#pragma once
#include "global.h"
/*
|| AUTHOR Arsium ||
|| github : https://github.com/arsium ||
*/
// MS-DOS stub header found at offset 0 of every PE image. Field-for-field mirror of
// winnt.h's IMAGE_DOS_HEADER; the leading underscore on the typedef names appears to
// exist so this file can be used without pulling in <windows.h>.
// Every field is read straight out of the image being loaded and is therefore
// attacker-controlled: check e_magic and range-check e_lfanew before following it.
typedef struct IMAGE_DOS_HEADER
{
    _WORD e_magic;      // "MZ" signature (0x5A4D per the PE/COFF spec); reject anything else
    _WORD e_cblp;       // bytes on last page of file (DOS-era, ignored by the NT loader)
    _WORD e_cp;         // pages in file
    _WORD e_crlc;       // relocations
    _WORD e_cparhdr;    // size of header in paragraphs
    _WORD e_minalloc;   // minimum extra paragraphs needed
    _WORD e_maxalloc;   // maximum extra paragraphs needed
    _WORD e_ss;         // initial (relative) SS value
    _WORD e_sp;         // initial SP value
    _WORD e_csum;       // checksum
    _WORD e_ip;         // initial IP value
    _WORD e_cs;         // initial (relative) CS value
    _WORD e_lfarlc;     // file address of relocation table
    _WORD e_ovno;       // overlay number
    _WORD e_res[4];     // reserved
    _WORD e_oemid;      // OEM identifier
    _WORD e_oeminfo;    // OEM information
    _WORD e_res2[10];   // reserved
    _LONG e_lfanew;     // file offset of the "PE\0\0" NT headers. Note the type is signed:
                        // a negative value, or one where e_lfanew + sizeof(NT headers)
                        // exceeds the buffer, must be rejected or the header walk reads
                        // out of bounds.
} _IMAGE_DOS_HEADER, * _PIMAGE_DOS_HEADER;
// One slot of OptionalHeader.DataDirectory[]: the RVA and byte size of a table
// (export, import, base-relocation, TLS, ...). Both values are untrusted. A directory
// is only usable when VirtualAddress != 0, Size != 0 and [VirtualAddress,
// VirtualAddress + Size) lies inside SizeOfImage (and, when reading the raw file rather
// than a mapped image, resolves through a real section).
typedef struct IMAGE_DATA_DIRECTORY
{
    _DWORD VirtualAddress;  // RVA of the table, relative to the image base
    _DWORD Size;            // size of the table in bytes
} _IMAGE_DATA_DIRECTORY, * _PIMAGE_DATA_DIRECTORY;
// PE32 (32-bit) optional header, mirror of winnt.h IMAGE_OPTIONAL_HEADER32.
// Differs from the 64-bit variant below by the BaseOfData field and by ImageBase and
// the stack/heap sizes being 32-bit. Select the variant from Magic (0x10B = PE32 per
// the spec), never from the host's pointer size, since the image may be the other
// bitness.
typedef struct IMAGE_OPTIONAL_HEADER
{
    _WORD Magic;                    // 0x10B for PE32; anything else means this struct does not apply
    _BYTE MajorLinkerVersion;
    _BYTE MinorLinkerVersion;
    _DWORD SizeOfCode;
    _DWORD SizeOfInitializedData;
    _DWORD SizeOfUninitializedData;
    _DWORD AddressOfEntryPoint;     // RVA of the entry point; must be < SizeOfImage before control is transferred
    _DWORD BaseOfCode;
    _DWORD BaseOfData;              // PE32 only; absent from the PE32+ layout
    _DWORD ImageBase;               // preferred load address (32-bit here); delta from the actual base drives relocation
    _DWORD SectionAlignment;        // in-memory section alignment
    _DWORD FileAlignment;           // on-disk section alignment
    _WORD MajorOperatingSystemVersion;
    _WORD MinorOperatingSystemVersion;
    _WORD MajorImageVersion;
    _WORD MinorImageVersion;
    _WORD MajorSubsystemVersion;
    _WORD MinorSubsystemVersion;
    _DWORD Win32VersionValue;
    _DWORD SizeOfImage;             // total mapped size; sanity-check it (>= SizeOfHeaders, not absurdly large) before allocating
    _DWORD SizeOfHeaders;           // bytes of headers to copy; the section table must fit inside this
    _DWORD CheckSum;
    _WORD Subsystem;
    _WORD DllCharacteristics;       // loader opt-in flags (ASLR/NX/CFG-style bits per the spec)
    _DWORD SizeOfStackReserve;
    _DWORD SizeOfStackCommit;
    _DWORD SizeOfHeapReserve;
    _DWORD SizeOfHeapCommit;
    _DWORD LoaderFlags;
    _DWORD NumberOfRvaAndSizes;     // number of valid DataDirectory entries as claimed by the file.
                                    // The array below is fixed-size, so only index entries
                                    // < min(NumberOfRvaAndSizes, _IMAGE_NUMBEROF_DIRECTORY_ENTRIES).
    _IMAGE_DATA_DIRECTORY DataDirectory[_IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // _IMAGE_NUMBEROF_DIRECTORY_ENTRIES comes from global.h
} _IMAGE_OPTIONAL_HEADER32, * _PIMAGE_OPTIONAL_HEADER32;
// PE32+ (64-bit) optional header, mirror of winnt.h IMAGE_OPTIONAL_HEADER64.
// Same caveats as the 32-bit variant: pick it from Magic (0x20B = PE32+ per the spec),
// treat every size/RVA as untrusted, and clamp DataDirectory indexing to the fixed
// array size regardless of what NumberOfRvaAndSizes claims.
typedef struct IMAGE_OPTIONAL_HEADER64
{
    _WORD Magic;                    // 0x20B for PE32+
    _BYTE MajorLinkerVersion;
    _BYTE MinorLinkerVersion;
    _DWORD SizeOfCode;
    _DWORD SizeOfInitializedData;
    _DWORD SizeOfUninitializedData;
    _DWORD AddressOfEntryPoint;     // RVA; must be < SizeOfImage before control is transferred
    _DWORD BaseOfCode;
    _ULONGLONG ImageBase;           // 64-bit preferred load address; delta from actual base drives relocation
    _DWORD SectionAlignment;
    _DWORD FileAlignment;
    _WORD MajorOperatingSystemVersion;
    _WORD MinorOperatingSystemVersion;
    _WORD MajorImageVersion;
    _WORD MinorImageVersion;
    _WORD MajorSubsystemVersion;
    _WORD MinorSubsystemVersion;
    _DWORD Win32VersionValue;
    _DWORD SizeOfImage;             // total mapped size; sanity-check before allocating
    _DWORD SizeOfHeaders;           // the section table must fit inside this
    _DWORD CheckSum;
    _WORD Subsystem;
    _WORD DllCharacteristics;       // loader opt-in flags (ASLR/NX/CFG-style bits per the spec)
    _ULONGLONG SizeOfStackReserve;  // 64-bit in PE32+
    _ULONGLONG SizeOfStackCommit;
    _ULONGLONG SizeOfHeapReserve;
    _ULONGLONG SizeOfHeapCommit;
    _DWORD LoaderFlags;
    _DWORD NumberOfRvaAndSizes;     // claimed entry count; clamp to _IMAGE_NUMBEROF_DIRECTORY_ENTRIES when indexing
    _IMAGE_DATA_DIRECTORY DataDirectory[_IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} _IMAGE_OPTIONAL_HEADER64, * _PIMAGE_OPTIONAL_HEADER64;
// Unaligned-access annotation, copied from winnt.h. On architectures that fault on
// misaligned loads the pointer typedefs for tables that are not naturally aligned in a
// file mapping (_PIMAGE_IMPORT_DESCRIPTOR, _PIMAGE_BASE_RELOCATION below) carry the
// MSVC-specific `__unaligned` qualifier; on x86 (the #else path) it expands to nothing.
// NOTE(review): `__unaligned` is an MSVC keyword, so this branch will not build with
// GCC/Clang for the listed targets without a compatibility define.
#if defined(_M_MRX000) || defined(_M_ALPHA) || defined(_M_PPC) || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ARM) || defined(_M_ARM64)
#define _ALIGNMENT_MACHINE
#define _UNALIGNED __unaligned
#if defined(_WIN64)
#define _UNALIGNED64 __unaligned
#else
#define _UNALIGNED64
#endif
#else
#undef _ALIGNMENT_MACHINE
#define _UNALIGNED
#define _UNALIGNED64
#endif
// COFF file header that immediately follows the "PE\0\0" signature.
// Machine should be compared against the host architecture before mapping;
// NumberOfSections and SizeOfOptionalHeader bound where the section table is and how
// far the section walk may go, so both need validating against SizeOfHeaders.
typedef struct IMAGE_FILE_HEADER
{
    _WORD Machine;              // target architecture (e.g. 0x14C i386, 0x8664 AMD64 per the spec)
    _WORD NumberOfSections;     // entries in the section table; check NumberOfSections * sizeof(section header) fits in SizeOfHeaders
    _DWORD TimeDateStamp;
    _DWORD PointerToSymbolTable;
    _DWORD NumberOfSymbols;
    _WORD SizeOfOptionalHeader; // the section table starts this many bytes after OptionalHeader; locate it from this
                                // value rather than sizeof(), and reject values smaller than the struct in use
    _WORD Characteristics;      // image attribute flags (DLL, executable, ...)
} _IMAGE_FILE_HEADER, * _PIMAGE_FILE_HEADER;
// NT headers for a PE32+ image, located at DOS header e_lfanew.
// Before using the 64-bit OptionalHeader, verify Signature == 0x00004550 ("PE\0\0"),
// OptionalHeader.Magic == 0x20B and that FileHeader.SizeOfOptionalHeader actually
// covers sizeof(_IMAGE_OPTIONAL_HEADER64).
typedef struct IMAGE_NT_HEADERS64
{
    _DWORD Signature;                       // "PE\0\0"
    _IMAGE_FILE_HEADER FileHeader;
    _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} _IMAGE_NT_HEADERS64, * _PIMAGE_NT_HEADERS64;
// NT headers for a PE32 image (struct tag is IMAGE_NT_HEADERS, typedef name carries the
// 32 suffix to match the 64-bit sibling). Same checks as above: Signature, Magic ==
// 0x10B, and SizeOfOptionalHeader >= sizeof(_IMAGE_OPTIONAL_HEADER32).
typedef struct IMAGE_NT_HEADERS
{
    _DWORD Signature;                       // "PE\0\0"
    _IMAGE_FILE_HEADER FileHeader;
    _IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} _IMAGE_NT_HEADERS32, * _PIMAGE_NT_HEADERS32;
// One entry of the section table. When copying sections into a fresh mapping, copy
// min(VirtualSize, SizeOfRawData) bytes and zero-fill the rest, and reject entries where
// PointerToRawData + SizeOfRawData exceeds the source buffer or VirtualAddress +
// VirtualSize exceeds SizeOfImage. Apply page protections from Characteristics rather
// than mapping everything RWX.
typedef struct IMAGE_SECTION_HEADER {
    _BYTE Name[_IMAGE_SIZEOF_SHORT_NAME];   // 8 bytes, NOT guaranteed NUL-terminated when all 8 are used;
                                            // never hand it to strlen/%s directly
    union {
        _DWORD PhysicalAddress;
        _DWORD VirtualSize;                 // size in memory; may be larger (bss) or smaller than SizeOfRawData
    } Misc;
    _DWORD VirtualAddress;                  // RVA where the section is mapped
    _DWORD SizeOfRawData;                   // bytes present in the file
    _DWORD PointerToRawData;                // file offset of those bytes
    _DWORD PointerToRelocations;            // object-file only
    _DWORD PointerToLinenumbers;            // object-file only
    _WORD NumberOfRelocations;
    _WORD NumberOfLinenumbers;
    _DWORD Characteristics;                 // section flags incl. read/write/execute bits
} _IMAGE_SECTION_HEADER, * _PIMAGE_SECTION_HEADER;
// One imported DLL in the import directory. The array is terminated by an all-zero
// entry, but a loader must also stop when it runs past the import directory's Size /
// SizeOfImage, since a hostile image can omit the terminator. Name and the two thunk
// RVAs are untrusted and must be bounds-checked (and the DLL name read with a length
// limit) before use.
// NOTE(review): the union is tagged DUMMYUNIONNAME here but _DUMMYUNIONNAME in the TLS
// structs below; unless global.h defines both the same way, member access differs between
// the two ({.OriginalFirstThunk} vs {.DUMMYUNIONNAME.OriginalFirstThunk}) — confirm.
typedef struct IMAGE_IMPORT_DESCRIPTOR
{
    union {
        _DWORD Characteristics;     // 0 for terminating null import descriptor
        _DWORD OriginalFirstThunk;  // RVA to original unbound IAT (PIMAGE_THUNK_DATA); may be 0 in old-style images
    } DUMMYUNIONNAME;
    _DWORD TimeDateStamp;           // 0 if not bound,
                                    // -1 if bound, and real date\time stamp
                                    // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                    // O.W. date/time stamp of DLL bound to (Old BIND)
    _DWORD ForwarderChain;          // -1 if no forwarders
    _DWORD Name;                    // RVA of the NUL-terminated DLL name
    _DWORD FirstThunk;              // RVA to IAT (if bound this IAT has actual addresses); the loader writes resolved addresses here
} _IMAGE_IMPORT_DESCRIPTOR;
// Pointer type carries _UNALIGNED because the import directory is not necessarily
// naturally aligned inside a file mapping.
typedef _IMAGE_IMPORT_DESCRIPTOR _UNALIGNED* _PIMAGE_IMPORT_DESCRIPTOR;
//@[comment("MVI_tracked")]
// Target of a by-name import thunk. Name[1] is the winnt.h idiom for a variable-length,
// NUL-terminated string that continues past the end of the struct; it is not a one-byte
// array. Because the terminator is supplied by the image, bound the string read by the
// remaining size of the containing buffer.
typedef struct IMAGE_IMPORT_BY_NAME
{
    _WORD Hint;     // suggested index into the exporting DLL's name table (an optimisation only; fall back to lookup)
    _CHAR Name[1];  // start of the NUL-terminated function name
} _IMAGE_IMPORT_BY_NAME, * _PIMAGE_IMPORT_BY_NAME;
//@[comment("MVI_tracked")]
// One 64-bit IAT / import-lookup entry. All members alias the same 8 bytes. Per the
// spec, if the top bit (the ordinal flag, see _IMAGE_ORDINAL_FLAG64 from global.h) is
// set the low 16 bits are an export ordinal; otherwise AddressOfData is an RVA to an
// _IMAGE_IMPORT_BY_NAME and must be bounds-checked before dereferencing. Once resolved
// the loader overwrites the entry with the absolute Function address.
typedef struct IMAGE_THUNK_DATA64
{
    union {
        _ULONGLONG ForwarderString; // PBYTE
        _ULONGLONG Function;        // PDWORD
        _ULONGLONG Ordinal;
        _ULONGLONG AddressOfData;   // PIMAGE_IMPORT_BY_NAME
    } u1;
} _IMAGE_THUNK_DATA64;
typedef _IMAGE_THUNK_DATA64* _PIMAGE_THUNK_DATA64;
//@[comment("MVI_tracked")]
// 32-bit counterpart of _IMAGE_THUNK_DATA64: 4-byte entry, ordinal flag in bit 31
// (_IMAGE_ORDINAL_FLAG32 from global.h). Same rule: an ordinal thunk uses the low 16
// bits, a by-name thunk holds an RVA that must be validated before use.
typedef struct IMAGE_THUNK_DATA32
{
    union {
        _DWORD ForwarderString;     // PBYTE
        _DWORD Function;            // PDWORD
        _DWORD Ordinal;
        _DWORD AddressOfData;       // PIMAGE_IMPORT_BY_NAME
    } u1;
} _IMAGE_THUNK_DATA32;
typedef _IMAGE_THUNK_DATA32* _PIMAGE_THUNK_DATA32;
// PE32+ TLS directory. Unlike most PE tables these addresses are absolute virtual
// addresses (they are fixed up by base relocations), not RVAs. AddressOfCallBacks
// points to a NULL-terminated array of function pointers that a loader invokes before
// the entry point; a manual mapper that honours them is executing addresses chosen by
// the image, so confirm each callback lies inside the mapped image and bound the walk.
typedef struct IMAGE_TLS_DIRECTORY64
{
    _ULONGLONG StartAddressOfRawData;   // VA of the TLS template
    _ULONGLONG EndAddressOfRawData;     // VA one past the template; must be >= Start
    _ULONGLONG AddressOfIndex;          // PDWORD, VA where the loader stores the TLS slot index
    _ULONGLONG AddressOfCallBacks;      // PIMAGE_TLS_CALLBACK *; VA of NULL-terminated callback array
    _DWORD SizeOfZeroFill;              // bytes zeroed after the template in each thread's block
    union {
        _DWORD Characteristics;
        struct {
            _DWORD Reserved0 : 20;
            _DWORD Alignment : 4;       // template alignment as a power of two
            _DWORD Reserved1 : 8;
        } _DUMMYSTRUCTNAME;
    } _DUMMYUNIONNAME;
} _IMAGE_TLS_DIRECTORY64;
typedef _IMAGE_TLS_DIRECTORY64* _PIMAGE_TLS_DIRECTORY64;
// PE32 TLS directory; identical layout to the 64-bit one with 32-bit VAs. The same
// caution applies to AddressOfCallBacks: the callbacks run before the entry point and
// their targets come from the image, so validate them against the mapped range.
typedef struct IMAGE_TLS_DIRECTORY32
{
    _DWORD StartAddressOfRawData;   // VA of the TLS template
    _DWORD EndAddressOfRawData;     // VA one past the template; must be >= Start
    _DWORD AddressOfIndex;          // PDWORD
    _DWORD AddressOfCallBacks;      // PIMAGE_TLS_CALLBACK *; VA of NULL-terminated callback array
    _DWORD SizeOfZeroFill;
    union {
        _DWORD Characteristics;
        struct {
            _DWORD Reserved0 : 20;
            _DWORD Alignment : 4;   // template alignment as a power of two
            _DWORD Reserved1 : 8;
        } _DUMMYSTRUCTNAME;
    } _DUMMYUNIONNAME;
} _IMAGE_TLS_DIRECTORY32;
typedef _IMAGE_TLS_DIRECTORY32* _PIMAGE_TLS_DIRECTORY32;
// Header of one base-relocation block. Per the spec it is followed by
// (SizeOfBlock - sizeof(header)) / 2 WORD entries, each 4 bits of type and 12 bits of
// page offset. Two checks keep a relocation loop safe against a hostile image:
// SizeOfBlock must be >= sizeof(_IMAGE_BASE_RELOCATION) (a zero value otherwise makes
// the `cursor += SizeOfBlock` loop spin forever) and must not run past the relocation
// directory's Size; and VirtualAddress + offset must stay inside SizeOfImage before
// the fix-up is written.
typedef struct IMAGE_BASE_RELOCATION
{
    _DWORD VirtualAddress;  // RVA of the 4 KiB page this block patches
    _DWORD SizeOfBlock;     // total block size in bytes, header included
    // WORD TypeOffset[1]; // entries follow the header in memory (kept out of the struct as in winnt.h)
} _IMAGE_BASE_RELOCATION;
// _UNALIGNED: relocation blocks are not necessarily naturally aligned in a file mapping.
typedef _IMAGE_BASE_RELOCATION _UNALIGNED* _PIMAGE_BASE_RELOCATION;
// Export directory. The three Address* fields are RVAs to parallel arrays:
// AddressOfFunctions has NumberOfFunctions DWORD RVAs, AddressOfNames has NumberOfNames
// DWORD RVAs to NUL-terminated names, and AddressOfNameOrdinals has NumberOfNames WORD
// indexes into the function array (ordinal = index + Base). When resolving, check every
// index against the corresponding count and every RVA against SizeOfImage; and note
// that a function RVA falling inside this directory's own range is a forwarder string,
// not code, per the spec.
typedef struct IMAGE_EXPORT_DIRECTORY
{
    _DWORD Characteristics;
    _DWORD TimeDateStamp;
    _WORD MajorVersion;
    _WORD MinorVersion;
    _DWORD Name;                    // RVA of the DLL's own name
    _DWORD Base;                    // ordinal of the first entry in AddressOfFunctions
    _DWORD NumberOfFunctions;       // bounds AddressOfFunctions
    _DWORD NumberOfNames;           // bounds AddressOfNames and AddressOfNameOrdinals
    _DWORD AddressOfFunctions;      // RVA from base of image
    _DWORD AddressOfNames;          // RVA from base of image
    _DWORD AddressOfNameOrdinals;   // RVA from base of image (array of WORD)
} _IMAGE_EXPORT_DIRECTORY, * _PIMAGE_EXPORT_DIRECTORY;
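// Bitness-neutral aliases, selected by the host build (_WIN64), mirroring the tail of
// winnt.h. Note these follow the *compiler's* target, not the image's Magic: code that
// must handle both PE32 and PE32+ images from one build should use the explicit 32/64
// types above. The 64/32-specific macros referenced here (_IMAGE_NT_OPTIONAL_HDR*_MAGIC,
// _IMAGE_ORDINAL_FLAG*, _IMAGE_ORDINAL*, _IMAGE_SNAP_BY_ORDINAL*) are not defined in this
// file and are presumably supplied by global.h.
#ifdef _WIN64
typedef _IMAGE_NT_HEADERS64 _IMAGE_NT_HEADERS;
typedef _PIMAGE_NT_HEADERS64 _PIMAGE_NT_HEADERS;
typedef _IMAGE_OPTIONAL_HEADER64 _IMAGE_OPTIONAL_HEADER;
typedef _PIMAGE_OPTIONAL_HEADER64 _PIMAGE_OPTIONAL_HEADER;
#define _IMAGE_NT_OPTIONAL_HDR_MAGIC _IMAGE_NT_OPTIONAL_HDR64_MAGIC
#define _IMAGE_ORDINAL_FLAG _IMAGE_ORDINAL_FLAG64
#define _IMAGE_ORDINAL(Ordinal) _IMAGE_ORDINAL64(Ordinal)
typedef _IMAGE_THUNK_DATA64 _IMAGE_THUNK_DATA;
typedef _PIMAGE_THUNK_DATA64 _PIMAGE_THUNK_DATA;
#define _IMAGE_SNAP_BY_ORDINAL(Ordinal) _IMAGE_SNAP_BY_ORDINAL64(Ordinal)
typedef _IMAGE_TLS_DIRECTORY64 _IMAGE_TLS_DIRECTORY;
typedef _PIMAGE_TLS_DIRECTORY64 _PIMAGE_TLS_DIRECTORY;
#else
typedef _IMAGE_NT_HEADERS32 _IMAGE_NT_HEADERS;
typedef _PIMAGE_NT_HEADERS32 _PIMAGE_NT_HEADERS;
typedef _IMAGE_OPTIONAL_HEADER32 _IMAGE_OPTIONAL_HEADER;
typedef _PIMAGE_OPTIONAL_HEADER32 _PIMAGE_OPTIONAL_HEADER;
#define _IMAGE_NT_OPTIONAL_HDR_MAGIC _IMAGE_NT_OPTIONAL_HDR32_MAGIC
#define _IMAGE_ORDINAL_FLAG _IMAGE_ORDINAL_FLAG32
#define _IMAGE_ORDINAL(Ordinal) _IMAGE_ORDINAL32(Ordinal)
typedef _IMAGE_THUNK_DATA32 _IMAGE_THUNK_DATA;
typedef _PIMAGE_THUNK_DATA32 _PIMAGE_THUNK_DATA;
// Fix: the 32-bit branch previously defined IMAGE_SNAP_BY_ORDINAL (no leading underscore),
// so the underscored name used by the 64-bit branch did not exist in 32-bit builds, and
// the un-prefixed name collided with winnt.h's macro if both headers were included.
#define _IMAGE_SNAP_BY_ORDINAL(Ordinal) _IMAGE_SNAP_BY_ORDINAL32(Ordinal)
// Compatibility alias for any 32-bit caller still using the old spelling; guarded so it
// never redefines the SDK macro when winnt.h is also present. Prefer _IMAGE_SNAP_BY_ORDINAL.
#ifndef IMAGE_SNAP_BY_ORDINAL
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) _IMAGE_SNAP_BY_ORDINAL32(Ordinal)
#endif
typedef _IMAGE_TLS_DIRECTORY32 _IMAGE_TLS_DIRECTORY;
typedef _PIMAGE_TLS_DIRECTORY32 _PIMAGE_TLS_DIRECTORY;
#endif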