Type: Driver
File Name:
File Size: 16.0 MB
65 (4.78)
Downloads: 45
Supported systems: Windows 7/8/10, Windows XP 64-bit, Mac OS X 10.X
Price: Free* (*Free Registration Required)

Download Now

In this case, an RVA would be an address within a section described later in this tableto which a relocation is later applied during linking. For simplicity, a compiler should just set the first Image dllcharacteristics wdm in each section to zero.


For example, all code in an object file can be combined within a single section or depending on compiler behavior each function can occupy its own section. With more sections, there is more file overhead, but the linker image dllcharacteristics wdm able to link in code more selectively. A section is similar to a segment in Intel architecture. All the raw data in a section must be loaded contiguously.

PE module — yara documentation

In addition, an image file can contain a number of sections, such as. Same as RVA, except that the base address of the image file is not subtracted. The address is called a "VA" because Windows creates a distinct VA space for each process, independent of physical memory. For almost all purposes, a VA should be considered just an address. A VA is not as predictable as an RVA because the loader might not load the image at its preferred image dllcharacteristics wdm.

The number that identifies the type of target machine. For more information, see Machine Types. Image dllcharacteristics wdm number of sections. This indicates the size of the section table, which immediately follows the headers.

Please edit this page!

This value should be zero for an image because COFF debugging information is deprecated. The number of entries in the symbol table.


This data can be used to image dllcharacteristics wdm the string table, which immediately follows the symbol table. The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file. For a description of the header format, see Optional Header Image Only.

Verifying ASLR, DEP, and SafeSEH with PowerShell

The flags that image dllcharacteristics wdm the attributes of the file. For specific flag values, see Characteristics. This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from executable EXE files. Image only.

This indicates that the image file is valid and can be run. If image dllcharacteristics wdm flag is not set, it indicates a linker error. COFF symbol table entries for local symbols have been removed. This flag is deprecated and should be zero. Aggressively trim working set.

This flag is deprecated for Windows and later and must be zero. The image file is a dynamic-link library DLL. Such files are considered executable files for almost all purposes, although they cannot be directly run. The unsigned integer that identifies the state of the image file. The most common number is 0x10B, which image dllcharacteristics wdm it as a normal executable image dllcharacteristics wdm. The size of the code text section, or the sum of all code sections if there are multiple sections. The size of the initialized data section, or the sum of all such sections if there are multiple data sections. The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero. The address that is relative to the image base of the beginning-of-code section when it is loaded into memory. The address that is relative to the image base image dllcharacteristics wdm the beginning-of-data section when it is loaded into memory. PEchecker provides a lot of functionality. Each resource directory entry has the following format. These records are the leaves in the resource-description tree. Learn more about Teams.This specification describes the structure of executable (image) files and object files under the Windows family of operating systems.


For more information, see DLL Image dllcharacteristics wdm later in this specification. A WDM driver. A pointer to the entry point function, relative to the image base address. The DLL characteristics of the image.

The following A WDM driver.

Relevant Posts