE_SUBSYSTEM_OS2_CUI                    5    // image runs in the OS/2 character subsystem.
#define PE_SUBSYSTEM_POSIX_CUI                  7    // image runs in the Posix character subsystem.
#define PE_SUBSYSTEM_RESERVED8                  8    // treated as reserved here; winnt.h calls it IMAGE_SUBSYSTEM_NATIVE_WINDOWS.
#define PE_SUBSYSTEM_CE_GUI                     9    // image runs in the Windows CE subsystem.
#define PE_SUBSYSTEM_EFI_APPLICATION            10   // image is an EFI application.
#define PE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER    11   // image is an EFI driver that provides boot services.
#define PE_SUBSYSTEM_EFI_RUNTIME_DRIVER         12   // image is an EFI driver that provides runtime services.

// Directory Entries
// Indices into directory[].  Slot 15 has no name here, although the array
// has PE_NUMBEROF_DIRECTORY_ENTRIES (16) slots.

#define PE_DIRECTORY_ENTRY_EXPORT          0    // Export Directory
#define PE_DIRECTORY_ENTRY_IMPORT          1    // Import Directory
#define PE_DIRECTORY_ENTRY_RESOURCE        2    // Resource Directory
#define PE_DIRECTORY_ENTRY_EXCEPTION       3    // Exception Directory
#define PE_DIRECTORY_ENTRY_SECURITY        4    // Security Directory (certificate table; its address is a file offset, not an RVA)
#define PE_DIRECTORY_ENTRY_BASERELOC       5    // Base Relocation Table
#define PE_DIRECTORY_ENTRY_DEBUG           6    // Debug Directory
#define PE_DIRECTORY_ENTRY_COPYRIGHT       7    // Description String (winnt.h: IMAGE_DIRECTORY_ENTRY_ARCHITECTURE)
#define PE_DIRECTORY_ENTRY_GLOBALPTR       8    // Machine Value (MIPS GP)
#define PE_DIRECTORY_ENTRY_TLS             9    // TLS Directory
#define PE_DIRECTORY_ENTRY_LOAD_CONFIG    10    // Load Configuration Directory
#define PE_DIRECTORY_ENTRY_BOUND_IMPORT   11    // Bound Import Directory in headers
#define PE_DIRECTORY_ENTRY_IAT            12    // Import Address Table
#define PE_DIRECTORY_ENTRY_DELAY_IMPORT   13    // Delay Import Directory
#define PE_DIRECTORY_ENTRY_IL             14    // IL (e.g. MS .NET) (winnt.h: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

/*
 *  Export
 *
 *  Header of the export directory.  The three *_table_address fields
 *  locate the function, name and ordinal tables; function_count and
 *  name_count give their lengths.  Both counts come from the file, so
 *  check count * entry size against the available data before walking a
 *  table, and check each value taken from the ordinal table against
 *  function_count before using it as an index.
 */

struct PE_EXPORT_DIRECTORY {
    dword characteristics HTPACKED;
    dword timestamp HTPACKED;
    word major_version HTPACKED;
    word minor_version HTPACKED;
    dword name_address HTPACKED;
    dword ordinal_base HTPACKED;
    dword function_count HTPACKED;
    dword name_count HTPACKED;
    dword function_table_address HTPACKED;
    dword name_table_address HTPACKED;
    dword ordinal_table_address HTPACKED;
};

/*
 *  Import
 */

// One 32-bit import thunk.  All four members overlay the same dword; which
// reading applies depends on context.  In the PE format the top bit
// selects import-by-ordinal; no constant for that bit is declared in this
// header.
struct PE_THUNK_DATA {
    union {
        dword forwarder_string HTPACKED;
        dword function_desc_address HTPACKED;
        dword ordinal HTPACKED;
        dword data_address HTPACKED;
    };
};

// 64-bit (PE32+) form of the import thunk: same overlay, qword wide.
struct PE_THUNK_DATA_64 {
    union {
        qword forwarder_string HTPACKED;
        qword function_desc_address HTPACKED;
        qword ordinal HTPACKED;
        qword data_address HTPACKED;
    };
};

// One entry of the import descriptor array, one per imported module.  The
// array ends with a null descriptor (see `characteristics`); a parser
// should also stop at the end of the directory/file rather than rely on
// the terminator alone, because a malformed file may omit it.
struct PE_IMPORT_DESCRIPTOR {
    union {
        dword characteristics HTPACKED;         // 0 for terminating null import descriptor
        dword original_first_thunk HTPACKED;    // rva to original unbound IAT
    };
    dword timestamp HTPACKED;           // 0 if not bound,
                                        // -1 if bound, and real date/time stamp
                                        // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                        // otherwise date/time stamp of DLL bound to (Old BIND)

    dword forwarder_chain HTPACKED;     // -1 if no forwarders
    dword name HTPACKED;                // presumably the RVA of the module name string -- confirm
    dword first_thunk HTPACKED;         // rva to IAT (if bound this IAT has actual addresses)
};

/*
 *  Delay Import
 *
 *  One delay-load descriptor.  In the PE format bit 0 of `attributes`
 *  states whether the other fields are RVAs or, in the older layout,
 *  absolute virtual addresses; a parser has to branch on that bit before
 *  translating any of them.  No constant for the bit is declared here.
 */

struct PE_DELAY_IMPORT_DESCRIPTOR {
    dword attributes HTPACKED;
    dword name HTPACKED;
    dword module_handle HTPACKED;
    dword delay_iat HTPACKED;
    dword delay_int HTPACKED;
    dword bound_delay_import_table HTPACKED;
    dword unload_delay_import_table HTPACKED;
    dword timestamp HTPACKED;
};

/*
 *  Resource
 *
 *  The resource section is a tree: each PE_RESOURCE_DIRECTORY is followed
 *  by name_count + id_count PE_RESOURCE_DIRECTORY_ENTRY records, and each
 *  entry leads either to another directory or to a
 *  PE_RESOURCE_DATA_ENTRY.  All offsets and counts are file-supplied, so a
 *  walker should bound every offset, cap the recursion depth and guard
 *  against entries that point back to a directory already visited.
 */

struct PE_RESOURCE_DIRECTORY {
    dword characteristics HTPACKED;
    dword timedate_stamp HTPACKED;
    word major_version HTPACKED;
    word minor_version HTPACKED;
    word name_count HTPACKED;
    word id_count HTPACKED;
//  PE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
};

// High-bit flags for the two PE_RESOURCE_DIRECTORY_ENTRY fields.  Both
// have the same value; which one applies depends on the field tested.
#define PE_RESOURCE_NAME_IS_STRING       0x80000000    // tested on `name`
#define PE_RESOURCE_DATA_IS_DIRECTORY    0x80000000    // tested on `offset_to_directory`

struct PE_RESOURCE_DIRECTORY_ENTRY {
    dword name HTPACKED;                    // or id
    dword offset_to_directory HTPACKED;     // or data
};

/*typedef struct PE_RESOURCE_DIRECTORY_STRING {
    word Length;
    CHAR NameString[ 1 ];
};


typedef struct PE_RESOURCE_DIR_STRING_U {
    word Length;
    WCHAR NameString[ 1 ];
};*/

// Leaf of the resource tree: where the resource bytes are and how long
// they are.  offset_to_data and size need the same range checks as a data
// directory.
struct PE_RESOURCE_DATA_ENTRY {
    dword offset_to_data HTPACKED;
    dword size HTPACKED;
    dword codepage HTPACKED;
    dword reserved HTPACKED;
};

/*
 *  IL
 *
 *  Record found through directory slot PE_DIRECTORY_ENTRY_IL.  The meaning
 *  of the two attribute bits is not documented in this file.
 */

#define PE_IL_DIRECTORY_ATTRIBUTES_HAD_NATIVE    0x1
#define PE_IL_DIRECTORY_ATTRIBUTES_INT64         0x2

struct PE_IL_DIRECTORY {
    dword size HTPACKED;
    word major_version HTPACKED;
    word minor_version HTPACKED;
    dword metadata_section_rva HTPACKED;    // file-supplied; validate together with metadata_section_size
    dword metadata_section_size HTPACKED;
    dword attributes HTPACKED;              // PE_IL_DIRECTORY_ATTRIBUTES_* bits
};

// One byte table per struct above, defined in another translation unit.
// Presumably field-layout descriptors used to convert the structs between
// file and host byte order -- confirm against the definitions.
extern byte PE_DATA_DIRECTORY_struct[];
extern byte PE_OPTIONAL_HEADER32_NT_struct[];
extern byte PE_OPTIONAL_HEADER64_NT_struct[];
extern byte PE_EXPORT_DIRECTORY_struct[];
extern byte PE_THUNK_DATA_struct[];
extern byte PE_THUNK_DATA_64_struct[];
extern byte PE_IMPORT_DESCRIPTOR_struct[];
extern byte PE_DELAY_IMPORT_DESCRIPTOR_struct[];
extern byte PE_RESOURCE_DIRECTORY_struct[];
extern byte PE_RESOURCE_DIRECTORY_ENTRY_struct[];
extern byte PE_RESOURCE_DATA_ENTRY_struct[];
extern byte PE_IL_DIRECTORY_struct[];

#endif