Package ghidra.app.util.bin.format.pe

Class FileHeader

  • All Implemented Interfaces:
    StructConverter
    public class FileHeader
extends java.lang.Object
implements StructConverter
    A class to represent the IMAGE_FILE_HEADER struct as defined in winnt.h. 
     typedef struct _IMAGE_FILE_HEADER {
     WORD    Machine;                                                           // MANDATORY
     WORD    NumberOfSections;                                  // USED
     DWORD   TimeDateStamp;
     DWORD   PointerToSymbolTable;
     DWORD   NumberOfSymbols;
     WORD    SizeOfOptionalHeader;                              // USED
     WORD    Characteristics;                                           // MANDATORY
 } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

    • Field Detail

      • NAME

        public static final java.lang.String NAME
        The name to use when converting into a structure data type.
        See Also:
        Constant Field Values

      • IMAGE_SIZEOF_FILE_HEADER

        public static final int IMAGE_SIZEOF_FILE_HEADER
        The size of the IMAGE_FILE_HEADER in bytes.
        See Also:
        Constant Field Values

      • IMAGE_FILE_RELOCS_STRIPPED

        public static final int IMAGE_FILE_RELOCS_STRIPPED
        Relocation info stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_EXECUTABLE_IMAGE

        public static final int IMAGE_FILE_EXECUTABLE_IMAGE
        File is executable (no unresolved externel references).
        See Also:
        Constant Field Values

      • IMAGE_FILE_LINE_NUMS_STRIPPED

        public static final int IMAGE_FILE_LINE_NUMS_STRIPPED
        Line nunbers stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_LOCAL_SYMS_STRIPPED

        public static final int IMAGE_FILE_LOCAL_SYMS_STRIPPED
        Local symbols stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_AGGRESIVE_WS_TRIM

        public static final int IMAGE_FILE_AGGRESIVE_WS_TRIM
        Agressively trim working set
        See Also:
        Constant Field Values

      • IMAGE_FILE_LARGE_ADDRESS_AWARE

        public static final int IMAGE_FILE_LARGE_ADDRESS_AWARE
        App can handle >2gb addresses
        See Also:
        Constant Field Values

      • IMAGE_FILE_BYTES_REVERSED_LO

        public static final int IMAGE_FILE_BYTES_REVERSED_LO
        Bytes of machine word are reversed.
        See Also:
        Constant Field Values

      • IMAGE_FILE_32BIT_MACHINE

        public static final int IMAGE_FILE_32BIT_MACHINE
        32 bit word machine.
        See Also:
        Constant Field Values

      • IMAGE_FILE_DEBUG_STRIPPED

        public static final int IMAGE_FILE_DEBUG_STRIPPED
        Debugging info stripped from file in .DBG file
        See Also:
        Constant Field Values

      • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

        public static final int IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
        If Image is on removable media, copy and run from the swap file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_NET_RUN_FROM_SWAP

        public static final int IMAGE_FILE_NET_RUN_FROM_SWAP
        If Image is on Net, copy and run from the swap file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_SYSTEM

        public static final int IMAGE_FILE_SYSTEM
        System File.
        See Also:
        Constant Field Values

      • IMAGE_FILE_UP_SYSTEM_ONLY

        public static final int IMAGE_FILE_UP_SYSTEM_ONLY
        File should only be run on a UP machine.
        See Also:
        Constant Field Values

      • IMAGE_FILE_BYTES_REVERSED_HI

        public static final int IMAGE_FILE_BYTES_REVERSED_HI
        Bytes of machine word are reversed.
        See Also:
        Constant Field Values

      • CHARACTERISTICS

        public static final java.lang.String[] CHARACTERISTICS

      • IMAGE_FILE_MACHINE_MASK NEW

        public static final int IMAGE_FILE_MACHINE_MASK
        Values for the Machine field indicating the intended processor architecture
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_UNKNOWN NEW

        public static final int IMAGE_FILE_MACHINE_UNKNOWN
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_AM33 NEW

        public static final int IMAGE_FILE_MACHINE_AM33
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_AMD64 NEW

        public static final int IMAGE_FILE_MACHINE_AMD64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_ARM NEW

        public static final int IMAGE_FILE_MACHINE_ARM
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_ARM64 NEW

        public static final int IMAGE_FILE_MACHINE_ARM64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_ARMNT NEW

        public static final int IMAGE_FILE_MACHINE_ARMNT
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_EBC NEW

        public static final int IMAGE_FILE_MACHINE_EBC
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_I386 NEW

        public static final int IMAGE_FILE_MACHINE_I386
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_IA64 NEW

        public static final int IMAGE_FILE_MACHINE_IA64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_M32R NEW

        public static final int IMAGE_FILE_MACHINE_M32R
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPS16 NEW

        public static final int IMAGE_FILE_MACHINE_MIPS16
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPSFPU NEW

        public static final int IMAGE_FILE_MACHINE_MIPSFPU
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPSFPU16 NEW

        public static final int IMAGE_FILE_MACHINE_MIPSFPU16
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_POWERPC NEW

        public static final int IMAGE_FILE_MACHINE_POWERPC
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_POWERPCFP NEW

        public static final int IMAGE_FILE_MACHINE_POWERPCFP
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_R4000 NEW

        public static final int IMAGE_FILE_MACHINE_R4000
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV32 NEW

        public static final int IMAGE_FILE_MACHINE_RISCV32
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV64 NEW

        public static final int IMAGE_FILE_MACHINE_RISCV64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV128 NEW

        public static final int IMAGE_FILE_MACHINE_RISCV128
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_SH3 NEW

        public static final int IMAGE_FILE_MACHINE_SH3
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_SH3DSP NEW

        public static final int IMAGE_FILE_MACHINE_SH3DSP
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_SH4 NEW

        public static final int IMAGE_FILE_MACHINE_SH4
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_SH5 NEW

        public static final int IMAGE_FILE_MACHINE_SH5
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_THUMB NEW

        public static final int IMAGE_FILE_MACHINE_THUMB
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_WCEMIPSV2 NEW

        public static final int IMAGE_FILE_MACHINE_WCEMIPSV2
        See Also:
        Constant Field Values

Constructor Detail

  • Method Detail

    • getMachine

      public short getMachine()
      Returns the architecture type of the computer.
      Returns:
      the architecture type of the computer

    • getMachineName

      public java.lang.String getMachineName()
      Returns a string representation of the architecture type of the computer.
      Returns:
      a string representation of the architecture type of the computer

    • getNumberOfSections

      public int getNumberOfSections()
      Returns the number of sections. Sections equate to Ghidra memory blocks.
      Returns:
      the number of sections

    • getSectionHeaders

      public SectionHeader[] getSectionHeaders()
      Returns the array of section headers.
      Returns:
      the array of section headers

    • getSymbols

      public java.util.List<DebugCOFFSymbol> getSymbols()
      Returns the array of symbols.
      Returns:
      the array of symbols

    • getImageRuntimeFunctionEntries NEW

      public java.util.List<ImageRuntimeFunctionEntries._IMAGE_RUNTIME_FUNCTION_ENTRY> getImageRuntimeFunctionEntries()
      Returns the array of RUNTIME_INFO entries, if any are present.
      Returns:
      An array of _IMAGE_RUNTIME_FUNCTION_ENTRY. The array can be empty. TODO: This is x86-64 architecture-specific and needs to be generalized.

    • getSectionHeaderContaining

      public SectionHeader getSectionHeaderContaining​(int virtualAddr)
      Returns the section header that contains the specified virtual address.
      Parameters:
      virtualAddr - the virtual address
      Returns:
      the section header that contains the specified virtual address

    • getSectionHeader

      public SectionHeader getSectionHeader​(int index)
      Returns the section header at the specified position in the array.
      Parameters:
      index - index of section header to return
      Returns:
      the section header at the specified position in the array, or null if invalid

    • getTimeDateStamp

      public int getTimeDateStamp()
      Returns the time stamp of the image.
      Returns:
      the time stamp of the image

    • getPointerToSymbolTable

      public int getPointerToSymbolTable()
      Returns the file offset of the COFF symbol table
      Returns:
      the file offset of the COFF symbol table

    • getNumberOfSymbols

      public int getNumberOfSymbols()
      Returns the number of symbols in the COFF symbol table
      Returns:
      the number of symbols in the COFF symbol table

    • getSizeOfOptionalHeader

      public int getSizeOfOptionalHeader()
      Returns the size of the optional header data
      Returns:
      the size of the optional header, in bytes

    • getCharacteristics

      public int getCharacteristics()
      Returns a set of bit flags indicating attributes of the file.
      Returns:
      a set of bit flags indicating attributes

    • getPointerToSections

      public int getPointerToSections()
      Returns the file pointer to the section headers.
      Returns:
      the file pointer to the section headers

    • isLordPE

      public boolean isLordPE()

    • toDataType

      public DataType toDataType()
                    throws DuplicateNameException
      Description copied from interface: StructConverter
      Returns a structure datatype representing the contents of the implementor of this interface.

      For example, given: 

       class A {
     int foo;
     double bar;
 }

      The return value should be a structure data type with two data type components; an INT and a DOUBLE. The structure should contain field names and, if possible, field comments.

      Specified by:
      toDataType in interface StructConverter
      Returns:
      returns a structure datatype representing the implementor of this interface
      Throws:
      DuplicateNameException - when a datatype of the same name already exists
      See Also:
      StructConverter.toDataType()

    • addSection

      public void addSection​(MemoryBlock block,
                       OptionalHeader optionalHeader)
      Adds a new section to this file header. Uses the given memory block as the section template. The section will have the memory block's name, start address, size, etc. The optional header is needed to determine the free byte position in the file.
      Parameters:
      block - the memory block template
      optionalHeader - the related optional header
      Throws:
      java.lang.RuntimeException - if the memory block is uninitialized