sean-m
/
Vanara
mirror of https://github.com/dahall/Vanara.git
1
0
Fork 0
Code Issues Releases Wiki Activity
Vanara/PInvoke/DbgHelp/WinNT.cs

2093 lines
79 KiB
C#
Raw Blame History

using System;
using System.Runtime.InteropServices;
using Vanara.Extensions;
using Vanara.InteropServices;
namespace Vanara.PInvoke
{
public static partial class DbgHelp
{
/// <summary>A <c>LIST_ENTRY</c> structure describes an entry in a doubly linked list or serves as the header for such a list.</summary>
/// <remarks>
/// <para>A <c>LIST_ENTRY</c> structure that describes the list head must have been initialized by calling InitializeListHead.</para>
/// <para>
/// A driver can access the <c>Flink</c> or <c>Blink</c> members of a <c>LIST_ENTRY</c>, but the members must only be updated by the
/// system routines supplied for this purpose.
/// </para>
/// <para>
/// For more information about how to use <c>LIST_ENTRY</c> structures to implement a doubly linked list, see Singly and Doubly
/// Linked Lists.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-list_entry typedef struct _LIST_ENTRY { struct _LIST_ENTRY
// *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY, PRLIST_ENTRY;
[PInvokeData("ntdef.h", MSDNShortId = "NS:ntdef._LIST_ENTRY")]
[StructLayout(LayoutKind.Sequential)]
public struct LIST_ENTRY
{
/// <summary>
/// <para>
/// For a <c>LIST_ENTRY</c> structure that serves as a list entry, the <c>Flink</c> member points to the next entry in the list
/// or to the list header if there is no next entry in the list.
/// </para>
/// <para>
/// For a <c>LIST_ENTRY</c> structure that serves as the list header, the <c>Flink</c> member points to the first entry in the
/// list or to the LIST_ENTRY structure itself if the list is empty.
/// </para>
/// </summary>
public IntPtr Flink;
/// <summary>
/// <para>
/// For a <c>LIST_ENTRY</c> structure that serves as a list entry, the <c>Blink</c> member points to the previous entry in the
/// list or to the list header if there is no previous entry in the list.
/// </para>
/// <para>
/// For a <c>LIST_ENTRY</c> structure that serves as the list header, the <c>Blink</c> member points to the last entry in the
/// list or to the <c>LIST_ENTRY</c> structure itself if the list is empty.
/// </para>
/// </summary>
public IntPtr Blink;
}
/// <summary>The format of the debugging information. This member can be one of the following values.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DEBUG_DIRECTORY")]
public enum IMAGE_DEBUG_TYPE
{
/// <summary>Unknown value, ignored by all tools.</summary>
IMAGE_DEBUG_TYPE_UNKNOWN = 0,
/// <summary>
/// COFF debugging information (line numbers, symbol table, and string table). This type of debugging information is also
/// pointed to by fields in the file headers.
/// </summary>
IMAGE_DEBUG_TYPE_COFF = 1,
/// <summary>CodeView debugging information. The format of the data block is described by the CodeView 4.0 specification.</summary>
IMAGE_DEBUG_TYPE_CODEVIEW = 2,
/// <summary>
/// Frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames,
/// which use the EBP register for a purpose other than as a frame pointer.
/// </summary>
IMAGE_DEBUG_TYPE_FPO = 3,
/// <summary>Miscellaneous information.</summary>
IMAGE_DEBUG_TYPE_MISC = 4,
/// <summary>Exception information.</summary>
IMAGE_DEBUG_TYPE_EXCEPTION = 5,
/// <summary>Fixup information.</summary>
IMAGE_DEBUG_TYPE_FIXUP = 6,
/// <summary>Borland debugging information.</summary>
IMAGE_DEBUG_TYPE_BORLAND = 9,
/// <summary/>
IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7,
/// <summary/>
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8,
/// <summary/>
IMAGE_DEBUG_TYPE_RESERVED10 = 10,
/// <summary/>
IMAGE_DEBUG_TYPE_CLSID = 11,
/// <summary/>
IMAGE_DEBUG_TYPE_VC_FEATURE = 12,
/// <summary/>
IMAGE_DEBUG_TYPE_POGO = 13,
/// <summary/>
IMAGE_DEBUG_TYPE_ILTCG = 14,
/// <summary/>
IMAGE_DEBUG_TYPE_MPX = 15,
/// <summary/>
IMAGE_DEBUG_TYPE_REPRO = 16,
/// <summary/>
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20,
}
/// <summary>The index number of the desired directory entry.</summary>
[PInvokeData("winnt.h")]
public enum IMAGE_DIRECTORY_ENTRY : ushort
{
/// <summary>Architecture-specific data</summary>
MAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7,
/// <summary>Base relocation table</summary>
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5,
/// <summary>Bound import directory</summary>
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11,
/// <summary>COM descriptor table</summary>
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14,
/// <summary>Debug directory</summary>
IMAGE_DIRECTORY_ENTRY_DEBUG = 6,
/// <summary>Delay import table</summary>
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13,
/// <summary>Exception directory</summary>
IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3,
/// <summary>Export directory</summary>
[CorrespondingType(typeof(IMAGE_EXPORT_DIRECTORY), CorrespondingAction.Get)]
IMAGE_DIRECTORY_ENTRY_EXPORT = 0,
/// <summary>The relative virtual address of global pointer</summary>
IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8,
/// <summary>Import address table</summary>
IMAGE_DIRECTORY_ENTRY_IAT = 12,
/// <summary>Import directory</summary>
IMAGE_DIRECTORY_ENTRY_IMPORT = 1,
/// <summary>Load configuration directory</summary>
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10,
/// <summary>Resource directory</summary>
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2,
/// <summary>Security directory</summary>
IMAGE_DIRECTORY_ENTRY_SECURITY = 4,
/// <summary>Thread local storage directory</summary>
IMAGE_DIRECTORY_ENTRY_TLS = 9,
}
/// <summary>The DLL characteristics of the image.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_DLLCHARACTERISTICS : ushort
{
/// <summary>The DLL can be relocated at load time.</summary>
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040,
/// <summary>
/// Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the
/// PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the
/// digital signature cannot be verified.
/// </summary>
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
/// <summary>The image is compatible with data execution prevention (DEP).</summary>
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100,
/// <summary>The image is isolation aware, but should not be isolated.</summary>
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
/// <summary>The image does not use structured exception handling (SEH). No handlers can be called in this image.</summary>
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
/// <summary>Do not bind the image.</summary>
IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
/// <summary>A WDM driver.</summary>
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
/// <summary>The image is terminal server aware.</summary>
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000,
}
/// <summary>The characteristics of the image.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
[Flags]
public enum IMAGE_FILE : ushort
{
/// <summary>
/// Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base
/// address is not available, the loader reports an error.
/// </summary>
IMAGE_FILE_RELOCS_STRIPPED = 0x0001,
/// <summary>The file is executable (there are no unresolved external references).</summary>
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002,
/// <summary>COFF line numbers were stripped from the file.</summary>
IMAGE_FILE_LINE_NUMS_STRIPPED = 0x0004,
/// <summary>COFF symbol table entries were stripped from file.</summary>
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008,
/// <summary>Aggressively trim the working set. This value is obsolete.</summary>
IMAGE_FILE_AGGRESIVE_WS_TRIM = 0x0010,
/// <summary>The application can handle addresses larger than 2 GB.</summary>
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020,
/// <summary>The bytes of the word are reversed. This flag is obsolete.</summary>
IMAGE_FILE_BYTES_REVERSED_LO = 0x0080,
/// <summary>The computer supports 32-bit words.</summary>
IMAGE_FILE_32BIT_MACHINE = 0x0100,
/// <summary>Debugging information was removed and stored separately in another file.</summary>
IMAGE_FILE_DEBUG_STRIPPED = 0x0200,
/// <summary>If the image is on removable media, copy it to and run it from the swap file.</summary>
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400,
/// <summary>If the image is on the network, copy it to and run it from the swap file.</summary>
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800,
/// <summary>The image is a system file.</summary>
IMAGE_FILE_SYSTEM = 0x1000,
/// <summary>The image is a DLL file. While it is an executable file, it cannot be run directly.</summary>
IMAGE_FILE_DLL = 0x2000,
/// <summary>The file should be run only on a uniprocessor computer.</summary>
IMAGE_FILE_UP_SYSTEM_ONLY = 0x4000,
/// <summary>The bytes of the word are reversed. This flag is obsolete.</summary>
IMAGE_FILE_BYTES_REVERSED_HI = 0x8000,
}
/// <summary>Represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used. The structure is used to locate the base of the call frame.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-fpo_data
// typedef struct _FPO_DATA { DWORD ulOffStart; DWORD cbProcSize; DWORD cdwLocals; WORD cdwParams; WORD cbProlog : 8; WORD cbRegs : 3; WORD fHasSEH : 1; WORD fUseBP : 1; WORD reserved : 1; WORD cbFrame : 2; } FPO_DATA, *PFPO_DATA;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._FPO_DATA")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct FPO_DATA
{
/// <summary>The offset of the first byte of the function code.</summary>
public uint ulOffStart;
/// <summary>The number of bytes in the function.</summary>
public uint cbProcSize;
/// <summary>The number of local variables.</summary>
public uint cdwLocals;
/// <summary>The size of the parameters, in <c>DWORD</c>s.</summary>
public ushort cdwParams;
private ushort flags;
#pragma warning disable IDE1006 // Naming Styles
/// <summary>The number of bytes in the function prolog code.</summary>
public ushort cbProlog
{
get => BitHelper.GetBits(flags, 0, 8);
set => BitHelper.SetBits(ref flags, 0, 8, value);
}
/// <summary>The number of registers saved.</summary>
public ushort cbRegs
{
get => BitHelper.GetBits(flags, 8, 3);
set => BitHelper.SetBits(ref flags, 8, 3, value);
}
/// <summary>A variable that indicates whether the function uses structured exception handling.</summary>
public bool fHasSEH
{
get => BitHelper.GetBit(flags, 11);
set => BitHelper.SetBit(ref flags, 11, value);
}
/// <summary>A variable that indicates whether the EBP register has been allocated.</summary>
public bool fUseBP
{
get => BitHelper.GetBit(flags, 12);
set => BitHelper.SetBit(ref flags, 12, value);
}
/// <summary>Reserved for future use.</summary>
public bool reserved
{
get => BitHelper.GetBit(flags, 13);
set => BitHelper.SetBit(ref flags, 13, value);
}
/// <summary>
/// <para>A variable that indicates the frame type.</para>
/// <list type="table">
/// <listheader>
/// <term>Type</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>FRAME_FPO 0</term>
/// <term>FPO frame</term>
/// </item>
/// <item>
/// <term>FRAME_NONFPO 3</term>
/// <term>Non-FPO frame</term>
/// </item>
/// <item>
/// <term>FRAME_TRAP 1</term>
/// <term>Trap frame</term>
/// </item>
/// <item>
/// <term>FRAME_TSS 2</term>
/// <term>TSS frame</term>
/// </item>
/// </list>
/// </summary>
public FRAME cbFrame
{
get => (FRAME)BitHelper.GetBits(flags, 14, 2);
set => BitHelper.SetBits(ref flags, 14, 2, (ushort)value);
}
#pragma warning restore IDE1006 // Naming Styles
}
/// <summary>Represents an entry in the function table on 64-bit Windows.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-runtime_function
// typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY { DWORD BeginAddress; DWORD EndAddress; union { DWORD UnwindInfoAddress; DWORD UnwindData; } DUMMYUNIONNAME; } RUNTIME_FUNCTION, *PRUNTIME_FUNCTION, _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_RUNTIME_FUNCTION_ENTRY")]
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_RUNTIME_FUNCTION_ENTRY
{
/// <summary>The address of the start of the function.</summary>
[FieldOffset(0)]
public uint BeginAddress;
/// <summary>The address of the end of the function.</summary>
[FieldOffset(4)]
public uint EndAddress;
/// <summary>The address of the unwind information for the function.</summary>
[FieldOffset(8)]
public uint UnwindInfoAddress;
/// <summary />
[FieldOffset(8)]
public uint UnwindData;
}
/// <summary>
/// The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the
/// specified computer.
/// </summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
public enum IMAGE_FILE_MACHINE : ushort
{
/// <summary/>
IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64,
/// <summary>Unknown</summary>
IMAGE_FILE_MACHINE_UNKNOWN = 0,
/// <summary>Useful for indicating we want to interact with the host and not a WoW guest.</summary>
IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001,
/// <summary>Intel 386.</summary>
IMAGE_FILE_MACHINE_I386 = 0x014c,
/// <summary>MIPS little-endian, 0x160 big-endian</summary>
IMAGE_FILE_MACHINE_R3000 = 0x0162,
/// <summary>MIPS little-endian</summary>
IMAGE_FILE_MACHINE_R4000 = 0x0166,
/// <summary>MIPS little-endian</summary>
IMAGE_FILE_MACHINE_R10000 = 0x0168,
/// <summary>MIPS little-endian WCE v2</summary>
IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169,
/// <summary>Alpha_AXP</summary>
IMAGE_FILE_MACHINE_ALPHA = 0x0184,
/// <summary>SH3 little-endian</summary>
IMAGE_FILE_MACHINE_SH3 = 0x01a2,
/// <summary/>
IMAGE_FILE_MACHINE_SH3DSP = 0x01a3,
/// <summary>SH3E little-endian</summary>
IMAGE_FILE_MACHINE_SH3E = 0x01a4,
/// <summary>SH4 little-endian</summary>
IMAGE_FILE_MACHINE_SH4 = 0x01a6,
/// <summary>SH5</summary>
IMAGE_FILE_MACHINE_SH5 = 0x01a8,
/// <summary>ARM Little-Endian</summary>
IMAGE_FILE_MACHINE_ARM = 0x01c0,
/// <summary>ARM Thumb/Thumb-2 Little-Endian</summary>
IMAGE_FILE_MACHINE_THUMB = 0x01c2,
/// <summary>ARM Thumb-2 Little-Endian</summary>
IMAGE_FILE_MACHINE_ARMNT = 0x01c4,
/// <summary/>
IMAGE_FILE_MACHINE_AM33 = 0x01d3,
/// <summary>IBM PowerPC Little-Endian</summary>
IMAGE_FILE_MACHINE_POWERPC = 0x01F0,
/// <summary/>
IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1,
/// <summary>Intel 64</summary>
IMAGE_FILE_MACHINE_IA64 = 0x0200,
/// <summary>MIPS</summary>
IMAGE_FILE_MACHINE_MIPS16 = 0x0266,
/// <summary>ALPHA64</summary>
IMAGE_FILE_MACHINE_ALPHA64 = 0x0284,
/// <summary>MIPS</summary>
IMAGE_FILE_MACHINE_MIPSFPU = 0x0366,
/// <summary>MIPS</summary>
IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466,
/// <summary>Infineon</summary>
IMAGE_FILE_MACHINE_TRICORE = 0x0520,
/// <summary/>
IMAGE_FILE_MACHINE_CEF = 0x0CEF,
/// <summary>EFI Byte Code</summary>
IMAGE_FILE_MACHINE_EBC = 0x0EBC,
/// <summary>AMD64 (K8)</summary>
IMAGE_FILE_MACHINE_AMD64 = 0x8664,
/// <summary>M32R little-endian</summary>
IMAGE_FILE_MACHINE_M32R = 0x9041,
/// <summary>ARM64 Little-Endian</summary>
IMAGE_FILE_MACHINE_ARM64 = 0xAA64,
/// <summary/>
IMAGE_FILE_MACHINE_CEE = 0xC0EE,
}
/// <summary>The state of the image file.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_OPTIONAL_MAGIC : ushort
{
/// <summary>The file is an executable image.</summary>
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
/// <summary>The file is an executable image.</summary>
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b,
/// <summary>The file is a ROM image.</summary>
IMAGE_ROM_OPTIONAL_HDR_MAGIC = 0x107,
}
/// <summary>The characteristics of the image.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_SECTION_HEADER")]
[Flags]
public enum IMAGE_SCN : uint
{
/// <summary>The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES.</summary>
IMAGE_SCN_TYPE_NO_PAD = 0x00000008,
/// <summary>The section contains executable code.</summary>
IMAGE_SCN_CNT_CODE = 0x00000020,
/// <summary>The section contains initialized data.</summary>
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040,
/// <summary>The section contains uninitialized data.</summary>
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080,
/// <summary>Reserved.</summary>
IMAGE_SCN_LNK_OTHER = 0x00000100,
/// <summary>The section contains comments or other information. This is valid only for object files.</summary>
IMAGE_SCN_LNK_INFO = 0x00000200,
/// <summary>The section will not become part of the image. This is valid only for object files.</summary>
IMAGE_SCN_LNK_REMOVE = 0x00000800,
/// <summary>The section contains COMDAT data. This is valid only for object files.</summary>
IMAGE_SCN_LNK_COMDAT = 0x00001000,
/// <summary>Reset speculative exceptions handling bits in the TLB entries for this section.</summary>
IMAGE_SCN_NO_DEFER_SPEC_EXC = 0x00004000,
/// <summary>The section contains data referenced through the global pointer.</summary>
IMAGE_SCN_GPREL = 0x00008000,
/// <summary>Reserved.</summary>
IMAGE_SCN_MEM_PURGEABLE = 0x00020000,
/// <summary>Reserved.</summary>
IMAGE_SCN_MEM_LOCKED = 0x00040000,
/// <summary>Reserved.</summary>
IMAGE_SCN_MEM_PRELOAD = 0x00080000,
/// <summary>Align data on a 1-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_1BYTES = 0x00100000,
/// <summary>Align data on a 2-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_2BYTES = 0x00200000,
/// <summary>Align data on a 4-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_4BYTES = 0x00300000,
/// <summary>Align data on a 8-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_8BYTES = 0x00400000,
/// <summary>Align data on a 16-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_16BYTES = 0x00500000,
/// <summary>Align data on a 32-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_32BYTES = 0x00600000,
/// <summary>Align data on a 64-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_64BYTES = 0x00700000,
/// <summary>Align data on a 128-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_128BYTES = 0x00800000,
/// <summary>Align data on a 256-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_256BYTES = 0x00900000,
/// <summary>Align data on a 512-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_512BYTES = 0x00A00000,
/// <summary>Align data on a 1024-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_1024BYTES = 0x00B00000,
/// <summary>Align data on a 2048-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_2048BYTES = 0x00C00000,
/// <summary>Align data on a 4096-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_4096BYTES = 0x00D00000,
/// <summary>Align data on a 8192-byte boundary. This is valid only for object files.</summary>
IMAGE_SCN_ALIGN_8192BYTES = 0x00E00000,
/// <summary>
/// The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for
/// it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is
/// stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are
/// fewer than 0xffff relocations in the section.
/// </summary>
IMAGE_SCN_LNK_NRELOC_OVFL = 0x01000000,
/// <summary>The section can be discarded as needed.</summary>
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000,
/// <summary>The section cannot be cached.</summary>
IMAGE_SCN_MEM_NOT_CACHED = 0x04000000,
/// <summary>The section cannot be paged.</summary>
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000,
/// <summary>The section can be shared in memory.</summary>
IMAGE_SCN_MEM_SHARED = 0x10000000,
/// <summary>The section can be executed as code.</summary>
IMAGE_SCN_MEM_EXECUTE = 0x20000000,
/// <summary>The section can be read.</summary>
IMAGE_SCN_MEM_READ = 0x40000000,
/// <summary>The section can be written to.</summary>
IMAGE_SCN_MEM_WRITE = 0x80000000,
}
/// <summary>The subsystem required to run this image.</summary>
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
public enum IMAGE_SUBSYSTEM : ushort
{
/// <summary>Unknown subsystem.</summary>
IMAGE_SUBSYSTEM_UNKNOWN = 0,
/// <summary>No subsystem required (device drivers and native system processes).</summary>
IMAGE_SUBSYSTEM_NATIVE = 1,
/// <summary>Windows graphical user interface (GUI) subsystem.</summary>
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
/// <summary>Windows character-mode user interface (CUI) subsystem.</summary>
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
/// <summary>OS/2 CUI subsystem.</summary>
IMAGE_SUBSYSTEM_OS2_CUI = 5,
/// <summary>POSIX CUI subsystem.</summary>
IMAGE_SUBSYSTEM_POSIX_CUI = 7,
/// <summary>Windows CE system.</summary>
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
/// <summary>Extensible Firmware Interface (EFI) application.</summary>
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
/// <summary>EFI driver with boot services.</summary>
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
/// <summary>EFI driver with run-time services.</summary>
IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
/// <summary>EFI ROM image.</summary>
IMAGE_SUBSYSTEM_EFI_ROM = 13,
/// <summary>Xbox system.</summary>
IMAGE_SUBSYSTEM_XBOX = 14,
/// <summary>Boot application.</summary>
IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16,
}
/// <summary>Represents the COFF symbols header.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_coff_symbols_header typedef struct
// _IMAGE_COFF_SYMBOLS_HEADER { DWORD NumberOfSymbols; DWORD LvaToFirstSymbol; DWORD NumberOfLinenumbers; DWORD
// LvaToFirstLinenumber; DWORD RvaToFirstByteOfCode; DWORD RvaToLastByteOfCode; DWORD RvaToFirstByteOfData; DWORD
// RvaToLastByteOfData; } IMAGE_COFF_SYMBOLS_HEADER, *PIMAGE_COFF_SYMBOLS_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_COFF_SYMBOLS_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_COFF_SYMBOLS_HEADER
{
/// <summary>The number of symbols.</summary>
public uint NumberOfSymbols;
/// <summary>The virtual address of the first symbol.</summary>
public uint LvaToFirstSymbol;
/// <summary>The number of line-number entries.</summary>
public uint NumberOfLinenumbers;
/// <summary>The virtual address of the first line-number entry.</summary>
public uint LvaToFirstLinenumber;
/// <summary>The relative virtual address of the first byte of code.</summary>
public uint RvaToFirstByteOfCode;
/// <summary>The relative virtual address of the last byte of code.</summary>
public uint RvaToLastByteOfCode;
/// <summary>The relative virtual address of the first byte of data.</summary>
public uint RvaToFirstByteOfData;
/// <summary>The relative virtual address of the last byte of data.</summary>
public uint RvaToLastByteOfData;
}
/// <summary>Represents the data directory.</summary>
/// <remarks>
/// <para>The following is a list of the data directories. Offsets are relative to the beginning of the optional header.</para>
/// <list type="table">
/// <listheader>
/// <term>Offset (PE/PE32+)</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>96/112</term>
/// <term>Export table address and size</term>
/// </item>
/// <item>
/// <term>104/120</term>
/// <term>Import table address and size</term>
/// </item>
/// <item>
/// <term>112/128</term>
/// <term>Resource table address and size</term>
/// </item>
/// <item>
/// <term>120/136</term>
/// <term>Exception table address and size</term>
/// </item>
/// <item>
/// <term>128/144</term>
/// <term>Certificate table address and size</term>
/// </item>
/// <item>
/// <term>136/152</term>
/// <term>Base relocation table address and size</term>
/// </item>
/// <item>
/// <term>144/160</term>
/// <term>Debugging information starting address and size</term>
/// </item>
/// <item>
/// <term>152/168</term>
/// <term>Architecture-specific data address and size</term>
/// </item>
/// <item>
/// <term>160/176</term>
/// <term>Global pointer register relative virtual address</term>
/// </item>
/// <item>
/// <term>168/184</term>
/// <term>Thread local storage (TLS) table address and size</term>
/// </item>
/// <item>
/// <term>176/192</term>
/// <term>Load configuration table address and size</term>
/// </item>
/// <item>
/// <term>184/200</term>
/// <term>Bound import table address and size</term>
/// </item>
/// <item>
/// <term>192/208</term>
/// <term>Import address table address and size</term>
/// </item>
/// <item>
/// <term>200/216</term>
/// <term>Delay import descriptor address and size</term>
/// </item>
/// <item>
/// <term>208/224</term>
/// <term>The CLR header address and size</term>
/// </item>
/// <item>
/// <term>216/232</term>
/// <term>Reserved</term>
/// </item>
/// </list>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_data_directory typedef struct _IMAGE_DATA_DIRECTORY {
// DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DATA_DIRECTORY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
/// <summary>The relative virtual address of the table.</summary>
public uint VirtualAddress;
/// <summary>The size of the table, in bytes.</summary>
public uint Size;
}
/// <summary>Represents the debug directory format.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_debug_directory typedef struct _IMAGE_DEBUG_DIRECTORY {
// DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Type; DWORD SizeOfData; DWORD
// AddressOfRawData; DWORD PointerToRawData; } IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_DEBUG_DIRECTORY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DEBUG_DIRECTORY
{
/// <summary>Reserved.</summary>
public uint Characteristics;
/// <summary>The ime and date the debugging information was created.</summary>
public uint TimeDateStamp;
/// <summary>The major version number of the debugging information format.</summary>
public ushort MajorVersion;
/// <summary>The minor version number of the debugging information format.</summary>
public ushort MinorVersion;
/// <summary>
/// <para>The format of the debugging information. This member can be one of the following values.</para>
/// <list type="table">
/// <listheader>
/// <term>Constant</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_UNKNOWN 0</term>
/// <term>Unknown value, ignored by all tools.</term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_COFF 1</term>
/// <term>
/// COFF debugging information (line numbers, symbol table, and string table). This type of debugging information is also
/// pointed to by fields in the file headers.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_CODEVIEW 2</term>
/// <term>CodeView debugging information. The format of the data block is described by the CodeView 4.0 specification.</term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_FPO 3</term>
/// <term>
/// Frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames,
/// which use the EBP register for a purpose other than as a frame pointer.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_MISC 4</term>
/// <term>Miscellaneous information.</term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_EXCEPTION 5</term>
/// <term>Exception information.</term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_FIXUP 6</term>
/// <term>Fixup information.</term>
/// </item>
/// <item>
/// <term>IMAGE_DEBUG_TYPE_BORLAND 9</term>
/// <term>Borland debugging information.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_DEBUG_TYPE Type;
/// <summary>The size of the debugging information, in bytes. This value does not include the debug directory itself.</summary>
public uint SizeOfData;
/// <summary>The address of the debugging information when the image is loaded, relative to the image base.</summary>
public uint AddressOfRawData;
/// <summary>A file pointer to the debugging information.</summary>
public uint PointerToRawData;
}
/// <summary>Undocumented.</summary>
[PInvokeData("winnt.h")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_EXPORT_DIRECTORY
{
#pragma warning disable CS1591 // Missing XML comment for publicly visible type or member
public uint Characteristics;
public uint TimeDateStamp;
public ushort MajorVersion;
public ushort MinorVersion;
public uint Name;
public uint Base;
public uint NumberOfFunctions;
public uint NumberOfNames;
public uint AddressOfFunctions; // RVA from base of image
public uint AddressOfNames; // RVA from base of image
public uint AddressOfNameOrdinals; // RVA from base of image
#pragma warning restore CS1591 // Missing XML comment for publicly visible type or member
}
/// <summary>Represents the COFF header format.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header typedef struct _IMAGE_FILE_HEADER { WORD
// Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD
// SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FILE_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER
{
/// <summary>
/// <para>
/// The architecture type of the computer. An image file can only be run on the specified computer or a system that emulates the
/// specified computer. This member can be one of the following values.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_FILE_MACHINE_I386 0x014c</term>
/// <term>x86</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_MACHINE_IA64 0x0200</term>
/// <term>Intel Itanium</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_MACHINE_AMD64 0x8664</term>
/// <term>x64</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_FILE_MACHINE Machine;
/// <summary>
/// The number of sections. This indicates the size of the section table, which immediately follows the headers. Note that the
/// Windows loader limits the number of sections to 96.
/// </summary>
public ushort NumberOfSections;
/// <summary>
/// The low 32 bits of the time stamp of the image. This represents the date and time the image was created by the linker. The
/// value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated
/// Time, according to the system clock.
/// </summary>
public uint TimeDateStamp;
/// <summary>The offset of the symbol table, in bytes, or zero if no COFF symbol table exists.</summary>
public uint PointerToSymbolTable;
/// <summary>The number of symbols in the symbol table.</summary>
public uint NumberOfSymbols;
/// <summary>The size of the optional header, in bytes. This value should be 0 for object files.</summary>
public ushort SizeOfOptionalHeader;
/// <summary>
/// <para>The characteristics of the image. This member can be one or more of the following values.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_FILE_RELOCS_STRIPPED 0x0001</term>
/// <term>
/// Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base
/// address is not available, the loader reports an error.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_EXECUTABLE_IMAGE 0x0002</term>
/// <term>The file is executable (there are no unresolved external references).</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004</term>
/// <term>COFF line numbers were stripped from the file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008</term>
/// <term>COFF symbol table entries were stripped from file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010</term>
/// <term>Aggressively trim the working set. This value is obsolete.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020</term>
/// <term>The application can handle addresses larger than 2 GB.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_BYTES_REVERSED_LO 0x0080</term>
/// <term>The bytes of the word are reversed. This flag is obsolete.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_32BIT_MACHINE 0x0100</term>
/// <term>The computer supports 32-bit words.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_DEBUG_STRIPPED 0x0200</term>
/// <term>Debugging information was removed and stored separately in another file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400</term>
/// <term>If the image is on removable media, copy it to and run it from the swap file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800</term>
/// <term>If the image is on the network, copy it to and run it from the swap file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_SYSTEM 0x1000</term>
/// <term>The image is a system file.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_DLL 0x2000</term>
/// <term>The image is a DLL file. While it is an executable file, it cannot be run directly.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_UP_SYSTEM_ONLY 0x4000</term>
/// <term>The file should be run only on a uniprocessor computer.</term>
/// </item>
/// <item>
/// <term>IMAGE_FILE_BYTES_REVERSED_HI 0x8000</term>
/// <term>The bytes of the word are reversed. This flag is obsolete.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_FILE Characteristics;
}
/// <summary>Represents an entry in the function table.</summary>
/// <remarks>
/// <para>The following definition exists for 64-bit support.</para>
/// <para>
/// <code>typedef struct _IMAGE_FUNCTION_ENTRY64 { ULONGLONG StartingAddress; ULONGLONG EndingAddress; union { ULONGLONG EndOfPrologue; ULONGLONG UnwindInfoAddress; }; } IMAGE_FUNCTION_ENTRY64, *PIMAGE_FUNCTION_ENTRY64;</code>
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_function_entry typedef struct _IMAGE_FUNCTION_ENTRY {
// DWORD StartingAddress; DWORD EndingAddress; DWORD EndOfPrologue; } IMAGE_FUNCTION_ENTRY, *PIMAGE_FUNCTION_ENTRY;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_FUNCTION_ENTRY")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FUNCTION_ENTRY
{
/// <summary>The image address of the start of the function.</summary>
public uint StartingAddress;
/// <summary>The image address of the end of the function.</summary>
public uint EndingAddress;
/// <summary>The image address of the end of the prologue code.</summary>
public uint EndOfPrologue;
}
/// <summary>Undocumented.</summary>
[PInvokeData("winnt.h")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_LOAD_CONFIG_CODE_INTEGRITY
{
/// <summary>Flags to indicate if CI information is available, etc.</summary>
public ushort Flags;
/// <summary>0xFFFF means not available</summary>
public ushort Catalog;
/// <summary/>
public uint CatalogOffset;
/// <summary>Additional bitmask to be defined later</summary>
public uint Reserved;
}
/// <summary>Contains the load configuration data of an image.</summary>
/// <remarks>
/// <para>
/// If <c>_WIN64</c> is defined, then <c>IMAGE_LOAD_CONFIG_DIRECTORY</c> is defined as <c>IMAGE_LOAD_CONFIG_DIRECTORY64</c>.
/// However, if <c>_WIN64</c> is not defined, then <c>IMAGE_LOAD_CONFIG_DIRECTORY</c> is defined as <c>IMAGE_LOAD_CONFIG_DIRECTORY32</c>.
/// </para>
/// <para>
/// <code>typedef struct { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear; DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold; DWORD LockPrefixTable; // VA DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD ProcessAffinityMask; WORD CSDVersion; WORD Reserved1; DWORD EditList; // VA DWORD SecurityCookie; // VA DWORD SEHandlerTable; // VA DWORD SEHandlerCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;</code>
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_load_config_directory32 typedef struct
// _IMAGE_LOAD_CONFIG_DIRECTORY32 { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear;
// DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold;
// DWORD LockPrefixTable; DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD
// ProcessAffinityMask; WORD CSDVersion; WORD DependentLoadFlags; DWORD EditList; DWORD SecurityCookie; DWORD SEHandlerTable; DWORD
// SEHandlerCount; DWORD GuardCFCheckFunctionPointer; DWORD GuardCFDispatchFunctionPointer; DWORD GuardCFFunctionTable; DWORD
// GuardCFFunctionCount; DWORD GuardFlags; IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; DWORD GuardAddressTakenIatEntryTable;
// DWORD GuardAddressTakenIatEntryCount; DWORD GuardLongJumpTargetTable; DWORD GuardLongJumpTargetCount; DWORD
// DynamicValueRelocTable; DWORD CHPEMetadataPointer; DWORD GuardRFFailureRoutine; DWORD GuardRFFailureRoutineFunctionPointer; DWORD
// DynamicValueRelocTableOffset; WORD DynamicValueRelocTableSection; WORD Reserved2; DWORD GuardRFVerifyStackPointerFunctionPointer;
// DWORD HotPatchTableOffset; DWORD Reserved3; DWORD EnclaveConfigurationPointer; DWORD VolatileMetadataPointer; DWORD
// GuardEHContinuationTable; DWORD GuardEHContinuationCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_LOAD_CONFIG_DIRECTORY32")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct IMAGE_LOAD_CONFIG_DIRECTORY32
{
/// <summary>The size of the structure. For Windows XP, the size must be specified as 64 for x86 images.</summary>
public uint Size;
/// <summary>
/// The date and time stamp value. The value is represented in the number of seconds elapsed since midnight (00:00:00), January
/// 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed using the C run-time (CRT)
/// function <c>ctime</c>.
/// </summary>
public uint TimeDateStamp;
/// <summary>The major version number.</summary>
public ushort MajorVersion;
/// <summary>The minor version number.</summary>
public ushort MinorVersion;
/// <summary>The global flags that control system behavior. For more information, see Gflags.exe.</summary>
public uint GlobalFlagsClear;
/// <summary>The global flags that control system behavior. For more information, see Gflags.exe.</summary>
public uint GlobalFlagsSet;
/// <summary>The critical section default time-out value.</summary>
public uint CriticalSectionDefaultTimeout;
/// <summary>
/// The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.
/// </summary>
public uint DeCommitFreeBlockThreshold;
/// <summary>
/// The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes.
/// This value is advisory.
/// </summary>
public uint DeCommitTotalFreeThreshold;
/// <summary>
/// The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This
/// member is available only for x86.
/// </summary>
public uint LockPrefixTable;
/// <summary>The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.</summary>
public uint MaximumAllocationSize;
/// <summary>The maximum block size that can be allocated from heap segments, in bytes.</summary>
public uint VirtualMemoryThreshold;
/// <summary>The process heap flags. For more information, see HeapCreate.</summary>
public uint ProcessHeapFlags;
/// <summary>
/// The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.
/// </summary>
public uint ProcessAffinityMask;
/// <summary>The service pack version.</summary>
public ushort CSDVersion;
/// <summary/>
public ushort DependentLoadFlags;
/// <summary>Reserved for use by the system.</summary>
public uint EditList;
/// <summary>A pointer to a cookie that is used by Visual C++ or GS implementation.</summary>
public uint SecurityCookie;
/// <summary>
/// The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.
/// </summary>
public uint SEHandlerTable;
/// <summary>The count of unique handlers in the table. This member is available only for x86.</summary>
public uint SEHandlerCount;
/// <summary/>
public uint GuardCFCheckFunctionPointer;
/// <summary/>
public uint GuardCFDispatchFunctionPointer;
/// <summary/>
public uint GuardCFFunctionTable;
/// <summary/>
public uint GuardCFFunctionCount;
/// <summary/>
public uint GuardFlags;
/// <summary/>
public IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
/// <summary/>
public uint GuardAddressTakenIatEntryTable;
/// <summary/>
public uint GuardAddressTakenIatEntryCount;
/// <summary/>
public uint GuardLongJumpTargetTable;
/// <summary/>
public uint GuardLongJumpTargetCount;
/// <summary/>
public uint DynamicValueRelocTable;
/// <summary/>
public uint CHPEMetadataPointer;
/// <summary/>
public uint GuardRFFailureRoutine;
/// <summary/>
public uint GuardRFFailureRoutineFunctionPointer;
/// <summary/>
public uint DynamicValueRelocTableOffset;
/// <summary/>
public ushort DynamicValueRelocTableSection;
/// <summary/>
public ushort Reserved2;
/// <summary/>
public uint GuardRFVerifyStackPointerFunctionPointer;
/// <summary/>
public uint HotPatchTableOffset;
/// <summary/>
public uint Reserved3;
/// <summary/>
public uint EnclaveConfigurationPointer;
/// <summary/>
public uint VolatileMetadataPointer;
/// <summary/>
public uint GuardEHContinuationTable;
/// <summary/>
public uint GuardEHContinuationCount;
}
/// <summary>Contains the load configuration data of an image.</summary>
/// <remarks>
/// <para>
/// If <c>_WIN64</c> is defined, then <c>IMAGE_LOAD_CONFIG_DIRECTORY</c> is defined as <c>IMAGE_LOAD_CONFIG_DIRECTORY64</c>.
/// However, if <c>_WIN64</c> is not defined, then <c>IMAGE_LOAD_CONFIG_DIRECTORY</c> is defined as <c>IMAGE_LOAD_CONFIG_DIRECTORY32</c>.
/// </para>
/// <para>
/// <code>typedef struct { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear; DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; DWORD DeCommitFreeBlockThreshold; DWORD DeCommitTotalFreeThreshold; DWORD LockPrefixTable; // VA DWORD MaximumAllocationSize; DWORD VirtualMemoryThreshold; DWORD ProcessHeapFlags; DWORD ProcessAffinityMask; WORD CSDVersion; WORD Reserved1; DWORD EditList; // VA DWORD SecurityCookie; // VA DWORD SEHandlerTable; // VA DWORD SEHandlerCount; } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;</code>
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_load_config_directory64 typedef struct
// _IMAGE_LOAD_CONFIG_DIRECTORY64 { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD GlobalFlagsClear;
// DWORD GlobalFlagsSet; DWORD CriticalSectionDefaultTimeout; ULONGLONG DeCommitFreeBlockThreshold; ULONGLONG
// DeCommitTotalFreeThreshold; ULONGLONG LockPrefixTable; ULONGLONG MaximumAllocationSize; ULONGLONG VirtualMemoryThreshold;
// ULONGLONG ProcessAffinityMask; DWORD ProcessHeapFlags; WORD CSDVersion; WORD DependentLoadFlags; ULONGLONG EditList; ULONGLONG
// SecurityCookie; ULONGLONG SEHandlerTable; ULONGLONG SEHandlerCount; ULONGLONG GuardCFCheckFunctionPointer; ULONGLONG
// GuardCFDispatchFunctionPointer; ULONGLONG GuardCFFunctionTable; ULONGLONG GuardCFFunctionCount; DWORD GuardFlags;
// IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; ULONGLONG GuardAddressTakenIatEntryTable; ULONGLONG
// GuardAddressTakenIatEntryCount; ULONGLONG GuardLongJumpTargetTable; ULONGLONG GuardLongJumpTargetCount; ULONGLONG
// DynamicValueRelocTable; ULONGLONG CHPEMetadataPointer; ULONGLONG GuardRFFailureRoutine; ULONGLONG
// GuardRFFailureRoutineFunctionPointer; DWORD DynamicValueRelocTableOffset; WORD DynamicValueRelocTableSection; WORD Reserved2;
// ULONGLONG GuardRFVerifyStackPointerFunctionPointer; DWORD HotPatchTableOffset; DWORD Reserved3; ULONGLONG
// EnclaveConfigurationPointer; ULONGLONG VolatileMetadataPointer; ULONGLONG GuardEHContinuationTable; ULONGLONG
// GuardEHContinuationCount; } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_LOAD_CONFIG_DIRECTORY64")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct IMAGE_LOAD_CONFIG_DIRECTORY64
{
/// <summary>The size of the structure. For Windows XP, the size must be specified as 64 for x86 images.</summary>
public uint Size;
/// <summary>
/// The date and time stamp value. The value is represented in the number of seconds elapsed since midnight (00:00:00), January
/// 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed using the C run-time (CRT)
/// function <c>ctime</c>.
/// </summary>
public uint TimeDateStamp;
/// <summary>The major version number.</summary>
public ushort MajorVersion;
/// <summary>The minor version number.</summary>
public ushort MinorVersion;
/// <summary>The global flags that control system behavior. For more information, see Gflags.exe.</summary>
public uint GlobalFlagsClear;
/// <summary>The global flags that control system behavior. For more information, see Gflags.exe.</summary>
public uint GlobalFlagsSet;
/// <summary>The critical section default time-out value.</summary>
public uint CriticalSectionDefaultTimeout;
/// <summary>
/// The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.
/// </summary>
public ulong DeCommitFreeBlockThreshold;
/// <summary>
/// The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes.
/// This value is advisory.
/// </summary>
public ulong DeCommitTotalFreeThreshold;
/// <summary>
/// The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This
/// member is available only for x86.
/// </summary>
public ulong LockPrefixTable;
/// <summary>The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.</summary>
public ulong MaximumAllocationSize;
/// <summary>The maximum block size that can be allocated from heap segments, in bytes.</summary>
public ulong VirtualMemoryThreshold;
/// <summary>
/// The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.
/// </summary>
public ulong ProcessAffinityMask;
/// <summary>The process heap flags. For more information, see HeapCreate.</summary>
public uint ProcessHeapFlags;
/// <summary>The service pack version.</summary>
public ushort CSDVersion;
/// <summary/>
public ushort DependentLoadFlags;
/// <summary>Reserved for use by the system.</summary>
public ulong EditList;
/// <summary>A pointer to a cookie that is used by Visual C++ or GS implementation.</summary>
public ulong SecurityCookie;
/// <summary>
/// The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.
/// </summary>
public ulong SEHandlerTable;
/// <summary>The count of unique handlers in the table. This member is available only for x86.</summary>
public ulong SEHandlerCount;
/// <summary/>
public ulong GuardCFCheckFunctionPointer;
/// <summary/>
public ulong GuardCFDispatchFunctionPointer;
/// <summary/>
public ulong GuardCFFunctionTable;
/// <summary/>
public ulong GuardCFFunctionCount;
/// <summary/>
public uint GuardFlags;
/// <summary/>
public IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity;
/// <summary/>
public ulong GuardAddressTakenIatEntryTable;
/// <summary/>
public ulong GuardAddressTakenIatEntryCount;
/// <summary/>
public ulong GuardLongJumpTargetTable;
/// <summary/>
public ulong GuardLongJumpTargetCount;
/// <summary/>
public ulong DynamicValueRelocTable;
/// <summary/>
public ulong CHPEMetadataPointer;
/// <summary/>
public ulong GuardRFFailureRoutine;
/// <summary/>
public ulong GuardRFFailureRoutineFunctionPointer;
/// <summary/>
public uint DynamicValueRelocTableOffset;
/// <summary/>
public ushort DynamicValueRelocTableSection;
/// <summary/>
public ushort Reserved2;
/// <summary/>
public ulong GuardRFVerifyStackPointerFunctionPointer;
/// <summary/>
public uint HotPatchTableOffset;
/// <summary/>
public uint Reserved3;
/// <summary/>
public ulong EnclaveConfigurationPointer;
/// <summary/>
public ulong VolatileMetadataPointer;
/// <summary/>
public ulong GuardEHContinuationTable;
/// <summary/>
public ulong GuardEHContinuationCount;
}
/// <summary>Represents the PE header format.</summary>
/// <remarks>
/// <para>
/// The actual structure in WinNT.h is named <c>IMAGE_NT_HEADERS32</c> and <c>IMAGE_NT_HEADERS</c> is defined as
/// <c>IMAGE_NT_HEADERS32</c>. However, if _WIN64 is defined, then <c>IMAGE_NT_HEADERS</c> is defined as <c>IMAGE_NT_HEADERS64</c>.
/// </para>
/// <para>
/// <code>typedef struct _IMAGE_NT_HEADERS64 { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;</code>
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_nt_headers32 typedef struct _IMAGE_NT_HEADERS { DWORD
// Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader; } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_NT_HEADERS")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_NT_HEADERS
{
/// <summary>A 4-byte signature identifying the file as a PE image. The bytes are "PE\0\0".</summary>
public uint Signature;
/// <summary>An IMAGE_FILE_HEADER structure that specifies the file header.</summary>
public IMAGE_FILE_HEADER FileHeader;
/// <summary>An IMAGE_OPTIONAL_HEADER structure that specifies the optional file header.</summary>
public IMAGE_OPTIONAL_HEADER OptionalHeader;
}
/// <summary>Represents the optional header format.</summary>
/// <remarks>
/// <para>The number of directories is not fixed. Check the <c>NumberOfRvaAndSizes</c> member before looking for a specific directory.</para>
/// <para>
/// The actual structure in WinNT.h is named <c>IMAGE_OPTIONAL_HEADER32</c> and <c>IMAGE_OPTIONAL_HEADER</c> is defined as
/// <c>IMAGE_OPTIONAL_HEADER32</c>. However, if <c>_WIN64</c> is defined, then <c>IMAGE_OPTIONAL_HEADER</c> is defined as <c>IMAGE_OPTIONAL_HEADER64</c>.
/// </para>
/// <para>
/// <code>typedef struct _IMAGE_OPTIONAL_HEADER64 { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; ULONGLONG ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; ULONGLONG SizeOfStackReserve; ULONGLONG SizeOfStackCommit; ULONGLONG SizeOfHeapReserve; ULONGLONG SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;</code>
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32 typedef struct _IMAGE_OPTIONAL_HEADER {
// WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD
// SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment;
// DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD
// MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD
// SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD
// SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY
// DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_OPTIONAL_HEADER")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public unsafe struct IMAGE_OPTIONAL_HEADER
{
/// <summary>
/// <para>The state of the image file. This member can be one of the following values.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_NT_OPTIONAL_HDR_MAGIC</term>
/// <term>
/// The file is an executable image. This value is defined as IMAGE_NT_OPTIONAL_HDR32_MAGIC in a 32-bit application and as
/// IMAGE_NT_OPTIONAL_HDR64_MAGIC in a 64-bit application.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b</term>
/// <term>The file is an executable image.</term>
/// </item>
/// <item>
/// <term>IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b</term>
/// <term>The file is an executable image.</term>
/// </item>
/// <item>
/// <term>IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107</term>
/// <term>The file is a ROM image.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_OPTIONAL_MAGIC Magic;
/// <summary>The major version number of the linker.</summary>
public byte MajorLinkerVersion;
/// <summary>The minor version number of the linker.</summary>
public byte MinorLinkerVersion;
/// <summary>The size of the code section, in bytes, or the sum of all such sections if there are multiple code sections.</summary>
public uint SizeOfCode;
/// <summary>
/// The size of the initialized data section, in bytes, or the sum of all such sections if there are multiple initialized data sections.
/// </summary>
public uint SizeOfInitializedData;
/// <summary>
/// The size of the uninitialized data section, in bytes, or the sum of all such sections if there are multiple uninitialized
/// data sections.
/// </summary>
public uint SizeOfUninitializedData;
/// <summary>
/// A pointer to the entry point function, relative to the image base address. For executable files, this is the starting
/// address. For device drivers, this is the address of the initialization function. The entry point function is optional for
/// DLLs. When no entry point is present, this member is zero.
/// </summary>
public uint AddressOfEntryPoint;
/// <summary>A pointer to the beginning of the code section, relative to the image base.</summary>
public uint BaseOfCode;
/// <summary>A pointer to the beginning of the data section, relative to the image base.</summary>
public uint BaseOfData;
/// <summary>
/// The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The
/// default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
/// </summary>
public uint ImageBase;
/// <summary>
/// The alignment of sections loaded in memory, in bytes. This value must be greater than or equal to the <c>FileAlignment</c>
/// member. The default value is the page size for the system.
/// </summary>
public uint SectionAlignment;
/// <summary>
/// The alignment of the raw data of sections in the image file, in bytes. The value should be a power of 2 between 512 and 64K
/// (inclusive). The default is 512. If the <c>SectionAlignment</c> member is less than the system page size, this member must
/// be the same as <c>SectionAlignment</c>.
/// </summary>
public uint FileAlignment;
/// <summary>The major version number of the required operating system.</summary>
public ushort MajorOperatingSystemVersion;
/// <summary>The minor version number of the required operating system.</summary>
public ushort MinorOperatingSystemVersion;
/// <summary>The major version number of the image.</summary>
public ushort MajorImageVersion;
/// <summary>The minor version number of the image.</summary>
public ushort MinorImageVersion;
/// <summary>The major version number of the subsystem.</summary>
public ushort MajorSubsystemVersion;
/// <summary>The minor version number of the subsystem.</summary>
public ushort MinorSubsystemVersion;
/// <summary>This member is reserved and must be 0.</summary>
public uint Win32VersionValue;
/// <summary>The size of the image, in bytes, including all headers. Must be a multiple of <c>SectionAlignment</c>.</summary>
public uint SizeOfImage;
/// <summary>
/// <para>
/// The combined size of the following items, rounded to a multiple of the value specified in the <c>FileAlignment</c> member.
/// </para>
/// <list type="bullet">
/// <item>
/// <term><c>e_lfanew</c> member of <c>IMAGE_DOS_HEADER</c></term>
/// </item>
/// <item>
/// <term>4 byte signature</term>
/// </item>
/// <item>
/// <term>size of IMAGE_FILE_HEADER</term>
/// </item>
/// <item>
/// <term>size of optional header</term>
/// </item>
/// <item>
/// <term>size of all section headers</term>
/// </item>
/// </list>
/// </summary>
public uint SizeOfHeaders;
/// <summary>
/// The image file checksum. The following files are validated at load time: all drivers, any DLL loaded at boot time, and any
/// DLL loaded into a critical system process.
/// </summary>
public uint CheckSum;
/// <summary>
/// <para>The subsystem required to run this image. The following values are defined.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_SUBSYSTEM_UNKNOWN 0</term>
/// <term>Unknown subsystem.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_NATIVE 1</term>
/// <term>No subsystem required (device drivers and native system processes).</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_WINDOWS_GUI 2</term>
/// <term>Windows graphical user interface (GUI) subsystem.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_WINDOWS_CUI 3</term>
/// <term>Windows character-mode user interface (CUI) subsystem.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_OS2_CUI 5</term>
/// <term>OS/2 CUI subsystem.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_POSIX_CUI 7</term>
/// <term>POSIX CUI subsystem.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9</term>
/// <term>Windows CE system.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_EFI_APPLICATION 10</term>
/// <term>Extensible Firmware Interface (EFI) application.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11</term>
/// <term>EFI driver with boot services.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12</term>
/// <term>EFI driver with run-time services.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_EFI_ROM 13</term>
/// <term>EFI ROM image.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_XBOX 14</term>
/// <term>Xbox system.</term>
/// </item>
/// <item>
/// <term>IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16</term>
/// <term>Boot application.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_SUBSYSTEM Subsystem;
/// <summary>
/// <para>The DLL characteristics of the image. The following values are defined.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>0x0001</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x0002</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x0004</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x0008</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040</term>
/// <term>The DLL can be relocated at load time.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080</term>
/// <term>
/// Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the
/// PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the
/// digital signature cannot be verified.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100</term>
/// <term>The image is compatible with data execution prevention (DEP).</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200</term>
/// <term>The image is isolation aware, but should not be isolated.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400</term>
/// <term>The image does not use structured exception handling (SEH). No handlers can be called in this image.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800</term>
/// <term>Do not bind the image.</term>
/// </item>
/// <item>
/// <term>0x1000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000</term>
/// <term>A WDM driver.</term>
/// </item>
/// <item>
/// <term>0x4000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000</term>
/// <term>The image is terminal server aware.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
/// <summary>
/// The number of bytes to reserve for the stack. Only the memory specified by the <c>SizeOfStackCommit</c> member is committed
/// at load time; the rest is made available one page at a time until this reserve size is reached.
/// </summary>
public uint SizeOfStackReserve;
/// <summary>The number of bytes to commit for the stack.</summary>
public uint SizeOfStackCommit;
/// <summary>
/// The number of bytes to reserve for the local heap. Only the memory specified by the <c>SizeOfHeapCommit</c> member is
/// committed at load time; the rest is made available one page at a time until this reserve size is reached.
/// </summary>
public uint SizeOfHeapReserve;
/// <summary>The number of bytes to commit for the local heap.</summary>
public uint SizeOfHeapCommit;
/// <summary>This member is obsolete.</summary>
public uint LoaderFlags;
/// <summary>
/// The number of directory entries in the remainder of the optional header. Each entry describes a location and size.
/// </summary>
public uint NumberOfRvaAndSizes;
//[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16 /*IMAGE_NUMBEROF_DIRECTORY_ENTRIES*/)]
private fixed ulong _DataDirectory[16];
/// <summary>
/// <para>A pointer to the first IMAGE_DATA_DIRECTORY structure in the data directory.</para>
/// <para>The index number of the desired directory entry. This parameter can be one of the following values.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7</term>
/// <term>Architecture-specific data</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_BASERELOC 5</term>
/// <term>Base relocation table</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11</term>
/// <term>Bound import directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14</term>
/// <term>COM descriptor table</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_DEBUG 6</term>
/// <term>Debug directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13</term>
/// <term>Delay import table</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_EXCEPTION 3</term>
/// <term>Exception directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_EXPORT 0</term>
/// <term>Export directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8</term>
/// <term>The relative virtual address of global pointer</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_IAT 12</term>
/// <term>Import address table</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_IMPORT 1</term>
/// <term>Import directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10</term>
/// <term>Load configuration directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_RESOURCE 2</term>
/// <term>Resource directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_SECURITY 4</term>
/// <term>Security directory</term>
/// </item>
/// <item>
/// <term>IMAGE_DIRECTORY_ENTRY_TLS 9</term>
/// <term>Thread local storage directory</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_DATA_DIRECTORY[] DataDirectory
{
get
{
unsafe
{
fixed (void* dd = _DataDirectory)
{
return ((IntPtr)dd).ToArray<IMAGE_DATA_DIRECTORY>(16);
}
}
}
set
{
if (value is null || value.Length != 16)
throw new ArgumentOutOfRangeException(nameof(DataDirectory), "Must be an array with 16 elements.");
unsafe
{
fixed (IMAGE_DATA_DIRECTORY* v = value)
fixed (void* dd = _DataDirectory)
{
((IntPtr)v).CopyTo((IntPtr)dd, sizeof(ulong) * 16);
}
}
}
}
}
/// <summary>Represents the image section header format.</summary>
// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header typedef struct _IMAGE_SECTION_HEADER {
// BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD
// SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD
// NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
[PInvokeData("winnt.h", MSDNShortId = "NS:winnt._IMAGE_SECTION_HEADER")]
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_SECTION_HEADER
{
/// <summary>
/// An 8-byte, null-padded UTF-8 string. There is no terminating null character if the string is exactly eight characters long.
/// For longer names, this member contains a forward slash (/) followed by an ASCII representation of a decimal number that is
/// an offset into the string table. Executable images do not use a string table and do not support section names longer than
/// eight characters.
/// </summary>
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8 /*IMAGE_SIZEOF_SHORT_NAME*/)]
public byte[] Name;
/// <summary/>
public MISC Misc;
/// <summary>
/// The address of the first byte of the section when loaded into memory, relative to the image base. For object files, this is
/// the address of the first byte before relocation is applied.
/// </summary>
public uint VirtualAddress;
/// <summary>
/// The size of the initialized data on disk, in bytes. This value must be a multiple of the <c>FileAlignment</c> member of the
/// IMAGE_OPTIONAL_HEADER structure. If this value is less than the <c>VirtualSize</c> member, the remainder of the section is
/// filled with zeroes. If the section contains only uninitialized data, the member is zero.
/// </summary>
public uint SizeOfRawData;
/// <summary>
/// A file pointer to the first page within the COFF file. This value must be a multiple of the <c>FileAlignment</c> member of
/// the IMAGE_OPTIONAL_HEADER structure. If a section contains only uninitialized data, set this member is zero.
/// </summary>
public uint PointerToRawData;
/// <summary>
/// A file pointer to the beginning of the relocation entries for the section. If there are no relocations, this value is zero.
/// </summary>
public uint PointerToRelocations;
/// <summary>
/// A file pointer to the beginning of the line-number entries for the section. If there are no COFF line numbers, this value is zero.
/// </summary>
public uint PointerToLinenumbers;
/// <summary>The number of relocation entries for the section. This value is zero for executable images.</summary>
public ushort NumberOfRelocations;
/// <summary>The number of line-number entries for the section.</summary>
public ushort NumberOfLinenumbers;
/// <summary>
/// <para>The characteristics of the image. The following values are defined.</para>
/// <list type="table">
/// <listheader>
/// <term>Flag</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>0x00000000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x00000001</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x00000002</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>0x00000004</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_TYPE_NO_PAD 0x00000008</term>
/// <term>The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES.</term>
/// </item>
/// <item>
/// <term>0x00000010</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_CNT_CODE 0x00000020</term>
/// <term>The section contains executable code.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040</term>
/// <term>The section contains initialized data.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080</term>
/// <term>The section contains uninitialized data.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_LNK_OTHER 0x00000100</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_LNK_INFO 0x00000200</term>
/// <term>The section contains comments or other information. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>0x00000400</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_LNK_REMOVE 0x00000800</term>
/// <term>The section will not become part of the image. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_LNK_COMDAT 0x00001000</term>
/// <term>The section contains COMDAT data. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>0x00002000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000</term>
/// <term>Reset speculative exceptions handling bits in the TLB entries for this section.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_GPREL 0x00008000</term>
/// <term>The section contains data referenced through the global pointer.</term>
/// </item>
/// <item>
/// <term>0x00010000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_PURGEABLE 0x00020000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_LOCKED 0x00040000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_PRELOAD 0x00080000</term>
/// <term>Reserved.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_1BYTES 0x00100000</term>
/// <term>Align data on a 1-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_2BYTES 0x00200000</term>
/// <term>Align data on a 2-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_4BYTES 0x00300000</term>
/// <term>Align data on a 4-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_8BYTES 0x00400000</term>
/// <term>Align data on a 8-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_16BYTES 0x00500000</term>
/// <term>Align data on a 16-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_32BYTES 0x00600000</term>
/// <term>Align data on a 32-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_64BYTES 0x00700000</term>
/// <term>Align data on a 64-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_128BYTES 0x00800000</term>
/// <term>Align data on a 128-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_256BYTES 0x00900000</term>
/// <term>Align data on a 256-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_512BYTES 0x00A00000</term>
/// <term>Align data on a 512-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_1024BYTES 0x00B00000</term>
/// <term>Align data on a 1024-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_2048BYTES 0x00C00000</term>
/// <term>Align data on a 2048-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_4096BYTES 0x00D00000</term>
/// <term>Align data on a 4096-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_ALIGN_8192BYTES 0x00E00000</term>
/// <term>Align data on a 8192-byte boundary. This is valid only for object files.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000</term>
/// <term>
/// The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for
/// it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is
/// stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are
/// fewer than 0xffff relocations in the section.
/// </term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_DISCARDABLE 0x02000000</term>
/// <term>The section can be discarded as needed.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_NOT_CACHED 0x04000000</term>
/// <term>The section cannot be cached.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_NOT_PAGED 0x08000000</term>
/// <term>The section cannot be paged.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_SHARED 0x10000000</term>
/// <term>The section can be shared in memory.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_EXECUTE 0x20000000</term>
/// <term>The section can be executed as code.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_READ 0x40000000</term>
/// <term>The section can be read.</term>
/// </item>
/// <item>
/// <term>IMAGE_SCN_MEM_WRITE 0x80000000</term>
/// <term>The section can be written to.</term>
/// </item>
/// </list>
/// </summary>
public IMAGE_SCN Characteristics;
/// <summary/>
[StructLayout(LayoutKind.Explicit)]
public struct MISC
{
/// <summary>The file address.</summary>
[FieldOffset(0)]
public uint PhysicalAddress;
/// <summary>
/// The total size of the section when loaded into memory, in bytes. If this value is greater than the <c>SizeOfRawData</c>
/// member, the section is filled with zeroes. This field is valid only for executable images and should be set to 0 for
/// object files.
/// </summary>
[FieldOffset(0)]
public uint VirtualSize;
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink