diff --git a/BurnOutSharp.Models/PortableExecutable/Enums.cs b/BurnOutSharp.Models/PortableExecutable/Enums.cs
index 8cfc0652..9c09cbdd 100644
--- a/BurnOutSharp.Models/PortableExecutable/Enums.cs
+++ b/BurnOutSharp.Models/PortableExecutable/Enums.cs
@@ -449,6 +449,74 @@ namespace BurnOutSharp.Models.PortableExecutable
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001,
}
+ [Flags]
+ public enum GuardFlags : uint
+ {
+ ///
+ /// Module performs control flow integrity checks using
+ /// system-supplied support.
+ ///
+ IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100,
+
+ ///
+ /// Module performs control flow and write integrity checks.
+ ///
+ IMAGE_GUARD_CFW_INSTRUMENTED = 0x00000200,
+
+ ///
+ /// Module contains valid control flow target metadata.
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400,
+
+ ///
+ /// Module does not make use of the /GS security cookie.
+ ///
+ IMAGE_GUARD_SECURITY_COOKIE_UNUSED = 0x00000800,
+
+ ///
+ /// Module supports read only delay load IAT.
+ ///
+ IMAGE_GUARD_PROTECT_DELAYLOAD_IAT = 0x00001000,
+
+ ///
+ /// Delayload import table in its own .didat section (with
+ /// nothing else in it) that can be freely reprotected.
+ ///
+ IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 0x00002000,
+
+ ///
+ /// Module contains suppressed export information. This also
+ /// infers that the address taken IAT table is also present
+ /// in the load config.
+ ///
+ IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000,
+
+ ///
+ /// Module enables suppression of exports.
+ ///
+ IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION = 0x00008000,
+
+ ///
+ /// Module contains longjmp target information.
+ ///
+ IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT = 0x00010000,
+
+ ///
+ /// Mask for the subfield that contains the stride of Control
+ /// Flow Guard function table entries (that is, the additional
+ /// count of bytes per table entry).
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000,
+
+ ///
+ /// Additionally, the Windows SDK winnt.h header defines this
+ /// macro for the amount of bits to right-shift the GuardFlags
+ /// value to right-justify the Control Flow Guard function table
+ /// stride:
+ ///
+ IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28,
+ }
+
public enum ImportType : ushort
{
///
diff --git a/BurnOutSharp.Models/PortableExecutable/Executable.cs b/BurnOutSharp.Models/PortableExecutable/Executable.cs
index b8d22d1d..a4797960 100644
--- a/BurnOutSharp.Models/PortableExecutable/Executable.cs
+++ b/BurnOutSharp.Models/PortableExecutable/Executable.cs
@@ -56,7 +56,7 @@ namespace BurnOutSharp.Models.PortableExecutable
///
public DelayLoadDirectoryTableEntry[] DelayLoadDirectoryTable { get; set; }
- // TODO: Left off at "The Load Configuration Structure (Image Only)"
+ // TODO: Left off at "The .rsrc Section"
// TODO: Implement and/or document the following non-modeled parts:
// - Grouped Sections (Object Only)
@@ -81,6 +81,5 @@ namespace BurnOutSharp.Models.PortableExecutable
// - Import Address Table
// - The .pdata Section [Multiple formats per entry]
// - TLS Callback Functions
- //
}
}
diff --git a/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs b/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs
new file mode 100644
index 00000000..44f5bfb1
--- /dev/null
+++ b/BurnOutSharp.Models/PortableExecutable/LoadConfigurationDirectory.cs
@@ -0,0 +1,343 @@
+namespace BurnOutSharp.Models.PortableExecutable
+{
+ ///
+ /// The data directory entry for a pre-reserved SEH load configuration
+ /// structure must specify a particular size of the load configuration
+ /// structure because the operating system loader always expects it to
+ /// be a certain value. In that regard, the size is really only a
+ /// version check. For compatibility with Windows XP and earlier versions
+ /// of Windows, the size must be 64 for x86 images.
+ ///
+ ///
+ public class LoadConfigurationDirectory
+ {
+ ///
+ /// Flags that indicate attributes of the file, currently unused.
+ ///
+ public uint Characteristics;
+
+ ///
+ /// Date and time stamp value. The value is represented in the number of
+ /// seconds that have elapsed since midnight (00:00:00), January 1, 1970,
+ /// Universal Coordinated Time, according to the system clock. The time
+ /// stamp can be printed by using the C runtime (CRT) time function.
+ ///
+ public uint TimeDateStamp;
+
+ ///
+ /// Major version number.
+ ///
+ public ushort MajorVersion;
+
+ ///
+ /// Minor version number.
+ ///
+ public ushort MinorVersion;
+
+ ///
+ /// The global loader flags to clear for this process as the loader starts
+ /// the process.
+ ///
+ public uint GlobalFlagsClear;
+
+ ///
+ /// The global loader flags to set for this process as the loader starts
+ /// the process.
+ ///
+ public uint GlobalFlagsSet;
+
+ ///
+ /// The default timeout value to use for this process's critical sections
+ /// that are abandoned.
+ ///
+ public uint CriticalSectionDefaultTimeout;
+
+ #region DeCommitFreeBlockThreshold
+
+ ///
+ /// Memory that must be freed before it is returned to the system, in bytes.
+ ///
+ public uint DeCommitFreeBlockThreshold_PE32;
+
+ ///
+ /// Memory that must be freed before it is returned to the system, in bytes.
+ ///
+ public ulong DeCommitFreeBlockThreshold_PE32Plus;
+
+ #endregion
+
+ #region DeCommitTotalFreeThreshold
+
+ ///
+ /// Total amount of free memory, in bytes.
+ ///
+ public uint DeCommitTotalFreeThreshold_PE32;
+
+ ///
+ /// Total amount of free memory, in bytes.
+ ///
+ public ulong DeCommitTotalFreeThreshold_PE32Plus;
+
+ #endregion
+
+ #region LockPrefixTable
+
+ ///
+ /// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
+ /// that they can be replaced with NOP on single processor machines.
+ ///
+ public uint LockPrefixTable_PE32;
+
+ ///
+ /// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
+ /// that they can be replaced with NOP on single processor machines.
+ ///
+ public ulong LockPrefixTable_PE32Plus;
+
+ #endregion
+
+ #region MaximumAllocationSize
+
+ ///
+ /// Maximum allocation size, in bytes.
+ ///
+ public uint MaximumAllocationSize_PE32;
+
+ ///
+ /// Maximum allocation size, in bytes.
+ ///
+ public ulong MaximumAllocationSize_PE32Plus;
+
+ #endregion
+
+ #region VirtualMemoryThreshold
+
+ ///
+ /// Maximum virtual memory size, in bytes.
+ ///
+ public uint VirtualMemoryThreshold_PE32;
+
+ ///
+ /// Maximum virtual memory size, in bytes.
+ ///
+ public ulong VirtualMemoryThreshold_PE32Plus;
+
+ #endregion
+
+ #region ProcessAffinityMask
+
+ ///
+ /// Setting this field to a non-zero value is equivalent to calling
+ /// SetProcessAffinityMask with this value during process startup (.exe only)
+ ///
+ public uint ProcessAffinityMask_PE32;
+
+ ///
+ /// Setting this field to a non-zero value is equivalent to calling
+ /// SetProcessAffinityMask with this value during process startup (.exe only)
+ ///
+ public ulong ProcessAffinityMask_PE32Plus;
+
+ #endregion
+
+ ///
+ /// Process heap flags that correspond to the first argument of the
+ /// HeapCreate function. These flags apply to the process heap that
+ /// is created during process startup.
+ ///
+ public uint ProcessHeapFlags;
+
+ ///
+ /// The service pack version identifier.
+ ///
+ public ushort CSDVersion;
+
+ ///
+ /// Must be zero.
+ ///
+ public ushort Reserved;
+
+ #region EditList
+
+ ///
+ /// Reserved for use by the system.
+ ///
+ public uint EditList_PE32;
+
+ ///
+ /// Reserved for use by the system.
+ ///
+ public ulong EditList_PE32Plus;
+
+ #endregion
+
+ #region SecurityCookie
+
+ ///
+ /// A pointer to a cookie that is used by Visual C++ or GS implementation.
+ ///
+ public uint SecurityCookie_PE32;
+
+ ///
+ /// A pointer to a cookie that is used by Visual C++ or GS implementation.
+ ///
+ public ulong SecurityCookie_PE32Plus;
+
+ #endregion
+
+ #region SEHandlerTable
+
+ ///
+ /// [x86 only] The VA of the sorted table of RVAs of each valid, unique
+ /// SE handler in the image.
+ ///
+ public uint SEHandlerTable_PE32;
+
+ ///
+ /// [x86 only] The VA of the sorted table of RVAs of each valid, unique
+ /// SE handler in the image.
+ ///
+ public ulong SEHandlerTable_PE32Plus;
+
+ #endregion
+
+ #region SEHandlerCount
+
+ ///
+ /// [x86 only] The count of unique handlers in the table.
+ ///
+ public uint SEHandlerCount_PE32;
+
+ ///
+ /// [x86 only] The count of unique handlers in the table.
+ ///
+ public ulong SEHandlerCount_PE32Plus;
+
+ #endregion
+
+ #region GuardCFCheckFunctionPointer
+
+ ///
+ /// The VA where Control Flow Guard check-function pointer is stored.
+ ///
+ public uint GuardCFCheckFunctionPointer_PE32;
+
+ ///
+ /// The VA where Control Flow Guard check-function pointer is stored.
+ ///
+ public ulong GuardCFCheckFunctionPointer_PE32Plus;
+
+ #endregion
+
+ #region GuardCFDispatchFunctionPointer
+
+ ///
+ /// The VA where Control Flow Guard dispatch-function pointer is stored.
+ ///
+ public uint GuardCFDispatchFunctionPointer_PE32;
+
+ ///
+ /// The VA where Control Flow Guard dispatch-function pointer is stored.
+ ///
+ public ulong GuardCFDispatchFunctionPointer_PE32Plus;
+
+ #endregion
+
+ #region GuardCFFunctionTable
+
+ ///
+ /// The VA of the sorted table of RVAs of each Control Flow Guard
+ /// function in the image.
+ ///
+ public uint GuardCFFunctionTable_PE32;
+
+ ///
+ /// The VA of the sorted table of RVAs of each Control Flow Guard
+ /// function in the image.
+ ///
+ public ulong GuardCFFunctionTable_PE32Plus;
+
+ #endregion
+
+ #region GuardCFFunctionCount
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public uint GuardCFFunctionCount_PE32;
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public ulong GuardCFFunctionCount_PE32Plus;
+
+ #endregion
+
+ ///
+ /// Control Flow Guard related flags.
+ ///
+ public GuardFlags GuardFlags;
+
+ ///
+ /// Code integrity information.
+ ///
+ /// 12 bytes
+ public byte[] CodeIntegrity;
+
+ #region GuardAddressTakenIatEntryTable
+
+ ///
+ /// The VA where Control Flow Guard address taken IAT table is stored.
+ ///
+ public uint GuardAddressTakenIatEntryTable_PE32;
+
+ ///
+ /// The VA where Control Flow Guard address taken IAT table is stored.
+ ///
+ public ulong GuardAddressTakenIatEntryTable_PE32Plus;
+
+ #endregion
+
+ #region GuardAddressTakenIatEntryCount
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public uint GuardAddressTakenIatEntryCount_PE32;
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public ulong GuardAddressTakenIatEntryCount_PE32Plus;
+
+ #endregion
+
+ #region GuardLongJumpTargetTable
+
+ ///
+ /// The VA where Control Flow Guard long jump target table is stored.
+ ///
+ public uint GuardLongJumpTargetTable_PE32;
+
+ ///
+ /// The VA where Control Flow Guard long jump target table is stored.
+ ///
+ public ulong GuardLongJumpTargetTable_PE32Plus;
+
+ #endregion
+
+ #region GuardLongJumpTargetCount
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public uint GuardLongJumpTargetCount_PE32;
+
+ ///
+ /// The count of unique RVAs in the above table.
+ ///
+ public ulong GuardLongJumpTargetCount_PE32Plus;
+
+ #endregion
+ }
+}
diff --git a/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs b/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
index a251fe5a..fdf4932a 100644
--- a/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
+++ b/BurnOutSharp.Models/PortableExecutable/OptionalHeader.cs
@@ -103,8 +103,7 @@
/// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
/// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
///
- /// PE32
- public uint ImageBasePE32;
+ public uint ImageBase_PE32;
///
/// The preferred address of the first byte of image when loaded into memory;
@@ -112,8 +111,7 @@
/// for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000,
/// Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.
///
- /// PE32+
- public ulong ImageBasePE32Plus;
+ public ulong ImageBase_PE32Plus;
#endregion
@@ -203,13 +201,13 @@
/// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
/// is made available one page at a time until the reserve size is reached.
///
- public uint SizeOfStackReservePE32;
+ public uint SizeOfStackReserve_PE32;
///
/// The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest
/// is made available one page at a time until the reserve size is reached.
///
- public ulong SizeOfStackReservePE32Plus;
+ public ulong SizeOfStackReserve_PE32Plus;
#endregion
@@ -218,12 +216,12 @@
///
/// The size of the stack to commit.
///
- public uint SizeOfStackCommitPE32;
+ public uint SizeOfStackCommit_PE32;
///
/// The size of the stack to commit.
///
- public ulong SizeOfStackCommitPE32Plus;
+ public ulong SizeOfStackCommit_PE32Plus;
#endregion
@@ -234,14 +232,14 @@
/// committed; the rest is made available one page at a time until the reserve
/// size is reached.
///
- public uint SizeOfHeapReservePE32;
+ public uint SizeOfHeapReserve_PE32;
///
/// The size of the local heap space to reserve. Only SizeOfHeapCommit is
/// committed; the rest is made available one page at a time until the reserve
/// size is reached.
///
- public ulong SizeOfHeapReservePE32Plus;
+ public ulong SizeOfHeapReserve_PE32Plus;
#endregion
@@ -250,12 +248,12 @@
///
/// The size of the local heap space to commit.
///
- public uint SizeOfHeapCommitPE32;
+ public uint SizeOfHeapCommit_PE32;
///
/// The size of the local heap space to commit.
///
- public ulong SizeOfHeapCommitPE32Plus;
+ public ulong SizeOfHeapCommit_PE32Plus;
#endregion
diff --git a/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs b/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
index 354694f7..1e0883bc 100644
--- a/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
+++ b/BurnOutSharp.Models/PortableExecutable/TLSDirectory.cs
@@ -12,7 +12,7 @@
/// address is not an RVA; it is an address for which there should be a base
/// relocation in the .reloc section.
///
- public uint RawDataStartVAPE32;
+ public uint RawDataStartVA_PE32;
///
/// The starting address of the TLS template. The template is a block of data
@@ -21,7 +21,7 @@
/// address is not an RVA; it is an address for which there should be a base
/// relocation in the .reloc section.
///
- public ulong RawDataStartVAPE32Plus;
+ public ulong RawDataStartVA_PE32Plus;
#endregion
@@ -31,13 +31,13 @@
/// The address of the last byte of the TLS, except for the zero fill. As
/// with the Raw Data Start VA field, this is a VA, not an RVA.
///
- public uint RawDataEndVAPE32;
+ public uint RawDataEndVA_PE32;
///
/// The address of the last byte of the TLS, except for the zero fill. As
/// with the Raw Data Start VA field, this is a VA, not an RVA.
///
- public ulong RawDataEndVAPE32Plus;
+ public ulong RawDataEndVA_PE32Plus;
#endregion
@@ -48,14 +48,14 @@
/// location is in an ordinary data section, so it can be given a symbolic
/// name that is accessible to the program.
///
- public uint AddressOfIndexPE32;
+ public uint AddressOfIndex_PE32;
///
/// The location to receive the TLS index, which the loader assigns. This
/// location is in an ordinary data section, so it can be given a symbolic
/// name that is accessible to the program.
///
- public ulong AddressOfIndexPE32Plus;
+ public ulong AddressOfIndex_PE32Plus;
#endregion
@@ -66,14 +66,14 @@
/// null-terminated, so if no callback function is supported, this field
/// points to 4 bytes set to zero.
///
- public uint AddressOfCallbacksPE32;
+ public uint AddressOfCallbacks_PE32;
///
/// The pointer to an array of TLS callback functions. The array is
/// null-terminated, so if no callback function is supported, this field
/// points to 4 bytes set to zero.
///
- public ulong AddressOfCallbacksPE32Plus;
+ public ulong AddressOfCallbacks_PE32Plus;
#endregion