meta:
  id: microsoft_pe
  title: Microsoft PE (Portable Executable) file format
  application: Microsoft Windows
  file-extension:
    - exe
    - dll
    - sys
  xref:
    justsolve: Portable_Executable
    pronom: x-fmt/411
    wikidata: Q1076355
  tags:
    - executable
    - windows
  license: CC0-1.0
  ks-version: 0.7
  endian: le
  doc-ref: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
# Parsing is driven entirely by header fields the file author controls
# (ofs_pe, number_of_sections, size_of_optional_header, every data-directory
# offset and size). This spec validates only the "MZ" and "PE\0\0" signatures;
# all other offsets are trusted as-is, so a crafted or truncated file surfaces
# as a Kaitai EOF / seek error rather than a clean "malformed" verdict. When
# feeding untrusted samples, treat a parse exception as an expected outcome.
seq:
  - id: mz
    type: mz_placeholder
instances:
  pe:
    # Lazy: the NT headers are parsed on first access of `pe`, at the
    # e_lfanew offset copied verbatim from the DOS header (no range check).
    pos: mz.ofs_pe
    type: pe_header
enums:
  pe_format:
    # Magic of the optional header; selects the 32-/64-bit field widths below.
    0x107: rom_image
    0x10b: pe32
    0x20b: pe32_plus
types:
  mz_placeholder:
    # Minimal DOS header: only the "MZ" magic and e_lfanew are decoded; the
    # 0x3a bytes in between (e_cblp .. e_res2) and the DOS stub are skipped.
    seq:
      - id: magic
        contents: "MZ"
      - id: data1
        size: 0x3a
      - id: ofs_pe
        type: u4
        # Untrusted: nothing here constrains this offset to lie inside the
        # file or inside size_of_headers. Kaitai raises when `_root.pe` seeks
        # past EOF; the Windows loader applies its own range check, so the set
        # of files this spec parses and the set the loader accepts differ.
        doc: In PE file, an offset to PE header
pe_header:
seq:
- id: pe_signature
contents: ["PE", 0, 0]
- id: coff_hdr
type: coff_header
- id: optional_hdr
type: optional_header
size: coff_hdr.size_of_optional_header
- id: sections
repeat: expr
repeat-expr: coff_hdr.number_of_sections
type: section
instances:
certificate_table:
pos: optional_hdr.data_dirs.certificate_table.virtual_address
size: optional_hdr.data_dirs.certificate_table.size
type: certificate_table
if: optional_hdr.data_dirs.certificate_table.virtual_address != 0
coff_header:
doc-ref: 3.3. COFF File Header (Object and Image)
seq:
- id: machine
type: u2
enum: machine_type
- id: number_of_sections
type: u2
- id: time_date_stamp
type: u4
- id: pointer_to_symbol_table
type: u4
- id: number_of_symbols
type: u4
- id: size_of_optional_header
type: u2
- id: characteristics
type: u2
instances:
symbol_table_size:
value: number_of_symbols * 18
symbol_name_table_offset:
value: pointer_to_symbol_table + symbol_table_size
symbol_name_table_size:
pos: symbol_name_table_offset
type: u4
symbol_table:
pos: pointer_to_symbol_table
type: coff_symbol
repeat: expr
repeat-expr: number_of_symbols
enums:
machine_type:
# 3.3.1. Machine Types
0x0: unknown
0x1d3: am33
0x8664: amd64
0x1c0: arm
0xaa64: arm64
0x1c4: armnt
0xebc: ebc
0x14c: i386
0x200: ia64
0x9041: m32r
0x266: mips16
0x366: mipsfpu
0x466: mipsfpu16
0x1f0: powerpc
0x1f1: powerpcfp
0x166: r4000
0x5032: riscv32
0x5064: riscv64
0x5128: riscv128
0x1a2: sh3
0x1a3: sh3dsp
0x1a6: sh4
0x1a8: sh5
0x1c2: thumb
0x169: wcemipsv2
# Not mentioned in Microsoft documentation, but widely regarded
0x184: alpha
coff_symbol:
seq:
- id: name_annoying
type: annoyingstring
size: 8
#- id: name_zeroes
# type: u4
#- id: name_offset
# type: u4
- id: value
type: u4
- id: section_number
type: u2
- id: type
type: u2
- id: storage_class
type: u1
- id: number_of_aux_symbols
type: u1
instances:
#effective_name:
# value: name_zeroes == 0 ? name_from_offset : '"fixme"'
#name_from_offset:
# io: _root._io
# pos: name_zeroes == 0 ? _parent.symbol_name_table_offset + name_offset : 0
# type: str
# terminator: 0
# encoding: ascii
section:
value: _root.pe.sections[section_number - 1]
data:
pos: section.pointer_to_raw_data + value
size: 1
  annoyingstring:
    # COFF symbol name: an 8-byte field that holds either an inline,
    # NUL-padded short name or (when the first 4 bytes are zero) a u4 offset
    # into the string table that follows the symbol table.
    -webide-representation: '{name}'
    instances:
      name_zeroes:
        pos: 0
        type: u4
      name_offset:
        pos: 4
        type: u4
      name_from_offset:
        # Read from the root stream at string-table base + offset. The offset
        # is untrusted and is not checked against symbol_name_table_size;
        # `eos-error: false` only tolerates a string that runs off the end of
        # the file, a start offset past EOF still raises in most runtimes.
        io: _root._io
        pos: 'name_zeroes == 0 ? _parent._parent.symbol_name_table_offset + name_offset : 0'
        type: str
        terminator: 0
        eos-error: false
        encoding: ascii
        if: name_zeroes == 0
      name_from_short:
        # Inline name, ended by a NUL or by the end of the 8-byte field.
        # Bytes >= 0x80 are not valid ASCII and may raise in strict decoders.
        pos: 0
        type: str
        terminator: 0
        eos-error: false
        encoding: ascii
        if: name_zeroes != 0
      name:
        value: 'name_zeroes == 0 ? name_from_offset : name_from_short'
  optional_header:
    # Image-only "optional" header (mandatory for executables). It is parsed
    # inside a substream of size_of_optional_header bytes, so any of the three
    # parts running past that size raises EOF rather than bleeding into the
    # section table.
    seq:
      - id: std
        type: optional_header_std
      - id: windows
        type: optional_header_windows
      - id: data_dirs
        type: optional_header_data_dirs
  optional_header_std:
    # COFF-common part of the optional header. `format` (the Magic field)
    # selects PE32 vs PE32+ and drives the conditional field widths in
    # optional_header_windows.
    seq:
      - id: format
        type: u2
        enum: pe_format
      - id: major_linker_version
        type: u1
      - id: minor_linker_version
        type: u1
      - id: size_of_code
        type: u4
      - id: size_of_initialized_data
        type: u4
      - id: size_of_uninitialized_data
        type: u4
      - id: address_of_entry_point
        type: u4
        # An RVA, not a file offset; 0 is legal for a DLL without an entry
        # point. Not validated against size_of_image or any section, so an
        # entry point outside every section (or inside a non-executable one)
        # is not detected here.
      - id: base_of_code
        type: u4
      - id: base_of_data
        type: u4
        # Absent in PE32+, where the slot is taken by the 64-bit image_base.
        if: format == pe_format::pe32
  optional_header_windows:
    # Windows-specific part of the optional header. Each width-dependent
    # field is split into a _32 / _64 pair selected by the Magic in `std`;
    # exactly one of each pair is present for PE32 / PE32+. A rom_image
    # (0x107) matches neither branch, so its remaining fields decode
    # misaligned.
    seq:
      - id: image_base_32
        type: u4
        if: _parent.std.format == pe_format::pe32
      - id: image_base_64
        type: u8
        if: _parent.std.format == pe_format::pe32_plus
      - id: section_alignment
        type: u4
      - id: file_alignment
        type: u4
        # Not validated: the spec wants section_alignment >= file_alignment,
        # file_alignment a power of two in 512..64K, and the two equal when
        # section_alignment is below the page size. Malformed alignments are
        # a common crafted-PE trick.
      - id: major_operating_system_version
        type: u2
      - id: minor_operating_system_version
        type: u2
      - id: major_image_version
        type: u2
      - id: minor_image_version
        type: u2
      - id: major_subsystem_version
        type: u2
      - id: minor_subsystem_version
        type: u2
      - id: win32_version_value
        type: u4
      - id: size_of_image
        type: u4
      - id: size_of_headers
        type: u4
      - id: check_sum
        type: u4
        # Not recomputed here. The loader verifies it only for drivers, DLLs
        # loaded at boot and DLLs loaded into critical system processes; for
        # ordinary executables a wrong or zero checksum is tolerated, so a
        # mismatch is a tampering hint, not proof.
      - id: subsystem
        type: u2
        enum: subsystem_enum
      - id: dll_characteristics
        type: u2
        # IMAGE_DLLCHARACTERISTICS_* mitigation flags: 0x0020 HIGH_ENTROPY_VA,
        # 0x0040 DYNAMIC_BASE (ASLR), 0x0100 NX_COMPAT (DEP), 0x0400 NO_SEH,
        # 0x4000 GUARD_CF. Missing flags are a useful hardening-audit signal.
      - id: size_of_stack_reserve_32
        type: u4
        if: _parent.std.format == pe_format::pe32
      - id: size_of_stack_reserve_64
        type: u8
        if: _parent.std.format == pe_format::pe32_plus
      - id: size_of_stack_commit_32
        type: u4
        if: _parent.std.format == pe_format::pe32
      - id: size_of_stack_commit_64
        type: u8
        if: _parent.std.format == pe_format::pe32_plus
      - id: size_of_heap_reserve_32
        type: u4
        if: _parent.std.format == pe_format::pe32
      - id: size_of_heap_reserve_64
        type: u8
        if: _parent.std.format == pe_format::pe32_plus
      - id: size_of_heap_commit_32
        type: u4
        if: _parent.std.format == pe_format::pe32
      - id: size_of_heap_commit_64
        type: u8
        if: _parent.std.format == pe_format::pe32_plus
      - id: loader_flags
        type: u4
      - id: number_of_rva_and_sizes
        type: u4
        # Number of data_dir entries that actually follow; the loader honors
        # this count when locating directories.
    enums:
      subsystem_enum:
        0: unknown
        1: native
        2: windows_gui
        3: windows_cui
        7: posix_cui
        9: windows_ce_gui
        10: efi_application
        11: efi_boot_service_driver
        12: efi_runtime_driver
        13: efi_rom
        14: xbox
        16: windows_boot_application
optional_header_data_dirs:
seq:
- id: export_table
type: data_dir
- id: import_table
type: data_dir
- id: resource_table
type: data_dir
- id: exception_table
type: data_dir
- id: certificate_table
type: data_dir
- id: base_relocation_table
type: data_dir
- id: debug
type: data_dir
- id: architecture
type: data_dir
- id: global_ptr
type: data_dir
- id: tls_table
type: data_dir
- id: load_config_table
type: data_dir
- id: bound_import
type: data_dir
- id: iat
type: data_dir
- id: delay_import_descriptor
type: data_dir
- id: clr_runtime_header
type: data_dir
  data_dir:
    # One IMAGE_DATA_DIRECTORY entry. `virtual_address` is an RVA for every
    # directory except the certificate table, where it is a file offset.
    # Neither field is validated; an all-zero entry means "absent".
    seq:
      - id: virtual_address
        type: u4
      - id: size
        type: u4
  section:
    # One IMAGE_SECTION_HEADER (40 bytes). All offsets and sizes are untrusted.
    -webide-representation: "{name}"
    seq:
      - id: name
        type: str
        encoding: UTF-8
        size: 8
        pad-right: 0
        # Section names are arbitrary bytes in practice (packers and malware
        # routinely use non-text names); a strict UTF-8 decoder in the target
        # runtime will raise here and fail the whole section table.
      - id: virtual_size
        type: u4
      - id: virtual_address
        type: u4
      - id: size_of_raw_data
        type: u4
        # If smaller than virtual_size the remainder is zero-filled at load
        # time. A raw size larger than the file, or a raw pointer past EOF, is
        # a classic malformed-PE pattern that `body` raises on when accessed.
      - id: pointer_to_raw_data
        type: u4
      - id: pointer_to_relocations
        type: u4
      - id: pointer_to_linenumbers
        type: u4
      - id: number_of_relocations
        type: u2
      - id: number_of_linenumbers
        type: u2
      - id: characteristics
        type: u4
        # IMAGE_SCN_* flags. Page-protection bits: 0x20000000 execute,
        # 0x40000000 read, 0x80000000 write (0xe0000000 = RWX, worth flagging).
    instances:
      body:
        # Lazy slice of the raw section contents; nothing checks that the
        # slice lies within the file until this instance is accessed.
        pos: pointer_to_raw_data
        size: size_of_raw_data
  certificate_table:
    # Attribute certificate table (Authenticode). Parsed in a substream sized
    # by the data directory, so `repeat: eos` stops at the declared size; a
    # size that overshoots EOF raises when `pe.certificate_table` is accessed.
    # Entries are only located and split here: nothing verifies the PKCS#7
    # signature, the signer chain, or that the embedded digest matches the
    # image. The presence of a table is not evidence that the file is signed
    # by anyone in particular.
    seq:
      - id: items
        type: certificate_entry
        repeat: eos
certificate_entry:
doc-ref: 'https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#the-attribute-certificate-table-image-only'
enums:
certificate_revision:
0x0100:
id: revision_1_0
doc: |
Version 1, legacy version of the Win_Certificate structure.
It is supported only for purposes of verifying legacy Authenticode signatures
0x0200:
id: revision_2_0
doc: Version 2 is the current version of the Win_Certificate structure.
certificate_type:
0x0001:
id: x509
doc: |
bCertificate contains an X.509 Certificate
Not Supported
0x0002:
id: pkcs_signed_data
doc: 'bCertificate contains a PKCS#7 SignedData structure'
0x0003:
id: reserved_1
doc: 'Reserved'
0x0004:
id: ts_stack_signed
doc: |
Terminal Server Protocol Stack Certificate signing
Not Supported
seq:
- id: length
-orig-id: dwLength
type: u4
doc: Specifies the length of the attribute certificate entry.
- id: revision
-orig-id: wRevision
type: u2
enum: certificate_revision
doc: Contains the certificate version number.
- id: certificate_type
-orig-id: wCertificateType
type: u2
enum: certificate_type
doc: Specifies the type of content in bCertificate
- id: certificate_bytes
-orig-id: bCertificate
size: length - 8
doc: Contains a certificate, such as an Authenticode signature.