1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
#ifndef PERK_META_H
#define PERK_META_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdint.h>
enum pe_abi {
PE_ABI_UNSUPPORTED,
PE_ABI_PE32,
PE_ABI_PE64,
PE_ABI_CAP
};
enum pe_subtype {
PE_SUBTYPE_UNRECOGNIZED,
PE_SUBTYPE_DLL,
PE_SUBTYPE_EXE,
PE_SUBTYPE_OBJ,
PE_SUBTYPE_CAP
};
enum pe_framework {
PE_FRAMEWORK_UNKNOWN,
PE_FRAMEWORK_FREESTD,
PE_FRAMEWORK_PSXSCL,
PE_FRAMEWORK_MIDIPIX,
PE_FRAMEWORK_CYGONE,
PE_FRAMEWORK_CYGWIN,
PE_FRAMEWORK_MINGW,
PE_FRAMEWORK_MSYS,
PE_FRAMEWORK_SUACON,
PE_FRAMEWORK_WINCON,
PE_FRAMEWORK_WINCLI,
PE_FRAMEWORK_WIN32,
PE_FRAMEWORK_CAP
};
/* generic block info / image directory header */
struct pe_block {
uint32_t dh_rva;
uint32_t dh_size;
};
/* image dos header */
struct pe_meta_image_dos_hdr {
unsigned char dos_magic[2];
uint16_t dos_cblp;
uint16_t dos_cp;
uint16_t dos_crlc;
uint16_t dos_cparhdr;
uint16_t dos_minalloc;
uint16_t dos_maxalloc;
uint16_t dos_ss;
uint16_t dos_sp;
uint16_t dos_csum;
uint16_t dos_ip;
uint16_t dos_cs;
uint16_t dos_lfarlc;
uint16_t dos_ovno;
uint16_t dos_res[4];
uint16_t dos_oemid;
uint16_t dos_oeminfo;
uint16_t dos_res2[10];
uint32_t dos_lfanew;
};
/* pe/coff file header */
struct pe_meta_coff_file_hdr {
unsigned char cfh_signature[4];
uint16_t cfh_machine;
uint16_t cfh_num_of_sections;
uint32_t cfh_time_date_stamp;
uint32_t cfh_ptr_to_sym_tbl;
uint32_t cfh_num_of_syms;
uint16_t cfh_size_of_opt_hdr;
uint16_t cfh_characteristics;
uint32_t cfh_ptr_to_str_tbl;
uint32_t cfh_size_of_str_tbl;
};
/* image optional header */
struct pe_meta_opt_hdr_std {
uint16_t coh_magic;
uint8_t coh_major_linker_ver;
uint8_t coh_minor_linker_ver;
uint32_t coh_size_of_code;
uint32_t coh_size_of_inited_data;
uint32_t coh_size_of_uninited_data;
uint32_t coh_entry_point;
uint32_t coh_base_of_code;
};
struct pe_meta_opt_hdr_align {
uint32_t coh_section_align;
uint32_t coh_file_align;
};
struct pe_meta_opt_hdr_vers {
uint16_t coh_major_os_ver;
uint16_t coh_minor_os_ver;
uint16_t coh_major_image_ver;
uint16_t coh_minor_image_ver;
uint16_t coh_major_subsys_ver;
uint16_t coh_minor_subsys_ver;
uint32_t coh_win32_ver;
};
struct pe_meta_opt_hdr_img {
uint32_t coh_size_of_image;
uint32_t coh_size_of_headers;
uint32_t coh_checksum;
uint16_t coh_subsystem;
uint16_t coh_dll_characteristics;
};
struct pe_meta_opt_hdr_ldr {
uint32_t coh_loader_flags;
uint32_t coh_rva_and_sizes;
};
struct pe_meta_opt_hdr_dirs {
struct pe_block coh_export_tbl;
struct pe_block coh_import_tbl;
struct pe_block coh_resource_tbl;
struct pe_block coh_exception_tbl;
struct pe_block coh_certificate_tbl;
struct pe_block coh_base_reloc_tbl;
struct pe_block coh_debug;
struct pe_block coh_arch;
struct pe_block coh_global_ptr;
struct pe_block coh_tls_tbl;
struct pe_block coh_load_config_tbl;
struct pe_block coh_bound_import;
struct pe_block coh_iat;
struct pe_block coh_delay_import_descriptor;
struct pe_block coh_clr_runtime_hdr;
struct pe_block coh_reserved;
};
struct pe_meta_opt_hdr_mem_32 {
uint32_t coh_base_of_data;
uint32_t coh_image_base;
uint32_t coh_size_of_stack_reserve;
uint32_t coh_size_of_stack_commit;
uint32_t coh_size_of_heap_reserve;
uint32_t coh_size_of_heap_commit;
};
struct pe_meta_opt_hdr_mem_64 {
uint64_t coh_image_base;
uint64_t coh_size_of_stack_reserve;
uint64_t coh_size_of_stack_commit;
uint64_t coh_size_of_heap_reserve;
uint64_t coh_size_of_heap_commit;
};
struct pe_meta_opt_hdr_mem {
uint64_t coh_base_of_data;
uint64_t coh_image_base;
uint64_t coh_size_of_stack_reserve;
uint64_t coh_size_of_stack_commit;
uint64_t coh_size_of_heap_reserve;
uint64_t coh_size_of_heap_commit;
};
struct pe_meta_opt_hdr {
struct pe_meta_opt_hdr_std oh_std;
struct pe_meta_opt_hdr_vers oh_vers;
struct pe_meta_opt_hdr_align oh_align;
struct pe_meta_opt_hdr_img oh_img;
struct pe_meta_opt_hdr_ldr oh_ldr;
struct pe_meta_opt_hdr_mem oh_mem;
struct pe_meta_opt_hdr_dirs oh_dirs;
};
/* section header */
struct pe_meta_sec_hdr {
char sh_name[16];
char * sh_long_name;
uint32_t sh_virtual_size;
uint32_t sh_virtual_addr;
uint32_t sh_size_of_raw_data;
uint32_t sh_ptr_to_raw_data;
uint32_t sh_ptr_to_relocs;
uint32_t sh_ptr_to_line_nums;
uint16_t sh_num_of_relocs;
uint16_t sh_num_of_line_nums;
uint32_t sh_characteristics;
};
/* .edata section header*/
struct pe_meta_export_hdr {
uint32_t eh_virtual_addr;
uint32_t eh_export_flags;
uint32_t eh_time_date_stamp;
uint16_t eh_major_ver;
uint16_t eh_minor_ver;
uint32_t eh_name_rva;
uint32_t eh_ordinal_base;
uint32_t eh_addr_tbl_entries;
uint32_t eh_num_of_name_ptrs;
uint32_t eh_export_addr_tbl_rva;
uint32_t eh_name_ptr_rva;
uint32_t eh_ordinal_tbl_rva;
};
/* export rva */
union pe_meta_export_addr_tbl {
uint32_t ee_export_rva;
uint32_t ee_forwarder_rva;
};
/* image: import directory table entry */
struct pe_meta_import_hdr {
uint32_t ih_virtual_addr;
uint32_t ih_import_lookup_tbl_rva;
uint32_t ih_time_date_stamp;
uint32_t ih_forwarder_chain;
uint32_t ih_name_rva;
uint32_t ih_import_addr_tbl_rva;
uint32_t ih_count;
char * ih_name;
struct pe_meta_import_lookup * ih_items;
union pe_raw_import_lookup * ih_aitems;
};
/* image: import table entry lookup item */
struct pe_meta_import_lookup {
union {
uint64_t ii_import_lookup_entry_64;
uint32_t ii_import_lookup_entry_32;
} u;
uint32_t ii_hint_name_tbl_rva;
uint32_t ii_flag;
uint16_t ii_ordinal;
uint16_t ii_hint;
char * ii_name;
};
/* coff: symbol table entry */
struct pe_meta_coff_symbol {
char cs_name[24];
char * cs_long_name;
uint32_t cs_value;
int16_t cs_section_number;
uint16_t cs_type;
unsigned char cs_storage_class;
unsigned char cs_num_of_aux_symbols;
};
#ifdef __cplusplus
}
#endif
#endif
|