Package ghidra.app.util.bin.format.pe

Class FileHeader

  • All Implemented Interfaces:
    StructConverter
    public class FileHeader
extends java.lang.Object
implements StructConverter
    A class to represent the IMAGE_FILE_HEADER struct as defined in winnt.h. 
     typedef struct _IMAGE_FILE_HEADER {
     WORD    Machine;                                                           // MANDATORY
     WORD    NumberOfSections;                                  // USED
     DWORD   TimeDateStamp;
     DWORD   PointerToSymbolTable;
     DWORD   NumberOfSymbols;
     WORD    SizeOfOptionalHeader;                              // USED
     WORD    Characteristics;                                           // MANDATORY
 } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

    • Field Detail

      • NAME

        public static final java.lang.String NAME
        The name to use when converting into a structure data type.
        See Also:
        Constant Field Values

      • IMAGE_SIZEOF_FILE_HEADER

        public static final int IMAGE_SIZEOF_FILE_HEADER
        The size of the IMAGE_FILE_HEADER in bytes.
        See Also:
        Constant Field Values

      • IMAGE_FILE_RELOCS_STRIPPED

        public static final int IMAGE_FILE_RELOCS_STRIPPED
        Relocation info stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_EXECUTABLE_IMAGE

        public static final int IMAGE_FILE_EXECUTABLE_IMAGE
        File is executable (no unresolved externel references).
        See Also:
        Constant Field Values

      • IMAGE_FILE_LINE_NUMS_STRIPPED

        public static final int IMAGE_FILE_LINE_NUMS_STRIPPED
        Line nunbers stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_LOCAL_SYMS_STRIPPED

        public static final int IMAGE_FILE_LOCAL_SYMS_STRIPPED
        Local symbols stripped from file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_AGGRESIVE_WS_TRIM

        public static final int IMAGE_FILE_AGGRESIVE_WS_TRIM
        Agressively trim working set
        See Also:
        Constant Field Values

      • IMAGE_FILE_LARGE_ADDRESS_AWARE

        public static final int IMAGE_FILE_LARGE_ADDRESS_AWARE
        App can handle >2gb addresses
        See Also:
        Constant Field Values

      • IMAGE_FILE_BYTES_REVERSED_LO

        public static final int IMAGE_FILE_BYTES_REVERSED_LO
        Bytes of machine word are reversed.
        See Also:
        Constant Field Values

      • IMAGE_FILE_32BIT_MACHINE

        public static final int IMAGE_FILE_32BIT_MACHINE
        32 bit word machine.
        See Also:
        Constant Field Values

      • IMAGE_FILE_DEBUG_STRIPPED

        public static final int IMAGE_FILE_DEBUG_STRIPPED
        Debugging info stripped from file in .DBG file
        See Also:
        Constant Field Values

      • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

        public static final int IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
        If Image is on removable media, copy and run from the swap file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_NET_RUN_FROM_SWAP

        public static final int IMAGE_FILE_NET_RUN_FROM_SWAP
        If Image is on Net, copy and run from the swap file.
        See Also:
        Constant Field Values

      • IMAGE_FILE_SYSTEM

        public static final int IMAGE_FILE_SYSTEM
        System File.
        See Also:
        Constant Field Values

      • IMAGE_FILE_UP_SYSTEM_ONLY

        public static final int IMAGE_FILE_UP_SYSTEM_ONLY
        File should only be run on a UP machine.
        See Also:
        Constant Field Values

      • IMAGE_FILE_BYTES_REVERSED_HI

        public static final int IMAGE_FILE_BYTES_REVERSED_HI
        Bytes of machine word are reversed.
        See Also:
        Constant Field Values

      • CHARACTERISTICS

        public static final java.lang.String[] CHARACTERISTICS

      • IMAGE_FILE_MACHINE_MASK

        public static final int IMAGE_FILE_MACHINE_MASK
        Values for the Machine field indicating the intended processor architecture
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_UNKNOWN

        public static final int IMAGE_FILE_MACHINE_UNKNOWN
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_AM33

        public static final int IMAGE_FILE_MACHINE_AM33
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_AMD64

        public static final int IMAGE_FILE_MACHINE_AMD64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_ARM64

        public static final int IMAGE_FILE_MACHINE_ARM64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_ARMNT

        public static final int IMAGE_FILE_MACHINE_ARMNT
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_I386

        public static final int IMAGE_FILE_MACHINE_I386
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_IA64

        public static final int IMAGE_FILE_MACHINE_IA64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_M32R

        public static final int IMAGE_FILE_MACHINE_M32R
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPS16

        public static final int IMAGE_FILE_MACHINE_MIPS16
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPSFPU

        public static final int IMAGE_FILE_MACHINE_MIPSFPU
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_MIPSFPU16

        public static final int IMAGE_FILE_MACHINE_MIPSFPU16
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_POWERPC

        public static final int IMAGE_FILE_MACHINE_POWERPC
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_POWERPCFP

        public static final int IMAGE_FILE_MACHINE_POWERPCFP
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_R4000

        public static final int IMAGE_FILE_MACHINE_R4000
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV32

        public static final int IMAGE_FILE_MACHINE_RISCV32
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV64

        public static final int IMAGE_FILE_MACHINE_RISCV64
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_RISCV128

        public static final int IMAGE_FILE_MACHINE_RISCV128
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_SH3DSP

        public static final int IMAGE_FILE_MACHINE_SH3DSP
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_THUMB

        public static final int IMAGE_FILE_MACHINE_THUMB
        See Also:
        Constant Field Values

      • IMAGE_FILE_MACHINE_WCEMIPSV2

        public static final int IMAGE_FILE_MACHINE_WCEMIPSV2
        See Also:
        Constant Field Values

    • Constructor Detail

      • FileHeader

        public FileHeader()
        DO NOT USE THIS CONSTRUCTOR, USE create*(GenericFactory ...) FACTORY METHODS INSTEAD.

    • Method Detail

      • getMachine

        public short getMachine()
        Returns the architecture type of the computer.
        Returns:
        the architecture type of the computer

      • getMachineName

        public java.lang.String getMachineName()
        Returns a string representation of the architecture type of the computer.
        Returns:
        a string representation of the architecture type of the computer

      • getNumberOfSections

        public int getNumberOfSections()
        Returns the number of sections. Sections equate to Ghidra memory blocks.
        Returns:
        the number of sections

      • getSectionHeaders

        public SectionHeader[] getSectionHeaders()
        Returns the array of section headers.
        Returns:
        the array of section headers

      • getSymbols

        public java.util.List<DebugCOFFSymbol> getSymbols()
        Returns the array of symbols.
        Returns:
        the array of symbols

      • getImageRuntimeFunctionEntries

        public java.util.List<ImageRuntimeFunctionEntries._IMAGE_RUNTIME_FUNCTION_ENTRY> getImageRuntimeFunctionEntries()
        Returns the array of RUNTIME_INFO entries, if any are present.
        Returns:
        An array of _IMAGE_RUNTIME_FUNCTION_ENTRY. The array can be empty. TODO: This is x86-64 architecture-specific and needs to be generalized.

      • getSectionHeaderContaining

        public SectionHeader getSectionHeaderContaining​(int virtualAddr)
        Returns the section header that contains the specified virtual address.
        Parameters:
        virtualAddr - the virtual address
        Returns:
        the section header that contains the specified virtual address

      • getSectionHeader

        public SectionHeader getSectionHeader​(int index)
        Returns the section header at the specified position in the array.
        Parameters:
        index - index of section header to return
        Returns:
        the section header at the specified position in the array, or null if invalid

      • getTimeDateStamp

        public int getTimeDateStamp()
        Returns the time stamp of the image.
        Returns:
        the time stamp of the image

      • getPointerToSymbolTable

        public int getPointerToSymbolTable()
        Returns the file offset of the COFF symbol table
        Returns:
        the file offset of the COFF symbol table

      • getNumberOfSymbols

        public int getNumberOfSymbols()
        Returns the number of symbols in the COFF symbol table
        Returns:
        the number of symbols in the COFF symbol table

      • getSizeOfOptionalHeader

        public int getSizeOfOptionalHeader()
        Returns the size of the optional header data
        Returns:
        the size of the optional header, in bytes

      • getCharacteristics

        public int getCharacteristics()
        Returns a set of bit flags indicating attributes of the file.
        Returns:
        a set of bit flags indicating attributes

      • getPointerToSections

        public int getPointerToSections()
        Returns the file pointer to the section headers.
        Returns:
        the file pointer to the section headers

      • isLordPE

        public boolean isLordPE()

      • toDataType

        public DataType toDataType()
                    throws DuplicateNameException
        Description copied from interface: StructConverter
        Returns a structure datatype representing the contents of the implementor of this interface.

        For example, given: 

         class A {
     int foo;
     double bar;
 }

        The return value should be a structure data type with two data type components; an INT and a DOUBLE. The structure should contain field names and, if possible, field comments.

        Specified by:
        toDataType in interface StructConverter
        Returns:
        returns a structure datatype representing the implementor of this interface
        Throws:
        DuplicateNameException - when a datatype of the same name already exists
        See Also:
        StructConverter.toDataType()

      • addSection

        public void addSection​(MemoryBlock block,
                       OptionalHeader optionalHeader)
        Adds a new section to this file header. Uses the given memory block as the section template. The section will have the memory block's name, start address, size, etc. The optional header is needed to determine the free byte position in the file.
        Parameters:
        block - the memory block template
        optionalHeader - the related optional header
        Throws:
        java.lang.RuntimeException - if the memory block is uninitialized