Struct goblin::pe::optional_header::WindowsFields64

#[repr(C)]
pub struct WindowsFields64 {

    pub image_base: u64,
    pub section_alignment: u32,
    pub file_alignment: u32,
    pub major_operating_system_version: u16,
    pub minor_operating_system_version: u16,
    pub major_image_version: u16,
    pub minor_image_version: u16,
    pub major_subsystem_version: u16,
    pub minor_subsystem_version: u16,
    pub win32_version_value: u32,
    pub size_of_image: u32,
    pub size_of_headers: u32,
    pub check_sum: u32,
    pub subsystem: u16,
    pub dll_characteristics: u16,
    pub size_of_stack_reserve: u64,
    pub size_of_stack_commit: u64,
    pub size_of_heap_reserve: u64,
    pub size_of_heap_commit: u64,
    pub loader_flags: u32,
    pub number_of_rva_and_sizes: u32,
}

Windows specific fields for 64-bit binary (PE32+). They’re also known as “NT additional fields”.

In winnt.h, this is a subset of IMAGE_OPTIONAL_HEADER64.

Note: at the moment of writing, WindowsFields is an alias for WindowsFields64. Though nominally equivalent, they’re semantically distinct.

• For 32-bit version, see WindowsFields32.
• For unified version, see WindowsFields.

Fields

image_base: u64

The preferred yet rarely provided address of the first byte of image when loaded into memory; must be a multiple of 64 K.

This address is rarely used because Windows uses memory protection mechanisms like Address Space Layout Randomization (ASLR). As a result, it’s rare to see an image mapped to the preferred address. Instead, the Windows PE Loader maps the file to a different address with an unused memory range. This process would create issues because some addresses that would have been constant are now changed. The Loader addresses this via a process called PE relocation which fixes these constant addresses to work with the new image base. The relocation section (.reloc) holds data essential to this relocation process. Source.

• The default address for DLLs is 0x10000000.
• The default for Windows CE EXEs is 0x00010000.
• The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000.

Position in PE binary

Windows fields are located inside OptionalHeader after StandardFields and before the DataDirectories.

Related structures

• For 32-bit version, see WindowsFields32.
• For unified version, see WindowsFields, especially the note on nominal equivalence.

section_alignment: u32

Holds a byte value used for section alignment in memory.

This value must be greater than or equal to file_alignment, which is the next field.

When loaded into memory, sections are aligned in memory boundaries that are multiples of this value.

If the value is less than the architecture’s page size, then the value should match file_alignment. Source.

The default value is the page size for the architecture.

file_alignment: u32

The alignment factor (in bytes) that is used to align the raw data of sections in the image file.

The value should be a power of 2 between 512 and 64 K, inclusive.

If the section_alignment is less than the architecture’s page size, then file_alignment must match section_alignment.

If file_alignment is less than section_alignment, then remainder will be padded with zeroes in order to maintain the alignment boundaries. Source.

The default value is 512.

major_operating_system_version: u16

The major version number of the required operating system.

minor_operating_system_version: u16

The minor version number of the required operating system.

major_image_version: u16

The major version number of the image.

minor_image_version: u16

The minor version number of the image.

major_subsystem_version: u16

The major version number of the subsystem.

minor_subsystem_version: u16

The minor version number of the subsystem.

win32_version_value: u32

Reserved, must be zero.

size_of_image: u32

The size (in bytes) of the image, including all headers, as the image is loaded in memory.

It must be a multiple of the section_alignment.

size_of_headers: u32

The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment.

check_sum: u32

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.

The following are checked for validation at load time:

• all drivers,
• any DLL loaded at boot time, and
• any DLL that is loaded into a critical Windows process.

subsystem: u16

The subsystem that is required to run this image.

The subsystem can be one of the values in the goblin::pe::subsystem module.

dll_characteristics: u16

DLL characteristics of the image.

DLL characteristics can be one of the values in the goblin::pe::dll_characteristic module.

size_of_stack_reserve: u64

The size of the stack to reserve. Only WindowsFields::size_of_stack_commit is committed; the rest is made available one page at a time until the reserve size is reached.

In the context of memory management in operating systems, “commit” refers to the act of allocating physical memory to back a portion of the virtual memory space.

When a program requests memory, the operating system typically allocates virtual memory space for it. However, this virtual memory space doesn’t immediately consume physical memory (RAM) resources. Instead, physical memory is only allocated when the program actually uses (or accesses) that portion of the virtual memory space. This allocation of physical memory to back virtual memory is called “committing” memory.

size_of_stack_commit: u64

The size of the stack to commit.

size_of_heap_reserve: u64

The size of the local heap space to reserve. Only WindowsFields::size_of_heap_commit is committed; the rest is made available one page at a time until the reserve size is reached.

size_of_heap_commit: u64

The size of the local heap space to commit.

loader_flags: u32

Reserved, must be zero.

number_of_rva_and_sizes: u32

The number of data-directory entries in the remainder of the optional header. Each describes a location and size.

Trait Implementations

impl Clone for WindowsFields64

fn clone(&self) -> WindowsFields64

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for WindowsFields64

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for WindowsFields64

fn default() -> WindowsFields64

Returns the “default value” for a type.

impl PartialEq for WindowsFields64

fn eq(&self, other: &WindowsFields64) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl SizeWith<Endian> for WindowsFields64

fn size_with(ctx: &Endian) -> usize

impl TryFrom<WindowsFields64> for WindowsFields32

type Error = Error

The type returned in the event of a conversion error.

fn try_from(value: WindowsFields64) -> Result<Self, Self::Error>

Performs the conversion.

impl<'a> TryFromCtx<'a, Endian> for WindowsFields64

where WindowsFields64: 'a,

type Error = Error

fn try_from_ctx( src: &'a [u8], ctx: Endian ) -> Result<(Self, usize), Self::Error>

impl<'a> TryIntoCtx<Endian> for &'a WindowsFields64

type Error = Error

fn try_into_ctx(self, dst: &mut [u8], ctx: Endian) -> Result<usize, Self::Error>

impl TryIntoCtx<Endian> for WindowsFields64

type Error = Error

fn try_into_ctx(self, dst: &mut [u8], ctx: Endian) -> Result<usize, Self::Error>

impl Copy for WindowsFields64

impl StructuralPartialEq for WindowsFields64