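unit ExeImages;

{ Record layouts, constants and display-string helpers for MS-DOS, COFF and
  PE32 executable headers.

  Every field described here is read from the file being inspected. Nothing in
  this unit validates those values, so code that overlays these records on file
  data has to check offsets, counts and sizes against the real file length
  before following them. }

interface

uses
  Windows, Classes;

const
  { Image signatures. The DOS/NE/LE values are 16-bit; the NT one is 32-bit. }
  IMAGE_DOS_SIGNATURE = $5A4D; { MZ }
  IMAGE_OS2_SIGNATURE = $454E; { NE }
  IMAGE_OS2_SIGNATURE_LE = $454C; { LE }
  IMAGE_VXD_SIGNATURE = $454C; { LE }
  IMAGE_NT_SIGNATURE = $00004550; { PE00 }

  { The *FieldsNames / *TypesNames / *FieldsDesc tables below are parallel
    arrays: entry i of each table describes the same field, in the order in
    which the fields are declared in the matching record. }

  DosHeaderFieldsNames: array[0..30] of string = (
    'e_magic', 'e_cblp', 'e_cp', 'e_crlc', 'e_cparhdr', 'e_minalloc',
    'e_maxalloc', 'e_ss', 'e_sp', 'e_csum', 'e_ip', 'e_cs', 'e_lfarlc',
    'e_ovno',
    'e_res[0]', 'e_res[1]', 'e_res[2]', 'e_res[3]',
    'e_oemid', 'e_oeminfo',
    'e_res2[0]', 'e_res2[1]', 'e_res2[2]', 'e_res2[3]', 'e_res2[4]',
    'e_res2[5]', 'e_res2[6]', 'e_res2[7]', 'e_res2[8]', 'e_res2[9]',
    'e_lfanew'
  );

  DosHeaderTypesNames: array[0..30] of string = (
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'LONG' //<-- LongInt
  );

  DosHeaderFieldsDesc: array[0..30] of string = (
    'Magic number',
    'Bytes on last page of file',
    'Pages in file',
    'Relocations',
    'Size of header in paragraphs',
    'Minimum extra paragraphs needed',
    'Maximum extra paragraphs needed',
    'Initial (relative) SS value',
    'Initial SP value',
    'Checksum',
    'Initial IP value',
    'Initial (relative) CS value',
    'File address of relocation table',
    'Overlay number',
    '(Reserved)', '(Reserved)', '(Reserved)', '(Reserved)',
    'OEM identifier (for e_oeminfo)',
    'OEM information (e_oemid specific)',
    '(Reserved)', '(Reserved)', '(Reserved)', '(Reserved)', '(Reserved)',
    '(Reserved)', '(Reserved)', '(Reserved)', '(Reserved)', '(Reserved)',
    'File address of PE header'
  );

  CoffHeaderFieldsNames: array[0..6] of string = (
    'Machine', 'NumberOfSections', 'TimeDateStamp', 'PointerToSymbolTable',
    'NumberOfSymbols', 'SizeOfOptionalHeader', 'Characteristics'
  );

  CoffHeaderTypesNames: array[0..6] of string = (
    'WORD', 'WORD', 'DWORD', 'DWORD', 'DWORD', 'WORD', 'WORD'
  );

  CoffHeaderFieldsDesc: array[0..6] of string = (
    'Number identifying type of target machine',
    'Number of sections',
    'Time and date the file was created',
    'File offset of the COFF symbol table or 0 if none is present',
    'Number of entries in the symbol table',
    'Size of the optional header',
    'Flags indicating attributes of the file'
  );

  OptionalHeaderFieldsNames: array[0..45] of string = (
    'Magic', 'MajorLinkerVersion', 'MinorLinkerVersion', 'SizeOfCode',
    'SizeOfInitializedData', 'SizeOfUninitializedData', 'AddressOfEntryPoint',
    'BaseOfCode', 'BaseOfData', 'ImageBase', 'SectionAlignment',
    'FileAlignment', 'MajorOperatingSystemVersion',
    'MinorOperatingSystemVersion', 'MajorImageVersion', 'MinorImageVersion',
    'MajorSubsystemVersion', 'MinorSubsystemVersion', 'Win32VersionValue',
    'SizeOfImage', 'SizeOfHeaders', 'CheckSum', 'Subsystem',
    'DllCharacteristics', 'SizeOfStackReserve', 'SizeOfStackCommit',
    'SizeOfHeapReserve', 'SizeOfHeapCommit', 'LoaderFlags',
    'NumberOfRvaAndSizes',
    'DataDirectory [0]', 'DataDirectory [1]', 'DataDirectory [2]',
    'DataDirectory [3]', 'DataDirectory [4]', 'DataDirectory [5]',
    'DataDirectory [6]', 'DataDirectory [7]', 'DataDirectory [8]',
    'DataDirectory [9]', 'DataDirectory [10]', 'DataDirectory [11]',
    'DataDirectory [12]', 'DataDirectory [13]', 'DataDirectory [14]',
    'DataDirectory [15]'
  );

  pt = 'pointer';

  OptionalHeaderTypesNames: array[0..45] of string = (
    'WORD', 'BYTE', 'BYTE',
    'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD',
    'DWORD',
    'WORD', 'WORD', 'WORD', 'WORD', 'WORD', 'WORD',
    'DWORD', 'DWORD', 'DWORD', 'DWORD',
    'WORD', 'WORD',
    'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD', 'DWORD',
    pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt, pt
  );

  OptionalHeaderFieldsDesc: array[0..45] of string = (
    'Magic number',
    'Linker major version number',
    'Linker minor version number',
    'Size of CODE section, or the sum of all CODE sections',
    'Size of Initialized Data section, or the sum of all such sections',
    'Size of Uninitialized Data section (BSS), or the sum of all such sections',
    'Address of entry point, relative to image base',
    'Address of beginning of CODE section, relative to image base',
    'Address of beginning of DATA section, relative to image base',
    'Preferred address of first byte of image when loades into memory',
    'Alignment of sections when loaded into memory (in bytes)',
    'Alignment factor used to align the raw data of sections in the image file (in bytes)',
    'Major version number of required OS',
    'Minor version number of required OS',
    'Major version number of image',
    'Minor version number of image',
    'Major version number of subsystem',
    'Minor version number of subsystem',
    '(Reserved)',
    'Size of image (in bytes)',
    'Size of MS-DOS stub, PE Header, and section headers rounded to a multiple of FileAlignment',
    'Image file checksum',
    'Subsystem required to run the image',
    'DLL characteristics',
    'Size of stack to reserve',
    'Size of stack to commit',
    'Size of local heap space to reserve',
    'Size of local heap space to commit',
    '(Obsolete)',
    // NumberOfRvaAndSizes counts DataDirectory entries (was "data-dictionary").
    'Number of data-directory entries',
    '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', ''
  );

  ResourceDataEntryFieldsNames: array[0..3] of string = (
    'OffsetToData', 'Size', 'CodePage', 'Reserved'
  );

  ResourceDataEntryTypesNames: array[0..3] of string = (
    'DWORD', 'DWORD', 'DWORD', 'DWORD'
  );

  ResourceDataEntryFieldsDesc: array[0..3] of string = (
    'Address of a unit of resource data in the Resource Data area',
    'Size of the resource data pointed to by the OffsetToData',
    'Code Page used to decode code point values within the resource data',
    '(Reserved)'
  );

  { Display names for DataDirectory[0..15], indexed by directory number.
    Index 13 is the delay-import descriptor and index 14 the COM/CLR runtime
    header; the two labels were previously swapped, which made a managed
    image's CLR header show up as "Delay Import" and the reverse. }
  NamesOfDirectories: array[0..15] of string = (
    'Export', 'Import', 'Resource', 'Exception', 'Security', 'Base Reloc',
    'Debug', 'Copyright', 'Global Ptr', 'TLS', 'Load Config', 'Bound Import',
    'IAT', 'Delay Import', 'COM', '(reserved)'
  );

type
  PImageDosHeader = ^TImageDosHeader;
  PIMAGE_DOS_HEADER = ^TImageDosHeader;
  {EXTERNALSYM _IMAGE_DOS_HEADER}
  _IMAGE_DOS_HEADER = packed record { DOS .EXE header }
    e_magic: Word;               { Magic number }
    e_cblp: Word;                { Bytes on last page of file }
    e_cp: Word;                  { Pages in file }
    e_crlc: Word;                { Relocations }
    e_cparhdr: Word;             { Size of header in paragraphs }
    e_minalloc: Word;            { Minimum extra paragraphs needed }
    e_maxalloc: Word;            { Maximum extra paragraphs needed }
    e_ss: Word;                  { Initial (relative) SS value }
    e_sp: Word;                  { Initial SP value }
    e_csum: Word;                { Checksum }
    e_ip: Word;                  { Initial IP value }
    e_cs: Word;                  { Initial (relative) CS value }
    e_lfarlc: Word;              { File address of relocation table }
    e_ovno: Word;                { Overlay number }
    e_res: array[0..3] of Word;  { Reserved words }
    e_oemid: Word;               { OEM identifier (for e_oeminfo) }
    e_oeminfo: Word;             { OEM information; e_oemid specific }
    e_res2: array[0..9] of Word; { Reserved words }
    { File address of PE header. Declared as a signed LongInt and taken
      straight from the file: reject negative values and values beyond the
      file size before using it as a seek offset. }
    e_lfanew: LongInt;
  end;
  TImageDosHeader = _IMAGE_DOS_HEADER;
  {$EXTERNALSYM IMAGE_DOS_HEADER}
  IMAGE_DOS_HEADER = _IMAGE_DOS_HEADER;

  PImageFileHeader = ^TImageFileHeader;
  PIMAGE_FILE_HEADER = ^TImageFileHeader;
  PIMAGE_COFF_HEADER = ^TImageFileHeader;
  PImageCoffHeader = ^TImageFileHeader;
  { COFF file header; the field order matches CoffHeaderFieldsNames. }
  _IMAGE_FILE_HEADER = packed record
    Machine: Word;
    NumberOfSections: Word;
    TimeDateStamp: DWORD;
    PointerToSymbolTable: DWORD;
    NumberOfSymbols: DWORD;
    SizeOfOptionalHeader: Word;
    Characteristics: Word;
  end;
  {$EXTERNALSYM _IMAGE_FILE_HEADER}
  TImageFileHeader = _IMAGE_FILE_HEADER;
  IMAGE_FILE_HEADER = _IMAGE_FILE_HEADER;
  IMAGE_COFF_HEADER = _IMAGE_FILE_HEADER;
  TImageCoffHeader = _IMAGE_FILE_HEADER;
  {$EXTERNALSYM IMAGE_FILE_HEADER}

  PImageExportDirectory = ^TImageExportDirectory;
  PIMAGE_EXPORT_DIRECTORY = ^TImageExportDirectory;
  { Export directory table. The three AddressOf* members are stored as 32-bit
    RVAs, not as process pointers. }
  _IMAGE_EXPORT_DIRECTORY = packed record
    Characteristics: DWord;
    TimeDateStamp: DWord;
    MajorVersion: Word;
    MinorVersion: Word;
    Name: DWord;
    Base: DWord;
    NumberOfFunctions: DWord;
    NumberOfNames: DWord;
    AddressOfFunctions: DWORD;
    AddressOfNames: DWORD;
    // Was declared WORD, which truncated the RVA to 16 bits and made the
    // record 38 bytes long instead of the 40 bytes stored in the file.
    AddressOfNameOrdinals: DWORD;
    //AddressOfFunctions: ^PDWORD;
    //AddressOfNames: ^PDWORD;
    //AddressOfNameOrdinals: ^PWord;
  end;
  {$EXTERNALSYM _IMAGE_EXPORT_DIRECTORY}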
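TImageExportDirectory = _IMAGE_EXPORT_DIRECTORY;
  IMAGE_EXPORT_DIRECTORY = _IMAGE_EXPORT_DIRECTORY;
  {$EXTERNALSYM IMAGE_EXPORT_DIRECTORY}

const
  IMAGE_SIZEOF_FILE_HEADER = 20;

  { Bit flags for the COFF header's Characteristics field. }
  IMAGE_FILE_RELOCS_STRIPPED = $0001;         { Relocation info stripped from file. }
  IMAGE_FILE_EXECUTABLE_IMAGE = $0002;        { File is executable (i.e. no unresolved external references). }
  IMAGE_FILE_LINE_NUMS_STRIPPED = $0004;      { Line numbers stripped from file. }
  IMAGE_FILE_LOCAL_SYMS_STRIPPED = $0008;     { Local symbols stripped from file. }
  IMAGE_FILE_AGGRESIVE_WS_TRIM = $0010;       { Aggressively trim working set }
  IMAGE_FILE_BYTES_REVERSED_LO = $0080;       { Bytes of machine word are reversed. }
  IMAGE_FILE_32BIT_MACHINE = $0100;           { 32 bit word machine. }
  IMAGE_FILE_DEBUG_STRIPPED = $0200;          { Debugging info stripped from file in .DBG file }
  IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = $0400; { If Image is on removable media, copy and run from the swap file. }
  IMAGE_FILE_NET_RUN_FROM_SWAP = $0800;       { If Image is on Net, copy and run from the swap file. }
  IMAGE_FILE_SYSTEM = $1000;                  { System File. }
  IMAGE_FILE_DLL = $2000;                     { File is a DLL. }
  IMAGE_FILE_UP_SYSTEM_ONLY = $4000;          { File should only be run on a UP machine }
  IMAGE_FILE_BYTES_REVERSED_HI = $8000;       { Bytes of machine word are reversed. }

  { Values of the COFF header's Machine field. }
  IMAGE_FILE_MACHINE_UNKNOWN = 0;
  IMAGE_FILE_MACHINE_I386 = $14C;      { Intel 386. }
  IMAGE_FILE_MACHINE_I486 = $14D;      // Intel 486
  IMAGE_FILE_MACHINE_R3000 = $162;     { MIPS little-endian, 0x160 big-endian }
  IMAGE_FILE_MACHINE_R4000 = $166;     { MIPS little-endian }
  IMAGE_FILE_MACHINE_R10000 = $168;    { MIPS little-endian }
  IMAGE_FILE_MACHINE_ALPHA = $184;     { Alpha_AXP }
  IMAGE_FILE_MACHINE_WCEMIPSV2 = $169; // MIPS little-endian WCE v2
  IMAGE_FILE_MACHINE_POWERPC = $1F0;   { IBM PowerPC Little-Endian }
  IMAGE_FILE_MACHINE_AMD64 = $8664;    // AMD64 (KB)

type
  PImageDataDirectory = ^TImageDataDirectory;
  PIMAGE_DATA_DIRECTORY = ^TImageDataDirectory;
  { One DataDirectory slot: where a table lives (RVA) and how long it is.
    Both values come from the file and need a range check before use. }
  _IMAGE_DATA_DIRECTORY = record
    VirtualAddress: DWORD;
    Size: DWORD;
  end;
  TImageDataDirectory = _IMAGE_DATA_DIRECTORY;
  IMAGE_DATA_DIRECTORY = _IMAGE_DATA_DIRECTORY;

const
  IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16;

type
  PImageOptionalHeader = ^TImageOptionalHeader;
  PIMAGE_OPTIONAL_HEADER = ^TImageOptionalHeader;
  { PE32 optional header (Magic = IMAGE_NT_OPTIONAL_HDR_MAGIC, $010B).
    This layout has BaseOfData and a 32-bit ImageBase, so it does not describe
    a PE32+ optional header (magic $020B) as found in AMD64 images; check Magic
    before overlaying the record.
    DataDirectory is declared with a fixed 16 slots, while NumberOfRvaAndSizes
    is whatever the file says; only the first
    min(NumberOfRvaAndSizes, IMAGE_NUMBEROF_DIRECTORY_ENTRIES) slots should be
    trusted. }
  _IMAGE_OPTIONAL_HEADER = packed record
    { Standard fields. }
    Magic: Word;
    MajorLinkerVersion: Byte;
    MinorLinkerVersion: Byte;
    SizeOfCode: DWORD;
    SizeOfInitializedData: DWORD;
    SizeOfUninitializedData: DWORD;
    AddressOfEntryPoint: DWORD;
    BaseOfCode: DWORD;
    BaseOfData: DWORD;
    { NT additional fields. }
    ImageBase: DWORD;
    SectionAlignment: DWORD;
    FileAlignment: DWORD;
    MajorOperatingSystemVersion: Word;
    MinorOperatingSystemVersion: Word;
    MajorImageVersion: Word;
    MinorImageVersion: Word;
    MajorSubsystemVersion: Word;
    MinorSubsystemVersion: Word;
    Win32VersionValue: DWORD;
    SizeOfImage: DWORD;
    SizeOfHeaders: DWORD;
    CheckSum: DWORD;
    Subsystem: Word;
    DllCharacteristics: Word;
    SizeOfStackReserve: DWORD;
    SizeOfStackCommit: DWORD;
    SizeOfHeapReserve: DWORD;
    SizeOfHeapCommit: DWORD;
    LoaderFlags: DWORD;
    NumberOfRvaAndSizes: DWORD;
    DataDirectory: packed array[0..IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1] of TImageDataDirectory;
  end;
  TImageOptionalHeader = _IMAGE_OPTIONAL_HEADER;
  IMAGE_OPTIONAL_HEADER = _IMAGE_OPTIONAL_HEADER;

  PImageRomOptionalHeader = ^TImageRomOptionalHeader;
  { Optional header of a ROM image (Magic = IMAGE_ROM_OPTIONAL_HDR_MAGIC). }
  _IMAGE_ROM_OPTIONAL_HEADER = packed record
    Magic: Word;
    MajorLinkerVersion: Byte;
    MinorLinkerVersion: Byte;
    SizeOfCode: DWORD;
    SizeOfInitializedData: DWORD;
    SizeOfUninitializedData: DWORD;
    AddressOfEntryPoint: DWORD;
    BaseOfCode: DWORD;
    BaseOfData: DWORD;
    BaseOfBss: DWORD;
    GprMask: DWORD;
    CprMask: packed array[0..3] of DWORD;
    GpValue: DWORD;
  end;
  TImageRomOptionalHeader = _IMAGE_ROM_OPTIONAL_HEADER;
  IMAGE_ROM_OPTIONAL_HEADER = _IMAGE_ROM_OPTIONAL_HEADER;

const
  IMAGE_SIZEOF_ROM_OPTIONAL_HEADER = 56;
  IMAGE_SIZEOF_STD_OPTIONAL_HEADER = 28;
  IMAGE_SIZEOF_NT_OPTIONAL_HEADER = 224;

  IMAGE_NT_OPTIONAL_HDR_MAGIC = $010B;
  IMAGE_ROM_OPTIONAL_HDR_MAGIC = $0107;

  // OptionalHeader.DllCharacteristics Entries
  // IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
  // IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
  // IMAGE_LIBRARY_THREAD_INIT  0x0004 // Reserved.
  // IMAGE_LIBRARY_THREAD_TERM  0x0008 // Reserved.
  //
  // DllCharacteristics is a bit mask: test each bit with "and", never compare
  // the whole field with a single constant. The entries below that the
  // original header listed as reserved or left out ($0020..$0400, $1000,
  // $4000) are defined by the current PE/COFF specification; several of them
  // record which exploit mitigations the image opted into, so they are the
  // ones to look at when assessing a binary's hardening.
  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = $0020; // Image can handle a high-entropy 64-bit address space
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = $0040;    // Image can be relocated at load time (ASLR)
  IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = $0080; // Code integrity checks are enforced
  IMAGE_DLLCHARACTERISTICS_NX_COMPAT = $0100;       // Image is NX compatible (DEP)
  IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = $0200;    // Isolation aware, but do not isolate the image
  IMAGE_DLLCHARACTERISTICS_NO_SEH = $0400;          // Image does not use structured exception handling
  IMAGE_DLLCHARACTERISTICS_NO_BIND = $0800;         // Do not bind this image.
  IMAGE_DLLCHARACTERISTICS_APPCONTAINER = $1000;    // Image must execute in an AppContainer
  IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = $2000;      // Driver uses WDM model
  IMAGE_DLLCHARACTERISTICS_GUARD_CF = $4000;        // Image supports Control Flow Guard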
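IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = $8000; //Image is Terminal Server aware

  //Constant Value Description
  //$0001 Reserved
  //$0002 Reserved
  //$0004 Reserved
  //$0008 Reserved

type
  PImageNtHeaders = ^TImageNtHeaders;
  PIMAGE_NT_HEADERS = ^TImageNtHeaders;
  { Signature + COFF header + PE32 optional header, as laid out at the file
    offset given by the DOS header's e_lfanew. }
  _IMAGE_NT_HEADERS = packed record
    Signature: DWORD;
    FileHeader: TImageFileHeader;
    OptionalHeader: TImageOptionalHeader;
  end;
  TImageNtHeaders = _IMAGE_NT_HEADERS;
  IMAGE_NT_HEADERS = _IMAGE_NT_HEADERS;

  PImageRomHeaders = ^TImageRomHeaders;
  _IMAGE_ROM_HEADERS = packed record
    FileHeader: TImageFileHeader;
    OptionalHeader: TImageRomOptionalHeader;
  end;
  TImageRomHeaders = _IMAGE_ROM_HEADERS;
  IMAGE_ROM_HEADERS = _IMAGE_ROM_HEADERS;

{ Subsystem Values }
const
  IMAGE_SUBSYSTEM_UNKNOWN = 0;        { Unknown subsystem. }
  IMAGE_SUBSYSTEM_NATIVE = 1;         { Image doesn't require a subsystem. }
  IMAGE_SUBSYSTEM_WINDOWS_GUI = 2;    { Image runs in the Windows GUI subsystem. }
  IMAGE_SUBSYSTEM_WINDOWS_CUI = 3;    { Image runs in the Windows character subsystem. }
  IMAGE_SUBSYSTEM_OS2_CUI = 5;        { image runs in the OS/2 character subsystem. }
  IMAGE_SUBSYSTEM_POSIX_CUI = 7;      { image run in the Posix character subsystem. }
  IMAGE_SUBSYSTEM_RESERVED8 = 8;      { image run in the 8 subsystem. }
  IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9; { Image runs in the Windows CE subsystem. }
  IMAGE_SUBSYSTEM_EFI_APPLICATION = 10;
  IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11;
  IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12;
  IMAGE_SUBSYSTEM_EFI_ROM = 13;
  IMAGE_SUBSYSTEM_XBOX = 14;

  { Directory Entries: indexes into OptionalHeader.DataDirectory }
  IMAGE_DIRECTORY_ENTRY_EXPORT = 0;        { Export Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_EXPORT}
  IMAGE_DIRECTORY_ENTRY_IMPORT = 1;        { Import Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_IMPORT}
  IMAGE_DIRECTORY_ENTRY_RESOURCE = 2;      { Resource Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_RESOURCE}
  IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3;     { Exception Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_EXCEPTION}
  IMAGE_DIRECTORY_ENTRY_SECURITY = 4;      { Security Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_SECURITY}
  IMAGE_DIRECTORY_ENTRY_BASERELOC = 5;     { Base Relocation Table }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_BASERELOC}
  IMAGE_DIRECTORY_ENTRY_DEBUG = 6;         { Debug Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_DEBUG}
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7;     { Description String }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_COPYRIGHT}
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8;     { Machine Value (MIPS GP) }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_GLOBALPTR}
  IMAGE_DIRECTORY_ENTRY_TLS = 9;           { TLS Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_TLS}
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10;  { Load Configuration Directory }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG}
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11; { Bound Import Directory in headers }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT}
  IMAGE_DIRECTORY_ENTRY_IAT = 12;          { Import Address Table }
  {$EXTERNALSYM IMAGE_DIRECTORY_ENTRY_IAT}

  { Section header format. }
  IMAGE_SIZEOF_SHORT_NAME = 8;

type
  { Variant overlay: the same DWORD is read as PhysicalAddress or VirtualSize. }
  TISHMisc = packed record
    case Integer of
      0: (PhysicalAddress: DWORD);
      1: (VirtualSize: DWORD);
  end;

  PImageSectionHeader = ^TImageSectionHeader;
  PIMAGE_SECTION_HEADER = ^TImageSectionHeader;
  { One entry of the section table (IMAGE_SIZEOF_SECTION_HEADER = 40 bytes).
    SizeOfRawData and PointerToRawData are file-supplied: check them against
    the file length before reading section contents. }
  _IMAGE_SECTION_HEADER = packed record
    // Eight single-byte characters. Declared as AnsiChar because plain Char is
    // two bytes wide in Unicode-enabled compilers, which would grow the record
    // to 48 bytes and shift every field that follows. A name that fills all
    // eight bytes has no terminating #0, so copy at most
    // IMAGE_SIZEOF_SHORT_NAME characters when converting it to a string.
    Name: packed array[0..IMAGE_SIZEOF_SHORT_NAME - 1] of AnsiChar;
    Misc: TISHMisc;
    VirtualAddress: DWORD;
    SizeOfRawData: DWORD;
    PointerToRawData: DWORD;
    PointerToRelocations: DWORD;
    PointerToLinenumbers: DWORD;
    NumberOfRelocations: Word;
    NumberOfLinenumbers: Word;
    Characteristics: DWORD;
  end;
  TImageSectionHeader = _IMAGE_SECTION_HEADER;
  IMAGE_SECTION_HEADER = _IMAGE_SECTION_HEADER;

const
  IMAGE_SIZEOF_SECTION_HEADER = 40;

  { Section characteristics (bit mask; ALIGN_* is a 4-bit value, not flags). }
  { IMAGE_SCN_TYPE_REG 0x00000000 // Reserved. }
  { IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved. }
  { IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved. }
  { IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved. }
  IMAGE_SCN_TYPE_NO_PAD = $00000008; { Reserved. }
  { IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved. }

  IMAGE_SCN_CNT_CODE = $00000020;               { Section contains code. }
  IMAGE_SCN_CNT_INITIALIZED_DATA = $00000040;   { Section contains initialized data. }
  IMAGE_SCN_CNT_UNINITIALIZED_DATA = $00000080; { Section contains uninitialized data. }

  IMAGE_SCN_LNK_OTHER = $00000100;  { Reserved. }
  IMAGE_SCN_LNK_INFO = $00000200;   { Section contains comments or some other type of information. }
  { IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved. }
  IMAGE_SCN_LNK_REMOVE = $00000800; { Section contents will not become part of image. }
  IMAGE_SCN_LNK_COMDAT = $00001000; { Section contents comdat. }
  { 0x00002000 // Reserved. }

  { IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000 }
  IMAGE_SCN_MEM_FARDATA = $00008000;
  { IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000 }
  IMAGE_SCN_MEM_PURGEABLE = $00020000;
  IMAGE_SCN_MEM_16BIT = $00020000;
  IMAGE_SCN_MEM_LOCKED = $00040000;
  IMAGE_SCN_MEM_PRELOAD = $00080000;

  IMAGE_SCN_ALIGN_1BYTES = $00100000;
  IMAGE_SCN_ALIGN_2BYTES = $00200000;
  IMAGE_SCN_ALIGN_4BYTES = $00300000;
  IMAGE_SCN_ALIGN_8BYTES = $00400000;
  IMAGE_SCN_ALIGN_16BYTES = $00500000; { Default alignment if no others are specified. }
  IMAGE_SCN_ALIGN_32BYTES = $00600000;
  IMAGE_SCN_ALIGN_64BYTES = $00700000;
  { Unused 0x00800000 }

  IMAGE_SCN_LNK_NRELOC_OVFL = $01000000; { Section contains extended relocations. }
  IMAGE_SCN_MEM_DISCARDABLE = $02000000; { Section can be discarded. }
  IMAGE_SCN_MEM_NOT_CACHED = $04000000;  { Section is not cachable. }
  IMAGE_SCN_MEM_NOT_PAGED = $08000000;   { Section is not pageable. }
  IMAGE_SCN_MEM_SHARED = $10000000;      { Section is shareable. }
  { A section carrying both IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE is
    mapped writable and executable at the same time; that combination is worth
    surfacing to whoever reviews the image. }
  IMAGE_SCN_MEM_EXECUTE = $20000000;     { Section is executable. }
  IMAGE_SCN_MEM_READ = $40000000;        { Section is readable. }
  IMAGE_SCN_MEM_WRITE = DWORD($80000000); { Section is writeable. }

{line 4281}
type
  PImageLoadConfigDirectory = ^TImageLoadConfigDirectory;
  IMAGE_LOAD_CONFIG_DIRECTORY = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: Word;
    MinorVersion: Word;
    GlobalFlagsClear: DWORD;
    GlobalFlagsSet: DWORD;
    CriticalSectionDefaultTimeout: DWORD;
    DeCommitFreeBlockThreshold: DWORD;
    DeCommitTotalFreeThreshold: DWORD;
    // NOTE(review): Pointer takes the compiler's pointer width, so this record
    // only keeps 32-bit-wide slots when the unit is built for a 32-bit target;
    // confirm the layout before using it in a 64-bit build. The value is data
    // read from the image and must not be dereferenced in the inspecting
    // process.
    LockPrefixTable: Pointer;
    MaximumAllocationSize: DWORD;
    VirtualMemoryThreshold: DWORD;
    ProcessHeapFlags: DWORD;
    ProcessAffinityMask: DWORD;
    Reserved: array[0..2] of DWORD;
  end;
  TImageLoadConfigDirectory = IMAGE_LOAD_CONFIG_DIRECTORY;

  // Function table entry format for MIPS/ALPHA images. Function table is
  // pointed to by the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory entry.
  // This definition duplicates ones in ntmips.h and ntalpha.h for use
  // by portable image file mungers.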
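PImageRuntimeFunctionEntry = ^TImageRuntimeFunctionEntry;
  // NOTE(review): the two Pointer members take the compiler's pointer width;
  // confirm the layout before overlaying this record in a 64-bit build.
  IMAGE_RUNTIME_FUNCTION_ENTRY = record
    BeginAddress: DWORD;
    EndAddress: DWORD;
    ExceptionHandler: Pointer;
    HandlerData: Pointer;
    PrologEndAddress: DWORD;
  end;
  TImageRuntimeFunctionEntry = IMAGE_RUNTIME_FUNCTION_ENTRY;

  //
  // Debug Format
  //
  PImageDebugDirectory = ^TImageDebugDirectory;
  _IMAGE_DEBUG_DIRECTORY = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: Word;
    MinorVersion: Word;
    _Type: DWORD;            // one of the IMAGE_DEBUG_TYPE_* values
    SizeOfData: DWORD;
    AddressOfRawData: DWORD;
    PointerToRawData: DWORD;
  end;
  TImageDebugDirectory = _IMAGE_DEBUG_DIRECTORY;
  IMAGE_DEBUG_DIRECTORY = _IMAGE_DEBUG_DIRECTORY;

const
  IMAGE_DEBUG_TYPE_UNKNOWN = 0;
  IMAGE_DEBUG_TYPE_COFF = 1;
  IMAGE_DEBUG_TYPE_CODEVIEW = 2;
  IMAGE_DEBUG_TYPE_FPO = 3;
  IMAGE_DEBUG_TYPE_MISC = 4;
  IMAGE_DEBUG_TYPE_EXCEPTION = 5;
  IMAGE_DEBUG_TYPE_FIXUP = 6;
  IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7;
  IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8;

type
  PImageCOFFSymbolsHeader = ^TImageCOFFSymbolsHeader;
  _IMAGE_COFF_SYMBOLS_HEADER = record
    NumberOfSymbols: DWORD;
    LvaToFirstSymbol: DWORD;
    NumberOfLinenumbers: DWORD;
    LvaToFirstLinenumber: DWORD;
    RvaToFirstByteOfCode: DWORD;
    RvaToLastByteOfCode: DWORD;
    RvaToFirstByteOfData: DWORD;
    RvaToLastByteOfData: DWORD;
  end;
  TImageCOFFSymbolsHeader = _IMAGE_COFF_SYMBOLS_HEADER;
  IMAGE_COFF_SYMBOLS_HEADER = _IMAGE_COFF_SYMBOLS_HEADER;

const
  FRAME_FPO = 0;
  FRAME_TRAP = 1;
  FRAME_TSS = 2;
  FRAME_NONFPO = 3;

type
  PFpoData = ^TFpoData;
  _FPO_DATA = packed record
    ulOffStart: DWORD; // offset 1st byte of function code
    cbProcSize: DWORD; // # bytes in function
    cdwLocals: DWORD;  // # bytes in locals/4
    cdwParams: Word;   // # bytes in params/4
    { The C declaration packs the next 16 bits as bit fields:
        WORD cbProlog : 8; // # bytes in prolog
        WORD cbRegs   : 3; // # regs saved
        WORD fHasSEH  : 1; // TRUE if SEH in func
        WORD fUseBP   : 1; // TRUE if EBP has been allocated
        WORD reserved : 1; // reserved for future use
        WORD cbFrame  : 2; // frame type
      Here they are exposed as two bytes; OtherStuff holds everything after
      cbProlog. }
    cbProlog: Byte;
    OtherStuff: Byte;
  end;
  {$EXTERNALSYM _FPO_DATA}
  TFpoData = _FPO_DATA;
  FPO_DATA = _FPO_DATA;
  {$EXTERNALSYM FPO_DATA}

const
  SIZEOF_RFPO_DATA = 16;
  {$EXTERNALSYM SIZEOF_RFPO_DATA}

  IMAGE_DEBUG_MISC_EXENAME = 1;
  {$EXTERNALSYM IMAGE_DEBUG_MISC_EXENAME}

type
  PImageDebugMisc = ^TImageDebugMisc;
  _IMAGE_DEBUG_MISC = packed record
    DataType: DWORD;   // type of misc data, see defines
    Length: DWORD;     // total length of record, rounded to four
                       // byte multiple.
    Unicode: ByteBool; // TRUE if data is unicode string
    Reserved: array[0..2] of Byte;
    // Actual data. Declared with one element as a placeholder for a
    // variable-length tail; Length is supplied by the file, so bound it by the
    // bytes actually available before reading past Data[0].
    Data: array[0..0] of Byte;
  end;
  {$EXTERNALSYM _IMAGE_DEBUG_MISC}
  TImageDebugMisc = _IMAGE_DEBUG_MISC;
  IMAGE_DEBUG_MISC = _IMAGE_DEBUG_MISC;
  {$EXTERNALSYM IMAGE_DEBUG_MISC}

  //
  // Function table extracted from MIPS/ALPHA images. Does not contain
  // information needed only for runtime support. Just those fields for
  // each entry needed by a debugger.
  //
  PImageFunctionEntry = ^TImageFunctionEntry;
  _IMAGE_FUNCTION_ENTRY = record
    StartingAddress: DWORD;
    EndingAddress: DWORD;
    EndOfPrologue: DWORD;
  end;
  {$EXTERNALSYM _IMAGE_FUNCTION_ENTRY}
  TImageFunctionEntry = _IMAGE_FUNCTION_ENTRY;
  IMAGE_FUNCTION_ENTRY = _IMAGE_FUNCTION_ENTRY;
  {$EXTERNALSYM IMAGE_FUNCTION_ENTRY}

type
  TIIDMisc = packed record
    case Integer of
      0: (Characteristics: DWORD);    // 0 for terminating null import descriptor
      1: (OriginalFirstThunk: DWORD); // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
  end;

  PImageImportDescriptor = ^TImageImportDescriptor;
  PIMAGE_IMPORT_DESCRIPTOR = ^TImageImportDescriptor;
  { One import descriptor. The descriptor array ends at an entry whose
    Characteristics is 0; a reader should also stop at the end of the import
    directory or of the file, since the terminator is file-supplied. }
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    Misc: TIIDMisc;
    TimeDateStamp: DWORD;  // 0 if not bound,
                           // -1 if bound, and real date\time stamp
                           // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                           // O.W. date/time stamp of DLL bound to (Old BIND)
    ForwarderChain: DWORD; // -1 if no forwarders
    Name: DWORD;
    FirstThunk: DWORD;     // RVA to IAT (if bound this IAT has actual addresses)
  end;
  TImageImportDescriptor = _IMAGE_IMPORT_DESCRIPTOR;
  IMAGE_IMPORT_DESCRIPTOR = _IMAGE_IMPORT_DESCRIPTOR;

//from BCB 6
const
  IMAGE_ORDINAL_FLAG32 = $80000000;

type
  PImageImportByName = ^TImageImportByName;
  PIMAGE_IMPORT_BY_NAME = ^TImageImportByName;
  _IMAGE_IMPORT_BY_NAME = packed record
    Hint: WORD;
    Name: BYTE; // array [0..1] of byte; C++ - BYTE Name[1]; first char of name
  end;
  TImageImportByName = _IMAGE_IMPORT_BY_NAME;
  IMAGE_IMPORT_BY_NAME = _IMAGE_IMPORT_BY_NAME;

  { Four readings of the same DWORD thunk value. }
  TITDMisc = packed record
    case integer of
      0: (ForwarderString: DWORD); //PBYTE
      1: (aFunction: DWORD);       //PDWORD
      2: (Ordinal: DWORD);
      3: (AddressOfData: DWORD);   //PIMAGE_IMPORT_BY_NAME
  end;

  PImageThunkData = ^TImageThunkData;
  PIMAGE_THUNK_DATA = ^TImageThunkData;
  _IMAGE_THUNK_DATA = packed record
    Misc: TITDMisc;
  end;
  TImageThunkData = _IMAGE_THUNK_DATA;
  IMAGE_THUNK_DATA = _IMAGE_THUNK_DATA;

  { Resources }

  PImageResourceDirectory = ^TImageResourceDirectory;
  _IMAGE_RESOURCE_DIRECTORY = packed record
    Characteristics: DWORD;
    TimeDateStamp: DWORD;
    MajorVersion: Word;
    MinorVersion: Word;
    NumberOfNamedEntries: Word;
    NumberOfIdEntries: Word;
  end;
  TImageResourceDirectory = _IMAGE_RESOURCE_DIRECTORY;
  IMAGE_RESOURCE_DIRECTORY = _IMAGE_RESOURCE_DIRECTORY;

  PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^IMAGE_RESOURCE_DIRECTORY_ENTRY;
  IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
    Name: DWORD; // Or ID: Word (Union)
    OffsetToData: DWORD;
  end;

  PIMAGE_RESOURCE_DATA_ENTRY = ^IMAGE_RESOURCE_DATA_ENTRY;
  IMAGE_RESOURCE_DATA_ENTRY = packed record
    OffsetToData: DWORD;
    Size: DWORD;
    CodePage: DWORD;
    Reserved: DWORD;
  end;

  PIMAGE_RESOURCE_DIR_STRING_U = ^IMAGE_RESOURCE_DIR_STRING_U;
  IMAGE_RESOURCE_DIR_STRING_U = packed record
    Length: WORD;
    // One-element placeholder; Length comes from the file and has to be
    // bounded before reading further characters.
    NameString: array[0..0] of WCHAR;
  end;

{ /* Predefined resource types */
  #define RT_NEWRESOURCE 0x2000
  #define RT_ERROR 0x7fff
  #define RT_CURSOR 1
  #define RT_BITMAP 2
  #define RT_ICON 3
  #define RT_MENU 4
  #define RT_DIALOG 5
  #define RT_STRING 6
  #define RT_FONTDIR 7
  #define RT_FONT 8
  #define RT_ACCELERATORS 9
  #define RT_RCDATA 10
  #define RT_MESSAGETABLE 11
  #define RT_GROUP_CURSOR 12
  #define RT_GROUP_ICON 14
  #define RT_VERSION 16
  #define RT_NEWBITMAP (RT_BITMAP|RT_NEWRESOURCE)
  #define RT_NEWMENU (RT_MENU|RT_NEWRESOURCE)
  #define RT_NEWDIALOG (RT_DIALOG|RT_NEWRESOURCE)
}

type
  { Ordinal of each member equals the RT_* number listed above (0..16). }
  TResourceType = (
    rtUnknown0,
    rtCursorEntry,
    rtBitmap,
    rtIconEntry,
    rtMenu,
    rtDialog,
    rtString,
    rtFontDir,
    rtFont,
    rtAccelerators,
    rtRCData,
    rtMessageTable,
    rtCursor,
    rtUnknown13,
    rtIcon,
    rtUnknown15,
    rtVersion);

{ Resource Type Constants }
const
  StringsPerBlock = 16;

{ Resource Related Structures from RESFMT.TXT in WIN32 SDK }
type
  PIconHeader = ^TIconHeader;
  TIconHeader = packed record
    wReserved: Word; { Currently zero }
    wType: Word;     { 1 for icons }
    wCount: Word;    { Number of components }
  end;

  PIconResInfo = ^TIconResInfo;
  TIconResInfo = packed record
    bWidth: Byte;
    bHeight: Byte;
    bColorCount: Byte;
    bReserved: Byte;
    wPlanes: Word;
    wBitCount: Word;
    lBytesInRes: DWORD;
    wNameOrdinal: Word; { Points to component }
  end;

  PCursorResInfo = ^TCursorResInfo;
  TCursorResInfo = packed record
    wWidth: Word;
    wHeight: Word;
    wPlanes: Word;
    wBitCount: Word;
    lBytesInRes: DWORD;
    wNameOrdinal: Word; { Points to component }
  end;

type
  PAccelTableEntry = ^TAccelTableEntry;
  ACCELTABLEENTRY = packed record
    fFlags: Word;
    wAnsi: Word;
    wId: Word;
    padding: Word;
  end;
  {$EXTERNALSYM ACCELTABLEENTRY}
  TAccelTableEntry = ACCELTABLEENTRY;

const
  IMAGE_SIZEOF_SYMBOL = 18;

type
  TISMisc1 = packed record
    Short: DWORD; // if 0, use LongName
    Long: DWORD;  // offset into string table
  end;

  TISMisc = packed record
    ShortName: Byte;
    Misc: TISMisc1;
    LongName: DWORD; // PBYTE [2]
  end;

  PIMAGE_SYMBOL = ^IMAGE_SYMBOL;
  { COFF symbol table entry (IMAGE_SIZEOF_SYMBOL = 18 bytes). }
  IMAGE_SYMBOL = packed record
    Misc: TISMisc1;
    Value: DWORD;
    SectionNumber: SHORT;
    wType: WORD;
    StorageClass: BYTE;
    NumberOfAuxSymbols: BYTE;
  end;

{ Display helpers. They only translate numeric header values into text; they
  do not validate the values. }
function GetCoffHeaderMachineStr(const Machine: WORD): string;
procedure GetCoffHeaderCharacteristics(const Characteristics: WORD; var sl: TStringList);
function GetPeHeaderSubsystemStr(const Subsystem: WORD): string;
function GetPeHeaderDllCharacteristicsStr(const DllCharacteristics: WORD): string;
procedure GetSectionCharacteristics(const Characteristics: DWORD; sl: TStringList);
function GetSectionFlagsStr(const Characteristics: DWORD): string;
function ImageSignatureStr(const Signature: DWORD): string;

implementation

{ Returns the two- or four-letter tag for an image signature, or
  '--unknown--' when the value is none of the signatures this unit knows.
  IMAGE_OS2_SIGNATURE_LE and IMAGE_VXD_SIGNATURE share one value, so both
  yield 'LE'. }
function ImageSignatureStr(const Signature: DWORD): string;
begin
  case Signature of
    IMAGE_DOS_SIGNATURE: Result := 'MZ';
    IMAGE_OS2_SIGNATURE: Result := 'NE';
    IMAGE_VXD_SIGNATURE: Result := 'LE';
    IMAGE_NT_SIGNATURE: Result := 'PE00';
  else
    Result := '--unknown--';
  end;
end;

{ Builds a compact tag string for a section's Characteristics mask by
  concatenating one short code per set flag, in a fixed order and without
  separators (for example 'CER' for code + execute + read). A result that
  contains both 'E' and 'W' denotes a section that is writable and executable
  at once. }
function GetSectionFlagsStr(const Characteristics: DWORD): string;
var
  c: DWORD;
  s: string;
begin
  s := '';
  c := Characteristics;
  // "<> 0" rather than "> 0": the test stays correct even if the masked value
  // is ever evaluated as a signed integer (IMAGE_SCN_MEM_WRITE is bit 31).
  if (c and IMAGE_SCN_CNT_CODE) <> 0 then s := s + 'C';
  if (c and IMAGE_SCN_CNT_INITIALIZED_DATA) <> 0 then s := s + 'I';
  if (c and IMAGE_SCN_CNT_UNINITIALIZED_DATA) <> 0 then s := s + 'U';
  if (c and IMAGE_SCN_LNK_INFO) <> 0 then s := s + 'Comm';
  if (c and IMAGE_SCN_LNK_REMOVE) <> 0 then s := s + 'Rmv';
  if (c and IMAGE_SCN_LNK_COMDAT) <> 0 then s := s + 'Comdat';
  if (c and IMAGE_SCN_LNK_NRELOC_OVFL) <> 0 then s := s + 'ExtReloc';
  if (c and IMAGE_SCN_MEM_DISCARDABLE) <> 0 then s := s + 'D';
  if (c and IMAGE_SCN_MEM_NOT_CACHED) <> 0 then s := s + 'NotC';
  if (c and IMAGE_SCN_MEM_NOT_PAGED) <> 0 then s := s + 'NotP';
  if (c and IMAGE_SCN_MEM_SHARED) <> 0 then s := s + 'S';
  if (c and IMAGE_SCN_MEM_EXECUTE) <> 0 then s := s + 'E';
  if (c and IMAGE_SCN_MEM_READ) <> 0 then s := s + 'R';
  if (c and IMAGE_SCN_MEM_WRITE) <> 0 then s := s + 'W';
  Result := s;
end;

{ Appends one descriptive line to sl for every flag set in a section's
  Characteristics mask. sl must be an existing list; lines are added in a
  fixed order and nothing is added for flags that are clear. }
procedure GetSectionCharacteristics(const Characteristics: DWORD; sl: TStringList);
var
  c: DWORD;
begin
  c := Characteristics;
  if (c and IMAGE_SCN_CNT_CODE) <> 0 then
    sl.Add('Section contains Code');
  if (c and IMAGE_SCN_CNT_INITIALIZED_DATA) <> 0 then
    sl.Add('Section contains Initialized Data');
  if (c and IMAGE_SCN_CNT_UNINITIALIZED_DATA) <> 0 then
    sl.Add('Section contains Uninitialized Data');
  if (c and IMAGE_SCN_LNK_INFO) <> 0 then
    sl.Add('Section contains Comments or some other type of information');
  if (c and IMAGE_SCN_LNK_REMOVE) <> 0 then
    sl.Add('Section contents will not become part of image');
  if (c and IMAGE_SCN_LNK_COMDAT) <> 0 then
    sl.Add('Section contents comdat');
  if (c and IMAGE_SCN_LNK_NRELOC_OVFL) <> 0 then
    sl.Add('Section contains Extended Relocations');
  if (c and IMAGE_SCN_MEM_DISCARDABLE) <> 0 then
    sl.Add('Section can be Discarded');
  if (c and IMAGE_SCN_MEM_NOT_CACHED) <> 0 then
    sl.Add('Section is Not Cachable');
  if (c and IMAGE_SCN_MEM_NOT_PAGED) <> 0 then
    sl.Add('Section is Not Pageable');
  if (c and IMAGE_SCN_MEM_SHARED) <> 0 then
    sl.Add('Section is Shareable');
  if (c and IMAGE_SCN_MEM_EXECUTE) <> 0 then
    sl.Add('Section is Executable');
  if (c and IMAGE_SCN_MEM_READ) <> 0 then
    sl.Add('Section is Readable');
  if (c and IMAGE_SCN_MEM_WRITE) <> 0 then
    sl.Add('Section is Writeable');
end;

{ Describes the optional header's DllCharacteristics field.

  The field is a bit mask, so every set bit is tested on its own and the
  matching descriptions are joined with ', '. The previous implementation used
  a "case" on the whole value and therefore returned '' whenever more than one
  bit was set, which is the normal situation for real images. A value with
  exactly one of NO_BIND / WDM_DRIVER / TERMINAL_SERVER_AWARE set still yields
  the same text as before; 0 still yields ''.

  The mitigation-related bits (ASLR, DEP, CFG, ...) are reported as well: their
  absence is often the interesting finding when reviewing a binary. }
function GetPeHeaderDllCharacteristicsStr(const DllCharacteristics: WORD): string;
const
  { Bits defined by the PE/COFF specification that are declared locally so
    this routine does not depend on further interface constants. }
  DLLCHAR_HIGH_ENTROPY_VA = $0020;
  DLLCHAR_DYNAMIC_BASE = $0040;
  DLLCHAR_FORCE_INTEGRITY = $0080;
  DLLCHAR_NX_COMPAT = $0100;
  DLLCHAR_NO_ISOLATION = $0200;
  DLLCHAR_NO_SEH = $0400;
  DLLCHAR_APPCONTAINER = $1000;
  DLLCHAR_GUARD_CF = $4000;
var
  s: string;

  { Appends Text to s (comma-separated) when Mask is set in the field. }
  procedure AddIfSet(const Mask: WORD; const Text: string);
  begin
    if (DllCharacteristics and Mask) <> 0 then
    begin
      if s <> '' then
        s := s + ', ';
      s := s + Text;
    end;
  end;

begin
  s := '';
  AddIfSet(DLLCHAR_HIGH_ENTROPY_VA, 'Image can handle a high-entropy 64-bit address space');
  AddIfSet(DLLCHAR_DYNAMIC_BASE, 'Image can be relocated at load time (ASLR)');
  AddIfSet(DLLCHAR_FORCE_INTEGRITY, 'Code integrity checks are enforced');
  AddIfSet(DLLCHAR_NX_COMPAT, 'Image is NX compatible (DEP)');
  AddIfSet(DLLCHAR_NO_ISOLATION, 'Image is isolation aware but must not be isolated');
  AddIfSet(DLLCHAR_NO_SEH, 'Image does not use structured exception handling');
  AddIfSet(IMAGE_DLLCHARACTERISTICS_NO_BIND, 'Do not bind this image');
  AddIfSet(DLLCHAR_APPCONTAINER, 'Image must execute in an AppContainer');
  AddIfSet(IMAGE_DLLCHARACTERISTICS_WDM_DRIVER, 'Driver uses WDM model');
  AddIfSet(DLLCHAR_GUARD_CF, 'Image supports Control Flow Guard');
  AddIfSet(IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE, 'Image is Terminal Server aware');
  Result := s;
end;

{ Returns a description of the optional header's Subsystem value, or
  '--unknown--' for values without an entry (including
  IMAGE_SUBSYSTEM_UNKNOWN). IMAGE_SUBSYSTEM_EFI_ROM and IMAGE_SUBSYSTEM_XBOX
  are declared by this unit and are now described too, instead of falling
  through to '--unknown--'. }
function GetPeHeaderSubsystemStr(const Subsystem: WORD): string;
begin
  case Subsystem of
    IMAGE_SUBSYSTEM_NATIVE:
      Result := 'Subsystem Native: Image doesn''t require a subsystem';
    IMAGE_SUBSYSTEM_WINDOWS_GUI:
      Result := 'Image runs in the Windows GUI subsystem';
    IMAGE_SUBSYSTEM_WINDOWS_CUI:
      Result := 'Image runs in the Windows character subsystem';
    IMAGE_SUBSYSTEM_OS2_CUI:
      Result := 'Image runs in the OS/2 character subsystem';
    IMAGE_SUBSYSTEM_POSIX_CUI:
      Result := 'Image run in the Posix character subsystem';
    IMAGE_SUBSYSTEM_RESERVED8:
      Result := 'Image run in the 8 subsystem';
    IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
      Result := 'Image runs in the Windows CE subsystem';
    IMAGE_SUBSYSTEM_EFI_APPLICATION:
      Result := 'Image is an EFI application';
    IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
      Result := 'Image is an EFI driver that provides boot services';
    IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
      Result := 'Image is an EFI driver that provides runtime services';
    IMAGE_SUBSYSTEM_EFI_ROM:
      Result := 'Image is an EFI ROM image';
    IMAGE_SUBSYSTEM_XBOX:
      Result := 'Image runs in the Xbox subsystem';
  else
    Result := '--unknown--';
  end;
end;

{ Appends descriptive lines for the COFF header's Characteristics mask to sl.
  Most flags produce a line either way (set or clear); IMAGE_FILE_DLL only
  produces one when set. sl must be an existing list.

  The DLL line used to read '32bit Library'. IMAGE_FILE_DLL says nothing about
  word size (that is IMAGE_FILE_32BIT_MACHINE, reported on its own line), so
  the text now matches the flag's meaning. }
procedure GetCoffHeaderCharacteristics(const Characteristics: WORD; var sl: TStringList);
var
  c: WORD;
begin
  c := Characteristics;
  if (c and IMAGE_FILE_EXECUTABLE_IMAGE) <> 0 then
    sl.Add('File is Executable')
  else
    sl.Add('File is Object/Library');

  if (c and IMAGE_FILE_DLL) <> 0 then
    sl.Add('File is a DLL');
  //else
  //  sl.Add('');

  if (c and IMAGE_FILE_32BIT_MACHINE) <> 0 then
    sl.Add('32bit word machine')
  else
    sl.Add('Non 32bit word machine');

  if (c and IMAGE_FILE_RELOCS_STRIPPED) <> 0 then
    sl.Add('Relocation info stripped from file')
  else
    sl.Add('Relocation info not stripped from file');

  if (c and IMAGE_FILE_LINE_NUMS_STRIPPED) <> 0 then
    sl.Add('Line numbers stripped from file')
  else
    sl.Add('Line numbers not stripped from file');

  if (c and IMAGE_FILE_LOCAL_SYMS_STRIPPED) <> 0 then
    sl.Add('Local symbols stripped from file')
  else
    sl.Add('Local symbols not stripped from file');

  if (c and IMAGE_FILE_DEBUG_STRIPPED) <> 0 then
    sl.Add('Debugging info stripped from file')
  else
    sl.Add('Debugging info not stripped from file');

  if (c and IMAGE_FILE_AGGRESIVE_WS_TRIM) <> 0 then
    sl.Add('Working set trimmed aggresively')
  else
    sl.Add('Working set trimmed normaly');

  if (c and IMAGE_FILE_BYTES_REVERSED_LO) <> 0 then
    sl.Add('Bytes of machine word are reversed')
  else
    sl.Add('Bytes of machine word are not reversed');
end;

{ Returns a display name for the COFF header's Machine value; values without
  an entry (and IMAGE_FILE_MACHINE_UNKNOWN) give 'Unknown'. $160 is the
  big-endian MIPS value mentioned next to IMAGE_FILE_MACHINE_R3000. }
function GetCoffHeaderMachineStr(const Machine: WORD): string;
begin
  case Machine of
    IMAGE_FILE_MACHINE_UNKNOWN: Result := 'Unknown';
    IMAGE_FILE_MACHINE_I386: Result := 'Intel 386';
    IMAGE_FILE_MACHINE_I486: Result := 'Intel 486';
    IMAGE_FILE_MACHINE_R3000: Result := 'MIPS little-endian';
    $160: Result := 'MIPS big-endian';
    IMAGE_FILE_MACHINE_R4000: Result := 'MIPS little-endian';
    IMAGE_FILE_MACHINE_R10000: Result := 'MIPS little-endian';
    IMAGE_FILE_MACHINE_WCEMIPSV2: Result := 'MIPS little-endian WCE v2';
    IMAGE_FILE_MACHINE_ALPHA: Result := 'Alpha_AXP';
    IMAGE_FILE_MACHINE_POWERPC: Result := 'IBM PowerPC little-endian';
    IMAGE_FILE_MACHINE_AMD64: Result := 'AMD64';
  else
    Result := 'Unknown';
  end;
end;

end.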