-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathpe.grammar
1677 lines (1599 loc) · 122 KB
/
pe.grammar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<ufwb version="1.17">
<grammar name="Portable Executable" start="id:2" author="ape" fileextension="exe,dll" uti="com.microsoft.windows-executable">
<description>Grammar for PE (.exe, .dll) files</description>
<scripts>
<script name="UnixTime" type="DataType" id="193">
<description>Unix Time</description>
<source language="Python"># Unix time
from datetime import datetime, timedelta
def parseByteRange(element, byteView, bitPos, bitLength, results):
"""parseByteRange method"""
timeStamp = byteView.readUnsignedInt(bitPos//8, 4, ENDIAN_LITTLE)
value = Value()
if (timeStamp != 0):
dt = datetime.fromtimestamp(timeStamp)
dtAdjusted = dt - timedelta(hours=0)
dateString = dtAdjusted.strftime("%Y-%m-%d %H:%M:%S")
value.setString(dateString)
else:
value.setString("<not set>")
results.addElement(element, 4, 0, value)
return 4
</source>
</script>
</scripts>
<structure name="EXE file" id="2" extends="id:3" encoding="ISO_8859-1:1987" endian="little" signed="no">
<structure name="MS-DOS-2-Section" id="4">
<string name="e_magic" id="5" fillcolor="FF7D78" type="fixed-length" length="2">
<description>Magic number</description>
<fixedvalues>
<fixedvalue name="NT" value="PE"/>
<fixedvalue name="MZ" value="MZ"/>
</fixedvalues>
</string>
<number name="e_cblp" id="6" fillcolor="FFD478" type="integer" length="2">
<description>Bytes on last page of file</description>
</number>
<number name="e_cp" id="7" fillcolor="FEFC78" type="integer" length="2">
<description>Pages in file</description>
</number>
<number name="e_crlc" id="8" fillcolor="D4FB78" type="integer" length="2">
<description>Relocations</description>
</number>
<number name="e_cparhdr" id="9" fillcolor="72FA78" type="integer" length="2">
<description>Size of header in paragraphs</description>
</number>
<number name="e_minalloc" id="10" fillcolor="72FCD5" type="integer" length="2">
<description>Minimum extra paragraphs needed</description>
</number>
<number name="e_maxalloc" id="11" fillcolor="73FDFF" type="integer" length="2">
<description>Maximum extra paragraphs needed</description>
</number>
<number name="e_ss" id="12" fillcolor="75D5FF" type="integer" length="2">
<description>Initial (relative) SS value</description>
</number>
<number name="e_sp" id="13" fillcolor="7980FF" type="integer" length="2">
<description>Initial SP value</description>
</number>
<number name="e_csum" id="14" fillcolor="D783FF" type="integer" length="2">
<description>Checksum</description>
</number>
<number name="e_ip" id="15" fillcolor="FF84FF" type="integer" length="2">
<description>Initial IP value</description>
</number>
<number name="e_cs" id="16" fillcolor="FF89D8" type="integer" length="2">
<description>Initial (relative) CS value</description>
</number>
<number name="e_lfarlc" id="17" fillcolor="FF2600" type="integer" length="2">
<description>File address of relocation table </description>
</number>
<number name="e_ovno" id="18" fillcolor="FF9300" type="integer" length="2">
<description>Overlay number</description>
</number>
<number name="e_res" id="19" fillcolor="FEFB00" repeatmax="4" type="integer" length="2">
<description>Reserved words </description>
</number>
<number name="e_oemid" id="20" fillcolor="8DF900" type="integer" length="2">
<description>OEM identifier (for e_oeminfo) </description>
</number>
<number name="e_oeminfo" id="21" fillcolor="00F900" type="integer" length="2">
<description>OEM information; e_oemid specific </description>
</number>
<number name="e_res2" id="22" fillcolor="00FCFF" repeatmax="10" type="integer" length="2">
<description>Reserved words </description>
</number>
<offset name="e_lfanew" id="24" fillcolor="0096FF" length="4" references="id:23" follownullreference="no">
<description>File address of new exe header </description>
</offset>
</structure>
</structure>
<structure name="PE-Signature" id="23" extends="id:3" encoding="ISO_8859-1:1987" signed="no">
<binary name="Signature" mustmatch="yes" id="27" fillcolor="FF40FF" length="4">
<fixedvalues>
<fixedvalue name="PE" value="50450000"/>
</fixedvalues>
</binary>
<number name="MachineType" id="28" fillcolor="FFD478" type="integer" length="2" display="hex">
<description>The number that identifies the type of target machine</description>
<fixedvalues>
<fixedvalue name="Unknown" value="0x0"/>
<fixedvalue name="Matsushita AM33" value="0x1D3"/>
<fixedvalue name="AMD64 x64" value="0x8664"/>
<fixedvalue name="ARM little endian" value="0x1C0"/>
<fixedvalue name="ARMv7 (or higher) Thumb mode only" value="0x1C4"/>
<fixedvalue name="ARMv8 in 64-bit mode" value="0xAA64"/>
<fixedvalue name="EFI byte code" value="0xEBC"/>
<fixedvalue name="Intel 386 or later and compatible processors" value="0x14C"/>
<fixedvalue name="Intel Itanium processor family" value="0x200"/>
<fixedvalue name="Mitsubishi M32R little endian" value="0x9041"/>
<fixedvalue name="MIPS16" value="0x266"/>
<fixedvalue name="MIPS with FPU" value="0x366"/>
<fixedvalue name="MIPS16 with FPU" value="0x466"/>
<fixedvalue name="Power PC little endian" value="0x1F0"/>
<fixedvalue name="Power PC with floating point support" value="0x1F1"/>
<fixedvalue name="MIPS little endian" value="0x166"/>
<fixedvalue name="Hitachi SH3" value="0x1A2"/>
<fixedvalue name="Hitachi SH3 DSP" value="0x1A3"/>
<fixedvalue name="Hitachi SH4" value="0x1A6"/>
<fixedvalue name="Hitachi SH5" value="0x1A8"/>
<fixedvalue name="ARM or Thumb (interworking)" value="0x1C2"/>
<fixedvalue name="MIPS little-endian WCE v2" value="0x169"/>
</fixedvalues>
</number>
<number name="NumberOfSections" id="29" fillcolor="929000" type="integer" length="2">
<description>The number of sections. This indicates the size of the section table, which immediately follows the headers</description>
</number>
<custom name="TimeDateStamp" id="30" fillcolor="D4FB78" length="4" script="id:193"/>
<offset name="PointerToSymbolTable" id="32" fillcolor="009192" length="4" references="id:31" follownullreference="no">
<description>The file offset of the COFF symbol table, or zero if no COFF symbol table is present. This value should be zero for an image because COFF debugging information is deprecated</description>
</offset>
<number name="NumberOfSymbols" id="33" fillcolor="D4FB78" type="integer" length="4">
<description>The number of entries in the symbol table. This data can be used to locate the string table, which immediately follows the symbol table. This value should be zero for an image because COFF debugging information is deprecated</description>
</number>
<number name="SizeOfOptionalHeader" id="34" fillcolor="75D5FF" type="integer" length="2">
<description>The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file</description>
</number>
<number name="Characteristics" id="35" fillcolor="D783FF" type="integer" length="2" display="hex">
<description>The flags that indicate the attributes of the file</description>
<mask name="IMAGE_FILE_RELOCS_STRIPPED" value="0x1">
<fixedvalue name="Image only, Windows CE, and Windows NT and later" value="0x1"/>
</mask>
<mask name="IMAGE_FILE_EXECUTABLE_IMAGE" value="0x2">
<fixedvalue name="File is executable" value="0x2"/>
</mask>
<mask name="IMAGE_FILE_LINE_NUMS_STRIPPED" value="0x4">
<fixedvalue name="COFF line numbers have been removed" value="0x4"/>
</mask>
<mask name="IMAGE_FILE_LOCAL_SYMS_STRIPPED" value="0x8">
<fixedvalue name="COFF symbol table entries for local symbols have been removed" value="0x8"/>
</mask>
<mask name="IMAGE_FILE_AGGRESSIVE_WS_TRIM" value="0x10">
<fixedvalue name="Obsolete. Aggressively trim working set" value="0x10"/>
</mask>
<mask name="IMAGE_FILE_LARGE_ADDRESS_AWARE" value="0x20">
<fixedvalue name="Application can handle > 2 GB addresses" value="0x20"/>
</mask>
<mask name="Reserved" value="0x40">
<fixedvalue name="This flag is reserved for future use" value="0x40"/>
</mask>
<mask name="IMAGE_FILE_BYTES_REVERSED_LO" value="0x80">
<fixedvalue name="Little endian" value="0x80"/>
</mask>
<mask name="IMAGE_FILE_32BIT_MACHINE" value="0x100">
<fixedvalue name="Machine is based on a 32-bit-word architecture" value="0x100"/>
</mask>
<mask name="IMAGE_FILE_DEBUG_STRIPPED" value="0x200">
<fixedvalue name="Debugging information is removed from the image file" value="0x200"/>
</mask>
<mask name="IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP" value="0x400">
<fixedvalue name="If the image is on removable media, fully load it and copy it to the swap file" value="0x400"/>
</mask>
<mask name="IMAGE_FILE_NET_RUN_FROM_SWAP" value="0x800">
<fixedvalue name="If the image is on network media, fully load it and copy it to the swap file" value="0x800"/>
</mask>
<mask name="IMAGE_FILE_SYSTEM" value="0x1000">
<fixedvalue name="The image file is a system file, not a user program" value="0x1000"/>
</mask>
<mask name="IMAGE_FILE_DLL" value="0x2000">
<fixedvalue name="The image file is a dynamic-link library (DLL)" value="0x2000"/>
</mask>
<mask name="IMAGE_FILE_UP_SYSTEM_ONLY" value="0x4000">
<fixedvalue name="The file should be run only on a uniprocessor machine" value="0x4000"/>
</mask>
<mask name="IMAGE_FILE_BYTES_REVERSED_HI" value="0x8000">
<fixedvalue name="Big endian" value="0x8000"/>
</mask>
</number>
<structure name="OptionalHeader" id="36" length="0" alignment="0" order="variable">
<structref name="PE32" id="38" repeatmin="0" structure="id:37"/>
<structref name="PE32+" id="40" repeatmin="0" structure="id:39"/>
<structref name="Generic" id="42" repeatmin="0" structure="id:41"/>
</structure>
<structure name="SectionTable" id="44" repeatmax="NumberOfSections">
<description>Each row of the section table is, in effect, a section header. This table immediately follows the optional header, if any. This positioning is required because the file header does not contain a direct pointer to the section table. Instead, the location of the section table is determined by calculating the location of the first byte after the headers. Make sure to use the size of the optional header as specified in the file header.
The number of entries in the section table is given by the NumberOfSections field in the file header. Entries in the section table are numbered starting from one (1). The code and data memory section entries are in the order chosen by the linker.
In an image file, the VAs for sections must be assigned by the linker so that they are in ascending order and adjacent, and they must be a multiple of the SectionAlignment value in the optional header. </description>
<structure name="Selector" id="45" order="variable">
<structref name="ImportDataSectionHeader" id="47" repeatmin="0" structure="id:46"/>
<structref name="RelocationsSectionHeader" id="335" repeatmin="0" structure="id:294"/>
<structref name="ResourceSectionHeader" id="49" repeatmin="0" structure="id:48"/>
<structref name="SectionHeader" id="51" repeatmin="0" structure="id:50"/>
</structure>
</structure>
</structure>
<structure name="Defaults" id="3" encoding="ISO_8859-1:1987" endian="little" signed="no"/>
<structure name="CoffSymbolTable" id="31" encoding="ISO_8859-1:1987" endian="big" signed="no">
<structure name="Symbol" id="56">
<string name="Name" id="57" type="fixed-length" length="8" encoding="UTF-8">
<description>The name of the symbol, represented by a union of three structures. An array of 8 bytes is used if the name is not more than 8 bytes long</description>
</string>
<number name="Value" id="58" type="integer" length="4">
<description>The value that is associated with the symbol. The interpretation of this field depends on SectionNumber and StorageClass. A typical meaning is the relocatable address</description>
</number>
<number name="SectionNumber" id="59" type="integer" length="2" signed="yes">
<description>The signed integer that identifies the section, using a one-based index into the section table</description>
<fixedvalues>
<fixedvalue name="IMAGE_SYM_UNDEFINED" value="0"/>
<fixedvalue name="IMAGE_SYM_ABSOLUTE" value="-1"/>
<fixedvalue name="IMAGE_SYM_DEBUG" value="-2"/>
</fixedvalues>
</number>
<number name="Type" id="60" type="integer" length="2">
<description>A number that represents type. Microsoft tools set this field to 0x20 (function) or 0x0 (not a function)</description>
<fixedvalues>
<fixedvalue name="IMAGE_SYM_TYPE_NULL" value="0"/>
<fixedvalue name="IMAGE_SYM_TYPE_VOID" value="1"/>
<fixedvalue name="IMAGE_SYM_TYPE_CHAR" value="2"/>
<fixedvalue name="IMAGE_SYM_TYPE_SHORT" value="3"/>
<fixedvalue name="IMAGE_SYM_TYPE_INT" value="4"/>
<fixedvalue name="IMAGE_SYM_TYPE_LONG" value="5"/>
<fixedvalue name="IMAGE_SYM_TYPE_FLOAT" value="6"/>
<fixedvalue name="IMAGE_SYM_TYPE_DOUBLE" value="7"/>
<fixedvalue name="IMAGE_SYM_TYPE_STRUCT" value="8"/>
<fixedvalue name="IMAGE_SYM_TYPE_UNION" value="9"/>
<fixedvalue name="IMAGE_SYM_TYPE_ENUM" value="10"/>
<fixedvalue name="IMAGE_SYM_TYPE_MOE" value="11"/>
<fixedvalue name="IMAGE_SYM_TYPE_BYTE" value="12"/>
<fixedvalue name="IMAGE_SYM_TYPE_WORD" value="13"/>
<fixedvalue name="IMAGE_SYM_TYPE_UINT" value="14"/>
<fixedvalue name="IMAGE_SYM_TYPE_DWORD" value="15"/>
</fixedvalues>
</number>
<number name="StorageClass" id="61" type="integer" length="1" signed="yes">
<description>An enumerated value that represents storage class</description>
<fixedvalues>
<fixedvalue name="IMAGE_SYM_CLASS_END_OF_FUNCTION" value="-1"/>
<fixedvalue name="IMAGE_SYM_CLASS_NULL" value="0"/>
<fixedvalue name="IMAGE_SYM_CLASS_AUTOMATIC" value="1"/>
<fixedvalue name="IMAGE_SYM_CLASS_EXTERNAL" value="2"/>
<fixedvalue name="IMAGE_SYM_CLASS_STATIC" value="3"/>
<fixedvalue name="IMAGE_SYM_CLASS_REGISTER" value="4"/>
<fixedvalue name="IMAGE_SYM_CLASS_EXTERNAL_DEF" value="5"/>
<fixedvalue name="IMAGE_SYM_CLASS_LABEL" value="6"/>
<fixedvalue name="IMAGE_SYM_CLASS_UNDEFINED_LABEL" value="7"/>
<fixedvalue name="IMAGE_SYM_CLASS_MEMBER_OF_STRUCT" value="8"/>
<fixedvalue name="IMAGE_SYM_CLASS_ARGUMENT" value="9"/>
<fixedvalue name="IMAGE_SYM_CLASS_STRUCT_TAG" value="10"/>
<fixedvalue name="IMAGE_SYM_CLASS_MEMBER_OF_UNION" value="11"/>
<fixedvalue name="IMAGE_SYM_CLASS_UNION_TAG" value="12"/>
<fixedvalue name="IMAGE_SYM_CLASS_TYPE_DEFINITION" value="13"/>
<fixedvalue name="IMAGE_SYM_CLASS_UNDEFINED_STATIC" value="14"/>
<fixedvalue name="IMAGE_SYM_CLASS_ENUM_TAG" value="15"/>
<fixedvalue name="IMAGE_SYM_CLASS_MEMBER_OF_ENUM" value="16"/>
<fixedvalue name="IMAGE_SYM_CLASS_REGISTER_PARAM" value="17"/>
<fixedvalue name="IMAGE_SYM_CLASS_BIT_FIELD" value="18"/>
<fixedvalue name="IMAGE_SYM_CLASS_BLOCK" value="100"/>
<fixedvalue name="IMAGE_SYM_CLASS_FUNCTION" value="101"/>
<fixedvalue name="IMAGE_SYM_CLASS_END_OF_STRUCT" value="102"/>
<fixedvalue name="IMAGE_SYM_CLASS_FILE" value="103"/>
<fixedvalue name="IMAGE_SYM_CLASS_SECTION" value="104"/>
<fixedvalue name="IMAGE_SYM_CLASS_WEAK_EXTERNAL" value="105"/>
<fixedvalue name="IMAGE_SYM_CLASS_CLR_TOKEN" value="107"/>
</fixedvalues>
</number>
<number name="NumberOfAuxSymbols" id="62" type="integer" length="1">
<description>The number of auxiliary symbol table entries that follow this record</description>
</number>
<structure name="AuxRecord" id="63" repeat="id:62"/>
</structure>
</structure>
<structure name="OptionalHeader" id="41" length="SizeOfOptionalHeader" extends="id:3">
<number name="MagicNumber" mustmatch="yes" id="67" fillcolor="FF84FF" type="integer" length="2" display="hex">
<description>The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which identifies it as a normal executable file. 0x107 identifies it as a ROM image, and 0x20B identifies it as a PE32+ executable</description>
</number>
<number name="MajorLinkerVersion" id="68" fillcolor="72FA78" type="integer" length="1">
<description>The linker major version number</description>
</number>
<number name="MinorLinkerVersion" id="69" fillcolor="FF7D78" type="integer" length="1">
<description>The linker minor version number</description>
</number>
<number name="SizeOfCode" id="70" fillcolor="FEFB00" type="integer" length="4">
<description>The size of the code (text) section, or the sum of all code sections if there are multiple sections</description>
</number>
<number name="SizeOfInitializedData" id="71" fillcolor="8DF900" type="integer" length="4">
<description>The size of the initialized data section, or the sum of all such sections if there are multiple data sections</description>
</number>
<number name="SizeOfUninitializedData" id="72" fillcolor="0096FF" type="integer" length="4">
<description>The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections</description>
</number>
<number name="AddressOfEntryPoint" id="73" fillcolor="FF40FF" type="integer" length="4">
<description>The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero</description>
</number>
<number name="BaseOfCode" id="74" fillcolor="73FDFF" type="integer" length="4">
<description>The address that is relative to the image base of the beginning-of-code section when it is loaded into memory</description>
</number>
</structure>
<structure name="OptionalHeaderPE32" id="37" length="SizeOfOptionalHeader" alignment="0" extends="id:41" encoding="ISO_8859-1:1987" endian="big" signed="no">
<number name="MagicNumber" id="76" type="integer">
<description>PE32+ images allow for a 64-bit address space while limiting the image size to 2 gigabytes. Other PE32+ modifications are addressed in their respective sections</description>
<fixedvalues>
<fixedvalue name="PE32" value="0x10B"/>
</fixedvalues>
</number>
<number name="MajorLinkerVersion" id="77" type="integer">
<description>The linker major version number</description>
</number>
<number name="MinorLinkerVersion" id="78" type="integer">
<description>The linker minor version number</description>
</number>
<number name="SizeOfCode" id="79" type="integer">
<description>The size of the code (text) section, or the sum of all code sections if there are multiple sections</description>
</number>
<number name="SizeOfInitializedData" id="80" type="integer">
<description>The size of the initialized data section, or the sum of all such sections if there are multiple data sections</description>
</number>
<number name="SizeOfUninitializedData" id="81" type="integer">
<description>The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections</description>
</number>
<number name="AddressOfEntryPoint" id="82" type="integer" display="hex">
<description>The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero</description>
</number>
<number name="BaseOfCode" id="83" type="integer" display="hex">
<description>The address that is relative to the image base of the beginning-of-code section when it is loaded into memory</description>
</number>
<number name="BaseOfData" id="84" fillcolor="00FA92" type="integer" length="4" display="hex">
<description>The address that is relative to the image base of the beginning-of-data section when it is loaded into memory</description>
</number>
<structref name="WindowsSpecific" id="86" repeatmin="0" structure="id:85"/>
<structref name="ExportTable" id="88" repeatmin="0" structure="id:87"/>
<structref name="ImportTable" id="89" repeatmin="0" structure="id:87"/>
<structref name="ResourceTable" id="90" repeatmin="0" structure="id:87"/>
<structref name="ExceptionTable" id="91" repeatmin="0" structure="id:87"/>
<structref name="CertificateTable" id="92" repeatmin="0" structure="id:87"/>
<structref name="BaseRelocationTable" id="93" repeatmin="0" structure="id:87"/>
<structref name="Debug" id="94" repeatmin="0" structure="id:87"/>
<structref name="Architecture" id="95" repeatmin="0" structure="id:87"/>
<structref name="GlobalPtr" id="96" repeatmin="0" structure="id:87"/>
<structref name="TLS_Table" id="97" repeatmin="0" structure="id:87"/>
<structref name="LoadConfigTable" id="98" repeatmin="0" structure="id:87"/>
<structref name="BoundImport" id="99" repeatmin="0" structure="id:87"/>
<structref name="IAT" id="100" repeatmin="0" structure="id:87"/>
<structref name="DelayImportDescriptor" id="101" repeatmin="0" structure="id:87"/>
<structref name="CLR_RuntimeHeader" id="102" repeatmin="0" structure="id:87"/>
<structref name="Reserved" id="103" repeatmin="0" structure="id:87"/>
</structure>
<structure name="OptionalHeaderPE32+" id="39" extends="id:41">
<number name="MagicNumber" id="105" type="integer">
<description>PE32+ images allow for a 64-bit address space while limiting the image size to 2 gigabytes. Other PE32+ modifications are addressed in their respective sections</description>
<fixedvalues>
<fixedvalue name="PE32+" value="0x20B"/>
</fixedvalues>
</number>
<number name="MajorLinkerVersion" id="106" type="integer">
<description>The linker major version number</description>
</number>
<number name="MinorLinkerVersion" id="107" type="integer">
<description>The linker minor version number</description>
</number>
<number name="SizeOfCode" id="108" type="integer">
<description>The size of the code (text) section, or the sum of all code sections if there are multiple sections</description>
</number>
<number name="SizeOfInitializedData" id="109" type="integer">
<description>The size of the initialized data section, or the sum of all such sections if there are multiple data sections</description>
</number>
<number name="SizeOfUninitializedData" id="110" type="integer">
<description>The size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections</description>
</number>
<number name="AddressOfEntryPoint" id="111" type="integer">
<description>The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When no entry point is present, this field must be zero</description>
</number>
<number name="BaseOfCode" id="112" type="integer">
<description>The address that is relative to the image base of the beginning-of-code section when it is loaded into memory</description>
</number>
<structref name="WindowsSpecific" id="114" structure="id:113"/>
<structref name="ExportTable" id="115" structure="id:87"/>
<structref name="ImportTable" id="116" structure="id:87"/>
<structref name="ResourceTable" id="117" structure="id:87"/>
<structref name="ExceptionTable" id="118" structure="id:87"/>
<structref name="CertificateTable" id="119" structure="id:87"/>
<structref name="BaseRelocationTable" id="120" structure="id:87"/>
<structref name="Debug" id="121" structure="id:87"/>
<structref name="Architecture" id="122" structure="id:87"/>
<structref name="GlobalPtr" id="123" structure="id:87"/>
<structref name="TLS_Table" id="124" structure="id:87"/>
<structref name="LoadConfigTable" id="125" structure="id:87"/>
<structref name="BoundImport" id="126" structure="id:87"/>
<structref name="IAT" id="127" structure="id:87"/>
<structref name="DelayImportDescriptor" id="128" structure="id:87"/>
<structref name="CLR_RuntimeHeader" id="129" structure="id:87"/>
<structref name="Reserved" id="130" structure="id:87"/>
</structure>
<structure name="WindowsSpecific" id="132" extends="id:3">
<description>The next 21 fields are an extension to the COFF optional header format. They contain additional information that is required by the linker and loader in Windows</description>
<number name="ImageBase" id="133" fillcolor="FF89D8" type="integer" length="4" display="hex">
<description>The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000</description>
</number>
<number name="SectionAlignment" id="134" fillcolor="FF84FF" type="integer" length="4" display="hex">
<description>The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture</description>
</number>
<number name="FileAlignment" id="135" fillcolor="D783FF" type="integer" length="4" display="hex">
<description>The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture’s page size, then FileAlignment must match SectionAlignment</description>
</number>
<number name="MajorOperatingSystemVersion" id="136" fillcolor="7980FF" type="integer" length="2">
<description>The major version number of the required operating system</description>
</number>
<number name="MinorOperatingSystemVersion" id="137" fillcolor="75D5FF" type="integer" length="2">
<description>The minor version number of the required operating system</description>
</number>
<number name="MajorImageVersion" id="138" fillcolor="73FDFF" type="integer" length="2">
<description>The major version number of the image</description>
</number>
<number name="MinorImageVersion" id="139" fillcolor="72FCD5" type="integer" length="2">
<description>The minor version number of the image</description>
</number>
<number name="MajorSubsystemVersion" id="140" fillcolor="72FA78" type="integer" length="2">
<description>The major version number of the subsystem</description>
</number>
<number name="MinorSubsystemVersion" id="141" fillcolor="D4FB78" type="integer" length="2">
<description>The minor version number of the subsystem</description>
</number>
<number name="Win32VersionValue" id="142" fillcolor="FEFC78" type="integer" length="4">
<description>Reserved, must be zero</description>
</number>
<number name="SizeOfImage" id="143" fillcolor="FFD478" type="integer" length="4" display="hex">
<description>The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment</description>
</number>
<number name="SizeOfHeaders" id="144" fillcolor="FF7D78" type="integer" length="4" display="hex">
<description>The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment</description>
</number>
<number name="CheckSum" id="145" fillcolor="FF2F92" type="integer" length="4" display="hex">
<description>The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process</description>
</number>
<number name="Subsystem" id="146" fillcolor="FF40FF" type="integer" length="2">
<description>The subsystem that is required to run this image. For more information, see “Windows Subsystem” later in this specification</description>
<fixedvalues>
<fixedvalue name="An unknown subsystem" value="0"/>
<fixedvalue name="Device drivers and native Windows processes" value="1"/>
<fixedvalue name="The Windows graphical user interface (GUI) subsystem" value="2"/>
<fixedvalue name="The Windows character subsystem" value="3"/>
<fixedvalue name="The Posix character subsystem" value="7"/>
<fixedvalue name="Windows CE" value="9"/>
<fixedvalue name="An Extensible Firmware Interface (EFI) application" value="10"/>
<fixedvalue name="An EFI driver with boot services" value="11"/>
<fixedvalue name="An EFI driver with run-time services" value="12"/>
<fixedvalue name="An EFI ROM image" value="13"/>
<fixedvalue name="XBOX" value="14"/>
</fixedvalues>
</number>
<number name="DllCharacteristics" id="147" fillcolor="9437FF" type="integer" length="2" display="hex">
<mask name="Reserved" value="0x100F">
<fixedvalue name="Reserved" value="0x1"/>
<fixedvalue name="Reserved" value="0x2"/>
<fixedvalue name="Reserved" value="0x4"/>
<fixedvalue name="Reserved" value="0x8"/>
<fixedvalue name="Reserved" value="0x1000"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE" value="0x40">
<fixedvalue name="DLL can be relocated at load tim" value="0x40"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY" value="0x80">
<fixedvalue name="Code Integrity checks are enforced" value="0x80"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_NX_COMPAT" value="0x100">
<fixedvalue name="Image is NX compatible" value="0x100"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_NO_ISOLATION" value="0x200">
<fixedvalue name="Isolation aware, but do not isolate the image" value="0x200"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_SEH" value="0x400">
<fixedvalue name="Does not use structured exception (SE) handling. No SE handler may be called in this image" value="0x400"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_BIND" value="0x800">
<fixedvalue name="Do not bind the image" value="0x800"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ WDM_DRIVER" value="0x2000">
<fixedvalue name="A WDM driver" value="0x2000"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE" value="0x8000">
<fixedvalue name="Terminal Server aware" value="0x8000"/>
</mask>
</number>
<number name="SizeOfStackReserve" id="148" fillcolor="0096FF" type="integer" length="4" display="hex">
<description>The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfStackCommit" id="149" fillcolor="00FCFF" type="integer" length="4" display="hex">
<description>The size of the stack to commit</description>
</number>
<number name="SizeOfHeapReserve" id="150" fillcolor="00FA92" type="integer" length="4" display="hex">
<description>The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfHeapCommit" id="151" fillcolor="00F900" type="integer" length="4" display="hex">
<description>The size of the local heap space to commit</description>
</number>
<number name="LoaderFlags" id="152" fillcolor="8DF900" type="integer" length="4" display="hex">
<description>Reserved, must be zero</description>
</number>
<number name="NumberOfRvaAndSizes" id="153" fillcolor="FEFB00" type="integer" length="4">
<description>The number of data-directory entries in the remainder of the optional header. Each describes a location and size</description>
</number>
</structure>
<structure name="WindowsSpecificPE32" id="85" extends="id:132">
<number name="ImageBase" id="155" type="integer">
<description>The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000</description>
</number>
<number name="SectionAlignment" id="156" type="integer">
<description>The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture</description>
</number>
<number name="FileAlignment" id="157" type="integer">
<description>The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture’s page size, then FileAlignment must match SectionAlignment</description>
</number>
<number name="MajorOperatingSystemVersion" id="158" type="integer">
<description>The major version number of the required operating system</description>
</number>
<number name="MinorOperatingSystemVersion" id="159" type="integer">
<description>The minor version number of the required operating system</description>
</number>
<number name="MajorImageVersion" id="160" type="integer">
<description>The major version number of the image</description>
</number>
<number name="MinorImageVersion" id="161" type="integer">
<description>The minor version number of the image</description>
</number>
<number name="MajorSubsystemVersion" id="162" type="integer">
<description>The major version number of the subsystem</description>
</number>
<number name="MinorSubsystemVersion" id="163" type="integer">
<description>The minor version number of the subsystem</description>
</number>
<number name="Win32VersionValue" id="164" type="integer">
<description>Reserved, must be zero</description>
</number>
<number name="SizeOfImage" id="165" type="integer">
<description>The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment</description>
</number>
<number name="SizeOfHeaders" id="166" type="integer">
<description>The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment</description>
</number>
<number name="CheckSum" id="167" type="integer">
<description>The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process</description>
</number>
<number name="Subsystem" id="168" type="integer">
<description>The subsystem that is required to run this image. For more information, see “Windows Subsystem” later in this specification</description>
</number>
<number name="DllCharacteristics" id="169" type="integer">
<mask name="Reserved" value="0x100F">
<fixedvalue name="Reserved" value="0x1"/>
<fixedvalue name="Reserved" value="0x2"/>
<fixedvalue name="Reserved" value="0x4"/>
<fixedvalue name="Reserved" value="0x8"/>
<fixedvalue name="Reserved" value="0x1000"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE" value="0x40">
<fixedvalue name="DLL can be relocated at load tim" value="0x40"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY" value="0x80">
<fixedvalue name="Code Integrity checks are enforced" value="0x80"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_NX_COMPAT" value="0x100">
<fixedvalue name="Image is NX compatible" value="0x100"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_NO_ISOLATION" value="0x200">
<fixedvalue name="Isolation aware, but do not isolate the image" value="0x200"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_SEH" value="0x400">
<fixedvalue name="Does not use structured exception (SE) handling. No SE handler may be called in this image" value="0x400"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_BIND" value="0x800">
<fixedvalue name="Do not bind the image" value="0x800"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ WDM_DRIVER" value="0x2000">
<fixedvalue name="A WDM driver" value="0x2000"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE" value="0x8000">
<fixedvalue name="Terminal Server aware" value="0x8000"/>
</mask>
</number>
<number name="SizeOfStackReserve" id="170" type="integer">
<description>The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfStackCommit" id="171" type="integer">
<description>The size of the stack to commit</description>
</number>
<number name="SizeOfHeapReserve" id="172" type="integer">
<description>The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfHeapCommit" id="173" type="integer">
<description>The size of the local heap space to commit</description>
</number>
<number name="LoaderFlags" id="174" type="integer">
<description>Reserved, must be zero</description>
</number>
<number name="NumberOfRvaAndSizes" id="175" type="integer">
<description>The number of data-directory entries in the remainder of the optional header. Each describes a location and size</description>
</number>
</structure>
<structure name="WindowsSpecificPE32+" id="113" extends="id:132">
<number name="ImageBase" id="177" type="integer" length="8">
<description>The preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000</description>
</number>
<number name="SectionAlignment" id="178" type="integer">
<description>The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to FileAlignment. The default is the page size for the architecture</description>
</number>
<number name="FileAlignment" id="179" type="integer">
<description>The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64 K, inclusive. The default is 512. If the SectionAlignment is less than the architecture’s page size, then FileAlignment must match SectionAlignment</description>
</number>
<number name="MajorOperatingSystemVersion" id="180" type="integer">
<description>The major version number of the required operating system</description>
</number>
<number name="MinorOperatingSystemVersion" id="181" type="integer">
<description>The minor version number of the required operating system</description>
</number>
<number name="MajorImageVersion" id="182" type="integer">
<description>The major version number of the image</description>
</number>
<number name="MinorImageVersion" id="183" type="integer">
<description>The minor version number of the image</description>
</number>
<number name="MajorSubsystemVersion" id="184" type="integer">
<description>The major version number of the subsystem</description>
</number>
<number name="MinorSubsystemVersion" id="185" type="integer">
<description>The minor version number of the subsystem</description>
</number>
<number name="Win32VersionValue" id="186" type="integer">
<description>Reserved, must be zero</description>
</number>
<number name="SizeOfImage" id="187" type="integer">
<description>The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of SectionAlignment</description>
</number>
<number name="SizeOfHeaders" id="188" type="integer">
<description>The combined size of an MS‑DOS stub, PE header, and section headers rounded up to a multiple of FileAlignment</description>
</number>
<number name="CheckSum" id="189" type="integer">
<description>The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process</description>
</number>
<number name="Subsystem" id="190" type="integer">
<description>The subsystem that is required to run this image. For more information, see “Windows Subsystem” later in this specification</description>
</number>
<number name="DllCharacteristics" id="191" type="integer">
<mask name="Reserved" value="0x100F">
<fixedvalue name="Reserved" value="0x1"/>
<fixedvalue name="Reserved" value="0x2"/>
<fixedvalue name="Reserved" value="0x4"/>
<fixedvalue name="Reserved" value="0x8"/>
<fixedvalue name="Reserved" value="0x1000"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE" value="0x40">
<fixedvalue name="DLL can be relocated at load tim" value="0x40"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY" value="0x80">
<fixedvalue name="Code Integrity checks are enforced" value="0x80"/>
</mask>
<mask name="IMAGE_DLL_CHARACTERISTICS_NX_COMPAT" value="0x100">
<fixedvalue name="Image is NX compatible" value="0x100"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_NO_ISOLATION" value="0x200">
<fixedvalue name="Isolation aware, but do not isolate the image" value="0x200"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_SEH" value="0x400">
<fixedvalue name="Does not use structured exception (SE) handling. No SE handler may be called in this image" value="0x400"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ NO_BIND" value="0x800">
<fixedvalue name="Do not bind the image" value="0x800"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_ WDM_DRIVER" value="0x2000">
<fixedvalue name="A WDM driver" value="0x2000"/>
</mask>
<mask name="IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE" value="0x8000">
<fixedvalue name="Terminal Server aware" value="0x8000"/>
</mask>
</number>
<number name="SizeOfStackReserve" id="192" type="integer" length="8">
<description>The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfStackCommit" id="193" type="integer" length="8">
<description>The size of the stack to commit</description>
</number>
<number name="SizeOfHeapReserve" id="194" type="integer" length="8">
<description>The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached</description>
</number>
<number name="SizeOfHeapCommit" id="195" type="integer" length="8">
<description>The size of the local heap space to commit</description>
</number>
<number name="LoaderFlags" id="196" type="integer">
<description>Reserved, must be zero</description>
</number>
<number name="NumberOfRvaAndSizes" id="197" type="integer">
<description>The number of data-directory entries in the remainder of the optional header. Each describes a location and size</description>
</number>
</structure>
<structure name="DataDirectory" id="87" extends="id:3" valueexpression="VirtualAddress">
<description>Address/size pairs for special tables that are found in the image file and are used by the operating system (for example, the import table and the export table)</description>
<number name="VirtualAddress" id="199" fillcolor="00FA92" type="integer" length="4" display="hex"/>
<number name="Size" id="200" fillcolor="75D5FF" type="integer" length="4"/>
</structure>
<structure name="RawData" id="202" extends="id:3" encoding="ISO_8859-1:1987" endian="big" signed="no">
<binary name="Data" id="203" fillcolor="FFD478" length="remaining"/>
</structure>
<structure name="LineNumbers" id="210" encoding="ISO_8859-1:1987" endian="big" signed="no">
<description>COFF line numbers are no longer produced and, in the future, will not be consumed. COFF line numbers indicate the relationship between code and line numbers in source files. The Microsoft format for COFF line numbers is similar to standard COFF, but it has been extended to allow a single section to relate to line numbers in multiple source files.
COFF line numbers consist of an array of fixed-length records. The location (file offset) and size of the array are specified in the section header.
</description>
<number name="Type" id="211" type="integer" length="4">
<description>This is a union of two fields: SymbolTableIndex and VirtualAddress. Whether SymbolTableIndex or RVA is used depends on the value of Linenumber</description>
</number>
<number name="Linenumber" id="212" type="integer" length="2">
<description>When nonzero, this field specifies a one-based line number. When zero, the Type field is interpreted as a symbol table index for a function</description>
</number>
</structure>
<structure name="SectionHeader" id="50" repeat="id:29" extends="id:3">
<binary name="Name" mustmatch="yes" id="214" fillcolor="FEFB00" length="8">
<description>An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file.
The “$” character (dollar sign) has a special interpretation in section names in object files. When determining the image section that will contain the contents of an object section, the linker discards the “$” and all characters that follow it. Thus, an object section named .text$X actually contributes to the .text section in the image. However, the characters following the “$” determine the ordering of the contributions to the image section. All contributions with the same object-section name are allocated contiguously in the image, and the blocks of contributions are sorted in lexical order by object-section name. Therefore, everything in object files with section name .text$X ends up together, after the .text$W contributions and before the .text$Y contributions. The section name in an image file never contains a “$” character </description>
</binary>
<number name="VirtualSize" id="215" fillcolor="8DF900" type="integer" length="4">
<description>The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files</description>
</number>
<number name="VirtualAddress" id="216" fillcolor="00FCFF" type="integer" length="4" display="hex">
<description>For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation</description>
</number>
<number name="SizeOfRawData" id="217" fillcolor="FF84FF" type="integer" length="4" display="hex">
<description>The size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero</description>
</number>
<offset name="PointerToRawData" id="218" fillcolor="D783FF" length="4" references="id:202" referenced-size="id:217" follownullreference="no">
<description>The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4‑byte boundary for best performance. When a section contains only uninitialized data, this field should be zero</description>
</offset>
<offset name="PointerToRelocations" id="219" fillcolor="75D5FF" length="4" references="id:205" follownullreference="no">
<description>The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations</description>
</offset>
<offset name="PointerToLineNumbers" id="220" fillcolor="FFD478" length="4" references="id:210" follownullreference="no">
<description>The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated</description>
</offset>
<number name="NumberOfRelocations" id="221" fillcolor="FF7D78" type="integer" length="2">
<description>The number of relocation entries for the section. This is set to zero for executable images</description>
</number>
<number name="NumberOfLinenumbers" id="222" fillcolor="7980FF" type="integer" length="2">
<description>The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated</description>
</number>
<number name="Characteristics" id="223" fillcolor="FF9300" type="integer" length="4" display="hex">
<description>The flags that describe the characteristics of the section
IMAGE_SCN_LNK_NRELOC_OVFL indicates that the count of relocations for the section exceeds the 16 bits that are reserved for it in the section header. If the bit is set and the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the 32-bit VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section
</description>
<mask name="Reserved" value="0x42F"/>
<mask name="IMAGE_SCN_TYPE_NO_PAD" value="0x8">
<fixedvalue name="The section should not be padded to the next boundary" value="0x8"/>
</mask>
<mask name="IMAGE_SCN_CNT_CODE" value="0x20">
<fixedvalue name="The section contains executable code" value="0x20"/>
</mask>
<mask name="IMAGE_SCN_CNT_INITIALIZED_DATA" value="0x40">
<fixedvalue name="The section contains initialized data" value="0x40"/>
</mask>
<mask name="IMAGE_SCN_CNT_UNINITIALIZED_DATA" value="0x80">
<fixedvalue name="The section contains uninitialized data" value="0x80"/>
</mask>
<mask name="IMAGE_SCN_LNK_OTHER" value="0x100">
<fixedvalue name="Reserved for future use" value="0x100"/>
</mask>
<mask name="IMAGE_SCN_LNK_INFO" value="0x200">
<fixedvalue name="The section contains comments or other information" value="0x200"/>
</mask>
<mask name="IMAGE_SCN_LNK_REMOVE" value="0x800">
<fixedvalue name="The section will not become part of the image" value="0x800"/>
</mask>
<mask name="IMAGE_SCN_LNK_COMDAT" value="0x1000">
<fixedvalue name="The section contains COMDAT data" value="0x1000"/>
</mask>
<mask name="IMAGE_SCN_GPREL" value="0x8000">
<fixedvalue name="The section contains data referenced through the global pointer (GP)" value="0x8000"/>
</mask>
<mask name="IMAGE_SCN_MEM_PURGEABLE" value="0x20000">
<fixedvalue name="Reserved for future use" value="0x4E20"/>
</mask>
<mask name="IMAGE_SCN_MEM_16BIT" value="0x20000">
<fixedvalue name="For ARM machine types, the section contains Thumb code" value="0x20000"/>
</mask>
<mask name="IMAGE_SCN_MEM_LOCKED" value="0x40000">
<fixedvalue name="Reserved for future use" value="0x40000"/>
</mask>
<mask name="IMAGE_SCN_MEM_PRELOAD" value="0x80000">
<fixedvalue name="Reserved for future use" value="0x80000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_1BYTES" value="0x100000">
<fixedvalue name="Align data on a 1-byte boundary" value="0x186A0"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_2BYTES" value="0x200000">
<fixedvalue name="Align data on a 2-byte boundary" value="0x200000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_4BYTES" value="0x300000">
<fixedvalue name="Align data on a 4-byte boundary" value="0x300000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_8BYTES" value="0x400000">
<fixedvalue name="Align data on an 8-byte boundary" value="0x400000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_16BYTES" value="0x500000">
<fixedvalue name="Align data on a 16-byte boundary" value="0x500000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_32BYTES" value="0x600000">
<fixedvalue name="Align data on a 32-byte boundary" value="0x600000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_64BYTES" value="0x700000">
<fixedvalue name="Align data on a 64-byte boundary" value="0x700000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_128BYTES" value="0x800000">
<fixedvalue name="Align data on a 128-byte boundary" value="0x800000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_256BYTES" value="0x900000">
<fixedvalue name="Align data on a 256-byte boundary" value="0x900000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_512BYTES" value="0xA00000">
<fixedvalue name="Align data on a 512-byte boundary" value="0xA00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_1024BYTES" value="0xB00000">
<fixedvalue name="Align data on a 1024-byte boundary" value="0xB00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_2048BYTES" value="0xC00000">
<fixedvalue name="Align data on a 2048-byte boundary" value="0xC00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_4096BYTES" value="0xD00000">
<fixedvalue name="Align data on a 4096-byte boundary" value="0xD00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_8192BYTES" value="0xE00000">
<fixedvalue name="Align data on a 8192-byte boundary" value="0xE00000"/>
</mask>
<mask name="IMAGE_SCN_LNK_NRELOC_OVFL" value="0x1000000">
<fixedvalue name="The section contains extended relocations" value="0x1000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_DISCARDABLE" value="0x2000000">
<fixedvalue name="The section can be discarded as needed" value="0x2000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_NOT_CACHED" value="0x4000000">
<fixedvalue name="The section cannot be cached" value="0x4000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_NOT_PAGED" value="0x8000000">
<fixedvalue name="The section is not pageable" value="0x8000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_SHARED" value="0x10000000">
<fixedvalue name="The section can be shared in memory" value="0x10000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_EXECUTE" value="0x20000000">
<fixedvalue name="The section can be executed as code" value="0x20000000"/>
</mask>
</number>
</structure>
<structure name="ImportDataSectionHeader" id="46" extends="id:50">
<binary name="Name" id="225" length="8">
<description>An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file.
The “$” character (dollar sign) has a special interpretation in section names in object files. When determining the image section that will contain the contents of an object section, the linker discards the “$” and all characters that follow it. Thus, an object section named .text$X actually contributes to the .text section in the image. However, the characters following the “$” determine the ordering of the contributions to the image section. All contributions with the same object-section name are allocated contiguously in the image, and the blocks of contributions are sorted in lexical order by object-section name. Therefore, everything in object files with section name .text$X ends up together, after the .text$W contributions and before the .text$Y contributions. The section name in an image file never contains a “$” character </description>
<fixedvalues>
<fixedvalue name=".idata" value="2E69646174610000"/>
</fixedvalues>
</binary>
<number name="VirtualSize" id="226" type="integer">
<description>The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files</description>
</number>
<number name="VirtualAddress" id="227" type="integer">
<description>For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation</description>
</number>
<number name="SizeOfRawData" id="228" type="integer">
<description>The size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero</description>
</number>
<offset name="PointerToRawData" id="230" references="id:229" referenced-size="id:228">
<description>The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4‑byte boundary for best performance. When a section contains only uninitialized data, this field should be zero</description>
</offset>
<offset name="PointerToRelocations" id="231" references="id:205">
<description>The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations</description>
</offset>
<offset name="PointerToLineNumbers" id="232" references="id:210">
<description>The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated</description>
</offset>
<number name="NumberOfRelocations" id="233" type="integer">
<description>The number of relocation entries for the section. This is set to zero for executable images</description>
</number>
<number name="NumberOfLinenumbers" id="234" type="integer">
<description>The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated</description>
</number>
<number name="Characteristics" id="235" type="integer">
<description>The flags that describe the characteristics of the section
IMAGE_SCN_LNK_NRELOC_OVFL indicates that the count of relocations for the section exceeds the 16 bits that are reserved for it in the section header. If the bit is set and the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the 32-bit VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section
</description>
<mask name="Reserved" value="0x42F"/>
<mask name="IMAGE_SCN_TYPE_NO_PAD" value="0x8">
<fixedvalue name="The section should not be padded to the next boundary" value="0x8"/>
</mask>
<mask name="IMAGE_SCN_CNT_CODE" value="0x20">
<fixedvalue name="The section contains executable code" value="0x20"/>
</mask>
<mask name="IMAGE_SCN_CNT_INITIALIZED_DATA" value="0x40">
<fixedvalue name="The section contains initialized data" value="0x40"/>
</mask>
<mask name="IMAGE_SCN_CNT_UNINITIALIZED_DATA" value="0x80">
<fixedvalue name="The section contains uninitialized data" value="0x80"/>
</mask>
<mask name="IMAGE_SCN_LNK_OTHER" value="0x100">
<fixedvalue name="Reserved for future use" value="0x100"/>
</mask>
<mask name="IMAGE_SCN_LNK_INFO" value="0x200">
<fixedvalue name="The section contains comments or other information" value="0x200"/>
</mask>
<mask name="IMAGE_SCN_LNK_REMOVE" value="0x800">
<fixedvalue name="The section will not become part of the image" value="0x800"/>
</mask>
<mask name="IMAGE_SCN_LNK_COMDAT" value="0x1000">
<fixedvalue name="The section contains COMDAT data" value="0x1000"/>
</mask>
<mask name="IMAGE_SCN_GPREL" value="0x8000">
<fixedvalue name="The section contains data referenced through the global pointer (GP)" value="0x8000"/>
</mask>
<mask name="IMAGE_SCN_MEM_PURGEABLE" value="0x20000">
<fixedvalue name="Reserved for future use" value="0x4E20"/>
</mask>
<mask name="IMAGE_SCN_MEM_16BIT" value="0x20000">
<fixedvalue name="For ARM machine types, the section contains Thumb code" value="0x20000"/>
</mask>
<mask name="IMAGE_SCN_MEM_LOCKED" value="0x40000">
<fixedvalue name="Reserved for future use" value="0x40000"/>
</mask>
<mask name="IMAGE_SCN_MEM_PRELOAD" value="0x80000">
<fixedvalue name="Reserved for future use" value="0x80000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_1BYTES" value="0x100000">
<fixedvalue name="Align data on a 1-byte boundary" value="0x186A0"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_2BYTES" value="0x200000">
<fixedvalue name="Align data on a 2-byte boundary" value="0x200000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_4BYTES" value="0x300000">
<fixedvalue name="Align data on a 4-byte boundary" value="0x300000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_8BYTES" value="0x400000">
<fixedvalue name="Align data on an 8-byte boundary" value="0x400000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_16BYTES" value="0x500000">
<fixedvalue name="Align data on a 16-byte boundary" value="0x500000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_32BYTES" value="0x600000">
<fixedvalue name="Align data on a 32-byte boundary" value="0x600000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_64BYTES" value="0x700000">
<fixedvalue name="Align data on a 64-byte boundary" value="0x700000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_128BYTES" value="0x800000">
<fixedvalue name="Align data on a 128-byte boundary" value="0x800000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_256BYTES" value="0x900000">
<fixedvalue name="Align data on a 256-byte boundary" value="0x900000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_512BYTES" value="0xA00000">
<fixedvalue name="Align data on a 512-byte boundary" value="0xA00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_1024BYTES" value="0xB00000">
<fixedvalue name="Align data on a 1024-byte boundary" value="0xB00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_2048BYTES" value="0xC00000">
<fixedvalue name="Align data on a 2048-byte boundary" value="0xC00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_4096BYTES" value="0xD00000">
<fixedvalue name="Align data on a 4096-byte boundary" value="0xD00000"/>
</mask>
<mask name="IMAGE_SCN_ALIGN_8192BYTES" value="0xE00000">
<fixedvalue name="Align data on a 8192-byte boundary" value="0xE00000"/>
</mask>
<mask name="IMAGE_SCN_LNK_NRELOC_OVFL" value="0x1000000">
<fixedvalue name="The section contains extended relocations" value="0x1000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_DISCARDABLE" value="0x2000000">
<fixedvalue name="The section can be discarded as needed" value="0x2000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_NOT_CACHED" value="0x4000000">
<fixedvalue name="The section cannot be cached" value="0x4000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_NOT_PAGED" value="0x8000000">
<fixedvalue name="The section is not pageable" value="0x8000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_SHARED" value="0x10000000">
<fixedvalue name="The section can be shared in memory" value="0x10000000"/>
</mask>
<mask name="IMAGE_SCN_MEM_EXECUTE" value="0x20000000">
<fixedvalue name="The section can be executed as code" value="0x20000000"/>
</mask>
</number>