1 /*
2  *  Copyright (C) 2007 Christophe Grenier <grenier@cgsecurity.org>
3  *  Copyright (C) 2004 - 2005 Tomasz Kojm <tkojm@clamav.net>
4  *
5  *  Implementation (header structures) based on the PE format description
6  *  by B. Luevelsmeyer
7  *
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
21  *  MA 02110-1301, USA.
22  */
23 #ifndef __PE_H
24 #define __PE_H
25 
26 #define IMAGE_NT_SIGNATURE	    0x00004550
27 #define IMAGE_WIN16_SIGNATURE	    0x0000454e
28 
29 struct dos_image_file_hdr
30 {
31     uint16_t magic;         // Magic number
32     uint16_t bytes_in_last_block;
33     uint16_t blocks_in_file;
34     uint16_t num_relocs;
35     uint16_t header_paragraphs;
36     uint16_t min_extra_paragraphs;
37     uint16_t max_extra_paragraphs;
38     uint16_t ss;
39     uint16_t sp;
40     uint16_t checksum;
41     uint16_t ip;
42     uint16_t cs;
43     uint16_t reloc_table_offset;
44     uint16_t overlay_number;
45     uint16_t e_res[4];        // Reserved words
46     uint16_t e_oemid;         // OEM identifier (for e_oeminfo)
47     uint16_t e_oeminfo;       // OEM information; e_oemid specific
48     uint16_t e_res2[10];      // Reserved words
49     uint32_t e_lfanew;        // File address of new exe header
50 } __attribute__ ((gcc_struct, __packed__));
51 
52 struct exe_reloc{
53   uint16_t offset;
54   uint16_t segment;
55 } __attribute__ ((gcc_struct, __packed__));
56 
57 struct pe_image_file_hdr {
58     uint32_t Magic;
59     uint16_t Machine;
60     uint16_t NumberOfSections;
61     uint32_t TimeDateStamp;		    /* unreliable */
62     uint32_t PointerToSymbolTable;	    /* debug */
63     uint32_t NumberOfSymbols;		    /* debug */
64     uint16_t SizeOfOptionalHeader;	    /* == 224 */
65     uint16_t Characteristics;
66 } __attribute__ ((gcc_struct, __packed__));
67 
68 struct pe_image_data_dir {
69   uint32_t VirtualAddress;
70   uint32_t Size;
71 } __attribute__ ((gcc_struct, __packed__));
72 
73 struct pe_image_optional_hdr32 {
74   uint16_t Magic;
75   uint8_t  MajorLinkerVersion;		    /* unreliable */
76   uint8_t  MinorLinkerVersion;		    /* unreliable */
77   uint32_t SizeOfCode;			    /* unreliable */
78   uint32_t SizeOfInitializedData;		    /* unreliable */
79   uint32_t SizeOfUninitializedData;		    /* unreliable */
80   uint32_t AddressOfEntryPoint;
81   uint32_t BaseOfCode;
82   uint32_t BaseOfData;
83   uint32_t ImageBase;				    /* multiple of 64 KB */
84   uint32_t SectionAlignment;			    /* usually 32 or 4096 */
85   uint32_t FileAlignment;			    /* usually 32 or 512 */
86   uint16_t MajorOperatingSystemVersion;	    /* not used */
87   uint16_t MinorOperatingSystemVersion;	    /* not used */
88   uint16_t MajorImageVersion;			    /* unreliable */
89   uint16_t MinorImageVersion;			    /* unreliable */
90   uint16_t MajorSubsystemVersion;
91   uint16_t MinorSubsystemVersion;
92   uint32_t Win32VersionValue;			    /* ? */
93   uint32_t SizeOfImage;
94   uint32_t SizeOfHeaders;
95   uint32_t CheckSum;				    /* NT drivers only */
96   uint16_t Subsystem;
97   uint16_t DllCharacteristics;
98   uint32_t SizeOfStackReserve;
99   uint32_t SizeOfStackCommit;
100   uint32_t SizeOfHeapReserve;
101   uint32_t SizeOfHeapCommit;
102   uint32_t LoaderFlags;			    /* ? */
103   uint32_t NumberOfRvaAndSizes;		    /* unreliable */
104   struct pe_image_data_dir DataDirectory[16];
105 } __attribute__ ((gcc_struct, __packed__));
106 
107 struct pe_image_optional_hdr64 {
108   uint16_t Magic;
109   uint8_t  MajorLinkerVersion;		    /* unreliable */
110   uint8_t  MinorLinkerVersion;		    /* unreliable */
111   uint32_t SizeOfCode;			    /* unreliable */
112   uint32_t SizeOfInitializedData;		    /* unreliable */
113   uint32_t SizeOfUninitializedData;		    /* unreliable */
114   uint32_t AddressOfEntryPoint;
115   uint32_t BaseOfCode;
116   uint64_t ImageBase;				    /* multiple of 64 KB */
117   uint32_t SectionAlignment;			    /* usually 32 or 4096 */
118   uint32_t FileAlignment;			    /* usually 32 or 512 */
119   uint16_t MajorOperatingSystemVersion;	    /* not used */
120   uint16_t MinorOperatingSystemVersion;	    /* not used */
121   uint16_t MajorImageVersion;			    /* unreliable */
122   uint16_t MinorImageVersion;			    /* unreliable */
123   uint16_t MajorSubsystemVersion;
124   uint16_t MinorSubsystemVersion;
125   uint32_t Win32VersionValue;			    /* ? */
126   uint32_t SizeOfImage;
127   uint32_t SizeOfHeaders;
128   uint32_t CheckSum;				    /* NT drivers only */
129   uint16_t Subsystem;
130   uint16_t DllCharacteristics;
131   uint64_t SizeOfStackReserve;
132   uint64_t SizeOfStackCommit;
133   uint64_t SizeOfHeapReserve;
134   uint64_t SizeOfHeapCommit;
135   uint32_t LoaderFlags;			    /* ? */
136   uint32_t NumberOfRvaAndSizes;		    /* unreliable */
137   struct pe_image_data_dir DataDirectory[16];
138 } __attribute__ ((gcc_struct, __packed__));
139 
140 struct pe_image_section_hdr {
141   uint8_t Name[8];			    /* may not end with NULL */
142   /*
143      union {
144      uint32_t PhysicalAddress;
145      uint32_t VirtualSize;
146      } AddrSize;
147    */
148   uint32_t VirtualSize;
149   uint32_t VirtualAddress;
150   uint32_t SizeOfRawData;		    /* multiple of FileAlignment */
151   uint32_t PointerToRawData;		    /* offset to the section's data */
152   uint32_t PointerToRelocations;	    /* object files only */
153   uint32_t PointerToLinenumbers;	    /* object files only */
154   uint16_t NumberOfRelocations;	    /* object files only */
155   uint16_t NumberOfLinenumbers;	    /* object files only */
156   uint32_t Characteristics;
157 } __attribute__ ((gcc_struct, __packed__));
158 
159 #define IMAGE_SIZEOF_SYMBOL 18
160 
161 #ifndef IMAGE_NT_OPTIONAL_HDR_MAGIC
162 #define IMAGE_NT_OPTIONAL_HDR_MAGIC 0x10b
163 #endif
164 #ifndef IMAGE_NT_OPTIONAL_HDR64_MAGIC
165 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
166 #endif
167 
168 #if 0
169 struct pe_image_symbol_hdr {
170   union {
171     uin8_t    ShortName[8];
172     struct {
173       DWORD   Short;     // If 0, use LongName.
174       DWORD   Long;      // Offset into string table.
175     } Name;
176     Puin8_t   LongName[2];
177   } N;
178   DWORD   Value;
179   uin16_t   SectionNumber;
180   WORD    Type;
181   uin8_t    StorageClass;
182   uin8_t    NumberOfAuxSymbols;
183 } __attribute__ ((gcc_struct, __packed__));
184 #endif
185 
186 #endif
187