/* radare - LGPL - Copyright 2008 nibble */

/*
 * Width-dependent aliases.
 *
 * This group sits above the include guard, so it is evaluated again on every
 * inclusion: the names are dropped and then bound according to whether
 * R_BIN_PE64 is defined at that point.
 */
#undef PE_
#undef ILT_MASK1
#undef ILT_MASK2
#undef PE_Word
#undef PE_DWord
#undef PE_VWord
#undef R_BUF_READ_PE_DWORD_AT
#undef PE_DWORD_MAX

/*
 * PE_(name) pastes the Pe64_ or Pe32_ prefix onto name.
 * ILT_MASK1 is the top bit of a PE_DWord and ILT_MASK2 the remaining bits;
 * in the PE format the top bit of an import lookup table entry marks an
 * import by ordinal.
 */
#ifdef R_BIN_PE64
#define PE_(name)              Pe64_ ## name
#define ILT_MASK1              0x8000000000000000LL
#define ILT_MASK2              0x7fffffffffffffffLL
#define PE_Word                ut16
#define PE_DWord               ut64
#define PE_VWord               ut32
#define R_BUF_READ_PE_DWORD_AT r_buf_read_le64_at
#define PE_DWORD_MAX           UT64_MAX
#else
#define PE_(name)              Pe32_ ## name
#define ILT_MASK1              0x80000000
#define ILT_MASK2              0x7fffffff
#define PE_Word                ut16
#define PE_DWord               ut32
#define PE_VWord               ut32
#define R_BUF_READ_PE_DWORD_AT r_buf_read_le32_at
#define PE_DWORD_MAX           UT32_MAX
#endif

#ifndef _INCLUDE_R_BIN_PE_SPECS_H_
#define _INCLUDE_R_BIN_PE_SPECS_H_

#define PE_NAME_LENGTH   256
#define PE_STRING_LENGTH 256

/*
 * DOS (MZ) header found at the start of the file. The same layout is used
 * for both widths. The hex number in each comment is the field's offset.
 *
 * NOTE(review): every field, e_lfanew included, is read from the file under
 * analysis; e_lfanew should be range-checked against the buffer size before
 * the extended header is read at that offset.
 */
typedef struct {
	ut16 e_magic;     /* 0x00  MZ header signature */
	ut16 e_cblp;      /* 0x02  bytes on last page of file */
	ut16 e_cp;        /* 0x04  pages in file */
	ut16 e_crlc;      /* 0x06  relocations */
	ut16 e_cparhdr;   /* 0x08  size of header in paragraphs */
	ut16 e_minalloc;  /* 0x0a  minimum extra paragraphs needed */
	ut16 e_maxalloc;  /* 0x0c  maximum extra paragraphs needed */
	ut16 e_ss;        /* 0x0e  initial (relative) SS value */
	ut16 e_sp;        /* 0x10  initial SP value */
	ut16 e_csum;      /* 0x12  checksum */
	ut16 e_ip;        /* 0x14  initial IP value */
	ut16 e_cs;        /* 0x16  initial (relative) CS value */
	ut16 e_lfarlc;    /* 0x18  file address of relocation table */
	ut16 e_ovno;      /* 0x1a  overlay number */
	ut16 e_res[4];    /* 0x1c  reserved words */
	ut16 e_oemid;     /* 0x24  OEM identifier (for e_oeminfo) */
	ut16 e_oeminfo;   /* 0x26  OEM information; e_oemid specific */
	ut16 e_res2[10];  /* 0x28  reserved words */
	ut32 e_lfanew;    /* 0x3c  offset to extended header */
} Pe32_image_dos_header, Pe64_image_dos_header;

/* Optional-header Magic value for a PE32 image. */
#define PE_IMAGE_FILE_TYPE_PE32                0x10b
/* Optional-header Magic value for a PE32+ (64-bit) image. */
#define PE_IMAGE_FILE_TYPE_PE32PLUS            0x20b

/* Values of the file header's Machine field. */
#define PE_IMAGE_FILE_MACHINE_UNKNOWN          0x0000
#define PE_IMAGE_FILE_MACHINE_ALPHA            0x0184
#define PE_IMAGE_FILE_MACHINE_ALPHA64          0x0284
#define PE_IMAGE_FILE_MACHINE_AM33             0x01d3
#define PE_IMAGE_FILE_MACHINE_AMD64            0x8664
#define PE_IMAGE_FILE_MACHINE_ARM              0x01c0
#define PE_IMAGE_FILE_MACHINE_ARM64            0xaa64
#define PE_IMAGE_FILE_MACHINE_AXP64            PE_IMAGE_FILE_MACHINE_ALPHA64
#define PE_IMAGE_FILE_MACHINE_CEE              0xc0ee
#define PE_IMAGE_FILE_MACHINE_CEF              0x0cef
#define PE_IMAGE_FILE_MACHINE_EBC              0x0ebc
#define PE_IMAGE_FILE_MACHINE_I386             0x014c
#define PE_IMAGE_FILE_MACHINE_IA64             0x0200
#define PE_IMAGE_FILE_MACHINE_M32R             0x9041
#define PE_IMAGE_FILE_MACHINE_M68K             0x0268
#define PE_IMAGE_FILE_MACHINE_MIPS16           0x0266
#define PE_IMAGE_FILE_MACHINE_MIPSFPU          0x0366
#define PE_IMAGE_FILE_MACHINE_MIPSFPU16        0x0466
#define PE_IMAGE_FILE_MACHINE_POWERPC          0x01f0
#define PE_IMAGE_FILE_MACHINE_POWERPCFP        0x01f1
#define PE_IMAGE_FILE_MACHINE_R10000           0x0168
#define PE_IMAGE_FILE_MACHINE_R3000            0x0162
#define PE_IMAGE_FILE_MACHINE_R4000            0x0166
#define PE_IMAGE_FILE_MACHINE_SH3              0x01a2
#define PE_IMAGE_FILE_MACHINE_SH3DSP           0x01a3
#define PE_IMAGE_FILE_MACHINE_SH3E             0x01a4
#define PE_IMAGE_FILE_MACHINE_SH4              0x01a6
#define PE_IMAGE_FILE_MACHINE_SH5              0x01a8
#define PE_IMAGE_FILE_MACHINE_THUMB            0x01c2
#define PE_IMAGE_FILE_MACHINE_TRICORE          0x0520
#define PE_IMAGE_FILE_MACHINE_WCEMIPSV2        0x0169
#define PE_IMAGE_FILE_MACHINE_RISCV32          0x5032
#define PE_IMAGE_FILE_MACHINE_RISCV64          0x5064
#define PE_IMAGE_FILE_MACHINE_RISCV128         0x5128

/* Bit flags of the file header's Characteristics field. */
#define PE_IMAGE_FILE_RELOCS_STRIPPED          0x0001
#define PE_IMAGE_FILE_EXECUTABLE_IMAGE         0x0002
#define PE_IMAGE_FILE_LINE_NUMS_STRIPPED       0x0004
#define PE_IMAGE_FILE_LOCAL_SYMS_STRIPPED      0x0008
#define PE_IMAGE_FILE_AGGRESSIVE_WS_TRIM       0x0010
#define PE_IMAGE_FILE_LARGE_ADDRESS_AWARE      0x0020
#define PE_IMAGE_FILE_16BIT_MACHINE            0x0040
#define PE_IMAGE_FILE_BYTES_REVERSED_LO        0x0080
#define PE_IMAGE_FILE_32BIT_MACHINE            0x0100
#define PE_IMAGE_FILE_DEBUG_STRIPPED           0x0200
#define PE_IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400
#define PE_IMAGE_FILE_NET_RUN_FROM_SWAP        0x0800
#define PE_IMAGE_FILE_SYSTEM                   0x1000
#define PE_IMAGE_FILE_DLL                      0x2000
#define PE_IMAGE_FILE_UP_SYSTEM_ONLY           0x4000
#define PE_IMAGE_FILE_BYTES_REVERSED_HI        0x8000

/*
 * Bit flags of the optional header's DllCharacteristics field. Several of
 * them record which exploit mitigations the image opts into, which makes
 * this field the one to read when auditing a binary's hardening.
 *
 * The prefix is spelled two ways below (IMAGE_DLLCHARACTERISTICS_ and
 * IMAGE_DLL_CHARACTERISTICS_) and none of the names carries the PE_ prefix
 * used elsewhere in this header; search for both spellings.
 */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA       0x0020 /* high-entropy 64-bit ASLR */
#define IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE         0x0040 /* relocatable at load time (ASLR) */
#define IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY      0x0080 /* code integrity checks enforced */
#define IMAGE_DLL_CHARACTERISTICS_NX_COMPAT            0x0100 /* compatible with DEP / NX */
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION          0x0200
#define IMAGE_DLLCHARACTERISTICS_NO_SEH                0x0400 /* no structured exception handling */
#define IMAGE_DLLCHARACTERISTICS_NO_BIND               0x0800
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER          0x1000 /* must run in an AppContainer */
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER            0x2000
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF              0x4000 /* Control Flow Guard */
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000

/* Values of the debug directory entry's Type field. */
#define IMAGE_DEBUG_TYPE_CODEVIEW 2
#define IMAGE_DEBUG_TYPE_MISC     4

/*
 * COFF file header; identical for both widths.
 *
 * NOTE(review): NumberOfSections and SizeOfOptionalHeader come straight from
 * the file, so a reader should bound any allocation or loop sized by them.
 */
typedef struct {
	ut16 Machine;               /* one of PE_IMAGE_FILE_MACHINE_* */
	ut16 NumberOfSections;
	ut32 TimeDateStamp;
	ut32 PointerToSymbolTable;
	ut32 NumberOfSymbols;
	ut16 SizeOfOptionalHeader;
	ut16 Characteristics;       /* PE_IMAGE_FILE_* bit flags */
} Pe32_image_file_header, Pe64_image_file_header;

/*
 * Size of the optional header's DataDirectory array, followed by the index
 * of each entry. COPYRIGHT and ARCHITECTURE are two names for slot 7.
 *
 * For the SECURITY entry the PE format stores a file offset in the
 * VirtualAddress field, not an RVA, because the certificate table is not
 * mapped into memory.
 */
#define PE_IMAGE_DIRECTORY_ENTRIES               16
#define PE_IMAGE_DIRECTORY_ENTRY_EXPORT          0
#define PE_IMAGE_DIRECTORY_ENTRY_IMPORT          1
#define PE_IMAGE_DIRECTORY_ENTRY_RESOURCE        2
#define PE_IMAGE_DIRECTORY_ENTRY_EXCEPTION       3
#define PE_IMAGE_DIRECTORY_ENTRY_SECURITY        4
#define PE_IMAGE_DIRECTORY_ENTRY_BASERELOC       5
#define PE_IMAGE_DIRECTORY_ENTRY_DEBUG           6
#define PE_IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7
#define PE_IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7
#define PE_IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8
#define PE_IMAGE_DIRECTORY_ENTRY_TLS             9
#define PE_IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     10
#define PE_IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    11
#define PE_IMAGE_DIRECTORY_ENTRY_IAT             12
#define PE_IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    13
#define PE_IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  14

/* Values of the optional header's Subsystem field. */
#define PE_IMAGE_SUBSYSTEM_UNKNOWN                  0
#define PE_IMAGE_SUBSYSTEM_NATIVE                   1
#define PE_IMAGE_SUBSYSTEM_WINDOWS_GUI              2
#define PE_IMAGE_SUBSYSTEM_WINDOWS_CUI              3
#define PE_IMAGE_SUBSYSTEM_POSIX_CUI                7
#define PE_IMAGE_SUBSYSTEM_WINDOWS_CE_GUI           9
#define PE_IMAGE_SUBSYSTEM_EFI_APPLICATION          10
#define PE_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER  11
#define PE_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER       12
#define PE_IMAGE_SUBSYSTEM_EFI_ROM                  13
#define PE_IMAGE_SUBSYSTEM_XBOX                     14

/*
 * Language identifiers. CROATIAN and SERBIAN both map to 0x1a.
 */
#define PE_LANG_NEUTRAL         0x00
#define PE_LANG_INVARIANT       0x7f
#define PE_LANG_AFRIKAANS       0x36
#define PE_LANG_ALBANIAN        0x1c
#define PE_LANG_ARABIC          0x01
#define PE_LANG_ARMENIAN        0x2b
#define PE_LANG_ASSAMESE        0x4d
#define PE_LANG_AZERI           0x2c
#define PE_LANG_BASQUE          0x2d
#define PE_LANG_BELARUSIAN      0x23
#define PE_LANG_BENGALI         0x45
#define PE_LANG_BULGARIAN       0x02
#define PE_LANG_CATALAN         0x03
#define PE_LANG_CHINESE         0x04
#define PE_LANG_CROATIAN        0x1a
#define PE_LANG_CZECH           0x05
#define PE_LANG_DANISH          0x06
#define PE_LANG_DIVEHI          0x65
#define PE_LANG_DUTCH           0x13
#define PE_LANG_ENGLISH         0x09
#define PE_LANG_ESTONIAN        0x25
#define PE_LANG_FAEROESE        0x38
#define PE_LANG_FARSI           0x29
#define PE_LANG_FINNISH         0x0b
#define PE_LANG_FRENCH          0x0c
#define PE_LANG_GALICIAN        0x56
#define PE_LANG_GEORGIAN        0x37
#define PE_LANG_GERMAN          0x07
#define PE_LANG_GREEK           0x08
#define PE_LANG_GUJARATI        0x47
#define PE_LANG_HEBREW          0x0d
#define PE_LANG_HINDI           0x39
#define PE_LANG_HUNGARIAN       0x0e
#define PE_LANG_ICELANDIC       0x0f
#define PE_LANG_INDONESIAN      0x21
#define PE_LANG_ITALIAN         0x10
#define PE_LANG_JAPANESE        0x11
#define PE_LANG_KANNADA         0x4b
#define PE_LANG_KASHMIRI        0x60
#define PE_LANG_KAZAK           0x3f
#define PE_LANG_KONKANI         0x57
#define PE_LANG_KOREAN          0x12
#define PE_LANG_KYRGYZ          0x40
#define PE_LANG_LATVIAN         0x26
#define PE_LANG_LITHUANIAN      0x27
#define PE_LANG_MACEDONIAN      0x2f
#define PE_LANG_MALAY           0x3e
#define PE_LANG_MALAYALAM       0x4c
#define PE_LANG_MANIPURI        0x58
#define PE_LANG_MARATHI         0x4e
#define PE_LANG_MONGOLIAN       0x50
#define PE_LANG_NEPALI          0x61
#define PE_LANG_NORWEGIAN       0x14
#define PE_LANG_ORIYA           0x48
#define PE_LANG_POLISH          0x15
#define PE_LANG_PORTUGUESE      0x16
#define PE_LANG_PUNJABI         0x46
#define PE_LANG_ROMANIAN        0x18
#define PE_LANG_RUSSIAN         0x19
#define PE_LANG_SANSKRIT        0x4f
#define PE_LANG_SERBIAN         0x1a
#define PE_LANG_SINDHI          0x59
#define PE_LANG_SLOVAK          0x1b
#define PE_LANG_SLOVENIAN       0x24
#define PE_LANG_SPANISH         0x0a
#define PE_LANG_SWAHILI         0x41
#define PE_LANG_SWEDISH         0x1d
#define PE_LANG_SYRIAC          0x5a
#define PE_LANG_TAMIL           0x49
#define PE_LANG_TATAR           0x44
#define PE_LANG_TELUGU          0x4a
#define PE_LANG_THAI            0x1e
#define PE_LANG_TURKISH         0x1f
#define PE_LANG_UKRAINIAN       0x22
#define PE_LANG_URDU            0x20
#define PE_LANG_UZBEK           0x43
#define PE_LANG_VIETNAMESE      0x2a
#define PE_LANG_GAELIC          0x3c
#define PE_LANG_MALTESE         0x3a
#define PE_LANG_MAORI           0x28
#define PE_LANG_RHAETO_ROMANCE  0x17
#define PE_LANG_SAAMI           0x3b
#define PE_LANG_SORBIAN         0x2e
#define PE_LANG_SUTU            0x30
#define PE_LANG_TSONGA          0x31
#define PE_LANG_TSWANA          0x32
#define PE_LANG_VENDA           0x33
#define PE_LANG_XHOSA           0x34
#define PE_LANG_ZULU            0x35
#define PE_LANG_ESPERANTO       0x8f
#define PE_LANG_WALON           0x90
#define PE_LANG_CORNISH         0x91
#define PE_LANG_WELSH           0x92
#define PE_LANG_BRETON          0x93

/*
 * One data-directory slot: where a table lives and how large it is.
 *
 * NOTE(review): both values are file-controlled; the range they describe
 * should be checked against the image before it is dereferenced.
 */
typedef struct {
	ut32 VirtualAddress;
	ut32 Size;
} Pe32_image_data_directory, Pe64_image_data_directory;

/*
 * PE32 optional header.
 *
 * NOTE(review): DataDirectory has a fixed PE_IMAGE_DIRECTORY_ENTRIES slots,
 * while NumberOfRvaAndSizes is whatever the file says. Code that indexes
 * DataDirectory by a value derived from the file should clamp it to
 * PE_IMAGE_DIRECTORY_ENTRIES first.
 */
typedef struct {
	/* Standard fields */
	ut16 Magic;
	ut8  MajorLinkerVersion;
	ut8  MinorLinkerVersion;
	ut32 SizeOfCode;
	ut32 SizeOfInitializedData;
	ut32 SizeOfUninitializedData;
	ut32 AddressOfEntryPoint;
	ut32 BaseOfCode;
	ut32 BaseOfData;
	/* NT additional fields */
	ut32 ImageBase;
	ut32 SectionAlignment;
	ut32 FileAlignment;
	ut16 MajorOperatingSystemVersion;
	ut16 MinorOperatingSystemVersion;
	ut16 MajorImageVersion;
	ut16 MinorImageVersion;
	ut16 MajorSubsystemVersion;
	ut16 MinorSubsystemVersion;
	ut32 Win32VersionValue;
	ut32 SizeOfImage;
	ut32 SizeOfHeaders;
	ut32 CheckSum;
	ut16 Subsystem;
	ut16 DllCharacteristics;
	ut32 SizeOfStackReserve;
	ut32 SizeOfStackCommit;
	ut32 SizeOfHeapReserve;
	ut32 SizeOfHeapCommit;
	ut32 LoaderFlags;
	ut32 NumberOfRvaAndSizes;
	Pe32_image_data_directory DataDirectory[PE_IMAGE_DIRECTORY_ENTRIES];
} Pe32_image_optional_header;

/*
 * PE32+ optional header. Compared with the PE32 form it has no BaseOfData,
 * and ImageBase plus the four stack/heap sizes are 64 bits wide. The caveat
 * about NumberOfRvaAndSizes versus the fixed-size DataDirectory array
 * applies here as well.
 */
typedef struct {
	/* Standard fields */
	ut16 Magic;
	ut8  MajorLinkerVersion;
	ut8  MinorLinkerVersion;
	ut32 SizeOfCode;
	ut32 SizeOfInitializedData;
	ut32 SizeOfUninitializedData;
	ut32 AddressOfEntryPoint;
	ut32 BaseOfCode;
	/* NT additional fields */
	ut64 ImageBase;
	ut32 SectionAlignment;
	ut32 FileAlignment;
	ut16 MajorOperatingSystemVersion;
	ut16 MinorOperatingSystemVersion;
	ut16 MajorImageVersion;
	ut16 MinorImageVersion;
	ut16 MajorSubsystemVersion;
	ut16 MinorSubsystemVersion;
	ut32 Win32VersionValue;
	ut32 SizeOfImage;
	ut32 SizeOfHeaders;
	ut32 CheckSum;
	ut16 Subsystem;
	ut16 DllCharacteristics;
	ut64 SizeOfStackReserve;
	ut64 SizeOfStackCommit;
	ut64 SizeOfHeapReserve;
	ut64 SizeOfHeapCommit;
	ut32 LoaderFlags;
	ut32 NumberOfRvaAndSizes;
	Pe64_image_data_directory DataDirectory[PE_IMAGE_DIRECTORY_ENTRIES];
} Pe64_image_optional_header;

/* CLR (.NET) header: address/size pairs for each managed-code table. */
typedef struct {
	ut32 HeaderSize;
	ut16 MajorRuntimeVersion;
	ut16 MinorRuntimeVersion;
	ut32 MetaDataDirectoryAddress;
	ut32 MetaDataDirectorySize;
	ut32 Flags;
	ut32 EntryPointToken;
	ut32 ResourcesDirectoryAddress;
	ut32 ResourcesDirectorySize;
	ut32 StrongNameSignatureAddress;
	ut32 StrongNameSignatureSize;
	ut32 CodeManagerTableAddress;
	ut32 CodeManagerTableSize;
	ut32 VTableFixupsAddress;
	ut32 VTableFixupsSize;
	ut32 ExportAddressTableJumpsAddress;
	ut32 ExportAddressTableJumpsSize;
	ut32 ManagedNativeHeaderAddress;
	ut32 ManagedNativeHeaderSize;
} Pe32_image_clr_header, Pe64_image_clr_header;

/*
 * Metadata header. VersionString is a pointer, so this is a parsed,
 * in-memory form rather than a byte-for-byte image of the file.
 *
 * NOTE(review): VersionStringLength and NumberOfStreams are file-controlled;
 * bound them before allocating or iterating.
 */
typedef struct {
	ut64 Signature;
	ut16 MajorVersion;
	ut16 MinorVersion;
	ut32 Reserved;
	ut32 VersionStringLength;
	char *VersionString;
	ut16 Flags;
	ut16 NumberOfStreams;
} Pe32_image_metadata_header, Pe64_image_metadata_header;

/* One metadata stream; Name is a pointer, so this too is an in-memory form. */
typedef struct {
	ut32 Offset;
	ut32 Size;
	char *Name;
} Pe32_image_metadata_stream, Pe64_image_metadata_stream;

/* Presumably one decoded entry of the Rich header -- confirm against the parser. */
typedef struct {
	ut16 productId;
	ut16 minVersion;
	ut32 timesUsed;
	char *productName;
} Pe_image_rich_entry;

#define PE_IMAGE_SIZEOF_SHORT_NAME 8

/*
 * Memory-permission bits of a section header's Characteristics field.
 * A section carrying both MEM_WRITE and MEM_EXECUTE is writable and
 * executable at once, which is worth surfacing during triage.
 */
#define PE_IMAGE_SCN_MEM_SHARED  0x10000000
#define PE_IMAGE_SCN_MEM_EXECUTE 0x20000000
#define PE_IMAGE_SCN_MEM_READ    0x40000000
#define PE_IMAGE_SCN_MEM_WRITE   0x80000000

/*
 * Section table entry; identical for both widths.
 *
 * Name is a fixed array of PE_IMAGE_SIZEOF_SHORT_NAME bytes. In the PE
 * format a name that fills all eight bytes has no terminating NUL, so it
 * must not be handed to string functions without an explicit length.
 *
 * NOTE(review): PointerToRawData and SizeOfRawData are file-controlled and
 * may describe a range beyond the end of the file; check before reading.
 */
typedef struct {
	ut8 Name[PE_IMAGE_SIZEOF_SHORT_NAME];
	union {
		ut32 PhysicalAddress;
		ut32 VirtualSize;
	} Misc;
	ut32 VirtualAddress;
	ut32 SizeOfRawData;
	ut32 PointerToRawData;
	ut32 PointerToRelocations;
	ut32 PointerToLinenumbers;
	ut16 NumberOfRelocations;
	ut16 NumberOfLinenumbers;
	ut32 Characteristics;
} Pe32_image_section_header, Pe64_image_section_header;

/*
 * Export directory.
 *
 * NOTE(review): NumberOfFunctions and NumberOfNames size the three tables
 * located by the AddressOf* fields; all of them come from the file.
 */
typedef struct {
	ut32 Characteristics;
	ut32 TimeDateStamp;
	ut16 MajorVersion;
	ut16 MinorVersion;
	ut32 Name;
	ut32 Base;
	ut32 NumberOfFunctions;
	ut32 NumberOfNames;
	ut32 AddressOfFunctions;
	ut32 AddressOfNames;
	ut32 AddressOfOrdinals;
} Pe32_image_export_directory, Pe64_image_export_directory;

/*
 * Import directory entry. In the PE format the slot named Characteristics
 * here doubles as the RVA of the import lookup table.
 */
typedef struct {
	ut32 Characteristics;
	ut32 TimeDateStamp;
	ut32 ForwarderChain;
	ut32 Name;
	ut32 FirstThunk;
} Pe32_image_import_directory, Pe64_image_import_directory;

/* Delay-load import directory entry. */
typedef struct {
	ut32 Attributes;
	ut32 Name;
	ut32 ModulePlugin;
	ut32 DelayImportAddressTable;
	ut32 DelayImportNameTable;
	ut32 BoundDelayImportTable;
	ut32 UnloadDelayImportTable;
	ut32 TimeStamp;
} Pe32_image_delay_import_directory, Pe64_image_delay_import_directory;

/*
 * TLS directory. AddressOfCallBacks locates the TLS callback array, code
 * that runs before the image's entry point.
 *
 * NOTE(review): one ut32 layout is shared by the Pe32_ and Pe64_ names,
 * whereas in a PE32+ file the first four fields are 64-bit. Confirm how
 * the reader of this structure handles PE32+ images.
 */
typedef struct {
	ut32 StartAddressOfRawData;
	ut32 EndAddressOfRawData;
	ut32 AddressOfIndex;
	ut32 AddressOfCallBacks;
	ut32 SizeOfZeroFill;
	ut32 Characteristics;
} Pe32_image_tls_directory, Pe64_image_tls_directory;

/*
 * One attribute certificate from the security directory (in-memory form:
 * bCertificate is a pointer).
 *
 * NOTE(review): dwLength is read from the file; validate it against the
 * directory's size before allocating or copying bCertificate.
 */
typedef struct {
	ut32 dwLength;
	ut16 wRevision;          /* PE_WIN_CERT_REVISION_* */
	ut16 wCertificateType;   /* PE_WIN_CERT_TYPE_* */
	ut8 *bCertificate;
} Pe_certificate;

/* Parsed security directory: `length` and an array of certificate pointers. */
typedef struct {
	ut32 length;
	Pe_certificate **certificates;
} Pe_image_security_directory;

#define PE_WIN_CERT_REVISION_1_0 0x0100
#define PE_WIN_CERT_REVISION_2_0 0x0200

#define PE_WIN_CERT_TYPE_X509             0x0001
#define PE_WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define PE_WIN_CERT_TYPE_RESERVED_1       0x0003
#define PE_WIN_CERT_TYPE_TS_STACK_SIGNED  0x0004

/* NT headers, PE32: signature, file header, optional header. */
typedef struct {
	ut32 Signature;
	Pe32_image_file_header file_header;
	Pe32_image_optional_header optional_header;
} Pe32_image_nt_headers;

/* NT headers, PE32+: same shape with the 64-bit optional header. */
typedef struct {
	ut32 Signature;
	Pe64_image_file_header file_header;
	Pe64_image_optional_header optional_header;
} Pe64_image_nt_headers;

/*
 * Debug directory entry. In the PE format AddressOfRawData is an RVA and
 * PointerToRawData a file offset for the same SizeOfData bytes.
 */
typedef struct {
	ut32 Characteristics;
	ut32 TimeDateStamp;
	ut16 MajorVersion;
	ut16 MinorVersion;
	ut32 Type;               /* IMAGE_DEBUG_TYPE_* */
	ut32 SizeOfData;
	ut32 AddressOfRawData;
	ut32 PointerToRawData;
} Pe32_image_debug_directory_entry, Pe64_image_debug_directory_entry;

/*
 * Resource directory table header.
 *
 * NOTE(review): the two entry counts are file-controlled, and resource
 * directories nest; a walker needs a bound on both count and depth.
 */
typedef struct {
	ut32 Characteristics;
	ut32 TimeDateStamp;
	ut16 MajorVersion;
	ut16 MinorVersion;
	ut16 NumberOfNamedEntries;
	ut16 NumberOfIdEntries;
} Pe_image_resource_directory;

/*
 * Resource directory entry. Both words are kept as plain ut32 values; the
 * bit-field views below are left disabled in the original and show how the
 * words are split:
 *
 *   u1:  struct { ut32 NameOffset: 31; ut32 NameIsString: 1; } s;
 *        ut16 Id;
 *   u2:  struct { ut32 OffsetToDirectory: 31; ut32 DataIsDirectory: 1; } s;
 */
typedef struct {
	union {
		ut32 Name;
	} u1;
	union {
		ut32 OffsetToData;
	} u2;
} Pe_image_resource_directory_entry;

// Pe_image_resource_directory_string is unused. Did not find any PE with ASCII resource name.
// Refer to https://msdn.microsoft.com/en-us/library/ms809762.aspx
// "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format"
// "Yes, even PE files intended for non-UNICODE Win32 implementations use UNICODE here."
/* Resource name with 8-bit characters. */
typedef struct {
	ut16 Length;
	char *NameString;
} Pe_image_resource_directory_string;

/* Resource name with 16-bit characters. */
typedef struct {
	ut16 Length;
	ut16 *NameString;
} Pe_image_resource_directory_string_u;

/*
 * Resource data entry (leaf of the resource tree).
 *
 * NOTE(review): OffsetToData and Size are file-controlled; check the range
 * before reading the resource body.
 */
typedef struct {
	ut32 OffsetToData;
	ut32 Size;
	ut32 CodePage;
	ut32 Reserved;
} Pe_image_resource_data_entry;


/*
 * Resource types.
 * R_PE_MAX_RESOURCES is presumably the parser's cap on how many resources
 * it records -- confirm at the point of use.
 */
#define R_PE_MAX_RESOURCES            2056
#define PE_RESOURCE_ENTRY_CURSOR       1
#define PE_RESOURCE_ENTRY_BITMAP       2
#define PE_RESOURCE_ENTRY_ICON         3
#define PE_RESOURCE_ENTRY_MENU         4
#define PE_RESOURCE_ENTRY_DIALOG       5
#define PE_RESOURCE_ENTRY_STRING       6
#define PE_RESOURCE_ENTRY_FONTDIR      7
#define PE_RESOURCE_ENTRY_FONT         8
#define PE_RESOURCE_ENTRY_ACCELERATOR  9
#define PE_RESOURCE_ENTRY_RCDATA       10
#define PE_RESOURCE_ENTRY_MESSAGETABLE 11
#define PE_RESOURCE_ENTRY_GROUP_CURSOR 12
#define PE_RESOURCE_ENTRY_GROUP_ICON   14
#define PE_RESOURCE_ENTRY_VERSION      16
#define PE_RESOURCE_ENTRY_DLGINCLUDE   17
#define PE_RESOURCE_ENTRY_PLUGPLAY     19
#define PE_RESOURCE_ENTRY_VXD          20
#define PE_RESOURCE_ENTRY_ANICURSOR    21
#define PE_RESOURCE_ENTRY_ANIICON      22
#define PE_RESOURCE_ENTRY_HTML         23
#define PE_RESOURCE_ENTRY_MANIFEST     24

/*
 * Key strings of the version-information resource, as 8-bit text.
 * Each *_LEN below is a sizeof, so it counts the terminating NUL.
 */
#define STRINGFILEINFO_TEXT  "StringFileInfo"
#define TRANSLATION_TEXT     "Translation"
#define VARFILEINFO_TEXT     "VarFileInfo"
#define VS_VERSION_INFO_TEXT "VS_VERSION_INFO"

#define STRINGFILEINFO_TEXT_LEN  sizeof(STRINGFILEINFO_TEXT)
#define TRANSLATION_TEXT_LEN     sizeof(TRANSLATION_TEXT)
#define VARFILEINFO_TEXT_LEN     sizeof(VARFILEINFO_TEXT)
#define VS_VERSION_INFO_TEXT_LEN sizeof(VS_VERSION_INFO_TEXT)

/* Byte length of eight hex digits plus a terminator at two bytes each. */
#define EIGHT_HEX_DIG_UTF_16_LEN ((8 + 1) * 2)

/*
 * The same keys spelled out as little-endian UTF-16 byte strings. Together
 * with the implicit NUL of the literal, the trailing \0\0 forms a two-byte
 * terminator, so each *_UTF_16_LEN is the UTF-16 byte length including it.
 */
#define STRINGFILEINFO_UTF_16  "S\0t\0r\0i\0n\0g\0F\0i\0l\0e\0I\0n\0f\0o\0\0"
#define TRANSLATION_UTF_16     "T\0r\0a\0n\0s\0l\0a\0t\0i\0o\0n\0\0"
#define VARFILEINFO_UTF_16     "V\0a\0r\0F\0i\0l\0e\0I\0n\0f\0o\0\0"
#define VS_VERSION_INFO_UTF_16 "V\0S\0_\0V\0E\0R\0S\0I\0O\0N\0_\0I\0N\0F\0O\0\0"

#define STRINGFILEINFO_UTF_16_LEN  sizeof (STRINGFILEINFO_UTF_16)
#define TRANSLATION_UTF_16_LEN     sizeof (TRANSLATION_UTF_16)
#define VARFILEINFO_UTF_16_LEN     sizeof (VARFILEINFO_UTF_16)
#define VS_VERSION_INFO_UTF_16_LEN sizeof (VS_VERSION_INFO_UTF_16)

/*
 * The version-information structures below hold pointers and child counts,
 * so they are parsed, in-memory forms. The wLength / wValueLength values
 * come from the file and should be treated as untrusted when used as
 * bounds. Where the original marks a "Padding" member as disabled, the
 * position is kept as a comment.
 */

/* One key/value string of a StringTable. */
typedef struct {
	ut16 wLength;       /* length of this String structure, in bytes */
	ut16 wValueLength;  /* size of the Value member, in words */
	ut16 wType;         /* 1 = text, 0 = binary */
	ut16 wKeyLen;
	ut16 *szKey;        /* an arbitrary Unicode string */
	/* ut16 Padding; -- not represented in this struct */
	ut16 *Value;        /* a zero-terminated string */
} String;

/* A table of String entries for one language / code page pair. */
typedef struct {
	ut16 wLength;       /* length of this StringTable in bytes, children included */
	ut16 wValueLength;  /* always 0 */
	ut16 wType;         /* 1 = text, 0 = binary */
	/*
	 * An 8-digit hexadecimal number stored as a Unicode string: the four
	 * most significant digits are the language identifier, the four least
	 * significant digits the code page the data is formatted for.
	 */
	ut16 *szKey;
	/* ut16 Padding; -- not represented in this struct */
	ut32 numOfChildren;
	String **Children;  /* array of one or more String structures */
} StringTable;

/* The StringFileInfo block. */
typedef struct {
	ut16 wLength;       /* length of the whole block in bytes, children included */
	ut16 wValueLength;  /* always 0 */
	ut16 wType;         /* 1 = text, 0 = binary */
	ut16 *szKey;        /* L"StringFileInfo" */
	/* ut16 Padding; -- not represented in this struct */
	ut32 numOfChildren;
	StringTable **Children; /* array of one or more StringTable structures */
} StringFileInfo;

/* One Var entry of the VarFileInfo block. */
typedef struct {
	ut16 wLength;       /* length of the Var structure in bytes (with pad) */
	ut16 wValueLength;  /* length of the Value member, in bytes */
	ut16 wType;         /* 1 = text, 0 = binary */
	ut16 *szKey;        /* L"Translation" */
	/* ut16 Padding; -- not represented in this struct */
	ut32 numOfValues;
	ut32 *Value;        /* one or more language / code page identifier pairs */
} Var;

/* The VarFileInfo block. */
typedef struct {
	ut16 wLength;       /* length of the whole block in bytes, children included (with pad) */
	ut16 wValueLength;  /* always 0 */
	ut16 wType;         /* 1 = text, 0 = binary */
	ut16 *szKey;        /* L"VarFileInfo" */
	/* ut16 Padding; -- not represented in this struct */
	ut32 numOfChildren;
	Var **Children;     /* typically the languages the application or DLL supports */
} VarFileInfo;

/* PE_VS_FIXEDFILEINFO.dwFileFlags bits. */
#define PE_VS_FF_DEBUG        0x00000001L
#define PE_VS_FF_PRERELEASE   0x00000002L
#define PE_VS_FF_PATCHED      0x00000004L
#define PE_VS_FF_PRIVATEBUILD 0x00000008L
#define PE_VS_FF_INFOINFERRED 0x00000010L
#define PE_VS_FF_SPECIALBUILD 0x00000020L

/* PE_VS_FIXEDFILEINFO.dwFileOS values. */
#define PE_VOS_DOS            0x00010000L
#define PE_VOS_NT             0x00040000L
#define PE_VOS__WINDOWS16     0x00000001L
#define PE_VOS__WINDOWS32     0x00000004L
#define PE_VOS_OS216          0x00020000L
#define PE_VOS_OS232          0x00030000L
#define PE_VOS__PM16          0x00000002L
#define PE_VOS__PM32          0x00000003L
#define PE_VOS_UNKNOWN        0x00000000L

/* Combined dwFileOS values. */
#define PE_VOS_DOS_WINDOWS16  0x00010001L
#define PE_VOS_DOS_WINDOWS32  0x00010004L
#define PE_VOS_NT_WINDOWS32   0x00040004L
#define PE_VOS_OS216_PM16     0x00020002L
#define PE_VOS_OS232_PM32     0x00030003L

/* PE_VS_FIXEDFILEINFO.dwFileType values. */
#define PE_VFT_APP            0x00000001L
#define PE_VFT_DLL            0x00000002L
#define PE_VFT_DRV            0x00000003L
#define PE_VFT_FONT           0x00000004L
#define PE_VFT_STATIC_LIB     0x00000007L
#define PE_VFT_UNKNOWN        0x00000000L
#define PE_VFT_VXD            0x00000005L

/* dwFileSubtype values for drivers. */
#define PE_VFT2_DRV_COMM              0x0000000AL
#define PE_VFT2_DRV_DISPLAY           0x00000004L
#define PE_VFT2_DRV_INSTALLABLE       0x00000008L
#define PE_VFT2_DRV_KEYBOARD          0x00000002L
#define PE_VFT2_DRV_LANGUAGE          0x00000003L
#define PE_VFT2_DRV_MOUSE             0x00000005L
#define PE_VFT2_DRV_NETWORK           0x00000006L
#define PE_VFT2_DRV_PRINTER           0x00000001L
#define PE_VFT2_DRV_SOUND             0x00000009L
#define PE_VFT2_DRV_SYSTEM            0x00000007L
#define PE_VFT2_DRV_VERSIONED_PRINTER 0x0000000CL
#define PE_VFT2_UNKNOWN               0x00000000L

/*
 * dwFileSubtype values for fonts. PE_VFT2_UNKNOWN is defined a second time
 * here with the same replacement text as above.
 */
#define PE_VFT2_FONT_RASTER   0x00000001L
#define PE_VFT2_FONT_TRUETYPE 0x00000003L
#define PE_VFT2_FONT_VECTOR   0x00000002L
#define PE_VFT2_UNKNOWN       0x00000000L

/* Fixed-size part of the version resource. */
typedef struct {
	ut32 dwSignature;   /* contains the value 0xFEEF04BD */
	ut32 dwStrucVersion;
	ut32 dwFileVersionMS;
	ut32 dwFileVersionLS;
	ut32 dwProductVersionMS;
	ut32 dwProductVersionLS;
	ut32 dwFileFlagsMask;
	ut32 dwFileFlags;
	ut32 dwFileOS;
	ut32 dwFileType;
	ut32 dwFileSubtype;
	ut32 dwFileDateMS;
	ut32 dwFileDateLS;
} PE_VS_FIXEDFILEINFO;

/* Root of the parsed version resource. */
typedef struct {
	ut16 wLength;       /* whole structure size; padding is not included (relevant when there are multiple version info structures) */
	ut16 wValueLength;  /* if 0 there is no Value */
	ut16 wType;         /* 1 = text, 0 = binary */
	ut16 *szKey;        /* L"VS_VERSION_INFO" */
	/* ut16 Padding1; -- pad for 32 boundary, not represented in this struct */
	PE_VS_FIXEDFILEINFO *Value;
	/* ut16 Padding2; -- pad for 32 boundary, not represented in this struct */
	VarFileInfo *varFileInfo;       /* 0 or 1 elements */
	StringFileInfo *stringFileInfo; /* 0 or 1 elements */
} PE_VS_VERSIONINFO;

/* Specific for x64 SEH */

/* Unwind operation codes; the comment says what the OpInfo nibble carries. */
typedef enum {
	UWOP_PUSH_NONVOL = 0,      /* info == register number */
	UWOP_ALLOC_LARGE = 1,      /* no info, alloc size in next 2 slots */
	UWOP_ALLOC_SMALL = 2,      /* info == size of allocation / 8 - 1 */
	UWOP_SET_FPREG = 3,        /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */
	UWOP_SAVE_NONVOL = 4,      /* info == register number, offset in next slot */
	UWOP_SAVE_NONVOL_FAR = 5,  /* info == register number, offset in next 2 slots */
	UWOP_SAVE_XMM128 = 8,      /* info == XMM reg number, offset in next slot */
	UWOP_SAVE_XMM128_FAR = 9,  /* info == XMM reg number, offset in next 2 slots */
	UWOP_PUSH_MACHFRAME = 10   /* info == 0: no error-code, 1: error-code */
} PE64_UNWIND_CODE_OPS;

/* Values of PE64_UNWIND_INFO.Flags. */
#define PE64_UNW_FLAG_NHANDLER  0
#define PE64_UNW_FLAG_EHANDLER  1
#define PE64_UNW_FLAG_UHANDLER  2
#define PE64_UNW_FLAG_CHAININFO 4

/* One entry of the exception directory (function table). */
typedef struct {
	ut32 BeginAddress;  /* function start address */
	ut32 EndAddress;    /* function end address */
	union {
		ut32 UnwindInfoAddress;
		ut32 UnwindData;
	};
} PE64_RUNTIME_FUNCTION;

/*
 * One unwind-code slot, viewable either as offset/op/info or as a raw
 * 16-bit FrameOffset.
 *
 * NOTE(review): the order in which bit-fields are packed into the byte is
 * implementation-defined in C, so overlaying this on file bytes depends on
 * the compiler -- confirm for each supported target.
 */
typedef union {
	struct {
		ut8 CodeOffset;
		ut8 UnwindOp : 4;
		ut8 OpInfo : 4;
	};
	ut16 FrameOffset;
} PE64_UNWIND_CODE;

/*
 * Unwind information header followed by its unwind codes.
 *
 * UnwindCode is a flexible array member, so sizeof covers only the fixed
 * part. NOTE(review): CountOfCodes is file-controlled; a reader should
 * check that the slots it announces lie inside the buffer. The bit-field
 * packing caveat on PE64_UNWIND_CODE applies to Version/Flags and
 * FrameRegister/FrameOffset too.
 */
typedef struct {
	ut8 Version : 3;
	ut8 Flags : 5;
	ut8 SizeOfProlog;
	ut8 CountOfCodes;
	ut8 FrameRegister : 4;
	ut8 FrameOffset : 4;
	PE64_UNWIND_CODE UnwindCode[];
	/* Data that follows the codes in the file, kept for reference only:
	union {
		ut32 ExceptionHandler; // if (flags & UNW_FLAG_EHANDLER)
		PE64_RUNTIME_FUNCTION FunctionEntry; // else if (flags & UNW_FLAG_CHAININFO)
	};
	ut32 ExceptionData[]; // if (flags & UNW_FLAG_EHANDLER)
	*/
} PE64_UNWIND_INFO;

/* One scope record of a scope table. */
typedef struct {
	ut32 BeginAddress;
	ut32 EndAddress;
	ut32 HandlerAddress;
	ut32 JumpTarget;
} PE64_SCOPE_RECORD;

/* Scope table: Count followed by that many records (flexible array member). */
typedef struct {
	ut32 Count;
	PE64_SCOPE_RECORD ScopeRecord[];
} PE64_SCOPE_TABLE;

/*
 * Header readers and the section-header writer, one set per width.
 * The meaning of the int return value is not visible in this header --
 * confirm against the implementation before relying on it. `addr` is
 * presumably an offset into the buffer `b`.
 */
int Pe32_read_dos_header(RBuffer *b, Pe32_image_dos_header *header);
int Pe32_read_nt_headers(RBuffer *b, ut64 addr, Pe32_image_nt_headers *headers);
int Pe32_read_image_section_header(RBuffer *b, ut64 addr, Pe32_image_section_header *section_header);
void Pe32_write_image_section_header(RBuffer *b, ut64 addr, Pe32_image_section_header *section_header);

int Pe64_read_dos_header(RBuffer *b, Pe64_image_dos_header *header);
int Pe64_read_nt_headers(RBuffer *b, ut64 addr, Pe64_image_nt_headers *headers);
int Pe64_read_image_section_header(RBuffer *b, ut64 addr, Pe64_image_section_header *section_header);
void Pe64_write_image_section_header(RBuffer *b, ut64 addr, Pe64_image_section_header *section_header);

#endif