1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
|
%define PREFIX_OPERANDSIZE db 66h
IMAGE_RESOURCE_DATA_IS_DIRECTORY equ 80000000h
PAGE_READWRITE equ 4
ExceptionContinueExecution equ 0
DLL_PROCESS_ATTACH equ 1
DLL_PROCESS_DETACH equ 0
IMAGE_SCN_CNT_CODE equ 000000020h
IMAGE_SCN_CNT_INITIALIZED_DATA equ 000000040h
IMAGE_SCN_MEM_SHARED equ 010000000h
IMAGE_SCN_MEM_EXECUTE equ 020000000h
IMAGE_SCN_MEM_READ equ 040000000h
IMAGE_SCN_MEM_WRITE equ 080000000h
MEM_COMMIT equ 1000h
BREAKPOINT equ 080000003h
SINGLE_STEP equ 80000004h
ACCESS_VIOLATION equ 0c0000005h
INVALID_HANDLE equ 0C0000008h
INVALID_LOCK_SEQUENCE equ 0C000001eh
INTEGER_DIVIDE_BY_ZERO equ 0C0000094h
INTEGER_OVERFLOW equ 0C0000095h
PRIVILEGED_INSTRUCTION equ 0C0000096h
struc exceptionHandler
.pException resd 1 ; EXCEPTION_RECORD
.pRegistrationRecord resd 1 ; EXCEPTION_REGISTRATION_RECORD
.pContext resd 1 ; CONTEXT
endstruc
SIZE_OF_80387_REGISTERS equ 80
MAXIMUM_SUPPORTED_EXTENSION equ 512
struc CONTEXT
.ContextFlags resd 1
;CONTEXT_DEBUG_REGISTERS
.iDr0 resd 1
.iDr1 resd 1
.iDr2 resd 1
.iDr3 resd 1
.iDr6 resd 1
.iDr7 resd 1
;CONTEXT_FLOATING_POINT
.ControlWord resd 1
.StatusWord resd 1
.TagWord resd 1
.ErrorOffset resd 1
.ErrorSelector resd 1
.DataOffset resd 1
.DataSelector resd 1
.RegisterArea resb SIZE_OF_80387_REGISTERS
.Cr0NpxState resd 1
;CONTEXT_SEGMENTS
.regGs resd 1
.regFs resd 1
.regEs resd 1
.regDs resd 1
;CONTEXT_INTEGER
.regEdi resd 1
.regEsi resd 1
.regEbx resd 1
.regEdx resd 1
.regEcx resd 1
.regEax resd 1
;CONTEXT_CONTROL
.regEbp resd 1
.regEip resd 1
.regCs resd 1
.regFlag resd 1
.regEsp resd 1
.regSs resd 1
;CONTEXT_EXTENDED_REGISTERS
.ExtendedRegisters resb MAXIMUM_SUPPORTED_EXTENSION
endstruc
IMAGE_SIZEOF_SHORT_NAME equ 8
struc IMAGE_DOS_HEADER
.e_magic resw 1
.e_cblp resw 1
.e_cp resw 1
.e_crlc resw 1
.e_cparhdr resw 1
.e_minalloc resw 1
.e_maxalloc resw 1
.e_ss resw 1
.e_sp resw 1
.e_csum resw 1
.e_ip resw 1
.e_cs resw 1
.e_lfarlc resw 1
.e_ovno resw 1
.e_res resw 4
.e_oemid resw 1
.e_oeminfo resw 1
.e_res2 resw 10
.e_lfanew resd 1
endstruc
struc IMAGE_NT_HEADERS
.Signature resd 1
; .FileHeader resb IMAGE_FILE_HEADER_size
; .OptionalHeader resb IMAGE_OPTIONAL_HEADER32_size
endstruc
struc IMAGE_FILE_HEADER
.Machine resw 1
.NumberOfSections resw 1
.TimeDateStamp resd 1
.PointerToSymbolTable resd 1
.NumberOfSymbols resd 1
.SizeOfOptionalHeader resw 1
.Characteristics resw 1
endstruc
IMAGE_FILE_MACHINE_I386 equ 014ch
IMAGE_FILE_DLL equ 02000h
IMAGE_NT_OPTIONAL_HDR32_MAGIC equ 010bh
struc IMAGE_OPTIONAL_HEADER32
.Magic resw 1
.MajorLinkerVersion resb 1
.MinorLinkerVersion resb 1
.SizeOfCode resd 1
.SizeOfInitializedData resd 1
.SizeOfUninitializedData resd 1
.AddressOfEntryPoint resd 1
.BaseOfCode resd 1
.BaseOfData resd 1
.ImageBase resd 1
.SectionAlignment resd 1
.FileAlignment resd 1
.MajorOperatingSystemVersion resw 1
.MinorOperatingSystemVersion resw 1
.MajorImageVersion resw 1
.MinorImageVersion resw 1
.MajorSubsystemVersion resw 1
.MinorSubsystemVersion resw 1
.Win32VersionValue resd 1
.SizeOfImage resd 1
.SizeOfHeaders resd 1
.CheckSum resd 1
.Subsystem resw 1
.DllCharacteristics resw 1
.SizeOfStackReserve resd 1
.SizeOfStackCommit resd 1
.SizeOfHeapReserve resd 1
.SizeOfHeapCommit resd 1
.LoaderFlags resd 1
.NumberOfRvaAndSizes resd 1
.DataDirectory resb 0
endstruc
struc IMAGE_DATA_DIRECTORY
VirtualAddress resd 1
isize resd 1
endstruc
struc IMAGE_DATA_DIRECTORY_16
.ExportsVA resd 1
.ExportsSize resd 1
.ImportsVA resd 1
.ImportsSize resd 1
.ResourceVA resd 1
.ResourceSize resd 1
.Exception resd 2
.Security resd 2
.FixupsVA resd 1
.FixupsSize resd 1
.DebugVA resd 1
.DebugSize resd 1
.Description resd 2
.MIPS resd 2
.TLSVA resd 1
.TLSSize resd 1
.Load resd 2
.BoundImportsVA resd 1
.BoundImportsSize resd 1
.IATVA resd 1
.IATSize resd 1
.DelayImportsVA resd 1
.DelayImportsSize resd 1
.COM resd 2
.reserved resd 2
endstruc
struc IMAGE_SECTION_HEADER
.Name resb IMAGE_SIZEOF_SHORT_NAME
.VirtualSize resd 1
.VirtualAddress resd 1
.SizeOfRawData resd 1
.PointerToRawData resd 1
.PointerToRelocations resd 1
.PointerToLinenumbers resd 1
.NumberOfRelocations resw 1
.NumberOfLinenumbers resw 1
.Characteristics resd 1
endstruc
IMAGE_SUBSYSTEM_WINDOWS_CUI equ 3
IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2
IMAGE_FILE_RELOCS_STRIPPED equ 00001h
IMAGE_FILE_EXECUTABLE_IMAGE equ 00002h
IMAGE_FILE_LINE_NUMS_STRIPPED equ 00004h
IMAGE_FILE_LOCAL_SYMS_STRIPPED equ 00008h
IMAGE_FILE_32BIT_MACHINE equ 00100h
%macro _ 0
nop
%endmacro
%macro _c 0
int3
align 4, int3
%endmacro
%macro _d 0
db 0
align 16, db 0
%endmacro
%macro setSEH 1
push %1
push dword [fs:0]
mov [fs:0], esp
%endmacro
%macro clearSEH 0
pop dword [fs:0]
add esp, 4
%endmacro
struc IMAGE_OPTIONAL_HEADER64
.Magic resw 1
.MajorLinkerVersion resb 1
.MinorLinkerVersion resb 1
.SizeOfCode resd 1
.SizeOfInitializedData resd 1
.SizeOfUninitializedData resd 1
.AddressOfEntryPoint resd 1
.BaseOfCode resd 1
.ImageBase resq 1
.SectionAlignment resd 1
.FileAlignment resd 1
.MajorOperatingSystemVersion resw 1
.MinorOperatingSystemVersion resw 1
.MajorImageVersion resw 1
.MinorImageVersion resw 1
.MajorSubsystemVersion resw 1
.MinorSubsystemVersion resw 1
.Win32VersionValue resd 1
.SizeOfImage resd 1
.SizeOfHeaders resd 1
.CheckSum resd 1
.Subsystem resw 1
.DllCharacteristics resw 1
.SizeOfStackReserve resq 1
.SizeOfStackCommit resq 1
.SizeOfHeapReserve resq 1
.SizeOfHeapCommit resq 1
.LoaderFlags resd 1
.NumberOfRvaAndSizes resd 1
.DataDirectory resb 0
endstruc
IMAGE_FILE_MACHINE_AMD64 equ 8664h
IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 020bh
IMAGE_REL_BASED_ABSOLUTE equ 0 ; used for padding
IMAGE_REL_BASED_HIGH equ 1
IMAGE_REL_BASED_LOW equ 2 ; does nothing
IMAGE_REL_BASED_HIGHLOW equ 3 ;
IMAGE_REL_BASED_HIGHADJ equ 4 ; takes an argument but actually does nothing
IMAGE_REL_BASED_MIPS_JMPADDR equ 5 ; until W7 only
IMAGE_REL_BASED_SECTION equ 6 ; until W7 only ; does nothing anyway
IMAGE_REL_BASED_REL32 equ 7 ; until W7 only ; does nothing anyway
; 8 is always rejected, historically
IMAGE_REL_BASED_MIPS_JMPADDR16 equ 9
IMAGE_REL_BASED_IA64_IMM64 equ 9
IMAGE_REL_BASED_DIR64 equ 10
IMAGE_REL_BASED_HIGH3ADJ equ 11 ; Win2k only
CR equ 0dh
EOF equ 1ah
LF equ 0ah
struc IMAGE_RESOURCE_DIRECTORY
.Characteristics resd 1
.TimeDateStamp resd 1
.MajorVersion resw 1
.MinorVersion resw 1
.NumberOfNamedEntries resw 1
.NumberOfIdEntries resw 1
endstruc
struc IMAGE_RESOURCE_DIRECTORY_ENTRY
.NameID resd 1
.OffsetToData resd 1
endstruc
struc IMAGE_RESOURCE_DATA_ENTRY
.OffsetToData resd 1
.Size1 resd 1
.CodePage resd 1
.Reserved resd 1
endstruc
struc _IMAGE_DELAY_IMPORT_DESCRIPTOR
.grAttrs resd 1 ; attributes
.rvaDLLName resd 1 ; RVA to dll name
.rvaHmod resd 1 ; RVA of module handle
.rvaIAT resd 1 ; RVA of the IAT
.rvaINT resd 1 ; RVA of the INT
.rvaBoundIAT resd 1 ; RVA of the optional bound IAT
.rvaUnloadIAT resd 1 ; RVA of optional copy of original IAT
.dwTimeStamp resd 1 ; 0 if not bound
endstruc
struc TRUNC_OPTIONAL_HEADER32
.Magic resw 1
.MajorLinkerVersion resb 1
.MinorLinkerVersion resb 1
.SizeOfCode resd 1
.SizeOfInitializedData resd 1
.SizeOfUninitializedData resd 1
.AddressOfEntryPoint resd 1
.BaseOfCode resd 1
.BaseOfData resd 1
.ImageBase resd 1
.SectionAlignment resd 1
.FileAlignment resd 1
.MajorOperatingSystemVersion resw 1
.MinorOperatingSystemVersion resw 1
.MajorImageVersion resw 1
.MinorImageVersion resw 1
.MajorSubsystemVersion resw 1
.MinorSubsystemVersion resw 1
.Win32VersionValue resd 1
.SizeOfImage resd 1
.SizeOfHeaders resd 1
.CheckSum resd 1
.Subsystem resb 1 ; truncated as a byte
; no more data
endstruc
struc VS_FIXEDFILEINFO
.dwSignature resd 1
.dwStrucVersion resd 1
.dwFileVersionMS resd 1
.dwFileVersionLS resd 1
.dwProductVersionMS resd 1
.dwProductVersionLS resd 1
.dwFileFlagsMask resd 1
.dwFileFlags resd 1
.dwFileOS resd 1
.dwFileType resd 1
.dwFileSubtype resd 1
.dwFileDateMS resd 1
.dwFileDateLS resd 1
endstruc
CREATEPROCESS_MANIFEST_RESOURCE_ID EQU 1
ISOLATIONAWARE_MANIFEST_RESOURCE_ID EQU 2
ISOLATIONAWARE_NOSTATICIMPORT_MANIFEST_RESOURCE_ID EQU 3
struc ACTCTX ; typedef struct tagACTCTX {
.cbSize resd 1 ; ULONG cbSize;
.dwFlags resd 1 ; DWORD dwFlags;
.lpSource resd 1 ; LPCWSTR lpSource;
.wProcessorArchitecture resw 1 ; USHORT wProcessorArchitecture;
.wLangId resw 1 ; LANGID wLangId;
.lpAssemblyDirectory resd 1 ; LPCTSTR lpAssemblyDirectory;
.lpResourceName resd 1 ; LPCTSTR lpResourceName;
.lpApplicationName resd 1 ; LPCTSTR lpApplicationName;
.hModule resd 1 ; HMODULE hModule;
endstruc ; } ACTCTX, *PACTCTX;
ACTCTX_FLAG_PROCESSOR_ARCHITECTURE_VALID equ 1
ACTCTX_FLAG_LANGID_VALID equ 2
ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID equ 4
ACTCTX_FLAG_RESOURCE_NAME_VALID equ 8
ACTCTX_FLAG_SET_PROCESS_DEFAULT equ 16
ACTCTX_FLAG_APPLICATION_NAME_VALID equ 32
ACTCTX_FLAG_HMODULE_VALID equ 128
; widechar string macro
%macro WIDE 1
%assign %%__i 1
%strlen %%__len %1
%rep %%__len
%substr %%__c %1 %%__i
db %%__c
db 0
%assign %%__i %%__i + 1
%endrep
db 0, 0
%endmacro
%macro _widestr_no0 1
%assign %%__i 1
%strlen %%__len %1
%rep %%__len
%substr %%__c %1 %%__i
db %%__c
db 0
%assign %%__i %%__i + 1
%endrep
%endmacro
%macro __string 2
%%string:
dw %%SLEN
dw %%VALLEN / 2 ; dammit !
dw 1 ; text type
WIDE %1
align 4, db 0
%%val:
WIDE %2
%%VALLEN equ $ - %%val
align 4, db 0
%%SLEN equ $ - %%string
%endmacro
struc RUNTIME_FUNCTION
.FunctionStart resd 1
.FunctionEnd resd 1
.UnwindInfo resd 1
endstruc
struc UNWIND_INFO
.Ver3_Flags resb 1 ; versions and flags
.PrologSize resb 1
.CntUnwindCodes resb 1
.FrReg_FrRegOff resb 1 ; frame register and offsets
; dd ExceptionHandler or FunctionEntry
; ExceptionData
endstruc
struc UNWIND_CODE
.PrologOff resb 1
.OpCode_OpInfo resb 1 ; operation code and info
endstruc
UNW_FLAG_EHANDLER equ 1
struc IMAGE_DEBUG_DIRECTORY
.Characteristics resd 1
.TimeDateStamp resd 1
.MajorVersion resw 1
.MinorVersion resw 1
.Type resd 1
.SizeOfData resd 1
.AddressOfRawData resd 1
.PointerToRawData resd 1
endstruc
IMAGE_DEBUG_TYPE_COFF equ 1
IMAGE_DEBUG_TYPE_CODEVIEW equ 2
IMAGE_DEBUG_TYPE_MISC equ 4
SYMOPT_DEBUG equ 080000000h
struc IMAGE_EXPORT_DIRECTORY
.Characteristics resd 1
.TimeDateStamp resd 1
.MajorVersion resw 1
.MinorVersion resw 1
.nName resd 1
.nBase resd 1
.NumberOfFunctions resd 1
.NumberOfNames resd 1
.AddressOfFunctions resd 1
.AddressOfNames resd 1
.AddressOfNameOrdinals resd 1
endstruc
struc IMAGE_IMPORT_DESCRIPTOR
.OriginalFirstThunk resd 1 ; Characteristics
.TimeDateStamp resd 1
.ForwarderChain resd 1
.Name1 resd 1
.FirstThunk resd 1
endstruc
%macro _import_descriptor 1
istruc IMAGE_IMPORT_DESCRIPTOR
at IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk, dd %1_hintnames - IMAGEBASE
at IMAGE_IMPORT_DESCRIPTOR.Name1 , dd %1 - IMAGEBASE
at IMAGE_IMPORT_DESCRIPTOR.FirstThunk , dd %1_iat - IMAGEBASE
iend
%endmacro
struc IMAGE_LOAD_CONFIG_DIRECTORY32
.Size resd 1
.TimeDateStamp resd 1
.MajorVersion resw 1
.MinorVersion resw 1
.GlobalFlagsClear resd 1
.GlobalFlagsSet resd 1
.CriticalSectionDefaultTimeout resd 1
.DeCommitFreeBlockThreshold resd 1
.DeCommitTotalFreeThreshold resd 1
.LockPrefixTable resd 1 ; VA
.MaximumAllocationSize resd 1
.VirtualMemoryThreshold resd 1
.ProcessHeapFlags resd 1
.ProcessAffinityMask resd 1
.CSDVersion resw 1
.Reserved1 resw 1
.EditList resd 1 ; VA
.SecurityCookie resd 1 ; VA
.SEHandlerTable resd 1 ; VA
.SEHandlerCount resd 1
.GuardCFCheckFunctionPointer resd 1 ; VA
.Reserved2 resd 1
.GuardCFFunctionTable resd 1 ; VA
.GuardCFFunctionCount resd 1
.GuardFlags resd 1
endstruc
struc IMAGE_LOAD_CONFIG_DIRECTORY64
.Size resd 1
.TimeDateStamp resd 1
.MajorVersion resw 1
.MinorVersion resw 1
.GlobalFlagsClear resd 1
.GlobalFlagsSet resd 1
.CriticalSectionDefaultTimeout resd 1
.DeCommitFreeBlockThreshold resq 1
.DeCommitTotalFreeThreshold resq 1
.LockPrefixTable resq 1 ; VA
.MaximumAllocationSize resq 1
.VirtualMemoryThreshold resq 1
.ProcessAffinityMask resq 1
.ProcessHeapFlags resd 1
.CSDVersion resw 1
.Reserved1 resw 1
.EditList resq 1 ; VA
.SecurityCookie resq 1 ; VA
.SEHandlerTable resq 1 ; VA
.SEHandlerCount resq 1
.GuardCFCheckFunctionPointer resq 1 ; VA
.Reserved2 resq 1
.GuardCFFunctionTable resq 1 ; VA
.GuardCFFunctionCount resq 1
.GuardFlags resd 1
endstruc
RT_ICON equ 3
RT_STRING equ 6
RT_GROUP_ICON equ 14
RT_VERSION equ 16
RT_MANIFEST equ 24
struc GRPICONDIR
.idReserved resw 1 ; always 0 - enforced
.idType resw 1 ; always 1 for icons
.idCount resw 1
endstruc
struc GRPICONDIRENTRY
.bWidth resb 1
.bHeight resb 1
.bColorCount resb 1
.bReserved resb 1
.wPlanes resw 1
.wBitCount resw 1
.dwBytesInRes resd 1
.nId resw 1
endstruc
%macro _resourceDirectoryEntry 2
istruc IMAGE_RESOURCE_DIRECTORY_ENTRY
at IMAGE_RESOURCE_DIRECTORY_ENTRY.NameID, dd %1
at IMAGE_RESOURCE_DIRECTORY_ENTRY.OffsetToData, dd IMAGE_RESOURCE_DATA_IS_DIRECTORY | (%2 - Directory_Entry_Resource)
iend
%endmacro
%macro _resource_tree 3 ; ID, Offset, Size
istruc IMAGE_RESOURCE_DIRECTORY
at IMAGE_RESOURCE_DIRECTORY.NumberOfIdEntries, dw 1
iend
istruc IMAGE_RESOURCE_DIRECTORY_ENTRY
at IMAGE_RESOURCE_DIRECTORY_ENTRY.NameID, dd %1
at IMAGE_RESOURCE_DIRECTORY_ENTRY.OffsetToData, dd IMAGE_RESOURCE_DATA_IS_DIRECTORY | (%%language - Directory_Entry_Resource)
iend
%%language:
istruc IMAGE_RESOURCE_DIRECTORY
at IMAGE_RESOURCE_DIRECTORY.NumberOfIdEntries, dw 1
iend
istruc IMAGE_RESOURCE_DIRECTORY_ENTRY
; language doesn't matter
at IMAGE_RESOURCE_DIRECTORY_ENTRY.OffsetToData, dd %%entry - Directory_Entry_Resource
iend
%%entry:
istruc IMAGE_RESOURCE_DATA_ENTRY
at IMAGE_RESOURCE_DATA_ENTRY.OffsetToData, dd %2 - IMAGEBASE
at IMAGE_RESOURCE_DATA_ENTRY.Size1, dd %3
iend
%endmacro
RichKey EQU 092033d19h
struc IMAGE_TLS_DIRECTORY32
.StartAddressOfRawData resd 1
.EndAddressOfRawData resd 1
.AddressOfIndex resd 1
.AddressOfCallBacks resd 1
.SizeOfZeroFill resd 1
.Characteristics resd 1
endstruc
struc IMAGE_TLS_DIRECTORY64
.StartAddressOfRawData resq 1
.EndAddressOfRawData resq 1
.AddressOfIndex resq 1
.AddressOfCallBacks resq 1
.SizeOfZeroFill resd 1
.Characteristics resd 1
endstruc
struc IMAGE_BOUND_IMPORT_DESCRIPTOR
.TimeDateStamp resd 1
.OffsetModuleName resw 1
.NumberOfModulesForwarderRefs resw 1
endstruc
struc WIN_CERTIFICATE
.dwLength resd 1
.wRevision resw 1
.wCertificateType resw 1
.bCertificate resb 0
endstruc
struc IMAGE_BASE_RELOCATION
.VirtualAddress resd 1
.SizeOfBlock resd 1
endstruc
; can't make a struct of that one with Yasm :(
%macro _IMAGE_IMPORT_BY_NAME 1
.Hint dw 0
.Name db %1, 0
%endmacro
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE equ 0040h
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY equ 0080h
IMAGE_DLLCHARACTERISTICS_NX_COMPAT equ 0100h
IMAGE_DLLCHARACTERISTICS_NO_SEH equ 0400h
IMAGE_DLLCHARACTERISTICS_APPCONTAINER equ 1000h ; W8
IMAGE_DLLCHARACTERISTICS_GUARD_CF equ 4000h ; W8.1
FLG_SHOW_LDR_SNAPS equ 2
MB_OK equ 00000000h
MB_ICONASTERISK equ 00000040h
MB_APPLMODAL equ 00000000h
LOAD_LIBRARY_AS_DATAFILE equ 000000002h
IMAGE_GUARD_CF_INSTRUMENTED equ 000000100h ;Module performs control flow integrity checks using system-supplied support
IMAGE_GUARD_CFW_INSTRUMENTED equ 000000200h ;Module performs control flow and write integrity checks
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT equ 000000400h ;Module contains valid control flow target metadata
IMAGE_GUARD_SECURITY_COOKIE_UNUSED equ 000000800h ;Module does not make use of the /GS security cookie
COOKIE_DEFAULT equ 0bb40e64eh
|
