using System;
using System.Runtime.InteropServices;
using Vanara.Extensions;
using Vanara.InteropServices;
namespace Vanara.PInvoke
{
public static partial class DbgHelp
{
/// A LIST_ENTRY structure describes an entry in a doubly linked list or serves as the header for such a list.
///
/// A LIST_ENTRY structure that describes the list head must have been initialized by calling InitializeListHead.
///
/// A driver can access the Flink or Blink members of a LIST_ENTRY, but the members must only be updated by the
/// system routines supplied for this purpose.
///
///
/// For more information about how to use LIST_ENTRY structures to implement a doubly linked list, see Singly and Doubly
/// Linked Lists.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-list_entry typedef struct _LIST_ENTRY { struct _LIST_ENTRY
// *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY, PRLIST_ENTRY;
[PInvokeData("ntdef.h", MSDNShortId = "NS:ntdef._LIST_ENTRY")]
[StructLayout(LayoutKind.Sequential)]
public struct LIST_ENTRY
{
///
///
/// For a LIST_ENTRY structure that serves as a list entry, the Flink member points to the next entry in the list
/// or to the list header if there is no next entry in the list.
///
///
/// For a LIST_ENTRY structure that serves as the list header, the Flink member points to the first entry in the
/// list or to the LIST_ENTRY structure itself if the list is empty.
///
///
public IntPtr Flink;
///
///
/// For a LIST_ENTRY structure that serves as a list entry, the Blink member points to the previous entry in the
/// list or to the list header if there is no previous entry in the list.
///
///
/// For a LIST_ENTRY structure that serves as the list header, the Blink member points to the last entry in the
/// list or to the LIST_ENTRY structure itself if the list is empty.
///
///
public IntPtr Blink;
}
/// The format of the debugging information. This member can be one of the following values.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DEBUG_DIRECTORY")]
public enum IMAGE_DEBUG_TYPE
{
/// Unknown value, ignored by all tools.
IMAGE_DEBUG_TYPE_UNKNOWN = 0,
///
/// COFF debugging information (line numbers, symbol table, and string table). This type of debugging information is also
/// pointed to by fields in the file headers.
///
IMAGE_DEBUG_TYPE_COFF = 1,
/// CodeView debugging information. The format of the data block is described by the CodeView 4.0 specification.
IMAGE_DEBUG_TYPE_CODEVIEW = 2,
///
/// Frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames,
/// which use the EBP register for a purpose other than as a frame pointer.
///
IMAGE_DEBUG_TYPE_FPO = 3,
/// Miscellaneous information.
IMAGE_DEBUG_TYPE_MISC = 4,
/// Exception information.
IMAGE_DEBUG_TYPE_EXCEPTION = 5,
/// Fixup information.
IMAGE_DEBUG_TYPE_FIXUP = 6,
/// Borland debugging information.
IMAGE_DEBUG_TYPE_BORLAND = 9,
///
IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7,
///
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8,
///
IMAGE_DEBUG_TYPE_RESERVED10 = 10,
///
IMAGE_DEBUG_TYPE_CLSID = 11,
///
IMAGE_DEBUG_TYPE_VC_FEATURE = 12,
///
IMAGE_DEBUG_TYPE_POGO = 13,
///
IMAGE_DEBUG_TYPE_ILTCG = 14,
///
IMAGE_DEBUG_TYPE_MPX = 15,
///
IMAGE_DEBUG_TYPE_REPRO = 16,
///
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20,
}
/// The index number of the desired directory entry.
[PInvokeData("winnt.h")]
public enum IMAGE_DIRECTORY_ENTRY : ushort
{
/// Architecture-specific data
MAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7,
/// Base relocation table
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5,
/// Bound import directory
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11,
/// COM descriptor table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14,
/// Debug directory
IMAGE_DIRECTORY_ENTRY_DEBUG = 6,
/// Delay import table
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13,
/// Exception directory
IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3,
/// Export directory
[CorrespondingType(typeof(IMAGE_EXPORT_DIRECTORY), CorrespondingAction.Get)]
IMAGE_DIRECTORY_ENTRY_EXPORT = 0,
/// The relative virtual address of global pointer
IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8,
/// Import address table
IMAGE_DIRECTORY_ENTRY_IAT = 12,
/// Import directory
IMAGE_DIRECTORY_ENTRY_IMPORT = 1,
/// Load configuration directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10,
/// Resource directory
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2,
/// Security directory
IMAGE_DIRECTORY_ENTRY_SECURITY = 4,
/// Thread local storage directory
IMAGE_DIRECTORY_ENTRY_TLS = 9,
}
/// The DLL characteristics of the image.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_DLLCHARACTERISTICS : ushort
{
/// The DLL can be relocated at load time.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040,
///
/// Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the
/// PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the
/// digital signature cannot be verified.
///
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
/// The image is compatible with data execution prevention (DEP).
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100,
/// The image is isolation aware, but should not be isolated.
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
/// The image does not use structured exception handling (SEH). No handlers can be called in this image.
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
/// Do not bind the image.
IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
/// A WDM driver.
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
/// The image is terminal server aware.
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000,
}
/// The characteristics of the image.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
[Flags]
public enum IMAGE_FILE : ushort
{
///
/// Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base
/// address is not available, the loader reports an error.
///
IMAGE_FILE_RELOCS_STRIPPED = 0x0001,
/// The file is executable (there are no unresolved external references).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002,
/// COFF line numbers were stripped from the file.
IMAGE_FILE_LINE_NUMS_STRIPPED = 0x0004,
/// COFF symbol table entries were stripped from file.
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008,
/// Aggressively trim the working set. This value is obsolete.
IMAGE_FILE_AGGRESIVE_WS_TRIM = 0x0010,
/// The application can handle addresses larger than 2 GB.
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020,
/// The bytes of the word are reversed. This flag is obsolete.
IMAGE_FILE_BYTES_REVERSED_LO = 0x0080,
/// The computer supports 32-bit words.
IMAGE_FILE_32BIT_MACHINE = 0x0100,
/// Debugging information was removed and stored separately in another file.
IMAGE_FILE_DEBUG_STRIPPED = 0x0200,
/// If the image is on removable media, copy it to and run it from the swap file.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400,
/// If the image is on the network, copy it to and run it from the swap file.
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800,
/// The image is a system file.
IMAGE_FILE_SYSTEM = 0x1000,
/// The image is a DLL file. While it is an executable file, it cannot be run directly.
IMAGE_FILE_DLL = 0x2000,
/// The file should be run only on a uniprocessor computer.
IMAGE_FILE_UP_SYSTEM_ONLY = 0x4000,
/// The bytes of the word are reversed. This flag is obsolete.
IMAGE_FILE_BYTES_REVERSED_HI = 0x8000,
}
/// Represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used. The structure is used to locate the base of the call frame.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-fpo_data
// typedef struct _FPO_DATA { DWORD ulOffStart; DWORD cbProcSize; DWORD cdwLocals; WORD cdwParams; WORD cbProlog : 8; WORD cbRegs : 3; WORD fHasSEH : 1; WORD fUseBP : 1; WORD reserved : 1; WORD cbFrame : 2; } FPO_DATA, *PFPO_DATA;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._FPO_DATA")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct FPO_DATA
{
/// The offset of the first byte of the function code.
public uint ulOffStart;
/// The number of bytes in the function.
public uint cbProcSize;
/// The number of local variables.
public uint cdwLocals;
/// The size of the parameters, in DWORDs.
public ushort cdwParams;
private ushort flags;
#pragma warning disable IDE1006 // Naming Styles
/// The number of bytes in the function prolog code.
public ushort cbProlog
{
get => BitHelper.GetBits(flags, 0, 8);
set => BitHelper.SetBits(ref flags, 0, 8, value);
}
/// The number of registers saved.
public ushort cbRegs
{
get => BitHelper.GetBits(flags, 8, 3);
set => BitHelper.SetBits(ref flags, 8, 3, value);
}
/// A variable that indicates whether the function uses structured exception handling.
public bool fHasSEH
{
get => BitHelper.GetBit(flags, 11);
set => BitHelper.SetBit(ref flags, 11, value);
}
/// A variable that indicates whether the EBP register has been allocated.
public bool fUseBP
{
get => BitHelper.GetBit(flags, 12);
set => BitHelper.SetBit(ref flags, 12, value);
}
/// Reserved for future use.
public bool reserved
{
get => BitHelper.GetBit(flags, 13);
set => BitHelper.SetBit(ref flags, 13, value);
}
///
/// A variable that indicates the frame type.
///
///
/// Type
/// Meaning
///
/// -
/// FRAME_FPO 0
/// FPO frame
///
/// -
/// FRAME_NONFPO 3
/// Non-FPO frame
///
/// -
/// FRAME_TRAP 1
/// Trap frame
///
/// -
/// FRAME_TSS 2
/// TSS frame
///
///
///
public FRAME cbFrame
{
get => (FRAME)BitHelper.GetBits(flags, 14, 2);
set => BitHelper.SetBits(ref flags, 14, 2, (ushort)value);
}
#pragma warning restore IDE1006 // Naming Styles
}
/// Represents an entry in the function table on 64-bit Windows.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-runtime_function
// typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY { DWORD BeginAddress; DWORD EndAddress; union { DWORD UnwindInfoAddress; DWORD UnwindData; } DUMMYUNIONNAME; } RUNTIME_FUNCTION, *PRUNTIME_FUNCTION, _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_RUNTIME_FUNCTION_ENTRY")]
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_RUNTIME_FUNCTION_ENTRY
{
/// The address of the start of the function.
[FieldOffset(0)]
public uint BeginAddress;
/// The address of the end of the function.
[FieldOffset(4)]
public uint EndAddress;
/// The address of the unwind information for the function.
[FieldOffset(8)]
public uint UnwindInfoAddress;
///
[FieldOffset(8)]
public uint UnwindData;
}
///
/// The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the
/// specified computer.
///
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
public enum IMAGE_FILE_MACHINE : ushort
{
///
IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64,
/// Unknown
IMAGE_FILE_MACHINE_UNKNOWN = 0,
/// Useful for indicating we want to interact with the host and not a WoW guest.
IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001,
/// Intel 386.
IMAGE_FILE_MACHINE_I386 = 0x014c,
/// MIPS little-endian, 0x160 big-endian
IMAGE_FILE_MACHINE_R3000 = 0x0162,
/// MIPS little-endian
IMAGE_FILE_MACHINE_R4000 = 0x0166,
/// MIPS little-endian
IMAGE_FILE_MACHINE_R10000 = 0x0168,
/// MIPS little-endian WCE v2
IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169,
/// Alpha_AXP
IMAGE_FILE_MACHINE_ALPHA = 0x0184,
/// SH3 little-endian
IMAGE_FILE_MACHINE_SH3 = 0x01a2,
///
IMAGE_FILE_MACHINE_SH3DSP = 0x01a3,
/// SH3E little-endian
IMAGE_FILE_MACHINE_SH3E = 0x01a4,
/// SH4 little-endian
IMAGE_FILE_MACHINE_SH4 = 0x01a6,
/// SH5
IMAGE_FILE_MACHINE_SH5 = 0x01a8,
/// ARM Little-Endian
IMAGE_FILE_MACHINE_ARM = 0x01c0,
/// ARM Thumb/Thumb-2 Little-Endian
IMAGE_FILE_MACHINE_THUMB = 0x01c2,
/// ARM Thumb-2 Little-Endian
IMAGE_FILE_MACHINE_ARMNT = 0x01c4,
///
IMAGE_FILE_MACHINE_AM33 = 0x01d3,
/// IBM PowerPC Little-Endian
IMAGE_FILE_MACHINE_POWERPC = 0x01F0,
///
IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1,
/// Intel 64
IMAGE_FILE_MACHINE_IA64 = 0x0200,
/// MIPS
IMAGE_FILE_MACHINE_MIPS16 = 0x0266,
/// ALPHA64
IMAGE_FILE_MACHINE_ALPHA64 = 0x0284,
/// MIPS
IMAGE_FILE_MACHINE_MIPSFPU = 0x0366,
/// MIPS
IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466,
/// Infineon
IMAGE_FILE_MACHINE_TRICORE = 0x0520,
///
IMAGE_FILE_MACHINE_CEF = 0x0CEF,
/// EFI Byte Code
IMAGE_FILE_MACHINE_EBC = 0x0EBC,
/// AMD64 (K8)
IMAGE_FILE_MACHINE_AMD64 = 0x8664,
/// M32R little-endian
IMAGE_FILE_MACHINE_M32R = 0x9041,
/// ARM64 Little-Endian
IMAGE_FILE_MACHINE_ARM64 = 0xAA64,
///
IMAGE_FILE_MACHINE_CEE = 0xC0EE,
}
/// The state of the image file.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_OPTIONAL_MAGIC : ushort
{
/// The file is an executable image.
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
/// The file is an executable image.
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b,
/// The file is a ROM image.
IMAGE_ROM_OPTIONAL_HDR_MAGIC = 0x107,
}
/// The characteristics of the image.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_SECTION_HEADER")]
[Flags]
public enum IMAGE_SCN : uint
{
/// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES.
IMAGE_SCN_TYPE_NO_PAD = 0x00000008,
/// The section contains executable code.
IMAGE_SCN_CNT_CODE = 0x00000020,
/// The section contains initialized data.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040,
/// The section contains uninitialized data.
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080,
/// Reserved.
IMAGE_SCN_LNK_OTHER = 0x00000100,
/// The section contains comments or other information. This is valid only for object files.
IMAGE_SCN_LNK_INFO = 0x00000200,
/// The section will not become part of the image. This is valid only for object files.
IMAGE_SCN_LNK_REMOVE = 0x00000800,
/// The section contains COMDAT data. This is valid only for object files.
IMAGE_SCN_LNK_COMDAT = 0x00001000,
/// Reset speculative exceptions handling bits in the TLB entries for this section.
IMAGE_SCN_NO_DEFER_SPEC_EXC = 0x00004000,
/// The section contains data referenced through the global pointer.
IMAGE_SCN_GPREL = 0x00008000,
/// Reserved.
IMAGE_SCN_MEM_PURGEABLE = 0x00020000,
/// Reserved.
IMAGE_SCN_MEM_LOCKED = 0x00040000,
/// Reserved.
IMAGE_SCN_MEM_PRELOAD = 0x00080000,
/// Align data on a 1-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_1BYTES = 0x00100000,
/// Align data on a 2-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_2BYTES = 0x00200000,
/// Align data on a 4-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_4BYTES = 0x00300000,
/// Align data on a 8-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_8BYTES = 0x00400000,
/// Align data on a 16-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_16BYTES = 0x00500000,
/// Align data on a 32-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_32BYTES = 0x00600000,
/// Align data on a 64-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_64BYTES = 0x00700000,
/// Align data on a 128-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_128BYTES = 0x00800000,
/// Align data on a 256-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_256BYTES = 0x00900000,
/// Align data on a 512-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_512BYTES = 0x00A00000,
/// Align data on a 1024-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_1024BYTES = 0x00B00000,
/// Align data on a 2048-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_2048BYTES = 0x00C00000,
/// Align data on a 4096-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_4096BYTES = 0x00D00000,
/// Align data on a 8192-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_8192BYTES = 0x00E00000,
///
/// The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for
/// it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is
/// stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are
/// fewer than 0xffff relocations in the section.
///
IMAGE_SCN_LNK_NRELOC_OVFL = 0x01000000,
/// The section can be discarded as needed.
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000,
/// The section cannot be cached.
IMAGE_SCN_MEM_NOT_CACHED = 0x04000000,
/// The section cannot be paged.
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000,
/// The section can be shared in memory.
IMAGE_SCN_MEM_SHARED = 0x10000000,
/// The section can be executed as code.
IMAGE_SCN_MEM_EXECUTE = 0x20000000,
/// The section can be read.
IMAGE_SCN_MEM_READ = 0x40000000,
/// The section can be written to.
IMAGE_SCN_MEM_WRITE = 0x80000000,
}
/// The subsystem required to run this image.
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_SUBSYSTEM : ushort
{
/// Unknown subsystem.
IMAGE_SUBSYSTEM_UNKNOWN = 0,
/// No subsystem required (device drivers and native system processes).
IMAGE_SUBSYSTEM_NATIVE = 1,
/// Windows graphical user interface (GUI) subsystem.
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
/// Windows character-mode user interface (CUI) subsystem.
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
/// OS/2 CUI subsystem.
IMAGE_SUBSYSTEM_OS2_CUI = 5,
/// POSIX CUI subsystem.
IMAGE_SUBSYSTEM_POSIX_CUI = 7,
/// Windows CE system.
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
/// Extensible Firmware Interface (EFI) application.
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
/// EFI driver with boot services.
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
/// EFI driver with run-time services.
IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
/// EFI ROM image.
IMAGE_SUBSYSTEM_EFI_ROM = 13,
/// Xbox system.
IMAGE_SUBSYSTEM_XBOX = 14,
/// Boot application.
IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16,
}
/// Represents the COFF symbols header.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_coff_symbols_header typedef struct
// _IMAGE_COFF_SYMBOLS_HEADER { DWORD NumberOfSymbols; DWORD LvaToFirstSymbol; DWORD NumberOfLinenumbers; DWORD
// LvaToFirstLinenumber; DWORD RvaToFirstByteOfCode; DWORD RvaToLastByteOfCode; DWORD RvaToFirstByteOfData; DWORD
// RvaToLastByteOfData; } IMAGE_COFF_SYMBOLS_HEADER, *PIMAGE_COFF_SYMBOLS_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_COFF_SYMBOLS_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_COFF_SYMBOLS_HEADER
{
/// The number of symbols.
public uint NumberOfSymbols;
/// The virtual address of the first symbol.
public uint LvaToFirstSymbol;
/// The number of line-number entries.
public uint NumberOfLinenumbers;
/// The virtual address of the first line-number entry.
public uint LvaToFirstLinenumber;
/// The relative virtual address of the first byte of code.
public uint RvaToFirstByteOfCode;
/// The relative virtual address of the last byte of code.
public uint RvaToLastByteOfCode;
/// The relative virtual address of the first byte of data.
public uint RvaToFirstByteOfData;
/// The relative virtual address of the last byte of data.
public uint RvaToLastByteOfData;
}
/// Represents the data directory.
///
/// The following is a list of the data directories. Offsets are relative to the beginning of the optional header.
///
///
/// Offset (PE/PE32+)
/// Description
///
/// -
/// 96/112
/// Export table address and size
///
/// -
/// 104/120
/// Import table address and size
///
/// -
/// 112/128
/// Resource table address and size
///
/// -
/// 120/136
/// Exception table address and size
///
/// -
/// 128/144
/// Certificate table address and size
///
/// -
/// 136/152
/// Base relocation table address and size
///
/// -
/// 144/160
/// Debugging information starting address and size
///
/// -
/// 152/168
/// Architecture-specific data address and size
///
/// -
/// 160/176
/// Global pointer register relative virtual address
///
/// -
/// 168/184
/// Thread local storage (TLS) table address and size
///
/// -
/// 176/192
/// Load configuration table address and size
///
/// -
/// 184/200
/// Bound import table address and size
///
/// -
/// 192/208
/// Import address table address and size
///
/// -
/// 200/216
/// Delay import descriptor address and size
///
/// -
/// 208/224
/// The CLR header address and size
///
/// -
/// 216/232
/// Reserved
///
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_data_directory typedef struct _IMAGE_DATA_DIRECTORY {
// DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DATA_DIRECTORY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
/// The relative virtual address of the table.
public uint VirtualAddress;
/// The size of the table, in bytes.
public uint Size;
}
/// Represents the debug directory format.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_debug_directory typedef struct _IMAGE_DEBUG_DIRECTORY {
// DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Type; DWORD SizeOfData; DWORD
// AddressOfRawData; DWORD PointerToRawData; } IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DEBUG_DIRECTORY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DEBUG_DIRECTORY
{
/// Reserved.
public uint Characteristics;
/// The ime and date the debugging information was created.
public uint TimeDateStamp;
/// The major version number of the debugging information format.
public ushort MajorVersion;
/// The minor version number of the debugging information format.
public ushort MinorVersion;
///
/// The format of the debugging information. This member can be one of the following values.
///
///
/// Constant
/// Meaning
///
/// -
/// IMAGE_DEBUG_TYPE_UNKNOWN 0
/// Unknown value, ignored by all tools.
///
/// -
/// IMAGE_DEBUG_TYPE_COFF 1
///
/// COFF debugging information (line numbers, symbol table, and string table). This type of debugging information is also
/// pointed to by fields in the file headers.
///
///
/// -
/// IMAGE_DEBUG_TYPE_CODEVIEW 2
/// CodeView debugging information. The format of the data block is described by the CodeView 4.0 specification.
///
/// -
/// IMAGE_DEBUG_TYPE_FPO 3
///
/// Frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames,
/// which use the EBP register for a purpose other than as a frame pointer.
///
///
/// -
/// IMAGE_DEBUG_TYPE_MISC 4
/// Miscellaneous information.
///
/// -
/// IMAGE_DEBUG_TYPE_EXCEPTION 5
/// Exception information.
///
/// -
/// IMAGE_DEBUG_TYPE_FIXUP 6
/// Fixup information.
///
/// -
/// IMAGE_DEBUG_TYPE_BORLAND 9
/// Borland debugging information.
///
///
///
public IMAGE_DEBUG_TYPE Type;
/// The size of the debugging information, in bytes. This value does not include the debug directory itself.
public uint SizeOfData;
/// The address of the debugging information when the image is loaded, relative to the image base.
public uint AddressOfRawData;
/// A file pointer to the debugging information.
public uint PointerToRawData;
}
/// Undocumented.
[PInvokeData("winnt.h")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_EXPORT_DIRECTORY
{
#pragma warning disable CS1591 // Missing XML comment for publicly visible type or member
public uint Characteristics;
public uint TimeDateStamp;
public ushort MajorVersion;
public ushort MinorVersion;
public uint Name;
public uint Base;
public uint NumberOfFunctions;
public uint NumberOfNames;
public uint AddressOfFunctions; // RVA from base of image
public uint AddressOfNames; // RVA from base of image
public uint AddressOfNameOrdinals; // RVA from base of image
#pragma warning restore CS1591 // Missing XML comment for publicly visible type or member
}
/// Represents the COFF header format.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header typedef struct _IMAGE_FILE_HEADER { WORD
// Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD
// SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER
{
///
///
/// The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the
/// specified computer. This member can be one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// IMAGE_FILE_MACHINE_I386 0x014c
/// x86
///
/// -
/// IMAGE_FILE_MACHINE_IA64 0x0200
/// Intel Itanium
///
/// -
/// IMAGE_FILE_MACHINE_AMD64 0x8664
/// x64
///
///
///
public IMAGE_FILE_MACHINE Machine;
///
/// The number of sections. This indicates the size of the section table, which immediately follows the headers. Note that the
/// Windows loader limits the number of sections to 96.
///
public ushort NumberOfSections;
///
/// The low 32 bits of the time stamp of the image. This represents the date and time the image was created by the linker. The
/// value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated
/// Time, according to the system clock.
///
public uint TimeDateStamp;
/// The offset of the symbol table, in bytes, or zero if no COFF symbol table exists.
public uint PointerToSymbolTable;
/// The number of symbols in the symbol table.
public uint NumberOfSymbols;
/// The size of the optional header, in bytes. This value should be 0 for object files.
public ushort SizeOfOptionalHeader;
///
/// The characteristics of the image. This member can be one or more of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// IMAGE_FILE_RELOCS_STRIPPED 0x0001
///
/// Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base
/// address is not available, the loader reports an error.
///
///
/// -
/// IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
/// The file is executable (there are no unresolved external references).
///
/// -
/// IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
/// COFF line numbers were stripped from the file.
///
/// -
/// IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
/// COFF symbol table entries were stripped from file.
///
/// -
/// IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010
/// Aggressively trim the working set. This value is obsolete.
///
/// -
/// IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
/// The application can handle addresses larger than 2 GB.
///
/// -
/// IMAGE_FILE_BYTES_REVERSED_LO 0x0080
/// The bytes of the word are reversed. This flag is obsolete.
///
/// -
/// IMAGE_FILE_32BIT_MACHINE 0x0100
/// The computer supports 32-bit words.
///
/// -
/// IMAGE_FILE_DEBUG_STRIPPED 0x0200
/// Debugging information was removed and stored separately in another file.
///
/// -
/// IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
/// If the image is on removable media, copy it to and run it from the swap file.
///
/// -
/// IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
/// If the image is on the network, copy it to and run it from the swap file.
///
/// -
/// IMAGE_FILE_SYSTEM 0x1000
/// The image is a system file.
///
/// -
/// IMAGE_FILE_DLL 0x2000
/// The image is a DLL file. While it is an executable file, it cannot be run directly.
///
/// -
/// IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
/// The file should be run only on a uniprocessor computer.
///
/// -
/// IMAGE_FILE_BYTES_REVERSED_HI 0x8000
/// The bytes of the word are reversed. This flag is obsolete.
///
///
///
public IMAGE_FILE Characteristics;
}
/// Represents an entry in the function table.
///
/// The following definition exists for 64-bit support.
///
/// typedef struct _IMAGE_FUNCTION_ENTRY64 { ULONGLONG StartingAddress; ULONGLONG EndingAddress; union { ULONGLONG EndOfPrologue; ULONGLONG UnwindInfoAddress; }; } IMAGE_FUNCTION_ENTRY64, *PIMAGE_FUNCTION_ENTRY64;
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_function_entry typedef struct _IMAGE_FUNCTION_ENTRY {
// DWORD StartingAddress; DWORD EndingAddress; DWORD EndOfPrologue; } IMAGE_FUNCTION_ENTRY, *PIMAGE_FUNCTION_ENTRY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FUNCTION_ENTRY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FUNCTION_ENTRY
{
/// The image address of the start of the function.
public uint StartingAddress;
/// The image address of the end of the function.
public uint EndingAddress;
/// The image address of the end of the prologue code.
public uint EndOfPrologue;
}
/// Undocumented.
[PInvokeData("winnt.h")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_LOAD_CONFIG_CODE_INTEGRITY
{
/// Flags to indicate if CI information is available, etc.
public ushort Flags;
/// 0xFFFF means not available
public ushort Catalog;
///
public uint CatalogOffset;
/// Additional bitmask to be defined later
public uint Reserved;
}
/// Contains the load configuration data of an image.
///
///
/// If _WIN64 is defined, then IMAGE_LOAD_CONFIG_DIRECTORY is defined as IMAGE_LOAD_CONFIG_DIRECTORY64.
/// However, if _WIN64 is not defined, then IMAGE_LOAD_CONFIG_DIRECTORY is defined as IMAGE_LOAD_CONFIG_DIRECTORY32.
///
///
/// typedef struct { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear; DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold; DWORD LockPrefixTable; // VA DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD ProcessAffinityMask; WORD CSDVersion; WORD Reserved1; DWORD EditList; // VA DWORD SecurityCookie; // VA DWORD SEHandlerTable; // VA DWORD SEHandlerCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_load_config_directory32 typedef struct
// _IMAGE_LOAD_CONFIG_DIRECTORY32 { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear;
// DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold;
// DWORD LockPrefixTable; DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD
// ProcessAffinityMask; WORD CSDVersion; WORD DependentLoadFlags; DWORD EditList; DWORD SecurityCookie; DWORD SEHandlerTable; DWORD
// SEHandlerCount; DWORD GuardCFCheckFunctionPointer; DWORD GuardCFDispatchFunctionPointer; DWORD GuardCFFunctionTable; DWORD
// GuardCFFunctionCount; DWORD GuardFlags; IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; DWORD GuardAddressTakenIatEntryTable;
// DWORD GuardAddressTakenIatEntryCount; DWORD GuardLongJumpTargetTable; DWORD GuardLongJumpTargetCount; DWORD
// DynamicValueRelocTable; DWORD CHPEMetadataPointer; DWORD GuardRFFailureRoutine; DWORD GuardRFFailureRoutineFunctionPointer; DWORD
// DynamicValueRelocTableOffset; WORD DynamicValueRelocTableSection; WORD Reserved2; DWORD GuardRFVerifyStackPointerFunctionPointer;
// DWORD HotPatchTableOffset; DWORD Reserved3; DWORD EnclaveConfigurationPointer; DWORD VolatileMetadataPointer; DWORD
// GuardEHContinuationTable; DWORD GuardEHContinuationCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_LOAD_CONFIG_DIRECTORY32")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct IMAGE_LOAD_CONFIG_DIRECTORY32
{
/// The size of the structure. For Windows XP, the size must be specified as 64 for x86 images.
public uint Size;
///
/// The date and time stamp value. The value is represented in the number of seconds elapsed since midnight (00:00:00), January
/// 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed using the C run-time (CRT)
/// function ctime.
///
public uint TimeDateStamp;
/// The major version number.
public ushort MajorVersion;
/// The minor version number.
public ushort MinorVersion;
/// The global flags that control system behavior. For more information, see Gflags.exe.
public uint GlobalFlagsClear;
/// The global flags that control system behavior. For more information, see Gflags.exe.
public uint GlobalFlagsSet;
/// The critical section default time-out value.
public uint CriticalSectionDefaultTimeout;
///
/// The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.
///
public uint DeCommitFreeBlockThreshold;
///
/// The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes.
/// This value is advisory.
///
public uint DeCommitTotalFreeThreshold;
///
/// The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This
/// member is available only for x86.
///
public uint LockPrefixTable;
/// The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.
public uint MaximumAllocationSize;
/// The maximum block size that can be allocated from heap segments, in bytes.
public uint VirtualMemoryThreshold;
/// The process heap flags. For more information, see HeapCreate.
public uint ProcessHeapFlags;
///
/// The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.
///
public uint ProcessAffinityMask;
/// The service pack version.
public ushort CSDVersion;
///
public ushort DependentLoadFlags;
/// Reserved for use by the system.
public uint EditList;
/// A pointer to a cookie that is used by Visual C++ or GS implementation.
public uint SecurityCookie;
///
/// The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.
///
public uint SEHandlerTable;
/// The count of unique handlers in the table. This member is available only for x86.
public uint SEHandlerCount;
///
public uint GuardCFCheckFunctionPointer;
///
public uint GuardCFDispatchFunctionPointer;
///
public uint GuardCFFunctionTable;
///
public uint GuardCFFunctionCount;
///
public uint GuardFlags;
///
public IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
///
public uint GuardAddressTakenIatEntryTable;
///
public uint GuardAddressTakenIatEntryCount;
///
public uint GuardLongJumpTargetTable;
///
public uint GuardLongJumpTargetCount;
///
public uint DynamicValueRelocTable;
///
public uint CHPEMetadataPointer;
///
public uint GuardRFFailureRoutine;
///
public uint GuardRFFailureRoutineFunctionPointer;
///
public uint DynamicValueRelocTableOffset;
///
public ushort DynamicValueRelocTableSection;
///
public ushort Reserved2;
///
public uint GuardRFVerifyStackPointerFunctionPointer;
///
public uint HotPatchTableOffset;
///
public uint Reserved3;
///
public uint EnclaveConfigurationPointer;
///
public uint VolatileMetadataPointer;
///
public uint GuardEHContinuationTable;
///
public uint GuardEHContinuationCount;
}
/// Contains the load configuration data of an image.
///
///
/// If _WIN64 is defined, then IMAGE_LOAD_CONFIG_DIRECTORY is defined as IMAGE_LOAD_CONFIG_DIRECTORY64.
/// However, if _WIN64 is not defined, then IMAGE_LOAD_CONFIG_DIRECTORY is defined as IMAGE_LOAD_CONFIG_DIRECTORY32.
///
///
/// typedef struct { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear; DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold; DWORD LockPrefixTable; // VA DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD ProcessAffinityMask; WORD CSDVersion; WORD Reserved1; DWORD EditList; // VA DWORD SecurityCookie; // VA DWORD SEHandlerTable; // VA DWORD SEHandlerCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_load_config_directory64 typedef struct
// _IMAGE_LOAD_CONFIG_DIRECTORY64 { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear;
// DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; ULONGLONG DeCommitFreeBlockThreshold; ULONGLONG
// DeCommitTotalFreeThreshold; ULONGLONG LockPrefixTable; ULONGLONG MaximumAllocationSize; ULONGLONG VirtualMemoryThreshold;
// ULONGLONG ProcessAffinityMask; DWORD ProcessHeapFlags; WORD CSDVersion; WORD DependentLoadFlags; ULONGLONG EditList; ULONGLONG
// SecurityCookie; ULONGLONG SEHandlerTable; ULONGLONG SEHandlerCount; ULONGLONG GuardCFCheckFunctionPointer; ULONGLONG
// GuardCFDispatchFunctionPointer; ULONGLONG GuardCFFunctionTable; ULONGLONG GuardCFFunctionCount; DWORD GuardFlags;
// IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; ULONGLONG GuardAddressTakenIatEntryTable; ULONGLONG
// GuardAddressTakenIatEntryCount; ULONGLONG GuardLongJumpTargetTable; ULONGLONG GuardLongJumpTargetCount; ULONGLONG
// DynamicValueRelocTable; ULONGLONG CHPEMetadataPointer; ULONGLONG GuardRFFailureRoutine; ULONGLONG
// GuardRFFailureRoutineFunctionPointer; DWORD DynamicValueRelocTableOffset; WORD DynamicValueRelocTableSection; WORD Reserved2;
// ULONGLONG GuardRFVerifyStackPointerFunctionPointer; DWORD HotPatchTableOffset; DWORD Reserved3; ULONGLONG
// EnclaveConfigurationPointer; ULONGLONG VolatileMetadataPointer; ULONGLONG GuardEHContinuationTable; ULONGLONG
// GuardEHContinuationCount; } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_LOAD_CONFIG_DIRECTORY64")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct IMAGE_LOAD_CONFIG_DIRECTORY64
{
/// The size of the structure. For Windows XP, the size must be specified as 64 for x86 images.
public uint Size;
///
/// The date and time stamp value. The value is represented in the number of seconds elapsed since midnight (00:00:00), January
/// 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed using the C run-time (CRT)
/// function ctime.
///
public uint TimeDateStamp;
/// The major version number.
public ushort MajorVersion;
/// The minor version number.
public ushort MinorVersion;
/// The global flags that control system behavior. For more information, see Gflags.exe.
public uint GlobalFlagsClear;
/// The global flags that control system behavior. For more information, see Gflags.exe.
public uint GlobalFlagsSet;
/// The critical section default time-out value.
public uint CriticalSectionDefaultTimeout;
///
/// The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.
///
public ulong DeCommitFreeBlockThreshold;
///
/// The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes.
/// This value is advisory.
///
public ulong DeCommitTotalFreeThreshold;
///
/// The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This
/// member is available only for x86.
///
public ulong LockPrefixTable;
/// The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.
public ulong MaximumAllocationSize;
/// The maximum block size that can be allocated from heap segments, in bytes.
public ulong VirtualMemoryThreshold;
///
/// The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.
///
public ulong ProcessAffinityMask;
/// The process heap flags. For more information, see HeapCreate.
public uint ProcessHeapFlags;
/// The service pack version.
public ushort CSDVersion;
///
public ushort DependentLoadFlags;
/// Reserved for use by the system.
public ulong EditList;
/// A pointer to a cookie that is used by Visual C++ or GS implementation.
public ulong SecurityCookie;
///
/// The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.
///
public ulong SEHandlerTable;
/// The count of unique handlers in the table. This member is available only for x86.
public ulong SEHandlerCount;
///
public ulong GuardCFCheckFunctionPointer;
///
public ulong GuardCFDispatchFunctionPointer;
///
public ulong GuardCFFunctionTable;
///
public ulong GuardCFFunctionCount;
///
public uint GuardFlags;
///
public IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
///
public ulong GuardAddressTakenIatEntryTable;
///
public ulong GuardAddressTakenIatEntryCount;
///
public ulong GuardLongJumpTargetTable;
///
public ulong GuardLongJumpTargetCount;
///
public ulong DynamicValueRelocTable;
///
public ulong CHPEMetadataPointer;
///
public ulong GuardRFFailureRoutine;
///
public ulong GuardRFFailureRoutineFunctionPointer;
///
public uint DynamicValueRelocTableOffset;
///
public ushort DynamicValueRelocTableSection;
///
public ushort Reserved2;
///
public ulong GuardRFVerifyStackPointerFunctionPointer;
///
public uint HotPatchTableOffset;
///
public uint Reserved3;
///
public ulong EnclaveConfigurationPointer;
///
public ulong VolatileMetadataPointer;
///
public ulong GuardEHContinuationTable;
///
public ulong GuardEHContinuationCount;
}
/// Represents the PE header format.
///
///
/// The actual structure in WinNT.h is named IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS is defined as
/// IMAGE_NT_HEADERS32. However, if _WIN64 is defined, then IMAGE_NT_HEADERS is defined as IMAGE_NT_HEADERS64.
///
///
/// typedef struct _IMAGE_NT_HEADERS64 { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_nt_headers32 typedef struct _IMAGE_NT_HEADERS { DWORD
// Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader; } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_NT_HEADERS")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_NT_HEADERS
{
/// A 4-byte signature identifying the file as a PE image. The bytes are "PE\0\0".
public uint Signature;
/// An IMAGE_FILE_HEADER structure that specifies the file header.
public IMAGE_FILE_HEADER FileHeader;
/// An IMAGE_OPTIONAL_HEADER structure that specifies the optional file header.
public IMAGE_OPTIONAL_HEADER OptionalHeader;
}
/// Represents the optional header format.
///
/// The number of directories is not fixed. Check the NumberOfRvaAndSizes member before looking for a specific directory.
///
/// The actual structure in WinNT.h is named IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER is defined as
/// IMAGE_OPTIONAL_HEADER32. However, if _WIN64 is defined, then IMAGE_OPTIONAL_HEADER is defined as IMAGE_OPTIONAL_HEADER64.
///
///
/// typedef struct _IMAGE_OPTIONAL_HEADER64 { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; ULONGLONG ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; ULONGLONG SizeOfStackReserve; ULONGLONG SizeOfStackCommit; ULONGLONG SizeOfHeapReserve; ULONGLONG SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32 typedef struct _IMAGE_OPTIONAL_HEADER {
// WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD
// SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment;
// DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD
// MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD
// SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD
// SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY
// DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public unsafe struct IMAGE_OPTIONAL_HEADER
{
///
/// The state of the image file. This member can be one of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// IMAGE_NT_OPTIONAL_HDR_MAGIC
///
/// The file is an executable image. This value is defined as IMAGE_NT_OPTIONAL_HDR32_MAGIC in a 32-bit application and as
/// IMAGE_NT_OPTIONAL_HDR64_MAGIC in a 64-bit application.
///
///
/// -
/// IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
/// The file is an executable image.
///
/// -
/// IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
/// The file is an executable image.
///
/// -
/// IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
/// The file is a ROM image.
///
///
///
public IMAGE_OPTIONAL_MAGIC Magic;
/// The major version number of the linker.
public byte MajorLinkerVersion;
/// The minor version number of the linker.
public byte MinorLinkerVersion;
/// The size of the code section, in bytes, or the sum of all such sections if there are multiple code sections.
public uint SizeOfCode;
///
/// The size of the initialized data section, in bytes, or the sum of all such sections if there are multiple initialized data sections.
///
public uint SizeOfInitializedData;
///
/// The size of the uninitialized data section, in bytes, or the sum of all such sections if there are multiple uninitialized
/// data sections.
///
public uint SizeOfUninitializedData;
///
/// A pointer to the entry point function, relative to the image base address. For executable files, this is the starting
/// address. For device drivers, this is the address of the initialization function. The entry point function is optional for
/// DLLs. When no entry point is present, this member is zero.
///
public uint AddressOfEntryPoint;
/// A pointer to the beginning of the code section, relative to the image base.
public uint BaseOfCode;
/// A pointer to the beginning of the data section, relative to the image base.
public uint BaseOfData;
///
/// The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The
/// default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
///
public uint ImageBase;
///
/// The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the FileAlignment
/// member. The default value is the page size for the system.
///
public uint SectionAlignment;
///
/// The alignment of the raw data of sections in the image file, in bytes. The value should be a power of 2 between 512 and 64K
/// (inclusive). The default is 512. If the SectionAlignment member is less than the system page size, this member must
/// be the same as SectionAlignment.
///
public uint FileAlignment;
/// The major version number of the required operating system.
public ushort MajorOperatingSystemVersion;
/// The minor version number of the required operating system.
public ushort MinorOperatingSystemVersion;
/// The major version number of the image.
public ushort MajorImageVersion;
/// The minor version number of the image.
public ushort MinorImageVersion;
/// The major version number of the subsystem.
public ushort MajorSubsystemVersion;
/// The minor version number of the subsystem.
public ushort MinorSubsystemVersion;
/// This member is reserved and must be 0.
public uint Win32VersionValue;
/// The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
public uint SizeOfImage;
///
///
/// The combined size of the following items, rounded to a multiple of the value specified in the FileAlignment member.
///
///
/// -
/// e_lfanew member of IMAGE_DOS_HEADER
///
/// -
/// 4 byte signature
///
/// -
/// size of IMAGE_FILE_HEADER
///
/// -
/// size of optional header
///
/// -
/// size of all section headers
///
///
///
public uint SizeOfHeaders;
///
/// The image file checksum. The following files are validated at load time: all drivers, any DLL loaded at boot time, and any
/// DLL loaded into a critical system process.
///
public uint CheckSum;
///
/// The subsystem required to run this image. The following values are defined.
///
///
/// Value
/// Meaning
///
/// -
/// IMAGE_SUBSYSTEM_UNKNOWN 0
/// Unknown subsystem.
///
/// -
/// IMAGE_SUBSYSTEM_NATIVE 1
/// No subsystem required (device drivers and native system processes).
///
/// -
/// IMAGE_SUBSYSTEM_WINDOWS_GUI 2
/// Windows graphical user interface (GUI) subsystem.
///
/// -
/// IMAGE_SUBSYSTEM_WINDOWS_CUI 3
/// Windows character-mode user interface (CUI) subsystem.
///
/// -
/// IMAGE_SUBSYSTEM_OS2_CUI 5
/// OS/2 CUI subsystem.
///
/// -
/// IMAGE_SUBSYSTEM_POSIX_CUI 7
/// POSIX CUI subsystem.
///
/// -
/// IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
/// Windows CE system.
///
/// -
/// IMAGE_SUBSYSTEM_EFI_APPLICATION 10
/// Extensible Firmware Interface (EFI) application.
///
/// -
/// IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
/// EFI driver with boot services.
///
/// -
/// IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
/// EFI driver with run-time services.
///
/// -
/// IMAGE_SUBSYSTEM_EFI_ROM 13
/// EFI ROM image.
///
/// -
/// IMAGE_SUBSYSTEM_XBOX 14
/// Xbox system.
///
/// -
/// IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
/// Boot application.
///
///
///
public IMAGE_SUBSYSTEM Subsystem;
///
/// The DLL characteristics of the image. The following values are defined.
///
///
/// Value
/// Meaning
///
/// -
/// 0x0001
/// Reserved.
///
/// -
/// 0x0002
/// Reserved.
///
/// -
/// 0x0004
/// Reserved.
///
/// -
/// 0x0008
/// Reserved.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
/// The DLL can be relocated at load time.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080
///
/// Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the
/// PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the
/// digital signature cannot be verified.
///
///
/// -
/// IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
/// The image is compatible with data execution prevention (DEP).
///
/// -
/// IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
/// The image is isolation aware, but should not be isolated.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
/// The image does not use structured exception handling (SEH). No handlers can be called in this image.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
/// Do not bind the image.
///
/// -
/// 0x1000
/// Reserved.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
/// A WDM driver.
///
/// -
/// 0x4000
/// Reserved.
///
/// -
/// IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
/// The image is terminal server aware.
///
///
///
public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
///
/// The number of bytes to reserve for the stack. Only the memory specified by the SizeOfStackCommit member is committed
/// at load time; the rest is made available one page at a time until this reserve size is reached.
///
public uint SizeOfStackReserve;
/// The number of bytes to commit for the stack.
public uint SizeOfStackCommit;
///
/// The number of bytes to reserve for the local heap. Only the memory specified by the SizeOfHeapCommit member is
/// committed at load time; the rest is made available one page at a time until this reserve size is reached.
///
public uint SizeOfHeapReserve;
/// The number of bytes to commit for the local heap.
public uint SizeOfHeapCommit;
/// This member is obsolete.
public uint LoaderFlags;
///
/// The number of directory entries in the remainder of the optional header. Each entry describes a location and size.
///
public uint NumberOfRvaAndSizes;
//[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16 /*IMAGE_NUMBEROF_DIRECTORY_ENTRIES*/)]
private fixed ulong _DataDirectory[16];
///
/// A pointer to the first IMAGE_DATA_DIRECTORY structure in the data directory.
/// The index number of the desired directory entry. This parameter can be one of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7
/// Architecture-specific data
///
/// -
/// IMAGE_DIRECTORY_ENTRY_BASERELOC 5
/// Base relocation table
///
/// -
/// IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
/// Bound import directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
/// COM descriptor table
///
/// -
/// IMAGE_DIRECTORY_ENTRY_DEBUG 6
/// Debug directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
/// Delay import table
///
/// -
/// IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
/// Exception directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_EXPORT 0
/// Export directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8
/// The relative virtual address of global pointer
///
/// -
/// IMAGE_DIRECTORY_ENTRY_IAT 12
/// Import address table
///
/// -
/// IMAGE_DIRECTORY_ENTRY_IMPORT 1
/// Import directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
/// Load configuration directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_RESOURCE 2
/// Resource directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_SECURITY 4
/// Security directory
///
/// -
/// IMAGE_DIRECTORY_ENTRY_TLS 9
/// Thread local storage directory
///
///
///
public IMAGE_DATA_DIRECTORY[] DataDirectory
{
get
{
unsafe
{
fixed (void* dd = _DataDirectory)
{
return ((IntPtr)dd).ToArray(16);
}
}
}
set
{
if (value is null || value.Length != 16)
throw new ArgumentOutOfRangeException(nameof(DataDirectory), "Must be an array with 16 elements.");
unsafe
{
fixed (IMAGE_DATA_DIRECTORY* v = value)
fixed (void* dd = _DataDirectory)
{
((IntPtr)v).CopyTo((IntPtr)dd, sizeof(ulong) * 16);
}
}
}
}
}
/// Represents the image section header format.
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header typedef struct _IMAGE_SECTION_HEADER {
// BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD
// SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD
// NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_SECTION_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_SECTION_HEADER
{
///
/// An 8-byte, null-padded UTF-8 string. There is no terminating null character if the string is exactly eight characters long.
/// For longer names, this member contains a forward slash (/) followed by an ASCII representation of a decimal number that is
/// an offset into the string table. Executable images do not use a string table and do not support section names longer than
/// eight characters.
///
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8 /*IMAGE_SIZEOF_SHORT_NAME*/)]
public byte[] Name;
///
public MISC Misc;
///
/// The address of the first byte of the section when loaded into memory, relative to the image base. For object files, this is
/// the address of the first byte before relocation is applied.
///
public uint VirtualAddress;
///
/// The size of the initialized data on disk, in bytes. This value must be a multiple of the FileAlignment member of the
/// IMAGE_OPTIONAL_HEADER structure. If this value is less than the VirtualSize member, the remainder of the section is
/// filled with zeroes. If the section contains only uninitialized data, the member is zero.
///
public uint SizeOfRawData;
///
/// A file pointer to the first page within the COFF file. This value must be a multiple of the FileAlignment member of
/// the IMAGE_OPTIONAL_HEADER structure. If a section contains only uninitialized data, set this member is zero.
///
public uint PointerToRawData;
///
/// A file pointer to the beginning of the relocation entries for the section. If there are no relocations, this value is zero.
///
public uint PointerToRelocations;
///
/// A file pointer to the beginning of the line-number entries for the section. If there are no COFF line numbers, this value is zero.
///
public uint PointerToLinenumbers;
/// The number of relocation entries for the section. This value is zero for executable images.
public ushort NumberOfRelocations;
/// The number of line-number entries for the section.
public ushort NumberOfLinenumbers;
///
/// The characteristics of the image. The following values are defined.
///
///
/// Flag
/// Meaning
///
/// -
/// 0x00000000
/// Reserved.
///
/// -
/// 0x00000001
/// Reserved.
///
/// -
/// 0x00000002
/// Reserved.
///
/// -
/// 0x00000004
/// Reserved.
///
/// -
/// IMAGE_SCN_TYPE_NO_PAD 0x00000008
/// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES.
///
/// -
/// 0x00000010
/// Reserved.
///
/// -
/// IMAGE_SCN_CNT_CODE 0x00000020
/// The section contains executable code.
///
/// -
/// IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040
/// The section contains initialized data.
///
/// -
/// IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080
/// The section contains uninitialized data.
///
/// -
/// IMAGE_SCN_LNK_OTHER 0x00000100
/// Reserved.
///
/// -
/// IMAGE_SCN_LNK_INFO 0x00000200
/// The section contains comments or other information. This is valid only for object files.
///
/// -
/// 0x00000400
/// Reserved.
///
/// -
/// IMAGE_SCN_LNK_REMOVE 0x00000800
/// The section will not become part of the image. This is valid only for object files.
///
/// -
/// IMAGE_SCN_LNK_COMDAT 0x00001000
/// The section contains COMDAT data. This is valid only for object files.
///
/// -
/// 0x00002000
/// Reserved.
///
/// -
/// IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000
/// Reset speculative exceptions handling bits in the TLB entries for this section.
///
/// -
/// IMAGE_SCN_GPREL 0x00008000
/// The section contains data referenced through the global pointer.
///
/// -
/// 0x00010000
/// Reserved.
///
/// -
/// IMAGE_SCN_MEM_PURGEABLE 0x00020000
/// Reserved.
///
/// -
/// IMAGE_SCN_MEM_LOCKED 0x00040000
/// Reserved.
///
/// -
/// IMAGE_SCN_MEM_PRELOAD 0x00080000
/// Reserved.
///
/// -
/// IMAGE_SCN_ALIGN_1BYTES 0x00100000
/// Align data on a 1-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_2BYTES 0x00200000
/// Align data on a 2-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_4BYTES 0x00300000
/// Align data on a 4-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_8BYTES 0x00400000
/// Align data on a 8-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_16BYTES 0x00500000
/// Align data on a 16-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_32BYTES 0x00600000
/// Align data on a 32-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_64BYTES 0x00700000
/// Align data on a 64-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_128BYTES 0x00800000
/// Align data on a 128-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_256BYTES 0x00900000
/// Align data on a 256-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_512BYTES 0x00A00000
/// Align data on a 512-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_1024BYTES 0x00B00000
/// Align data on a 1024-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_2048BYTES 0x00C00000
/// Align data on a 2048-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_4096BYTES 0x00D00000
/// Align data on a 4096-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_ALIGN_8192BYTES 0x00E00000
/// Align data on a 8192-byte boundary. This is valid only for object files.
///
/// -
/// IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000
///
/// The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for
/// it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is
/// stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are
/// fewer than 0xffff relocations in the section.
///
///
/// -
/// IMAGE_SCN_MEM_DISCARDABLE 0x02000000
/// The section can be discarded as needed.
///
/// -
/// IMAGE_SCN_MEM_NOT_CACHED 0x04000000
/// The section cannot be cached.
///
/// -
/// IMAGE_SCN_MEM_NOT_PAGED 0x08000000
/// The section cannot be paged.
///
/// -
/// IMAGE_SCN_MEM_SHARED 0x10000000
/// The section can be shared in memory.
///
/// -
/// IMAGE_SCN_MEM_EXECUTE 0x20000000
/// The section can be executed as code.
///
/// -
/// IMAGE_SCN_MEM_READ 0x40000000
/// The section can be read.
///
/// -
/// IMAGE_SCN_MEM_WRITE 0x80000000
/// The section can be written to.
///
///
///
public IMAGE_SCN Characteristics;
///
[StructLayout(LayoutKind.Explicit)]
public struct MISC
{
/// The file address.
[FieldOffset(0)]
public uint PhysicalAddress;
///
/// The total size of the section when loaded into memory, in bytes. If this value is greater than the SizeOfRawData
/// member, the section is filled with zeroes. This field is valid only for executable images and should be set to 0 for
/// object files.
///
[FieldOffset(0)]
public uint VirtualSize;
}
}
}
}