Package ghidra.app.util.bin.format.pe

Class FileHeader

java.lang.Object
ghidra.app.util.bin.format.pe.FileHeader
All Implemented Interfaces:
StructConverter
public class FileHeader extends Object implements StructConverter
A class to represent the IMAGE_FILE_HEADER struct as defined in winnt.h. 
 typedef struct _IMAGE_FILE_HEADER {
     WORD    Machine;                                                           // MANDATORY
     WORD    NumberOfSections;                                  // USED
     DWORD   TimeDateStamp;
     DWORD   PointerToSymbolTable;
     DWORD   NumberOfSymbols;
     WORD    SizeOfOptionalHeader;                              // USED
     WORD    Characteristics;                                           // MANDATORY
 } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

  • Field Details

    • NAME

      public static final String NAME
      The name to use when converting into a structure data type.
      See Also:

    • IMAGE_SIZEOF_FILE_HEADER

      public static final int IMAGE_SIZEOF_FILE_HEADER
      The size of the IMAGE_FILE_HEADER in bytes.
      See Also:

    • IMAGE_FILE_RELOCS_STRIPPED

      public static final int IMAGE_FILE_RELOCS_STRIPPED
      Relocation info stripped from file.
      See Also:

    • IMAGE_FILE_EXECUTABLE_IMAGE

      public static final int IMAGE_FILE_EXECUTABLE_IMAGE
      File is executable (no unresolved externel references).
      See Also:

    • IMAGE_FILE_LINE_NUMS_STRIPPED

      public static final int IMAGE_FILE_LINE_NUMS_STRIPPED
      Line nunbers stripped from file.
      See Also:

    • IMAGE_FILE_LOCAL_SYMS_STRIPPED

      public static final int IMAGE_FILE_LOCAL_SYMS_STRIPPED
      Local symbols stripped from file.
      See Also:

    • IMAGE_FILE_AGGRESIVE_WS_TRIM

      public static final int IMAGE_FILE_AGGRESIVE_WS_TRIM
      Agressively trim working set
      See Also:

    • IMAGE_FILE_LARGE_ADDRESS_AWARE

      public static final int IMAGE_FILE_LARGE_ADDRESS_AWARE
      App can handle >2gb addresses
      See Also:

    • IMAGE_FILE_BYTES_REVERSED_LO

      public static final int IMAGE_FILE_BYTES_REVERSED_LO
      Bytes of machine word are reversed.
      See Also:

    • IMAGE_FILE_32BIT_MACHINE

      public static final int IMAGE_FILE_32BIT_MACHINE
      32 bit word machine.
      See Also:

    • IMAGE_FILE_DEBUG_STRIPPED

      public static final int IMAGE_FILE_DEBUG_STRIPPED
      Debugging info stripped from file in .DBG file
      See Also:

    • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

      public static final int IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
      If Image is on removable media, copy and run from the swap file.
      See Also:

    • IMAGE_FILE_NET_RUN_FROM_SWAP

      public static final int IMAGE_FILE_NET_RUN_FROM_SWAP
      If Image is on Net, copy and run from the swap file.
      See Also:

    • IMAGE_FILE_SYSTEM

      public static final int IMAGE_FILE_SYSTEM
      System File.
      See Also:

    • IMAGE_FILE_DLL

      public static final int IMAGE_FILE_DLL
      File is a DLL.
      See Also:

    • IMAGE_FILE_UP_SYSTEM_ONLY

      public static final int IMAGE_FILE_UP_SYSTEM_ONLY
      File should only be run on a UP machine.
      See Also:

    • IMAGE_FILE_BYTES_REVERSED_HI

      public static final int IMAGE_FILE_BYTES_REVERSED_HI
      Bytes of machine word are reversed.
      See Also:

    • CHARACTERISTICS

      public static final String[] CHARACTERISTICS

    • IMAGE_FILE_MACHINE_MASK

      public static final int IMAGE_FILE_MACHINE_MASK
      Values for the Machine field indicating the intended processor architecture
      See Also:

    • IMAGE_FILE_MACHINE_UNKNOWN

      public static final int IMAGE_FILE_MACHINE_UNKNOWN
      See Also:

    • IMAGE_FILE_MACHINE_AM33

      public static final int IMAGE_FILE_MACHINE_AM33
      See Also:

    • IMAGE_FILE_MACHINE_AMD64

      public static final int IMAGE_FILE_MACHINE_AMD64
      See Also:

    • IMAGE_FILE_MACHINE_ARM

      public static final int IMAGE_FILE_MACHINE_ARM
      See Also:

    • IMAGE_FILE_MACHINE_ARM64

      public static final int IMAGE_FILE_MACHINE_ARM64
      See Also:

    • IMAGE_FILE_MACHINE_ARMNT

      public static final int IMAGE_FILE_MACHINE_ARMNT
      See Also:

    • IMAGE_FILE_MACHINE_EBC

      public static final int IMAGE_FILE_MACHINE_EBC
      See Also:

    • IMAGE_FILE_MACHINE_I386

      public static final int IMAGE_FILE_MACHINE_I386
      See Also:

    • IMAGE_FILE_MACHINE_IA64

      public static final int IMAGE_FILE_MACHINE_IA64
      See Also:

    • IMAGE_FILE_MACHINE_M32R

      public static final int IMAGE_FILE_MACHINE_M32R
      See Also:

    • IMAGE_FILE_MACHINE_MIPS16

      public static final int IMAGE_FILE_MACHINE_MIPS16
      See Also:

    • IMAGE_FILE_MACHINE_MIPSFPU

      public static final int IMAGE_FILE_MACHINE_MIPSFPU
      See Also:

    • IMAGE_FILE_MACHINE_MIPSFPU16

      public static final int IMAGE_FILE_MACHINE_MIPSFPU16
      See Also:

    • IMAGE_FILE_MACHINE_POWERPC

      public static final int IMAGE_FILE_MACHINE_POWERPC
      See Also:

    • IMAGE_FILE_MACHINE_POWERPCFP

      public static final int IMAGE_FILE_MACHINE_POWERPCFP
      See Also:

    • IMAGE_FILE_MACHINE_R4000

      public static final int IMAGE_FILE_MACHINE_R4000
      See Also:

    • IMAGE_FILE_MACHINE_RISCV32

      public static final int IMAGE_FILE_MACHINE_RISCV32
      See Also:

    • IMAGE_FILE_MACHINE_RISCV64

      public static final int IMAGE_FILE_MACHINE_RISCV64
      See Also:

    • IMAGE_FILE_MACHINE_RISCV128

      public static final int IMAGE_FILE_MACHINE_RISCV128
      See Also:

    • IMAGE_FILE_MACHINE_SH3

      public static final int IMAGE_FILE_MACHINE_SH3
      See Also:

    • IMAGE_FILE_MACHINE_SH3DSP

      public static final int IMAGE_FILE_MACHINE_SH3DSP
      See Also:

    • IMAGE_FILE_MACHINE_SH4

      public static final int IMAGE_FILE_MACHINE_SH4
      See Also:

    • IMAGE_FILE_MACHINE_SH5

      public static final int IMAGE_FILE_MACHINE_SH5
      See Also:

    • IMAGE_FILE_MACHINE_THUMB

      public static final int IMAGE_FILE_MACHINE_THUMB
      See Also:

    • IMAGE_FILE_MACHINE_WCEMIPSV2

      public static final int IMAGE_FILE_MACHINE_WCEMIPSV2
      See Also:

  • Method Details

    • getMachine

      public short getMachine()
      Returns the architecture type of the computer.
      Returns:
      the architecture type of the computer

    • getMachineName

      public String getMachineName()
      Returns a string representation of the architecture type of the computer.
      Returns:
      a string representation of the architecture type of the computer

    • getNumberOfSections

      public int getNumberOfSections()
      Returns the number of sections. Sections equate to Ghidra memory blocks.
      Returns:
      the number of sections

    • getSectionHeaders

      public SectionHeader[] getSectionHeaders()
      Returns the array of section headers.
      Returns:
      the array of section headers

    • getSymbols

      public List<DebugCOFFSymbol> getSymbols()
      Returns the array of symbols.
      Returns:
      the array of symbols

    • getSectionHeaderContaining

      public SectionHeader getSectionHeaderContaining(int virtualAddr)
      Returns the section header that contains the specified virtual address.
      Parameters:
      virtualAddr - the virtual address
      Returns:
      the section header that contains the specified virtual address

    • getSectionHeader

      public SectionHeader getSectionHeader(int index)
      Returns the section header at the specified position in the array.
      Parameters:
      index - index of section header to return
      Returns:
      the section header at the specified position in the array, or null if invalid

    • getSectionHeader

      public SectionHeader getSectionHeader(String name)
      Get the first section header defined with the specified name
      Parameters:
      name - section name
      Returns:
      first section header defined with the specified name or null if not found

    • getTimeDateStamp

      public int getTimeDateStamp()
      Returns the time stamp of the image.
      Returns:
      the time stamp of the image

    • getPointerToSymbolTable

      public int getPointerToSymbolTable()
      Returns the file offset of the COFF symbol table
      Returns:
      the file offset of the COFF symbol table

    • getNumberOfSymbols

      public int getNumberOfSymbols()
      Returns the number of symbols in the COFF symbol table
      Returns:
      the number of symbols in the COFF symbol table

    • getSizeOfOptionalHeader

      public int getSizeOfOptionalHeader()
      Returns the size of the optional header data
      Returns:
      the size of the optional header, in bytes

    • getCharacteristics

      public int getCharacteristics()
      Returns a set of bit flags indicating attributes of the file.
      Returns:
      a set of bit flags indicating attributes

    • getPointerToSections

      public int getPointerToSections()
      Returns the file pointer to the section headers.
      Returns:
      the file pointer to the section headers

    • isLordPE

      public boolean isLordPE()

    • toDataType

      public DataType toDataType() throws DuplicateNameException
      Description copied from interface: StructConverter
      Returns a structure datatype representing the contents of the implementor of this interface.

      For example, given: 

       class A {
     int foo;
     double bar;
 }

      The return value should be a structure data type with two data type components; an INT and a DOUBLE. The structure should contain field names and, if possible, field comments.

      Specified by:
      toDataType in interface StructConverter
      Returns:
      returns a structure datatype representing the implementor of this interface
      Throws:
      DuplicateNameException - when a datatype of the same name already exists
      See Also:

    • addSection

      public void addSection(MemoryBlock block, OptionalHeader optionalHeader)
      Adds a new section to this file header. Uses the given memory block as the section template. The section will have the memory block's name, start address, size, etc. The optional header is needed to determine the free byte position in the file.
      Parameters:
      block - the memory block template
      optionalHeader - the related optional header
      Throws:
      RuntimeException - if the memory block is uninitialized