内核重载
ntimage.h
/*++ BUILD Version: 0004 // Increment this if a change has global effects
Copyright (c) Microsoft Corporation. All rights reserved.
You may only use this code if you agree to the terms of the Windows Research Kernel Source Code License agreement (see License.txt).
If you do not agree to the terms, do not use the code.
Module Name:
ntimage.h
Abstract:
This is the include file that describes all image structures.
--*/
#ifndef _NTIMAGE_
#define _NTIMAGE_
#if _MSC_VER > 1000
#pragma once
#endif
//
// Define the linker version number. This is temporary to aid
// in debugging with people trying to load images built with
// an older linker. This is not required in the final product.
//
#define IMAGE_MAJOR_LINKER_VERSION 2
// begin_winnt
//
// Image Format
//
#include "pshpack4.h" // 4 byte packing is the default
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_OS2_SIGNATURE 0x454E // NE
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
#define IMAGE_VXD_SIGNATURE 0x454C // LE
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#include "pshpack2.h" // 16 bit headers are 2 byte packed
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
USHORT e_magic; // Magic number
USHORT e_cblp; // Bytes on last page of file
USHORT e_cp; // Pages in file
USHORT e_crlc; // Relocations
USHORT e_cparhdr; // Size of header in paragraphs
USHORT e_minalloc; // Minimum extra paragraphs needed
USHORT e_maxalloc; // Maximum extra paragraphs needed
USHORT e_ss; // Initial (relative) SS value
USHORT e_sp; // Initial SP value
USHORT e_csum; // Checksum
USHORT e_ip; // Initial IP value
USHORT e_cs; // Initial (relative) CS value
USHORT e_lfarlc; // File address of relocation table
USHORT e_ovno; // Overlay number
USHORT e_res[4]; // Reserved words
USHORT e_oemid; // OEM identifier (for e_oeminfo)
USHORT e_oeminfo; // OEM information; e_oemid specific
USHORT e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
typedef struct _IMAGE_OS2_HEADER { // OS/2 .EXE header
USHORT ne_magic; // Magic number
CHAR ne_ver; // Version number
CHAR ne_rev; // Revision number
USHORT ne_enttab; // Offset of Entry Table
USHORT ne_cbenttab; // Number of bytes in Entry Table
LONG ne_crc; // Checksum of whole file
USHORT ne_flags; // Flag word
USHORT ne_autodata; // Automatic data segment number
USHORT ne_heap; // Initial heap allocation
USHORT ne_stack; // Initial stack allocation
LONG ne_csip; // Initial CS:IP setting
LONG ne_sssp; // Initial SS:SP setting
USHORT ne_cseg; // Count of file segments
USHORT ne_cmod; // Entries in Module Reference Table
USHORT ne_cbnrestab; // Size of non-resident name table
USHORT ne_segtab; // Offset of Segment Table
USHORT ne_rsrctab; // Offset of Resource Table
USHORT ne_restab; // Offset of resident name table
USHORT ne_modtab; // Offset of Module Reference Table
USHORT ne_imptab; // Offset of Imported Names Table
LONG ne_nrestab; // Offset of Non-resident Names Table
USHORT ne_cmovent; // Count of movable entries
USHORT ne_align; // Segment alignment shift count
USHORT ne_cres; // Count of resource segments
UCHAR ne_exetyp; // Target Operating system
UCHAR ne_flagsothers; // Other .EXE flags
USHORT ne_pretthunks; // offset to return thunks
USHORT ne_psegrefbytes; // offset to segment ref. bytes
USHORT ne_swaparea; // Minimum code swap area size
USHORT ne_expver; // Expected Windows version number
} IMAGE_OS2_HEADER, *PIMAGE_OS2_HEADER;
typedef struct _IMAGE_VXD_HEADER { // Windows VXD header
USHORT e32_magic; // Magic number
UCHAR e32_border; // The byte ordering for the VXD
UCHAR e32_worder; // The word ordering for the VXD
ULONG e32_level; // The EXE format level for now = 0
USHORT e32_cpu; // The CPU type
USHORT e32_os; // The OS type
ULONG e32_ver; // Module version
ULONG e32_mflags; // Module flags
ULONG e32_mpages; // Module # pages
ULONG e32_startobj; // Object # for instruction pointer
ULONG e32_eip; // Extended instruction pointer
ULONG e32_stackobj; // Object # for stack pointer
ULONG e32_esp; // Extended stack pointer
ULONG e32_pagesize; // VXD page size
ULONG e32_lastpagesize; // Last page size in VXD
ULONG e32_fixupsize; // Fixup section size
ULONG e32_fixupsum; // Fixup section checksum
ULONG e32_ldrsize; // Loader section size
ULONG e32_ldrsum; // Loader section checksum
ULONG e32_objtab; // Object table offset
ULONG e32_objcnt; // Number of objects in module
ULONG e32_objmap; // Object page map offset
ULONG e32_itermap; // Object iterated data map offset
ULONG e32_rsrctab; // Offset of Resource Table
ULONG e32_rsrccnt; // Number of resource entries
ULONG e32_restab; // Offset of resident name table
ULONG e32_enttab; // Offset of Entry Table
ULONG e32_dirtab; // Offset of Module Directive Table
ULONG e32_dircnt; // Number of module directives
ULONG e32_fpagetab; // Offset of Fixup Page Table
ULONG e32_frectab; // Offset of Fixup Record Table
ULONG e32_impmod; // Offset of Import Module Name Table
ULONG e32_impmodcnt; // Number of entries in Import Module Name Table
ULONG e32_impproc; // Offset of Import Procedure Name Table
ULONG e32_pagesum; // Offset of Per-Page Checksum Table
ULONG e32_datapage; // Offset of Enumerated Data Pages
ULONG e32_preload; // Number of preload pages
ULONG e32_nrestab; // Offset of Non-resident Names Table
ULONG e32_cbnrestab; // Size of Non-resident Name Table
ULONG e32_nressum; // Non-resident Name Table Checksum
ULONG e32_autodata; // Object # for automatic data object
ULONG e32_debuginfo; // Offset of the debugging information
ULONG e32_debuglen; // The length of the debugging info. in bytes
ULONG e32_instpreload; // Number of instance pages in preload section of VXD file
ULONG e32_instdemand; // Number of instance pages in demand load section of VXD file
ULONG e32_heapsize; // Size of heap - for 16-bit apps
UCHAR e32_res3[12]; // Reserved words
ULONG e32_winresoff;
ULONG e32_winreslen;
USHORT e32_devid; // Device ID for VxD
USHORT e32_ddkver; // DDK version for VxD
} IMAGE_VXD_HEADER, *PIMAGE_VXD_HEADER;
#include "poppack.h" // Back to 4 byte packing
//
// File header format.
//
typedef struct _IMAGE_FILE_HEADER {
USHORT Machine;
USHORT NumberOfSections;
ULONG TimeDateStamp;
ULONG PointerToSymbolTable;
ULONG NumberOfSymbols;
USHORT SizeOfOptionalHeader;
USHORT Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
//
// Directory format.
//
typedef struct _IMAGE_DATA_DIRECTORY {
ULONG VirtualAddress;
ULONG Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
//
// Optional header format.
//
typedef struct _IMAGE_OPTIONAL_HEADER {
//
// Standard fields.
//
USHORT Magic;
UCHAR MajorLinkerVersion;
UCHAR MinorLinkerVersion;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONG BaseOfData;
//
// NT additional fields.
//
ULONG ImageBase;
ULONG SectionAlignment;
ULONG FileAlignment;
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
USHORT MajorImageVersion;
USHORT MinorImageVersion;
USHORT MajorSubsystemVersion;
USHORT MinorSubsystemVersion;
ULONG Win32VersionValue;
ULONG SizeOfImage;
ULONG SizeOfHeaders;
ULONG CheckSum;
USHORT Subsystem;
USHORT DllCharacteristics;
ULONG SizeOfStackReserve;
ULONG SizeOfStackCommit;
ULONG SizeOfHeapReserve;
ULONG SizeOfHeapCommit;
ULONG LoaderFlags;
ULONG NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_ROM_OPTIONAL_HEADER {
USHORT Magic;
UCHAR MajorLinkerVersion;
UCHAR MinorLinkerVersion;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONG BaseOfData;
ULONG BaseOfBss;
ULONG GprMask;
ULONG CprMask[4];
ULONG GpValue;
} IMAGE_ROM_OPTIONAL_HEADER, *PIMAGE_ROM_OPTIONAL_HEADER;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
USHORT Magic;
UCHAR MajorLinkerVersion;
UCHAR MinorLinkerVersion;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONGLONG ImageBase;
ULONG SectionAlignment;
ULONG FileAlignment;
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
USHORT MajorImageVersion;
USHORT MinorImageVersion;
USHORT MajorSubsystemVersion;
USHORT MinorSubsystemVersion;
ULONG Win32VersionValue;
ULONG SizeOfImage;
ULONG SizeOfHeaders;
ULONG CheckSum;
USHORT Subsystem;
USHORT DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
ULONG LoaderFlags;
ULONG NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
#define IMAGE_SIZEOF_ROM_OPTIONAL_HEADER 56
#define IMAGE_SIZEOF_STD_OPTIONAL_HEADER 28
#define IMAGE_SIZEOF_NT_OPTIONAL32_HEADER 224
#define IMAGE_SIZEOF_NT_OPTIONAL64_HEADER 240
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
#ifdef _WIN64
typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_SIZEOF_NT_OPTIONAL_HEADER IMAGE_SIZEOF_NT_OPTIONAL64_HEADER
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
#else
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_SIZEOF_NT_OPTIONAL_HEADER IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
#endif
typedef struct _IMAGE_NT_HEADERS64 {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
typedef struct _IMAGE_NT_HEADERS {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_ROM_HEADERS {
IMAGE_FILE_HEADER FileHeader;
IMAGE_ROM_OPTIONAL_HEADER OptionalHeader;
} IMAGE_ROM_HEADERS, *PIMAGE_ROM_HEADERS;
#ifdef _WIN64
typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
#else
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
#endif
// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((ULONG_PTR)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
((PIMAGE_NT_HEADERS)(ntheader))->FileHeader.SizeOfOptionalHeader \
))
// Subsystem Values
#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
// end_winnt
// reserved 4 // Old Windows CE subsystem.
// begin_winnt
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
#define IMAGE_SUBSYSTEM_EFI_ROM 13
#define IMAGE_SUBSYSTEM_XBOX 14
// DllCharacteristics Entries
// IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
// IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
// IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
// IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
// 0x1000 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model
// 0x4000 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
// end_winnt
#define IMAGE_DLLCHARACTERISTICS_X86_THUNK 0x1000 // Image is a Wx86 Thunk DLL
// Note: The Borland linker sets IMAGE_LIBRARY_xxx flags in DllCharacteristics
// LoaderFlags Values
#define IMAGE_LOADER_FLAGS_COMPLUS 0x00000001 // COM+ image
#define IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL 0x01000000 // Global subsections apply across TS sessions.
// begin_winnt
// Directory Entries
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
//
// Non-COFF Object file header
//
typedef struct ANON_OBJECT_HEADER {
USHORT Sig1; // Must be IMAGE_FILE_MACHINE_UNKNOWN
USHORT Sig2; // Must be 0xffff
USHORT Version; // >= 1 (implies the CLSID field is present)
USHORT Machine;
ULONG TimeDateStamp;
CLSID ClassID; // Used to invoke CoCreateInstance
ULONG SizeOfData; // Size of data that follows the header
} ANON_OBJECT_HEADER;
//
// Section header format.
//
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
USHORT NumberOfRelocations;
USHORT NumberOfLinenumbers;
ULONG Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
#define IMAGE_SIZEOF_SECTION_HEADER 40
//
// Section characteristics.
//
// IMAGE_SCN_TYPE_REG 0x00000000 // Reserved.
// IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved.
// IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
// IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
// IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved.
#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
#define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
#define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
// IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved.
#define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
#define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
// 0x00002000 // Reserved.
// IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
#define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA 0x00008000
// IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
#define IMAGE_SCN_MEM_16BIT 0x00020000
#define IMAGE_SCN_MEM_LOCKED 0x00040000
#define IMAGE_SCN_MEM_PRELOAD 0x00080000
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
// Unused 0x00F00000
#define IMAGE_SCN_ALIGN_MASK 0x00F00000
#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
//
// TLS Characteristic Flags
//
#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled
#include "pshpack2.h" // Symbols, relocs, and linenumbers are 2 byte packed
//
// Symbol format.
//
typedef struct _IMAGE_SYMBOL {
union {
UCHAR ShortName[8];
struct {
ULONG Short; // if 0, use LongName
ULONG Long; // offset into string table
} Name;
ULONG LongName[2]; // PUCHAR[2]
} N;
ULONG Value;
SHORT SectionNumber;
USHORT Type;
UCHAR StorageClass;
UCHAR NumberOfAuxSymbols;
} IMAGE_SYMBOL;
typedef IMAGE_SYMBOL UNALIGNED *PIMAGE_SYMBOL;
#define IMAGE_SIZEOF_SYMBOL 18
//
// Section values.
//
// Symbols have a section number of the section in which they are
// defined. Otherwise, section numbers have the following meanings:
//
#define IMAGE_SYM_UNDEFINED (SHORT)0 // Symbol is undefined or is common.
#define IMAGE_SYM_ABSOLUTE (SHORT)-1 // Symbol is an absolute value.
#define IMAGE_SYM_DEBUG (SHORT)-2 // Symbol is a special debug item.
#define IMAGE_SYM_SECTION_MAX 0xFEFF // Values 0xFF00-0xFFFF are special
//
// Type (fundamental) values.
//
#define IMAGE_SYM_TYPE_NULL 0x0000 // no type.
#define IMAGE_SYM_TYPE_VOID 0x0001 //
#define IMAGE_SYM_TYPE_CHAR 0x0002 // type character.
#define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer.
#define IMAGE_SYM_TYPE_INT 0x0004 //
#define IMAGE_SYM_TYPE_LONG 0x0005 //
#define IMAGE_SYM_TYPE_FLOAT 0x0006 //
#define IMAGE_SYM_TYPE_DOUBLE 0x0007 //
#define IMAGE_SYM_TYPE_STRUCT 0x0008 //
#define IMAGE_SYM_TYPE_UNION 0x0009 //
#define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration.
#define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration.
#define IMAGE_SYM_TYPE_UCHAR 0x000C //
#define IMAGE_SYM_TYPE_USHORT 0x000D //
#define IMAGE_SYM_TYPE_UINT 0x000E //
#define IMAGE_SYM_TYPE_ULONG 0x000F //
#define IMAGE_SYM_TYPE_PCODE 0x8000 //
//
// Type (derived) values.
//
#define IMAGE_SYM_DTYPE_NULL 0 // no derived type.
#define IMAGE_SYM_DTYPE_POINTER 1 // pointer.
#define IMAGE_SYM_DTYPE_FUNCTION 2 // function.
#define IMAGE_SYM_DTYPE_ARRAY 3 // array.
//
// Storage classes.
//
#define IMAGE_SYM_CLASS_END_OF_FUNCTION (UCHAR)-1
#define IMAGE_SYM_CLASS_NULL 0x0000
#define IMAGE_SYM_CLASS_AUTOMATIC 0x0001
#define IMAGE_SYM_CLASS_EXTERNAL 0x0002
#define IMAGE_SYM_CLASS_STATIC 0x0003
#define IMAGE_SYM_CLASS_REGISTER 0x0004
#define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005
#define IMAGE_SYM_CLASS_LABEL 0x0006
#define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007
#define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008
#define IMAGE_SYM_CLASS_ARGUMENT 0x0009
#define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A
#define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B
#define IMAGE_SYM_CLASS_UNION_TAG 0x000C
#define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D
#define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E
#define IMAGE_SYM_CLASS_ENUM_TAG 0x000F
#define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010
#define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011
#define IMAGE_SYM_CLASS_BIT_FIELD 0x0012
#define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 //
#define IMAGE_SYM_CLASS_BLOCK 0x0064
#define IMAGE_SYM_CLASS_FUNCTION 0x0065
#define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066
#define IMAGE_SYM_CLASS_FILE 0x0067
// new
#define IMAGE_SYM_CLASS_SECTION 0x0068
#define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069
#define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B
// type packing constants
#define N_BTMASK 0x000F
#define N_TMASK 0x0030
#define N_TMASK1 0x00C0
#define N_TMASK2 0x00F0
#define N_BTSHFT 4
#define N_TSHIFT 2
// MACROS
// Basic Type of x
#define BTYPE(x) ((x) & N_BTMASK)
// Is x a pointer?
#ifndef ISPTR
#define ISPTR(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_POINTER << N_BTSHFT))
#endif
// Is x a function?
#ifndef ISFCN
#define ISFCN(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_FUNCTION << N_BTSHFT))
#endif
// Is x an array?
#ifndef ISARY
#define ISARY(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_ARRAY << N_BTSHFT))
#endif
// Is x a structure, union, or enumeration TAG?
#ifndef ISTAG
#define ISTAG(x) ((x)==IMAGE_SYM_CLASS_STRUCT_TAG || (x)==IMAGE_SYM_CLASS_UNION_TAG || (x)==IMAGE_SYM_CLASS_ENUM_TAG)
#endif
#ifndef INCREF
#define INCREF(x) ((((x)&~N_BTMASK)<>N_TSHIFT)&~N_BTMASK)|((x)&N_BTMASK))
#endif
//
// Auxiliary entry format.
//
typedef union _IMAGE_AUX_SYMBOL {
struct {
ULONG TagIndex; // struct, union, or enum tag index
union {
struct {
USHORT Linenumber; // declaration line number
USHORT Size; // size of struct, union, or enum
} LnSz;
ULONG TotalSize;
} Misc;
union {
struct { // if ISFCN, tag, or .bb
ULONG PointerToLinenumber;
ULONG PointerToNextFunction;
} Function;
struct { // if ISARY, up to 4 dimen.
USHORT Dimension[4];
} Array;
} FcnAry;
USHORT TvIndex; // tv index
} Sym;
struct {
UCHAR Name[IMAGE_SIZEOF_SYMBOL];
} File;
struct {
ULONG Length; // section length
USHORT NumberOfRelocations; // number of relocation entries
USHORT NumberOfLinenumbers; // number of line numbers
ULONG CheckSum; // checksum for communal
SHORT Number; // section number to associate with
UCHAR Selection; // communal selection type
} Section;
} IMAGE_AUX_SYMBOL;
typedef IMAGE_AUX_SYMBOL UNALIGNED *PIMAGE_AUX_SYMBOL;
#define IMAGE_SIZEOF_AUX_SYMBOL 18
typedef enum IMAGE_AUX_SYMBOL_TYPE {
IMAGE_AUX_SYMBOL_TYPE_TOKEN_DEF = 1,
} IMAGE_AUX_SYMBOL_TYPE;
#include
typedef struct IMAGE_AUX_SYMBOL_TOKEN_DEF {
UCHAR bAuxType; // IMAGE_AUX_SYMBOL_TYPE
UCHAR bReserved; // Must be 0
ULONG SymbolTableIndex;
UCHAR rgbReserved[12]; // Must be 0
} IMAGE_AUX_SYMBOL_TOKEN_DEF;
typedef IMAGE_AUX_SYMBOL_TOKEN_DEF UNALIGNED *PIMAGE_AUX_SYMBOL_TOKEN_DEF;
#include
//
// Communal selection types.
//
#define IMAGE_COMDAT_SELECT_NODUPLICATES 1
#define IMAGE_COMDAT_SELECT_ANY 2
#define IMAGE_COMDAT_SELECT_SAME_SIZE 3
#define IMAGE_COMDAT_SELECT_EXACT_MATCH 4
#define IMAGE_COMDAT_SELECT_ASSOCIATIVE 5
#define IMAGE_COMDAT_SELECT_LARGEST 6
#define IMAGE_COMDAT_SELECT_NEWEST 7
#define IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY 1
#define IMAGE_WEAK_EXTERN_SEARCH_LIBRARY 2
#define IMAGE_WEAK_EXTERN_SEARCH_ALIAS 3
//
// Relocation format.
//
typedef struct _IMAGE_RELOCATION {
union {
ULONG VirtualAddress;
ULONG RelocCount; // Set to the real count when IMAGE_SCN_LNK_NRELOC_OVFL is set
};
ULONG SymbolTableIndex;
USHORT Type;
} IMAGE_RELOCATION;
typedef IMAGE_RELOCATION UNALIGNED *PIMAGE_RELOCATION;
#define IMAGE_SIZEOF_RELOCATION 10
//
// I386 relocation types.
//
#define IMAGE_REL_I386_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_I386_DIR16 0x0001 // Direct 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_REL16 0x0002 // PC-relative 16-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32 0x0006 // Direct 32-bit reference to the symbols virtual address
#define IMAGE_REL_I386_DIR32NB 0x0007 // Direct 32-bit reference to the symbols virtual address, base not included
#define IMAGE_REL_I386_SEG12 0x0009 // Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
#define IMAGE_REL_I386_SECTION 0x000A
#define IMAGE_REL_I386_SECREL 0x000B
#define IMAGE_REL_I386_TOKEN 0x000C // clr token
#define IMAGE_REL_I386_SECREL7 0x000D // 7 bit offset from base of section containing target
#define IMAGE_REL_I386_REL32 0x0014 // PC-relative 32-bit reference to the symbols virtual address
//
// MIPS relocation types.
//
#define IMAGE_REL_MIPS_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_MIPS_REFHALF 0x0001
#define IMAGE_REL_MIPS_REFWORD 0x0002
#define IMAGE_REL_MIPS_JMPADDR 0x0003
#define IMAGE_REL_MIPS_REFHI 0x0004
#define IMAGE_REL_MIPS_REFLO 0x0005
#define IMAGE_REL_MIPS_GPREL 0x0006
#define IMAGE_REL_MIPS_LITERAL 0x0007
#define IMAGE_REL_MIPS_SECTION 0x000A
#define IMAGE_REL_MIPS_SECREL 0x000B
#define IMAGE_REL_MIPS_SECRELLO 0x000C // Low 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_MIPS_SECRELHI 0x000D // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_MIPS_TOKEN 0x000E // clr token
#define IMAGE_REL_MIPS_JMPADDR16 0x0010
#define IMAGE_REL_MIPS_REFWORDNB 0x0022
#define IMAGE_REL_MIPS_PAIR 0x0025
//
// Alpha Relocation types.
//
#define IMAGE_REL_ALPHA_ABSOLUTE 0x0000
#define IMAGE_REL_ALPHA_REFLONG 0x0001
#define IMAGE_REL_ALPHA_REFQUAD 0x0002
#define IMAGE_REL_ALPHA_GPREL32 0x0003
#define IMAGE_REL_ALPHA_LITERAL 0x0004
#define IMAGE_REL_ALPHA_LITUSE 0x0005
#define IMAGE_REL_ALPHA_GPDISP 0x0006
#define IMAGE_REL_ALPHA_BRADDR 0x0007
#define IMAGE_REL_ALPHA_HINT 0x0008
#define IMAGE_REL_ALPHA_INLINE_REFLONG 0x0009
#define IMAGE_REL_ALPHA_REFHI 0x000A
#define IMAGE_REL_ALPHA_REFLO 0x000B
#define IMAGE_REL_ALPHA_PAIR 0x000C
#define IMAGE_REL_ALPHA_MATCH 0x000D
#define IMAGE_REL_ALPHA_SECTION 0x000E
#define IMAGE_REL_ALPHA_SECREL 0x000F
#define IMAGE_REL_ALPHA_REFLONGNB 0x0010
#define IMAGE_REL_ALPHA_SECRELLO 0x0011 // Low 16-bit section relative reference
#define IMAGE_REL_ALPHA_SECRELHI 0x0012 // High 16-bit section relative reference
#define IMAGE_REL_ALPHA_REFQ3 0x0013 // High 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ2 0x0014 // Middle 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_REFQ1 0x0015 // Low 16 bits of 48 bit reference
#define IMAGE_REL_ALPHA_GPRELLO 0x0016 // Low 16-bit GP relative reference
#define IMAGE_REL_ALPHA_GPRELHI 0x0017 // High 16-bit GP relative reference
//
// IBM PowerPC relocation types.
//
#define IMAGE_REL_PPC_ABSOLUTE 0x0000 // NOP
#define IMAGE_REL_PPC_ADDR64 0x0001 // 64-bit address
#define IMAGE_REL_PPC_ADDR32 0x0002 // 32-bit address
#define IMAGE_REL_PPC_ADDR24 0x0003 // 26-bit address, shifted left 2 (branch absolute)
#define IMAGE_REL_PPC_ADDR16 0x0004 // 16-bit address
#define IMAGE_REL_PPC_ADDR14 0x0005 // 16-bit address, shifted left 2 (load doubleword)
#define IMAGE_REL_PPC_REL24 0x0006 // 26-bit PC-relative offset, shifted left 2 (branch relative)
#define IMAGE_REL_PPC_REL14 0x0007 // 16-bit PC-relative offset, shifted left 2 (br cond relative)
#define IMAGE_REL_PPC_TOCREL16 0x0008 // 16-bit offset from TOC base
#define IMAGE_REL_PPC_TOCREL14 0x0009 // 16-bit offset from TOC base, shifted left 2 (load doubleword)
#define IMAGE_REL_PPC_ADDR32NB 0x000A // 32-bit addr w/o image base
#define IMAGE_REL_PPC_SECREL 0x000B // va of containing section (as in an image sectionhdr)
#define IMAGE_REL_PPC_SECTION 0x000C // sectionheader number
#define IMAGE_REL_PPC_IFGLUE 0x000D // substitute TOC restore instruction iff symbol is glue code
#define IMAGE_REL_PPC_IMGLUE 0x000E // symbol is glue code; virtual address is TOC restore instruction
#define IMAGE_REL_PPC_SECREL16 0x000F // va of containing section (limited to 16 bits)
#define IMAGE_REL_PPC_REFHI 0x0010
#define IMAGE_REL_PPC_REFLO 0x0011
#define IMAGE_REL_PPC_PAIR 0x0012
#define IMAGE_REL_PPC_SECRELLO 0x0013 // Low 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_SECRELHI 0x0014 // High 16-bit section relative reference (used for >32k TLS)
#define IMAGE_REL_PPC_GPREL 0x0015
#define IMAGE_REL_PPC_TOKEN 0x0016 // clr token
#define IMAGE_REL_PPC_TYPEMASK 0x00FF // mask to isolate above values in IMAGE_RELOCATION.Type
// Flag bits in IMAGE_RELOCATION.TYPE
#define IMAGE_REL_PPC_NEG 0x0100 // subtract reloc value rather than adding it
#define IMAGE_REL_PPC_BRTAKEN 0x0200 // fix branch prediction bit to predict branch taken
#define IMAGE_REL_PPC_BRNTAKEN 0x0400 // fix branch prediction bit to predict branch not taken
#define IMAGE_REL_PPC_TOCDEFN 0x0800 // toc slot defined in file (or, data in toc)
//
// Hitachi SH3 relocation types.
//
#define IMAGE_REL_SH3_ABSOLUTE 0x0000 // No relocation
#define IMAGE_REL_SH3_DIRECT16 0x0001 // 16 bit direct
#define IMAGE_REL_SH3_DIRECT32 0x0002 // 32 bit direct
#define IMAGE_REL_SH3_DIRECT8 0x0003 // 8 bit direct, -128..255
#define IMAGE_REL_SH3_DIRECT8_WORD 0x0004 // 8 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT8_LONG 0x0005 // 8 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_DIRECT4 0x0006 // 4 bit direct (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_WORD 0x0007 // 4 bit direct .W (0 ext.)
#define IMAGE_REL_SH3_DIRECT4_LONG 0x0008 // 4 bit direct .L (0 ext.)
#define IMAGE_REL_SH3_PCREL8_WORD 0x0009 // 8 bit PC relative .W
#define IMAGE_REL_SH3_PCREL8_LONG 0x000A // 8 bit PC relative .L
#define IMAGE_REL_SH3_PCREL12_WORD 0x000B // 12 LSB PC relative .W
#define IMAGE_REL_SH3_STARTOF_SECTION 0x000C // Start of EXE section
#define IMAGE_REL_SH3_SIZEOF_SECTION 0x000D // Size of EXE section
#define IMAGE_REL_SH3_SECTION 0x000E // Section table index
#define IMAGE_REL_SH3_SECREL 0x000F // Offset within section
#define IMAGE_REL_SH3_DIRECT32_NB 0x0010 // 32 bit direct not based
#define IMAGE_REL_SH3_GPREL4_LONG 0x0011 // GP-relative addressing
#define IMAGE_REL_SH3_TOKEN 0x0012 // clr token
#define IMAGE_REL_ARM_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_ARM_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_ARM_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_ARM_BRANCH24 0x0003 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_ARM_BRANCH11 0x0004 // Thumb: 2 11 bit offsets
#define IMAGE_REL_ARM_TOKEN 0x0005 // clr token
#define IMAGE_REL_ARM_GPREL12 0x0006 // GP-relative addressing (ARM)
#define IMAGE_REL_ARM_GPREL7 0x0007 // GP-relative addressing (Thumb)
#define IMAGE_REL_ARM_BLX24 0x0008
#define IMAGE_REL_ARM_BLX11 0x0009
#define IMAGE_REL_ARM_SECTION 0x000E // Section table index
#define IMAGE_REL_ARM_SECREL 0x000F // Offset within section
#define IMAGE_REL_AM_ABSOLUTE 0x0000
#define IMAGE_REL_AM_ADDR32 0x0001
#define IMAGE_REL_AM_ADDR32NB 0x0002
#define IMAGE_REL_AM_CALL32 0x0003
#define IMAGE_REL_AM_FUNCINFO 0x0004
#define IMAGE_REL_AM_REL32_1 0x0005
#define IMAGE_REL_AM_REL32_2 0x0006
#define IMAGE_REL_AM_SECREL 0x0007
#define IMAGE_REL_AM_SECTION 0x0008
#define IMAGE_REL_AM_TOKEN 0x0009
//
// x64 relocations
//
#define IMAGE_REL_AMD64_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_AMD64_ADDR64 0x0001 // 64-bit address (VA).
#define IMAGE_REL_AMD64_ADDR32 0x0002 // 32-bit address (VA).
#define IMAGE_REL_AMD64_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_AMD64_REL32 0x0004 // 32-bit relative address from byte following reloc
#define IMAGE_REL_AMD64_REL32_1 0x0005 // 32-bit relative address from byte distance 1 from reloc
#define IMAGE_REL_AMD64_REL32_2 0x0006 // 32-bit relative address from byte distance 2 from reloc
#define IMAGE_REL_AMD64_REL32_3 0x0007 // 32-bit relative address from byte distance 3 from reloc
#define IMAGE_REL_AMD64_REL32_4 0x0008 // 32-bit relative address from byte distance 4 from reloc
#define IMAGE_REL_AMD64_REL32_5 0x0009 // 32-bit relative address from byte distance 5 from reloc
#define IMAGE_REL_AMD64_SECTION 0x000A // Section index
#define IMAGE_REL_AMD64_SECREL 0x000B // 32 bit offset from base of section containing target
#define IMAGE_REL_AMD64_SECREL7 0x000C // 7 bit unsigned offset from base of section containing target
#define IMAGE_REL_AMD64_TOKEN 0x000D // 32 bit metadata token
#define IMAGE_REL_AMD64_SREL32 0x000E // 32 bit signed span-dependent value emitted into object
#define IMAGE_REL_AMD64_PAIR 0x000F
#define IMAGE_REL_AMD64_SSPAN32 0x0010 // 32 bit signed span-dependent value applied at link time
//
// IA64 relocation types.
//
#define IMAGE_REL_IA64_ABSOLUTE 0x0000
#define IMAGE_REL_IA64_IMM14 0x0001
#define IMAGE_REL_IA64_IMM22 0x0002
#define IMAGE_REL_IA64_IMM64 0x0003
#define IMAGE_REL_IA64_DIR32 0x0004
#define IMAGE_REL_IA64_DIR64 0x0005
#define IMAGE_REL_IA64_PCREL21B 0x0006
#define IMAGE_REL_IA64_PCREL21M 0x0007
#define IMAGE_REL_IA64_PCREL21F 0x0008
#define IMAGE_REL_IA64_GPREL22 0x0009
#define IMAGE_REL_IA64_LTOFF22 0x000A
#define IMAGE_REL_IA64_SECTION 0x000B
#define IMAGE_REL_IA64_SECREL22 0x000C
#define IMAGE_REL_IA64_SECREL64I 0x000D
#define IMAGE_REL_IA64_SECREL32 0x000E
//
#define IMAGE_REL_IA64_DIR32NB 0x0010
#define IMAGE_REL_IA64_SREL14 0x0011
#define IMAGE_REL_IA64_SREL22 0x0012
#define IMAGE_REL_IA64_SREL32 0x0013
#define IMAGE_REL_IA64_UREL32 0x0014
#define IMAGE_REL_IA64_PCREL60X 0x0015 // This is always a BRL and never converted
#define IMAGE_REL_IA64_PCREL60B 0x0016 // If possible, convert to MBB bundle with NOP.B in slot 1
#define IMAGE_REL_IA64_PCREL60F 0x0017 // If possible, convert to MFB bundle with NOP.F in slot 1
#define IMAGE_REL_IA64_PCREL60I 0x0018 // If possible, convert to MIB bundle with NOP.I in slot 1
#define IMAGE_REL_IA64_PCREL60M 0x0019 // If possible, convert to MMB bundle with NOP.M in slot 1
#define IMAGE_REL_IA64_IMMGPREL64 0x001A
#define IMAGE_REL_IA64_TOKEN 0x001B // clr token
#define IMAGE_REL_IA64_GPREL32 0x001C
#define IMAGE_REL_IA64_ADDEND 0x001F
//
// CEF relocation types.
//
#define IMAGE_REL_CEF_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEF_ADDR32 0x0001 // 32-bit address (VA).
#define IMAGE_REL_CEF_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEF_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEF_SECTION 0x0004 // Section index
#define IMAGE_REL_CEF_SECREL 0x0005 // 32 bit offset from base of section containing target
#define IMAGE_REL_CEF_TOKEN 0x0006 // 32 bit metadata token
//
// clr relocation types.
//
#define IMAGE_REL_CEE_ABSOLUTE 0x0000 // Reference is absolute, no relocation is necessary
#define IMAGE_REL_CEE_ADDR32 0x0001 // 32-bit address (VA).
#define IMAGE_REL_CEE_ADDR64 0x0002 // 64-bit address (VA).
#define IMAGE_REL_CEE_ADDR32NB 0x0003 // 32-bit address w/o image base (RVA).
#define IMAGE_REL_CEE_SECTION 0x0004 // Section index
#define IMAGE_REL_CEE_SECREL 0x0005 // 32 bit offset from base of section containing target
#define IMAGE_REL_CEE_TOKEN 0x0006 // 32 bit metadata token
#define IMAGE_REL_M32R_ABSOLUTE 0x0000 // No relocation required
#define IMAGE_REL_M32R_ADDR32 0x0001 // 32 bit address
#define IMAGE_REL_M32R_ADDR32NB 0x0002 // 32 bit address w/o image base
#define IMAGE_REL_M32R_ADDR24 0x0003 // 24 bit address
#define IMAGE_REL_M32R_GPREL16 0x0004 // GP relative addressing
#define IMAGE_REL_M32R_PCREL24 0x0005 // 24 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_PCREL16 0x0006 // 16 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_PCREL8 0x0007 // 8 bit offset << 2 & sign ext.
#define IMAGE_REL_M32R_REFHALF 0x0008 // 16 MSBs
#define IMAGE_REL_M32R_REFHI 0x0009 // 16 MSBs; adj for LSB sign ext.
#define IMAGE_REL_M32R_REFLO 0x000A // 16 LSBs
#define IMAGE_REL_M32R_PAIR 0x000B // Link HI and LO
#define IMAGE_REL_M32R_SECTION 0x000C // Section table index
#define IMAGE_REL_M32R_SECREL32 0x000D // 32 bit section relative reference
#define IMAGE_REL_M32R_TOKEN 0x000E // clr token
#define EXT_IMM64(Value, Address, Size, InstPos, ValPos) /* Intel-IA64-Filler */ \
Value |= (((ULONGLONG)((*(Address) >> InstPos) & (((ULONGLONG)1 << Size) - 1))) << ValPos) // Intel-IA64-Filler
#define INS_IMM64(Value, Address, Size, InstPos, ValPos) /* Intel-IA64-Filler */\
*(PULONG)Address = (*(PULONG)Address & ~(((1 << Size) - 1) << InstPos)) | /* Intel-IA64-Filler */\
((ULONG)((((ULONGLONG)Value >> ValPos) & (((ULONGLONG)1 << Size) - 1))) << InstPos) // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM7B_INST_WORD_X 3 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM7B_SIZE_X 7 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X 4 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM7B_VAL_POS_X 0 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM9D_INST_WORD_X 3 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM9D_SIZE_X 9 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X 18 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM9D_VAL_POS_X 7 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM5C_INST_WORD_X 3 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM5C_SIZE_X 5 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X 13 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM5C_VAL_POS_X 16 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IC_INST_WORD_X 3 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IC_SIZE_X 1 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IC_INST_WORD_POS_X 12 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IC_VAL_POS_X 21 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41a_INST_WORD_X 1 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41a_SIZE_X 10 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X 14 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41a_VAL_POS_X 22 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41b_INST_WORD_X 1 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41b_SIZE_X 8 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X 24 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41b_VAL_POS_X 32 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41c_INST_WORD_X 2 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41c_SIZE_X 23 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X 0 // Intel-IA64-Filler
#define EMARCH_ENC_I17_IMM41c_VAL_POS_X 40 // Intel-IA64-Filler
#define EMARCH_ENC_I17_SIGN_INST_WORD_X 3 // Intel-IA64-Filler
#define EMARCH_ENC_I17_SIGN_SIZE_X 1 // Intel-IA64-Filler
#define EMARCH_ENC_I17_SIGN_INST_WORD_POS_X 27 // Intel-IA64-Filler
#define EMARCH_ENC_I17_SIGN_VAL_POS_X 63 // Intel-IA64-Filler
#define X3_OPCODE_INST_WORD_X 3 // Intel-IA64-Filler
#define X3_OPCODE_SIZE_X 4 // Intel-IA64-Filler
#define X3_OPCODE_INST_WORD_POS_X 28 // Intel-IA64-Filler
#define X3_OPCODE_SIGN_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_I_INST_WORD_X 3 // Intel-IA64-Filler
#define X3_I_SIZE_X 1 // Intel-IA64-Filler
#define X3_I_INST_WORD_POS_X 27 // Intel-IA64-Filler
#define X3_I_SIGN_VAL_POS_X 59 // Intel-IA64-Filler
#define X3_D_WH_INST_WORD_X 3 // Intel-IA64-Filler
#define X3_D_WH_SIZE_X 3 // Intel-IA64-Filler
#define X3_D_WH_INST_WORD_POS_X 24 // Intel-IA64-Filler
#define X3_D_WH_SIGN_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_IMM20_INST_WORD_X 3 // Intel-IA64-Filler
#define X3_IMM20_SIZE_X 20 // Intel-IA64-Filler
#define X3_IMM20_INST_WORD_POS_X 4 // Intel-IA64-Filler
#define X3_IMM20_SIGN_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_IMM39_1_INST_WORD_X 2 // Intel-IA64-Filler
#define X3_IMM39_1_SIZE_X 23 // Intel-IA64-Filler
#define X3_IMM39_1_INST_WORD_POS_X 0 // Intel-IA64-Filler
#define X3_IMM39_1_SIGN_VAL_POS_X 36 // Intel-IA64-Filler
#define X3_IMM39_2_INST_WORD_X 1 // Intel-IA64-Filler
#define X3_IMM39_2_SIZE_X 16 // Intel-IA64-Filler
#define X3_IMM39_2_INST_WORD_POS_X 16 // Intel-IA64-Filler
#define X3_IMM39_2_SIGN_VAL_POS_X 20 // Intel-IA64-Filler
#define X3_P_INST_WORD_X 3 // Intel-IA64-Filler
#define X3_P_SIZE_X 4 // Intel-IA64-Filler
#define X3_P_INST_WORD_POS_X 0 // Intel-IA64-Filler
#define X3_P_SIGN_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_TMPLT_INST_WORD_X 0 // Intel-IA64-Filler
#define X3_TMPLT_SIZE_X 4 // Intel-IA64-Filler
#define X3_TMPLT_INST_WORD_POS_X 0 // Intel-IA64-Filler
#define X3_TMPLT_SIGN_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_BTYPE_QP_INST_WORD_X 2 // Intel-IA64-Filler
#define X3_BTYPE_QP_SIZE_X 9 // Intel-IA64-Filler
#define X3_BTYPE_QP_INST_WORD_POS_X 23 // Intel-IA64-Filler
#define X3_BTYPE_QP_INST_VAL_POS_X 0 // Intel-IA64-Filler
#define X3_EMPTY_INST_WORD_X 1 // Intel-IA64-Filler
#define X3_EMPTY_SIZE_X 2 // Intel-IA64-Filler
#define X3_EMPTY_INST_WORD_POS_X 14 // Intel-IA64-Filler
#define X3_EMPTY_INST_VAL_POS_X 0 // Intel-IA64-Filler
//
// Line number format.
//
typedef struct _IMAGE_LINENUMBER {
union {
ULONG SymbolTableIndex; // Symbol table index of function name if Linenumber is 0.
ULONG VirtualAddress; // Virtual address of line number.
} Type;
USHORT Linenumber; // Line number.
} IMAGE_LINENUMBER;
typedef IMAGE_LINENUMBER UNALIGNED *PIMAGE_LINENUMBER;
#define IMAGE_SIZEOF_LINENUMBER 6
#include "poppack.h" // Back to 4 byte packing
//
// Based relocation format.
//
typedef struct _IMAGE_BASE_RELOCATION {
ULONG VirtualAddress;
ULONG SizeOfBlock;
USHORT TypeOffset[1];
} IMAGE_BASE_RELOCATION;
typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
#define IMAGE_SIZEOF_BASE_RELOCATION 8
//
// Based relocation types.
//
#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGH 1
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
// end_winnt
#define IMAGE_REL_BASED_SECTION 6
#define IMAGE_REL_BASED_REL32 7
// IMAGE_REL_BASED_VXD_RELATIVE 8
// begin_winnt
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_IA64_IMM64 9
#define IMAGE_REL_BASED_DIR64 10
//
// Archive format.
//
#define IMAGE_ARCHIVE_START_SIZE 8
#define IMAGE_ARCHIVE_START "!\n"
#define IMAGE_ARCHIVE_END "`\n"
#define IMAGE_ARCHIVE_PAD "\n"
#define IMAGE_ARCHIVE_LINKER_MEMBER "/ "
#define IMAGE_ARCHIVE_LONGNAMES_MEMBER "// "
typedef struct _IMAGE_ARCHIVE_MEMBER_HEADER {
UCHAR Name[16]; // File member name - `/' terminated.
UCHAR Date[12]; // File member date - decimal.
UCHAR UserID[6]; // File member user id - decimal.
UCHAR GroupID[6]; // File member group id - decimal.
UCHAR Mode[8]; // File member mode - octal.
UCHAR Size[10]; // File member size - decimal.
UCHAR EndHeader[2]; // String to end header.
} IMAGE_ARCHIVE_MEMBER_HEADER, *PIMAGE_ARCHIVE_MEMBER_HEADER;
#define IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60
//
// DLL support.
//
//
// Export Format
//
typedef struct _IMAGE_EXPORT_DIRECTORY {
ULONG Characteristics;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
ULONG Name;
ULONG Base;
ULONG NumberOfFunctions;
ULONG NumberOfNames;
ULONG AddressOfFunctions; // RVA from base of image
ULONG AddressOfNames; // RVA from base of image
ULONG AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
//
// Import Format
//
typedef struct _IMAGE_IMPORT_BY_NAME {
USHORT Hint;
UCHAR Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
#include "pshpack8.h" // Use align 8 for the 64-bit IAT.
typedef struct _IMAGE_THUNK_DATA64 {
union {
ULONGLONG ForwarderString; // PUCHAR
ULONGLONG Function; // PULONG
ULONGLONG Ordinal;
ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA64;
typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
#include "poppack.h" // Back to 4 byte packing
typedef struct _IMAGE_THUNK_DATA32 {
union {
ULONG ForwarderString; // PUCHAR
ULONG Function; // PULONG
ULONG Ordinal;
ULONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
#define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0)
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0)
//
// Thread Local Storage
//
typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (
PVOID DllHandle,
ULONG Reason,
PVOID Reserved
);
typedef struct _IMAGE_TLS_DIRECTORY64 {
ULONGLONG StartAddressOfRawData;
ULONGLONG EndAddressOfRawData;
ULONGLONG AddressOfIndex; // PULONG
ULONGLONG AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *;
ULONG SizeOfZeroFill;
ULONG Characteristics;
} IMAGE_TLS_DIRECTORY64;
typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;
typedef struct _IMAGE_TLS_DIRECTORY32 {
ULONG StartAddressOfRawData;
ULONG EndAddressOfRawData;
ULONG AddressOfIndex; // PULONG
ULONG AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *
ULONG SizeOfZeroFill;
ULONG Characteristics;
} IMAGE_TLS_DIRECTORY32;
typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;
#ifdef _WIN64
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY;
#else
#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY;
#endif
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
ULONG Characteristics; // 0 for terminating null import descriptor
ULONG OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
};
ULONG TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
ULONG ForwarderChain; // -1 if no forwarders
ULONG Name;
ULONG FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
//
// New format import descriptors pointed to by DataDirectory[ IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT ]
//
typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR {
ULONG TimeDateStamp;
USHORT OffsetModuleName;
USHORT NumberOfModuleForwarderRefs;
// Array of zero or more IMAGE_BOUND_FORWARDER_REF follows
} IMAGE_BOUND_IMPORT_DESCRIPTOR, *PIMAGE_BOUND_IMPORT_DESCRIPTOR;
typedef struct _IMAGE_BOUND_FORWARDER_REF {
ULONG TimeDateStamp;
USHORT OffsetModuleName;
USHORT Reserved;
} IMAGE_BOUND_FORWARDER_REF, *PIMAGE_BOUND_FORWARDER_REF;
//
// Resource Format.
//
//
// Resource directory consists of two counts, following by a variable length
// array of directory entries. The first count is the number of entries at
// beginning of the array that have actual names associated with each entry.
// The entries are in ascending order, case insensitive strings. The second
// count is the number of entries that immediately follow the named entries.
// This second count identifies the number of entries that have 16-bit integer
// Ids as their name. These entries are also sorted in ascending order.
//
// This structure allows fast lookup by either name or number, but for any
// given resource entry only one form of lookup is supported, not both.
// This is consistant with the syntax of the .RC file and the .RES file.
//
typedef struct _IMAGE_RESOURCE_DIRECTORY {
ULONG Characteristics;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
USHORT NumberOfNamedEntries;
USHORT NumberOfIdEntries;
// IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
#define IMAGE_RESOURCE_NAME_IS_STRING 0x80000000
#define IMAGE_RESOURCE_DATA_IS_DIRECTORY 0x80000000
//
// Each directory contains the 32-bit Name of the entry and an offset,
// relative to the beginning of the resource directory of the data associated
// with this directory entry. If the name of the entry is an actual text
// string instead of an integer Id, then the high order bit of the name field
// is set to one and the low order 31-bits are an offset, relative to the
// beginning of the resource directory of the string, which is of type
// IMAGE_RESOURCE_DIRECTORY_STRING. Otherwise the high bit is clear and the
// low-order 16-bits are the integer Id that identify this resource directory
// entry. If the directory entry is yet another resource directory (i.e. a
// subdirectory), then the high order bit of the offset field will be
// set to indicate this. Otherwise the high bit is clear and the offset
// field points to a resource data entry.
//
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
union {
struct {
ULONG NameOffset:31;
ULONG NameIsString:1;
};
ULONG Name;
USHORT Id;
};
union {
ULONG OffsetToData;
struct {
ULONG OffsetToDirectory:31;
ULONG DataIsDirectory:1;
};
};
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
//
// For resource directory entries that have actual string names, the Name
// field of the directory entry points to an object of the following type.
// All of these string objects are stored together after the last resource
// directory entry and before the first resource data object. This minimizes
// the impact of these variable length objects on the alignment of the fixed
// size directory entry objects.
//
typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING {
USHORT Length;
CHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIRECTORY_STRING, *PIMAGE_RESOURCE_DIRECTORY_STRING;
typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
USHORT Length;
WCHAR NameString[ 1 ];
} IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;
//
// Each resource data entry describes a leaf node in the resource directory
// tree. It contains an offset, relative to the beginning of the resource
// directory of the data for the resource, a size field that gives the number
// of bytes of data at that offset, a CodePage that should be used when
// decoding code point values within the resource data. Typically for new
// applications the code page would be the unicode code page.
//
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
ULONG OffsetToData;
ULONG Size;
ULONG CodePage;
ULONG Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
//
// Load Configuration Directory Entry
//
typedef struct {
ULONG Size;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
ULONG GlobalFlagsClear;
ULONG GlobalFlagsSet;
ULONG CriticalSectionDefaultTimeout;
ULONG DeCommitFreeBlockThreshold;
ULONG DeCommitTotalFreeThreshold;
ULONG LockPrefixTable; // VA
ULONG MaximumAllocationSize;
ULONG VirtualMemoryThreshold;
ULONG ProcessHeapFlags;
ULONG ProcessAffinityMask;
USHORT CSDVersion;
USHORT Reserved1;
ULONG EditList; // VA
ULONG SecurityCookie; // VA
ULONG SEHandlerTable; // VA
ULONG SEHandlerCount;
} IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
typedef struct {
ULONG Size;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
ULONG GlobalFlagsClear;
ULONG GlobalFlagsSet;
ULONG CriticalSectionDefaultTimeout;
ULONGLONG DeCommitFreeBlockThreshold;
ULONGLONG DeCommitTotalFreeThreshold;
ULONGLONG LockPrefixTable; // VA
ULONGLONG MaximumAllocationSize;
ULONGLONG VirtualMemoryThreshold;
ULONGLONG ProcessAffinityMask;
ULONG ProcessHeapFlags;
USHORT CSDVersion;
USHORT Reserved1;
ULONGLONG EditList; // VA
ULONGLONG SecurityCookie; // VA
ULONGLONG SEHandlerTable; // VA
ULONGLONG SEHandlerCount;
} IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
#ifdef _WIN64
typedef IMAGE_LOAD_CONFIG_DIRECTORY64 IMAGE_LOAD_CONFIG_DIRECTORY;
typedef PIMAGE_LOAD_CONFIG_DIRECTORY64 PIMAGE_LOAD_CONFIG_DIRECTORY;
#else
typedef IMAGE_LOAD_CONFIG_DIRECTORY32 IMAGE_LOAD_CONFIG_DIRECTORY;
typedef PIMAGE_LOAD_CONFIG_DIRECTORY32 PIMAGE_LOAD_CONFIG_DIRECTORY;
#endif
//
// WIN CE Exception table format
//
//
// Function table entry format. Function table is pointed to by the
// IMAGE_DIRECTORY_ENTRY_EXCEPTION directory entry.
//
typedef struct _IMAGE_CE_RUNTIME_FUNCTION_ENTRY {
ULONG FuncStart;
ULONG PrologLen : 8;
ULONG FuncLen : 22;
ULONG ThirtyTwoBit : 1;
ULONG ExceptionFlag : 1;
} IMAGE_CE_RUNTIME_FUNCTION_ENTRY, * PIMAGE_CE_RUNTIME_FUNCTION_ENTRY;
typedef struct _IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY {
ULONGLONG BeginAddress;
ULONGLONG EndAddress;
ULONGLONG ExceptionHandler;
ULONGLONG HandlerData;
ULONGLONG PrologEndAddress;
} IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY;
typedef struct _IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY {
ULONG BeginAddress;
ULONG EndAddress;
ULONG ExceptionHandler;
ULONG HandlerData;
ULONG PrologEndAddress;
} IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY;
typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
ULONG BeginAddress;
ULONG EndAddress;
ULONG UnwindInfoAddress;
} _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
typedef _IMAGE_RUNTIME_FUNCTION_ENTRY IMAGE_IA64_RUNTIME_FUNCTION_ENTRY;
typedef _PIMAGE_RUNTIME_FUNCTION_ENTRY PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY;
typedef _IMAGE_RUNTIME_FUNCTION_ENTRY IMAGE_RUNTIME_FUNCTION_ENTRY;
typedef _PIMAGE_RUNTIME_FUNCTION_ENTRY PIMAGE_RUNTIME_FUNCTION_ENTRY;
//
// Debug Format
//
typedef struct _IMAGE_DEBUG_DIRECTORY {
ULONG Characteristics;
ULONG TimeDateStamp;
USHORT MajorVersion;
USHORT MinorVersion;
ULONG Type;
ULONG SizeOfData;
ULONG AddressOfRawData;
ULONG PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
#define IMAGE_DEBUG_TYPE_COFF 1
#define IMAGE_DEBUG_TYPE_CODEVIEW 2
#define IMAGE_DEBUG_TYPE_FPO 3
#define IMAGE_DEBUG_TYPE_MISC 4
#define IMAGE_DEBUG_TYPE_EXCEPTION 5
#define IMAGE_DEBUG_TYPE_FIXUP 6
#define IMAGE_DEBUG_TYPE_OMAP_TO_SRC 7
#define IMAGE_DEBUG_TYPE_OMAP_FROM_SRC 8
#define IMAGE_DEBUG_TYPE_BORLAND 9
#define IMAGE_DEBUG_TYPE_RESERVED10 10
#define IMAGE_DEBUG_TYPE_CLSID 11
// end_winnt
// IMAGE_DEBUG_TYPE values > 0x7FFFFFFF are reserved for BBT
// begin_winnt
typedef struct _IMAGE_COFF_SYMBOLS_HEADER {
ULONG NumberOfSymbols;
ULONG LvaToFirstSymbol;
ULONG NumberOfLinenumbers;
ULONG LvaToFirstLinenumber;
ULONG RvaToFirstByteOfCode;
ULONG RvaToLastByteOfCode;
ULONG RvaToFirstByteOfData;
ULONG RvaToLastByteOfData;
} IMAGE_COFF_SYMBOLS_HEADER, *PIMAGE_COFF_SYMBOLS_HEADER;
#define FRAME_FPO 0
#define FRAME_TRAP 1
#define FRAME_TSS 2
#define FRAME_NONFPO 3
typedef struct _FPO_DATA {
ULONG ulOffStart; // offset 1st byte of function code
ULONG cbProcSize; // # bytes in function
ULONG cdwLocals; // # bytes in locals/4
USHORT cdwParams; // # bytes in params/4
USHORT cbProlog : 8; // # bytes in prolog
USHORT cbRegs : 3; // # regs saved
USHORT fHasSEH : 1; // TRUE if SEH in func
USHORT fUseBP : 1; // TRUE if EBP has been allocated
USHORT reserved : 1; // reserved for future use
USHORT cbFrame : 2; // frame type
} FPO_DATA, *PFPO_DATA;
#define SIZEOF_RFPO_DATA 16
#define IMAGE_DEBUG_MISC_EXENAME 1
typedef struct _IMAGE_DEBUG_MISC {
ULONG DataType; // type of misc data, see defines
ULONG Length; // total length of record, rounded to four
// byte multiple.
BOOLEAN Unicode; // TRUE if data is unicode string
UCHAR Reserved[ 3 ];
UCHAR Data[ 1 ]; // Actual data
} IMAGE_DEBUG_MISC, *PIMAGE_DEBUG_MISC;
//
// Function table extracted from MIPS/ALPHA/IA64 images. Does not contain
// information needed only for runtime support. Just those fields for
// each entry needed by a debugger.
//
typedef struct _IMAGE_FUNCTION_ENTRY {
ULONG StartingAddress;
ULONG EndingAddress;
ULONG EndOfPrologue;
} IMAGE_FUNCTION_ENTRY, *PIMAGE_FUNCTION_ENTRY;
typedef struct _IMAGE_FUNCTION_ENTRY64 {
ULONGLONG StartingAddress;
ULONGLONG EndingAddress;
union {
ULONGLONG EndOfPrologue;
ULONGLONG UnwindInfoAddress;
};
} IMAGE_FUNCTION_ENTRY64, *PIMAGE_FUNCTION_ENTRY64;
//
// Debugging information can be stripped from an image file and placed
// in a separate .DBG file, whose file name part is the same as the
// image file name part (e.g. symbols for CMD.EXE could be stripped
// and placed in CMD.DBG). This is indicated by the IMAGE_FILE_DEBUG_STRIPPED
// flag in the Characteristics field of the file header. The beginning of
// the .DBG file contains the following structure which captures certain
// information from the image file. This allows a debug to proceed even if
// the original image file is not accessable. This header is followed by
// zero of more IMAGE_SECTION_HEADER structures, followed by zero or more
// IMAGE_DEBUG_DIRECTORY structures. The latter structures and those in
// the image file contain file offsets relative to the beginning of the
// .DBG file.
//
// If symbols have been stripped from an image, the IMAGE_DEBUG_MISC structure
// is left in the image file, but not mapped. This allows a debugger to
// compute the name of the .DBG file, from the name of the image in the
// IMAGE_DEBUG_MISC structure.
//
typedef struct _IMAGE_SEPARATE_DEBUG_HEADER {
USHORT Signature;
USHORT Flags;
USHORT Machine;
USHORT Characteristics;
ULONG TimeDateStamp;
ULONG CheckSum;
ULONG ImageBase;
ULONG SizeOfImage;
ULONG NumberOfSections;
ULONG ExportedNamesSize;
ULONG DebugDirectorySize;
ULONG SectionAlignment;
ULONG Reserved[2];
} IMAGE_SEPARATE_DEBUG_HEADER, *PIMAGE_SEPARATE_DEBUG_HEADER;
typedef struct _NON_PAGED_DEBUG_INFO {
USHORT Signature;
USHORT Flags;
ULONG Size;
USHORT Machine;
USHORT Characteristics;
ULONG TimeDateStamp;
ULONG CheckSum;
ULONG SizeOfImage;
ULONGLONG ImageBase;
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;
#define IMAGE_SEPARATE_DEBUG_SIGNATURE 0x4944
#define NON_PAGED_DEBUG_SIGNATURE 0x494E
#define IMAGE_SEPARATE_DEBUG_FLAGS_MASK 0x8000
#define IMAGE_SEPARATE_DEBUG_MISMATCH 0x8000 // when DBG was updated, the
// old checksum didn't match.
//
// The .arch section is made up of headers, each describing an amask position/value
// pointing to an array of IMAGE_ARCHITECTURE_ENTRY's. Each "array" (both the header
// and entry arrays) are terminated by a quadword of 0xffffffffL.
//
// NOTE: There may be quadwords of 0 sprinkled around and must be skipped.
//
typedef struct _ImageArchitectureHeader {
unsigned int AmaskValue: 1; // 1 -> code section depends on mask bit
// 0 -> new instruction depends on mask bit
int :7; // MBZ
unsigned int AmaskShift: 8; // Amask bit in question for this fixup
int :16; // MBZ
ULONG FirstEntryRVA; // RVA into .arch section to array of ARCHITECTURE_ENTRY's
} IMAGE_ARCHITECTURE_HEADER, *PIMAGE_ARCHITECTURE_HEADER;
typedef struct _ImageArchitectureEntry {
ULONG FixupInstRVA; // RVA of instruction to fixup
ULONG NewInst; // fixup instruction (see alphaops.h)
} IMAGE_ARCHITECTURE_ENTRY, *PIMAGE_ARCHITECTURE_ENTRY;
#include "poppack.h" // Back to the initial value
// The following structure defines the new import object. Note the values of the first two fields,
// which must be set as stated in order to differentiate old and new import members.
// Following this structure, the linker emits two null-terminated strings used to recreate the
// import at the time of use. The first string is the import's name, the second is the dll's name.
#define IMPORT_OBJECT_HDR_SIG2 0xffff
typedef struct IMPORT_OBJECT_HEADER {
USHORT Sig1; // Must be IMAGE_FILE_MACHINE_UNKNOWN
USHORT Sig2; // Must be IMPORT_OBJECT_HDR_SIG2.
USHORT Version;
USHORT Machine;
ULONG TimeDateStamp; // Time/date stamp
ULONG SizeOfData; // particularly useful for incremental links
union {
USHORT Ordinal; // if grf & IMPORT_OBJECT_ORDINAL
USHORT Hint;
};
USHORT Type : 2; // IMPORT_TYPE
USHORT NameType : 3; // IMPORT_NAME_TYPE
USHORT Reserved : 11; // Reserved. Must be zero.
} IMPORT_OBJECT_HEADER;
typedef enum IMPORT_OBJECT_TYPE
{
IMPORT_OBJECT_CODE = 0,
IMPORT_OBJECT_DATA = 1,
IMPORT_OBJECT_CONST = 2,
} IMPORT_OBJECT_TYPE;
typedef enum IMPORT_OBJECT_NAME_TYPE
{
IMPORT_OBJECT_ORDINAL = 0, // Import by ordinal
IMPORT_OBJECT_NAME = 1, // Import name == public symbol name.
IMPORT_OBJECT_NAME_NO_PREFIX = 2, // Import name == public symbol name skipping leading ?, @, or optionally _.
IMPORT_OBJECT_NAME_UNDECORATE = 3, // Import name == public symbol name skipping leading ?, @, or optionally _
// and truncating at first @
} IMPORT_OBJECT_NAME_TYPE;
// end_winnt
// The structure is used by the NT loader for clr URT support. It
// is a duplicate of the definition in corhdr.h.
// begin_winnt
#ifndef __IMAGE_COR20_HEADER_DEFINED__
#define __IMAGE_COR20_HEADER_DEFINED__
typedef enum ReplacesCorHdrNumericDefines
{
// COM+ Header entry point flags.
COMIMAGE_FLAGS_ILONLY =0x00000001,
COMIMAGE_FLAGS_32BITREQUIRED =0x00000002,
COMIMAGE_FLAGS_IL_LIBRARY =0x00000004,
COMIMAGE_FLAGS_STRONGNAMESIGNED =0x00000008,
COMIMAGE_FLAGS_TRACKDEBUGDATA =0x00010000,
// Version flags for image.
COR_VERSION_MAJOR_V2 =2,
COR_VERSION_MAJOR =COR_VERSION_MAJOR_V2,
COR_VERSION_MINOR =0,
COR_DELETED_NAME_LENGTH =8,
COR_VTABLEGAP_NAME_LENGTH =8,
// Maximum size of a NativeType descriptor.
NATIVE_TYPE_MAX_CB =1,
COR_ILMETHOD_SECT_SMALL_MAX_DATASIZE=0xFF,
// #defines for the MIH FLAGS
IMAGE_COR_MIH_METHODRVA =0x01,
IMAGE_COR_MIH_EHRVA =0x02,
IMAGE_COR_MIH_BASICBLOCK =0x08,
// V-table constants
COR_VTABLE_32BIT =0x01, // V-table slots are 32-bits in size.
COR_VTABLE_64BIT =0x02, // V-table slots are 64-bits in size.
COR_VTABLE_FROM_UNMANAGED =0x04, // If set, transition from unmanaged.
COR_VTABLE_CALL_MOST_DERIVED =0x10, // Call most derived method described by
// EATJ constants
IMAGE_COR_EATJ_THUNK_SIZE =32, // Size of a jump thunk reserved range.
// Max name lengths
MAX_CLASS_NAME =1024,
MAX_PACKAGE_NAME =1024,
} ReplacesCorHdrNumericDefines;
// COM+ 2.0 header structure.
typedef struct IMAGE_COR20_HEADER
{
// Header versioning
ULONG cb;
USHORT MajorRuntimeVersion;
USHORT MinorRuntimeVersion;
// Symbol table and startup information
IMAGE_DATA_DIRECTORY MetaData;
ULONG Flags;
ULONG EntryPointToken;
// Binding information
IMAGE_DATA_DIRECTORY Resources;
IMAGE_DATA_DIRECTORY StrongNameSignature;
// Regular fixup and binding information
IMAGE_DATA_DIRECTORY CodeManagerTable;
IMAGE_DATA_DIRECTORY VTableFixups;
IMAGE_DATA_DIRECTORY ExportAddressTableJumps;
// Precompiled image info (internal use only - set to zero)
IMAGE_DATA_DIRECTORY ManagedNativeHeader;
} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;
#endif // __IMAGE_COR20_HEADER_DEFINED__
//
// End Image Format
//
// end_winnt
typedef IMAGE_OS2_HEADER UNALIGNED * PUIMAGE_OS2_HEADER;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED CONST *PCIMAGE_IMPORT_DESCRIPTOR;
typedef CONST IMAGE_BOUND_IMPORT_DESCRIPTOR *PCIMAGE_BOUND_IMPORT_DESCRIPTOR;
typedef CONST IMAGE_BOUND_FORWARDER_REF *PCIMAGE_BOUND_FORWARDER_REF;
typedef CONST IMAGE_IMPORT_BY_NAME *PCIMAGE_IMPORT_BY_NAME;
typedef CONST IMAGE_THUNK_DATA *PCIMAGE_THUNK_DATA;
typedef CONST IMAGE_THUNK_DATA32 *PCIMAGE_THUNK_DATA32;
typedef CONST IMAGE_THUNK_DATA64 *PCIMAGE_THUNK_DATA64;
typedef CONST IMAGE_TLS_DIRECTORY *PCIMAGE_TLS_DIRECTORY;
typedef CONST IMAGE_TLS_DIRECTORY32 *PCIMAGE_TLS_DIRECTORY32;
typedef CONST IMAGE_TLS_DIRECTORY64 *PCIMAGE_TLS_DIRECTORY64;
typedef CONST IMAGE_EXPORT_DIRECTORY *PCIMAGE_EXPORT_DIRECTORY;
typedef CONST IMAGE_SECTION_HEADER *PCIMAGE_SECTION_HEADER;
#endif // _NTIMAGE_
Driver.c
#include "ntddk.h"
#include "ntimage.h"
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
ServiceDescriptorTableEntry_t *pNewSSDT;
ULONG h_org_NtOpenProcess;
ULONG addr_hookaddr=0;
ULONG jmp_ret;
ULONG OrigImage=0x804D8000;
typedef
NTSTATUS (*NTOPENPROCESS) (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
);
void PageProtectOn()
{
__asm{//恢复内存保护
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
void PageProtectOff()
{
__asm{//去掉内存保护
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
ULONG display(ULONG ServiceTableBase,ULONG FuncIndex,ULONG OrigFuncAddress)
{
if (ServiceTableBase==(ULONG)KeServiceDescriptorTable.ServiceTableBase)
{//比较当前调用的进程是不是ce
if (!strcmp((char*)PsGetCurrentProcess()+0x174,"cheatengine-i38"))
{
return pNewSSDT->ServiceTableBase[FuncIndex];
}
}
return OrigFuncAddress;
}
__declspec(naked)
void MyKiFastCallEntry()
{
__asm
{
pushad
pushfd
push ebx
push eax
push edi
call display
//再返回前修改堆栈里的数据
mov [esp+0x14],eax
popfd
popad
//恢复以前的代码,以便内核正常运行
sub esp,ecx
shr ecx,2
jmp jmp_ret
}
}
void hook_KiFastCallEntry()
{
UCHAR jmp_code[5];
jmp_code[0]=0xe9;
//计算jmp_code
*(ULONG *)&jmp_code[1]=(ULONG)MyKiFastCallEntry-5-addr_hookaddr;
//计算返回jmp
jmp_ret = addr_hookaddr + 5;
PageProtectOff();
//inline hook
RtlCopyMemory((PVOID)addr_hookaddr,jmp_code,5);
PageProtectOn();
}
NTSTATUS h_NtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
ULONG retaddr;
UCHAR *p=NULL;
int i=0;
__asm
{
pushad
mov eax,[ebp+0x04]
mov retaddr,eax
popad
}
p=(UCHAR *)retaddr;
for(i=0;i<100;i++)
{
if(*p==0x2b&&*(p+1)==0xe1&&*(p+2)==0xc1&&*(p+3)==0xe9&&*(p+4)==0x02)
{
addr_hookaddr=(ULONG)p;
break;
}
else
{
p--;
}
}
if(addr_hookaddr==0)
{
KdPrint(("%x",retaddr));
KdPrint(("Find addr_hookaddr failed!"));
}
else
{
KdPrint(("You Have Find The Addr_hookaddr!"));
PageProtectOff();
KeServiceDescriptorTable.ServiceTableBase[122] =(unsigned int ) h_org_NtOpenProcess;
PageProtectOn();
hook_KiFastCallEntry();
}
return ((NTOPENPROCESS)h_org_NtOpenProcess)(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
}
void Hook_NtOpenProcess()
{
h_org_NtOpenProcess = KeServiceDescriptorTable.ServiceTableBase[122];
PageProtectOff();
KeServiceDescriptorTable.ServiceTableBase[122] = (unsigned int)h_NtOpenProcess;
PageProtectOn();
}
void UnHook_KiFastCallEntry()
{
UCHAR org_code[]={0x2b,0xe1,0xc1,0xe9,0x2};
if(addr_hookaddr!=0)
{
PageProtectOff();
RtlCopyMemory((PVOID)addr_hookaddr,org_code,5);
PageProtectOn();
}
}
void UnHookNtOpenProcess()
{
if(addr_hookaddr)
return;
PageProtectOff();
KeServiceDescriptorTable.ServiceTableBase[122]=(unsigned int )h_org_NtOpenProcess;
PageProtectOn();
}
VOID SetNewSSDT(PVOID pNewImage)
{
ULONG uIndex;
ULONG uNewKernelInc,uOffset;
//新内核地址-老内核地址,得到相对偏移
uNewKernelInc = (ULONG)pNewImage -OrigImage;
//老内核的ssdt指针加上相对偏移,得到新内核的ssdt指针
pNewSSDT = (ServiceDescriptorTableEntry_t *)((ULONG)&KeServiceDescriptorTable + uNewKernelInc);
if (!MmIsAddressValid(pNewSSDT))
{
KdPrint(("pNewSSDT is unaviable!"));
return;
}
//由于数量是一个数值,因此不必作相对偏移
pNewSSDT->NumberOfServices = KeServiceDescriptorTable.NumberOfServices;
//计算相对函数地址
uOffset = (ULONG)KeServiceDescriptorTable.ServiceTableBase -OrigImage;
//得到新的ssdt函数表地址
pNewSSDT->ServiceTableBase = (unsigned int*)((ULONG)pNewImage + uOffset);
if (!MmIsAddressValid(pNewSSDT->ServiceTableBase))
{
KdPrint(("pNewSSDT->ServiceTableBase: %X",pNewSSDT->ServiceTableBase));
return;
}
//依次遍历
for (uIndex = 0;uIndexNumberOfServices;uIndex++)
{//新的函数地址再加上相对加载地址,得到现在的ssdt函数地址
pNewSSDT->ServiceTableBase[uIndex] += uNewKernelInc;
}
}
void FixBaseRelocTable(PVOID pNewImage)
{
ULONG uIndex;
ULONG uRelocTableSize;
ULONG OriginalImageBase;
ULONG Type;
ULONG *uRelocAddress;
PIMAGE_DOS_HEADER pImageDosHeader;
PIMAGE_NT_HEADERS pImageNtHeader;
IMAGE_DATA_DIRECTORY ImageDataDirectory;
IMAGE_BASE_RELOCATION *pImageBaseRelocation;
//将新内核地址作为一个PE文件头,依次向下,目的是寻找重定位表结构
pImageDosHeader=(PIMAGE_DOS_HEADER)pNewImage;
//定位到IMAGE_NT_HEADER
pImageNtHeader=(PIMAGE_NT_HEADERS)((ULONG)pNewImage+pImageDosHeader->e_lfanew);
//获取内核文件的imagebase,以便后面做偏移修改。
OriginalImageBase=pImageNtHeader->OptionalHeader.ImageBase;
//定位到数据目录
ImageDataDirectory = pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
//定位到重定位表结构
pImageBaseRelocation = (PIMAGE_BASE_RELOCATION)(ImageDataDirectory.VirtualAddress + (ULONG)pNewImage);
if (pImageBaseRelocation==NULL)
{
return;
}
while (pImageBaseRelocation->SizeOfBlock)
{ //计算需要修改的地址的个数
uRelocTableSize=(pImageBaseRelocation->SizeOfBlock-8)/2;
//循环遍历
for (uIndex=0;uIndexTypeOffset[uIndex]>>12;
if (Type==3)
{
//修改地址,相对地址加上一个新内核地址,使其成为一个实际地址
uRelocAddress=(ULONG *)((ULONG)(pImageBaseRelocation->TypeOffset[uIndex]&0x0fff)+pImageBaseRelocation->VirtualAddress+(ULONG)pNewImage);
//再加上内核首地址到imagebase的偏移
*uRelocAddress=*uRelocAddress+(OrigImage-OriginalImageBase);
}
}
//进行下一个重定位表的修改
pImageBaseRelocation=(IMAGE_BASE_RELOCATION *)((ULONG)pImageBaseRelocation+pImageBaseRelocation->SizeOfBlock);
}
}
void LoadKernel()
{
NTSTATUS status;
UNICODE_STRING uFileName;
HANDLE hFile;
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK IoStatusBlock;
LARGE_INTEGER FileOffset;
ULONG retsize;
PVOID lpVirtualPointer;
ULONG uLoop;
ULONG SectionVirtualAddress,SectionSize;
IMAGE_DOS_HEADER ImageDosHeader;
IMAGE_NT_HEADERS ImageNtHeader;
IMAGE_SECTION_HEADER *lpImageSectionHeader;
InitializeObjectAttributes(&ObjAttr,\
&uFileName,\
OBJ_CASE_INSENSITIVE,\
NULL,\
NULL);
RtlInitUnicodeString(&uFileName,L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe");
//打开文件
status = ZwCreateFile(\
&hFile,\
FILE_ALL_ACCESS,\
&ObjAttr,\
&IoStatusBlock,\
0,\
FILE_ATTRIBUTE_NORMAL,\
FILE_SHARE_READ,\
FILE_OPEN,\
FILE_NON_DIRECTORY_FILE,\
NULL,\
0);
if(!NT_SUCCESS(status))
{
KdPrint(("CreateFile Failed!"));
return;
}
//读取DOS头
FileOffset.QuadPart = 0;
status = ZwReadFile(hFile,\
NULL,\
NULL,\
NULL,\
&IoStatusBlock,\
&ImageDosHeader,\
sizeof(IMAGE_DOS_HEADER),\
&FileOffset,\
0);
if(!NT_SUCCESS(status))
{
KdPrint(("Read ImageDosHeader Failed!"));
ZwClose(hFile);
return;
}
//读取NT头
FileOffset.QuadPart = ImageDosHeader.e_lfanew;
status = ZwReadFile(hFile,\
NULL,\
NULL,\
NULL,\
&IoStatusBlock,\
&ImageNtHeader,\
sizeof(IMAGE_NT_HEADERS),\
&FileOffset,\
0);
if(!NT_SUCCESS(status))
{
KdPrint(("Read ImageNtHeaders Failed!"));
ZwClose(hFile);
return;
}
//读取区表
lpImageSectionHeader = (IMAGE_SECTION_HEADER *)ExAllocatePool(NonPagedPool,\
sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader.FileHeader.NumberOfSections);
FileOffset.QuadPart += sizeof(IMAGE_NT_HEADERS);
status = ZwReadFile(hFile,\
NULL,\
NULL,\
NULL,\
&IoStatusBlock,\
lpImageSectionHeader,\
sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader.FileHeader.NumberOfSections,\
&FileOffset,\
0);
if(!NT_SUCCESS(status))
{
KdPrint(("Read ImageSectionHeader Failed!"));
ExFreePool(lpImageSectionHeader);
ZwClose(hFile);
return;
}
//COPY数据到内存
lpVirtualPointer = ExAllocatePool(NonPagedPool,\
ImageNtHeader.OptionalHeader.SizeOfImage);
if(lpVirtualPointer == 0)
{
KdPrint(("lpVirtualPointer Alloc space Failed!"));
ZwClose(hFile);
return;
}
memset(lpVirtualPointer,0,ImageNtHeader.OptionalHeader.SizeOfImage);
//COPY DOS头
RtlCopyMemory(lpVirtualPointer,\
&ImageDosHeader,\
sizeof(IMAGE_DOS_HEADER));
//COPY NT头
RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer+ImageDosHeader.e_lfanew),\
&ImageNtHeader,\
sizeof(IMAGE_NT_HEADERS));
//COPY 区表
RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer+ImageDosHeader.e_lfanew+sizeof(IMAGE_NT_HEADERS)),\
lpImageSectionHeader,\
sizeof(IMAGE_SECTION_HEADER)*ImageNtHeader.FileHeader.NumberOfSections);
//依次COPY 各区段数据
for(uLoop = 0;uLoop < ImageNtHeader.FileHeader.NumberOfSections;uLoop++)
{
SectionVirtualAddress = lpImageSectionHeader[uLoop].VirtualAddress;//对应区段相对偏移
if(lpImageSectionHeader[uLoop].Misc.VirtualSize > lpImageSectionHeader[uLoop].SizeOfRawData)
SectionSize = lpImageSectionHeader[uLoop].Misc.VirtualSize;//取最大的占用空间
else
SectionSize = lpImageSectionHeader[uLoop].SizeOfRawData;
FileOffset.QuadPart = lpImageSectionHeader[uLoop].PointerToRawData;//对应区段的超始地址
status = ZwReadFile(hFile,\
NULL,\
NULL,\
NULL,\
&IoStatusBlock,\
(PVOID)((ULONG)lpVirtualPointer+SectionVirtualAddress),\
SectionSize,\
&FileOffset,\
0);
if(!NT_SUCCESS(status))
{
KdPrint(("SectionData Read Failed!"));
ExFreePool(lpImageSectionHeader);
ExFreePool(lpVirtualPointer);
ZwClose(hFile);
return;
}
}
ExFreePool(lpImageSectionHeader);//释放区段内存空间
KdPrint(("lpVirtualPointer: %X",lpVirtualPointer));
FixBaseRelocTable(lpVirtualPointer);
SetNewSSDT(lpVirtualPointer);
ZwClose(hFile);//关闭句柄
}
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
UnHook_KiFastCallEntry();
UnHookNtOpenProcess();
DbgPrint("Driver Unload Success !");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegsiterPath)
{
DbgPrint("This is My First Driver!");
LoadKernel();
Hook_NtOpenProcess();
pDriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}