diff --git a/format/all/all.fqtest b/format/all/all.fqtest index 90814acc27..d6f0fc81e6 100644 --- a/format/all/all.fqtest +++ b/format/all/all.fqtest @@ -23,6 +23,7 @@ $ fq -n _registry.groups.probe "ogg", "pcap", "pcapng", + "pe", "png", "tar", "tiff", @@ -76,6 +77,7 @@ bytes Raw bytes bzip2 bzip2 compression caff Live2D Cubism archive cbor Concise Binary Object Representation +coff Common Object File Format csv Comma separated values dns DNS packet dns_tcp DNS packet (TCP) @@ -127,12 +129,14 @@ mpeg_pes MPEG Packetized elementary stream mpeg_pes_packet MPEG Packetized elementary stream packet mpeg_spu Sub Picture Unit (DVD subtitle) mpeg_ts MPEG Transport Stream +msdos_stub MS-DOS Stub msgpack MessagePack ogg OGG file ogg_page OGG page opus_packet Opus packet pcap PCAP packet capture pcapng PCAPNG packet capture +pe Portable Executable pg_btree PostgreSQL btree index file pg_control PostgreSQL control file pg_heap PostgreSQL heap file diff --git a/format/all/all.go b/format/all/all.go index a8a29c51d1..7b8d2bbf17 100644 --- a/format/all/all.go +++ b/format/all/all.go @@ -42,6 +42,7 @@ import ( _ "github.com/wader/fq/format/ogg" _ "github.com/wader/fq/format/opus" _ "github.com/wader/fq/format/pcap" + _ "github.com/wader/fq/format/pe" _ "github.com/wader/fq/format/png" _ "github.com/wader/fq/format/postgres" _ "github.com/wader/fq/format/prores" diff --git a/format/format.go b/format/format.go index 1e54af9a50..7cfe396980 100644 --- a/format/format.go +++ b/format/format.go @@ -89,6 +89,7 @@ var ( Bzip2 = &decode.Group{Name: "bzip2"} CAFF = &decode.Group{Name: "caff"} CBOR = &decode.Group{Name: "cbor"} + COFF = &decode.Group{Name: "coff"} CSV = &decode.Group{Name: "csv"} DNS = &decode.Group{Name: "dns"} DNS_TCP = &decode.Group{Name: "dns_tcp"} 
@@ -137,16 +138,18 @@ var ( MP4 = &decode.Group{Name: "mp4"} MPEG_ASC = &decode.Group{Name: "mpeg_asc"} MPEG_ES = &decode.Group{Name: "mpeg_es"} - MPES_PES = &decode.Group{Name: "mpeg_pes"} + MPEG_PES = &decode.Group{Name: "mpeg_pes"} MPEG_PES_Packet = &decode.Group{Name: "mpeg_pes_packet"} MPEG_SPU = &decode.Group{Name: "mpeg_spu"} MPEG_TS = &decode.Group{Name: "mpeg_ts"} + MSDOS_Stub = &decode.Group{Name: "msdos_stub"} MsgPack = &decode.Group{Name: "msgpack"} Ogg = &decode.Group{Name: "ogg"} Ogg_Page = &decode.Group{Name: "ogg_page"} Opus_Packet = &decode.Group{Name: "opus_packet"} PCAP = &decode.Group{Name: "pcap"} PCAPNG = &decode.Group{Name: "pcapng"} + PE = &decode.Group{Name: "pe"} Pg_BTree = &decode.Group{Name: "pg_btree"} Pg_Control = &decode.Group{Name: "pg_control"} Pg_Heap = &decode.Group{Name: "pg_heap"} @@ -396,3 +399,11 @@ type Pg_Heap_In struct { type Pg_BTree_In struct { Page int `doc:"First page number in file, default is 0"` } + +type MS_DOS_Out struct { + LFANew int // logical file address for the New Executable header +} + +type COFF_In struct { + FilePointerOffset int `doc:"File pointer offset"` +} diff --git a/format/mpeg/mpeg_pes.go b/format/mpeg/mpeg_pes.go index 88e2c85191..0a80b8b688 100644 --- a/format/mpeg/mpeg_pes.go +++ b/format/mpeg/mpeg_pes.go @@ -16,7 +16,7 @@ var mpegSpuGroup decode.Group func init() { interp.RegisterFormat( - format.MPES_PES, + format.MPEG_PES, &decode.Format{ Description: "MPEG Packetized elementary stream", DecodeFn: pesDecode, diff --git a/format/pe/coff.go b/format/pe/coff.go new file mode 100644 index 0000000000..f010aaa000 --- /dev/null +++ b/format/pe/coff.go 
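Review bot: In the `@@ -396,3 +399,11 @@` hunk of format/format.go, `COFF_In.FilePointerOffset` is a caller-supplied signed `int` with no stated range, and its doc string `File pointer offset` does not say what the offset is relative to. In `peCoffStubDecode` (format/pe/coff.go, same commit) it is converted with `uint64(pci.FilePointerOffset)` and subtracted from `pointer_to_symbol_table`, so a negative value, or one larger than the pointer, wraps around, and the wrapped result then feeds the `stringTablePos` calculation and `d.SeekAbs`. Decoders like this are usually run on files of unknown origin, so I would state the contract here, for example `doc:"Offset subtracted from file pointers such as pointer_to_symbol_table; must be >= 0"`, and have the decoder reject an offset that is negative or exceeds the pointer before using it. Separately, `MS_DOS_Out` does not follow the group name `MSDOS_Stub` the way `Pg_BTree_In` follows `Pg_BTree`; `MSDOS_Stub_Out` would be consistent, and the `LFANew` comment could note that the value comes straight from the file and is unvalidated.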
@@ -0,0 +1,635 @@ +package pe + +// string table: +// .coff.pointer_to_symbol_table as $off | .coff.number_of_symbols as $n | ($off+($n*18)) as $o | (tobytes[$o:$o+4] | explode | reverse |tobytes | tonumber) as $s | tobytes[$o:$o+$s] | dd + +// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/ +// https://learn.microsoft.com/en-us/windows/win32/debug/pe-format +// https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg + +import ( + "encoding/binary" + "strconv" + "strings" + "time" + + "github.com/wader/fq/format" + "github.com/wader/fq/pkg/decode" + "github.com/wader/fq/pkg/interp" + "github.com/wader/fq/pkg/scalar" +) + +// TODO: probe? + +func init() { + interp.RegisterFormat( + format.COFF, + &decode.Format{ + Description: "Common Object File Format", + DecodeFn: peCoffStubDecode, + DefaultInArg: format.COFF_In{ + FilePointerOffset: 0, + }, + }) +} + +const ( + peFormat32 = 0x10b + peFormat32Plus = 0x20b +) + +var peFormatNames = scalar.UintMapSymStr{ + peFormat32: "pe32", + peFormat32Plus: "pe32+", +} + +const ( + MachineTypeUNKNOWN = 0x0 + MachineTypeALPHA = 0x184 + MachineTypeALPHA64 = 0x284 + MachineTypeAM33 = 0x1d3 + MachineTypeAMD64 = 0x8664 + MachineTypeARM = 0x1c0 + MachineTypeARM64 = 0xaa64 + MachineTypeARMNT = 0x1c4 + MachineTypeAXP64 = 0x284 + MachineTypeEBC = 0xebc + MachineTypeI386 = 0x14c + MachineTypeIA64 = 0x200 + MachineTypeLOONGARCH32 = 0x6232 + MachineTypeLOONGARCH64 = 0x6264 + MachineTypeM32R = 0x9041 + MachineTypeMIPS16 = 0x266 + MachineTypeMIPSFPU = 0x366 + MachineTypeMIPSFPU16 = 0x466 + MachineTypePOWERPC = 0x1f0 + MachineTypePOWERPCFP = 0x1f1 + MachineTypeR4000 = 0x166 + MachineTypeRISCV32 = 0x5032 + MachineTypeRISCV64 = 0x5064 + MachineTypeRISCV128 = 0x5128 + MachineTypeSH3 = 0x1a2 + MachineTypeSH3DSP = 0x1a3 + MachineTypeSH4 = 0x1a6 + MachineTypeSH5 = 0x1a8 + MachineTypeTHUMB = 0x1c2 + MachineTypeWCEMIPSV2 = 0x169 +) + +var MachineTypeNames = scalar.UintMap{ + 
MachineTypeUNKNOWN: {Sym: "unknown", Description: "The content of this field is assumed to be applicable to any machine type"}, + MachineTypeALPHA: {Sym: "alpha", Description: "Alpha AXP, 32-bit address space"}, + MachineTypeALPHA64: {Sym: "alpha64", Description: "Alpha 64, 64-bit address space"}, + MachineTypeAM33: {Sym: "am33", Description: "Matsushita AM33"}, + MachineTypeAMD64: {Sym: "amd64", Description: "x64"}, + MachineTypeARM: {Sym: "arm", Description: "ARM little endian"}, + MachineTypeARM64: {Sym: "arm64", Description: "ARM64 little endian"}, + MachineTypeARMNT: {Sym: "armnt", Description: "ARM Thumb-2 little endian"}, + //MachineTypeAXP64: {Sym: "AXP64", Description: "AXP 64 (Same as Alpha 64)"}, + MachineTypeEBC: {Sym: "ebc", Description: "EFI byte code"}, + MachineTypeI386: {Sym: "i386", Description: "Intel 386 or later processors and compatible processors"}, + MachineTypeIA64: {Sym: "ia64", Description: "Intel Itanium processor family"}, + MachineTypeLOONGARCH32: {Sym: "loongarch32", Description: "LoongArch 32-bit processor family"}, + MachineTypeLOONGARCH64: {Sym: "loongarch64", Description: "LoongArch 64-bit processor family"}, + MachineTypeM32R: {Sym: "m32r", Description: "Mitsubishi M32R little endian"}, + MachineTypeMIPS16: {Sym: "mips16", Description: "MIPS16"}, + MachineTypeMIPSFPU: {Sym: "mipsfpu", Description: "MIPS with FPU"}, + MachineTypeMIPSFPU16: {Sym: "mipsfpu16", Description: "MIPS16 with FPU"}, + MachineTypePOWERPC: {Sym: "powerpc", Description: "Power PC little endian"}, + MachineTypePOWERPCFP: {Sym: "powerpcfp", Description: "Power PC with floating point support"}, + MachineTypeR4000: {Sym: "r4000", Description: "MIPS little endian"}, + MachineTypeRISCV32: {Sym: "riscv32", Description: "RISC-V 32-bit address space"}, + MachineTypeRISCV64: {Sym: "riscv64", Description: "RISC-V 64-bit address space"}, + MachineTypeRISCV128: {Sym: "riscv128", Description: "RISC-V 128-bit address space"}, + MachineTypeSH3: {Sym: "sh3", Description: 
"Hitachi SH3"}, + MachineTypeSH3DSP: {Sym: "sh3dsp", Description: "Hitachi SH3 DSP"}, + MachineTypeSH4: {Sym: "sh4", Description: "Hitachi SH4"}, + MachineTypeSH5: {Sym: "sh5", Description: "Hitachi SH5"}, + MachineTypeTHUMB: {Sym: "thumb", Description: "Thumb"}, + MachineTypeWCEMIPSV2: {Sym: "wcemipsv2", Description: "MIPS little-endian WCE v2"}, +} + +const ( + SubSystemUNKNOWN = 0 + SubSystemNATIVE = 1 + SubSystemWINDOWS_GUI = 2 + SubSystemWINDOWS_CUI = 3 + SubSystemOS2_CUI = 5 + SubSystemPOSIX_CUI = 7 + SubSystemNATIVE_WINDOWS = 8 + SubSystemWINDOWS_CE_GUI = 9 + SubSystemEFI_APPLICATION = 10 + SubSystemEFI_BOOT_SERVICE_DRIVER = 11 + SubSystemEFI_RUNTIME_DRIVER = 12 + SubSystemEFI_ROM = 13 + SubSystemXBOX = 14 + SubSystemWINDOWS_BOOT_APPLICATION = 16 +) + +var subSystemNames = scalar.UintMap{ + SubSystemUNKNOWN: {Sym: "unknown", Description: "An unknown subsystem"}, + SubSystemNATIVE: {Sym: "native", Description: "Device drivers and native Windows processes"}, + SubSystemWINDOWS_GUI: {Sym: "windows_gui", Description: "The Windows graphical user interface (GUI) subsystem"}, + SubSystemWINDOWS_CUI: {Sym: "windows_cui", Description: "The Windows character subsystem"}, + SubSystemOS2_CUI: {Sym: "os2_cui", Description: "The OS/2 character subsystem"}, + SubSystemPOSIX_CUI: {Sym: "posix_cui", Description: "The Posix character subsystem"}, + SubSystemNATIVE_WINDOWS: {Sym: "native_windows", Description: "Native Win9x driver"}, + SubSystemWINDOWS_CE_GUI: {Sym: "windows_ce_gui", Description: "Windows CE"}, + SubSystemEFI_APPLICATION: {Sym: "efi_application", Description: "An Extensible Firmware Interface (EFI) application"}, + SubSystemEFI_BOOT_SERVICE_DRIVER: {Sym: "efi_boot_service_driver", Description: "An EFI driver with boot services"}, + SubSystemEFI_RUNTIME_DRIVER: {Sym: "efi_runtime_driver", Description: "An EFI driver with run-time services"}, + SubSystemEFI_ROM: {Sym: "efi_rom", Description: "An EFI ROM image"}, + SubSystemXBOX: {Sym: "xbox", Description: 
"XBOX"}, + SubSystemWINDOWS_BOOT_APPLICATION: {Sym: "windows_boot_application", Description: "Windows boot application."}, +} + +const ( + symClassEndOfFunction = 0xff // A special symbol that represents the end of function, for debugging purposes. + symClassNull = 0 // No assigned storage class. + symClassAutomatic = 1 // The automatic (stack) variable. The Value field specifies the stack frame offset. + symClassExternal = 2 // A value that Microsoft tools use for external symbols. The Value field indicates the size if the section number is IMAGE_SYM_UNDEFINED (0). If the section number is not zero, then the Value field specifies the offset within the section. + symClassStati = 3 // The offset of the symbol within the section. If the Value field is zero, then the symbol represents a section name. + symClassRegister = 4 // A register variable. The Value field specifies the register number. + symClassExternalDef = 5 // A symbol that is defined externally. + symClassLabel = 6 // A code label that is defined within the module. The Value field specifies the offset of the symbol within the section. + symClassUndefinedLabel = 7 // A reference to a code label that is not defined. + symClassMemberOfStruct = 8 // The structure member. The Value field specifies the n th member. + symClassArgument = 9 // A formal argument (parameter) of a function. The Value field specifies the n th argument. + symClassStructTag = 10 // The structure tag-name entry. + symClassMemberOfUnion = 11 // A union member. The Value field specifies the n th member. + symClassUnionTag = 12 // The Union tag-name entry. + symClassTypeDefinition = 13 // A Typedef entry. + symClassUndefinedStatic = 14 // A static data declaration. + symClassEnumTag = 15 // An enumerated type tagname entry. + symClassMemberOfEnum = 16 // A member of an enumeration. The Value field specifies the n th member. + symClassRegisterParam = 17 // A register parameter. + symClassBitField = 18 // A bit-field reference. 
The Value field specifies the n th bit in the bit field. + symClassBlock = 100 // A .bb (beginning of block) or .eb (end of block) record. The Value field is the relocatable address of the code location. + symClassFunction = 101 // A value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf ), end function ( .ef ), and lines in function ( .lf ). For .lf records, the Value field gives the number of source lines in the function. For .ef records, the Value field gives the size of the function code. + symClassEndOfStruct = 102 // An end-of-structure entry. + symClassFile = 103 // A value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record. The symbol is followed by auxiliary records that name the file. + symClassSection = 104 // A definition of a section (Microsoft tools use STATIC storage class instead). + symClassWeakExternal = 105 // A weak external. For more information, see Auxiliary Format 3: Weak Externals. + symClassClrToken = 107 // A CLR token symbol. The name is an ASCII string that consists of the hexadecimal value of the token. For more information, see CLR Token Definition (Object Only). +) + +var symClassNames = scalar.UintMap{ + symClassEndOfFunction: {Sym: "end_of_function", Description: "A special symbol that represents the end of function, for debugging purposes."}, + symClassNull: {Sym: "null", Description: "No assigned storage class."}, + symClassAutomatic: {Sym: "automatic", Description: "The automatic (stack) variable. The Value field specifies the stack frame offset."}, + symClassExternal: {Sym: "external", Description: "A value that Microsoft tools use for external symbols. The Value field indicates the size if the section number is IMAGE_SYM_UNDEFINED (0). If the section number is not zero, then the Value field specifies the offset within the section."}, + symClassStati: {Sym: "stati", Description: "The offset of the symbol within the section. 
If the Value field is zero, then the symbol represents a section name."}, + symClassRegister: {Sym: "register", Description: "A register variable. The Value field specifies the register number."}, + symClassExternalDef: {Sym: "external_def", Description: "A symbol that is defined externally."}, + symClassLabel: {Sym: "label", Description: "A code label that is defined within the module. The Value field specifies the offset of the symbol within the section."}, + symClassUndefinedLabel: {Sym: "undefined_label", Description: "A reference to a code label that is not defined."}, + symClassMemberOfStruct: {Sym: "member_of_struct", Description: "The structure member. The Value field specifies the n th member."}, + symClassArgument: {Sym: "argument", Description: "A formal argument (parameter) of a function. The Value field specifies the n th argument."}, + symClassStructTag: {Sym: "struct_tag", Description: "The structure tag-name entry."}, + symClassMemberOfUnion: {Sym: "member_of_union", Description: "A union member. The Value field specifies the n th member."}, + symClassUnionTag: {Sym: "union_tag", Description: "The Union tag-name entry."}, + symClassTypeDefinition: {Sym: "type_definition", Description: "A Typedef entry."}, + symClassUndefinedStatic: {Sym: "undefined_static", Description: "A static data declaration."}, + symClassEnumTag: {Sym: "enum_tag", Description: "An enumerated type tagname entry."}, + symClassMemberOfEnum: {Sym: "member_of_enum", Description: "A member of an enumeration. The Value field specifies the n th member."}, + symClassRegisterParam: {Sym: "register_param", Description: "A register parameter."}, + symClassBitField: {Sym: "bit_field", Description: "A bit-field reference. The Value field specifies the n th bit in the bit field."}, + symClassBlock: {Sym: "block", Description: "A .bb (beginning of block) or .eb (end of block) record. 
The Value field is the relocatable address of the code location."}, + symClassFunction: {Sym: "function", Description: "A value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf ), end function ( .ef ), and lines in function ( .lf ). For .lf records, the Value field gives the number of source lines in the function. For .ef records, the Value field gives the size of the function code."}, + symClassEndOfStruct: {Sym: "end_of_struct", Description: "An end-of-structure entry."}, + symClassFile: {Sym: "file", Description: "A value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record. The symbol is followed by auxiliary records that name the file."}, + symClassSection: {Sym: "section", Description: "A definition of a section (Microsoft tools use STATIC storage class instead)."}, + symClassWeakExternal: {Sym: "weak_external", Description: "A weak external. For more information, see Auxiliary Format 3: Weak Externals."}, + symClassClrToken: {Sym: "clr_token", Description: "A CLR token symbol. The name is an ASCII string that consists of the hexadecimal value of the token. For more information, see CLR Token Definition (Object Only)."}, +} + +const ( + symTypeNull = 0 + symTypeVoid = 1 + symTypeChar = 2 + symTypeShort = 3 + symTypeInt = 4 + symTypeLong = 5 + symTypeFloat = 6 + symTypeDouble = 7 + symTypeStruct = 8 + symTypeUnion = 9 + symTypeEnum = 10 + symTypeMoe = 11 + symTypeByte = 12 + symTypeWord = 13 + symTypeUint = 14 + symTypeDword = 15 +) + +var symBaseTypeNames = scalar.UintMap{ + symTypeNull: {Sym: "sym_type_null", Description: "No type information or unknown base type. 
Microsoft tools use this setting"}, + symTypeVoid: {Sym: "sym_type_void", Description: "No valid type; used with void pointers and functions"}, + symTypeChar: {Sym: "sym_type_char", Description: "A character (signed byte)"}, + symTypeShort: {Sym: "sym_type_short", Description: "A 2-byte signed integer"}, + symTypeInt: {Sym: "sym_type_int", Description: "A natural integer type (normally 4 bytes in Windows)"}, + symTypeLong: {Sym: "sym_type_long", Description: "A 4-byte signed integer"}, + symTypeFloat: {Sym: "sym_type_float", Description: "A 4-byte floating-point number"}, + symTypeDouble: {Sym: "sym_type_double", Description: "An 8-byte floating-point number"}, + symTypeStruct: {Sym: "sym_type_struct", Description: "A structure"}, + symTypeUnion: {Sym: "sym_type_union", Description: "A union"}, + symTypeEnum: {Sym: "sym_type_enum", Description: "An enumerated type"}, + symTypeMoe: {Sym: "sym_type_moe", Description: "A member of enumeration (a specific value)"}, + symTypeByte: {Sym: "sym_type_byte", Description: "A byte; unsigned 1-byte integer"}, + symTypeWord: {Sym: "sym_type_word", Description: "A word; unsigned 2-byte integer"}, + symTypeUint: {Sym: "sym_type_uint", Description: "An unsigned integer of natural size (normally, 4 bytes)"}, + symTypeDword: {Sym: "sym_type_dword", Description: "An unsigned 4-byte integer"}, +} + +const ( + symDtypeNull = 0 + symDtypePointer = 1 + symDtypeFunction = 2 + symDtypeArray = 3 +) + +var symBaseDTypeNames = scalar.UintMap{ + symDtypeNull: {Sym: "dtype_null", Description: "No derived type; the symbol is a simple scalar variable."}, + symDtypePointer: {Sym: "dtype_pointer", Description: "The symbol is a pointer to base type."}, + symDtypeFunction: {Sym: "dtype_function", Description: "The symbol is a function that returns a base type."}, + symDtypeArray: {Sym: "dtype_array", Description: "The symbol is an array of base type."}, +} + +// type stringTable []string + +// func (m stringTable) MapStr(s scalar.Str) (scalar.Str, 
error) { +// if s.Actual == "" || s.Actual[0] != '/' { +// return s, nil +// } +// un, err := strconv.ParseUint(s.Actual[1:], 10, 64) +// if err != nil { +// // ignore error +// //nolint: nilerr +// return s, nil +// } +// n := int(un) +// if n >= len(m) { +// return s, nil +// } + +// s.Sym = m[n] + +// return s, nil +// } + +func strIndexNull(idx int, s string) string { + if idx > len(s) { + return "" + } + i := strings.IndexByte(s[idx:], 0) + if i == -1 { + return s + } + return s[idx : idx+i] +} + +type stringTable string + +func (m stringTable) MapStr(s scalar.Str) (scalar.Str, error) { + if s.Actual[0] == '/' { + // /### section name + + s.Actual = strings.TrimRight(s.Actual, "\x00") + + un, err := strconv.ParseUint(s.Actual[1:], 10, 64) + if err != nil { + // ignore error + //nolint: nilerr + return s, nil + } + n := int(un) - 4 + + s.Sym = strIndexNull(n, string(m)) + + return s, nil + } else if s.Actual[0:4] == "\x00\x00\x00\x00" { + // \0\0\0\0LE32 symbol name + n := binary.LittleEndian.Uint32([]byte(s.Actual)[4:8]) - 4 + s.Sym = strIndexNull(int(n), string(m)) + } else { + // right null padded + s.Actual = strings.TrimRight(s.Actual, "\x00") + } + + return s, nil +} + +func peCoffStubDecode(d *decode.D) any { + var pci format.COFF_In + d.ArgAs(&pci) + + d.Endian = decode.LittleEndian + + d.FieldRawLen("signature", 4*8, d.AssertBitBuf([]byte("PE\x00\x00"))) + d.FieldU16("machine", MachineTypeNames, scalar.UintHex) + numberOfSections := d.FieldU16("number_of_sections") + d.FieldU32("time_date_stamp", scalar.UintActualUnixTime(time.RFC3339)) + pointerToSymbolTable := d.FieldU32("pointer_to_symbol_table", scalar.UintHex) + numberOfSymbols := d.FieldU32("number_of_symbols") + sizeOfOptionalHeader := d.FieldU16("size_of_optional_header") + d.FieldStruct("characteristics", func(d *decode.D) { + // TODO: wrong byte order + d.FieldBool("bytes_reversed_hi") // 0x8000 // Big endian: the MSB precedes the LSB in memory. This flag is deprecated and should be zero. 
+ d.FieldBool("up_system_only") // 0x4000 // The file should be run only on a uniprocessor machine. + d.FieldBool("dll") // 0x2000 // The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run. + d.FieldBool("system") // 0x1000 // The image file is a system file, not a user program. + d.FieldBool("net_run_from_swap") // 0x0800 // If the image is on network media, fully load it and copy it to the swap file. + d.FieldBool("removable_run_from_swap") // 0x0400 // If the image is on removable media, fully load it and copy it to the swap file. + d.FieldBool("debug_stripped") // 0x0200 // Debugging information is removed from the image file. + d.FieldBool("32bit_machine") // 0x0100 // Machine is based on a 32-bit-word architecture. + d.FieldBool("bytes_reversed_lo") // 0x0080 // Little endian: the least significant bit (LSB) precedes the most significant bit (MSB) in memory. This flag is deprecated and should be zero. + d.FieldBool("reserved") // 0x0040 // This flag is reserved for future use. + d.FieldBool("large_address_aware") // 0x0020 // Application can handle > 2-GB addresses. + d.FieldBool("aggressive_ws_trim") // 0x0010 // Obsolete. Aggressively trim working set. This flag is deprecated for Windows 2000 and later and must be zero. + d.FieldBool("local_syms_stripped") // 0x0008 // COFF symbol table entries for local symbols have been removed. This flag is deprecated and should be zero. + d.FieldBool("line_nums_stripped") // 0x0004 // COFF line numbers have been removed. This flag is deprecated and should be zero. + d.FieldBool("executable_image") // 0x0002 // Image only. This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error. + d.FieldBool("relocs_stripped") // 0x0001 // Image only, Windows CE, and Microsoft Windows NT and later. 
This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from executable (EXE) files. + }) + + if pointerToSymbolTable != 0 { + pointerToSymbolTable -= uint64(pci.FilePointerOffset) + } + stringTablePos := (int64(pointerToSymbolTable) + int64(numberOfSymbols)*18) * 8 + + var stringTableMapper stringTable + if stringTablePos < d.Len()+4*8 { + d.SeekAbs(stringTablePos, func(d *decode.D) { + stringTableSize := d.U32() - 4 + if stringTableSize*8 > uint64(d.BitsLeft()) { + return + } + stringTableMapper = stringTable(d.UTF8(int(stringTableSize))) + // d.FramedFn(int64(stringTableSize)*8, func(d *decode.D) { + // for !d.End() { + // stringTable = append(stringTable, d.UTF8Null()) + // } + // }) + }) + } + + // how to know if image only? windows specific? + if sizeOfOptionalHeader > 0 { + d.FieldStruct("optional_header", func(d *decode.D) { + d.FramedFn(int64(sizeOfOptionalHeader)*8, func(d *decode.D) { + peFormat := d.FieldU16("format", peFormatNames, scalar.UintHex) + d.FieldU8("major_linker_version") + d.FieldU8("minor_linker_version") + d.FieldU32("size_of_code") + d.FieldU32("size_of_initialized_data") + d.FieldU32("size_of_uninitialized_data") + d.FieldU32("address_of_entry_point", scalar.UintHex) + d.FieldU32("base_of_code", scalar.UintHex) + addrSize := 64 + if peFormat == peFormat32 { + d.FieldU32("base_of_data", scalar.UintHex) + addrSize = 32 + } + + d.FieldU("image_base", addrSize, scalar.UintHex) + d.FieldU32("section_alignment") + d.FieldU32("file_alignment") + d.FieldU16("major_os_version") + d.FieldU16("minor_os_version") + d.FieldU16("major_image_version") + d.FieldU16("minor_image_version") + d.FieldU16("major_subsystem_version") + d.FieldU16("minor_subsystem_version") + d.FieldU32("win32_version") + d.FieldU32("size_of_image") + d.FieldU32("size_of_headers") + 
d.FieldU32("chunk_sum", scalar.UintHex) + d.FieldU16("subsystem", subSystemNames) + d.FieldStruct("dll_characteristics", func(d *decode.D) { + d.FieldBool("force_integrity") // Code Integrity checks are enforced. + d.FieldBool("dynamic_base") // DLL can be relocated at load time. + d.FieldBool("high_entropy_va") // Image can handle a high entropy 64-bit virtual address space. + d.FieldBool("reserved0") // ?? + d.FieldBool("reserved1") + d.FieldBool("reserved2") + d.FieldBool("reserved3") + d.FieldBool("reserved4") + + d.FieldBool("terminal_server_aware") // Terminal Server aware. + d.FieldBool("guard_cf") // Image supports Control Flow Guard. + d.FieldBool("wdm_driver") // A WDM driver. + d.FieldBool("appcontainer") // Image must execute in an AppContainer. + d.FieldBool("no_bind") // Do not bind the image. + d.FieldBool("no_seh") // Does not use structured exception (SE) handling. No SE handler may be called in this image. + d.FieldBool("no_isolation") // Isolation aware, but do not isolate the image. + d.FieldBool("nx_compat") // Image is NX compatible. + }) + d.FieldU("size_of_track_reserve", addrSize) + d.FieldU("size_of_stack_commit", addrSize) + d.FieldU("size_of_heap_reserve", addrSize) + d.FieldU("size_of_heap_commit", addrSize) + d.FieldU32("loader_flags") + d.FieldU32("number_of_rva_and_sizes") + + d.FieldU32("export_table_address", scalar.UintHex) //The export table address and size. For more information see .edata Section (Image Only). + d.FieldU32("export_table_size") + d.FieldU32("import_table_address", scalar.UintHex) //The import table address and size. For more information, see The .idata Section. + d.FieldU32("import_table_size") + d.FieldU32("resource_table_address", scalar.UintHex) //The resource table address and size. For more information, see The .rsrc Section. + d.FieldU32("resource_table_size") + d.FieldU32("exception_table_address", scalar.UintHex) //The exception table address and size. For more information, see The .pdata Section. 
+ d.FieldU32("exception_table_size") + d.FieldU32("certificate_table_address", scalar.UintHex) //The attribute certificate table address and size. For more information, see The Attribute Certificate Table (Image Only). + d.FieldU32("certificate_table_size") + d.FieldU32("base_relocation_table_address", scalar.UintHex) //The base relocation table address and size. For more information, see The .reloc Section (Image Only). + d.FieldU32("base_relocation_table_size") + d.FieldU32("debug_address", scalar.UintHex) //The debug data starting address and size. For more information, see The .debug Section. + d.FieldU32("debug_size") + d.FieldU64("architecture") //Reserved, must be 0 + d.FieldU64("global_ptr", scalar.UintHex) //The RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero. + d.FieldU32("tls_table_address", scalar.UintHex) //The thread local storage (TLS) table address and size. For more information, see The .tls Section. + d.FieldU32("tls_table_size") + d.FieldU32("load_config_table_address", scalar.UintHex) //The load configuration table address and size. For more information, see The Load Configuration Structure (Image Only). + d.FieldU32("load_config_table_size") + d.FieldU32("bound_import_address", scalar.UintHex) //The bound import table address and size. + d.FieldU32("bound_import_size") + d.FieldU32("iat_address", scalar.UintHex) //The import address table address and size. For more information, see Import Address Table. + d.FieldU32("iat_size") + d.FieldU32("delay_import_descriptor_address", scalar.UintHex) //The delay import descriptor address and size. For more information, see Delay-Load Import Tables (Image Only). + d.FieldU32("delay_import_descriptor_size") + d.FieldU32("clr_runtime_header_address", scalar.UintHex) //The CLR runtime header address and size. For more information, see The .cormeta Section (Object Only). 
+ d.FieldU32("clr_runtime_header_size") + d.FieldU64("reserved") //must be zero + + // TODO: where? + /*numberOfRvaAndSizes :=*/ + /* + d.FieldArray("data_directories", func(d *decode.D) { + for i := 0; i < int(numberOfRvaAndSizes); i++ { + d.FieldStruct("data_directory", func(d *decode.D) { + d.FieldU32("virtual_address", scalar.UintHex) + d.FieldU32("size") + }) + } + }) + */ + + d.FieldRawLen("unknown", d.BitsLeft()) + }) + }) + } + + // TODO: section_alignment? + + d.FieldArray("sections", func(d *decode.D) { + for i := uint64(0); i < numberOfSections; i++ { + d.FieldStruct("section", func(d *decode.D) { + d.FieldUTF8("name", 8, stringTableMapper) // An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file. + d.FieldU32("virtual_size") // The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files. + d.FieldU32("virtual_address", scalar.UintHex) // For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation. + sizeOfRawData := d.FieldU32("size_of_raw_data") // The size of the section (for object files) or the size of the initialized data on disk (for image files). 
For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero. + pointerToRawData := d.FieldU32("pointer_to_raw_data", scalar.UintHex) // The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4-byte boundary for best performance. When a section contains only uninitialized data, this field should be zero. + d.FieldU32("pointer_to_relocations", scalar.UintHex) // The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations. + d.FieldU32("pointer_to_line_numbers", scalar.UintHex) // The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated. + d.FieldU16("number_of_relocations") // The number of relocation entries for the section. This is set to zero for executable images. + d.FieldU16("number_of_line_numbers") // The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated. + + d.FieldStruct("characteristics", func(d *decode.D) { + + // 32 bit LE flags + + d.FieldBool("cnt_uninitialized_data") // The section contains uninitialized data. + d.FieldBool("cnt_initialized_data") // The section contains initialized data. + d.FieldBool("cnt_code") // The section contains executable code. + d.FieldBool("reserved") // Reserved for future use. 
+ d.FieldBool("type_no_pad") // The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. + d.FieldBool("reserved0") // Reserved for future use. + d.FieldBool("reserved1") // Reserved for future use. + d.FieldBool("reserved2") // Reserved for future use. + + d.FieldBool("gprel") // The section contains data referenced through the global pointer (GP). + d.FieldBool("unknown0") // ?? + d.FieldBool("unknown1") // ?? + d.FieldBool("lnk_comdat") // The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. + d.FieldBool("lnk_remove") // The section will not become part of the image. This is valid only for object files. + d.FieldBool("reserved3") // Reserved for future use. + d.FieldBool("lnk_info") // The section contains comments or other information. The .drectve section has this type. This is valid for object files only. + d.FieldBool("lnk_other") // Reserved for future use. + + d.FieldBool("align_128bytes") // Align data on a 128-byte boundary. Valid only for object files. + d.FieldBool("align_8bytes") // Align data on an 8-byte boundary. Valid only for object files. + d.FieldBool("align_2bytes") // Align data on a 2-byte boundary. Valid only for object files. + d.FieldBool("align_1bytes") // Align data on a 1-byte boundary. Valid only for object files. + d.FieldBool("mem_preload") // Reserved for future use. + d.FieldBool("mem_locked") // Reserved for future use. + d.FieldBool("mem_16bit") // Reserved for future use. + d.FieldBool("mem_purgeable") // Reserved for future use. TODO was 0x00020000 in docnumberOfSymbols + + d.FieldBool("mem_write") // The section can be written to. + d.FieldBool("mem_read") // The section can be read. + d.FieldBool("mem_execute") // The section can be executed as code. + d.FieldBool("mem_shared") // The section can be shared in memory. 
+ d.FieldBool("mem_not_paged") // The section is not pageable. + d.FieldBool("mem_not_cached") // The section cannot be cached. + d.FieldBool("mem_discardable") // The section can be discarded as needed. + d.FieldBool("lnk_nreloc_ovfl") // The section contains extended relocations. + + // IMAGE_SCN_ALIGN_4BYTES 0x00300000 Align data on a 4-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_16BYTES 0x00500000 Align data on a 16-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_32BYTES 0x00600000 Align data on a 32-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_64BYTES 0x00700000 Align data on a 64-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_256BYTES 0x00900000 Align data on a 256-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_512BYTES 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. + // IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. + + // d.FieldBool("reserved") // Reserved for future use. + // d.FieldBool("reserved") // Reserved for future use. + // d.FieldBool("reserved") // Reserved for future use. + // d.FieldBool("type_no_pad") // The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. + // d.FieldBool("reserved") // Reserved for future use. + // d.FieldBool("cnt_code") // The section contains executable code. + // d.FieldBool("cnt_initialized_data") // The section contains initialized data. + // d.FieldBool("cnt_uninitialized_data") // The section contains uninitialized data. 
+ + // d.FieldBool("lnk_other") // Reserved for future use. + // d.FieldBool("lnk_info") // The section contains comments or other information. The .drectve section has this type. This is valid for object files only. + // d.FieldBool("reserved") // Reserved for future use. + // d.FieldBool("lnk_remove") // The section will not become part of the image. This is valid only for object files. + // d.FieldBool("lnk_comdat") // The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. + // d.FieldBool("unknown") // The section contains data referenced through the global pointer (GP). + // d.FieldBool("unknown") // The section contains data referenced through the global pointer (GP). + // d.FieldBool("gprel") // The section contains data referenced through the global pointer (GP). + + // d.FieldBool("mem_purgeable") // Reserved for future use. TODO was 0x00020000 in docnumberOfSymbols + // d.FieldBool("mem_16bit") // Reserved for future use. + // d.FieldBool("mem_locked") // Reserved for future use. + // d.FieldBool("mem_preload") // Reserved for future use. + // d.FieldBool("align_1bytes") // Align data on a 1-byte boundary. Valid only for object files. + // d.FieldBool("align_2bytes") // Align data on a 2-byte boundary. Valid only for object files. + // d.FieldBool("align_8bytes") // Align data on an 8-byte boundary. Valid only for object files. + // d.FieldBool("align_128bytes") // Align data on a 128-byte boundary. Valid only for object files. + + // d.FieldBool("lnk_nreloc_ovfl") // The section contains extended relocations. + // d.FieldBool("mem_discardable") // The section can be discarded as needed. + // d.FieldBool("mem_not_cached") // The section cannot be cached. + // d.FieldBool("mem_not_paged") // The section is not pageable. + // d.FieldBool("mem_shared") // The section can be shared in memory. + // d.FieldBool("mem_execute") // The section can be executed as code. 
+ // d.FieldBool("mem_read") // The section can be read. + // d.FieldBool("mem_write") // The section can be written to. + + }) + + if pointerToRawData != 0 { + pointerToRawData -= uint64(pci.FilePointerOffset) + d.SeekAbs(int64(pointerToRawData)*8, func(d *decode.D) { + d.FieldRawLen("data", int64(sizeOfRawData)*8) + }) + } + }) + } + }) + + // var stringTableMapperPos int64 + + // TODO: if pointerToSymbolTable != 0? + + if pointerToSymbolTable != 0 { + d.FieldArray("symbol_table", func(d *decode.D) { + d.SeekAbs(int64(pointerToSymbolTable*8), func(d *decode.D) { + for i := uint64(0); i < numberOfSymbols; i++ { + d.FieldStruct("symbol", func(d *decode.D) { + // TODO: name + d.FieldUTF8("name", 8, stringTableMapper) // The name of the symbol, represented by a union of three structures. An array of 8 bytes is used if the name is not more than 8 bytes long. For more information, see Symbol Name Representation. + d.FieldU32("value") // The value that is associated with the symbol. The interpretation of this field depends on SectionNumber and StorageClass. A typical meaning is the relocatable address. + d.FieldU16("section_number") // The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning, as defined in section 5.4.2, "Section Number Values." + d.FieldU8("base_type", symBaseTypeNames) + d.FieldU8("complex_type", symBaseDTypeNames) + d.FieldU8("storage_class", symClassNames) // An enumerated value that represents storage class. For more information, see Storage Class. + d.FieldU8("number_of_aux_symbols") // The number of auxiliary symbol table entries that follow this record. + }) + } + // stringTablePos = d.Pos() + }) + }) + + d.SeekAbs(stringTablePos, func(d *decode.D) { + // TODO: if pos != 0? 
+ d.FieldStruct("string_table", func(d *decode.D) {
+ stringTableSize := d.FieldU32("size") - 4
+ d.FramedFn(int64(stringTableSize*8), func(d *decode.D) {
+ d.FieldArray("entries", func(d *decode.D) {
+ for !d.End() {
+ d.FieldUTF8Null("entry")
+ }
+ })
+ })
+ })
+ })
+ }
+
+ return nil
+}
diff --git a/format/pe/msdos_stub.go b/format/pe/msdos_stub.go
new file mode 100644
index 0000000000..77275e58b1
--- /dev/null
+++ b/format/pe/msdos_stub.go
@@ -0,0 +1,58 @@
+package pe
+
+// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/
+
+import (
+ "github.com/wader/fq/format"
+ "github.com/wader/fq/pkg/decode"
+ "github.com/wader/fq/pkg/interp"
+ "github.com/wader/fq/pkg/scalar"
+)
+
+// TODO: probe?
+
+func init() {
+ interp.RegisterFormat(
+ format.MSDOS_Stub,
+ &decode.Format{
+ Description: "MS-DOS Stub",
+ DecodeFn: msDosStubDecode,
+ })
+}
+
+func msDosStubDecode(d *decode.D) any {
+ d.Endian = decode.LittleEndian
+
+ d.FieldU16("e_magic", scalar.UintDescription("Magic number"), d.UintAssert(0x5a4d), scalar.UintHex)
+ d.FieldU16("e_cblp", scalar.UintDescription("Bytes on last page of file"))
+ d.FieldU16("e_cp", scalar.UintDescription("Pages in file"))
+ d.FieldU16("e_crlc", scalar.UintDescription("Relocations"))
+ d.FieldU16("e_cparhdr", scalar.UintDescription("Size of header in paragraphs"))
+ d.FieldU16("e_minalloc", scalar.UintDescription("Minimum extra paragraphs needed"))
+ d.FieldU16("e_maxalloc", scalar.UintDescription("Maximum extra paragraphs needed"))
+ d.FieldU16("e_ss", scalar.UintDescription("Initial (relative) SS value"))
+ d.FieldU16("e_sp", scalar.UintDescription("Initial SP value"))
+ d.FieldU16("e_csum", scalar.UintDescription("Checksum"))
+ d.FieldU16("e_ip", scalar.UintDescription("Initial IP value"))
+ d.FieldU16("e_cs", scalar.UintDescription("Initial (relative) CS value"))
+ d.FieldU16("e_lfarlc", scalar.UintDescription("File address of relocation table"))
+ d.FieldU16("e_ovno", scalar.UintDescription("Overlay number"))
+ d.FieldRawLen("e_res", 4*16, scalar.BitBufDescription("Reserved words"))
+ d.FieldU16("e_oemid", scalar.UintDescription("OEM identifier (for e_oeminfo)"))
+ d.FieldU16("e_oeminfo", scalar.UintDescription("OEM information; e_oemid specific"))
+ d.FieldRawLen("e_res2", 10*16, scalar.BitBufDescription("Reserved words"))
+ lfanew := d.FieldU32("e_lfanew", scalar.UintDescription("File address of new exe header"))
+
+ // TODO: x86 format in the future
+ d.FieldRawLen("stub", 64*8, scalar.BitBufDescription("Sub program"))
+
+ subEndPos := d.Pos()
+
+ // TODO: is not padding i guess?
+ padding := lfanew*8 - uint64(subEndPos)
+ d.FieldRawLen("padding", int64(padding))
+
+ return format.MS_DOS_Out{
+ LFANew: int(lfanew),
+ }
+}
diff --git a/format/pe/pe.go b/format/pe/pe.go
new file mode 100644
index 0000000000..e5d04382eb
--- /dev/null
+++ b/format/pe/pe.go
@@ -0,0 +1,42 @@
+package pe
+
+// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/
+
+import (
+ "fmt"
+
+ "github.com/wader/fq/format"
+ "github.com/wader/fq/pkg/decode"
+ "github.com/wader/fq/pkg/interp"
+)
+
+// TODO: probe?
+// TODO: not pe_ prefix for format names?
+
+var msDosStubGroup decode.Group
+var coffGroup decode.Group
+
+func init() {
+ interp.RegisterFormat(
+ format.PE,
+ &decode.Format{
+ Description: "Portable Executable",
+ Groups: []*decode.Group{format.Probe},
+ Dependencies: []decode.Dependency{
+ {Groups: []*decode.Group{format.MSDOS_Stub}, Out: &msDosStubGroup},
+ {Groups: []*decode.Group{format.COFF}, Out: &coffGroup},
+ },
+ DecodeFn: peDecode,
+ })
+}
+
+func peDecode(d *decode.D) any {
+ _, v := d.FieldFormat("ms_dos_stub", &msDosStubGroup, nil)
+ msDOSOut, ok := v.(format.MS_DOS_Out)
+ if !ok {
+ panic(fmt.Sprintf("expected MS_DOS_Out got %#+v", v))
+ }
+ d.FieldFormat("coff", &coffGroup, format.COFF_In{FilePointerOffset: msDOSOut.LFANew})
+
+ return nil
+}
diff --git a/format/pe/testdata/README.md b/format/pe/testdata/README.md
new file mode 100644
index 0000000000..f1f47bdb0e
--- /dev/null
+++ b/format/pe/testdata/README.md
@@ -0,0 +1,6 @@
+PE sample from https://github.com/JonathanSalwan/binary-samples under MIT license
+
+```sh
+for i in pe-*; do echo "\$ fq dv $i" > $i.fqtest ; done
+```
+
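Review bot: `padding := lfanew*8 - uint64(subEndPos)` at the end of msDosStubDecode wraps around whenever e_lfanew is below 0x80, because the stub is always read as 64 bytes after the 64-byte header and both operands are unsigned; the wrapped value is then cast to int64 and handed to `d.FieldRawLen`. e_lfanew is read straight from the file, and pe.go in this commit registers the format in the probe group, so any input that begins with MZ reaches this line. A check right after `subEndPos := d.Pos()`, such as `if lfanew*8 < uint64(subEndPos) { d.Fatalf("e_lfanew %d points inside the MS-DOS header or stub", lfanew) }`, turns that into an explicit decode error. Sizing the stub from e_lfanew instead of the constant `64*8` would additionally let files with a shorter stub decode, and the "padding" TODO could say that the field covers whatever lies between the stub and the new header.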
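Review bot: `FilePointerOffset: msDOSOut.LFANew` in peDecode forwards a value read from the file to the COFF decoder without saying what it is relied on for, and coff.go in this commit subtracts it from every non-zero `pointer_to_raw_data` as a uint64 (`pointerToRawData -= uint64(pci.FilePointerOffset)`), so a section whose raw pointer is smaller than e_lfanew wraps instead of failing cleanly. I would state the contract at the call, for example `// e_lfanew is untrusted file data; coff rebases section file pointers by it and must reject pointers below it`, and add the matching comparison next to the subtraction in coff.go. peDecode and the two group variables have no doc comments, and the reference URL at the top of the file is the same MS-DOS stub article as in msdos_stub.go rather than a description of the PE layout.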
diff --git a/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld b/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld new file mode 100755 index 0000000000..dd9a51b7bb Binary files /dev/null and b/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld differ diff --git a/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld.fqtest b/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld.fqtest new file mode 100644 index 0000000000..33de13846a --- /dev/null +++ b/format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld.fqtest 
@@ -0,0 +1,403 @@ +$ fq dv pe-Windows-ARMv7-Thumb2LE-HelloWorld + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-ARMv7-Thumb2LE-HelloWorld (pe) 0x0-0x19ff.7 (6656) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xf7.7 (248) +0x0000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x1.7 (2) +0x0000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x3.7 (2) +0x0000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x5.7 (2) +0x0000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x7.7 (2) +0x0000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0x9.7 (2) +0x0000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xb.7 (2) +0x0000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xd.7 (2) +0x0000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0xf.7 (2) +0x0010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x11.7 (2) +0x0010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x13.7 (2) +0x0010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x15.7 (2) +0x0010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x17.7 (2) +0x0010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x19.7 (2) +0x0010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1b.7 (2) +0x0010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x23.7 (8) +0x0020|00 00 00 00 |.... | +0x0020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x25.7 (2) +0x0020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x27.7 (2) +0x0020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3b.7 (20) +0x0030|00 00 00 00 00 00 00 00 00 00 00 00 |............ 
| +0x0030| f8 00 00 00| ....| e_lfanew: 248 (File address of new exe header) 0x3c-0x3f.7 (4) +0x0040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x7f.7 (64) +* |until 0x7f.7 (64) | | +0x0080|56 18 6d ac 12 79 03 ff 12 79 03 ff 12 79 03 ff|V.m..y...y...y..| padding: raw bits 0x80-0xf7.7 (120) +* |until 0xf7.7 (120) | | + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xf8-0x19ff.7 (6408) +0x00f0| 50 45 00 00 | PE.. | signature: raw bits (valid) 0xf8-0xfb.7 (4) +0x00f0| c4 01 | .. | machine: "armnt" (0x1c4) (ARM Thumb-2 little endian) 0xfc-0xfd.7 (2) +0x00f0| 06 00| ..| number_of_sections: 6 0xfe-0xff.7 (2) +0x0100|0d aa 6f 53 |..oS | time_date_stamp: 1399826957 (2014-05-11T16:49:17Z) 0x100-0x103.7 (4) +0x0100| 00 00 00 00 | .... | pointer_to_symbol_table: 0x0 0x104-0x107.7 (4) +0x0100| 00 00 00 00 | .... | number_of_symbols: 0 0x108-0x10b.7 (4) +0x0100| e0 00 | .. | size_of_optional_header: 224 0x10c-0x10d.7 (2) + | | | characteristics{}: 0x10e-0x10f.7 (2) +0x0100| 22 | " | bytes_reversed_hi: false 0x10e-0x10e (0.1) +0x0100| 22 | " | up_system_only: false 0x10e.1-0x10e.1 (0.1) +0x0100| 22 | " | dll: true 0x10e.2-0x10e.2 (0.1) +0x0100| 22 | " | system: false 0x10e.3-0x10e.3 (0.1) +0x0100| 22 | " | net_run_from_swap: false 0x10e.4-0x10e.4 (0.1) +0x0100| 22 | " | removable_run_from_swap: false 0x10e.5-0x10e.5 (0.1) +0x0100| 22 | " | debug_stripped: true 0x10e.6-0x10e.6 (0.1) +0x0100| 22 | " | 32bit_machine: false 0x10e.7-0x10e.7 (0.1) +0x0100| 01| .| bytes_reversed_lo: false 0x10f-0x10f (0.1) +0x0100| 01| .| reserved: false 0x10f.1-0x10f.1 (0.1) +0x0100| 01| .| large_address_aware: false 0x10f.2-0x10f.2 (0.1) +0x0100| 01| .| aggressive_ws_trim: false 0x10f.3-0x10f.3 (0.1) +0x0100| 01| .| local_syms_stripped: false 0x10f.4-0x10f.4 (0.1) +0x0100| 01| .| line_nums_stripped: false 0x10f.5-0x10f.5 (0.1) +0x0100| 01| .| executable_image: false 0x10f.6-0x10f.6 (0.1) +0x0100| 01| .| 
relocs_stripped: true 0x10f.7-0x10f.7 (0.1) + | | | optional_header{}: 0x110-0x1ef.7 (224) +0x0110|0b 01 |.. | format: "pe32" (0x10b) 0x110-0x111.7 (2) +0x0110| 0b | . | major_linker_version: 11 0x112-0x112.7 (1) +0x0110| 00 | . | minor_linker_version: 0 0x113-0x113.7 (1) +0x0110| 00 08 00 00 | .... | size_of_code: 2048 0x114-0x117.7 (4) +0x0110| 00 10 00 00 | .... | size_of_initialized_data: 4096 0x118-0x11b.7 (4) +0x0110| 00 00 00 00| ....| size_of_uninitialized_data: 0 0x11c-0x11f.7 (4) +0x0120|e5 12 00 00 |.... | address_of_entry_point: 0x12e5 0x120-0x123.7 (4) +0x0120| 00 10 00 00 | .... | base_of_code: 0x1000 0x124-0x127.7 (4) +0x0120| 00 20 00 00 | . .. | base_of_data: 0x2000 0x128-0x12b.7 (4) +0x0120| 00 00 40 00| ..@.| image_base: 0x400000 0x12c-0x12f.7 (4) +0x0130|00 10 00 00 |.... | section_alignment: 4096 0x130-0x133.7 (4) +0x0130| 00 02 00 00 | .... | file_alignment: 512 0x134-0x137.7 (4) +0x0130| 06 00 | .. | major_os_version: 6 0x138-0x139.7 (2) +0x0130| 02 00 | .. | minor_os_version: 2 0x13a-0x13b.7 (2) +0x0130| 00 00 | .. | major_image_version: 0 0x13c-0x13d.7 (2) +0x0130| 00 00| ..| minor_image_version: 0 0x13e-0x13f.7 (2) +0x0140|06 00 |.. | major_subsystem_version: 6 0x140-0x141.7 (2) +0x0140| 02 00 | .. | minor_subsystem_version: 2 0x142-0x143.7 (2) +0x0140| 00 00 00 00 | .... | win32_version: 0 0x144-0x147.7 (4) +0x0140| 00 70 00 00 | .p.. | size_of_image: 28672 0x148-0x14b.7 (4) +0x0140| 00 04 00 00| ....| size_of_headers: 1024 0x14c-0x14f.7 (4) +0x0150|00 00 00 00 |.... | chunk_sum: 0x0 0x150-0x153.7 (4) +0x0150| 03 00 | .. 
| subsystem: "windows_cui" (3) (The Windows character subsystem) 0x154-0x155.7 (2) + | | | dll_characteristics{}: 0x156-0x157.7 (2) +0x0150| 40 | @ | force_integrity: false 0x156-0x156 (0.1) +0x0150| 40 | @ | dynamic_base: true 0x156.1-0x156.1 (0.1) +0x0150| 40 | @ | high_entropy_va: false 0x156.2-0x156.2 (0.1) +0x0150| 40 | @ | reserved0: false 0x156.3-0x156.3 (0.1) +0x0150| 40 | @ | reserved1: false 0x156.4-0x156.4 (0.1) +0x0150| 40 | @ | reserved2: false 0x156.5-0x156.5 (0.1) +0x0150| 40 | @ | reserved3: false 0x156.6-0x156.6 (0.1) +0x0150| 40 | @ | reserved4: false 0x156.7-0x156.7 (0.1) +0x0150| 81 | . | terminal_server_aware: true 0x157-0x157 (0.1) +0x0150| 81 | . | guard_cf: false 0x157.1-0x157.1 (0.1) +0x0150| 81 | . | wdm_driver: false 0x157.2-0x157.2 (0.1) +0x0150| 81 | . | appcontainer: false 0x157.3-0x157.3 (0.1) +0x0150| 81 | . | no_bind: false 0x157.4-0x157.4 (0.1) +0x0150| 81 | . | no_seh: false 0x157.5-0x157.5 (0.1) +0x0150| 81 | . | no_isolation: false 0x157.6-0x157.6 (0.1) +0x0150| 81 | . | nx_compat: true 0x157.7-0x157.7 (0.1) +0x0150| 00 00 10 00 | .... | size_of_track_reserve: 1048576 0x158-0x15b.7 (4) +0x0150| 00 10 00 00| ....| size_of_stack_commit: 4096 0x15c-0x15f.7 (4) +0x0160|00 00 10 00 |.... | size_of_heap_reserve: 1048576 0x160-0x163.7 (4) +0x0160| 00 10 00 00 | .... | size_of_heap_commit: 4096 0x164-0x167.7 (4) +0x0160| 00 00 00 00 | .... | loader_flags: 0 0x168-0x16b.7 (4) +0x0160| 10 00 00 00| ....| number_of_rva_and_sizes: 16 0x16c-0x16f.7 (4) +0x0170|00 00 00 00 |.... | export_table_address: 0x0 0x170-0x173.7 (4) +0x0170| 00 00 00 00 | .... | export_table_size: 0 0x174-0x177.7 (4) +0x0170| f4 21 00 00 | .!.. | import_table_address: 0x21f4 0x178-0x17b.7 (4) +0x0170| 3c 00 00 00| <...| import_table_size: 60 0x17c-0x17f.7 (4) +0x0180|00 50 00 00 |.P.. | resource_table_address: 0x5000 0x180-0x183.7 (4) +0x0180| e0 01 00 00 | .... | resource_table_size: 480 0x184-0x187.7 (4) +0x0180| 00 40 00 00 | .@.. 
| exception_table_address: 0x4000 0x188-0x18b.7 (4) +0x0180| 90 00 00 00| ....| exception_table_size: 144 0x18c-0x18f.7 (4) +0x0190|00 00 00 00 |.... | certificate_table_address: 0x0 0x190-0x193.7 (4) +0x0190| 00 00 00 00 | .... | certificate_table_size: 0 0x194-0x197.7 (4) +0x0190| 00 60 00 00 | .`.. | base_relocation_table_address: 0x6000 0x198-0x19b.7 (4) +0x0190| a8 00 00 00| ....| base_relocation_table_size: 168 0x19c-0x19f.7 (4) +0x01a0|a0 20 00 00 |. .. | debug_address: 0x20a0 0x1a0-0x1a3.7 (4) +0x01a0| 38 00 00 00 | 8... | debug_size: 56 0x1a4-0x1a7.7 (4) +0x01a0| 00 00 00 00 00 00 00 00| ........| architecture: 0 0x1a8-0x1af.7 (8) +0x01b0|00 00 00 00 00 00 00 00 |........ | global_ptr: 0x0 0x1b0-0x1b7.7 (8) +0x01b0| 00 00 00 00 | .... | tls_table_address: 0x0 0x1b8-0x1bb.7 (4) +0x01b0| 00 00 00 00| ....| tls_table_size: 0 0x1bc-0x1bf.7 (4) +0x01c0|00 00 00 00 |.... | load_config_table_address: 0x0 0x1c0-0x1c3.7 (4) +0x01c0| 00 00 00 00 | .... | load_config_table_size: 0 0x1c4-0x1c7.7 (4) +0x01c0| 00 00 00 00 | .... | bound_import_address: 0x0 0x1c8-0x1cb.7 (4) +0x01c0| 00 00 00 00| ....| bound_import_size: 0 0x1cc-0x1cf.7 (4) +0x01d0|00 20 00 00 |. .. | iat_address: 0x2000 0x1d0-0x1d3.7 (4) +0x01d0| 80 00 00 00 | .... | iat_size: 128 0x1d4-0x1d7.7 (4) +0x01d0| 00 00 00 00 | .... | delay_import_descriptor_address: 0x0 0x1d8-0x1db.7 (4) +0x01d0| 00 00 00 00| ....| delay_import_descriptor_size: 0 0x1dc-0x1df.7 (4) +0x01e0|00 00 00 00 |.... | clr_runtime_header_address: 0x0 0x1e0-0x1e3.7 (4) +0x01e0| 00 00 00 00 | .... | clr_runtime_header_size: 0 0x1e4-0x1e7.7 (4) +0x01e0| 00 00 00 00 00 00 00 00| ........| reserved: 0 0x1e8-0x1ef.7 (8) + | | | unknown: raw bits 0x1f0-NA (0) + | | | sections[0:6]: 0x1f0-0x19ff.7 (6160) + | | | [0]{}: section 0x1f0-0xbff.7 (2576) +0x01f0|2e 74 65 78 74 00 00 00 |.text... | name: ".text" 0x1f0-0x1f7.7 (8) +0x01f0| 94 06 00 00 | .... 
| virtual_size: 1684 0x1f8-0x1fb.7 (4) +0x01f0| 00 10 00 00| ....| virtual_address: 0x1000 0x1fc-0x1ff.7 (4) +0x0200|00 08 00 00 |.... | size_of_raw_data: 2048 0x200-0x203.7 (4) +0x0200| 00 04 00 00 | .... | pointer_to_raw_data: 0x400 0x204-0x207.7 (4) +0x0200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20b.7 (4) +0x0200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x20f.7 (4) +0x0210|00 00 |.. | number_of_relocations: 0 0x210-0x211.7 (2) +0x0210| 00 00 | .. | number_of_line_numbers: 0 0x212-0x213.7 (2) + | | | characteristics{}: 0x214-0x217.7 (4) +0x0210| 20 | | cnt_uninitialized_data: false 0x214-0x214 (0.1) +0x0210| 20 | | cnt_initialized_data: false 0x214.1-0x214.1 (0.1) +0x0210| 20 | | cnt_code: true 0x214.2-0x214.2 (0.1) +0x0210| 20 | | reserved: false 0x214.3-0x214.3 (0.1) +0x0210| 20 | | type_no_pad: false 0x214.4-0x214.4 (0.1) +0x0210| 20 | | reserved0: false 0x214.5-0x214.5 (0.1) +0x0210| 20 | | reserved1: false 0x214.6-0x214.6 (0.1) +0x0210| 20 | | reserved2: false 0x214.7-0x214.7 (0.1) +0x0210| 00 | . | gprel: false 0x215-0x215 (0.1) +0x0210| 00 | . | unknown0: false 0x215.1-0x215.1 (0.1) +0x0210| 00 | . | unknown1: false 0x215.2-0x215.2 (0.1) +0x0210| 00 | . | lnk_comdat: false 0x215.3-0x215.3 (0.1) +0x0210| 00 | . | lnk_remove: false 0x215.4-0x215.4 (0.1) +0x0210| 00 | . | reserved3: false 0x215.5-0x215.5 (0.1) +0x0210| 00 | . | lnk_info: false 0x215.6-0x215.6 (0.1) +0x0210| 00 | . | lnk_other: false 0x215.7-0x215.7 (0.1) +0x0210| 00 | . | align_128bytes: false 0x216-0x216 (0.1) +0x0210| 00 | . | align_8bytes: false 0x216.1-0x216.1 (0.1) +0x0210| 00 | . | align_2bytes: false 0x216.2-0x216.2 (0.1) +0x0210| 00 | . | align_1bytes: false 0x216.3-0x216.3 (0.1) +0x0210| 00 | . | mem_preload: false 0x216.4-0x216.4 (0.1) +0x0210| 00 | . | mem_locked: false 0x216.5-0x216.5 (0.1) +0x0210| 00 | . | mem_16bit: false 0x216.6-0x216.6 (0.1) +0x0210| 00 | . 
| mem_purgeable: false 0x216.7-0x216.7 (0.1) +0x0210| 60 | ` | mem_write: false 0x217-0x217 (0.1) +0x0210| 60 | ` | mem_read: true 0x217.1-0x217.1 (0.1) +0x0210| 60 | ` | mem_execute: true 0x217.2-0x217.2 (0.1) +0x0210| 60 | ` | mem_shared: false 0x217.3-0x217.3 (0.1) +0x0210| 60 | ` | mem_not_paged: false 0x217.4-0x217.4 (0.1) +0x0210| 60 | ` | mem_not_cached: false 0x217.5-0x217.5 (0.1) +0x0210| 60 | ` | mem_discardable: false 0x217.6-0x217.6 (0.1) +0x0210| 60 | ` | lnk_nreloc_ovfl: false 0x217.7-0x217.7 (0.1) +0x0400|2d e9 00 48 eb 46 42 f2 78 03 c0 f2 40 03 42 f2|-..H.FB.x...@.B.| data: raw bits 0x400-0xbff.7 (2048) +* |until 0xbff.7 (2048) | | + | | | [1]{}: section 0x218-0x11ff.7 (4072) +0x0210| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x218-0x21f.7 (8) +0x0220|ae 04 00 00 |.... | virtual_size: 1198 0x220-0x223.7 (4) +0x0220| 00 20 00 00 | . .. | virtual_address: 0x2000 0x224-0x227.7 (4) +0x0220| 00 06 00 00 | .... | size_of_raw_data: 1536 0x228-0x22b.7 (4) +0x0220| 00 0c 00 00| ....| pointer_to_raw_data: 0xc00 0x22c-0x22f.7 (4) +0x0230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x233.7 (4) +0x0230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x237.7 (4) +0x0230| 00 00 | .. | number_of_relocations: 0 0x238-0x239.7 (2) +0x0230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23b.7 (2) + | | | characteristics{}: 0x23c-0x23f.7 (4) +0x0230| 40 | @ | cnt_uninitialized_data: false 0x23c-0x23c (0.1) +0x0230| 40 | @ | cnt_initialized_data: true 0x23c.1-0x23c.1 (0.1) +0x0230| 40 | @ | cnt_code: false 0x23c.2-0x23c.2 (0.1) +0x0230| 40 | @ | reserved: false 0x23c.3-0x23c.3 (0.1) +0x0230| 40 | @ | type_no_pad: false 0x23c.4-0x23c.4 (0.1) +0x0230| 40 | @ | reserved0: false 0x23c.5-0x23c.5 (0.1) +0x0230| 40 | @ | reserved1: false 0x23c.6-0x23c.6 (0.1) +0x0230| 40 | @ | reserved2: false 0x23c.7-0x23c.7 (0.1) +0x0230| 00 | . | gprel: false 0x23d-0x23d (0.1) +0x0230| 00 | . | unknown0: false 0x23d.1-0x23d.1 (0.1) +0x0230| 00 | . 
| unknown1: false 0x23d.2-0x23d.2 (0.1) +0x0230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.3 (0.1) +0x0230| 00 | . | lnk_remove: false 0x23d.4-0x23d.4 (0.1) +0x0230| 00 | . | reserved3: false 0x23d.5-0x23d.5 (0.1) +0x0230| 00 | . | lnk_info: false 0x23d.6-0x23d.6 (0.1) +0x0230| 00 | . | lnk_other: false 0x23d.7-0x23d.7 (0.1) +0x0230| 00 | . | align_128bytes: false 0x23e-0x23e (0.1) +0x0230| 00 | . | align_8bytes: false 0x23e.1-0x23e.1 (0.1) +0x0230| 00 | . | align_2bytes: false 0x23e.2-0x23e.2 (0.1) +0x0230| 00 | . | align_1bytes: false 0x23e.3-0x23e.3 (0.1) +0x0230| 00 | . | mem_preload: false 0x23e.4-0x23e.4 (0.1) +0x0230| 00 | . | mem_locked: false 0x23e.5-0x23e.5 (0.1) +0x0230| 00 | . | mem_16bit: false 0x23e.6-0x23e.6 (0.1) +0x0230| 00 | . | mem_purgeable: false 0x23e.7-0x23e.7 (0.1) +0x0230| 40| @| mem_write: false 0x23f-0x23f (0.1) +0x0230| 40| @| mem_read: true 0x23f.1-0x23f.1 (0.1) +0x0230| 40| @| mem_execute: false 0x23f.2-0x23f.2 (0.1) +0x0230| 40| @| mem_shared: false 0x23f.3-0x23f.3 (0.1) +0x0230| 40| @| mem_not_paged: false 0x23f.4-0x23f.4 (0.1) +0x0230| 40| @| mem_not_cached: false 0x23f.5-0x23f.5 (0.1) +0x0230| 40| @| mem_discardable: false 0x23f.6-0x23f.6 (0.1) +0x0230| 40| @| lnk_nreloc_ovfl: false 0x23f.7-0x23f.7 (0.1) +0x0c00|74 24 00 00 5e 24 00 00 48 24 00 00 2e 24 00 00|t$..^$..H$...$..| data: raw bits 0xc00-0x11ff.7 (1536) +* |until 0x11ff.7 (1536) | | + | | | [2]{}: section 0x240-0x13ff.7 (4544) +0x0240|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x240-0x247.7 (8) +0x0240| 4c 02 00 00 | L... | virtual_size: 588 0x248-0x24b.7 (4) +0x0240| 00 30 00 00| .0..| virtual_address: 0x3000 0x24c-0x24f.7 (4) +0x0250|00 02 00 00 |.... | size_of_raw_data: 512 0x250-0x253.7 (4) +0x0250| 00 12 00 00 | .... | pointer_to_raw_data: 0x1200 0x254-0x257.7 (4) +0x0250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25b.7 (4) +0x0250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x25f.7 (4) +0x0260|00 00 |.. 
| number_of_relocations: 0 0x260-0x261.7 (2) +0x0260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x263.7 (2) + | | | characteristics{}: 0x264-0x267.7 (4) +0x0260| 40 | @ | cnt_uninitialized_data: false 0x264-0x264 (0.1) +0x0260| 40 | @ | cnt_initialized_data: true 0x264.1-0x264.1 (0.1) +0x0260| 40 | @ | cnt_code: false 0x264.2-0x264.2 (0.1) +0x0260| 40 | @ | reserved: false 0x264.3-0x264.3 (0.1) +0x0260| 40 | @ | type_no_pad: false 0x264.4-0x264.4 (0.1) +0x0260| 40 | @ | reserved0: false 0x264.5-0x264.5 (0.1) +0x0260| 40 | @ | reserved1: false 0x264.6-0x264.6 (0.1) +0x0260| 40 | @ | reserved2: false 0x264.7-0x264.7 (0.1) +0x0260| 00 | . | gprel: false 0x265-0x265 (0.1) +0x0260| 00 | . | unknown0: false 0x265.1-0x265.1 (0.1) +0x0260| 00 | . | unknown1: false 0x265.2-0x265.2 (0.1) +0x0260| 00 | . | lnk_comdat: false 0x265.3-0x265.3 (0.1) +0x0260| 00 | . | lnk_remove: false 0x265.4-0x265.4 (0.1) +0x0260| 00 | . | reserved3: false 0x265.5-0x265.5 (0.1) +0x0260| 00 | . | lnk_info: false 0x265.6-0x265.6 (0.1) +0x0260| 00 | . | lnk_other: false 0x265.7-0x265.7 (0.1) +0x0260| 00 | . | align_128bytes: false 0x266-0x266 (0.1) +0x0260| 00 | . | align_8bytes: false 0x266.1-0x266.1 (0.1) +0x0260| 00 | . | align_2bytes: false 0x266.2-0x266.2 (0.1) +0x0260| 00 | . | align_1bytes: false 0x266.3-0x266.3 (0.1) +0x0260| 00 | . | mem_preload: false 0x266.4-0x266.4 (0.1) +0x0260| 00 | . | mem_locked: false 0x266.5-0x266.5 (0.1) +0x0260| 00 | . | mem_16bit: false 0x266.6-0x266.6 (0.1) +0x0260| 00 | . | mem_purgeable: false 0x266.7-0x266.7 (0.1) +0x0260| c0 | . | mem_write: true 0x267-0x267 (0.1) +0x0260| c0 | . | mem_read: true 0x267.1-0x267.1 (0.1) +0x0260| c0 | . | mem_execute: false 0x267.2-0x267.2 (0.1) +0x0260| c0 | . | mem_shared: false 0x267.3-0x267.3 (0.1) +0x0260| c0 | . | mem_not_paged: false 0x267.4-0x267.4 (0.1) +0x0260| c0 | . | mem_not_cached: false 0x267.5-0x267.5 (0.1) +0x0260| c0 | . | mem_discardable: false 0x267.6-0x267.6 (0.1) +0x0260| c0 | . 
| lnk_nreloc_ovfl: false 0x267.7-0x267.7 (0.1) +0x1200|4e e6 40 bb b1 19 bf 44 ff ff ff ff 01 00 00 00|N.@....D........| data: raw bits 0x1200-0x13ff.7 (512) +* |until 0x13ff.7 (512) | | + | | | [3]{}: section 0x268-0x15ff.7 (5016) +0x0260| 2e 70 64 61 74 61 00 00| .pdata..| name: ".pdata" 0x268-0x26f.7 (8) +0x0270|90 00 00 00 |.... | virtual_size: 144 0x270-0x273.7 (4) +0x0270| 00 40 00 00 | .@.. | virtual_address: 0x4000 0x274-0x277.7 (4) +0x0270| 00 02 00 00 | .... | size_of_raw_data: 512 0x278-0x27b.7 (4) +0x0270| 00 14 00 00| ....| pointer_to_raw_data: 0x1400 0x27c-0x27f.7 (4) +0x0280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x283.7 (4) +0x0280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x287.7 (4) +0x0280| 00 00 | .. | number_of_relocations: 0 0x288-0x289.7 (2) +0x0280| 00 00 | .. | number_of_line_numbers: 0 0x28a-0x28b.7 (2) + | | | characteristics{}: 0x28c-0x28f.7 (4) +0x0280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c (0.1) +0x0280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.1 (0.1) +0x0280| 40 | @ | cnt_code: false 0x28c.2-0x28c.2 (0.1) +0x0280| 40 | @ | reserved: false 0x28c.3-0x28c.3 (0.1) +0x0280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.4 (0.1) +0x0280| 40 | @ | reserved0: false 0x28c.5-0x28c.5 (0.1) +0x0280| 40 | @ | reserved1: false 0x28c.6-0x28c.6 (0.1) +0x0280| 40 | @ | reserved2: false 0x28c.7-0x28c.7 (0.1) +0x0280| 00 | . | gprel: false 0x28d-0x28d (0.1) +0x0280| 00 | . | unknown0: false 0x28d.1-0x28d.1 (0.1) +0x0280| 00 | . | unknown1: false 0x28d.2-0x28d.2 (0.1) +0x0280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.3 (0.1) +0x0280| 00 | . | lnk_remove: false 0x28d.4-0x28d.4 (0.1) +0x0280| 00 | . | reserved3: false 0x28d.5-0x28d.5 (0.1) +0x0280| 00 | . | lnk_info: false 0x28d.6-0x28d.6 (0.1) +0x0280| 00 | . | lnk_other: false 0x28d.7-0x28d.7 (0.1) +0x0280| 00 | . | align_128bytes: false 0x28e-0x28e (0.1) +0x0280| 00 | . | align_8bytes: false 0x28e.1-0x28e.1 (0.1) +0x0280| 00 | . 
| align_2bytes: false 0x28e.2-0x28e.2 (0.1) +0x0280| 00 | . | align_1bytes: false 0x28e.3-0x28e.3 (0.1) +0x0280| 00 | . | mem_preload: false 0x28e.4-0x28e.4 (0.1) +0x0280| 00 | . | mem_locked: false 0x28e.5-0x28e.5 (0.1) +0x0280| 00 | . | mem_16bit: false 0x28e.6-0x28e.6 (0.1) +0x0280| 00 | . | mem_purgeable: false 0x28e.7-0x28e.7 (0.1) +0x0280| 40| @| mem_write: false 0x28f-0x28f (0.1) +0x0280| 40| @| mem_read: true 0x28f.1-0x28f.1 (0.1) +0x0280| 40| @| mem_execute: false 0x28f.2-0x28f.2 (0.1) +0x0280| 40| @| mem_shared: false 0x28f.3-0x28f.3 (0.1) +0x0280| 40| @| mem_not_paged: false 0x28f.4-0x28f.4 (0.1) +0x0280| 40| @| mem_not_cached: false 0x28f.5-0x28f.5 (0.1) +0x0280| 40| @| mem_discardable: false 0x28f.6-0x28f.6 (0.1) +0x0280| 40| @| lnk_nreloc_ovfl: false 0x28f.7-0x28f.7 (0.1) +0x1400|01 10 00 00 41 60 3f 00 35 10 00 00 70 21 00 00|....A`?.5...p!..| data: raw bits 0x1400-0x15ff.7 (512) +* |until 0x15ff.7 (512) | | + | | | [4]{}: section 0x290-0x17ff.7 (5488) +0x0290|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x290-0x297.7 (8) +0x0290| e0 01 00 00 | .... | virtual_size: 480 0x298-0x29b.7 (4) +0x0290| 00 50 00 00| .P..| virtual_address: 0x5000 0x29c-0x29f.7 (4) +0x02a0|00 02 00 00 |.... | size_of_raw_data: 512 0x2a0-0x2a3.7 (4) +0x02a0| 00 16 00 00 | .... | pointer_to_raw_data: 0x1600 0x2a4-0x2a7.7 (4) +0x02a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ab.7 (4) +0x02a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2af.7 (4) +0x02b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b1.7 (2) +0x02b0| 00 00 | .. 
| number_of_line_numbers: 0 0x2b2-0x2b3.7 (2) + | | | characteristics{}: 0x2b4-0x2b7.7 (4) +0x02b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4 (0.1) +0x02b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.1 (0.1) +0x02b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.2 (0.1) +0x02b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.3 (0.1) +0x02b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.4 (0.1) +0x02b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.5 (0.1) +0x02b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.6 (0.1) +0x02b0| 40 | @ | reserved2: false 0x2b4.7-0x2b4.7 (0.1) +0x02b0| 00 | . | gprel: false 0x2b5-0x2b5 (0.1) +0x02b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.1 (0.1) +0x02b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.2 (0.1) +0x02b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.3 (0.1) +0x02b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.4 (0.1) +0x02b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.5 (0.1) +0x02b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.6 (0.1) +0x02b0| 00 | . | lnk_other: false 0x2b5.7-0x2b5.7 (0.1) +0x02b0| 00 | . | align_128bytes: false 0x2b6-0x2b6 (0.1) +0x02b0| 00 | . | align_8bytes: false 0x2b6.1-0x2b6.1 (0.1) +0x02b0| 00 | . | align_2bytes: false 0x2b6.2-0x2b6.2 (0.1) +0x02b0| 00 | . | align_1bytes: false 0x2b6.3-0x2b6.3 (0.1) +0x02b0| 00 | . | mem_preload: false 0x2b6.4-0x2b6.4 (0.1) +0x02b0| 00 | . | mem_locked: false 0x2b6.5-0x2b6.5 (0.1) +0x02b0| 00 | . | mem_16bit: false 0x2b6.6-0x2b6.6 (0.1) +0x02b0| 00 | . 
| mem_purgeable: false 0x2b6.7-0x2b6.7 (0.1) +0x02b0| 40 | @ | mem_write: false 0x2b7-0x2b7 (0.1) +0x02b0| 40 | @ | mem_read: true 0x2b7.1-0x2b7.1 (0.1) +0x02b0| 40 | @ | mem_execute: false 0x2b7.2-0x2b7.2 (0.1) +0x02b0| 40 | @ | mem_shared: false 0x2b7.3-0x2b7.3 (0.1) +0x02b0| 40 | @ | mem_not_paged: false 0x2b7.4-0x2b7.4 (0.1) +0x02b0| 40 | @ | mem_not_cached: false 0x2b7.5-0x2b7.5 (0.1) +0x02b0| 40 | @ | mem_discardable: false 0x2b7.6-0x2b7.6 (0.1) +0x02b0| 40 | @ | lnk_nreloc_ovfl: false 0x2b7.7-0x2b7.7 (0.1) +0x1600|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00|................| data: raw bits 0x1600-0x17ff.7 (512) +* |until 0x17ff.7 (512) | | + | | | [5]{}: section 0x2b8-0x19ff.7 (5960) +0x02b0| 2e 72 65 6c 6f 63 00 00| .reloc..| name: ".reloc" 0x2b8-0x2bf.7 (8) +0x02c0|9e 01 00 00 |.... | virtual_size: 414 0x2c0-0x2c3.7 (4) +0x02c0| 00 60 00 00 | .`.. | virtual_address: 0x6000 0x2c4-0x2c7.7 (4) +0x02c0| 00 02 00 00 | .... | size_of_raw_data: 512 0x2c8-0x2cb.7 (4) +0x02c0| 00 18 00 00| ....| pointer_to_raw_data: 0x1800 0x2cc-0x2cf.7 (4) +0x02d0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2d0-0x2d3.7 (4) +0x02d0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2d4-0x2d7.7 (4) +0x02d0| 00 00 | .. | number_of_relocations: 0 0x2d8-0x2d9.7 (2) +0x02d0| 00 00 | .. | number_of_line_numbers: 0 0x2da-0x2db.7 (2) + | | | characteristics{}: 0x2dc-0x2df.7 (4) +0x02d0| 40 | @ | cnt_uninitialized_data: false 0x2dc-0x2dc (0.1) +0x02d0| 40 | @ | cnt_initialized_data: true 0x2dc.1-0x2dc.1 (0.1) +0x02d0| 40 | @ | cnt_code: false 0x2dc.2-0x2dc.2 (0.1) +0x02d0| 40 | @ | reserved: false 0x2dc.3-0x2dc.3 (0.1) +0x02d0| 40 | @ | type_no_pad: false 0x2dc.4-0x2dc.4 (0.1) +0x02d0| 40 | @ | reserved0: false 0x2dc.5-0x2dc.5 (0.1) +0x02d0| 40 | @ | reserved1: false 0x2dc.6-0x2dc.6 (0.1) +0x02d0| 40 | @ | reserved2: false 0x2dc.7-0x2dc.7 (0.1) +0x02d0| 00 | . | gprel: false 0x2dd-0x2dd (0.1) +0x02d0| 00 | . | unknown0: false 0x2dd.1-0x2dd.1 (0.1) +0x02d0| 00 | . 
| unknown1: false 0x2dd.2-0x2dd.2 (0.1) +0x02d0| 00 | . | lnk_comdat: false 0x2dd.3-0x2dd.3 (0.1) +0x02d0| 00 | . | lnk_remove: false 0x2dd.4-0x2dd.4 (0.1) +0x02d0| 00 | . | reserved3: false 0x2dd.5-0x2dd.5 (0.1) +0x02d0| 00 | . | lnk_info: false 0x2dd.6-0x2dd.6 (0.1) +0x02d0| 00 | . | lnk_other: false 0x2dd.7-0x2dd.7 (0.1) +0x02d0| 00 | . | align_128bytes: false 0x2de-0x2de (0.1) +0x02d0| 00 | . | align_8bytes: false 0x2de.1-0x2de.1 (0.1) +0x02d0| 00 | . | align_2bytes: false 0x2de.2-0x2de.2 (0.1) +0x02d0| 00 | . | align_1bytes: false 0x2de.3-0x2de.3 (0.1) +0x02d0| 00 | . | mem_preload: false 0x2de.4-0x2de.4 (0.1) +0x02d0| 00 | . | mem_locked: false 0x2de.5-0x2de.5 (0.1) +0x02d0| 00 | . | mem_16bit: false 0x2de.6-0x2de.6 (0.1) +0x02d0| 00 | . | mem_purgeable: false 0x2de.7-0x2de.7 (0.1) +0x02d0| 42| B| mem_write: false 0x2df-0x2df (0.1) +0x02d0| 42| B| mem_read: true 0x2df.1-0x2df.1 (0.1) +0x02d0| 42| B| mem_execute: false 0x2df.2-0x2df.2 (0.1) +0x02d0| 42| B| mem_shared: false 0x2df.3-0x2df.3 (0.1) +0x02d0| 42| B| mem_not_paged: false 0x2df.4-0x2df.4 (0.1) +0x02d0| 42| B| mem_not_cached: false 0x2df.5-0x2df.5 (0.1) +0x02d0| 42| B| mem_discardable: true 0x2df.6-0x2df.6 (0.1) +0x02d0| 42| B| lnk_nreloc_ovfl: false 0x2df.7-0x2df.7 (0.1) +0x1800|00 10 00 00 94 00 00 00 06 70 0e 70 30 30 58 30|.........p.p00X0| data: raw bits 0x1800-0x19ff.7 (512) +* |until 0x19ff.7 (end) (512) | | +0x02e0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| gap0: raw bits 0x2e0-0x3ff.7 (288) +* |until 0x3ff.7 (288) | | diff --git a/format/pe/testdata/pe-Windows-x64-cmd b/format/pe/testdata/pe-Windows-x64-cmd new file mode 100755 index 0000000000..dca94f437e Binary files /dev/null and b/format/pe/testdata/pe-Windows-x64-cmd differ diff --git a/format/pe/testdata/pe-Windows-x64-cmd.fqtest b/format/pe/testdata/pe-Windows-x64-cmd.fqtest new file mode 100644 index 0000000000..c26af8173c --- /dev/null +++ b/format/pe/testdata/pe-Windows-x64-cmd.fqtest 
@@ -0,0 +1,403 @@ +$ fq dv pe-Windows-x64-cmd + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-x64-cmd (pe) 0x0-0x543ff.7 (345088) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xef.7 (240) +0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x1.7 (2) +0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x3.7 (2) +0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x5.7 (2) +0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x7.7 (2) +0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0x9.7 (2) +0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xb.7 (2) +0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xd.7 (2) +0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0xf.7 (2) +0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x11.7 (2) +0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x13.7 (2) +0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x15.7 (2) +0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x17.7 (2) +0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x19.7 (2) +0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1b.7 (2) +0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x23.7 (8) +0x00020|00 00 00 00 |.... | +0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x25.7 (2) +0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x27.7 (2) +0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3b.7 (20) +0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ 
| +0x00030| f0 00 00 00| ....| e_lfanew: 240 (File address of new exe header) 0x3c-0x3f.7 (4) +0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x7f.7 (64) +* |until 0x7f.7 (64) | | +0x00080|4d 7c a4 8a 09 1d ca d9 09 1d ca d9 09 1d ca d9|M|..............| padding: raw bits 0x80-0xef.7 (112) +* |until 0xef.7 (112) | | + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xf0-0x543ff.7 (344848) +0x000f0|50 45 00 00 |PE.. | signature: raw bits (valid) 0xf0-0xf3.7 (4) +0x000f0| 64 86 | d. | machine: "amd64" (0x8664) (x64) 0xf4-0xf5.7 (2) +0x000f0| 06 00 | .. | number_of_sections: 6 0xf6-0xf7.7 (2) +0x000f0| e5 98 e7 4c | ...L | time_date_stamp: 1290246373 (2010-11-20T09:46:13Z) 0xf8-0xfb.7 (4) +0x000f0| 00 00 00 00| ....| pointer_to_symbol_table: 0x0 0xfc-0xff.7 (4) +0x00100|00 00 00 00 |.... | number_of_symbols: 0 0x100-0x103.7 (4) +0x00100| f0 00 | .. | size_of_optional_header: 240 0x104-0x105.7 (2) + | | | characteristics{}: 0x106-0x107.7 (2) +0x00100| 22 | " | bytes_reversed_hi: false 0x106-0x106 (0.1) +0x00100| 22 | " | up_system_only: false 0x106.1-0x106.1 (0.1) +0x00100| 22 | " | dll: true 0x106.2-0x106.2 (0.1) +0x00100| 22 | " | system: false 0x106.3-0x106.3 (0.1) +0x00100| 22 | " | net_run_from_swap: false 0x106.4-0x106.4 (0.1) +0x00100| 22 | " | removable_run_from_swap: false 0x106.5-0x106.5 (0.1) +0x00100| 22 | " | debug_stripped: true 0x106.6-0x106.6 (0.1) +0x00100| 22 | " | 32bit_machine: false 0x106.7-0x106.7 (0.1) +0x00100| 00 | . | bytes_reversed_lo: false 0x107-0x107 (0.1) +0x00100| 00 | . | reserved: false 0x107.1-0x107.1 (0.1) +0x00100| 00 | . | large_address_aware: false 0x107.2-0x107.2 (0.1) +0x00100| 00 | . | aggressive_ws_trim: false 0x107.3-0x107.3 (0.1) +0x00100| 00 | . | local_syms_stripped: false 0x107.4-0x107.4 (0.1) +0x00100| 00 | . | line_nums_stripped: false 0x107.5-0x107.5 (0.1) +0x00100| 00 | . 
| executable_image: false 0x107.6-0x107.6 (0.1) +0x00100| 00 | . | relocs_stripped: false 0x107.7-0x107.7 (0.1) + | | | optional_header{}: 0x108-0x1f7.7 (240) +0x00100| 0b 02 | .. | format: "pe32+" (0x20b) 0x108-0x109.7 (2) +0x00100| 09 | . | major_linker_version: 9 0x10a-0x10a.7 (1) +0x00100| 00 | . | minor_linker_version: 0 0x10b-0x10b.7 (1) +0x00100| 00 72 02 00| .r..| size_of_code: 160256 0x10c-0x10f.7 (4) +0x00110|00 ce 02 00 |.... | size_of_initialized_data: 183808 0x110-0x113.7 (4) +0x00110| 00 00 00 00 | .... | size_of_uninitialized_data: 0 0x114-0x117.7 (4) +0x00110| b4 90 00 00 | .... | address_of_entry_point: 0x90b4 0x118-0x11b.7 (4) +0x00110| 00 10 00 00| ....| base_of_code: 0x1000 0x11c-0x11f.7 (4) +0x00120|00 00 d0 4a 00 00 00 00 |...J.... | image_base: 0x4ad00000 0x120-0x127.7 (8) +0x00120| 00 10 00 00 | .... | section_alignment: 4096 0x128-0x12b.7 (4) +0x00120| 00 02 00 00| ....| file_alignment: 512 0x12c-0x12f.7 (4) +0x00130|06 00 |.. | major_os_version: 6 0x130-0x131.7 (2) +0x00130| 01 00 | .. | minor_os_version: 1 0x132-0x133.7 (2) +0x00130| 06 00 | .. | major_image_version: 6 0x134-0x135.7 (2) +0x00130| 01 00 | .. | minor_image_version: 1 0x136-0x137.7 (2) +0x00130| 06 00 | .. | major_subsystem_version: 6 0x138-0x139.7 (2) +0x00130| 01 00 | .. | minor_subsystem_version: 1 0x13a-0x13b.7 (2) +0x00130| 00 00 00 00| ....| win32_version: 0 0x13c-0x13f.7 (4) +0x00140|00 90 05 00 |.... | size_of_image: 364544 0x140-0x143.7 (4) +0x00140| 00 04 00 00 | .... | size_of_headers: 1024 0x144-0x147.7 (4) +0x00140| ec bd 05 00 | .... | chunk_sum: 0x5bdec 0x148-0x14b.7 (4) +0x00140| 03 00 | .. 
| subsystem: "windows_cui" (3) (The Windows character subsystem) 0x14c-0x14d.7 (2) + | | | dll_characteristics{}: 0x14e-0x14f.7 (2) +0x00140| 40 | @ | force_integrity: false 0x14e-0x14e (0.1) +0x00140| 40 | @ | dynamic_base: true 0x14e.1-0x14e.1 (0.1) +0x00140| 40 | @ | high_entropy_va: false 0x14e.2-0x14e.2 (0.1) +0x00140| 40 | @ | reserved0: false 0x14e.3-0x14e.3 (0.1) +0x00140| 40 | @ | reserved1: false 0x14e.4-0x14e.4 (0.1) +0x00140| 40 | @ | reserved2: false 0x14e.5-0x14e.5 (0.1) +0x00140| 40 | @ | reserved3: false 0x14e.6-0x14e.6 (0.1) +0x00140| 40 | @ | reserved4: false 0x14e.7-0x14e.7 (0.1) +0x00140| 81| .| terminal_server_aware: true 0x14f-0x14f (0.1) +0x00140| 81| .| guard_cf: false 0x14f.1-0x14f.1 (0.1) +0x00140| 81| .| wdm_driver: false 0x14f.2-0x14f.2 (0.1) +0x00140| 81| .| appcontainer: false 0x14f.3-0x14f.3 (0.1) +0x00140| 81| .| no_bind: false 0x14f.4-0x14f.4 (0.1) +0x00140| 81| .| no_seh: false 0x14f.5-0x14f.5 (0.1) +0x00140| 81| .| no_isolation: false 0x14f.6-0x14f.6 (0.1) +0x00140| 81| .| nx_compat: true 0x14f.7-0x14f.7 (0.1) +0x00150|00 00 10 00 00 00 00 00 |........ | size_of_track_reserve: 1048576 0x150-0x157.7 (8) +0x00150| 00 c0 0f 00 00 00 00 00| ........| size_of_stack_commit: 1032192 0x158-0x15f.7 (8) +0x00160|00 00 10 00 00 00 00 00 |........ | size_of_heap_reserve: 1048576 0x160-0x167.7 (8) +0x00160| 00 10 00 00 00 00 00 00| ........| size_of_heap_commit: 4096 0x168-0x16f.7 (8) +0x00170|00 00 00 00 |.... | loader_flags: 0 0x170-0x173.7 (4) +0x00170| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0x174-0x177.7 (4) +0x00170| 00 00 00 00 | .... | export_table_address: 0x0 0x178-0x17b.7 (4) +0x00170| 00 00 00 00| ....| export_table_size: 0 0x17c-0x17f.7 (4) +0x00180|58 a7 02 00 |X... | import_table_address: 0x2a758 0x180-0x183.7 (4) +0x00180| 64 00 00 00 | d... | import_table_size: 100 0x184-0x187.7 (4) +0x00180| 00 f0 04 00 | .... 
| resource_table_address: 0x4f000 0x188-0x18b.7 (4) +0x00180| 58 84 00 00| X...| resource_table_size: 33880 0x18c-0x18f.7 (4) +0x00190|00 c0 04 00 |.... | exception_table_address: 0x4c000 0x190-0x193.7 (4) +0x00190| dc 26 00 00 | .&.. | exception_table_size: 9948 0x194-0x197.7 (4) +0x00190| 00 00 00 00 | .... | certificate_table_address: 0x0 0x198-0x19b.7 (4) +0x00190| 00 00 00 00| ....| certificate_table_size: 0 0x19c-0x19f.7 (4) +0x001a0|00 80 05 00 |.... | base_relocation_table_address: 0x58000 0x1a0-0x1a3.7 (4) +0x001a0| 24 01 00 00 | $... | base_relocation_table_size: 292 0x1a4-0x1a7.7 (4) +0x001a0| 70 80 02 00 | p... | debug_address: 0x28070 0x1a8-0x1ab.7 (4) +0x001a0| 38 00 00 00| 8...| debug_size: 56 0x1ac-0x1af.7 (4) +0x001b0|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x1b0-0x1b7.7 (8) +0x001b0| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x1b8-0x1bf.7 (8) +0x001c0|00 00 00 00 |.... | tls_table_address: 0x0 0x1c0-0x1c3.7 (4) +0x001c0| 00 00 00 00 | .... | tls_table_size: 0 0x1c4-0x1c7.7 (4) +0x001c0| 00 00 00 00 | .... | load_config_table_address: 0x0 0x1c8-0x1cb.7 (4) +0x001c0| 00 00 00 00| ....| load_config_table_size: 0 0x1cc-0x1cf.7 (4) +0x001d0|e8 02 00 00 |.... | bound_import_address: 0x2e8 0x1d0-0x1d3.7 (4) +0x001d0| 9c 00 00 00 | .... | bound_import_size: 156 0x1d4-0x1d7.7 (4) +0x001d0| 00 90 02 00 | .... | iat_address: 0x29000 0x1d8-0x1db.7 (4) +0x001d0| 48 07 00 00| H...| iat_size: 1864 0x1dc-0x1df.7 (4) +0x001e0|2c a4 02 00 |,... | delay_import_descriptor_address: 0x2a42c 0x1e0-0x1e3.7 (4) +0x001e0| a0 00 00 00 | .... | delay_import_descriptor_size: 160 0x1e4-0x1e7.7 (4) +0x001e0| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x1e8-0x1eb.7 (4) +0x001e0| 00 00 00 00| ....| clr_runtime_header_size: 0 0x1ec-0x1ef.7 (4) +0x001f0|00 00 00 00 00 00 00 00 |........ 
| reserved: 0 0x1f0-0x1f7.7 (8) + | | | unknown: raw bits 0x1f8-NA (0) + | | | sections[0:6]: 0x1f8-0x543ff.7 (344584) + | | | [0]{}: section 0x1f8-0x275ff.7 (160776) +0x001f0| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x1f8-0x1ff.7 (8) +0x00200|cc 70 02 00 |.p.. | virtual_size: 159948 0x200-0x203.7 (4) +0x00200| 00 10 00 00 | .... | virtual_address: 0x1000 0x204-0x207.7 (4) +0x00200| 00 72 02 00 | .r.. | size_of_raw_data: 160256 0x208-0x20b.7 (4) +0x00200| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x20c-0x20f.7 (4) +0x00210|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x210-0x213.7 (4) +0x00210| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x214-0x217.7 (4) +0x00210| 00 00 | .. | number_of_relocations: 0 0x218-0x219.7 (2) +0x00210| 00 00 | .. | number_of_line_numbers: 0 0x21a-0x21b.7 (2) + | | | characteristics{}: 0x21c-0x21f.7 (4) +0x00210| 20 | | cnt_uninitialized_data: false 0x21c-0x21c (0.1) +0x00210| 20 | | cnt_initialized_data: false 0x21c.1-0x21c.1 (0.1) +0x00210| 20 | | cnt_code: true 0x21c.2-0x21c.2 (0.1) +0x00210| 20 | | reserved: false 0x21c.3-0x21c.3 (0.1) +0x00210| 20 | | type_no_pad: false 0x21c.4-0x21c.4 (0.1) +0x00210| 20 | | reserved0: false 0x21c.5-0x21c.5 (0.1) +0x00210| 20 | | reserved1: false 0x21c.6-0x21c.6 (0.1) +0x00210| 20 | | reserved2: false 0x21c.7-0x21c.7 (0.1) +0x00210| 00 | . | gprel: false 0x21d-0x21d (0.1) +0x00210| 00 | . | unknown0: false 0x21d.1-0x21d.1 (0.1) +0x00210| 00 | . | unknown1: false 0x21d.2-0x21d.2 (0.1) +0x00210| 00 | . | lnk_comdat: false 0x21d.3-0x21d.3 (0.1) +0x00210| 00 | . | lnk_remove: false 0x21d.4-0x21d.4 (0.1) +0x00210| 00 | . | reserved3: false 0x21d.5-0x21d.5 (0.1) +0x00210| 00 | . | lnk_info: false 0x21d.6-0x21d.6 (0.1) +0x00210| 00 | . | lnk_other: false 0x21d.7-0x21d.7 (0.1) +0x00210| 00 | . | align_128bytes: false 0x21e-0x21e (0.1) +0x00210| 00 | . | align_8bytes: false 0x21e.1-0x21e.1 (0.1) +0x00210| 00 | . | align_2bytes: false 0x21e.2-0x21e.2 (0.1) +0x00210| 00 | . 
| align_1bytes: false 0x21e.3-0x21e.3 (0.1) +0x00210| 00 | . | mem_preload: false 0x21e.4-0x21e.4 (0.1) +0x00210| 00 | . | mem_locked: false 0x21e.5-0x21e.5 (0.1) +0x00210| 00 | . | mem_16bit: false 0x21e.6-0x21e.6 (0.1) +0x00210| 00 | . | mem_purgeable: false 0x21e.7-0x21e.7 (0.1) +0x00210| 60| `| mem_write: false 0x21f-0x21f (0.1) +0x00210| 60| `| mem_read: true 0x21f.1-0x21f.1 (0.1) +0x00210| 60| `| mem_execute: true 0x21f.2-0x21f.2 (0.1) +0x00210| 60| `| mem_shared: false 0x21f.3-0x21f.3 (0.1) +0x00210| 60| `| mem_not_paged: false 0x21f.4-0x21f.4 (0.1) +0x00210| 60| `| mem_not_cached: false 0x21f.5-0x21f.5 (0.1) +0x00210| 60| `| mem_discardable: false 0x21f.6-0x21f.6 (0.1) +0x00210| 60| `| lnk_nreloc_ovfl: false 0x21f.7-0x21f.7 (0.1) +0x00400|48 3b 0d c1 d1 02 00 0f 85 24 51 01 00 48 c1 c1|H;.......$Q..H..| data: raw bits 0x400-0x275ff.7 (160256) +* |until 0x275ff.7 (160256) | | + | | | [1]{}: section 0x220-0x2bfff.7 (179680) +0x00220|2e 72 64 61 74 61 00 00 |.rdata.. | name: ".rdata" 0x220-0x227.7 (8) +0x00220| 10 49 00 00 | .I.. | virtual_size: 18704 0x228-0x22b.7 (4) +0x00220| 00 90 02 00| ....| virtual_address: 0x29000 0x22c-0x22f.7 (4) +0x00230|00 4a 00 00 |.J.. | size_of_raw_data: 18944 0x230-0x233.7 (4) +0x00230| 00 76 02 00 | .v.. | pointer_to_raw_data: 0x27600 0x234-0x237.7 (4) +0x00230| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x238-0x23b.7 (4) +0x00230| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x23c-0x23f.7 (4) +0x00240|00 00 |.. | number_of_relocations: 0 0x240-0x241.7 (2) +0x00240| 00 00 | .. 
| number_of_line_numbers: 0 0x242-0x243.7 (2) + | | | characteristics{}: 0x244-0x247.7 (4) +0x00240| 40 | @ | cnt_uninitialized_data: false 0x244-0x244 (0.1) +0x00240| 40 | @ | cnt_initialized_data: true 0x244.1-0x244.1 (0.1) +0x00240| 40 | @ | cnt_code: false 0x244.2-0x244.2 (0.1) +0x00240| 40 | @ | reserved: false 0x244.3-0x244.3 (0.1) +0x00240| 40 | @ | type_no_pad: false 0x244.4-0x244.4 (0.1) +0x00240| 40 | @ | reserved0: false 0x244.5-0x244.5 (0.1) +0x00240| 40 | @ | reserved1: false 0x244.6-0x244.6 (0.1) +0x00240| 40 | @ | reserved2: false 0x244.7-0x244.7 (0.1) +0x00240| 00 | . | gprel: false 0x245-0x245 (0.1) +0x00240| 00 | . | unknown0: false 0x245.1-0x245.1 (0.1) +0x00240| 00 | . | unknown1: false 0x245.2-0x245.2 (0.1) +0x00240| 00 | . | lnk_comdat: false 0x245.3-0x245.3 (0.1) +0x00240| 00 | . | lnk_remove: false 0x245.4-0x245.4 (0.1) +0x00240| 00 | . | reserved3: false 0x245.5-0x245.5 (0.1) +0x00240| 00 | . | lnk_info: false 0x245.6-0x245.6 (0.1) +0x00240| 00 | . | lnk_other: false 0x245.7-0x245.7 (0.1) +0x00240| 00 | . | align_128bytes: false 0x246-0x246 (0.1) +0x00240| 00 | . | align_8bytes: false 0x246.1-0x246.1 (0.1) +0x00240| 00 | . | align_2bytes: false 0x246.2-0x246.2 (0.1) +0x00240| 00 | . | align_1bytes: false 0x246.3-0x246.3 (0.1) +0x00240| 00 | . | mem_preload: false 0x246.4-0x246.4 (0.1) +0x00240| 00 | . | mem_locked: false 0x246.5-0x246.5 (0.1) +0x00240| 00 | . | mem_16bit: false 0x246.6-0x246.6 (0.1) +0x00240| 00 | . 
| mem_purgeable: false 0x246.7-0x246.7 (0.1) +0x00240| 40 | @ | mem_write: false 0x247-0x247 (0.1) +0x00240| 40 | @ | mem_read: true 0x247.1-0x247.1 (0.1) +0x00240| 40 | @ | mem_execute: false 0x247.2-0x247.2 (0.1) +0x00240| 40 | @ | mem_shared: false 0x247.3-0x247.3 (0.1) +0x00240| 40 | @ | mem_not_paged: false 0x247.4-0x247.4 (0.1) +0x00240| 40 | @ | mem_not_cached: false 0x247.5-0x247.5 (0.1) +0x00240| 40 | @ | mem_discardable: false 0x247.6-0x247.6 (0.1) +0x00240| 40 | @ | lnk_nreloc_ovfl: false 0x247.7-0x247.7 (0.1) +0x27600|00 10 6a 75 ff 07 00 00 e0 10 6a 75 ff 07 00 00|..ju......ju....| data: raw bits 0x27600-0x2bfff.7 (18944) +* |until 0x2bfff.7 (18944) | | + | | | [2]{}: section 0x248-0x493ff.7 (299448) +0x00240| 2e 64 61 74 61 00 00 00| .data...| name: ".data" 0x248-0x24f.7 (8) +0x00250|98 d3 01 00 |.... | virtual_size: 119704 0x250-0x253.7 (4) +0x00250| 00 e0 02 00 | .... | virtual_address: 0x2e000 0x254-0x257.7 (4) +0x00250| 00 d4 01 00 | .... | size_of_raw_data: 119808 0x258-0x25b.7 (4) +0x00250| 00 c0 02 00| ....| pointer_to_raw_data: 0x2c000 0x25c-0x25f.7 (4) +0x00260|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x260-0x263.7 (4) +0x00260| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x264-0x267.7 (4) +0x00260| 00 00 | .. | number_of_relocations: 0 0x268-0x269.7 (2) +0x00260| 00 00 | .. | number_of_line_numbers: 0 0x26a-0x26b.7 (2) + | | | characteristics{}: 0x26c-0x26f.7 (4) +0x00260| 40 | @ | cnt_uninitialized_data: false 0x26c-0x26c (0.1) +0x00260| 40 | @ | cnt_initialized_data: true 0x26c.1-0x26c.1 (0.1) +0x00260| 40 | @ | cnt_code: false 0x26c.2-0x26c.2 (0.1) +0x00260| 40 | @ | reserved: false 0x26c.3-0x26c.3 (0.1) +0x00260| 40 | @ | type_no_pad: false 0x26c.4-0x26c.4 (0.1) +0x00260| 40 | @ | reserved0: false 0x26c.5-0x26c.5 (0.1) +0x00260| 40 | @ | reserved1: false 0x26c.6-0x26c.6 (0.1) +0x00260| 40 | @ | reserved2: false 0x26c.7-0x26c.7 (0.1) +0x00260| 00 | . | gprel: false 0x26d-0x26d (0.1) +0x00260| 00 | . 
| unknown0: false 0x26d.1-0x26d.1 (0.1) +0x00260| 00 | . | unknown1: false 0x26d.2-0x26d.2 (0.1) +0x00260| 00 | . | lnk_comdat: false 0x26d.3-0x26d.3 (0.1) +0x00260| 00 | . | lnk_remove: false 0x26d.4-0x26d.4 (0.1) +0x00260| 00 | . | reserved3: false 0x26d.5-0x26d.5 (0.1) +0x00260| 00 | . | lnk_info: false 0x26d.6-0x26d.6 (0.1) +0x00260| 00 | . | lnk_other: false 0x26d.7-0x26d.7 (0.1) +0x00260| 00 | . | align_128bytes: false 0x26e-0x26e (0.1) +0x00260| 00 | . | align_8bytes: false 0x26e.1-0x26e.1 (0.1) +0x00260| 00 | . | align_2bytes: false 0x26e.2-0x26e.2 (0.1) +0x00260| 00 | . | align_1bytes: false 0x26e.3-0x26e.3 (0.1) +0x00260| 00 | . | mem_preload: false 0x26e.4-0x26e.4 (0.1) +0x00260| 00 | . | mem_locked: false 0x26e.5-0x26e.5 (0.1) +0x00260| 00 | . | mem_16bit: false 0x26e.6-0x26e.6 (0.1) +0x00260| 00 | . | mem_purgeable: false 0x26e.7-0x26e.7 (0.1) +0x00260| c0| .| mem_write: true 0x26f-0x26f (0.1) +0x00260| c0| .| mem_read: true 0x26f.1-0x26f.1 (0.1) +0x00260| c0| .| mem_execute: false 0x26f.2-0x26f.2 (0.1) +0x00260| c0| .| mem_shared: false 0x26f.3-0x26f.3 (0.1) +0x00260| c0| .| mem_not_paged: false 0x26f.4-0x26f.4 (0.1) +0x00260| c0| .| mem_not_cached: false 0x26f.5-0x26f.5 (0.1) +0x00260| c0| .| mem_discardable: false 0x26f.6-0x26f.6 (0.1) +0x00260| c0| .| lnk_nreloc_ovfl: false 0x26f.7-0x26f.7 (0.1) +0x2c000|80 bf d0 4a 00 00 00 00 8c bf d0 4a 00 00 00 00|...J.......J....| data: raw bits 0x2c000-0x493ff.7 (119808) +* |until 0x493ff.7 (119808) | | + | | | [3]{}: section 0x270-0x4bbff.7 (309648) +0x00270|2e 70 64 61 74 61 00 00 |.pdata.. | name: ".pdata" 0x270-0x277.7 (8) +0x00270| dc 26 00 00 | .&.. | virtual_size: 9948 0x278-0x27b.7 (4) +0x00270| 00 c0 04 00| ....| virtual_address: 0x4c000 0x27c-0x27f.7 (4) +0x00280|00 28 00 00 |.(.. | size_of_raw_data: 10240 0x280-0x283.7 (4) +0x00280| 00 94 04 00 | .... | pointer_to_raw_data: 0x49400 0x284-0x287.7 (4) +0x00280| 00 00 00 00 | .... 
| pointer_to_relocations: 0x0 0x288-0x28b.7 (4) +0x00280| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x28c-0x28f.7 (4) +0x00290|00 00 |.. | number_of_relocations: 0 0x290-0x291.7 (2) +0x00290| 00 00 | .. | number_of_line_numbers: 0 0x292-0x293.7 (2) + | | | characteristics{}: 0x294-0x297.7 (4) +0x00290| 40 | @ | cnt_uninitialized_data: false 0x294-0x294 (0.1) +0x00290| 40 | @ | cnt_initialized_data: true 0x294.1-0x294.1 (0.1) +0x00290| 40 | @ | cnt_code: false 0x294.2-0x294.2 (0.1) +0x00290| 40 | @ | reserved: false 0x294.3-0x294.3 (0.1) +0x00290| 40 | @ | type_no_pad: false 0x294.4-0x294.4 (0.1) +0x00290| 40 | @ | reserved0: false 0x294.5-0x294.5 (0.1) +0x00290| 40 | @ | reserved1: false 0x294.6-0x294.6 (0.1) +0x00290| 40 | @ | reserved2: false 0x294.7-0x294.7 (0.1) +0x00290| 00 | . | gprel: false 0x295-0x295 (0.1) +0x00290| 00 | . | unknown0: false 0x295.1-0x295.1 (0.1) +0x00290| 00 | . | unknown1: false 0x295.2-0x295.2 (0.1) +0x00290| 00 | . | lnk_comdat: false 0x295.3-0x295.3 (0.1) +0x00290| 00 | . | lnk_remove: false 0x295.4-0x295.4 (0.1) +0x00290| 00 | . | reserved3: false 0x295.5-0x295.5 (0.1) +0x00290| 00 | . | lnk_info: false 0x295.6-0x295.6 (0.1) +0x00290| 00 | . | lnk_other: false 0x295.7-0x295.7 (0.1) +0x00290| 00 | . | align_128bytes: false 0x296-0x296 (0.1) +0x00290| 00 | . | align_8bytes: false 0x296.1-0x296.1 (0.1) +0x00290| 00 | . | align_2bytes: false 0x296.2-0x296.2 (0.1) +0x00290| 00 | . | align_1bytes: false 0x296.3-0x296.3 (0.1) +0x00290| 00 | . | mem_preload: false 0x296.4-0x296.4 (0.1) +0x00290| 00 | . | mem_locked: false 0x296.5-0x296.5 (0.1) +0x00290| 00 | . | mem_16bit: false 0x296.6-0x296.6 (0.1) +0x00290| 00 | . 
| mem_purgeable: false 0x296.7-0x296.7 (0.1) +0x00290| 40 | @ | mem_write: false 0x297-0x297 (0.1) +0x00290| 40 | @ | mem_read: true 0x297.1-0x297.1 (0.1) +0x00290| 40 | @ | mem_execute: false 0x297.2-0x297.2 (0.1) +0x00290| 40 | @ | mem_shared: false 0x297.3-0x297.3 (0.1) +0x00290| 40 | @ | mem_not_paged: false 0x297.4-0x297.4 (0.1) +0x00290| 40 | @ | mem_not_cached: false 0x297.5-0x297.5 (0.1) +0x00290| 40 | @ | mem_discardable: false 0x297.6-0x297.6 (0.1) +0x00290| 40 | @ | lnk_nreloc_ovfl: false 0x297.7-0x297.7 (0.1) +0x49400|40 10 00 00 ab 10 00 00 f0 cb 02 00 cc 10 00 00|@...............| data: raw bits 0x49400-0x4bbff.7 (10240) +* |until 0x4bbff.7 (10240) | | + | | | [4]{}: section 0x298-0x541ff.7 (343912) +0x00290| 2e 72 73 72 63 00 00 00| .rsrc...| name: ".rsrc" 0x298-0x29f.7 (8) +0x002a0|58 84 00 00 |X... | virtual_size: 33880 0x2a0-0x2a3.7 (4) +0x002a0| 00 f0 04 00 | .... | virtual_address: 0x4f000 0x2a4-0x2a7.7 (4) +0x002a0| 00 86 00 00 | .... | size_of_raw_data: 34304 0x2a8-0x2ab.7 (4) +0x002a0| 00 bc 04 00| ....| pointer_to_raw_data: 0x4bc00 0x2ac-0x2af.7 (4) +0x002b0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2b0-0x2b3.7 (4) +0x002b0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2b4-0x2b7.7 (4) +0x002b0| 00 00 | .. | number_of_relocations: 0 0x2b8-0x2b9.7 (2) +0x002b0| 00 00 | .. | number_of_line_numbers: 0 0x2ba-0x2bb.7 (2) + | | | characteristics{}: 0x2bc-0x2bf.7 (4) +0x002b0| 40 | @ | cnt_uninitialized_data: false 0x2bc-0x2bc (0.1) +0x002b0| 40 | @ | cnt_initialized_data: true 0x2bc.1-0x2bc.1 (0.1) +0x002b0| 40 | @ | cnt_code: false 0x2bc.2-0x2bc.2 (0.1) +0x002b0| 40 | @ | reserved: false 0x2bc.3-0x2bc.3 (0.1) +0x002b0| 40 | @ | type_no_pad: false 0x2bc.4-0x2bc.4 (0.1) +0x002b0| 40 | @ | reserved0: false 0x2bc.5-0x2bc.5 (0.1) +0x002b0| 40 | @ | reserved1: false 0x2bc.6-0x2bc.6 (0.1) +0x002b0| 40 | @ | reserved2: false 0x2bc.7-0x2bc.7 (0.1) +0x002b0| 00 | . | gprel: false 0x2bd-0x2bd (0.1) +0x002b0| 00 | . 
| unknown0: false 0x2bd.1-0x2bd.1 (0.1) +0x002b0| 00 | . | unknown1: false 0x2bd.2-0x2bd.2 (0.1) +0x002b0| 00 | . | lnk_comdat: false 0x2bd.3-0x2bd.3 (0.1) +0x002b0| 00 | . | lnk_remove: false 0x2bd.4-0x2bd.4 (0.1) +0x002b0| 00 | . | reserved3: false 0x2bd.5-0x2bd.5 (0.1) +0x002b0| 00 | . | lnk_info: false 0x2bd.6-0x2bd.6 (0.1) +0x002b0| 00 | . | lnk_other: false 0x2bd.7-0x2bd.7 (0.1) +0x002b0| 00 | . | align_128bytes: false 0x2be-0x2be (0.1) +0x002b0| 00 | . | align_8bytes: false 0x2be.1-0x2be.1 (0.1) +0x002b0| 00 | . | align_2bytes: false 0x2be.2-0x2be.2 (0.1) +0x002b0| 00 | . | align_1bytes: false 0x2be.3-0x2be.3 (0.1) +0x002b0| 00 | . | mem_preload: false 0x2be.4-0x2be.4 (0.1) +0x002b0| 00 | . | mem_locked: false 0x2be.5-0x2be.5 (0.1) +0x002b0| 00 | . | mem_16bit: false 0x2be.6-0x2be.6 (0.1) +0x002b0| 00 | . | mem_purgeable: false 0x2be.7-0x2be.7 (0.1) +0x002b0| 40| @| mem_write: false 0x2bf-0x2bf (0.1) +0x002b0| 40| @| mem_read: true 0x2bf.1-0x2bf.1 (0.1) +0x002b0| 40| @| mem_execute: false 0x2bf.2-0x2bf.2 (0.1) +0x002b0| 40| @| mem_shared: false 0x2bf.3-0x2bf.3 (0.1) +0x002b0| 40| @| mem_not_paged: false 0x2bf.4-0x2bf.4 (0.1) +0x002b0| 40| @| mem_not_cached: false 0x2bf.5-0x2bf.5 (0.1) +0x002b0| 40| @| mem_discardable: false 0x2bf.6-0x2bf.6 (0.1) +0x002b0| 40| @| lnk_nreloc_ovfl: false 0x2bf.7-0x2bf.7 (0.1) +0x4bc00|00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 00|................| data: raw bits 0x4bc00-0x541ff.7 (34304) +* |until 0x541ff.7 (34304) | | + | | | [5]{}: section 0x2c0-0x543ff.7 (344384) +0x002c0|2e 72 65 6c 6f 63 00 00 |.reloc.. | name: ".reloc" 0x2c0-0x2c7.7 (8) +0x002c0| 24 01 00 00 | $... | virtual_size: 292 0x2c8-0x2cb.7 (4) +0x002c0| 00 80 05 00| ....| virtual_address: 0x58000 0x2cc-0x2cf.7 (4) +0x002d0|00 02 00 00 |.... | size_of_raw_data: 512 0x2d0-0x2d3.7 (4) +0x002d0| 00 42 05 00 | .B.. | pointer_to_raw_data: 0x54200 0x2d4-0x2d7.7 (4) +0x002d0| 00 00 00 00 | .... 
| pointer_to_relocations: 0x0 0x2d8-0x2db.7 (4) +0x002d0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2dc-0x2df.7 (4) +0x002e0|00 00 |.. | number_of_relocations: 0 0x2e0-0x2e1.7 (2) +0x002e0| 00 00 | .. | number_of_line_numbers: 0 0x2e2-0x2e3.7 (2) + | | | characteristics{}: 0x2e4-0x2e7.7 (4) +0x002e0| 40 | @ | cnt_uninitialized_data: false 0x2e4-0x2e4 (0.1) +0x002e0| 40 | @ | cnt_initialized_data: true 0x2e4.1-0x2e4.1 (0.1) +0x002e0| 40 | @ | cnt_code: false 0x2e4.2-0x2e4.2 (0.1) +0x002e0| 40 | @ | reserved: false 0x2e4.3-0x2e4.3 (0.1) +0x002e0| 40 | @ | type_no_pad: false 0x2e4.4-0x2e4.4 (0.1) +0x002e0| 40 | @ | reserved0: false 0x2e4.5-0x2e4.5 (0.1) +0x002e0| 40 | @ | reserved1: false 0x2e4.6-0x2e4.6 (0.1) +0x002e0| 40 | @ | reserved2: false 0x2e4.7-0x2e4.7 (0.1) +0x002e0| 00 | . | gprel: false 0x2e5-0x2e5 (0.1) +0x002e0| 00 | . | unknown0: false 0x2e5.1-0x2e5.1 (0.1) +0x002e0| 00 | . | unknown1: false 0x2e5.2-0x2e5.2 (0.1) +0x002e0| 00 | . | lnk_comdat: false 0x2e5.3-0x2e5.3 (0.1) +0x002e0| 00 | . | lnk_remove: false 0x2e5.4-0x2e5.4 (0.1) +0x002e0| 00 | . | reserved3: false 0x2e5.5-0x2e5.5 (0.1) +0x002e0| 00 | . | lnk_info: false 0x2e5.6-0x2e5.6 (0.1) +0x002e0| 00 | . | lnk_other: false 0x2e5.7-0x2e5.7 (0.1) +0x002e0| 00 | . | align_128bytes: false 0x2e6-0x2e6 (0.1) +0x002e0| 00 | . | align_8bytes: false 0x2e6.1-0x2e6.1 (0.1) +0x002e0| 00 | . | align_2bytes: false 0x2e6.2-0x2e6.2 (0.1) +0x002e0| 00 | . | align_1bytes: false 0x2e6.3-0x2e6.3 (0.1) +0x002e0| 00 | . | mem_preload: false 0x2e6.4-0x2e6.4 (0.1) +0x002e0| 00 | . | mem_locked: false 0x2e6.5-0x2e6.5 (0.1) +0x002e0| 00 | . | mem_16bit: false 0x2e6.6-0x2e6.6 (0.1) +0x002e0| 00 | . 
| mem_purgeable: false 0x2e6.7-0x2e6.7 (0.1) +0x002e0| 42 | B | mem_write: false 0x2e7-0x2e7 (0.1) +0x002e0| 42 | B | mem_read: true 0x2e7.1-0x2e7.1 (0.1) +0x002e0| 42 | B | mem_execute: false 0x2e7.2-0x2e7.2 (0.1) +0x002e0| 42 | B | mem_shared: false 0x2e7.3-0x2e7.3 (0.1) +0x002e0| 42 | B | mem_not_paged: false 0x2e7.4-0x2e7.4 (0.1) +0x002e0| 42 | B | mem_not_cached: false 0x2e7.5-0x2e7.5 (0.1) +0x002e0| 42 | B | mem_discardable: true 0x2e7.6-0x2e7.6 (0.1) +0x002e0| 42 | B | lnk_nreloc_ovfl: false 0x2e7.7-0x2e7.7 (0.1) +0x54200|00 90 02 00 14 00 00 00 10 aa 18 aa 30 aa c0 ae|............0...| data: raw bits 0x54200-0x543ff.7 (512) +* |until 0x543ff.7 (end) (512) | | +0x002e0| 37 c8 e7 4c 40 00 01 00| 7..L@...| gap0: raw bits 0x2e8-0x3ff.7 (280) +0x002f0|f9 c8 e7 4c 4b 00 00 00 f9 c8 e7 4c 4b 00 00 00|...LK......LK...| +* |until 0x3ff.7 (280) | | diff --git a/format/pe/testdata/pe-Windows-x86-cmd b/format/pe/testdata/pe-Windows-x86-cmd new file mode 100755 index 0000000000..9dc724d1ef Binary files /dev/null and b/format/pe/testdata/pe-Windows-x86-cmd differ diff --git a/format/pe/testdata/pe-Windows-x86-cmd.fqtest b/format/pe/testdata/pe-Windows-x86-cmd.fqtest new file mode 100644 index 0000000000..9707901e64 --- /dev/null +++ b/format/pe/testdata/pe-Windows-x86-cmd.fqtest 
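Review bot: The expected output for the COFF header `characteristics{}` at 0x106 looks byte-swapped, so this golden file locks in a wrong decode. The bytes are `22 00`, which as a little-endian 16-bit value is 0x0022 (executable image plus large-address-aware), yet the fixture records `dll: true`, `debug_stripped: true` and `executable_image: false` for cmd.exe. The decoder that produces this is outside the hunk; presumably it reads the flags as bits in file order instead of from a little-endian u16, and once fixed the lines should read `dll: false`, `large_address_aware: true`, `executable_image: true`. The x86 fixture that follows shows the same pattern, with byte `02` reported as `debug_stripped: true`, whereas `dll_characteristics` and the section `characteristics` already decode consistently with their bytes. Separately, `size_of_track_reserve` and `chunk_sum` look like misspellings of the stack-reserve and checksum fields, and are worth renaming before the fixtures are regenerated.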
@@ -0,0 +1,313 @@ +$ fq dv pe-Windows-x86-cmd + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-x86-cmd (pe) 0x0-0x499ff.7 (301568) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xd7.7 (216) +0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x1.7 (2) +0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x3.7 (2) +0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x5.7 (2) +0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x7.7 (2) +0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0x9.7 (2) +0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xb.7 (2) +0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xd.7 (2) +0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0xf.7 (2) +0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x11.7 (2) +0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x13.7 (2) +0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x15.7 (2) +0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x17.7 (2) +0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x19.7 (2) +0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1b.7 (2) +0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x23.7 (8) +0x00020|00 00 00 00 |.... | +0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x25.7 (2) +0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x27.7 (2) +0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3b.7 (20) +0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ 
| +0x00030| d8 00 00 00| ....| e_lfanew: 216 (File address of new exe header) 0x3c-0x3f.7 (4) +0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x7f.7 (64) +* |until 0x7f.7 (64) | | +0x00080|de 72 92 b9 9a 13 fc ea 9a 13 fc ea 9a 13 fc ea|.r..............| padding: raw bits 0x80-0xd7.7 (88) +* |until 0xd7.7 (88) | | + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xd8-0x499ff.7 (301352) +0x000d0| 50 45 00 00 | PE.. | signature: raw bits (valid) 0xd8-0xdb.7 (4) +0x000d0| 4c 01 | L. | machine: "i386" (0x14c) (Intel 386 or later processors and compatible processors) 0xdc-0xdd.7 (2) +0x000d0| 04 00| ..| number_of_sections: 4 0xde-0xdf.7 (2) +0x000e0|9e c1 5b 4a |..[J | time_date_stamp: 1247527326 (2009-07-13T23:22:06Z) 0xe0-0xe3.7 (4) +0x000e0| 00 00 00 00 | .... | pointer_to_symbol_table: 0x0 0xe4-0xe7.7 (4) +0x000e0| 00 00 00 00 | .... | number_of_symbols: 0 0xe8-0xeb.7 (4) +0x000e0| e0 00 | .. | size_of_optional_header: 224 0xec-0xed.7 (2) + | | | characteristics{}: 0xee-0xef.7 (2) +0x000e0| 02 | . | bytes_reversed_hi: false 0xee-0xee (0.1) +0x000e0| 02 | . | up_system_only: false 0xee.1-0xee.1 (0.1) +0x000e0| 02 | . | dll: false 0xee.2-0xee.2 (0.1) +0x000e0| 02 | . | system: false 0xee.3-0xee.3 (0.1) +0x000e0| 02 | . | net_run_from_swap: false 0xee.4-0xee.4 (0.1) +0x000e0| 02 | . | removable_run_from_swap: false 0xee.5-0xee.5 (0.1) +0x000e0| 02 | . | debug_stripped: true 0xee.6-0xee.6 (0.1) +0x000e0| 02 | . 
| 32bit_machine: false 0xee.7-0xee.7 (0.1) +0x000e0| 00| .| bytes_reversed_lo: false 0xef-0xef (0.1) +0x000e0| 00| .| reserved: false 0xef.1-0xef.1 (0.1) +0x000e0| 00| .| large_address_aware: false 0xef.2-0xef.2 (0.1) +0x000e0| 00| .| aggressive_ws_trim: false 0xef.3-0xef.3 (0.1) +0x000e0| 00| .| local_syms_stripped: false 0xef.4-0xef.4 (0.1) +0x000e0| 00| .| line_nums_stripped: false 0xef.5-0xef.5 (0.1) +0x000e0| 00| .| executable_image: false 0xef.6-0xef.6 (0.1) +0x000e0| 00| .| relocs_stripped: false 0xef.7-0xef.7 (0.1) + | | | optional_header{}: 0xf0-0x1cf.7 (224) +0x000f0|0b 01 |.. | format: "pe32" (0x10b) 0xf0-0xf1.7 (2) +0x000f0| 09 | . | major_linker_version: 9 0xf2-0xf2.7 (1) +0x000f0| 00 | . | minor_linker_version: 0 0xf3-0xf3.7 (1) +0x000f0| 00 2a 02 00 | .*.. | size_of_code: 141824 0xf4-0xf7.7 (4) +0x000f0| 00 6c 02 00 | .l.. | size_of_initialized_data: 158720 0xf8-0xfb.7 (4) +0x000f0| 00 00 00 00| ....| size_of_uninitialized_data: 0 0xfc-0xff.7 (4) +0x00100|dc 60 00 00 |.`.. | address_of_entry_point: 0x60dc 0x100-0x103.7 (4) +0x00100| 00 10 00 00 | .... | base_of_code: 0x1000 0x104-0x107.7 (4) +0x00100| 00 20 02 00 | . .. | base_of_data: 0x22000 0x108-0x10b.7 (4) +0x00100| 00 00 d0 4a| ...J| image_base: 0x4ad00000 0x10c-0x10f.7 (4) +0x00110|00 10 00 00 |.... | section_alignment: 4096 0x110-0x113.7 (4) +0x00110| 00 02 00 00 | .... | file_alignment: 512 0x114-0x117.7 (4) +0x00110| 06 00 | .. | major_os_version: 6 0x118-0x119.7 (2) +0x00110| 01 00 | .. | minor_os_version: 1 0x11a-0x11b.7 (2) +0x00110| 06 00 | .. | major_image_version: 6 0x11c-0x11d.7 (2) +0x00110| 01 00| ..| minor_image_version: 1 0x11e-0x11f.7 (2) +0x00120|06 00 |.. | major_subsystem_version: 6 0x120-0x121.7 (2) +0x00120| 01 00 | .. | minor_subsystem_version: 1 0x122-0x123.7 (2) +0x00120| 00 00 00 00 | .... | win32_version: 0 0x124-0x127.7 (4) +0x00120| 00 c0 04 00 | .... 
| size_of_image: 311296 0x128-0x12b.7 (4) +0x00120| 00 04 00 00| ....| size_of_headers: 1024 0x12c-0x12f.7 (4) +0x00130|8f b1 04 00 |.... | chunk_sum: 0x4b18f 0x130-0x133.7 (4) +0x00130| 03 00 | .. | subsystem: "windows_cui" (3) (The Windows character subsystem) 0x134-0x135.7 (2) + | | | dll_characteristics{}: 0x136-0x137.7 (2) +0x00130| 00 | . | force_integrity: false 0x136-0x136 (0.1) +0x00130| 00 | . | dynamic_base: false 0x136.1-0x136.1 (0.1) +0x00130| 00 | . | high_entropy_va: false 0x136.2-0x136.2 (0.1) +0x00130| 00 | . | reserved0: false 0x136.3-0x136.3 (0.1) +0x00130| 00 | . | reserved1: false 0x136.4-0x136.4 (0.1) +0x00130| 00 | . | reserved2: false 0x136.5-0x136.5 (0.1) +0x00130| 00 | . | reserved3: false 0x136.6-0x136.6 (0.1) +0x00130| 00 | . | reserved4: false 0x136.7-0x136.7 (0.1) +0x00130| 81 | . | terminal_server_aware: true 0x137-0x137 (0.1) +0x00130| 81 | . | guard_cf: false 0x137.1-0x137.1 (0.1) +0x00130| 81 | . | wdm_driver: false 0x137.2-0x137.2 (0.1) +0x00130| 81 | . | appcontainer: false 0x137.3-0x137.3 (0.1) +0x00130| 81 | . | no_bind: false 0x137.4-0x137.4 (0.1) +0x00130| 81 | . | no_seh: false 0x137.5-0x137.5 (0.1) +0x00130| 81 | . | no_isolation: false 0x137.6-0x137.6 (0.1) +0x00130| 81 | . | nx_compat: true 0x137.7-0x137.7 (0.1) +0x00130| 00 00 10 00 | .... | size_of_track_reserve: 1048576 0x138-0x13b.7 (4) +0x00130| 00 d0 0f 00| ....| size_of_stack_commit: 1036288 0x13c-0x13f.7 (4) +0x00140|00 00 10 00 |.... | size_of_heap_reserve: 1048576 0x140-0x143.7 (4) +0x00140| 00 10 00 00 | .... | size_of_heap_commit: 4096 0x144-0x147.7 (4) +0x00140| 00 00 00 00 | .... | loader_flags: 0 0x148-0x14b.7 (4) +0x00140| 10 00 00 00| ....| number_of_rva_and_sizes: 16 0x14c-0x14f.7 (4) +0x00150|00 00 00 00 |.... | export_table_address: 0x0 0x150-0x153.7 (4) +0x00150| 00 00 00 00 | .... | export_table_size: 0 0x154-0x157.7 (4) +0x00150| e0 25 02 00 | .%.. 
| import_table_address: 0x225e0 0x158-0x15b.7 (4) +0x00150| 64 00 00 00| d...| import_table_size: 100 0x15c-0x15f.7 (4) +0x00160|00 10 04 00 |.... | resource_table_address: 0x41000 0x160-0x163.7 (4) +0x00160| 48 84 00 00 | H... | resource_table_size: 33864 0x164-0x167.7 (4) +0x00160| 00 00 00 00 | .... | exception_table_address: 0x0 0x168-0x16b.7 (4) +0x00160| 00 00 00 00| ....| exception_table_size: 0 0x16c-0x16f.7 (4) +0x00170|00 00 00 00 |.... | certificate_table_address: 0x0 0x170-0x173.7 (4) +0x00170| 00 00 00 00 | .... | certificate_table_size: 0 0x174-0x177.7 (4) +0x00170| 00 a0 04 00 | .... | base_relocation_table_address: 0x4a000 0x178-0x17b.7 (4) +0x00170| 1c 1b 00 00| ....| base_relocation_table_size: 6940 0x17c-0x17f.7 (4) +0x00180|68 39 02 00 |h9.. | debug_address: 0x23968 0x180-0x183.7 (4) +0x00180| 38 00 00 00 | 8... | debug_size: 56 0x184-0x187.7 (4) +0x00180| 00 00 00 00 00 00 00 00| ........| architecture: 0 0x188-0x18f.7 (8) +0x00190|00 00 00 00 00 00 00 00 |........ | global_ptr: 0x0 0x190-0x197.7 (8) +0x00190| 00 00 00 00 | .... | tls_table_address: 0x0 0x198-0x19b.7 (4) +0x00190| 00 00 00 00| ....| tls_table_size: 0 0x19c-0x19f.7 (4) +0x001a0|90 bb 01 00 |.... | load_config_table_address: 0x1bb90 0x1a0-0x1a3.7 (4) +0x001a0| 40 00 00 00 | @... | load_config_table_size: 64 0x1a4-0x1a7.7 (4) +0x001a0| 70 02 00 00 | p... | bound_import_address: 0x270 0x1a8-0x1ab.7 (4) +0x001a0| 94 00 00 00| ....| bound_import_size: 148 0x1ac-0x1af.7 (4) +0x001b0|00 10 00 00 |.... | iat_address: 0x1000 0x1b0-0x1b3.7 (4) +0x001b0| 98 03 00 00 | .... | iat_size: 920 0x1b4-0x1b7.7 (4) +0x001b0| fc 22 02 00 | .".. | delay_import_descriptor_address: 0x222fc 0x1b8-0x1bb.7 (4) +0x001b0| a0 00 00 00| ....| delay_import_descriptor_size: 160 0x1bc-0x1bf.7 (4) +0x001c0|00 00 00 00 |.... | clr_runtime_header_address: 0x0 0x1c0-0x1c3.7 (4) +0x001c0| 00 00 00 00 | .... 
| clr_runtime_header_size: 0 0x1c4-0x1c7.7 (4) +0x001c0| 00 00 00 00 00 00 00 00| ........| reserved: 0 0x1c8-0x1cf.7 (8) + | | | unknown: raw bits 0x1d0-NA (0) + | | | sections[0:4]: 0x1d0-0x499ff.7 (301104) + | | | [0]{}: section 0x1d0-0x22dff.7 (142384) +0x001d0|2e 74 65 78 74 00 00 00 |.text... | name: ".text" 0x1d0-0x1d7.7 (8) +0x001d0| c4 29 02 00 | .).. | virtual_size: 141764 0x1d8-0x1db.7 (4) +0x001d0| 00 10 00 00| ....| virtual_address: 0x1000 0x1dc-0x1df.7 (4) +0x001e0|00 2a 02 00 |.*.. | size_of_raw_data: 141824 0x1e0-0x1e3.7 (4) +0x001e0| 00 04 00 00 | .... | pointer_to_raw_data: 0x400 0x1e4-0x1e7.7 (4) +0x001e0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1e8-0x1eb.7 (4) +0x001e0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1ec-0x1ef.7 (4) +0x001f0|00 00 |.. | number_of_relocations: 0 0x1f0-0x1f1.7 (2) +0x001f0| 00 00 | .. | number_of_line_numbers: 0 0x1f2-0x1f3.7 (2) + | | | characteristics{}: 0x1f4-0x1f7.7 (4) +0x001f0| 20 | | cnt_uninitialized_data: false 0x1f4-0x1f4 (0.1) +0x001f0| 20 | | cnt_initialized_data: false 0x1f4.1-0x1f4.1 (0.1) +0x001f0| 20 | | cnt_code: true 0x1f4.2-0x1f4.2 (0.1) +0x001f0| 20 | | reserved: false 0x1f4.3-0x1f4.3 (0.1) +0x001f0| 20 | | type_no_pad: false 0x1f4.4-0x1f4.4 (0.1) +0x001f0| 20 | | reserved0: false 0x1f4.5-0x1f4.5 (0.1) +0x001f0| 20 | | reserved1: false 0x1f4.6-0x1f4.6 (0.1) +0x001f0| 20 | | reserved2: false 0x1f4.7-0x1f4.7 (0.1) +0x001f0| 00 | . | gprel: false 0x1f5-0x1f5 (0.1) +0x001f0| 00 | . | unknown0: false 0x1f5.1-0x1f5.1 (0.1) +0x001f0| 00 | . | unknown1: false 0x1f5.2-0x1f5.2 (0.1) +0x001f0| 00 | . | lnk_comdat: false 0x1f5.3-0x1f5.3 (0.1) +0x001f0| 00 | . | lnk_remove: false 0x1f5.4-0x1f5.4 (0.1) +0x001f0| 00 | . | reserved3: false 0x1f5.5-0x1f5.5 (0.1) +0x001f0| 00 | . | lnk_info: false 0x1f5.6-0x1f5.6 (0.1) +0x001f0| 00 | . | lnk_other: false 0x1f5.7-0x1f5.7 (0.1) +0x001f0| 00 | . | align_128bytes: false 0x1f6-0x1f6 (0.1) +0x001f0| 00 | . 
| align_8bytes: false 0x1f6.1-0x1f6.1 (0.1) +0x001f0| 00 | . | align_2bytes: false 0x1f6.2-0x1f6.2 (0.1) +0x001f0| 00 | . | align_1bytes: false 0x1f6.3-0x1f6.3 (0.1) +0x001f0| 00 | . | mem_preload: false 0x1f6.4-0x1f6.4 (0.1) +0x001f0| 00 | . | mem_locked: false 0x1f6.5-0x1f6.5 (0.1) +0x001f0| 00 | . | mem_16bit: false 0x1f6.6-0x1f6.6 (0.1) +0x001f0| 00 | . | mem_purgeable: false 0x1f6.7-0x1f6.7 (0.1) +0x001f0| 60 | ` | mem_write: false 0x1f7-0x1f7 (0.1) +0x001f0| 60 | ` | mem_read: true 0x1f7.1-0x1f7.1 (0.1) +0x001f0| 60 | ` | mem_execute: true 0x1f7.2-0x1f7.2 (0.1) +0x001f0| 60 | ` | mem_shared: false 0x1f7.3-0x1f7.3 (0.1) +0x001f0| 60 | ` | mem_not_paged: false 0x1f7.4-0x1f7.4 (0.1) +0x001f0| 60 | ` | mem_not_cached: false 0x1f7.5-0x1f7.5 (0.1) +0x001f0| 60 | ` | mem_discardable: false 0x1f7.6-0x1f7.6 (0.1) +0x001f0| 60 | ` | lnk_nreloc_ovfl: false 0x1f7.7-0x1f7.7 (0.1) +0x00400|aa 36 f6 6f 19 f7 fa 6f 2c c0 f5 6f 45 ff f5 6f|.6.o...o,..oE..o| data: raw bits 0x400-0x22dff.7 (141824) +* |until 0x22dff.7 (141824) | | + | | | [1]{}: section 0x1f8-0x3f7ff.7 (259592) +0x001f0| 2e 64 61 74 61 00 00 00| .data...| name: ".data" 0x1f8-0x1ff.7 (8) +0x00200|28 c9 01 00 |(... | virtual_size: 117032 0x200-0x203.7 (4) +0x00200| 00 40 02 00 | .@.. | virtual_address: 0x24000 0x204-0x207.7 (4) +0x00200| 00 ca 01 00 | .... | size_of_raw_data: 117248 0x208-0x20b.7 (4) +0x00200| 00 2e 02 00| ....| pointer_to_raw_data: 0x22e00 0x20c-0x20f.7 (4) +0x00210|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x210-0x213.7 (4) +0x00210| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x214-0x217.7 (4) +0x00210| 00 00 | .. | number_of_relocations: 0 0x218-0x219.7 (2) +0x00210| 00 00 | .. 
| number_of_line_numbers: 0 0x21a-0x21b.7 (2) + | | | characteristics{}: 0x21c-0x21f.7 (4) +0x00210| 40 | @ | cnt_uninitialized_data: false 0x21c-0x21c (0.1) +0x00210| 40 | @ | cnt_initialized_data: true 0x21c.1-0x21c.1 (0.1) +0x00210| 40 | @ | cnt_code: false 0x21c.2-0x21c.2 (0.1) +0x00210| 40 | @ | reserved: false 0x21c.3-0x21c.3 (0.1) +0x00210| 40 | @ | type_no_pad: false 0x21c.4-0x21c.4 (0.1) +0x00210| 40 | @ | reserved0: false 0x21c.5-0x21c.5 (0.1) +0x00210| 40 | @ | reserved1: false 0x21c.6-0x21c.6 (0.1) +0x00210| 40 | @ | reserved2: false 0x21c.7-0x21c.7 (0.1) +0x00210| 00 | . | gprel: false 0x21d-0x21d (0.1) +0x00210| 00 | . | unknown0: false 0x21d.1-0x21d.1 (0.1) +0x00210| 00 | . | unknown1: false 0x21d.2-0x21d.2 (0.1) +0x00210| 00 | . | lnk_comdat: false 0x21d.3-0x21d.3 (0.1) +0x00210| 00 | . | lnk_remove: false 0x21d.4-0x21d.4 (0.1) +0x00210| 00 | . | reserved3: false 0x21d.5-0x21d.5 (0.1) +0x00210| 00 | . | lnk_info: false 0x21d.6-0x21d.6 (0.1) +0x00210| 00 | . | lnk_other: false 0x21d.7-0x21d.7 (0.1) +0x00210| 00 | . | align_128bytes: false 0x21e-0x21e (0.1) +0x00210| 00 | . | align_8bytes: false 0x21e.1-0x21e.1 (0.1) +0x00210| 00 | . | align_2bytes: false 0x21e.2-0x21e.2 (0.1) +0x00210| 00 | . | align_1bytes: false 0x21e.3-0x21e.3 (0.1) +0x00210| 00 | . | mem_preload: false 0x21e.4-0x21e.4 (0.1) +0x00210| 00 | . | mem_locked: false 0x21e.5-0x21e.5 (0.1) +0x00210| 00 | . | mem_16bit: false 0x21e.6-0x21e.6 (0.1) +0x00210| 00 | . 
| mem_purgeable: false 0x21e.7-0x21e.7 (0.1) +0x00210| c0| .| mem_write: true 0x21f-0x21f (0.1) +0x00210| c0| .| mem_read: true 0x21f.1-0x21f.1 (0.1) +0x00210| c0| .| mem_execute: false 0x21f.2-0x21f.2 (0.1) +0x00210| c0| .| mem_shared: false 0x21f.3-0x21f.3 (0.1) +0x00210| c0| .| mem_not_paged: false 0x21f.4-0x21f.4 (0.1) +0x00210| c0| .| mem_not_cached: false 0x21f.5-0x21f.5 (0.1) +0x00210| c0| .| mem_discardable: false 0x21f.6-0x21f.6 (0.1) +0x00210| c0| .| lnk_nreloc_ovfl: false 0x21f.7-0x21f.7 (0.1) +0x22e00|2c 22 d2 4a 36 22 d2 4a 40 22 d2 4a d3 8a d0 4a|,".J6".J@".J...J| data: raw bits 0x22e00-0x3f7ff.7 (117248) +* |until 0x3f7ff.7 (117248) | | + | | | [2]{}: section 0x220-0x47dff.7 (293856) +0x00220|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x220-0x227.7 (8) +0x00220| 48 84 00 00 | H... | virtual_size: 33864 0x228-0x22b.7 (4) +0x00220| 00 10 04 00| ....| virtual_address: 0x41000 0x22c-0x22f.7 (4) +0x00230|00 86 00 00 |.... | size_of_raw_data: 34304 0x230-0x233.7 (4) +0x00230| 00 f8 03 00 | .... | pointer_to_raw_data: 0x3f800 0x234-0x237.7 (4) +0x00230| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x238-0x23b.7 (4) +0x00230| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x23c-0x23f.7 (4) +0x00240|00 00 |.. | number_of_relocations: 0 0x240-0x241.7 (2) +0x00240| 00 00 | .. | number_of_line_numbers: 0 0x242-0x243.7 (2) + | | | characteristics{}: 0x244-0x247.7 (4) +0x00240| 40 | @ | cnt_uninitialized_data: false 0x244-0x244 (0.1) +0x00240| 40 | @ | cnt_initialized_data: true 0x244.1-0x244.1 (0.1) +0x00240| 40 | @ | cnt_code: false 0x244.2-0x244.2 (0.1) +0x00240| 40 | @ | reserved: false 0x244.3-0x244.3 (0.1) +0x00240| 40 | @ | type_no_pad: false 0x244.4-0x244.4 (0.1) +0x00240| 40 | @ | reserved0: false 0x244.5-0x244.5 (0.1) +0x00240| 40 | @ | reserved1: false 0x244.6-0x244.6 (0.1) +0x00240| 40 | @ | reserved2: false 0x244.7-0x244.7 (0.1) +0x00240| 00 | . | gprel: false 0x245-0x245 (0.1) +0x00240| 00 | . 
| unknown0: false 0x245.1-0x245.1 (0.1) +0x00240| 00 | . | unknown1: false 0x245.2-0x245.2 (0.1) +0x00240| 00 | . | lnk_comdat: false 0x245.3-0x245.3 (0.1) +0x00240| 00 | . | lnk_remove: false 0x245.4-0x245.4 (0.1) +0x00240| 00 | . | reserved3: false 0x245.5-0x245.5 (0.1) +0x00240| 00 | . | lnk_info: false 0x245.6-0x245.6 (0.1) +0x00240| 00 | . | lnk_other: false 0x245.7-0x245.7 (0.1) +0x00240| 00 | . | align_128bytes: false 0x246-0x246 (0.1) +0x00240| 00 | . | align_8bytes: false 0x246.1-0x246.1 (0.1) +0x00240| 00 | . | align_2bytes: false 0x246.2-0x246.2 (0.1) +0x00240| 00 | . | align_1bytes: false 0x246.3-0x246.3 (0.1) +0x00240| 00 | . | mem_preload: false 0x246.4-0x246.4 (0.1) +0x00240| 00 | . | mem_locked: false 0x246.5-0x246.5 (0.1) +0x00240| 00 | . | mem_16bit: false 0x246.6-0x246.6 (0.1) +0x00240| 00 | . | mem_purgeable: false 0x246.7-0x246.7 (0.1) +0x00240| 40 | @ | mem_write: false 0x247-0x247 (0.1) +0x00240| 40 | @ | mem_read: true 0x247.1-0x247.1 (0.1) +0x00240| 40 | @ | mem_execute: false 0x247.2-0x247.2 (0.1) +0x00240| 40 | @ | mem_shared: false 0x247.3-0x247.3 (0.1) +0x00240| 40 | @ | mem_not_paged: false 0x247.4-0x247.4 (0.1) +0x00240| 40 | @ | mem_not_cached: false 0x247.5-0x247.5 (0.1) +0x00240| 40 | @ | mem_discardable: false 0x247.6-0x247.6 (0.1) +0x00240| 40 | @ | lnk_nreloc_ovfl: false 0x247.7-0x247.7 (0.1) +0x3f800|00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 00|................| data: raw bits 0x3f800-0x47dff.7 (34304) +* |until 0x47dff.7 (34304) | | + | | | [3]{}: section 0x248-0x499ff.7 (300984) +0x00240| 2e 72 65 6c 6f 63 00 00| .reloc..| name: ".reloc" 0x248-0x24f.7 (8) +0x00250|1c 1b 00 00 |.... | virtual_size: 6940 0x250-0x253.7 (4) +0x00250| 00 a0 04 00 | .... | virtual_address: 0x4a000 0x254-0x257.7 (4) +0x00250| 00 1c 00 00 | .... | size_of_raw_data: 7168 0x258-0x25b.7 (4) +0x00250| 00 7e 04 00| .~..| pointer_to_raw_data: 0x47e00 0x25c-0x25f.7 (4) +0x00260|00 00 00 00 |.... 
| pointer_to_relocations: 0x0 0x260-0x263.7 (4) +0x00260| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x264-0x267.7 (4) +0x00260| 00 00 | .. | number_of_relocations: 0 0x268-0x269.7 (2) +0x00260| 00 00 | .. | number_of_line_numbers: 0 0x26a-0x26b.7 (2) + | | | characteristics{}: 0x26c-0x26f.7 (4) +0x00260| 40 | @ | cnt_uninitialized_data: false 0x26c-0x26c (0.1) +0x00260| 40 | @ | cnt_initialized_data: true 0x26c.1-0x26c.1 (0.1) +0x00260| 40 | @ | cnt_code: false 0x26c.2-0x26c.2 (0.1) +0x00260| 40 | @ | reserved: false 0x26c.3-0x26c.3 (0.1) +0x00260| 40 | @ | type_no_pad: false 0x26c.4-0x26c.4 (0.1) +0x00260| 40 | @ | reserved0: false 0x26c.5-0x26c.5 (0.1) +0x00260| 40 | @ | reserved1: false 0x26c.6-0x26c.6 (0.1) +0x00260| 40 | @ | reserved2: false 0x26c.7-0x26c.7 (0.1) +0x00260| 00 | . | gprel: false 0x26d-0x26d (0.1) +0x00260| 00 | . | unknown0: false 0x26d.1-0x26d.1 (0.1) +0x00260| 00 | . | unknown1: false 0x26d.2-0x26d.2 (0.1) +0x00260| 00 | . | lnk_comdat: false 0x26d.3-0x26d.3 (0.1) +0x00260| 00 | . | lnk_remove: false 0x26d.4-0x26d.4 (0.1) +0x00260| 00 | . | reserved3: false 0x26d.5-0x26d.5 (0.1) +0x00260| 00 | . | lnk_info: false 0x26d.6-0x26d.6 (0.1) +0x00260| 00 | . | lnk_other: false 0x26d.7-0x26d.7 (0.1) +0x00260| 00 | . | align_128bytes: false 0x26e-0x26e (0.1) +0x00260| 00 | . | align_8bytes: false 0x26e.1-0x26e.1 (0.1) +0x00260| 00 | . | align_2bytes: false 0x26e.2-0x26e.2 (0.1) +0x00260| 00 | . | align_1bytes: false 0x26e.3-0x26e.3 (0.1) +0x00260| 00 | . | mem_preload: false 0x26e.4-0x26e.4 (0.1) +0x00260| 00 | . | mem_locked: false 0x26e.5-0x26e.5 (0.1) +0x00260| 00 | . | mem_16bit: false 0x26e.6-0x26e.6 (0.1) +0x00260| 00 | . 
| mem_purgeable: false 0x26e.7-0x26e.7 (0.1) +0x00260| 42| B| mem_write: false 0x26f-0x26f (0.1) +0x00260| 42| B| mem_read: true 0x26f.1-0x26f.1 (0.1) +0x00260| 42| B| mem_execute: false 0x26f.2-0x26f.2 (0.1) +0x00260| 42| B| mem_shared: false 0x26f.3-0x26f.3 (0.1) +0x00260| 42| B| mem_not_paged: false 0x26f.4-0x26f.4 (0.1) +0x00260| 42| B| mem_not_cached: false 0x26f.5-0x26f.5 (0.1) +0x00260| 42| B| mem_discardable: true 0x26f.6-0x26f.6 (0.1) +0x00260| 42| B| lnk_nreloc_ovfl: false 0x26f.7-0x26f.7 (0.1) +0x47e00|00 10 00 00 f8 00 00 00 9f 33 dd 33 e7 33 0e 34|.........3.3.3.4| data: raw bits 0x47e00-0x499ff.7 (7168) +* |until 0x499ff.7 (end) (7168) | | +0x00270|6f da 5b 4a 38 00 00 00 db da 5b 4a 43 00 00 00|o.[J8.....[JC...| gap0: raw bits 0x270-0x3ff.7 (400) +* |until 0x3ff.7 (400) | | diff --git a/format/pe/testdata/pe-cygwin-ls.exe b/format/pe/testdata/pe-cygwin-ls.exe new file mode 100755 index 0000000000..8eb665164a Binary files /dev/null and b/format/pe/testdata/pe-cygwin-ls.exe differ diff --git a/format/pe/testdata/pe-cygwin-ls.exe.fqtest b/format/pe/testdata/pe-cygwin-ls.exe.fqtest new file mode 100644 index 0000000000..7943670d0b --- /dev/null +++ b/format/pe/testdata/pe-cygwin-ls.exe.fqtest 
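Review bot: The file-header `characteristics{}` at 0xee-0xef is decoded with its two bytes swapped: the byte 0x02 at 0xee is reported as `debug_stripped: true` while `executable_image` stays false, but the field is a little-endian 16-bit value, so 0x02 in the first byte is the executable-image flag (0x0002) and debug-stripped (0x0200) belongs to the byte at 0xef. `dll_characteristics{}` and the per-section `characteristics{}` in this same dump do map the first on-disk byte to the low-order flags, so only this field is inconsistent. The pe-cygwin-ls.exe.fqtest hunk pins the same behaviour (bytes 2f 01 shown as `dll: true`, `executable_image: false` for an .exe), which would mislead anyone using the dump to triage a binary. The fix is presumably in the decoder in format/pe/coff.go, outside this hunk: exchange the two groups of eight flag names so this expectation reads `executable_image: true` and `debug_stripped: false`, then regenerate the golden files. Separately, `size_of_track_reserve` and `chunk_sum` look like misspellings of the stack-reserve and checksum fields.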
@@ -0,0 +1,542 @@ +$ fq dv pe-cygwin-ls.exe + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-cygwin-ls.exe (pe) 0x0-0x2101c.7 (135197) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0x7f.7 (128) +0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x1.7 (2) +0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x3.7 (2) +0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x5.7 (2) +0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x7.7 (2) +0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0x9.7 (2) +0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xb.7 (2) +0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xd.7 (2) +0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0xf.7 (2) +0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x11.7 (2) +0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x13.7 (2) +0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x15.7 (2) +0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x17.7 (2) +0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x19.7 (2) +0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1b.7 (2) +0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x23.7 (8) +0x00020|00 00 00 00 |.... | +0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x25.7 (2) +0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x27.7 (2) +0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3b.7 (20) +0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ 
| +0x00030| 80 00 00 00| ....| e_lfanew: 128 (File address of new exe header) 0x3c-0x3f.7 (4) +0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x7f.7 (64) +* |until 0x7f.7 (64) | | + | | | padding: raw bits 0x80-NA (0) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0x80-0x2101c.7 (135069) +0x00080|50 45 00 00 |PE.. | signature: raw bits (valid) 0x80-0x83.7 (4) +0x00080| 4c 01 | L. | machine: "i386" (0x14c) (Intel 386 or later processors and compatible processors) 0x84-0x85.7 (2) +0x00080| 09 00 | .. | number_of_sections: 9 0x86-0x87.7 (2) +0x00080| 00 00 11 00 | .... | time_date_stamp: 1114112 (1970-01-13T21:28:32Z) 0x88-0x8b.7 (4) +0x00080| 00 10 02 00| ....| pointer_to_symbol_table: 0x21000 0x8c-0x8f.7 (4) +0x00090|00 00 00 00 |.... | number_of_symbols: 0 0x90-0x93.7 (4) +0x00090| e0 00 | .. | size_of_optional_header: 224 0x94-0x95.7 (2) + | | | characteristics{}: 0x96-0x97.7 (2) +0x00090| 2f | / | bytes_reversed_hi: false 0x96-0x96 (0.1) +0x00090| 2f | / | up_system_only: false 0x96.1-0x96.1 (0.1) +0x00090| 2f | / | dll: true 0x96.2-0x96.2 (0.1) +0x00090| 2f | / | system: false 0x96.3-0x96.3 (0.1) +0x00090| 2f | / | net_run_from_swap: true 0x96.4-0x96.4 (0.1) +0x00090| 2f | / | removable_run_from_swap: true 0x96.5-0x96.5 (0.1) +0x00090| 2f | / | debug_stripped: true 0x96.6-0x96.6 (0.1) +0x00090| 2f | / | 32bit_machine: true 0x96.7-0x96.7 (0.1) +0x00090| 01 | . | bytes_reversed_lo: false 0x97-0x97 (0.1) +0x00090| 01 | . | reserved: false 0x97.1-0x97.1 (0.1) +0x00090| 01 | . | large_address_aware: false 0x97.2-0x97.2 (0.1) +0x00090| 01 | . | aggressive_ws_trim: false 0x97.3-0x97.3 (0.1) +0x00090| 01 | . | local_syms_stripped: false 0x97.4-0x97.4 (0.1) +0x00090| 01 | . | line_nums_stripped: false 0x97.5-0x97.5 (0.1) +0x00090| 01 | . | executable_image: false 0x97.6-0x97.6 (0.1) +0x00090| 01 | . 
| relocs_stripped: true 0x97.7-0x97.7 (0.1) + | | | optional_header{}: 0x98-0x177.7 (224) +0x00090| 0b 01 | .. | format: "pe32" (0x10b) 0x98-0x99.7 (2) +0x00090| 02 | . | major_linker_version: 2 0x9a-0x9a.7 (1) +0x00090| 19 | . | minor_linker_version: 25 0x9b-0x9b.7 (1) +0x00090| 00 4e 01 00| .N..| size_of_code: 85504 0x9c-0x9f.7 (4) +0x000a0|00 0a 02 00 |.... | size_of_initialized_data: 133632 0xa0-0xa3.7 (4) +0x000a0| 00 16 00 00 | .... | size_of_uninitialized_data: 5632 0xa4-0xa7.7 (4) +0x000a0| 00 10 00 00 | .... | address_of_entry_point: 0x1000 0xa8-0xab.7 (4) +0x000a0| 00 10 00 00| ....| base_of_code: 0x1000 0xac-0xaf.7 (4) +0x000b0|00 60 01 00 |.`.. | base_of_data: 0x16000 0xb0-0xb3.7 (4) +0x000b0| 00 00 40 00 | ..@. | image_base: 0x400000 0xb4-0xb7.7 (4) +0x000b0| 00 10 00 00 | .... | section_alignment: 4096 0xb8-0xbb.7 (4) +0x000b0| 00 02 00 00| ....| file_alignment: 512 0xbc-0xbf.7 (4) +0x000c0|04 00 |.. | major_os_version: 4 0xc0-0xc1.7 (2) +0x000c0| 00 00 | .. | minor_os_version: 0 0xc2-0xc3.7 (2) +0x000c0| 01 00 | .. | major_image_version: 1 0xc4-0xc5.7 (2) +0x000c0| 00 00 | .. | minor_image_version: 0 0xc6-0xc7.7 (2) +0x000c0| 04 00 | .. | major_subsystem_version: 4 0xc8-0xc9.7 (2) +0x000c0| 00 00 | .. | minor_subsystem_version: 0 0xca-0xcb.7 (2) +0x000c0| 00 00 00 00| ....| win32_version: 0 0xcc-0xcf.7 (4) +0x000d0|00 80 02 00 |.... | size_of_image: 163840 0xd0-0xd3.7 (4) +0x000d0| 00 04 00 00 | .... | size_of_headers: 1024 0xd4-0xd7.7 (4) +0x000d0| 4c 89 02 00 | L... | chunk_sum: 0x2894c 0xd8-0xdb.7 (4) +0x000d0| 03 00 | .. | subsystem: "windows_cui" (3) (The Windows character subsystem) 0xdc-0xdd.7 (2) + | | | dll_characteristics{}: 0xde-0xdf.7 (2) +0x000d0| 00 | . | force_integrity: false 0xde-0xde (0.1) +0x000d0| 00 | . | dynamic_base: false 0xde.1-0xde.1 (0.1) +0x000d0| 00 | . | high_entropy_va: false 0xde.2-0xde.2 (0.1) +0x000d0| 00 | . | reserved0: false 0xde.3-0xde.3 (0.1) +0x000d0| 00 | . 
| reserved1: false 0xde.4-0xde.4 (0.1) +0x000d0| 00 | . | reserved2: false 0xde.5-0xde.5 (0.1) +0x000d0| 00 | . | reserved3: false 0xde.6-0xde.6 (0.1) +0x000d0| 00 | . | reserved4: false 0xde.7-0xde.7 (0.1) +0x000d0| 80| .| terminal_server_aware: true 0xdf-0xdf (0.1) +0x000d0| 80| .| guard_cf: false 0xdf.1-0xdf.1 (0.1) +0x000d0| 80| .| wdm_driver: false 0xdf.2-0xdf.2 (0.1) +0x000d0| 80| .| appcontainer: false 0xdf.3-0xdf.3 (0.1) +0x000d0| 80| .| no_bind: false 0xdf.4-0xdf.4 (0.1) +0x000d0| 80| .| no_seh: false 0xdf.5-0xdf.5 (0.1) +0x000d0| 80| .| no_isolation: false 0xdf.6-0xdf.6 (0.1) +0x000d0| 80| .| nx_compat: false 0xdf.7-0xdf.7 (0.1) +0x000e0|00 00 20 00 |.. . | size_of_track_reserve: 2097152 0xe0-0xe3.7 (4) +0x000e0| 00 10 00 00 | .... | size_of_stack_commit: 4096 0xe4-0xe7.7 (4) +0x000e0| 00 00 10 00 | .... | size_of_heap_reserve: 1048576 0xe8-0xeb.7 (4) +0x000e0| 00 10 00 00| ....| size_of_heap_commit: 4096 0xec-0xef.7 (4) +0x000f0|00 00 00 00 |.... | loader_flags: 0 0xf0-0xf3.7 (4) +0x000f0| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0xf4-0xf7.7 (4) +0x000f0| 00 00 00 00 | .... | export_table_address: 0x0 0xf8-0xfb.7 (4) +0x000f0| 00 00 00 00| ....| export_table_size: 0 0xfc-0xff.7 (4) +0x00100|00 50 02 00 |.P.. | import_table_address: 0x25000 0x100-0x103.7 (4) +0x00100| 30 0e 00 00 | 0... | import_table_size: 3632 0x104-0x107.7 (4) +0x00100| 00 60 02 00 | .`.. | resource_table_address: 0x26000 0x108-0x10b.7 (4) +0x00100| e8 04 00 00| ....| resource_table_size: 1256 0x10c-0x10f.7 (4) +0x00110|00 00 00 00 |.... | exception_table_address: 0x0 0x110-0x113.7 (4) +0x00110| 00 00 00 00 | .... | exception_table_size: 0 0x114-0x117.7 (4) +0x00110| 00 00 00 00 | .... | certificate_table_address: 0x0 0x118-0x11b.7 (4) +0x00110| 00 00 00 00| ....| certificate_table_size: 0 0x11c-0x11f.7 (4) +0x00120|00 00 00 00 |.... | base_relocation_table_address: 0x0 0x120-0x123.7 (4) +0x00120| 00 00 00 00 | .... 
| base_relocation_table_size: 0 0x124-0x127.7 (4) +0x00120| 00 e0 01 00 | .... | debug_address: 0x1e000 0x128-0x12b.7 (4) +0x00120| 1c 00 00 00| ....| debug_size: 28 0x12c-0x12f.7 (4) +0x00130|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x130-0x137.7 (8) +0x00130| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x138-0x13f.7 (8) +0x00140|00 00 00 00 |.... | tls_table_address: 0x0 0x140-0x143.7 (4) +0x00140| 00 00 00 00 | .... | tls_table_size: 0 0x144-0x147.7 (4) +0x00140| 00 00 00 00 | .... | load_config_table_address: 0x0 0x148-0x14b.7 (4) +0x00140| 00 00 00 00| ....| load_config_table_size: 0 0x14c-0x14f.7 (4) +0x00150|00 00 00 00 |.... | bound_import_address: 0x0 0x150-0x153.7 (4) +0x00150| 00 00 00 00 | .... | bound_import_size: 0 0x154-0x157.7 (4) +0x00150| 8c 52 02 00 | .R.. | iat_address: 0x2528c 0x158-0x15b.7 (4) +0x00150| 28 02 00 00| (...| iat_size: 552 0x15c-0x15f.7 (4) +0x00160|00 00 00 00 |.... | delay_import_descriptor_address: 0x0 0x160-0x163.7 (4) +0x00160| 00 00 00 00 | .... | delay_import_descriptor_size: 0 0x164-0x167.7 (4) +0x00160| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x168-0x16b.7 (4) +0x00160| 00 00 00 00| ....| clr_runtime_header_size: 0 0x16c-0x16f.7 (4) +0x00170|00 00 00 00 00 00 00 00 |........ | reserved: 0 0x170-0x177.7 (8) + | | | unknown: raw bits 0x178-NA (0) + | | | sections[0:9]: 0x178-0x20fff.7 (134792) + | | | [0]{}: section 0x178-0x151ff.7 (86152) +0x00170| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x178-0x17f.7 (8) +0x00180|04 4c 01 00 |.L.. | virtual_size: 84996 0x180-0x183.7 (4) +0x00180| 00 10 00 00 | .... | virtual_address: 0x1000 0x184-0x187.7 (4) +0x00180| 00 4e 01 00 | .N.. | size_of_raw_data: 85504 0x188-0x18b.7 (4) +0x00180| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x18c-0x18f.7 (4) +0x00190|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x190-0x193.7 (4) +0x00190| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x194-0x197.7 (4) +0x00190| 00 00 | .. 
| number_of_relocations: 0 0x198-0x199.7 (2) +0x00190| 00 00 | .. | number_of_line_numbers: 0 0x19a-0x19b.7 (2) + | | | characteristics{}: 0x19c-0x19f.7 (4) +0x00190| 60 | ` | cnt_uninitialized_data: false 0x19c-0x19c (0.1) +0x00190| 60 | ` | cnt_initialized_data: true 0x19c.1-0x19c.1 (0.1) +0x00190| 60 | ` | cnt_code: true 0x19c.2-0x19c.2 (0.1) +0x00190| 60 | ` | reserved: false 0x19c.3-0x19c.3 (0.1) +0x00190| 60 | ` | type_no_pad: false 0x19c.4-0x19c.4 (0.1) +0x00190| 60 | ` | reserved0: false 0x19c.5-0x19c.5 (0.1) +0x00190| 60 | ` | reserved1: false 0x19c.6-0x19c.6 (0.1) +0x00190| 60 | ` | reserved2: false 0x19c.7-0x19c.7 (0.1) +0x00190| 00 | . | gprel: false 0x19d-0x19d (0.1) +0x00190| 00 | . | unknown0: false 0x19d.1-0x19d.1 (0.1) +0x00190| 00 | . | unknown1: false 0x19d.2-0x19d.2 (0.1) +0x00190| 00 | . | lnk_comdat: false 0x19d.3-0x19d.3 (0.1) +0x00190| 00 | . | lnk_remove: false 0x19d.4-0x19d.4 (0.1) +0x00190| 00 | . | reserved3: false 0x19d.5-0x19d.5 (0.1) +0x00190| 00 | . | lnk_info: false 0x19d.6-0x19d.6 (0.1) +0x00190| 00 | . 
| lnk_other: false 0x19d.7-0x19d.7 (0.1) +0x00190| 50 | P | align_128bytes: false 0x19e-0x19e (0.1) +0x00190| 50 | P | align_8bytes: true 0x19e.1-0x19e.1 (0.1) +0x00190| 50 | P | align_2bytes: false 0x19e.2-0x19e.2 (0.1) +0x00190| 50 | P | align_1bytes: true 0x19e.3-0x19e.3 (0.1) +0x00190| 50 | P | mem_preload: false 0x19e.4-0x19e.4 (0.1) +0x00190| 50 | P | mem_locked: false 0x19e.5-0x19e.5 (0.1) +0x00190| 50 | P | mem_16bit: false 0x19e.6-0x19e.6 (0.1) +0x00190| 50 | P | mem_purgeable: false 0x19e.7-0x19e.7 (0.1) +0x00190| 60| `| mem_write: false 0x19f-0x19f (0.1) +0x00190| 60| `| mem_read: true 0x19f.1-0x19f.1 (0.1) +0x00190| 60| `| mem_execute: true 0x19f.2-0x19f.2 (0.1) +0x00190| 60| `| mem_shared: false 0x19f.3-0x19f.3 (0.1) +0x00190| 60| `| mem_not_paged: false 0x19f.4-0x19f.4 (0.1) +0x00190| 60| `| mem_not_cached: false 0x19f.5-0x19f.5 (0.1) +0x00190| 60| `| mem_discardable: false 0x19f.6-0x19f.6 (0.1) +0x00190| 60| `| lnk_nreloc_ovfl: false 0x19f.7-0x19f.7 (0.1) +0x00400|55 89 e5 83 ec 18 83 e4 f0 c7 04 24 b0 42 41 00|U..........$.BA.| data: raw bits 0x400-0x151ff.7 (85504) +* |until 0x151ff.7 (85504) | | + | | | [1]{}: section 0x1a0-0x153ff.7 (86624) +0x001a0|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x1a0-0x1a7.7 (8) +0x001a0| c4 01 00 00 | .... | virtual_size: 452 0x1a8-0x1ab.7 (4) +0x001a0| 00 60 01 00| .`..| virtual_address: 0x16000 0x1ac-0x1af.7 (4) +0x001b0|00 02 00 00 |.... | size_of_raw_data: 512 0x1b0-0x1b3.7 (4) +0x001b0| 00 52 01 00 | .R.. | pointer_to_raw_data: 0x15200 0x1b4-0x1b7.7 (4) +0x001b0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1b8-0x1bb.7 (4) +0x001b0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1bc-0x1bf.7 (4) +0x001c0|00 00 |.. | number_of_relocations: 0 0x1c0-0x1c1.7 (2) +0x001c0| 00 00 | .. 
| number_of_line_numbers: 0 0x1c2-0x1c3.7 (2) + | | | characteristics{}: 0x1c4-0x1c7.7 (4) +0x001c0| 40 | @ | cnt_uninitialized_data: false 0x1c4-0x1c4 (0.1) +0x001c0| 40 | @ | cnt_initialized_data: true 0x1c4.1-0x1c4.1 (0.1) +0x001c0| 40 | @ | cnt_code: false 0x1c4.2-0x1c4.2 (0.1) +0x001c0| 40 | @ | reserved: false 0x1c4.3-0x1c4.3 (0.1) +0x001c0| 40 | @ | type_no_pad: false 0x1c4.4-0x1c4.4 (0.1) +0x001c0| 40 | @ | reserved0: false 0x1c4.5-0x1c4.5 (0.1) +0x001c0| 40 | @ | reserved1: false 0x1c4.6-0x1c4.6 (0.1) +0x001c0| 40 | @ | reserved2: false 0x1c4.7-0x1c4.7 (0.1) +0x001c0| 00 | . | gprel: false 0x1c5-0x1c5 (0.1) +0x001c0| 00 | . | unknown0: false 0x1c5.1-0x1c5.1 (0.1) +0x001c0| 00 | . | unknown1: false 0x1c5.2-0x1c5.2 (0.1) +0x001c0| 00 | . | lnk_comdat: false 0x1c5.3-0x1c5.3 (0.1) +0x001c0| 00 | . | lnk_remove: false 0x1c5.4-0x1c5.4 (0.1) +0x001c0| 00 | . | reserved3: false 0x1c5.5-0x1c5.5 (0.1) +0x001c0| 00 | . | lnk_info: false 0x1c5.6-0x1c5.6 (0.1) +0x001c0| 00 | . | lnk_other: false 0x1c5.7-0x1c5.7 (0.1) +0x001c0| 60 | ` | align_128bytes: false 0x1c6-0x1c6 (0.1) +0x001c0| 60 | ` | align_8bytes: true 0x1c6.1-0x1c6.1 (0.1) +0x001c0| 60 | ` | align_2bytes: true 0x1c6.2-0x1c6.2 (0.1) +0x001c0| 60 | ` | align_1bytes: false 0x1c6.3-0x1c6.3 (0.1) +0x001c0| 60 | ` | mem_preload: false 0x1c6.4-0x1c6.4 (0.1) +0x001c0| 60 | ` | mem_locked: false 0x1c6.5-0x1c6.5 (0.1) +0x001c0| 60 | ` | mem_16bit: false 0x1c6.6-0x1c6.6 (0.1) +0x001c0| 60 | ` | mem_purgeable: false 0x1c6.7-0x1c6.7 (0.1) +0x001c0| c0 | . | mem_write: true 0x1c7-0x1c7 (0.1) +0x001c0| c0 | . | mem_read: true 0x1c7.1-0x1c7.1 (0.1) +0x001c0| c0 | . | mem_execute: false 0x1c7.2-0x1c7.2 (0.1) +0x001c0| c0 | . | mem_shared: false 0x1c7.3-0x1c7.3 (0.1) +0x001c0| c0 | . | mem_not_paged: false 0x1c7.4-0x1c7.4 (0.1) +0x001c0| c0 | . | mem_not_cached: false 0x1c7.5-0x1c7.5 (0.1) +0x001c0| c0 | . | mem_discardable: false 0x1c7.6-0x1c7.6 (0.1) +0x001c0| c0 | . 
| lnk_nreloc_ovfl: false 0x1c7.7-0x1c7.7 (0.1) +0x15200|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| data: raw bits 0x15200-0x153ff.7 (512) +* |until 0x153ff.7 (512) | | + | | | [2]{}: section 0x1c8-0x1b9ff.7 (112696) +0x001c0| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x1c8-0x1cf.7 (8) +0x001d0|70 65 00 00 |pe.. | virtual_size: 25968 0x1d0-0x1d3.7 (4) +0x001d0| 00 70 01 00 | .p.. | virtual_address: 0x17000 0x1d4-0x1d7.7 (4) +0x001d0| 00 66 00 00 | .f.. | size_of_raw_data: 26112 0x1d8-0x1db.7 (4) +0x001d0| 00 54 01 00| .T..| pointer_to_raw_data: 0x15400 0x1dc-0x1df.7 (4) +0x001e0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x1e0-0x1e3.7 (4) +0x001e0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x1e4-0x1e7.7 (4) +0x001e0| 00 00 | .. | number_of_relocations: 0 0x1e8-0x1e9.7 (2) +0x001e0| 00 00 | .. | number_of_line_numbers: 0 0x1ea-0x1eb.7 (2) + | | | characteristics{}: 0x1ec-0x1ef.7 (4) +0x001e0| 40 | @ | cnt_uninitialized_data: false 0x1ec-0x1ec (0.1) +0x001e0| 40 | @ | cnt_initialized_data: true 0x1ec.1-0x1ec.1 (0.1) +0x001e0| 40 | @ | cnt_code: false 0x1ec.2-0x1ec.2 (0.1) +0x001e0| 40 | @ | reserved: false 0x1ec.3-0x1ec.3 (0.1) +0x001e0| 40 | @ | type_no_pad: false 0x1ec.4-0x1ec.4 (0.1) +0x001e0| 40 | @ | reserved0: false 0x1ec.5-0x1ec.5 (0.1) +0x001e0| 40 | @ | reserved1: false 0x1ec.6-0x1ec.6 (0.1) +0x001e0| 40 | @ | reserved2: false 0x1ec.7-0x1ec.7 (0.1) +0x001e0| 00 | . | gprel: false 0x1ed-0x1ed (0.1) +0x001e0| 00 | . | unknown0: false 0x1ed.1-0x1ed.1 (0.1) +0x001e0| 00 | . | unknown1: false 0x1ed.2-0x1ed.2 (0.1) +0x001e0| 00 | . | lnk_comdat: false 0x1ed.3-0x1ed.3 (0.1) +0x001e0| 00 | . | lnk_remove: false 0x1ed.4-0x1ed.4 (0.1) +0x001e0| 00 | . | reserved3: false 0x1ed.5-0x1ed.5 (0.1) +0x001e0| 00 | . | lnk_info: false 0x1ed.6-0x1ed.6 (0.1) +0x001e0| 00 | . 
| lnk_other: false 0x1ed.7-0x1ed.7 (0.1) +0x001e0| 60 | ` | align_128bytes: false 0x1ee-0x1ee (0.1) +0x001e0| 60 | ` | align_8bytes: true 0x1ee.1-0x1ee.1 (0.1) +0x001e0| 60 | ` | align_2bytes: true 0x1ee.2-0x1ee.2 (0.1) +0x001e0| 60 | ` | align_1bytes: false 0x1ee.3-0x1ee.3 (0.1) +0x001e0| 60 | ` | mem_preload: false 0x1ee.4-0x1ee.4 (0.1) +0x001e0| 60 | ` | mem_locked: false 0x1ee.5-0x1ee.5 (0.1) +0x001e0| 60 | ` | mem_16bit: false 0x1ee.6-0x1ee.6 (0.1) +0x001e0| 60 | ` | mem_purgeable: false 0x1ee.7-0x1ee.7 (0.1) +0x001e0| 40| @| mem_write: false 0x1ef-0x1ef (0.1) +0x001e0| 40| @| mem_read: true 0x1ef.1-0x1ef.1 (0.1) +0x001e0| 40| @| mem_execute: false 0x1ef.2-0x1ef.2 (0.1) +0x001e0| 40| @| mem_shared: false 0x1ef.3-0x1ef.3 (0.1) +0x001e0| 40| @| mem_not_paged: false 0x1ef.4-0x1ef.4 (0.1) +0x001e0| 40| @| mem_not_cached: false 0x1ef.5-0x1ef.5 (0.1) +0x001e0| 40| @| mem_discardable: false 0x1ef.6-0x1ef.6 (0.1) +0x001e0| 40| @| lnk_nreloc_ovfl: false 0x1ef.7-0x1ef.7 (0.1) +0x15400|63 79 67 67 63 63 5f 73 2d 31 2e 64 6c 6c 00 5f|cyggcc_s-1.dll._| data: raw bits 0x15400-0x1b9ff.7 (26112) +* |until 0x1b9ff.7 (26112) | | + | | | [3]{}: section 0x1f0-0x1bbff.7 (113168) +0x001f0|2e 62 75 69 6c 64 69 64 |.buildid | name: ".buildid" 0x1f0-0x1f7.7 (8) +0x001f0| 35 00 00 00 | 5... | virtual_size: 53 0x1f8-0x1fb.7 (4) +0x001f0| 00 e0 01 00| ....| virtual_address: 0x1e000 0x1fc-0x1ff.7 (4) +0x00200|00 02 00 00 |.... | size_of_raw_data: 512 0x200-0x203.7 (4) +0x00200| 00 ba 01 00 | .... | pointer_to_raw_data: 0x1ba00 0x204-0x207.7 (4) +0x00200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20b.7 (4) +0x00200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x20f.7 (4) +0x00210|00 00 |.. | number_of_relocations: 0 0x210-0x211.7 (2) +0x00210| 00 00 | .. 
| number_of_line_numbers: 0 0x212-0x213.7 (2) + | | | characteristics{}: 0x214-0x217.7 (4) +0x00210| 40 | @ | cnt_uninitialized_data: false 0x214-0x214 (0.1) +0x00210| 40 | @ | cnt_initialized_data: true 0x214.1-0x214.1 (0.1) +0x00210| 40 | @ | cnt_code: false 0x214.2-0x214.2 (0.1) +0x00210| 40 | @ | reserved: false 0x214.3-0x214.3 (0.1) +0x00210| 40 | @ | type_no_pad: false 0x214.4-0x214.4 (0.1) +0x00210| 40 | @ | reserved0: false 0x214.5-0x214.5 (0.1) +0x00210| 40 | @ | reserved1: false 0x214.6-0x214.6 (0.1) +0x00210| 40 | @ | reserved2: false 0x214.7-0x214.7 (0.1) +0x00210| 00 | . | gprel: false 0x215-0x215 (0.1) +0x00210| 00 | . | unknown0: false 0x215.1-0x215.1 (0.1) +0x00210| 00 | . | unknown1: false 0x215.2-0x215.2 (0.1) +0x00210| 00 | . | lnk_comdat: false 0x215.3-0x215.3 (0.1) +0x00210| 00 | . | lnk_remove: false 0x215.4-0x215.4 (0.1) +0x00210| 00 | . | reserved3: false 0x215.5-0x215.5 (0.1) +0x00210| 00 | . | lnk_info: false 0x215.6-0x215.6 (0.1) +0x00210| 00 | . | lnk_other: false 0x215.7-0x215.7 (0.1) +0x00210| 30 | 0 | align_128bytes: false 0x216-0x216 (0.1) +0x00210| 30 | 0 | align_8bytes: false 0x216.1-0x216.1 (0.1) +0x00210| 30 | 0 | align_2bytes: true 0x216.2-0x216.2 (0.1) +0x00210| 30 | 0 | align_1bytes: true 0x216.3-0x216.3 (0.1) +0x00210| 30 | 0 | mem_preload: false 0x216.4-0x216.4 (0.1) +0x00210| 30 | 0 | mem_locked: false 0x216.5-0x216.5 (0.1) +0x00210| 30 | 0 | mem_16bit: false 0x216.6-0x216.6 (0.1) +0x00210| 30 | 0 | mem_purgeable: false 0x216.7-0x216.7 (0.1) +0x00210| 40 | @ | mem_write: false 0x217-0x217 (0.1) +0x00210| 40 | @ | mem_read: true 0x217.1-0x217.1 (0.1) +0x00210| 40 | @ | mem_execute: false 0x217.2-0x217.2 (0.1) +0x00210| 40 | @ | mem_shared: false 0x217.3-0x217.3 (0.1) +0x00210| 40 | @ | mem_not_paged: false 0x217.4-0x217.4 (0.1) +0x00210| 40 | @ | mem_not_cached: false 0x217.5-0x217.5 (0.1) +0x00210| 40 | @ | mem_discardable: false 0x217.6-0x217.6 (0.1) +0x00210| 40 | @ | lnk_nreloc_ovfl: false 0x217.7-0x217.7 (0.1) 
+0x1ba00|00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00|................| data: raw bits 0x1ba00-0x1bbff.7 (512) +* |until 0x1bbff.7 (512) | | + | | | [4]{}: section 0x218-0x1f7ff.7 (128488) +0x00210| 2f 34 00 00 00 00 00 00| /4......| name: ".eh_frame" ("/4") 0x218-0x21f.7 (8) +0x00220|0c 3a 00 00 |.:.. | virtual_size: 14860 0x220-0x223.7 (4) +0x00220| 00 f0 01 00 | .... | virtual_address: 0x1f000 0x224-0x227.7 (4) +0x00220| 00 3c 00 00 | .<.. | size_of_raw_data: 15360 0x228-0x22b.7 (4) +0x00220| 00 bc 01 00| ....| pointer_to_raw_data: 0x1bc00 0x22c-0x22f.7 (4) +0x00230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x233.7 (4) +0x00230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x237.7 (4) +0x00230| 00 00 | .. | number_of_relocations: 0 0x238-0x239.7 (2) +0x00230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23b.7 (2) + | | | characteristics{}: 0x23c-0x23f.7 (4) +0x00230| 40 | @ | cnt_uninitialized_data: false 0x23c-0x23c (0.1) +0x00230| 40 | @ | cnt_initialized_data: true 0x23c.1-0x23c.1 (0.1) +0x00230| 40 | @ | cnt_code: false 0x23c.2-0x23c.2 (0.1) +0x00230| 40 | @ | reserved: false 0x23c.3-0x23c.3 (0.1) +0x00230| 40 | @ | type_no_pad: false 0x23c.4-0x23c.4 (0.1) +0x00230| 40 | @ | reserved0: false 0x23c.5-0x23c.5 (0.1) +0x00230| 40 | @ | reserved1: false 0x23c.6-0x23c.6 (0.1) +0x00230| 40 | @ | reserved2: false 0x23c.7-0x23c.7 (0.1) +0x00230| 00 | . | gprel: false 0x23d-0x23d (0.1) +0x00230| 00 | . | unknown0: false 0x23d.1-0x23d.1 (0.1) +0x00230| 00 | . | unknown1: false 0x23d.2-0x23d.2 (0.1) +0x00230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.3 (0.1) +0x00230| 00 | . | lnk_remove: false 0x23d.4-0x23d.4 (0.1) +0x00230| 00 | . | reserved3: false 0x23d.5-0x23d.5 (0.1) +0x00230| 00 | . | lnk_info: false 0x23d.6-0x23d.6 (0.1) +0x00230| 00 | . 
| lnk_other: false 0x23d.7-0x23d.7 (0.1) +0x00230| 30 | 0 | align_128bytes: false 0x23e-0x23e (0.1) +0x00230| 30 | 0 | align_8bytes: false 0x23e.1-0x23e.1 (0.1) +0x00230| 30 | 0 | align_2bytes: true 0x23e.2-0x23e.2 (0.1) +0x00230| 30 | 0 | align_1bytes: true 0x23e.3-0x23e.3 (0.1) +0x00230| 30 | 0 | mem_preload: false 0x23e.4-0x23e.4 (0.1) +0x00230| 30 | 0 | mem_locked: false 0x23e.5-0x23e.5 (0.1) +0x00230| 30 | 0 | mem_16bit: false 0x23e.6-0x23e.6 (0.1) +0x00230| 30 | 0 | mem_purgeable: false 0x23e.7-0x23e.7 (0.1) +0x00230| 40| @| mem_write: false 0x23f-0x23f (0.1) +0x00230| 40| @| mem_read: true 0x23f.1-0x23f.1 (0.1) +0x00230| 40| @| mem_execute: false 0x23f.2-0x23f.2 (0.1) +0x00230| 40| @| mem_shared: false 0x23f.3-0x23f.3 (0.1) +0x00230| 40| @| mem_not_paged: false 0x23f.4-0x23f.4 (0.1) +0x00230| 40| @| mem_not_cached: false 0x23f.5-0x23f.5 (0.1) +0x00230| 40| @| mem_discardable: false 0x23f.6-0x23f.6 (0.1) +0x00230| 40| @| lnk_nreloc_ovfl: false 0x23f.7-0x23f.7 (0.1) +0x1bc00|14 00 00 00 00 00 00 00 01 7a 52 00 01 7c 08 01|.........zR..|..| data: raw bits 0x1bc00-0x1f7ff.7 (15360) +* |until 0x1f7ff.7 (15360) | | + | | | [5]{}: section 0x240-0x267.7 (40) +0x00240|2e 62 73 73 00 00 00 00 |.bss.... | name: ".bss" 0x240-0x247.7 (8) +0x00240| 74 15 00 00 | t... | virtual_size: 5492 0x248-0x24b.7 (4) +0x00240| 00 30 02 00| .0..| virtual_address: 0x23000 0x24c-0x24f.7 (4) +0x00250|00 00 00 00 |.... | size_of_raw_data: 0 0x250-0x253.7 (4) +0x00250| 00 00 00 00 | .... | pointer_to_raw_data: 0x0 0x254-0x257.7 (4) +0x00250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25b.7 (4) +0x00250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x25f.7 (4) +0x00260|00 00 |.. | number_of_relocations: 0 0x260-0x261.7 (2) +0x00260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x263.7 (2) + | | | characteristics{}: 0x264-0x267.7 (4) +0x00260| 80 | . | cnt_uninitialized_data: true 0x264-0x264 (0.1) +0x00260| 80 | . 
| cnt_initialized_data: false 0x264.1-0x264.1 (0.1) +0x00260| 80 | . | cnt_code: false 0x264.2-0x264.2 (0.1) +0x00260| 80 | . | reserved: false 0x264.3-0x264.3 (0.1) +0x00260| 80 | . | type_no_pad: false 0x264.4-0x264.4 (0.1) +0x00260| 80 | . | reserved0: false 0x264.5-0x264.5 (0.1) +0x00260| 80 | . | reserved1: false 0x264.6-0x264.6 (0.1) +0x00260| 80 | . | reserved2: false 0x264.7-0x264.7 (0.1) +0x00260| 00 | . | gprel: false 0x265-0x265 (0.1) +0x00260| 00 | . | unknown0: false 0x265.1-0x265.1 (0.1) +0x00260| 00 | . | unknown1: false 0x265.2-0x265.2 (0.1) +0x00260| 00 | . | lnk_comdat: false 0x265.3-0x265.3 (0.1) +0x00260| 00 | . | lnk_remove: false 0x265.4-0x265.4 (0.1) +0x00260| 00 | . | reserved3: false 0x265.5-0x265.5 (0.1) +0x00260| 00 | . | lnk_info: false 0x265.6-0x265.6 (0.1) +0x00260| 00 | . | lnk_other: false 0x265.7-0x265.7 (0.1) +0x00260| 60 | ` | align_128bytes: false 0x266-0x266 (0.1) +0x00260| 60 | ` | align_8bytes: true 0x266.1-0x266.1 (0.1) +0x00260| 60 | ` | align_2bytes: true 0x266.2-0x266.2 (0.1) +0x00260| 60 | ` | align_1bytes: false 0x266.3-0x266.3 (0.1) +0x00260| 60 | ` | mem_preload: false 0x266.4-0x266.4 (0.1) +0x00260| 60 | ` | mem_locked: false 0x266.5-0x266.5 (0.1) +0x00260| 60 | ` | mem_16bit: false 0x266.6-0x266.6 (0.1) +0x00260| 60 | ` | mem_purgeable: false 0x266.7-0x266.7 (0.1) +0x00260| c0 | . | mem_write: true 0x267-0x267 (0.1) +0x00260| c0 | . | mem_read: true 0x267.1-0x267.1 (0.1) +0x00260| c0 | . | mem_execute: false 0x267.2-0x267.2 (0.1) +0x00260| c0 | . | mem_shared: false 0x267.3-0x267.3 (0.1) +0x00260| c0 | . | mem_not_paged: false 0x267.4-0x267.4 (0.1) +0x00260| c0 | . | mem_not_cached: false 0x267.5-0x267.5 (0.1) +0x00260| c0 | . | mem_discardable: false 0x267.6-0x267.6 (0.1) +0x00260| c0 | . | lnk_nreloc_ovfl: false 0x267.7-0x267.7 (0.1) + | | | [6]{}: section 0x268-0x207ff.7 (132504) +0x00260| 2e 69 64 61 74 61 00 00| .idata..| name: ".idata" 0x268-0x26f.7 (8) +0x00270|30 0e 00 00 |0... 
| virtual_size: 3632 0x270-0x273.7 (4) +0x00270| 00 50 02 00 | .P.. | virtual_address: 0x25000 0x274-0x277.7 (4) +0x00270| 00 10 00 00 | .... | size_of_raw_data: 4096 0x278-0x27b.7 (4) +0x00270| 00 f8 01 00| ....| pointer_to_raw_data: 0x1f800 0x27c-0x27f.7 (4) +0x00280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x283.7 (4) +0x00280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x287.7 (4) +0x00280| 00 00 | .. | number_of_relocations: 0 0x288-0x289.7 (2) +0x00280| 00 00 | .. | number_of_line_numbers: 0 0x28a-0x28b.7 (2) + | | | characteristics{}: 0x28c-0x28f.7 (4) +0x00280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c (0.1) +0x00280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.1 (0.1) +0x00280| 40 | @ | cnt_code: false 0x28c.2-0x28c.2 (0.1) +0x00280| 40 | @ | reserved: false 0x28c.3-0x28c.3 (0.1) +0x00280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.4 (0.1) +0x00280| 40 | @ | reserved0: false 0x28c.5-0x28c.5 (0.1) +0x00280| 40 | @ | reserved1: false 0x28c.6-0x28c.6 (0.1) +0x00280| 40 | @ | reserved2: false 0x28c.7-0x28c.7 (0.1) +0x00280| 00 | . | gprel: false 0x28d-0x28d (0.1) +0x00280| 00 | . | unknown0: false 0x28d.1-0x28d.1 (0.1) +0x00280| 00 | . | unknown1: false 0x28d.2-0x28d.2 (0.1) +0x00280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.3 (0.1) +0x00280| 00 | . | lnk_remove: false 0x28d.4-0x28d.4 (0.1) +0x00280| 00 | . | reserved3: false 0x28d.5-0x28d.5 (0.1) +0x00280| 00 | . | lnk_info: false 0x28d.6-0x28d.6 (0.1) +0x00280| 00 | . 
| lnk_other: false 0x28d.7-0x28d.7 (0.1) +0x00280| 30 | 0 | align_128bytes: false 0x28e-0x28e (0.1) +0x00280| 30 | 0 | align_8bytes: false 0x28e.1-0x28e.1 (0.1) +0x00280| 30 | 0 | align_2bytes: true 0x28e.2-0x28e.2 (0.1) +0x00280| 30 | 0 | align_1bytes: true 0x28e.3-0x28e.3 (0.1) +0x00280| 30 | 0 | mem_preload: false 0x28e.4-0x28e.4 (0.1) +0x00280| 30 | 0 | mem_locked: false 0x28e.5-0x28e.5 (0.1) +0x00280| 30 | 0 | mem_16bit: false 0x28e.6-0x28e.6 (0.1) +0x00280| 30 | 0 | mem_purgeable: false 0x28e.7-0x28e.7 (0.1) +0x00280| c0| .| mem_write: true 0x28f-0x28f (0.1) +0x00280| c0| .| mem_read: true 0x28f.1-0x28f.1 (0.1) +0x00280| c0| .| mem_execute: false 0x28f.2-0x28f.2 (0.1) +0x00280| c0| .| mem_shared: false 0x28f.3-0x28f.3 (0.1) +0x00280| c0| .| mem_not_paged: false 0x28f.4-0x28f.4 (0.1) +0x00280| c0| .| mem_not_cached: false 0x28f.5-0x28f.5 (0.1) +0x00280| c0| .| mem_discardable: false 0x28f.6-0x28f.6 (0.1) +0x00280| c0| .| lnk_nreloc_ovfl: false 0x28f.7-0x28f.7 (0.1) +0x1f800|64 50 02 00 00 00 00 00 00 00 00 00 b8 5d 02 00|dP...........]..| data: raw bits 0x1f800-0x207ff.7 (4096) +* |until 0x207ff.7 (4096) | | + | | | [7]{}: section 0x290-0x20dff.7 (134000) +0x00290|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x290-0x297.7 (8) +0x00290| e8 04 00 00 | .... | virtual_size: 1256 0x298-0x29b.7 (4) +0x00290| 00 60 02 00| .`..| virtual_address: 0x26000 0x29c-0x29f.7 (4) +0x002a0|00 06 00 00 |.... | size_of_raw_data: 1536 0x2a0-0x2a3.7 (4) +0x002a0| 00 08 02 00 | .... | pointer_to_raw_data: 0x20800 0x2a4-0x2a7.7 (4) +0x002a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ab.7 (4) +0x002a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2af.7 (4) +0x002b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b1.7 (2) +0x002b0| 00 00 | .. 
| number_of_line_numbers: 0 0x2b2-0x2b3.7 (2) + | | | characteristics{}: 0x2b4-0x2b7.7 (4) +0x002b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4 (0.1) +0x002b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.1 (0.1) +0x002b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.2 (0.1) +0x002b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.3 (0.1) +0x002b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.4 (0.1) +0x002b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.5 (0.1) +0x002b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.6 (0.1) +0x002b0| 40 | @ | reserved2: false 0x2b4.7-0x2b4.7 (0.1) +0x002b0| 00 | . | gprel: false 0x2b5-0x2b5 (0.1) +0x002b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.1 (0.1) +0x002b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.2 (0.1) +0x002b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.3 (0.1) +0x002b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.4 (0.1) +0x002b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.5 (0.1) +0x002b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.6 (0.1) +0x002b0| 00 | . | lnk_other: false 0x2b5.7-0x2b5.7 (0.1) +0x002b0| 30 | 0 | align_128bytes: false 0x2b6-0x2b6 (0.1) +0x002b0| 30 | 0 | align_8bytes: false 0x2b6.1-0x2b6.1 (0.1) +0x002b0| 30 | 0 | align_2bytes: true 0x2b6.2-0x2b6.2 (0.1) +0x002b0| 30 | 0 | align_1bytes: true 0x2b6.3-0x2b6.3 (0.1) +0x002b0| 30 | 0 | mem_preload: false 0x2b6.4-0x2b6.4 (0.1) +0x002b0| 30 | 0 | mem_locked: false 0x2b6.5-0x2b6.5 (0.1) +0x002b0| 30 | 0 | mem_16bit: false 0x2b6.6-0x2b6.6 (0.1) +0x002b0| 30 | 0 | mem_purgeable: false 0x2b6.7-0x2b6.7 (0.1) +0x002b0| c0 | . | mem_write: true 0x2b7-0x2b7 (0.1) +0x002b0| c0 | . | mem_read: true 0x2b7.1-0x2b7.1 (0.1) +0x002b0| c0 | . | mem_execute: false 0x2b7.2-0x2b7.2 (0.1) +0x002b0| c0 | . | mem_shared: false 0x2b7.3-0x2b7.3 (0.1) +0x002b0| c0 | . | mem_not_paged: false 0x2b7.4-0x2b7.4 (0.1) +0x002b0| c0 | . | mem_not_cached: false 0x2b7.5-0x2b7.5 (0.1) +0x002b0| c0 | . | mem_discardable: false 0x2b7.6-0x2b7.6 (0.1) +0x002b0| c0 | . 
| lnk_nreloc_ovfl: false 0x2b7.7-0x2b7.7 (0.1) +0x20800|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00|................| data: raw bits 0x20800-0x20dff.7 (1536) +* |until 0x20dff.7 (1536) | | + | | | [8]{}: section 0x2b8-0x20fff.7 (134472) +0x002b0| 2f 31 34 00 00 00 00 00| /14.....| name: ".gnu_debuglink" ("/14") 0x2b8-0x2bf.7 (8) +0x002c0|10 00 00 00 |.... | virtual_size: 16 0x2c0-0x2c3.7 (4) +0x002c0| 00 70 02 00 | .p.. | virtual_address: 0x27000 0x2c4-0x2c7.7 (4) +0x002c0| 00 02 00 00 | .... | size_of_raw_data: 512 0x2c8-0x2cb.7 (4) +0x002c0| 00 0e 02 00| ....| pointer_to_raw_data: 0x20e00 0x2cc-0x2cf.7 (4) +0x002d0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2d0-0x2d3.7 (4) +0x002d0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2d4-0x2d7.7 (4) +0x002d0| 00 00 | .. | number_of_relocations: 0 0x2d8-0x2d9.7 (2) +0x002d0| 00 00 | .. | number_of_line_numbers: 0 0x2da-0x2db.7 (2) + | | | characteristics{}: 0x2dc-0x2df.7 (4) +0x002d0| 40 | @ | cnt_uninitialized_data: false 0x2dc-0x2dc (0.1) +0x002d0| 40 | @ | cnt_initialized_data: true 0x2dc.1-0x2dc.1 (0.1) +0x002d0| 40 | @ | cnt_code: false 0x2dc.2-0x2dc.2 (0.1) +0x002d0| 40 | @ | reserved: false 0x2dc.3-0x2dc.3 (0.1) +0x002d0| 40 | @ | type_no_pad: false 0x2dc.4-0x2dc.4 (0.1) +0x002d0| 40 | @ | reserved0: false 0x2dc.5-0x2dc.5 (0.1) +0x002d0| 40 | @ | reserved1: false 0x2dc.6-0x2dc.6 (0.1) +0x002d0| 40 | @ | reserved2: false 0x2dc.7-0x2dc.7 (0.1) +0x002d0| 00 | . | gprel: false 0x2dd-0x2dd (0.1) +0x002d0| 00 | . | unknown0: false 0x2dd.1-0x2dd.1 (0.1) +0x002d0| 00 | . | unknown1: false 0x2dd.2-0x2dd.2 (0.1) +0x002d0| 00 | . | lnk_comdat: false 0x2dd.3-0x2dd.3 (0.1) +0x002d0| 00 | . | lnk_remove: false 0x2dd.4-0x2dd.4 (0.1) +0x002d0| 00 | . | reserved3: false 0x2dd.5-0x2dd.5 (0.1) +0x002d0| 00 | . | lnk_info: false 0x2dd.6-0x2dd.6 (0.1) +0x002d0| 00 | . 
| lnk_other: false 0x2dd.7-0x2dd.7 (0.1) +0x002d0| 30 | 0 | align_128bytes: false 0x2de-0x2de (0.1) +0x002d0| 30 | 0 | align_8bytes: false 0x2de.1-0x2de.1 (0.1) +0x002d0| 30 | 0 | align_2bytes: true 0x2de.2-0x2de.2 (0.1) +0x002d0| 30 | 0 | align_1bytes: true 0x2de.3-0x2de.3 (0.1) +0x002d0| 30 | 0 | mem_preload: false 0x2de.4-0x2de.4 (0.1) +0x002d0| 30 | 0 | mem_locked: false 0x2de.5-0x2de.5 (0.1) +0x002d0| 30 | 0 | mem_16bit: false 0x2de.6-0x2de.6 (0.1) +0x002d0| 30 | 0 | mem_purgeable: false 0x2de.7-0x2de.7 (0.1) +0x002d0| 42| B| mem_write: false 0x2df-0x2df (0.1) +0x002d0| 42| B| mem_read: true 0x2df.1-0x2df.1 (0.1) +0x002d0| 42| B| mem_execute: false 0x2df.2-0x2df.2 (0.1) +0x002d0| 42| B| mem_shared: false 0x2df.3-0x2df.3 (0.1) +0x002d0| 42| B| mem_not_paged: false 0x2df.4-0x2df.4 (0.1) +0x002d0| 42| B| mem_not_cached: false 0x2df.5-0x2df.5 (0.1) +0x002d0| 42| B| mem_discardable: true 0x2df.6-0x2df.6 (0.1) +0x002d0| 42| B| lnk_nreloc_ovfl: false 0x2df.7-0x2df.7 (0.1) +0x20e00|6c 73 2e 65 78 65 2e 64 62 67 00 00 68 e8 a5 16|ls.exe.dbg..h...| data: raw bits 0x20e00-0x20fff.7 (512) +* |until 0x20fff.7 (512) | | + | | | symbol_table[0:0]: 0x2e0-NA (0) + | | | string_table{}: 0x21000-0x2101c.7 (29) +0x21000|1d 00 00 00 |.... | size: 29 0x21000-0x21003.7 (4) + | | | entries[0:2]: 0x21004-0x2101c.7 (25) +0x21000| 2e 65 68 5f 66 72 61 6d 65 00 | .eh_frame. | [0]: ".eh_frame" entry 0x21004-0x2100d.7 (10) +0x21000| 2e 67| .g| [1]: ".gnu_debuglink" entry 0x2100e-0x2101c.7 (15) +0x21010|6e 75 5f 64 65 62 75 67 6c 69 6e 6b 00| |nu_debuglink.| | +0x002e0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| gap0: raw bits 0x2e0-0x3ff.7 (288) +* |until 0x3ff.7 (288) | | diff --git a/format/pe/testdata/pe-mingw32-strip.exe b/format/pe/testdata/pe-mingw32-strip.exe new file mode 100755 index 0000000000..e9630b1fc5 Binary files /dev/null and b/format/pe/testdata/pe-mingw32-strip.exe differ 
diff --git a/format/pe/testdata/pe-mingw32-strip.exe.fqtest b/format/pe/testdata/pe-mingw32-strip.exe.fqtest
new file mode 100644
index 0000000000..ed94d37fee
--- /dev/null
+++ b/format/pe/testdata/pe-mingw32-strip.exe.fqtest
@@ -0,0 +1,496 @@ +$ fq dv pe-mingw32-strip.exe + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-mingw32-strip.exe (pe) 0x0-0x11b60d.7 (1160718) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0x7f.7 (128) +0x000000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x1.7 (2) +0x000000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x3.7 (2) +0x000000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x5.7 (2) +0x000000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x7.7 (2) +0x000000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0x9.7 (2) +0x000000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xb.7 (2) +0x000000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xd.7 (2) +0x000000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0xf.7 (2) +0x000010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x11.7 (2) +0x000010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x13.7 (2) +0x000010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x15.7 (2) +0x000010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x17.7 (2) +0x000010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x19.7 (2) +0x000010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1b.7 (2) +0x000010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x23.7 (8) +0x000020|00 00 00 00 |.... | +0x000020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x25.7 (2) +0x000020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x27.7 (2) +0x000020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3b.7 (20) +0x000030|00 00 00 00 00 00 00 00 00 00 00 00 |............ 
| +0x000030| 80 00 00 00| ....| e_lfanew: 128 (File address of new exe header) 0x3c-0x3f.7 (4) +0x000040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x7f.7 (64) +* |until 0x7f.7 (64) | | + | | | padding: raw bits 0x80-NA (0) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0x80-0x11b60d.7 (1160590) +0x000080|50 45 00 00 |PE.. | signature: raw bits (valid) 0x80-0x83.7 (4) +0x000080| 4c 01 | L. | machine: "i386" (0x14c) (Intel 386 or later processors and compatible processors) 0x84-0x85.7 (2) +0x000080| 08 00 | .. | number_of_sections: 8 0x86-0x87.7 (2) +0x000080| 00 00 00 00 | .... | time_date_stamp: 0 (1970-01-01T00:00:00Z) 0x88-0x8b.7 (4) +0x000080| 00 b6 11 00| ....| pointer_to_symbol_table: 0x11b600 0x8c-0x8f.7 (4) +0x000090|00 00 00 00 |.... | number_of_symbols: 0 0x90-0x93.7 (4) +0x000090| e0 00 | .. | size_of_optional_header: 224 0x94-0x95.7 (2) + | | | characteristics{}: 0x96-0x97.7 (2) +0x000090| 0f | . | bytes_reversed_hi: false 0x96-0x96 (0.1) +0x000090| 0f | . | up_system_only: false 0x96.1-0x96.1 (0.1) +0x000090| 0f | . | dll: false 0x96.2-0x96.2 (0.1) +0x000090| 0f | . | system: false 0x96.3-0x96.3 (0.1) +0x000090| 0f | . | net_run_from_swap: true 0x96.4-0x96.4 (0.1) +0x000090| 0f | . | removable_run_from_swap: true 0x96.5-0x96.5 (0.1) +0x000090| 0f | . | debug_stripped: true 0x96.6-0x96.6 (0.1) +0x000090| 0f | . | 32bit_machine: true 0x96.7-0x96.7 (0.1) +0x000090| 03 | . | bytes_reversed_lo: false 0x97-0x97 (0.1) +0x000090| 03 | . | reserved: false 0x97.1-0x97.1 (0.1) +0x000090| 03 | . | large_address_aware: false 0x97.2-0x97.2 (0.1) +0x000090| 03 | . | aggressive_ws_trim: false 0x97.3-0x97.3 (0.1) +0x000090| 03 | . | local_syms_stripped: false 0x97.4-0x97.4 (0.1) +0x000090| 03 | . | line_nums_stripped: false 0x97.5-0x97.5 (0.1) +0x000090| 03 | . | executable_image: true 0x97.6-0x97.6 (0.1) +0x000090| 03 | . 
| relocs_stripped: true 0x97.7-0x97.7 (0.1) + | | | optional_header{}: 0x98-0x177.7 (224) +0x000090| 0b 01 | .. | format: "pe32" (0x10b) 0x98-0x99.7 (2) +0x000090| 02 | . | major_linker_version: 2 0x9a-0x9a.7 (1) +0x000090| 1c | . | minor_linker_version: 28 0x9b-0x9b.7 (1) +0x000090| 00 b6 0c 00| ....| size_of_code: 833024 0x9c-0x9f.7 (4) +0x0000a0|00 b2 11 00 |.... | size_of_initialized_data: 1159680 0xa0-0xa3.7 (4) +0x0000a0| 00 58 00 00 | .X.. | size_of_uninitialized_data: 22528 0xa4-0xa7.7 (4) +0x0000a0| e0 12 00 00 | .... | address_of_entry_point: 0x12e0 0xa8-0xab.7 (4) +0x0000a0| 00 10 00 00| ....| base_of_code: 0x1000 0xac-0xaf.7 (4) +0x0000b0|00 d0 0c 00 |.... | base_of_data: 0xcd000 0xb0-0xb3.7 (4) +0x0000b0| 00 00 40 00 | ..@. | image_base: 0x400000 0xb4-0xb7.7 (4) +0x0000b0| 00 10 00 00 | .... | section_alignment: 4096 0xb8-0xbb.7 (4) +0x0000b0| 00 02 00 00| ....| file_alignment: 512 0xbc-0xbf.7 (4) +0x0000c0|04 00 |.. | major_os_version: 4 0xc0-0xc1.7 (2) +0x0000c0| 00 00 | .. | minor_os_version: 0 0xc2-0xc3.7 (2) +0x0000c0| 01 00 | .. | major_image_version: 1 0xc4-0xc5.7 (2) +0x0000c0| 00 00 | .. | minor_image_version: 0 0xc6-0xc7.7 (2) +0x0000c0| 04 00 | .. | major_subsystem_version: 4 0xc8-0xc9.7 (2) +0x0000c0| 00 00 | .. | minor_subsystem_version: 0 0xca-0xcb.7 (2) +0x0000c0| 00 00 00 00| ....| win32_version: 0 0xcc-0xcf.7 (4) +0x0000d0|00 70 12 00 |.p.. | size_of_image: 1208320 0xd0-0xd3.7 (4) +0x0000d0| 00 04 00 00 | .... | size_of_headers: 1024 0xd4-0xd7.7 (4) +0x0000d0| 95 80 12 00 | .... | chunk_sum: 0x128095 0xd8-0xdb.7 (4) +0x0000d0| 03 00 | .. | subsystem: "windows_cui" (3) (The Windows character subsystem) 0xdc-0xdd.7 (2) + | | | dll_characteristics{}: 0xde-0xdf.7 (2) +0x0000d0| 00 | . | force_integrity: false 0xde-0xde (0.1) +0x0000d0| 00 | . | dynamic_base: false 0xde.1-0xde.1 (0.1) +0x0000d0| 00 | . | high_entropy_va: false 0xde.2-0xde.2 (0.1) +0x0000d0| 00 | . | reserved0: false 0xde.3-0xde.3 (0.1) +0x0000d0| 00 | . 
| reserved1: false 0xde.4-0xde.4 (0.1) +0x0000d0| 00 | . | reserved2: false 0xde.5-0xde.5 (0.1) +0x0000d0| 00 | . | reserved3: false 0xde.6-0xde.6 (0.1) +0x0000d0| 00 | . | reserved4: false 0xde.7-0xde.7 (0.1) +0x0000d0| 00| .| terminal_server_aware: false 0xdf-0xdf (0.1) +0x0000d0| 00| .| guard_cf: false 0xdf.1-0xdf.1 (0.1) +0x0000d0| 00| .| wdm_driver: false 0xdf.2-0xdf.2 (0.1) +0x0000d0| 00| .| appcontainer: false 0xdf.3-0xdf.3 (0.1) +0x0000d0| 00| .| no_bind: false 0xdf.4-0xdf.4 (0.1) +0x0000d0| 00| .| no_seh: false 0xdf.5-0xdf.5 (0.1) +0x0000d0| 00| .| no_isolation: false 0xdf.6-0xdf.6 (0.1) +0x0000d0| 00| .| nx_compat: false 0xdf.7-0xdf.7 (0.1) +0x0000e0|00 00 c0 00 |.... | size_of_track_reserve: 12582912 0xe0-0xe3.7 (4) +0x0000e0| 00 10 00 00 | .... | size_of_stack_commit: 4096 0xe4-0xe7.7 (4) +0x0000e0| 00 00 10 00 | .... | size_of_heap_reserve: 1048576 0xe8-0xeb.7 (4) +0x0000e0| 00 10 00 00| ....| size_of_heap_commit: 4096 0xec-0xef.7 (4) +0x0000f0|00 00 00 00 |.... | loader_flags: 0 0xf0-0xf3.7 (4) +0x0000f0| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0xf4-0xf7.7 (4) +0x0000f0| 00 00 00 00 | .... | export_table_address: 0x0 0xf8-0xfb.7 (4) +0x0000f0| 00 00 00 00| ....| export_table_size: 0 0xfc-0xff.7 (4) +0x000100|00 30 12 00 |.0.. | import_table_address: 0x123000 0x100-0x103.7 (4) +0x000100| d4 10 00 00 | .... | import_table_size: 4308 0x104-0x107.7 (4) +0x000100| 00 00 00 00 | .... | resource_table_address: 0x0 0x108-0x10b.7 (4) +0x000100| 00 00 00 00| ....| resource_table_size: 0 0x10c-0x10f.7 (4) +0x000110|00 00 00 00 |.... | exception_table_address: 0x0 0x110-0x113.7 (4) +0x000110| 00 00 00 00 | .... | exception_table_size: 0 0x114-0x117.7 (4) +0x000110| 00 00 00 00 | .... | certificate_table_address: 0x0 0x118-0x11b.7 (4) +0x000110| 00 00 00 00| ....| certificate_table_size: 0 0x11c-0x11f.7 (4) +0x000120|00 00 00 00 |.... | base_relocation_table_address: 0x0 0x120-0x123.7 (4) +0x000120| 00 00 00 00 | .... 
| base_relocation_table_size: 0 0x124-0x127.7 (4) +0x000120| 00 00 00 00 | .... | debug_address: 0x0 0x128-0x12b.7 (4) +0x000120| 00 00 00 00| ....| debug_size: 0 0x12c-0x12f.7 (4) +0x000130|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x130-0x137.7 (8) +0x000130| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x138-0x13f.7 (8) +0x000140|04 60 12 00 |.`.. | tls_table_address: 0x126004 0x140-0x143.7 (4) +0x000140| 18 00 00 00 | .... | tls_table_size: 24 0x144-0x147.7 (4) +0x000140| 00 00 00 00 | .... | load_config_table_address: 0x0 0x148-0x14b.7 (4) +0x000140| 00 00 00 00| ....| load_config_table_size: 0 0x14c-0x14f.7 (4) +0x000150|00 00 00 00 |.... | bound_import_address: 0x0 0x150-0x153.7 (4) +0x000150| 00 00 00 00 | .... | bound_import_size: 0 0x154-0x157.7 (4) +0x000150| 24 33 12 00 | $3.. | iat_address: 0x123324 0x158-0x15b.7 (4) +0x000150| 98 02 00 00| ....| iat_size: 664 0x15c-0x15f.7 (4) +0x000160|00 00 00 00 |.... | delay_import_descriptor_address: 0x0 0x160-0x163.7 (4) +0x000160| 00 00 00 00 | .... | delay_import_descriptor_size: 0 0x164-0x167.7 (4) +0x000160| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x168-0x16b.7 (4) +0x000160| 00 00 00 00| ....| clr_runtime_header_size: 0 0x16c-0x16f.7 (4) +0x000170|00 00 00 00 00 00 00 00 |........ | reserved: 0 0x170-0x177.7 (8) + | | | unknown: raw bits 0x178-NA (0) + | | | sections[0:8]: 0x178-0x11b5ff.7 (1160328) + | | | [0]{}: section 0x178-0xcb9ff.7 (833672) +0x000170| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x178-0x17f.7 (8) +0x000180|d4 b5 0c 00 |.... | virtual_size: 832980 0x180-0x183.7 (4) +0x000180| 00 10 00 00 | .... | virtual_address: 0x1000 0x184-0x187.7 (4) +0x000180| 00 b6 0c 00 | .... | size_of_raw_data: 833024 0x188-0x18b.7 (4) +0x000180| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x18c-0x18f.7 (4) +0x000190|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x190-0x193.7 (4) +0x000190| 00 00 00 00 | .... 
| pointer_to_line_numbers: 0x0 0x194-0x197.7 (4) +0x000190| 00 00 | .. | number_of_relocations: 0 0x198-0x199.7 (2) +0x000190| 00 00 | .. | number_of_line_numbers: 0 0x19a-0x19b.7 (2) + | | | characteristics{}: 0x19c-0x19f.7 (4) +0x000190| 60 | ` | cnt_uninitialized_data: false 0x19c-0x19c (0.1) +0x000190| 60 | ` | cnt_initialized_data: true 0x19c.1-0x19c.1 (0.1) +0x000190| 60 | ` | cnt_code: true 0x19c.2-0x19c.2 (0.1) +0x000190| 60 | ` | reserved: false 0x19c.3-0x19c.3 (0.1) +0x000190| 60 | ` | type_no_pad: false 0x19c.4-0x19c.4 (0.1) +0x000190| 60 | ` | reserved0: false 0x19c.5-0x19c.5 (0.1) +0x000190| 60 | ` | reserved1: false 0x19c.6-0x19c.6 (0.1) +0x000190| 60 | ` | reserved2: false 0x19c.7-0x19c.7 (0.1) +0x000190| 00 | . | gprel: false 0x19d-0x19d (0.1) +0x000190| 00 | . | unknown0: false 0x19d.1-0x19d.1 (0.1) +0x000190| 00 | . | unknown1: false 0x19d.2-0x19d.2 (0.1) +0x000190| 00 | . | lnk_comdat: false 0x19d.3-0x19d.3 (0.1) +0x000190| 00 | . | lnk_remove: false 0x19d.4-0x19d.4 (0.1) +0x000190| 00 | . | reserved3: false 0x19d.5-0x19d.5 (0.1) +0x000190| 00 | . | lnk_info: false 0x19d.6-0x19d.6 (0.1) +0x000190| 00 | . 
| lnk_other: false 0x19d.7-0x19d.7 (0.1) +0x000190| 50 | P | align_128bytes: false 0x19e-0x19e (0.1) +0x000190| 50 | P | align_8bytes: true 0x19e.1-0x19e.1 (0.1) +0x000190| 50 | P | align_2bytes: false 0x19e.2-0x19e.2 (0.1) +0x000190| 50 | P | align_1bytes: true 0x19e.3-0x19e.3 (0.1) +0x000190| 50 | P | mem_preload: false 0x19e.4-0x19e.4 (0.1) +0x000190| 50 | P | mem_locked: false 0x19e.5-0x19e.5 (0.1) +0x000190| 50 | P | mem_16bit: false 0x19e.6-0x19e.6 (0.1) +0x000190| 50 | P | mem_purgeable: false 0x19e.7-0x19e.7 (0.1) +0x000190| 60| `| mem_write: false 0x19f-0x19f (0.1) +0x000190| 60| `| mem_read: true 0x19f.1-0x19f.1 (0.1) +0x000190| 60| `| mem_execute: true 0x19f.2-0x19f.2 (0.1) +0x000190| 60| `| mem_shared: false 0x19f.3-0x19f.3 (0.1) +0x000190| 60| `| mem_not_paged: false 0x19f.4-0x19f.4 (0.1) +0x000190| 60| `| mem_not_cached: false 0x19f.5-0x19f.5 (0.1) +0x000190| 60| `| mem_discardable: false 0x19f.6-0x19f.6 (0.1) +0x000190| 60| `| lnk_nreloc_ovfl: false 0x19f.7-0x19f.7 (0.1) +0x000400|83 ec 1c 8b 44 24 20 8b 00 8b 00 3d 91 00 00 c0|....D$ ....=....| data: raw bits 0x400-0xcb9ff.7 (833024) +* |until 0xcb9ff.7 (833024) | | + | | | [1]{}: section 0x1a0-0xcd9ff.7 (841824) +0x0001a0|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x1a0-0x1a7.7 (8) +0x0001a0| e8 1e 00 00 | .... | virtual_size: 7912 0x1a8-0x1ab.7 (4) +0x0001a0| 00 d0 0c 00| ....| virtual_address: 0xcd000 0x1ac-0x1af.7 (4) +0x0001b0|00 20 00 00 |. .. | size_of_raw_data: 8192 0x1b0-0x1b3.7 (4) +0x0001b0| 00 ba 0c 00 | .... | pointer_to_raw_data: 0xcba00 0x1b4-0x1b7.7 (4) +0x0001b0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1b8-0x1bb.7 (4) +0x0001b0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1bc-0x1bf.7 (4) +0x0001c0|00 00 |.. | number_of_relocations: 0 0x1c0-0x1c1.7 (2) +0x0001c0| 00 00 | .. 
| number_of_line_numbers: 0 0x1c2-0x1c3.7 (2) + | | | characteristics{}: 0x1c4-0x1c7.7 (4) +0x0001c0| 40 | @ | cnt_uninitialized_data: false 0x1c4-0x1c4 (0.1) +0x0001c0| 40 | @ | cnt_initialized_data: true 0x1c4.1-0x1c4.1 (0.1) +0x0001c0| 40 | @ | cnt_code: false 0x1c4.2-0x1c4.2 (0.1) +0x0001c0| 40 | @ | reserved: false 0x1c4.3-0x1c4.3 (0.1) +0x0001c0| 40 | @ | type_no_pad: false 0x1c4.4-0x1c4.4 (0.1) +0x0001c0| 40 | @ | reserved0: false 0x1c4.5-0x1c4.5 (0.1) +0x0001c0| 40 | @ | reserved1: false 0x1c4.6-0x1c4.6 (0.1) +0x0001c0| 40 | @ | reserved2: false 0x1c4.7-0x1c4.7 (0.1) +0x0001c0| 00 | . | gprel: false 0x1c5-0x1c5 (0.1) +0x0001c0| 00 | . | unknown0: false 0x1c5.1-0x1c5.1 (0.1) +0x0001c0| 00 | . | unknown1: false 0x1c5.2-0x1c5.2 (0.1) +0x0001c0| 00 | . | lnk_comdat: false 0x1c5.3-0x1c5.3 (0.1) +0x0001c0| 00 | . | lnk_remove: false 0x1c5.4-0x1c5.4 (0.1) +0x0001c0| 00 | . | reserved3: false 0x1c5.5-0x1c5.5 (0.1) +0x0001c0| 00 | . | lnk_info: false 0x1c5.6-0x1c5.6 (0.1) +0x0001c0| 00 | . | lnk_other: false 0x1c5.7-0x1c5.7 (0.1) +0x0001c0| 60 | ` | align_128bytes: false 0x1c6-0x1c6 (0.1) +0x0001c0| 60 | ` | align_8bytes: true 0x1c6.1-0x1c6.1 (0.1) +0x0001c0| 60 | ` | align_2bytes: true 0x1c6.2-0x1c6.2 (0.1) +0x0001c0| 60 | ` | align_1bytes: false 0x1c6.3-0x1c6.3 (0.1) +0x0001c0| 60 | ` | mem_preload: false 0x1c6.4-0x1c6.4 (0.1) +0x0001c0| 60 | ` | mem_locked: false 0x1c6.5-0x1c6.5 (0.1) +0x0001c0| 60 | ` | mem_16bit: false 0x1c6.6-0x1c6.6 (0.1) +0x0001c0| 60 | ` | mem_purgeable: false 0x1c6.7-0x1c6.7 (0.1) +0x0001c0| c0 | . | mem_write: true 0x1c7-0x1c7 (0.1) +0x0001c0| c0 | . | mem_read: true 0x1c7.1-0x1c7.1 (0.1) +0x0001c0| c0 | . | mem_execute: false 0x1c7.2-0x1c7.2 (0.1) +0x0001c0| c0 | . | mem_shared: false 0x1c7.3-0x1c7.3 (0.1) +0x0001c0| c0 | . | mem_not_paged: false 0x1c7.4-0x1c7.4 (0.1) +0x0001c0| c0 | . | mem_not_cached: false 0x1c7.5-0x1c7.5 (0.1) +0x0001c0| c0 | . | mem_discardable: false 0x1c7.6-0x1c7.6 (0.1) +0x0001c0| c0 | . 
| lnk_nreloc_ovfl: false 0x1c7.7-0x1c7.7 (0.1) +0x0cba00|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| data: raw bits 0xcba00-0xcd9ff.7 (8192) +* |until 0xcd9ff.7 (8192) | | + | | | [2]{}: section 0x1c8-0xffbff.7 (1047096) +0x0001c0| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x1c8-0x1cf.7 (8) +0x0001d0|a8 21 03 00 |.!.. | virtual_size: 205224 0x1d0-0x1d3.7 (4) +0x0001d0| 00 f0 0c 00 | .... | virtual_address: 0xcf000 0x1d4-0x1d7.7 (4) +0x0001d0| 00 22 03 00 | .".. | size_of_raw_data: 205312 0x1d8-0x1db.7 (4) +0x0001d0| 00 da 0c 00| ....| pointer_to_raw_data: 0xcda00 0x1dc-0x1df.7 (4) +0x0001e0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x1e0-0x1e3.7 (4) +0x0001e0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x1e4-0x1e7.7 (4) +0x0001e0| 00 00 | .. | number_of_relocations: 0 0x1e8-0x1e9.7 (2) +0x0001e0| 00 00 | .. | number_of_line_numbers: 0 0x1ea-0x1eb.7 (2) + | | | characteristics{}: 0x1ec-0x1ef.7 (4) +0x0001e0| 40 | @ | cnt_uninitialized_data: false 0x1ec-0x1ec (0.1) +0x0001e0| 40 | @ | cnt_initialized_data: true 0x1ec.1-0x1ec.1 (0.1) +0x0001e0| 40 | @ | cnt_code: false 0x1ec.2-0x1ec.2 (0.1) +0x0001e0| 40 | @ | reserved: false 0x1ec.3-0x1ec.3 (0.1) +0x0001e0| 40 | @ | type_no_pad: false 0x1ec.4-0x1ec.4 (0.1) +0x0001e0| 40 | @ | reserved0: false 0x1ec.5-0x1ec.5 (0.1) +0x0001e0| 40 | @ | reserved1: false 0x1ec.6-0x1ec.6 (0.1) +0x0001e0| 40 | @ | reserved2: false 0x1ec.7-0x1ec.7 (0.1) +0x0001e0| 00 | . | gprel: false 0x1ed-0x1ed (0.1) +0x0001e0| 00 | . | unknown0: false 0x1ed.1-0x1ed.1 (0.1) +0x0001e0| 00 | . | unknown1: false 0x1ed.2-0x1ed.2 (0.1) +0x0001e0| 00 | . | lnk_comdat: false 0x1ed.3-0x1ed.3 (0.1) +0x0001e0| 00 | . | lnk_remove: false 0x1ed.4-0x1ed.4 (0.1) +0x0001e0| 00 | . | reserved3: false 0x1ed.5-0x1ed.5 (0.1) +0x0001e0| 00 | . | lnk_info: false 0x1ed.6-0x1ed.6 (0.1) +0x0001e0| 00 | . 
| lnk_other: false 0x1ed.7-0x1ed.7 (0.1) +0x0001e0| 60 | ` | align_128bytes: false 0x1ee-0x1ee (0.1) +0x0001e0| 60 | ` | align_8bytes: true 0x1ee.1-0x1ee.1 (0.1) +0x0001e0| 60 | ` | align_2bytes: true 0x1ee.2-0x1ee.2 (0.1) +0x0001e0| 60 | ` | align_1bytes: false 0x1ee.3-0x1ee.3 (0.1) +0x0001e0| 60 | ` | mem_preload: false 0x1ee.4-0x1ee.4 (0.1) +0x0001e0| 60 | ` | mem_locked: false 0x1ee.5-0x1ee.5 (0.1) +0x0001e0| 60 | ` | mem_16bit: false 0x1ee.6-0x1ee.6 (0.1) +0x0001e0| 60 | ` | mem_purgeable: false 0x1ee.7-0x1ee.7 (0.1) +0x0001e0| 40| @| mem_write: false 0x1ef-0x1ef (0.1) +0x0001e0| 40| @| mem_read: true 0x1ef.1-0x1ef.1 (0.1) +0x0001e0| 40| @| mem_execute: false 0x1ef.2-0x1ef.2 (0.1) +0x0001e0| 40| @| mem_shared: false 0x1ef.3-0x1ef.3 (0.1) +0x0001e0| 40| @| mem_not_paged: false 0x1ef.4-0x1ef.4 (0.1) +0x0001e0| 40| @| mem_not_cached: false 0x1ef.5-0x1ef.5 (0.1) +0x0001e0| 40| @| mem_discardable: false 0x1ef.6-0x1ef.6 (0.1) +0x0001e0| 40| @| lnk_nreloc_ovfl: false 0x1ef.7-0x1ef.7 (0.1) +0x0cda00|6c 69 62 67 63 63 5f 73 5f 64 77 32 2d 31 2e 64|libgcc_s_dw2-1.d| data: raw bits 0xcda00-0xffbff.7 (205312) +* |until 0xffbff.7 (205312) | | + | | | [3]{}: section 0x1f0-0x119fff.7 (1154576) +0x0001f0|2f 34 00 00 00 00 00 00 |/4...... | name: ".eh_frame" ("/4") 0x1f0-0x1f7.7 (8) +0x0001f0| 64 a2 01 00 | d... | virtual_size: 107108 0x1f8-0x1fb.7 (4) +0x0001f0| 00 20 10 00| . ..| virtual_address: 0x102000 0x1fc-0x1ff.7 (4) +0x000200|00 a4 01 00 |.... | size_of_raw_data: 107520 0x200-0x203.7 (4) +0x000200| 00 fc 0f 00 | .... | pointer_to_raw_data: 0xffc00 0x204-0x207.7 (4) +0x000200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20b.7 (4) +0x000200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x20f.7 (4) +0x000210|00 00 |.. | number_of_relocations: 0 0x210-0x211.7 (2) +0x000210| 00 00 | .. 
| number_of_line_numbers: 0 0x212-0x213.7 (2) + | | | characteristics{}: 0x214-0x217.7 (4) +0x000210| 40 | @ | cnt_uninitialized_data: false 0x214-0x214 (0.1) +0x000210| 40 | @ | cnt_initialized_data: true 0x214.1-0x214.1 (0.1) +0x000210| 40 | @ | cnt_code: false 0x214.2-0x214.2 (0.1) +0x000210| 40 | @ | reserved: false 0x214.3-0x214.3 (0.1) +0x000210| 40 | @ | type_no_pad: false 0x214.4-0x214.4 (0.1) +0x000210| 40 | @ | reserved0: false 0x214.5-0x214.5 (0.1) +0x000210| 40 | @ | reserved1: false 0x214.6-0x214.6 (0.1) +0x000210| 40 | @ | reserved2: false 0x214.7-0x214.7 (0.1) +0x000210| 00 | . | gprel: false 0x215-0x215 (0.1) +0x000210| 00 | . | unknown0: false 0x215.1-0x215.1 (0.1) +0x000210| 00 | . | unknown1: false 0x215.2-0x215.2 (0.1) +0x000210| 00 | . | lnk_comdat: false 0x215.3-0x215.3 (0.1) +0x000210| 00 | . | lnk_remove: false 0x215.4-0x215.4 (0.1) +0x000210| 00 | . | reserved3: false 0x215.5-0x215.5 (0.1) +0x000210| 00 | . | lnk_info: false 0x215.6-0x215.6 (0.1) +0x000210| 00 | . 
| lnk_other: false 0x215.7-0x215.7 (0.1) +0x000210| 30 | 0 | align_128bytes: false 0x216-0x216 (0.1) +0x000210| 30 | 0 | align_8bytes: false 0x216.1-0x216.1 (0.1) +0x000210| 30 | 0 | align_2bytes: true 0x216.2-0x216.2 (0.1) +0x000210| 30 | 0 | align_1bytes: true 0x216.3-0x216.3 (0.1) +0x000210| 30 | 0 | mem_preload: false 0x216.4-0x216.4 (0.1) +0x000210| 30 | 0 | mem_locked: false 0x216.5-0x216.5 (0.1) +0x000210| 30 | 0 | mem_16bit: false 0x216.6-0x216.6 (0.1) +0x000210| 30 | 0 | mem_purgeable: false 0x216.7-0x216.7 (0.1) +0x000210| 40 | @ | mem_write: false 0x217-0x217 (0.1) +0x000210| 40 | @ | mem_read: true 0x217.1-0x217.1 (0.1) +0x000210| 40 | @ | mem_execute: false 0x217.2-0x217.2 (0.1) +0x000210| 40 | @ | mem_shared: false 0x217.3-0x217.3 (0.1) +0x000210| 40 | @ | mem_not_paged: false 0x217.4-0x217.4 (0.1) +0x000210| 40 | @ | mem_not_cached: false 0x217.5-0x217.5 (0.1) +0x000210| 40 | @ | mem_discardable: false 0x217.6-0x217.6 (0.1) +0x000210| 40 | @ | lnk_nreloc_ovfl: false 0x217.7-0x217.7 (0.1) +0x0ffc00|14 00 00 00 00 00 00 00 01 7a 52 00 01 7c 08 01|.........zR..|..| data: raw bits 0xffc00-0x119fff.7 (107520) +* |until 0x119fff.7 (107520) | | + | | | [4]{}: section 0x218-0x23f.7 (40) +0x000210| 2e 62 73 73 00 00 00 00| .bss....| name: ".bss" 0x218-0x21f.7 (8) +0x000220|60 56 00 00 |`V.. | virtual_size: 22112 0x220-0x223.7 (4) +0x000220| 00 d0 11 00 | .... | virtual_address: 0x11d000 0x224-0x227.7 (4) +0x000220| 00 00 00 00 | .... | size_of_raw_data: 0 0x228-0x22b.7 (4) +0x000220| 00 00 00 00| ....| pointer_to_raw_data: 0x0 0x22c-0x22f.7 (4) +0x000230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x233.7 (4) +0x000230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x237.7 (4) +0x000230| 00 00 | .. | number_of_relocations: 0 0x238-0x239.7 (2) +0x000230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23b.7 (2) + | | | characteristics{}: 0x23c-0x23f.7 (4) +0x000230| 80 | . | cnt_uninitialized_data: true 0x23c-0x23c (0.1) +0x000230| 80 | . 
| cnt_initialized_data: false 0x23c.1-0x23c.1 (0.1) +0x000230| 80 | . | cnt_code: false 0x23c.2-0x23c.2 (0.1) +0x000230| 80 | . | reserved: false 0x23c.3-0x23c.3 (0.1) +0x000230| 80 | . | type_no_pad: false 0x23c.4-0x23c.4 (0.1) +0x000230| 80 | . | reserved0: false 0x23c.5-0x23c.5 (0.1) +0x000230| 80 | . | reserved1: false 0x23c.6-0x23c.6 (0.1) +0x000230| 80 | . | reserved2: false 0x23c.7-0x23c.7 (0.1) +0x000230| 00 | . | gprel: false 0x23d-0x23d (0.1) +0x000230| 00 | . | unknown0: false 0x23d.1-0x23d.1 (0.1) +0x000230| 00 | . | unknown1: false 0x23d.2-0x23d.2 (0.1) +0x000230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.3 (0.1) +0x000230| 00 | . | lnk_remove: false 0x23d.4-0x23d.4 (0.1) +0x000230| 00 | . | reserved3: false 0x23d.5-0x23d.5 (0.1) +0x000230| 00 | . | lnk_info: false 0x23d.6-0x23d.6 (0.1) +0x000230| 00 | . | lnk_other: false 0x23d.7-0x23d.7 (0.1) +0x000230| 60 | ` | align_128bytes: false 0x23e-0x23e (0.1) +0x000230| 60 | ` | align_8bytes: true 0x23e.1-0x23e.1 (0.1) +0x000230| 60 | ` | align_2bytes: true 0x23e.2-0x23e.2 (0.1) +0x000230| 60 | ` | align_1bytes: false 0x23e.3-0x23e.3 (0.1) +0x000230| 60 | ` | mem_preload: false 0x23e.4-0x23e.4 (0.1) +0x000230| 60 | ` | mem_locked: false 0x23e.5-0x23e.5 (0.1) +0x000230| 60 | ` | mem_16bit: false 0x23e.6-0x23e.6 (0.1) +0x000230| 60 | ` | mem_purgeable: false 0x23e.7-0x23e.7 (0.1) +0x000230| c0| .| mem_write: true 0x23f-0x23f (0.1) +0x000230| c0| .| mem_read: true 0x23f.1-0x23f.1 (0.1) +0x000230| c0| .| mem_execute: false 0x23f.2-0x23f.2 (0.1) +0x000230| c0| .| mem_shared: false 0x23f.3-0x23f.3 (0.1) +0x000230| c0| .| mem_not_paged: false 0x23f.4-0x23f.4 (0.1) +0x000230| c0| .| mem_not_cached: false 0x23f.5-0x23f.5 (0.1) +0x000230| c0| .| mem_discardable: false 0x23f.6-0x23f.6 (0.1) +0x000230| c0| .| lnk_nreloc_ovfl: false 0x23f.7-0x23f.7 (0.1) + | | | [5]{}: section 0x240-0x11b1ff.7 (1159104) +0x000240|2e 69 64 61 74 61 00 00 |.idata.. | name: ".idata" 0x240-0x247.7 (8) +0x000240| d4 10 00 00 | .... 
| virtual_size: 4308 0x248-0x24b.7 (4) +0x000240| 00 30 12 00| .0..| virtual_address: 0x123000 0x24c-0x24f.7 (4) +0x000250|00 12 00 00 |.... | size_of_raw_data: 4608 0x250-0x253.7 (4) +0x000250| 00 a0 11 00 | .... | pointer_to_raw_data: 0x11a000 0x254-0x257.7 (4) +0x000250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25b.7 (4) +0x000250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x25f.7 (4) +0x000260|00 00 |.. | number_of_relocations: 0 0x260-0x261.7 (2) +0x000260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x263.7 (2) + | | | characteristics{}: 0x264-0x267.7 (4) +0x000260| 40 | @ | cnt_uninitialized_data: false 0x264-0x264 (0.1) +0x000260| 40 | @ | cnt_initialized_data: true 0x264.1-0x264.1 (0.1) +0x000260| 40 | @ | cnt_code: false 0x264.2-0x264.2 (0.1) +0x000260| 40 | @ | reserved: false 0x264.3-0x264.3 (0.1) +0x000260| 40 | @ | type_no_pad: false 0x264.4-0x264.4 (0.1) +0x000260| 40 | @ | reserved0: false 0x264.5-0x264.5 (0.1) +0x000260| 40 | @ | reserved1: false 0x264.6-0x264.6 (0.1) +0x000260| 40 | @ | reserved2: false 0x264.7-0x264.7 (0.1) +0x000260| 00 | . | gprel: false 0x265-0x265 (0.1) +0x000260| 00 | . | unknown0: false 0x265.1-0x265.1 (0.1) +0x000260| 00 | . | unknown1: false 0x265.2-0x265.2 (0.1) +0x000260| 00 | . | lnk_comdat: false 0x265.3-0x265.3 (0.1) +0x000260| 00 | . | lnk_remove: false 0x265.4-0x265.4 (0.1) +0x000260| 00 | . | reserved3: false 0x265.5-0x265.5 (0.1) +0x000260| 00 | . | lnk_info: false 0x265.6-0x265.6 (0.1) +0x000260| 00 | . 
| lnk_other: false 0x265.7-0x265.7 (0.1) +0x000260| 30 | 0 | align_128bytes: false 0x266-0x266 (0.1) +0x000260| 30 | 0 | align_8bytes: false 0x266.1-0x266.1 (0.1) +0x000260| 30 | 0 | align_2bytes: true 0x266.2-0x266.2 (0.1) +0x000260| 30 | 0 | align_1bytes: true 0x266.3-0x266.3 (0.1) +0x000260| 30 | 0 | mem_preload: false 0x266.4-0x266.4 (0.1) +0x000260| 30 | 0 | mem_locked: false 0x266.5-0x266.5 (0.1) +0x000260| 30 | 0 | mem_16bit: false 0x266.6-0x266.6 (0.1) +0x000260| 30 | 0 | mem_purgeable: false 0x266.7-0x266.7 (0.1) +0x000260| c0 | . | mem_write: true 0x267-0x267 (0.1) +0x000260| c0 | . | mem_read: true 0x267.1-0x267.1 (0.1) +0x000260| c0 | . | mem_execute: false 0x267.2-0x267.2 (0.1) +0x000260| c0 | . | mem_shared: false 0x267.3-0x267.3 (0.1) +0x000260| c0 | . | mem_not_paged: false 0x267.4-0x267.4 (0.1) +0x000260| c0 | . | mem_not_cached: false 0x267.5-0x267.5 (0.1) +0x000260| c0 | . | mem_discardable: false 0x267.6-0x267.6 (0.1) +0x000260| c0 | . | lnk_nreloc_ovfl: false 0x267.7-0x267.7 (0.1) +0x11a000|8c 30 12 00 00 00 00 00 00 00 00 00 14 3e 12 00|.0...........>..| data: raw bits 0x11a000-0x11b1ff.7 (4608) +* |until 0x11b1ff.7 (4608) | | + | | | [6]{}: section 0x268-0x11b3ff.7 (1159576) +0x000260| 2e 43 52 54 00 00 00 00| .CRT....| name: ".CRT" 0x268-0x26f.7 (8) +0x000270|18 00 00 00 |.... | virtual_size: 24 0x270-0x273.7 (4) +0x000270| 00 50 12 00 | .P.. | virtual_address: 0x125000 0x274-0x277.7 (4) +0x000270| 00 02 00 00 | .... | size_of_raw_data: 512 0x278-0x27b.7 (4) +0x000270| 00 b2 11 00| ....| pointer_to_raw_data: 0x11b200 0x27c-0x27f.7 (4) +0x000280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x283.7 (4) +0x000280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x287.7 (4) +0x000280| 00 00 | .. | number_of_relocations: 0 0x288-0x289.7 (2) +0x000280| 00 00 | .. 
| number_of_line_numbers: 0 0x28a-0x28b.7 (2) + | | | characteristics{}: 0x28c-0x28f.7 (4) +0x000280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c (0.1) +0x000280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.1 (0.1) +0x000280| 40 | @ | cnt_code: false 0x28c.2-0x28c.2 (0.1) +0x000280| 40 | @ | reserved: false 0x28c.3-0x28c.3 (0.1) +0x000280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.4 (0.1) +0x000280| 40 | @ | reserved0: false 0x28c.5-0x28c.5 (0.1) +0x000280| 40 | @ | reserved1: false 0x28c.6-0x28c.6 (0.1) +0x000280| 40 | @ | reserved2: false 0x28c.7-0x28c.7 (0.1) +0x000280| 00 | . | gprel: false 0x28d-0x28d (0.1) +0x000280| 00 | . | unknown0: false 0x28d.1-0x28d.1 (0.1) +0x000280| 00 | . | unknown1: false 0x28d.2-0x28d.2 (0.1) +0x000280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.3 (0.1) +0x000280| 00 | . | lnk_remove: false 0x28d.4-0x28d.4 (0.1) +0x000280| 00 | . | reserved3: false 0x28d.5-0x28d.5 (0.1) +0x000280| 00 | . | lnk_info: false 0x28d.6-0x28d.6 (0.1) +0x000280| 00 | . 
| lnk_other: false 0x28d.7-0x28d.7 (0.1) +0x000280| 30 | 0 | align_128bytes: false 0x28e-0x28e (0.1) +0x000280| 30 | 0 | align_8bytes: false 0x28e.1-0x28e.1 (0.1) +0x000280| 30 | 0 | align_2bytes: true 0x28e.2-0x28e.2 (0.1) +0x000280| 30 | 0 | align_1bytes: true 0x28e.3-0x28e.3 (0.1) +0x000280| 30 | 0 | mem_preload: false 0x28e.4-0x28e.4 (0.1) +0x000280| 30 | 0 | mem_locked: false 0x28e.5-0x28e.5 (0.1) +0x000280| 30 | 0 | mem_16bit: false 0x28e.6-0x28e.6 (0.1) +0x000280| 30 | 0 | mem_purgeable: false 0x28e.7-0x28e.7 (0.1) +0x000280| c0| .| mem_write: true 0x28f-0x28f (0.1) +0x000280| c0| .| mem_read: true 0x28f.1-0x28f.1 (0.1) +0x000280| c0| .| mem_execute: false 0x28f.2-0x28f.2 (0.1) +0x000280| c0| .| mem_shared: false 0x28f.3-0x28f.3 (0.1) +0x000280| c0| .| mem_not_paged: false 0x28f.4-0x28f.4 (0.1) +0x000280| c0| .| mem_not_cached: false 0x28f.5-0x28f.5 (0.1) +0x000280| c0| .| mem_discardable: false 0x28f.6-0x28f.6 (0.1) +0x000280| c0| .| lnk_nreloc_ovfl: false 0x28f.7-0x28f.7 (0.1) +0x11b200|00 00 00 00 80 b9 4b 00 30 b9 4b 00 00 00 00 00|......K.0.K.....| data: raw bits 0x11b200-0x11b3ff.7 (512) +* |until 0x11b3ff.7 (512) | | + | | | [7]{}: section 0x290-0x11b5ff.7 (1160048) +0x000290|2e 74 6c 73 00 00 00 00 |.tls.... | name: ".tls" 0x290-0x297.7 (8) +0x000290| 20 00 00 00 | ... | virtual_size: 32 0x298-0x29b.7 (4) +0x000290| 00 60 12 00| .`..| virtual_address: 0x126000 0x29c-0x29f.7 (4) +0x0002a0|00 02 00 00 |.... | size_of_raw_data: 512 0x2a0-0x2a3.7 (4) +0x0002a0| 00 b4 11 00 | .... | pointer_to_raw_data: 0x11b400 0x2a4-0x2a7.7 (4) +0x0002a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ab.7 (4) +0x0002a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2af.7 (4) +0x0002b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b1.7 (2) +0x0002b0| 00 00 | .. 
| number_of_line_numbers: 0 0x2b2-0x2b3.7 (2) + | | | characteristics{}: 0x2b4-0x2b7.7 (4) +0x0002b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4 (0.1) +0x0002b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.1 (0.1) +0x0002b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.2 (0.1) +0x0002b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.3 (0.1) +0x0002b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.4 (0.1) +0x0002b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.5 (0.1) +0x0002b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.6 (0.1) +0x0002b0| 40 | @ | reserved2: false 0x2b4.7-0x2b4.7 (0.1) +0x0002b0| 00 | . | gprel: false 0x2b5-0x2b5 (0.1) +0x0002b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.1 (0.1) +0x0002b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.2 (0.1) +0x0002b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.3 (0.1) +0x0002b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.4 (0.1) +0x0002b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.5 (0.1) +0x0002b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.6 (0.1) +0x0002b0| 00 | . | lnk_other: false 0x2b5.7-0x2b5.7 (0.1) +0x0002b0| 30 | 0 | align_128bytes: false 0x2b6-0x2b6 (0.1) +0x0002b0| 30 | 0 | align_8bytes: false 0x2b6.1-0x2b6.1 (0.1) +0x0002b0| 30 | 0 | align_2bytes: true 0x2b6.2-0x2b6.2 (0.1) +0x0002b0| 30 | 0 | align_1bytes: true 0x2b6.3-0x2b6.3 (0.1) +0x0002b0| 30 | 0 | mem_preload: false 0x2b6.4-0x2b6.4 (0.1) +0x0002b0| 30 | 0 | mem_locked: false 0x2b6.5-0x2b6.5 (0.1) +0x0002b0| 30 | 0 | mem_16bit: false 0x2b6.6-0x2b6.6 (0.1) +0x0002b0| 30 | 0 | mem_purgeable: false 0x2b6.7-0x2b6.7 (0.1) +0x0002b0| c0 | . | mem_write: true 0x2b7-0x2b7 (0.1) +0x0002b0| c0 | . | mem_read: true 0x2b7.1-0x2b7.1 (0.1) +0x0002b0| c0 | . | mem_execute: false 0x2b7.2-0x2b7.2 (0.1) +0x0002b0| c0 | . | mem_shared: false 0x2b7.3-0x2b7.3 (0.1) +0x0002b0| c0 | . | mem_not_paged: false 0x2b7.4-0x2b7.4 (0.1) +0x0002b0| c0 | . | mem_not_cached: false 0x2b7.5-0x2b7.5 (0.1) +0x0002b0| c0 | . | mem_discardable: false 0x2b7.6-0x2b7.6 (0.1) +0x0002b0| c0 | . 
| lnk_nreloc_ovfl: false 0x2b7.7-0x2b7.7 (0.1) +0x11b400|00 00 00 00 01 60 52 00 1c 60 52 00 10 19 52 00|.....`R..`R...R.| data: raw bits 0x11b400-0x11b5ff.7 (512) +* |until 0x11b5ff.7 (512) | | + | | | symbol_table[0:0]: 0x2b8-NA (0) + | | | string_table{}: 0x11b600-0x11b60d.7 (14) +0x11b600|0e 00 00 00 |.... | size: 14 0x11b600-0x11b603.7 (4) + | | | entries[0:1]: 0x11b604-0x11b60d.7 (10) +0x11b600| 2e 65 68 5f 66 72 61 6d 65 00| | .eh_frame.| | [0]: ".eh_frame" entry 0x11b604-0x11b60d.7 (10) +0x0002b0| 00 00 00 00 00 00 00 00| ........| gap0: raw bits 0x2b8-0x3ff.7 (328) +0x0002c0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| +* |until 0x3ff.7 (328) | |