/*
* PROJECT: PE Converter for NT PDK v1.196 (September 1991) and PDK October 1991
* LICENSE: GPL-2.0+ (https://spdx.org/licenses/GPL-2.0+)
* PURPOSE: Old PE Format Type definitions used in NT PDK v1.196.
* COPYRIGHT: Copyright 2021-2022 Hermès Bélusca-Maïto
*
* These definitions have been extracted from the
* embedded debug symbols in the \I386\DEBUG\I386KD.EXE
* executable of the NT PDK v1.196 release.
*/
#ifndef _NT196PE_H_
#define _NT196PE_H_
#pragma once
/* The usual IMAGE_DOS_HEADER, but using its "legacy" name */
/*
 * NOTE(review): struct _IMAGE_DOS_HEADER is not defined in this header and
 * nothing is #included here, so the including file has to supply that
 * definition (and the ULONG/USHORT/UCHAR base types used below) itself.
 */
typedef struct _IMAGE_DOS_HEADER _DOS_IMAGE_HEADER, DOS_IMAGE_HEADER, *PDOS_IMAGE_HEADER;
/*
* This structure is the equivalent of the newer
*
* typedef struct _IMAGE_DATA_DIRECTORY
* {
* ULONG VirtualAddress;
* ULONG Size;
* } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
*/
typedef struct _IMAGE_SPECIAL_DIRECTORY
{
/* Positional counterpart of IMAGE_DATA_DIRECTORY::VirtualAddress. */
ULONG RVA;
/*
 * Positional counterpart of IMAGE_DATA_DIRECTORY::Size.
 * NOTE(review): presumably both members are taken straight from the input
 * image; a consumer should range-check RVA and RVA + Size (watching for
 * ULONG wrap-around) against the image bounds before following them.
 * Confirm where the converter performs that check.
 */
ULONG Size;
} IMAGE_SPECIAL_DIRECTORY, *PIMAGE_SPECIAL_DIRECTORY;
/* The old version of IMAGE_NUMBEROF_DIRECTORY_ENTRIES */
/* Dimension of the DataDirectory[] member of IMAGE_HEADER declared later in this file. */
#define IMAGE_NUMBEROF_SPECIAL_DIRECTORY_ENTRIES 7
// #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 9 // <-- for the "old" new PE (see ProcessPEImage()).
/*
* Old NT Subsystems values.
*
* These are the values of the IMAGE_HEADER::SubSystem field,
* that match those mapped from the 'SubSystemType=' option in the
* CSRSS command line (and stored in the CsrSubSystemType variable).
* Compare them with the new IMAGE_SUBSYSTEM_xxx ones.
* Note also that there is no distinction between Windows GUI and CUI.
*/
/*
 * NOTE(review): the set is sparse (3 is unassigned) and IMAGE_HEADER::SubSystem
 * is a USHORT, so code translating these to IMAGE_SUBSYSTEM_xxx should map any
 * unlisted value to "unknown" or reject it, rather than index a table with it.
 */
#define OLD_IMAGE_SUBSYSTEM_UNKNOWN 0
#define OLD_IMAGE_SUBSYSTEM_OS2 1
#define OLD_IMAGE_SUBSYSTEM_WINDOWS 2
// 3 is undefined
#define OLD_IMAGE_SUBSYSTEM_NATIVE 4
#define OLD_IMAGE_SUBSYSTEM_POSIX 5
/*
* This structure is an old version for the combination of
* IMAGE_NT_HEADERS + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER.
*/
typedef struct _IMAGE_HEADER
{
/*
 * One flat header record: fixed-width scalar fields followed by a
 * fixed-length directory array. No packing pragma appears in this file.
 * NOTE(review): if this struct is overlaid on bytes read from an input
 * image, every count, size and RVA below is file-controlled and needs a
 * range check before use. Confirm against the reader code.
 */
ULONG SignatureBytes;
UCHAR Endian;
UCHAR Reserved1;
USHORT CPUType;
USHORT OSType;
/* Holds one of the OLD_IMAGE_SUBSYSTEM_xxx values defined earlier in this file. */
USHORT SubSystem;
USHORT OSMajor;
USHORT OSMinor;
USHORT LinkerMajor;
USHORT LinkerMinor;
USHORT UserMajor;
USHORT UserMinor;
ULONG ModuleFlags;
ULONG Reserved2;
ULONG FileCheckSum;
ULONG EntryPointRVA;
ULONG ImageBase;
ULONG ImageSize;
ULONG HeaderSize;
ULONG FileAlign;
ULONG PageSize;
ULONG TimeStamp;
ULONG StackReserve;
ULONG StackCommit;
ULONG HeapReserve;
ULONG HeapCommit;
/*
 * NOTE(review): presumably the count and location of an array of
 * IMAGE_OBJECT_HEADER entries. Check NumberOfObjects * sizeof(entry)
 * for overflow and against the file size before walking the table.
 */
ULONG NumberOfObjects;
ULONG ObjectTableRVA;
ULONG NumberOfDirectives;
ULONG DirectiveTableRVA;
ULONG Reserved3;
ULONG Reserved4;
ULONG Reserved5;
/*
 * NOTE(review): looks like the number of valid DataDirectory entries.
 * The array holds exactly IMAGE_NUMBEROF_SPECIAL_DIRECTORY_ENTRIES slots,
 * so a larger value must be rejected or clamped before it is used as a
 * loop or index bound.
 */
ULONG NumberOfSpecialRVAs;
IMAGE_SPECIAL_DIRECTORY DataDirectory[IMAGE_NUMBEROF_SPECIAL_DIRECTORY_ENTRIES];
/*
 * Directory slots and the newer IMAGE_DIRECTORY_ENTRY_xxx names they
 * correspond to. Seven entries precede the "****" separator, matching
 * the array dimension above; the two after it presumably exist only in
 * the 9-entry variant mentioned next to the commented-out
 * IMAGE_NUMBEROF_DIRECTORY_ENTRIES define.
 *
 * Export IMAGE_DIRECTORY_ENTRY_EXPORT
 * Import IMAGE_DIRECTORY_ENTRY_IMPORT
 * Resource IMAGE_DIRECTORY_ENTRY_RESOURCE
 * Exception IMAGE_DIRECTORY_ENTRY_EXCEPTION
 * Security IMAGE_DIRECTORY_ENTRY_SECURITY
 * Relocations IMAGE_DIRECTORY_ENTRY_BASERELOC
 * Debug IMAGE_DIRECTORY_ENTRY_DEBUG
 ****
 * ImageDescription IMAGE_DIRECTORY_ENTRY_COPYRIGHT (x86-specific) / IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
 * MachineSpecific IMAGE_DIRECTORY_ENTRY_GLOBALPTR
 */
} IMAGE_HEADER, *PIMAGE_HEADER;
/*
* This structure is an old version
* of the newer IMAGE_SECTION_HEADER.
*/
typedef struct _IMAGE_OBJECT_HEADER
{
/*
 * Six ULONG members and no name field, unlike the newer
 * IMAGE_SECTION_HEADER this is compared to.
 */
ULONG RVA;
ULONG VirtualSize;
/*
 * NOTE(review): presumably the file offset and byte count of the object's
 * raw data. A reader should verify SeekOffset + OnDiskSize does not wrap
 * and stays within the file length before copying. Confirm in the
 * converter.
 */
ULONG SeekOffset;
ULONG OnDiskSize;
ULONG ObjectFlags;
ULONG Reserved;
} IMAGE_OBJECT_HEADER, *PIMAGE_OBJECT_HEADER;
/*
* This structure can be viewed as an old version
* of the newer IMAGE_DEBUG_DIRECTORY.
*/
typedef struct _COFF_DEBUG_DIRECTORY
{
/*
 * Six ULONG members. Compared with the newer IMAGE_DEBUG_DIRECTORY, there
 * is a single VersionStamp and SizeOfData comes before Type, so the two
 * layouts cannot be cast to one another.
 */
ULONG Characteristics;
ULONG VersionStamp;
/*
 * NOTE(review): SizeOfData and PointerToRawData presumably describe a blob
 * inside the file; bounds-check their sum against the file length (and for
 * ULONG wrap-around) before reading the debug data. Confirm in the reader.
 */
ULONG SizeOfData;
ULONG Type;
ULONG AddressOfRawData;
ULONG PointerToRawData;
} COFF_DEBUG_DIRECTORY, *PCOFF_DEBUG_DIRECTORY;
/*
* The usual IMAGE_COFF_SYMBOLS_HEADER, but using its "legacy" name.
* It should be noted that both LvaToFirstSymbol and LvaToFirstLinenumber
* are relative to the beginning of their corresponding info structure.
*/
/*
 * NOTE(review): struct _IMAGE_COFF_SYMBOLS_HEADER is not defined in this
 * header; the including file must provide it. Because the Lva* offsets are
 * relative to the structure itself, a reader should add them to the
 * structure's own position and bounds-check the result before use.
 */
typedef struct _IMAGE_COFF_SYMBOLS_HEADER _COFF_DEBUG_INFO, COFF_DEBUG_INFO, *PCOFF_DEBUG_INFO;
/*
* Supplementary old NT PE/COFF structures extracted from I386KD.EXE
* but not currently used in the converter.
*/
#if 0
/*
 * Old-name COFF file header. Compiled out by the enclosing "#if 0".
 * The member sequence lines up with the current IMAGE_FILE_HEADER
 * (machine, section count, timestamp, symbol table pointer and count,
 * optional-header size, characteristics).
 */
typedef struct _COFF_FILE_HEADER
{
USHORT TargetMachine;
USHORT NumberOfSections;
ULONG TimeDateStamp;
ULONG PointerToSymbolTable;
ULONG NumberOfSymbols;
USHORT SizeOfOptionalHeader;
USHORT Characteristics;
} COFF_FILE_HEADER, *PCOFF_FILE_HEADER;
/*
 * Address/size pair used for the DataDirectory[] entries of
 * COFF_OPTIONAL_HEADER. Same two-ULONG shape as IMAGE_SPECIAL_DIRECTORY.
 */
typedef struct _COFF_DATA_DIRECTORY
{
ULONG VirtualAddress;
ULONG Size;
} COFF_DATA_DIRECTORY, *PCOFF_DATA_DIRECTORY;
/*
 * Old-name COFF optional header. Compiled out by the enclosing "#if 0".
 */
typedef struct _COFF_OPTIONAL_HEADER
{
USHORT TargetVersionStamp;
USHORT LinkerVersionStamp;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONG BaseOfData;
ULONG ImageBase;
ULONG ImageAlignment;
ULONG FileAlignment;
USHORT TargetOperatingSystem;
USHORT TargetSubsystem;
ULONG ImageVersionStamp;
ULONG SizeOfImage;
ULONG SizeOfHeaders;
ULONG SizeOfHeapReserve;
ULONG SizeOfHeapCommit;
ULONG SizeOfStackReserve;
ULONG SizeOfStackCommit;
ULONG ZeroBits;
ULONG CheckSum;
/*
 * NOTE(review): the dimension is a literal 7 here, while IMAGE_HEADER uses
 * IMAGE_NUMBEROF_SPECIAL_DIRECTORY_ENTRIES (also 7). This header has no
 * explicit entry-count member, so any reader must bound its index by the
 * array size itself.
 */
COFF_DATA_DIRECTORY DataDirectory[7];
ULONG AdditionalMachineValues[8];
} COFF_OPTIONAL_HEADER, *PCOFF_OPTIONAL_HEADER;
/*
 * Fallback definition, used only when the including file has not already
 * defined the macro. Sizes COFF_STD_SECTION_HEADER::Name below.
 */
#ifndef IMAGE_SIZEOF_SHORT_NAME
#define IMAGE_SIZEOF_SHORT_NAME 8
#endif
/*
* This structure is almost identical to the newer IMAGE_SECTION_HEADER,
* except that it does not unionize PhysicalAddress with VirtualSize.
*/
typedef struct _COFF_STD_SECTION_HEADER
{
/*
 * Fixed-width name field. A name that fills all IMAGE_SIZEOF_SHORT_NAME
 * bytes leaves no room for a terminator, so do not pass this to
 * strlen/strcpy/"%s" without an explicit length bound.
 */
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
/* Separate members here; the newer header overlays these two in a union. */
ULONG PhysicalAddress;
ULONG VirtualAddress;
/*
 * NOTE(review): the size/pointer/count members below presumably locate data
 * elsewhere in the file; each needs a bounds check against the file length
 * before it is followed.
 */
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
USHORT NumberOfRelocations;
USHORT NumberOfLinenumbers;
ULONG Characteristics;
} COFF_STD_SECTION_HEADER, *PCOFF_STD_SECTION_HEADER;
/* Same definition as IMAGE_SYMBOL */
typedef struct _COFF_SYMBOL_TABLE
{
/* Three overlapping 8-byte views of the symbol name. */
union
{
/* Fixed 8-byte field; not guaranteed to be NUL-terminated when full. */
UCHAR ShortName[8];
struct
{
ULONG Short;
ULONG Long;
} Name;
ULONG LongName[2];
} N;
ULONG Value;
SHORT SectionNumber;
USHORT Type;
UCHAR StorageClass;
UCHAR NumberOfAuxSymbols;
/*
 * NOTE(review): the current IMAGE_SYMBOL has no trailing pad and is 18
 * bytes on disk. With this member the struct is 20 bytes (given 32-bit
 * ULONG). Confirm the real record stride of the old format before using
 * sizeof(COFF_SYMBOL_TABLE) to step through a symbol table.
 */
USHORT Pad;
} COFF_SYMBOL_TABLE, *PCOFF_SYMBOL_TABLE;
/*
 * Line-number record: a 4-byte union followed by a 2-byte line number.
 * NOTE(review): no packing pragma is in effect in this file, so on common
 * ABIs sizeof() is likely rounded up to 8 while the members occupy 6 bytes.
 * If this is ever enabled and overlaid on file data, verify the on-disk
 * stride and add explicit packing as needed.
 */
typedef struct _COFF_LINENUMBER
{
union
{
ULONG SymbolTableIndex;
ULONG VirtualAddress;
} Type;
USHORT Linenumber;
} COFF_LINENUMBER, *PCOFF_LINENUMBER;
/*
* From I386KD and deciphered thanks mainly to
* https://github.com/LuaDist/tcc/blob/master/coff.h
* and to http://osr507doc.sco.com/en/topics/COFF_AuxEntryDecl.html
* This is a slightly older version of the IMAGE_AUX_SYMBOL structure.
*/
/*
 * Auxiliary symbol record: a union of three alternative layouts
 * (x_sym, x_file, x_scn). Nothing in the union itself says which one is
 * valid; presumably the owning symbol's type/storage class decides.
 */
typedef union _COFF_AUX_SYMBOL_TABLE
{
/* Layout for symbol-related auxiliary data. */
struct
{
ULONG TagIndex;
/* Either a line-number/size pair or a function size. */
union
{
struct
{
USHORT Linenumber;
USHORT Size;
} x_lnsz;
ULONG SizeOfFunction;
} x_misc;
/* Either function linkage pointers or array dimensions. */
union
{
// AUX_SYMBOL_F2
struct
{
ULONG PointerToLinenumber;
ULONG PointerToNextFunction;
} x_fcn;
struct
{
/*
 * Macros ignore C scope: DIMNUM stays defined for the rest of the
 * translation unit even though it is introduced inside this struct.
 */
#define DIMNUM 4
USHORT x_dimen[DIMNUM];
}
x_ary;
} x_fcnary;
USHORT x_tvndx;
USHORT Pad;
} x_sym;
/* Layout carrying a file name. */
struct
{
/* Same scope caveat as DIMNUM: FILNMLEN leaks past this union. */
#define FILNMLEN 14
/*
 * Fixed 14-byte field. A name that fills it has no terminator, so bound
 * every read by FILNMLEN rather than treating it as a C string.
 */
CHAR x_fname[FILNMLEN];
} x_file;
/* Layout carrying section length and relocation/line-number counts. */
struct
{
ULONG x_scnlen;
USHORT x_nreloc;
USHORT x_nlinno;
} x_scn;
} COFF_AUX_SYMBOL_TABLE, *PCOFF_AUX_SYMBOL_TABLE;
// typedef IMAGE_AUX_SYMBOL UNALIGNED *PIMAGE_AUX_SYMBOL;
#endif
#endif /* _NT196PE_H_ */