
MZ, PE-COFF executable file format (EXE)

Summary

The Executable (EXE) format is a collection of different formats used by various operating systems like DOS, Windows, OS/2 and emulators like Wine. The Executable (EXE) format began with the MZ format and was later extended with formats like PE/COFF.

This document is intended as a working document for the Executable (EXE) specification, in particular the Windows resource format with respect to EventLog messages, which should allow existing Open Source forensic tooling to process this file type.

Special thanks to A. Schuster for his excellent work on the WEVT_TEMPLATE resource format.

Document information

Author(s):

Joachim Metz <joachim.metz@gmail.com>

Abstract:

This document contains information about the MZ, PE-COFF executable format

Classification:

Public

Keywords:

Executable, EXE, MZ, PE-COFF

License

Copyright (C) 2011-2014, Joachim Metz <joachim.metz@gmail.com>.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included
in the section entitled "GNU Free Documentation License".

Revision history

Version Author     Date            Comments
0.0.1   J.B. Metz  October 2011    Initial version.
0.0.2   J.B. Metz  February 2012   Additional information.
0.0.3   J.B. Metz  March 2012      Added information about string resources.
0.0.4   J.B. Metz  September 2012  Additional information.
0.0.5   J.B. Metz  October 2012    Additional information regarding MUI resource.
0.0.6   J.B. Metz  October 2012    Additional information regarding WEVT_TEMPLATE resource.
0.0.7   J.B. Metz  November 2012   Additional information regarding WEVT_TEMPLATE resource.
0.0.8   J.B. Metz  December 2012   Additional information regarding WEVT_TEMPLATE resource.
0.0.9   J.B. Metz  February 2013   Additional information, with thanks to W. Harris.
0.0.10  J.B. Metz  May 2013        Additional information about VERSION resource.
0.0.11  J.B. Metz  February 2014   Additional information about PDB information in PE/COFF.
0.0.12  J.B. Metz  May 2014        Additional information about rich signature header.
0.0.13  J.B. Metz  December 2014   Switched to asciidoc format.

1. Overview

The Executable (EXE) format is a collection of different formats used by various operating systems like DOS, Windows, OS/2 and emulators like Wine. The Executable (EXE) format began with the MZ format and was later extended with formats like PE/COFF.

A PE/COFF file consists of:

  • MZ file header

  • COFF header

  • COFF optional header

    • the standard part

    • the Windows NT part

    • the data directories part

  • section table

  • data

    • section data

    • data directories

Characteristics Description

Byte order
little-endian

Date and time values
POSIX timestamp in UTC (32-bit number of seconds since 1970-01-01 00:00:00)

Character strings
ASCII strings are Single Byte Character (SBC) or Multi Byte Character (MBC) strings stored with a codepage. Sometimes referred to as ANSI string representation.
Though technically this may be incorrect, this document will use the term (extended) ASCII string.
Unicode strings are stored in UTF-16 little-endian without the byte order mark (BOM).

On a Windows system "dumpbin" can be used to determine more about the metadata of an executable. E.g.

dumpbin.exe /HEADERS file.exe

This tool ships with the Microsoft Visual C++ build tools (Visual Studio), not with the Windows SDK.

2. File header

2.1. The MZ file header

The MZ file header is 28 bytes of size and consists of:

Offset Size Value Description
0      2    "MZ"  Signature
2      2          Number of bytes in the last 512-byte page of the executable
                  0 means the last page is completely used
4      2          Total number of 512-byte pages in the executable
6      2          Number of relocation entries
8      2          Number of header paragraphs (16-byte units)
                  The load module (the DOS program) starts at this paragraph count x 16
10     2          Minimum allocated paragraphs
                  The minimum amount of memory allocated in addition to the load module size
12     2          Maximum allocated paragraphs
                  The maximum amount of memory allocated in addition to the load module size
14     2          Initial stack segment (SS)
                  Paragraph value relative to the start of the load module; the loader adds the segment at which the module is loaded before placing it in SS
16     2          Initial stack pointer (SP)
                  This value is loaded in the SP register on execution
18     2          Checksum
                  Rarely used; documented as the value that makes the 16-bit word sum of the whole file 0xffff. Loaders ignore it, so it is commonly 0.
20     2          Initial instruction pointer (IP)
22     2          Initial code segment (CS)
                  Paragraph value relative to the start of the load module, adjusted by the loader like SS
24     2          Relocation table offset
                  The offset value is relative to the start of the file
26     2          Overlay number
                  0 for the main executable

If the relocation table offset >= 64 (0x40) the header continues as:

Offset Size Value Description
28     32         Reserved and OEM fields (e_res, e_oemid, e_oeminfo, e_res2)
                  Not used by the MS-DOS loader
60     4          Offset to extended header (e_lfanew)
                  Relative to the start of the file; 0 if there is no extended header
64     ...        MS-DOS stub executable code
                  Variable of size, up to the extended header offset

If the relocation table offset is < 64 the bytes from 28 onwards already belong to the relocation table or the program and the value at offset 60 must not be interpreted as an extended header offset.

An MZ relocation entry is 4 bytes of size and consists of:

Offset Size Value Description
0      2          Offset within the segment
2      2          Segment, relative to the start of the load module

On load the segment at which the module is loaded is added to the 16-bit word at each segment:offset location.
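The checks described above (the relocation table offset deciding whether the field at 60 is meaningful, bounds on every offset, and the signature of the extended header) are combined in the following parser. It is an added example written for this page, not code from libexe or from the original document; the two sample headers are constructed here and are not real programs.

```python
import struct

# Signatures of the extended headers that can follow the MZ header.
EXTENDED_SIGNATURES = (b"NE", b"LE", b"LX", b"PE\x00\x00")


def parse_mz_header(data):
    """Parse the 28-byte MZ header, the relocation table and, when present,
    the extended-header offset at 60. Every offset is bounds-checked so a
    truncated or hostile file raises ValueError instead of reading garbage."""
    if len(data) < 28 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (last_page_bytes, page_count, reloc_count, header_paragraphs, min_alloc,
     max_alloc, initial_ss, initial_sp, checksum, initial_ip, initial_cs,
     reloc_offset, overlay) = struct.unpack_from("<13H", data, 2)
    # Size of the DOS image as declared by the page counts; the PE part of a
    # file usually lies beyond it, DOS only maps what the header claims.
    dos_size = page_count * 512 - (512 - last_page_bytes if last_page_bytes else 0)
    header = {
        "load_module_offset": header_paragraphs * 16,
        "dos_image_size": dos_size,
        "entry": (initial_cs, initial_ip),
        "stack": (initial_ss, initial_sp),
        "checksum": checksum,
        "overlay": overlay,
        "relocations": [],
        "extended_header_offset": None,
        "extended_format": None,
    }
    # Each relocation entry is a 16-bit offset followed by a 16-bit segment.
    end = reloc_offset + 4 * reloc_count
    if reloc_count and end > len(data):
        raise ValueError("relocation table runs past end of file")
    for pos in range(reloc_offset, end, 4):
        offset, segment = struct.unpack_from("<HH", data, pos)
        header["relocations"].append((segment, offset))
    # The field at 60 is only defined when the relocation table starts at
    # or after 0x40; otherwise bytes 28..63 belong to the DOS program.
    if reloc_offset >= 0x40 and len(data) >= 64:
        ext_offset = struct.unpack_from("<I", data, 60)[0]
        if ext_offset:
            if ext_offset + 4 > len(data):
                raise ValueError("extended header offset beyond end of file")
            header["extended_header_offset"] = ext_offset
            for sig in EXTENDED_SIGNATURES:
                if data[ext_offset:ext_offset + len(sig)] == sig:
                    header["extended_format"] = sig[:2].decode("ascii")
                    break
    return header


def is_well_formed(data):
    """True when the MZ header and its tables fit inside the data."""
    try:
        parse_mz_header(data)
        return True
    except ValueError:
        return False


# Constructed samples (not real binaries): the DOS header of a PE file whose
# extended header sits at 0x80, and a tiny DOS program with one relocation.
SAMPLE_PE_STUB = (
    b"MZ" + struct.pack("<13H", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    + b"\x00" * 32 + struct.pack("<I", 0x80) + b"\x00" * 64 + b"PE\x00\x00")
SAMPLE_DOS_EXE = (
    b"MZ" + struct.pack("<13H", 0x25, 1, 1, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    + struct.pack("<HH", 0x0001, 0x0000) + b"\xb8\x00\x4c\xcd\x21")

if __name__ == "__main__":
    for sample in (SAMPLE_PE_STUB, SAMPLE_DOS_EXE):
        print(parse_mz_header(sample))
```

For the PE sample the parser reports the extended format "PE" at offset 0x80 and no relocations; for the DOS sample the relocation table offset (0x1c) is below 0x40, so the value at offset 60 is ignored even though the bytes exist. A truncated copy of the PE sample is rejected rather than parsed.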

2.2. LE extended header

The mixed 16/32-bit Linear Executable was introduced in OS/2 2.0 and is also used by Windows VxD drivers. It can be identified by the "LE" signature in the extended header.

The LE extended header is X bytes of size and consists of:

TODO add text

2.3. LX extended header

The 32-bit Linear Executable was introduced in OS/2 2.0. It can be identified by the "LX" signature in the extended header.

The LX extended header is X bytes of size and consists of:

TODO add text

2.4. NE extended header

The 16-bit New Executable was introduced for Windows 1.0 and the multitasking (European) MS-DOS 4.0, and is also used by 16-bit OS/2. It can be identified by the "NE" signature in the extended header.

The NE (extended) header is 64 bytes of size and consists of:

Offset Size Value Description

0

2

"NE"

Signature

2

1

Linker major version

3

1

Linker minor version

4

2

Entry table offset

6

2

Entry table size

8

4

File load CRC
0 in Borland’s TPW

12

1

Program flags (bitvalues)

13

1

Application flags (bitvalues)

14

1

Auto data segment index

15

1

Unknown

16

2

Initial local heap size

18

2

Initial stack size

20

4

Entry point (CS:IP)
CS is index into segment table

24

4

Initial stack pointer (SS:SP)
SS is index into segment table

28

2

Segment count

30

2

Module reference count

32

2

Size of nonresident names table in bytes

34

2

Offset of segment table

36

2

Offset of resource table

38

2

Offset of resident names table

40

2

Offset of module reference table

42

2

Offset of imported names table
Contains an array of counted strings, terminated with a string of length 0

44

4

Offset from start of file to nonresident names table

48

2

Count of movable entry point listed in entry table

50

2

File alignment size shift count
0 is equivalent to 9 (default 512-byte pages)

52

2

Number of resource table entries

54

1

Target operating system
0 ⇒ Unknown
1 ⇒ OS/2
2 ⇒ Windows
3 ⇒ European MS-DOS 4.x
4 ⇒ Windows 386
5 ⇒ BOSS (Borland Operating System Services)

55

1

Other OS/2 EXE flags (bitmap)

56

2

Offset to return thunks or start of gangload area?

58

2

Offset to segment reference thunks or length of gangload area

60

2

Minimum code swap area size

62

1

Expected Windows minor version

63

1

Expected Windows major version

2.4.1. Program flags

Value Identifier Description

0x03

Dgroup type
0 ⇒ None
1 ⇒ Single shared
2 ⇒ multiple
3 ⇒ null

0x04

Global initialization

0x08

Protected mode only

0x10

8086 instructions

0x20

80286 instructions

0x40

80386 instructions

0x80

80x87 instructions

2.4.2. Application flags

Value Identifier Description

0x07

Application type
1 ⇒ Full screen (not aware of Windows/P.M. API)
2 ⇒ Compatible with Windows/P.M. API
3 ⇒ Uses Windows/P.M. API

0x08

OS/2 family application

0x10

Unknown (Reserved?)

0x20

Errors in image/executable

0x40

Unknown (non-conforming program)

0x80

DLL or driver
(SS:SP info invalid, CS:IP points at FAR init routine called with AX=module handle which returns AX=0000h on failure, AX nonzero on successful initialization)

2.4.3. Other OS/2 EXE flags

Value Identifier Description

0x01

Long filename support

0x02

2.x protected mode

0x04

2.x proportional fonts

0x08

Executable has gangload area

0xf0

Unknown

2.5. PE/COFF extended header

The 32-bit Portable Executable (PE) was introduced in Windows NT. In later versions of Windows a 64-bit extension (PE32+) was added. PE is based on the Unix Common Object File Format (COFF) and therefore often referred to as PE/COFF.

The PE/COFF extended header consist of a PE signature followed by a COFF header.

2.5.1. The PE signature

The PE signature is 4 bytes of size and consists of:

Offset Size Value Description

0

4

"PE\x0\x0"

Signature

2.5.2. COFF header

The COFF header is 20 bytes in size and consists of:

Offset Size Value Description

0

2

Target architecture type

2

2

Number of sections

4

4

Creation date and time
Contains a POSIX time

8

4

Symbol table offset
Offset relative to the start of the file or 0 if table is not present

12

4

Number of symbols

16

2

Optional header size

18

2

File characteristic flags
See section: File characteristic flags

2.5.3. Target architecture type

Value Identifier Description

0x0000

IMAGE_FILE_MACHINE_UNKNOWN

Unknown or any machine type

0x014c

IMAGE_FILE_MACHINE_I386

Intel 386 (or compatible) or later

0x0162

IMAGE_FILE_MACHINE_R3000

0x0166

IMAGE_FILE_MACHINE_R4000

MIPS little-endian

0x0168

IMAGE_FILE_MACHINE_R10000

0x0184

IMAGE_FILE_MACHINE_ALPHA

Alpha AXP

0x01a2

IMAGE_FILE_MACHINE_SH3

Hitachi SH3

0x01a6

IMAGE_FILE_MACHINE_SH4

Hitachi SH4

0x01c0

IMAGE_FILE_MACHINE_ARM

Arm

0x01c2

IMAGE_FILE_MACHINE_THUMB

0x01f0

IMAGE_FILE_MACHINE_POWERPC

Power PC little-endian

0x0200

IMAGE_FILE_MACHINE_IA64

Intel IA64

0x0266

IMAGE_FILE_MACHINE_MIPS16

0x0268

IMAGE_FILE_MACHINE_M68K

Motorola 68000 series.

0x0284

IMAGE_FILE_MACHINE_ALPHA64

64-bit Alpha AXP

0x0366

IMAGE_FILE_MACHINE_MIPSFPU

MIPS with FPU

0x0466

IMAGE_FILE_MACHINE_MIPSFPU16

MIPS16 with FPU

0x01c4

IMAGE_FILE_MACHINE_ARMNT

Arm Thumb-2 little-endian (Windows RT and later Arm32 Windows)

0x0ebc

IMAGE_FILE_MACHINE_EBC

EFI byte code

0x8664

IMAGE_FILE_MACHINE_AMD64

x64 (AMD64 / Intel 64)

0xaa64

IMAGE_FILE_MACHINE_ARM64

Arm64 little-endian

2.5.4. File characteristic flags

Value Identifier Description

0x0001

IMAGE_FILE_RELOCS_STRIPPED

Does not contain base relocations

0x0002

IMAGE_FILE_EXECUTABLE_IMAGE

Is an executable (image file)

0x0004

IMAGE_FILE_LINE_NUMS_STRIPPED

Line numbers have been removed

0x0008

IMAGE_FILE_LOCAL_SYMS_STRIPPED

Symbol table entries for local symbols have been removed

0x0010

IMAGE_FILE_AGGRESSIVE_WS_TRIM

Aggressively trim working set

0x0020

IMAGE_FILE_LARGE_ADDRESS_AWARE

Application can handle > 2 GiB addresses

0x0040

IMAGE_FILE_16BIT_MACHINE

Unknown (reserved for future use)

0x0080

IMAGE_FILE_BYTES_REVERSED_LO

Little-endian

0x0100

IMAGE_FILE_32BIT_MACHINE

32-bit architecture

0x0200

IMAGE_FILE_DEBUG_STRIPPED

Debugging information removed from file

0x0400

IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

If the file is on removable media, copy and run from swap file

0x1000

IMAGE_FILE_SYSTEM

Is a system file, not a user program

0x2000

IMAGE_FILE_DLL

Is a dynamic-link library (DLL)

0x4000

IMAGE_FILE_UP_SYSTEM_ONLY

File should be run only on a uniprocessor (UP) machine

0x8000

IMAGE_FILE_BYTES_REVERSED_HI

Big-endian

2.5.5. The COFF optional (PE) header

The COFF optional header or PE header is variable of size and consists of:

  • the standard part

  • the Windows NT part

  • the data directories part

Its total size is stored in the optional header size field of the COFF header; the section table starts directly after it. The addresses in this header are relative virtual addresses (RVAs), i.e. relative to the image base once the file is loaded, not file offsets. See section: Data directories for the conversion.

The COFF optional header - standard part

The COFF optional header - standard part is 28 (PE32) or 24 (PE32+) bytes in size and consists of:

Offset Size Value Description
0      2          Signature (magic)
                  0x0107 ⇒ ROM image
                  0x010b ⇒ PE32 executable file
                  0x020b ⇒ PE32+ executable file
2      1          Major linker version
3      1          Minor linker version
4      4          Text sections size
                  Size of the code (sum of all code sections)
                  Values with the high bits set (e.g. 0xd0000000) have been observed; their meaning is unknown
8      4          Initialized data sections size
12     4          Uninitialized data sections size (BSS)
16     4          Entry point RVA
                  Relative to the image base; 0 if there is no entry point
20     4          Code base RVA
                  RVA of the start of the text section (code)

If the signature is PE32:

Offset Size Value Description
24     4          Data base RVA
                  RVA of the start of the initialized data section (data)

The PE32 COFF optional header - Windows NT part

The PE32 COFF optional header - Windows NT part is 68 bytes in size and consists of:

Offset Size Value Description

0

4

Image base
Preferred load address of the image; must be a multiple of 64 KiB

4

4

Section alignment size

8

4

File alignment size

12

2

Major operating system version

14

2

Minor operating system version

16

2

Major image version

18

2

Minor image version

20

2

Major subsystem version

22

2

Minor subsystem version

24

4

Unknown (Win32VersionValue)
Must be 0

28

4

Image size

32

4

Headers size

36

4

Checksum

40

2

Subsystem
See section: Windows Subsystem

42

2

DLL characteristic flags
See section: DLL characteristic flags

44

4

Stack reservation size

48

4

Stack commit size

52

4

Heap reservation size

56

4

Heap commit size

60

4

Unknown (Loader flags)
Obsolete must be 0

64

4

Number of data-directory entries
Normally 16

Notes on the Windows NT part:

ImageBase
Preferred address of the first byte of the image when loaded into memory; must be a
multiple of 64K. The default for DLLs is 0x10000000. The default for Windows CE
EXEs is 0x00010000. The default for Windows NT, Windows 95, and Windows 98 is
0x00400000. When IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set the loader may
ignore this value and relocate the image (ASLR).

SectionAlignment
Alignment (in bytes) of sections when loaded into memory. Must be greater than or
equal to FileAlignment. Default is the page size for the architecture.

FileAlignment
Alignment factor (in bytes) used to align the raw data of sections in the image
file. The value should be a power of 2 between 512 and 64K inclusive. The
default is 512. If the SectionAlignment is less than the architecture’s page
size then this must match the SectionAlignment.

SizeOfImage
Size, in bytes, of the image, including all headers; must be a multiple of
SectionAlignment.

SizeOfHeaders
Combined size of the MS-DOS stub, PE header, and section headers rounded up to a
multiple of FileAlignment.

Checksum
The algorithm for computing the checksum is incorporated into IMAGEHLP.DLL
(CheckSumMappedFile). It is verified for drivers and for DLLs loaded at boot time
or into critical system processes; for ordinary executables it is not checked and
a value of 0 is common.
The PE32+ COFF optional header - Windows NT part

The PE32+ COFF optional header - Windows NT part is 88 bytes in size and consists of:

Offset Size Value Description

0

8

Image base
Preferred load address of the image; must be a multiple of 64 KiB

8

4

Section alignment size

12

4

File alignment size

16

2

Major operating system version

18

2

Minor operating system version

20

2

Major image version

22

2

Minor image version

24

2

Major subsystem version

26

2

Minor subsystem version

28

4

Unknown (Win32VersionValue)
Must be 0

32

4

Image size

36

4

Headers size

40

4

Checksum

44

2

Subsystem
See section: Windows Subsystem

46

2

DLL characteristic flags
See section: DLL characteristic flags

48

8

Stack reservation size

56

8

Stack commit size

64

8

Heap reservation size

72

8

Heap commit size

80

4

Unknown (Loader flags)
Obsolete must be 0

84

4

Number of data-directory entries
Normally 16

Windows Subsystem

Value Identifier                               Description
0     IMAGE_SUBSYSTEM_UNKNOWN                  Unknown subsystem
1     IMAGE_SUBSYSTEM_NATIVE                   Native subsystem
                                               Device drivers or native Windows NT process
2     IMAGE_SUBSYSTEM_WINDOWS_GUI              Windows GUI subsystem
3     IMAGE_SUBSYSTEM_WINDOWS_CUI              Windows character subsystem
5     IMAGE_SUBSYSTEM_OS2_CUI                  OS/2 character subsystem
7     IMAGE_SUBSYSTEM_POSIX_CUI                POSIX character subsystem
8     IMAGE_SUBSYSTEM_NATIVE_WINDOWS           Native Windows 9x driver
9     IMAGE_SUBSYSTEM_WINDOWS_CE_GUI           Windows CE GUI subsystem
10    IMAGE_SUBSYSTEM_EFI_APPLICATION          EFI application
11    IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER  EFI driver that provides boot services
12    IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER       EFI driver that provides runtime services
13    IMAGE_SUBSYSTEM_EFI_ROM                  EFI ROM image
14    IMAGE_SUBSYSTEM_XBOX                     Xbox
16    IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application

DLL characteristic flags

Value  Identifier                                     Description
0x0001                                                Unknown (Reserved)
0x0002                                                Unknown (Reserved)
0x0004                                                Unknown (Reserved)
0x0008                                                Unknown (Reserved)
0x0020 IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA       Image can handle a high-entropy 64-bit virtual address space (PE32+ only)
0x0040 IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE          Image can be relocated at load time (ASLR)
0x0080 IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY       Code integrity checks are enforced (the image must be signed)
0x0100 IMAGE_DLLCHARACTERISTICS_NX_COMPAT             Image is compatible with data execution prevention (DEP)
0x0200 IMAGE_DLLCHARACTERISTICS_NO_ISOLATION          Do not isolate the image (no manifest lookup)
0x0400 IMAGE_DLLCHARACTERISTICS_NO_SEH                Image does not use structured exception handling; no SEH handler may be called
0x0800 IMAGE_DLLCHARACTERISTICS_NO_BIND               Do not bind
0x1000 IMAGE_DLLCHARACTERISTICS_APPCONTAINER          Image must run in an AppContainer
0x2000 IMAGE_DLLCHARACTERISTICS_WDM_DRIVER            Is a WDM Driver
0x4000 IMAGE_DLLCHARACTERISTICS_GUARD_CF              Image supports Control Flow Guard (CFG)
0x8000 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE Is Terminal Server aware

Note
The 0x0020 to 0x4000 flags describe the exploit mitigations an image opts into and are a quick first check when triaging a sample. DYNAMIC_BASE is only effective when the image still carries base relocations: the file characteristic flag IMAGE_FILE_RELOCS_STRIPPED must be clear and the base relocation table data directory must be non-empty, otherwise the loader cannot move the image.
The COFF optional header - the data directories part

Most entries in the data directories consists of a data directory descriptor. Each data directory descriptor contains a Relative virtual address (RVA) and a size. The RVA is a Virtual address relative to the image base. Also see section: The COFF data directory descriptor and Data directories.

The COFF optional header - the data directories part is variable in size and consists of:

Offset Size Value Description

0

4

Export Table RVA

4

4

Export Table size

8

4

Import Table RVA

12

4

Import Table size

16

4

Resource Table RVA

20

4

Resource Table size

24

4

Exception Table RVA

28

4

Exception Table size

32

4

(Attribute) Certificate Table RVA

36

4

(Attribute) Certificate Table size

40

4

Base Relocation Table RVA

44

4

Base Relocation Table size

48

4

Debug data RVA

52

4

Debug data size

56

4

Architecture-specific data RVA

60

4

Architecture-specific data size

64

4

Global pointer register

68

4

Unknown (Reserved)
Should be 0

72

4

Thread Local Storage (TLS) Table RVA

76

4

Thread Local Storage (TLS) Table size

80

4

Load Configuration Table RVA

84

4

Load Configuration Table size

88

4

Bound Import Table RVA

92

4

Bound Import Table size

96

4

Import Address Table RVA

100

4

Import Address Table size

104

4

Delay Import Descriptor RVA

108

4

Delay Import Descriptor size

112

4

CLR runtime header (COM+ runtime header) RVA
Non-zero for .NET images

116

4

CLR runtime header (COM+ runtime header) size

120

8

Unknown (Reserved)

The COFF data directory descriptor

The data directory descriptor is 8 bytes in size and consists of:

Offset Size Value Description

0

4

Relative virtual address (RVA)
Virtual address relative to the image base

4

4

Size

2.6. Rich signature header

The Rich signature header is an undocumented structure that the Microsoft linker places between the MS-DOS stub and the PE signature. It records which Microsoft tools (compiler, assembler, linker, import library generator, etc.) produced the objects that were linked, with their build numbers and the number of objects each contributed. It is not covered by the PE checksum or by Authenticode, which makes it useful for build-environment attribution of samples and as a consistency check against the linker version in the optional header.

The data is XOR-obfuscated with a 32-bit key. In the file it looks like:

Offset Size Value  Description
0      4           "DanS" XOR key
4      12          3 x (0 XOR key)
16     8 x ...     Tool information entries, each 32-bit value XOR key
...    4    "Rich" Signature (not obfuscated)
...    4           XOR key
...    ...         Unknown (Padding), 0-byte values up to the PE signature

Deobfuscated data (every 32-bit value XORed with the key):

Offset Size Value  Description
0      4    "DanS" Signature
4      12          Unknown (Empty values)
16     8 x ...     Tool information entries

The header is located by searching backwards from the PE signature for "Rich", reading the key from the 4 bytes that follow it and XORing the preceding 32-bit values until "DanS" appears.

Tool information entry

Offset Size Value Description
0      2          Build number (version) of the tool
2      2          Product identifier of the tool
4      4          Number of times used

The key is also a checksum: the file offset of "DanS" plus, for every byte of the MS-DOS header and stub before it (the 4-byte extended header offset at 60 excluded), the byte rotated left by its offset, plus, for every entry, its 32-bit (product identifier, build number) value rotated left by its use count; all modulo 2^32. A header whose recomputed checksum does not match the key was altered after linking (or was copied from another file).
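The locate, decode and verify steps above, as an added example for this page (it is not code from libexe or from the original document). The builder constructs a DOS header with a Rich header so the decoder has something to run on; the product identifiers and build numbers in it are illustrative values, not a real tool's.

```python
import struct

DANS = 0x536E6144  # "DanS" as a little-endian 32-bit value


def rol32(value, count):
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, entries, dans_offset):
    """Recompute the XOR key: DanS offset + rotated bytes of the DOS header and
    stub before it (e_lfanew at 0x3c..0x3f skipped) + rotated entry values."""
    total = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        total = (total + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        total = (total + rol32(comp_id, count)) & 0xFFFFFFFF
    return total


def parse_rich_header(data):
    """Locate, decode and verify the Rich header; returns None when absent."""
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0x40, pe_offset)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    values = []
    pos = rich_pos - 4
    while pos >= 0x40:  # walk backwards until the masked "DanS" marker
        value = struct.unpack_from("<I", data, pos)[0] ^ key
        if value == DANS:
            break
        values.append(value)
        pos -= 4
    else:
        return None
    values.reverse()
    if values[:3] != [0, 0, 0] or (len(values) - 3) % 2:
        raise ValueError("malformed Rich header")
    entries = [(values[i], values[i + 1]) for i in range(3, len(values), 2)]
    return {
        "offset": pos,
        "key": key,
        "entries": [{"product_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries],
        "checksum_valid": rich_checksum(data, entries, pos) == key,
    }


def build_sample(entries, dans_offset=0x80):
    """Construct an MS-DOS header + stub with a Rich header and a PE signature."""
    dos = bytearray(dans_offset)
    dos[:2] = b"MZ"
    key = rich_checksum(dos, entries, dans_offset)
    rich = struct.pack("<4I", DANS ^ key, key, key, key)  # DanS and three zero values
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    rich = rich.ljust((len(rich) + 15) & ~15, b"\x00")
    struct.pack_into("<I", dos, 0x3C, dans_offset + len(rich))  # e_lfanew
    return bytes(dos) + rich + b"PE\x00\x00"


def tamper(data, offset):
    """Flip one bit in the file, e.g. inside the DOS stub, to show the checksum failing."""
    modified = bytearray(data)
    modified[offset] ^= 1
    return bytes(modified)


# Constructed entries: (product id << 16 | build number, use count).
SAMPLE_ENTRIES = [((0x0093 << 16) | 0x7809, 12), ((0x009D << 16) | 0x7809, 3)]

if __name__ == "__main__":
    print(parse_rich_header(build_sample(SAMPLE_ENTRIES)))
```

A single changed byte anywhere in the DOS header or stub (other than the extended header offset) changes the recomputed checksum, so a file whose stub was patched after linking shows checksum_valid False even though the entries still decode.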

3. PE/COFF section table

The section table starts directly after the COFF optional header (at the offset of the optional header plus the optional header size from the COFF header) and contains "number of sections" section headers.

3.1. Section header

The section header is 40 bytes of size and consists of:

Offset Size Value Description
0      8          Name
                  ASCII string not terminated by an end-of-string character when all 8 bytes are used; unused bytes are set to 0.
                  Can be empty.
8      4          Virtual size
12     4          Virtual address (RVA)
16     4          Data size (size of raw data)
20     4          Data offset (pointer to raw data)
24     4          Relocations offset
                  0 if no relocations
28     4          (COFF) line numbers offset
                  0 if no line numbers
32     2          Number of relocation entries
34     2          Number of line number entries
36     4          Section characteristic flags
                  See section: Section characteristic flags

The section name is informational only; the loader uses the characteristic flags, not the name, so a section named .text may well be writable data and a section named .rsrc may contain code.

TODO: integrate notes in text

VirtualSize
Total size of the section when loaded into memory. If this value is greater
than Size of Raw Data, the section is zero-padded. This field is valid only for
executable images and should be set to 0 for object files.

VirtualAddress
For executable images this is the address of the first byte of the section,
when loaded into memory, relative to the image base. For object files, this
field is the address of the first byte before relocation is applied; for
simplicity, compilers should set this to zero. Otherwise, it is an arbitrary
value that is subtracted from offsets during relocation.

SizeOfRawData
Size of the section (object file) or size of the initialized data on disk
(image files). For executable image, this must be a multiple of FileAlignment
from the optional header. If this is less than VirtualSize the remainder of the
section is zero filled. Because this field is rounded while the VirtualSize
field is not it is possible for this to be greater than VirtualSize as well.
When a section contains only uninitialized data, this field should be 0.

PointerToRawData
File pointer to section’s first page within the COFF file. For executable
images, this must be a multiple of FileAlignment from the optional header. For
object files, the value should be aligned on a four-byte boundary for best
performance. When a section contains only uninitialized data, this field should
be 0.

3.2. Section characteristic flags

Value Identifier Description

0x00000000

IMAGE_SCN_TYPE_REG

Unknown (Reserved)
REG ⇒ regular?

0x00000001

IMAGE_SCN_TYPE_DSECT

Unknown (Reserved)

0x00000002

IMAGE_SCN_TYPE_NOLOAD

Unknown (Reserved)

0x00000004

IMAGE_SCN_TYPE_GROUP

Unknown (Reserved)

0x00000008

IMAGE_SCN_TYPE_NO_PAD

No padding
Obsolete replaced by IMAGE_SCN_ALIGN_1BYTES

0x00000010

IMAGE_SCN_TYPE_COPY

Unknown (Reserved)

0x00000020

IMAGE_SCN_CNT_CODE

Contains executable code
Common corresponding section name: .text, TEXT, .code or CODE

0x00000040

IMAGE_SCN_CNT_INITIALIZED_DATA

Contains initialized data
Common corresponding section name: .data, DATA, .idata or IDATA

0x00000080

IMAGE_SCN_CNT_UNINITIALIZED_DATA

Contains uninitialized data
Common corresponding section name: .bss or BSS

0x00000100

IMAGE_SCN_LNK_OTHER

Unknown (Reserved)

0x00000200

IMAGE_SCN_LNK_INFO

Contains comments or other information

0x00000400

IMAGE_SCN_TYPE_OVER

Unknown (Reserved)

0x00000800

IMAGE_SCN_LNK_REMOVE

Will be removed after linking

0x00001000

IMAGE_SCN_LNK_COMDAT

Contains COMDAT data

0x00008000

IMAGE_SCN_MEM_FARDATA

Unknown (Reserved)

0x00010000

IMAGE_SCN_MEM_PURGEABLE

Unknown (Reserved)

0x00020000

IMAGE_SCN_MEM_16BIT

Unknown (Reserved)

0x00040000

IMAGE_SCN_MEM_LOCKED

Unknown (Reserved)

0x00080000

IMAGE_SCN_MEM_PRELOAD

Unknown (Reserved)

0x00100000

IMAGE_SCN_ALIGN_1BYTES

Align data on a 1-byte boundary

0x00200000

IMAGE_SCN_ALIGN_2BYTES

Align data on a 2-byte boundary

0x00300000

IMAGE_SCN_ALIGN_4BYTES

Align data on a 4-byte boundary

0x00400000

IMAGE_SCN_ALIGN_8BYTES

Align data on a 8-byte boundary

0x00500000

IMAGE_SCN_ALIGN_16BYTES

Align data on a 16-byte boundary

0x00600000

IMAGE_SCN_ALIGN_32BYTES

Align data on a 32-byte boundary

0x00700000

IMAGE_SCN_ALIGN_64BYTES

Align data on a 64-byte boundary

0x00800000

IMAGE_SCN_ALIGN_128BYTES

Align data on a 128-byte boundary

0x00900000

IMAGE_SCN_ALIGN_256BYTES

Align data on a 256-byte boundary

0x00a00000

IMAGE_SCN_ALIGN_512BYTES

Align data on a 512-byte boundary

0x00b00000

IMAGE_SCN_ALIGN_1024BYTES

Align data on a 1024-byte boundary

0x00c00000

IMAGE_SCN_ALIGN_2048BYTES

Align data on a 2048-byte boundary

0x00d00000

IMAGE_SCN_ALIGN_4096BYTES

Align data on a 4096-byte boundary

0x00e00000

IMAGE_SCN_ALIGN_8192BYTES

Align data on a 8192-byte boundary

0x01000000

IMAGE_SCN_LNK_NRELOC_OVFL

Contains extended relocations

0x02000000

IMAGE_SCN_MEM_DISCARDABLE

Discarded if needed

0x04000000

IMAGE_SCN_MEM_NOT_CACHED

Do not cache

0x08000000

IMAGE_SCN_MEM_NOT_PAGED

Do not page

0x10000000

IMAGE_SCN_MEM_SHARED

Can be in shared memory

0x20000000

IMAGE_SCN_MEM_EXECUTE

Can be executed

0x40000000

IMAGE_SCN_MEM_READ

Can be read

0x80000000

IMAGE_SCN_MEM_WRITE

Can be written

4. Data directories

To calculate the file offset of a data directory (or of any other RVA) first find the section whose virtual address range contains the RVA and then apply:

data directory offset = ( RVA - section virtual address ) + section data offset

where the section virtual address and the section data offset are taken from the section header. RVAs below the headers size in the optional header are not inside a section; for those the RVA equals the file offset. An RVA that falls in the part of a section beyond its data size (the zero-filled remainder up to the virtual size) or outside every section has no bytes in the file; a parser should treat such a directory as not present rather than read from an arbitrary computed offset.
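The following parser puts the COFF header, optional header, data directories, section table and the RVA conversion above together, and derives from them the checks an analyst wants first: which exploit mitigations the DLL characteristic flags declare, whether ASLR can actually take effect, and whether any section is both writable and executable. It is an added example for this page, not code from libexe or from the original document; the PE32+ image it parses is constructed in memory by build_sample_pe32plus and is not a runnable program.

```python
import struct

# Standard-part size and Windows NT part layout for PE32 (68 bytes) and PE32+ (88 bytes).
WINDOWS_PART = {0x10B: (28, "<IIIHHHHHHIIIIHHIIIIII"), 0x20B: (24, "<QIIHHHHHHIIIIHHQQQQII")}
SECTION_HEADER = "<8sIIIIIIHHI"
MITIGATION_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF"}


def parse_pe(data):
    """Parse MZ -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ" or len(data) < 64:
        raise ValueError("not an MZ file")
    pe_offset = struct.unpack_from("<I", data, 60)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = pe_offset + 4
    machine, n_sections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in WINDOWS_PART:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    std_size, win_fmt = WINDOWS_PART[magic]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    win = struct.unpack_from(win_fmt, data, opt + std_size)
    dirs_offset = opt + std_size + struct.calcsize(win_fmt)
    n_dirs = min(win[20], 16)  # a hostile header can claim thousands; the loader uses at most 16
    if dirs_offset + 8 * n_dirs > opt + opt_size:
        raise ValueError("data directories exceed optional header size")
    directories = [struct.unpack_from("<II", data, dirs_offset + 8 * i) for i in range(n_dirs)]
    table = opt + opt_size
    if table + 40 * n_sections > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_offset": raw_ptr, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics, "magic": magic,
            "entry_point_rva": entry_rva, "image_base": win[0], "section_alignment": win[1],
            "file_alignment": win[2], "size_of_image": win[10], "size_of_headers": win[11],
            "subsystem": win[13], "dll_characteristics": win[14], "data_directories": directories,
            "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset, or None when no bytes exist on disk for it."""
    if rva < pe["size_of_headers"]:
        return rva  # the headers are mapped 1:1 at the image base
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            # beyond the raw data the loader zero-fills; there is nothing in the file
            return s["raw_offset"] + delta if delta < s["raw_size"] else None
    return None


def mitigations(pe):
    """Names of the DLL characteristic mitigation flags that are set."""
    return sorted(n for bit, n in MITIGATION_FLAGS.items() if pe["dll_characteristics"] & bit)


def aslr_effective(pe):
    """DYNAMIC_BASE only moves the image if relocations survived: RELOCS_STRIPPED
    (0x0001) must be clear and the base relocation directory (index 5) non-empty."""
    dirs = pe["data_directories"]
    has_relocs = not (pe["characteristics"] & 0x0001) and len(dirs) > 5 and dirs[5][1] > 0
    return bool(pe["dll_characteristics"] & 0x0040) and has_relocs


def writable_executable_sections(pe):
    """Sections flagged both MEM_WRITE (0x80000000) and MEM_EXECUTE (0x20000000)."""
    return [s["name"] for s in pe["sections"] if s["flags"] & 0xA0000000 == 0xA0000000]


def build_sample_pe32plus(dll_characteristics):
    """Constructed minimal PE32+ image: x64, two sections, 16 data directories, no relocations."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 240, 0x0022)
    opt_std = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1010, 0x1000)
    opt_win = struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                          0x3000, 0x200, 0, 3, dll_characteristics, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * 1, 0x2000, 0x40)  # import table directory
    text = struct.pack(SECTION_HEADER, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack(SECTION_HEADER, b".rdata", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + opt_std + opt_win + bytes(dirs) + text + rdata
    image = bytearray(headers.ljust(0x200, b"\x00")) + bytearray(0x400)
    image[0x210:0x211] = b"\xc3"     # "ret" at the entry point, RVA 0x1010
    image[0x410:0x417] = b"IMPORTS"  # marker at RVA 0x2010 inside .rdata
    return bytes(image)
```

On the sample the import table RVA 0x2010 maps to file offset 0x410, an RVA in the zero-filled tail of .rdata (0x2300) maps to nothing, and although DYNAMIC_BASE is set the image carries no base relocation table, so aslr_effective reports False: the flag alone does not give ASLR.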

4.1. Export table directory

The export table directory consists of:

  • Export directory table

  • Export address table

4.1.1. Export directory table

TODO check values below

Offset Size Value Description

0

4

0

Unknown (reserved)
Export flags

4

4

Creation time
Contains a POSIX timestamp

8

2

Major format version

10

2

Minor format version

12

4

Name RVA

16

4

Ordinal base

20

4

Number of address table entries

24

4

Number of name pointers

28

4

Export address table RVA

32

4

Name pointer table RVA

36

4

Ordinal table RVA

4.1.2. Export address table

TODO add text and check values below

Offset Size Value Description

0

4

Export RVA

The address of the exported symbol when loaded into memory, relative to the image base. For example, the address of an exported function.

0

4

Forwarder RVA

The pointer to a null-terminated ASCII string in the export section. This string must be within the range that is given by the export table data directory entry (see section 3.4.3, "Optional Header Data Directories (Image Only)", of the Microsoft PE and COFF specification). This string gives the DLL name and the name of the export (for example, "MYDLL.expfunc") or the DLL name and the ordinal number of the export (for example, "MYDLL.#27"). Whether an entry is a forwarder is decided by its value falling inside the export directory range, not by a flag.

4.1.3. Export Name Pointer Table

TODO add text

4.1.4. Export Ordinal Table

TODO add text

4.2. Import table directory

TODO add text

4.3. Debug data directory

The debug data directory consists of:

  • one or more debug data directory entries

  • debug type data

4.3.1. Debug data directory entry

The debug data directory entry is 28 bytes in size and consists of:

Offset Size Value Description

0

4

Characteristics
Reserved, must be zero.

4

4

Creation time
Contains a POSIX timestamp?

8

2

Format major version

10

2

Format minor version

12

4

Debug type

16

4

Debug type data size

20

4

Raw debug data RVA
Virtual address relative to the image base

24

4

Raw debug data offset

4.3.2. Debug type

Value Identifier Description

0

IMAGE_DEBUG_TYPE_UNKNOWN

Unknown
Should be ignored by all tools

1

IMAGE_DEBUG_TYPE_COFF

COFF debug information

2

IMAGE_DEBUG_TYPE_CODEVIEW

Codeview (or Visual C++) debug information
See section: Codeview debug information

3

IMAGE_DEBUG_TYPE_FPO

The frame pointer omission (FPO) debug information

4

IMAGE_DEBUG_TYPE_MISC

The location of DBG file

5

IMAGE_DEBUG_TYPE_EXCEPTION

A copy of .pdata section

6

IMAGE_DEBUG_TYPE_FIXUP

Unknown (Reserved)

7

IMAGE_DEBUG_TYPE_OMAP_TO_SRC

The mapping from an RVA in image to an RVA in source image

8

IMAGE_DEBUG_TYPE_OMAP_FROM_SRC

The mapping from an RVA in image to an RVA in source image

9

IMAGE_DEBUG_TYPE_BORLAND

Unknown (Reserved for Borland)

10

IMAGE_DEBUG_TYPE_RESERVED10

Unknown (Reserved)

11

IMAGE_DEBUG_TYPE_CLSID

Unknown (Reserved)

12

IMAGE_DEBUG_TYPE_VC_FEATURE

Visual C++ feature information

13

IMAGE_DEBUG_TYPE_POGO

Profile guided optimization (POGO) information

14

IMAGE_DEBUG_TYPE_ILTCG

Incremental link-time code generation

15

IMAGE_DEBUG_TYPE_MPX

Intel MPX

16

IMAGE_DEBUG_TYPE_REPRO

Reproducible (deterministic) build
The COFF creation date and time is then a hash of the image contents rather than a timestamp

20

IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS

Extended DLL characteristics (e.g. CET shadow stack compatibility)

4.3.3. Debug type data

Codeview debug information

The CodeView debug information (PDB 7.0 format, CV_INFO_PDB70) is variable in size and consists of:

Offset Size Value  Description
0      4    "RSDS" Signature
4      16          GUID (PDB signature)
20     4           Age
                   Incremented each time the PDB is rewritten; GUID and age together identify the matching PDB on a symbol server
24     ...         PDB filename
                   (extended?) ASCII string with end-of-string character, often the absolute path on the build machine

The older PDB 2.0 format (CV_INFO_PDB20) consists of:

Offset Size Value  Description
0      4    "NB10" Signature
4      4           Offset, 0
8      4           Signature
                   Contains a POSIX timestamp
12     4           Age
16     ...         PDB filename
                   ASCII string with end-of-string character

The PDB path is one of the few build-environment artifacts that survives in a release binary and is commonly used to cluster samples; it is also trivially editable, so it should not be treated as proof of origin.
IMAGE_DEBUG_TYPE_RESERVED10 data

The IMAGE_DEBUG_TYPE_RESERVED10 debug information is 4 bytes in size and consists of:

Offset Size Value Description

0

4

Unknown (a checksum of some kind?)
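Walking the debug directory and decoding the CodeView records described above, as an added example for this page (not code from libexe or from the original document). The debug directory entry and RSDS record are constructed inline; the GUID and PDB path are invented values.

```python
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_ENTRY = "<IIHHIIII"  # 28-byte debug data directory entry


def parse_codeview(raw):
    """Decode a CodeView record: PDB 7.0 ("RSDS") or PDB 2.0 ("NB10")."""
    sig = bytes(raw[:4])
    if sig == b"RSDS":
        guid = uuid.UUID(bytes_le=bytes(raw[4:20]))
        age = struct.unpack_from("<I", raw, 20)[0]
        name_off = 24
    elif sig == b"NB10":
        guid = None
        _offset, timestamp, age = struct.unpack_from("<III", raw, 4)
        name_off = 16
    else:
        return {"signature": sig.decode("ascii", "replace")}
    end = raw.find(b"\x00", name_off)
    path = bytes(raw[name_off:end if end >= 0 else len(raw)]).decode("latin-1")
    record = {"signature": sig.decode("ascii"), "age": age, "pdb_path": path}
    if guid is not None:
        record["guid"] = str(guid)
        # Symbol server lookup key: upper-case GUID hex digits followed by the age in hex
        record["symbol_key"] = "%s%X" % (guid.hex.upper(), age)
    else:
        record["timestamp"] = timestamp
    return record


def parse_debug_directory(data, dir_offset, dir_size):
    """Walk the 28-byte entries and decode CodeView ones through the raw data
    file offset (the last field), which works even when the RVA is not mapped."""
    if dir_offset + dir_size > len(data):
        raise ValueError("debug directory outside file")
    entries = []
    for off in range(dir_offset, dir_offset + dir_size - 27, 28):
        _chars, timestamp, _major, _minor, dtype, size, rva, ptr = struct.unpack_from(DEBUG_ENTRY, data, off)
        entry = {"type": dtype, "timestamp": timestamp, "size": size, "rva": rva, "offset": ptr}
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW:
            if ptr + size > len(data):
                raise ValueError("CodeView data outside file")
            entry["codeview"] = parse_codeview(data[ptr:ptr + size])
        entries.append(entry)
    return entries


# Constructed values, not taken from any real binary.
SAMPLE_GUID = "3c4a5b6c-7d8e-4f90-a1b2-c3d4e5f60718"
SAMPLE_NB10 = b"NB10" + struct.pack("<III", 0, 0x4D2F1A00, 7) + b"old.pdb\x00"


def build_sample_debug_blob():
    """One debug directory entry at offset 0 followed by its RSDS record at offset 28."""
    pdb = b"C:\\build\\agent\\sample.pdb\x00"
    cv = b"RSDS" + uuid.UUID(SAMPLE_GUID).bytes_le + struct.pack("<I", 2) + pdb
    entry = struct.pack(DEBUG_ENTRY, 0, 0x5F000000, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), 0, 28)
    return entry + cv

if __name__ == "__main__":
    print(parse_debug_directory(build_sample_debug_blob(), 0, 28))
```

The symbol_key value is the directory name under which a symbol server stores the PDB, so a parser that extracts it can look up whether public symbols exist for a sample (or detect a PDB path that does not match the GUID/age of the rest of a vendor's builds).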

5. Resource section data

The resources are stored in the resource section (.rsrc) of a PE/COFF executable. The resources consists of a tree of resource nodes. The identifiers of the first level of sub nodes contain the resource data types.

5.1. Resource node header

The resource node header (IMAGE_RESOURCE_DIRECTORY) is 16 bytes of size and consists of:

Offset Size Value Description
0      4    0     Characteristics (flags)
                  Unknown, reserved; 0 in practice
4      4          Creation date and time
                  Contains a POSIX timestamp or 0 if not set
8      2          Major version
10     2          Minor version
12     2          Number of named node entries
14     2          Number of unnamed (identifier) node entries

The resource node header is followed by an array of resource node entries: the named entries first, then the unnamed ones, each group sorted in ascending order.

5.2. Resource node flags

TODO: integrate notes in text

Suspected to be:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms648027(v=vs.85).aspx

MOVEABLE (0x0010)
FIXED (~MOVEABLE)
PURE (0x0020)
IMPURE (~PURE)
PRELOAD (0x0040)
LOADONCALL (~PRELOAD)
DISCARDABLE (0x1000)

5.3. Resource node entry

The resource node entry is 8 bytes of size and consists of:

Offset Size Value Description
0      4          Identifier
                  Flag 0x80000000 ⇒ has name; the remaining 31 bits are the offset of the name string
4      4          Offset
                  Flag 0x80000000 ⇒ is branch node; the remaining 31 bits are the offset of the sub node (resource node header), or of a resource data descriptor if the flag is not set

Both offsets are relative to the start of the resource section data (the resource table RVA), not to the image base and not to the start of the file; the flag bit must be masked off before use.

If the offset of the resource node entry does not have the is branch node flag set the offset points to a resource data descriptor.

If the identifier of the resource node entry has the name flag set the value points to a name string.

A well-formed tree has three levels: type, name (identifier) and language. Deeper or cyclic trees are malformed; a parser should bound the depth and the number of entries, since crafted files use loops and huge counts here.

5.3.1. Resource node name string

The resource node name string is variable of size and consists of:

Offset Size Value Description

0

2

Number of characters

2

…​

Name string
UTF-16 little-endian without end-of-string character.

5.3.2. Branch resource node entry identifier

The branch resource node entry identifier of the string resource contain the string group identifier, which is ( string identifier / 16 ) + 1. The corresponding string identifier can be determined by:

( ( string group identifier - 1 ) x 16 ) + string index in group

5.3.3. Leaf resource node entry identifier

The leaf resource node entry identifier of the following resources contains the LCID of the language stored in the resource data.

  • Manifest resource

  • Message-table resource

  • Multilingual User Interface (MUI) resource

  • String resource

  • Version resource

  • Windows Event Template resource

It is possible for the LCID to be 0 (not set).

For more information see [NTLCID].

5.4. Resource data descriptor

The resource data descriptor (IMAGE_RESOURCE_DATA_ENTRY) is 16 bytes of size and consists of:

Offset Size Value Description
0      4          Virtual address (RVA) of the resource data
4      4          Size of the resource data
8      4          Codepage
12     4          Unknown (Reserved), 0

Unlike the offsets in the resource node entries, the virtual address here is relative to the image base and has to be converted to a file offset (see section: Data directories) before the data can be read; usually it lies inside the resource section, in which case subtracting the resource section virtual address gives the offset within the section data.

Note
The virtual address can be outside the resource section, this behavior was seen with an UPX packed executable. It is currently assumed that UPX also compresses some of the resources and only provides them at run-time. The version resource does not seem to be packed by UPX.

5.5. Resource data types

Value Identifier Description

1

RT_CURSOR

Hardware-dependent cursor resource

2

RT_BITMAP

Bitmap resource

3

RT_ICON

Hardware-dependent icon resource

4

RT_MENU

Menu resource

5

RT_DIALOG

Dialog box

6

RT_STRING

String-table entry

7

RT_FONTDIR

Font directory resource

8

RT_FONT

Font resource

9

RT_ACCELERATOR

Accelerator table

10

RT_RCDATA

Application-defined resource (raw data)

11

RT_MESSAGETABLE

Message-table entry

12

RT_GROUP_CURSOR

Hardware-independent cursor resource

14

RT_GROUP_ICON

Hardware-independent icon resource

16

RT_VERSION

Version resource

17

RT_DLGINCLUDE

Dialog include

19

RT_PLUGPLAY

Plug and Play resource

20

RT_VXD

Virtual driver (VXD)

21

RT_ANICURSOR

Animated cursor

22

RT_ANIICON

Animated icon

23

RT_HTML

HTML resource

24

RT_MANIFEST

Side-by-Side Assembly Manifest

240

RT_DLGINIT

Dialog initialization data (defined by MFC)

241

RT_TOOLBAR

Toolbar (defined by MFC)

2110

Unknown

5.6. Named resources

The following information is a list of common named resources found in samples.

Value Description

AVI

Unknown (AVI)

CODEPAGE

Unknown (codepage)
Seen in Windows 98 kernel32.dll

MUI

Multilingual User Interface (MUI) resource data

MOFDATA

Unknown (MOF data)

REGINST

Unknown

TYPELIB

Unknown (typelib data)

UIFILE

Unknown (UI file)

WEVT_TEMPLATE

Windows Event template resource data

XMLFILE

Unknown (XML file)

6. Resource type data

6.1. String resource data

The string resource data consists of 16 string descriptors per section. Strings whose identifiers differ only in the bottom 4 bits are placed in the same section.

6.2. String descriptor

The string descriptor is variable of size and consist of.

Offset Size Value Description

0

2

Number of characters

2

…​

UTF-16 string without end-of-string character

6.3. String conversion specifiers

Value Identifier Description

%d

Signed integer

%p

Unknown (Pointer ?)
Access violation at address %p. %s of address %p

%ws

Wide character string

%x

Hexadecimal representation of integer
External exception %x
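The resource tree walk of section 5 (node headers, named and unnamed entries, branch flag, data descriptors) and the string table decoding of sections 6.1 to 6.2 (16 descriptors per block, string identifier = ( group - 1 ) x 16 + index) together, as an added example for this page; it is not code from libexe or from the original document. The .rsrc section data is constructed by build_sample_rsrc with a named WEVT_TEMPLATE resource and one RT_STRING block; the resource contents are placeholders.

```python
import struct

RT_STRING = 6
DIR_HEADER = "<IIHHHH"   # characteristics, timestamp, major, minor, #named, #id
DATA_ENTRY = "<IIII"     # data RVA, size, codepage, reserved


def parse_resource_tree(rsrc, section_rva, dir_offset=0, depth=0):
    """Recursively walk the resource directory and return its leaves.
    Offsets inside the tree are relative to the start of the section data,
    the leaf's data address is an RVA and is converted with section_rva."""
    if dir_offset + 16 > len(rsrc):
        raise ValueError("resource directory outside section")
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_offset + 12)
    leaves = []
    for i in range(n_named + n_id):
        name_field, offset_field = struct.unpack_from("<II", rsrc, dir_offset + 16 + 8 * i)
        if name_field & 0x80000000:   # name string: 16-bit length + UTF-16LE
            name_off = name_field & 0x7FFFFFFF
            n_chars = struct.unpack_from("<H", rsrc, name_off)[0]
            key = rsrc[name_off + 2:name_off + 2 + 2 * n_chars].decode("utf-16-le")
        else:
            key = name_field
        target = offset_field & 0x7FFFFFFF
        if offset_field & 0x80000000:  # branch node
            if depth >= 2:
                # Standard trees are type/name/language; anything deeper is
                # malformed, and crafted files use loops here to hang parsers.
                raise ValueError("resource tree too deep")
            for leaf in parse_resource_tree(rsrc, section_rva, target, depth + 1):
                leaf["path"] = (key,) + leaf["path"]
                leaves.append(leaf)
        else:                          # leaf: resource data descriptor
            rva, size, codepage, _ = struct.unpack_from(DATA_ENTRY, rsrc, target)
            start = rva - section_rva
            data = None  # data outside the section cannot be read from the file
            if 0 <= start and start + size <= len(rsrc):
                data = bytes(rsrc[start:start + size])
            leaves.append({"path": (key,), "rva": rva, "size": size, "codepage": codepage, "data": data})
    return leaves


def decode_string_table(group_id, block):
    """Decode the 16 string descriptors of one RT_STRING block into {string id: text}."""
    strings, pos = {}, 0
    for index in range(16):
        n_chars = struct.unpack_from("<H", block, pos)[0]
        pos += 2
        if n_chars:
            strings[(group_id - 1) * 16 + index] = block[pos:pos + 2 * n_chars].decode("utf-16-le")
            pos += 2 * n_chars
    return strings


def build_sample_rsrc(section_rva):
    """Constructed .rsrc data: a named WEVT_TEMPLATE resource and an RT_STRING
    block holding string 1002 (group 63, index 10). Not from a real binary."""
    def header(n_named, n_id):
        return struct.pack(DIR_HEADER, 0, 0, 0, 0, n_named, n_id)

    def entry(key, offset, branch):
        return struct.pack("<II", key, offset | (0x80000000 if branch else 0))

    name = "WEVT_TEMPLATE".encode("utf-16-le")
    blob = b"CRIM" + b"\x00" * 4
    text = "Access violation at address %p"
    block = b"".join(struct.pack("<H", len(text)) + text.encode("utf-16-le") if i == 10
                     else struct.pack("<H", 0) for i in range(16))
    # Layout (offsets relative to the section start): root 0x00, WEVT type
    # dir 0x20, its language dir 0x38, its data entry 0x50, RT_STRING type dir
    # 0x60, its language dir 0x78, its data entry 0x90, name 0xa0, blob 0xbc,
    # string block 0xc4.
    rsrc = (header(1, 1) + entry(0x80000000 | 0xA0, 0x20, True) + entry(RT_STRING, 0x60, True)
            + header(0, 1) + entry(1, 0x38, True)
            + header(0, 1) + entry(0x0409, 0x50, False)
            + struct.pack(DATA_ENTRY, section_rva + 0xBC, len(blob), 0, 0)
            + header(0, 1) + entry(63, 0x78, True)
            + header(0, 1) + entry(0x0409, 0x90, False)
            + struct.pack(DATA_ENTRY, section_rva + 0xC4, len(block), 0, 0)
            + struct.pack("<H", 13) + name + blob + block)
    assert len(rsrc) == 0xC4 + len(block)
    return rsrc

if __name__ == "__main__":
    for leaf in parse_resource_tree(build_sample_rsrc(0x3000), 0x3000):
        print(leaf["path"], leaf["size"])
```

Each leaf comes back with its (type, name, language) path, so the RT_STRING leaf's name component is the group identifier that decode_string_table needs. Passing the wrong section RVA (as happens when the data entry points outside the section) yields data None rather than bytes from an unrelated place in the file.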

6.4. Message-table resource data

The message-table resource data contains several structures that make up a message-table. A message-table consists of:

  • a message-table header

  • message-table entry descriptors

  • message-table strings

6.4.1. Message-table header

The message-table header (MESSAGE_RESOURCE_DATA) is variable of size and consists of:

Offset Size Value Description

0

4

Number of message-table entry descriptors

4

…​

Array of message-table entry descriptors

Message-table entry descriptor

The message-table entry descriptor (MESSAGE_RESOURCE_BLOCK) is 12 bytes of size and consist of:

Offset Size Value Description

0

4

First message identifier

4

4

Last message identifier

8

4

Offset of the first message
The offset is relative to the start of the message-table resource data

A single message-table entry descriptor can refer to multiple message-table strings.

6.4.2. Message-table string

The message-table string entry (MESSAGE_RESOURCE_ENTRY) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the entry including the 4-byte header

2

2

Flags
0x00 ⇒ extended ASCII string with codepage
0x01 ⇒ UTF-16 string

4

…​

String
The size field bounds the string data. The string is normally stored with an end-of-string character and padded with additional 0-byte values up to the 32-bit boundary, so trailing 0-byte values should be stripped rather than relying on a terminator being present.

…​

…​

Alignment padding
32-bit alignment

6.4.3. Message string conversion specifiers

The message string conversion specifiers seem to be related to those of the WINAPI FormatMessage function.

Value Identifier Description

%0

Terminates the message text without a trailing new line (FormatMessage escape sequence)

%_

Space ( )
Where _ in %_ represents a space

%.

Dot (.)

%!

Exclamation mark (!)

%%

Percentage character (%)

%b

Single space
Defined by the message compiler to preserve trailing spaces; Event Viewer renders it as white space

%n

New line

%r

Carriage return

%t

Tab

%#

Argument place holder
Where # is a numeric value from 1 up-to 99

%#!s!

Argument place holder
Where # is a numeric value from 1 up-to 99 and
!s! is the format specifier surrounded by exclamation marks.

Format specifier

The format specifier (or format string) must be surrounded by exclamation marks. The format specifier is optional and will default to string (!s!).

%[flags] [width] [.precision] [type prefix] type

The format specifier can include:

  • a width and precision specifier for strings

  • a width specifier for integers

  • the type prefixes: h, l, ll, w, I, I32, I64

Note
Unsure if the flags are supported; the MSDN FormatMessage documentation is unclear about this.

The asterisk (*) is used to specify the width and precision. E.g.

%1!*.*s!
%1!*u!

If a width or precision is given as an asterisk, the insert numbers (%#) no longer correspond one-to-one with the input arguments, since the width and precision are themselves consumed as arguments. E.g. for %1!*.*s! the arguments:

4 2 TEST

Would result in the string:

  TE

Restrictions:

  • Floating-point format specifiers—e, E, f, and g—are not supported

  • Inserts that use the I64 type prefix are treated as two 32-bit arguments
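As an added example (not part of this document and not a wrapper around the Windows API), the following Python expands a message string with the escape sequences and argument place holders of section 6.4.3, the way a forensic tool that has no FormatMessage available would render an event message. It implements the asterisk rule above, so the string of %1!*.*s! is argument 3; %n is rendered as a CR LF pair as FormatMessage does, %u is assumed to be a 32-bit unsigned value, and the type prefixes (h, l, w, I64 ...) are accepted but ignored.

```python
import re

_INSERT = re.compile(r"%(\d{1,2})(?:!([^!]*)!)?")
_SPEC = re.compile(r"^([-+ 0#]*)(\*|\d+)?(?:\.(\*|\d+))?(hh|h|ll|l|w|I64|I32|I)?([sdiuxXc])$")
# Escape sequences of the message text; %n is rendered as CR LF like FormatMessage does.
_ESCAPES = {"n": "\r\n", "r": "\r", "t": "\t", "b": " ", " ": " ", ".": ".", "!": "!", "%": "%"}


def format_message(template, args):
    """Expand a message-table string with positional arguments (1-based inserts)."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling % at end of message")
        nxt = template[i + 1]
        if nxt == "0":                      # %0: stop here, no trailing new line
            break
        if nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
            i += 2
            continue
        match = _INSERT.match(template, i)
        if not match:
            raise ValueError(f"unknown escape sequence %{nxt} at offset {i}")
        out.append(_expand_insert(int(match.group(1)), match.group(2), args))
        i = match.end()
    return "".join(out)


def _expand_insert(number, spec, args):
    """Render insert %number with an optional !spec!; the specifier defaults to !s!."""
    match = _SPEC.match(spec or "s")
    if not match:
        raise ValueError(f"unsupported format specifier !{spec}!")
    flags, width, precision, _prefix, conv = match.groups()   # the type prefix is ignored
    cursor = number - 1

    def take():
        nonlocal cursor
        if cursor >= len(args):
            raise IndexError(f"insert %{number} needs argument {cursor + 1}")
        cursor += 1
        return args[cursor - 1]

    # '*' consumes arguments in order, so the string of %1!*.*s! is argument 3
    if width == "*":
        width = str(int(take()))
    if precision == "*":
        precision = str(int(take()))
    value = take()

    numeric = conv != "s"
    fmt = "<" if "-" in flags else ("0=" if numeric and "0" in flags else ">")
    if numeric:
        fmt += "+" if "+" in flags else (" " if " " in flags else "")
        if "#" in flags and conv in "xX":
            fmt += "#"
    fmt += width or ""
    if precision is not None and not numeric:   # C integer precision has no Python equivalent
        fmt += "." + precision
    if conv == "s":
        return format(str(value), fmt + "s")
    if conv == "u":
        value = int(value) & 0xFFFFFFFF         # assumption: %u is a 32-bit unsigned value
    return format(int(value), fmt + {"d": "d", "i": "d", "u": "d", "x": "x", "X": "X", "c": "c"}[conv])


if __name__ == "__main__":
    print(repr(format_message("%1!*.*s!", [4, 2, "TEST"])))
    print(repr(format_message("Error %1!08x!: %2%0 ignored", [0xC0000005, "Access denied"])))
```

Arguments are taken from a Python list rather than from the va_list or argument array FormatMessage uses, so the I64 quirk (one 64-bit value consuming two 32-bit argument slots) does not apply here.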

6.5. Version resource data

The version resource data contains several structures that contain the version information values. The version resource data consists of:

  • Version information

  • Version fixed file information

  • Version sub values

    • Optional version file information variables

    • Version file information strings

6.5.1. Version information

The version information (VS_VERSIONINFO) is variable of size and consists of:

Offset Size Value Description

0

2

Size

2

2

52

Value data size

4

2

0

Value type

6

32

"VS_VERSION_INFO"

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character

…​

2

Alignment padding
32-bit alignment

…​

…​

Version fixed file information (Value data)
See section: Version fixed file information

…​

2

Alignment padding
32-bit alignment

…​

…​

Version sub values
See section: Version sub values

6.5.2. Version fixed file information

The version fixed file information (VS_FIXEDFILEINFO) is 52 bytes of size and consists of:

Offset Size Value Description

0

4

0xfeef04bd

Signature

4

4

0x00010000

Version
Stored as 2 x 16-bit values, e.g.
"00 00 01 00" ⇒ 1.0

8

4

File version (upper 32-bit)
Stored as 2 x 16-bit values, e.g.
"00 00 06 00" ⇒ 6.0

12

4

File version (lower 32-bit)
Stored as 2 x 16-bit values, e.g.
"02 40 70 17" ⇒ 6000.16386

16

4

Product version (upper 32-bit)
Stored as 2 x 16-bit values, e.g.
"00 00 06 00" ⇒ 6.0

20

4

Product version (lower 32-bit)
Stored as 2 x 16-bit values, e.g.
"02 40 70 17" ⇒ 6000.16386

24

4

0x0000003f

File flags bitmask

28

4

File flags

32

4

File operating system

36

4

File type

40

4

File sub type

44

4

File creation date and time (upper 32-bit)
Unknown format assumed FILETIME

48

4

File creation date and time (lower 32-bit)
Unknown format assumed FILETIME

Version file flags
Value Identifier Description

0x00000001

VS_FF_DEBUG

File contains debugging information or with debugging features enabled.

0x00000002

VS_FF_PRERELEASE

File is a development version, not a commercially released product.

0x00000004

VS_FF_PATCHED

File has been modified and is not identical to the original shipping file of the same version number.

0x00000008

VS_FF_PRIVATEBUILD

File was not built using standard release procedures. If this value is given, the StringFileInfo block must contain a PrivateBuild string.

0x00000010

VS_FF_INFOINFERRED

The file’s version structure was created dynamically; therefore, some of the members in this structure may be empty or incorrect. This flag should never be set in a file’s VS_VERSIONINFO data.

0x00000020

VS_FF_SPECIALBUILD

File was built by the original company using standard release procedures but is a variation of the standard file of the same version number. If this value is given, the StringFileInfo block must contain a SpecialBuild string.

0x0000003f

VS_FFI_FILEFLAGSMASK

The file flags bitmask

Version file operating system
Value Identifier Description

0x00000000

VOS_UNKNOWN
VOS__BASE

The operating system for which the file was designed is unknown to the system.

0x00000001

VOS__WINDOWS16

The file was designed for 16-bit Windows.

0x00000002

VOS__PM16

The file was designed for 16-bit Presentation Manager.

0x00000003

VOS__PM32

The file was designed for 32-bit Presentation Manager.

0x00000004

VOS__WINDOWS32

The file was designed for 32-bit Windows.

0x00010000

VOS_DOS

The file was designed for MS-DOS.

0x00020000

VOS_OS216

The file was designed for 16-bit OS/2.

0x00030000

VOS_OS232

The file was designed for 32-bit OS/2.

0x00040000

VOS_NT

The file was designed for Windows NT.

No value is defined for 64-bit; 64-bit Windows executables carry VOS_NT_WINDOWS32.

Note that these values can be combined, e.g.:

Value Identifier Description

0x00010001

VOS_DOS_WINDOWS16

The file was designed for 16-bit Windows running on MS-DOS.

0x00010004

VOS_DOS_WINDOWS32

The file was designed for 32-bit Windows running on MS-DOS.

0x00020002

VOS_OS216_PM16

The file was designed for 16-bit Presentation Manager running on 16-bit OS/2.

0x00030003

VOS_OS232_PM32

The file was designed for 32-bit Presentation Manager running on 32-bit OS/2.

0x00040004

VOS_NT_WINDOWS32

The file was designed for Windows NT.

Version file type
Value Identifier Description

0x00000000

VFT_UNKNOWN

The file type is unknown to the system.

0x00000001

VFT_APP

The file contains an application.

0x00000002

VFT_DLL

The file contains a DLL.

0x00000003

VFT_DRV

The file contains a device driver.
The file sub type contains a more specific description of the driver.

0x00000004

VFT_FONT

The file contains a font.
The file sub type contains a more specific description of the font.

0x00000005

VFT_VXD

The file contains a virtual device.

0x00000007

VFT_STATIC_LIB

The file contains a static-link library.

Version file sub type

According to [MSDN_RC] all non-listed version file sub types are reserved.

Driver
Value Identifier Description

0x00000000

VFT2_UNKNOWN

The driver type is unknown by the system.

0x00000001

VFT2_DRV_PRINTER

The file contains a printer driver.

0x00000002

VFT2_DRV_KEYBOARD

The file contains a keyboard driver.

0x00000003

VFT2_DRV_LANGUAGE

The file contains a language driver.

0x00000004

VFT2_DRV_DISPLAY

The file contains a display driver.

0x00000005

VFT2_DRV_MOUSE

The file contains a mouse driver.

0x00000006

VFT2_DRV_NETWORK

The file contains a network driver.

0x00000007

VFT2_DRV_SYSTEM

The file contains a system driver.

0x00000008

VFT2_DRV_INSTALLABLE

The file contains an installable driver.

0x00000009

VFT2_DRV_SOUND

The file contains a sound driver.

0x0000000a

VFT2_DRV_COMM

The file contains a communications driver.

0x0000000c

VFT2_DRV_VERSIONED_PRINTER

The file contains a versioned printer driver.

Font
Value Identifier Description

0x00000000

VFT2_UNKNOWN

The font type is unknown by the system.

0x00000001

VFT2_FONT_RASTER

The file contains a raster font.

0x00000002

VFT2_FONT_VECTOR

The file contains a vector font.

0x00000003

VFT2_FONT_TRUETYPE

The file contains a TrueType font.

Virtual device

The file sub type contains the virtual device identifier included in the virtual device control block.

6.5.3. Version sub values

The sub values are stored as version file information values and consist of:

  • Version file information strings (zero or one)

  • Version file information variables (zero or one)

Version file information variables

The version file information variables consists of:

  • version file information variables header

  • array of variables

Version file information variables header (VarFileInfo)

The version file information variables header (VarFileInfo) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the file information variables data which includes the size itself

2

2

0

Value data size

4

2

1

Value type
0 ⇒ Binary string
1 ⇒ Text string

6

…​

"VarFileInfo"

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character

…​

2

Alignment padding
32-bit alignment

Version file information value variable (Var)

The version file information value variables (Var) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the variable data which includes the size itself

2

2

Value data size
If the value type is 0 this value contains the number of bytes of the binary data; if the value type is 1 it contains the number of characters of the string including the end-of-string character.

4

2

Value type
0 ⇒ Binary string
1 ⇒ Text string

6

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character

…​

2

Unknown (Alignment padding)
32-bit alignment

…​

…​

Value data

Version file information value variable identifiers

TODO

Value Description

Translation

4 bytes of value data per translation: a 16-bit language identifier followed by a 16-bit code page identifier, e.g. 0x0409 (en-US) and 0x04E0 (code page 1252). The StringTable value identifier string in the StringFileInfo is the hexadecimal representation of these two values, e.g. "040904E0", so every translation should have a matching StringTable. Multiple translations are stored as consecutive 4-byte pairs; the first one appears to correspond with the language of the file.

Version file information strings

The version file information strings consists of:

  • version file information strings header

  • string table

  • array of value strings

Version file information strings header (StringFileInfo)

The version file information strings header (StringFileInfo) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the file information strings data which includes the size itself

2

2

0

Value data size

4

2

1

Value type
0 ⇒ Binary string
1 ⇒ Text string

6

…​

"StringFileInfo"

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character

…​

2

Alignment padding
32-bit alignment

Version file information string table header (StringTable)

The version file information string table header (StringTable) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the string table data which includes the size itself

2

2

0

Value data size

4

2

1

Value type
0 ⇒ Binary string
1 ⇒ Text string

6

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character
E.g. "040904E0": the language identifier 0x0409 followed by the code page identifier 0x04E0, written as 8 hexadecimal digits

…​

2

Alignment padding
32-bit alignment

Version file information value string (String)

The version file information value string (String) is variable of size and consists of:

Offset Size Value Description

0

2

Size
The size of the string data which includes the size itself

2

2

Value data size
This value contains the number of characters of the string including the end-of-string character.

4

2

1

Value type
0 ⇒ Binary string
1 ⇒ Text string

6

Value identifier string
Contains an UTF-16 little-endian string with an end-of-string character

…​

2

Alignment padding
32-bit alignment

…​

…​

Value string (Value data)
Contains an UTF-16 little-endian string with an end-of-string character

Version file information value string identifiers

TODO: integrate notes in text

Value Description

Comments

The Value member contains any additional information that should be displayed for diagnostic purposes. This string can be an arbitrary length.

CompanyName

The Value member identifies the company that produced the file. For example, "Microsoft Corporation" or "Standard Microsystems Corporation, Inc."

FileDescription

The Value member describes the file in such a way that it can be presented to users. This string may be presented in a list box when the user is choosing files to install. For example, "Keyboard driver for AT-style keyboards" or "Microsoft Word for Windows".

FileVersion

The Value member identifies the version of this file. For example, Value could be "3.00A" or "5.00.RC2".

InternalName

The Value member identifies the file’s internal name, if one exists. For example, this string could contain the module name for a DLL, a virtual device name for a Windows virtual device, or a device name for a MS-DOS device driver.

LegalCopyright

The Value member describes all copyright notices, trademarks, and registered trademarks that apply to the file. This should include the full text of all notices, legal symbols, copyright dates, trademark numbers, and so on. In English, this string should be in the format "Copyright Microsoft Corp. 1990 - 1994".

LegalTrademarks

The Value member describes all trademarks and registered trademarks that apply to the file. This should include the full text of all notices, legal symbols, trademark numbers, and so on. In English, this string should be in the format "Windows is a trademark of Microsoft Corporation".

OriginalFilename

The Value member identifies the original name of the file, not including a path. This enables an application to determine whether a file has been renamed by a user. This name may not be MS-DOS 8.3-format if the file is specific to a non-FAT file system.

PrivateBuild

The Value member describes by whom, where, and why this private version of the file was built. This string should only be present if the VS_FF_PRIVATEBUILD flag is set in the dwFileFlags member of the VS_FIXEDFILEINFO structure. For example, Value could be "Built by OSCAR on \OSCAR2".

ProductName

The Value member identifies the name of the product with which this file is distributed. For example, this string could be "Microsoft Windows".

ProductVersion

The Value member identifies the version of the product with which this file is distributed. For example, Value could be "3.00A" or "5.00.RC2".

SpecialBuild

The Value member describes how this version of the file differs from the normal version. This entry should only be present if the VS_FF_SPECIALBUILD flag is set in the dwFileFlags member of the VS_FIXEDFILEINFO structure. For example, Value could be "Private build for Olivetti solving mouse problems on M250 and M250E computers".
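As an added example (not part of this document or of any library it describes), the following Python parses the version resource of section 6.5 as a tree of size-prefixed nodes: VS_VERSIONINFO with its VS_FIXEDFILEINFO value, StringFileInfo with its StringTable and String children, and VarFileInfo with the Translation variable. It then applies the check the OriginalFilename string exists for, comparing it with the on-disk name. The sample resource, including the company and file names in it, is constructed in the block and does not come from a real executable.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD


def _align4(n):
    return (n + 3) & ~3


def _read_utf16z(data, offset):
    """Read an end-of-string terminated UTF-16LE string; returns (text, offset after terminator)."""
    end = offset
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[offset:end].decode("utf-16-le"), end + 2


def parse_node(data, offset=0):
    """Parse one version node (VS_VERSIONINFO, StringFileInfo, StringTable, String, VarFileInfo, Var)."""
    length, value_length, value_type = struct.unpack_from("<HHH", data, offset)
    end = offset + length
    if length < 6 or end > len(data):
        raise ValueError(f"bad version node length {length} at offset {offset}")
    key, pos = _read_utf16z(data, offset + 6)
    pos = _align4(pos)
    # The value data size counts characters for text values (type 1) and bytes for binary
    # values (type 0); some linkers get this wrong, so the node end is the hard limit.
    value_size = min(value_length * 2 if value_type == 1 else value_length, max(end - pos, 0))
    value = data[pos:pos + value_size]
    pos = _align4(pos + value_size)
    children = []
    while pos + 6 <= end and struct.unpack_from("<H", data, pos)[0] != 0:
        child = parse_node(data, pos)
        children.append(child)
        pos = _align4(pos + child["length"])      # a node size excludes its trailing padding
    return {"key": key, "type": value_type, "value": value, "children": children, "length": length}


def _version(ms, ls):
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def parse_version_info(data):
    """Return the fixed file information, the StringFileInfo strings and the translations."""
    root = parse_node(data)
    if root["key"] != "VS_VERSION_INFO" or len(root["value"]) < 52:
        raise ValueError("not a VS_VERSIONINFO resource")
    fixed = struct.unpack_from("<13I", root["value"])
    if fixed[0] != VS_FFI_SIGNATURE:
        raise ValueError(f"bad VS_FIXEDFILEINFO signature 0x{fixed[0]:08x}")
    info = {"file_version": _version(fixed[2], fixed[3]), "product_version": _version(fixed[4], fixed[5]),
            "file_flags": fixed[7] & fixed[6], "file_os": fixed[8], "file_type": fixed[9],
            "file_subtype": fixed[10], "strings": {}, "translations": []}
    for child in root["children"]:
        if child["key"] == "StringFileInfo":
            for table in child["children"]:       # key is language and code page in hex, e.g. "040904E0"
                info["strings"][table["key"]] = {
                    s["key"]: s["value"].decode("utf-16-le", "replace").rstrip("\0") for s in table["children"]}
        elif child["key"] == "VarFileInfo":
            for var in child["children"]:
                if var["key"] == "Translation":
                    pairs = len(var["value"]) // 4
                    info["translations"] += list(struct.iter_unpack("<HH", var["value"][:pairs * 4]))
    return info


def original_name_mismatch(info, on_disk_name):
    """Return the OriginalFilename when it differs from the on-disk name (renamed or masquerading file)."""
    for table in info["strings"].values():
        original = table.get("OriginalFilename")
        if original and original.lower() != on_disk_name.lower():
            return original
    return None


def build_node(key, value=b"", value_type=1, children=()):
    """Serialise one node; used only to construct the sample below."""
    value_length = len(value) // 2 if value_type == 1 else len(value)
    body = struct.pack("<HHH", 0, value_length, value_type) + (key + "\0").encode("utf-16-le")
    body += b"\0" * (_align4(len(body)) - len(body)) + value
    for child in children:
        body += b"\0" * (_align4(len(body)) - len(body)) + child
    return struct.pack("<H", len(body)) + body[2:]


def _text(s):
    return (s + "\0").encode("utf-16-le")


# Constructed sample: file version 6.0.6000.16386, VOS_NT_WINDOWS32, VFT_DLL, fictional names.
SAMPLE_FIXED = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, 0x00060000, 0x17704002,
                           0x00060000, 0x17704002, 0x3F, 0, 0x00040004, 2, 0, 0, 0)
SAMPLE_VERSION_INFO = build_node("VS_VERSION_INFO", SAMPLE_FIXED, 0, [
    build_node("StringFileInfo", children=[build_node("040904E0", children=[
        build_node("CompanyName", _text("Example Corp")),
        build_node("OriginalFilename", _text("example.dll")),
        build_node("FileVersion", _text("6.0.6000.16386"))])]),
    build_node("VarFileInfo", children=[build_node("Translation", struct.pack("<HH", 0x0409, 0x04E0), 0)]),
])

if __name__ == "__main__":
    info = parse_version_info(SAMPLE_VERSION_INFO)
    print(info["file_version"], info["strings"], info["translations"])
    print("original name:", original_name_mismatch(info, "svchost.exe"))
```

The version strings are attacker controlled and are not covered by anything but an Authenticode signature, so a matching OriginalFilename proves nothing; a mismatch, however, is a cheap triage signal.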

6.6. Manifest resource data

The manifest resource data is variable of size and consists of:

Offset Size Value Description

0

…​

Data containing XML string

TODO is this always UTF8 or are other values possible?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

6.7. Multilingual User Interface (MUI) resource data

The Multilingual User Interface (MUI) resource data was introduced in Windows Vista. It has the name "MUI".

On a Windows system "muirct" can be used to determine more about the MUI resource of an executable. E.g.

muirct.exe -d file.exe

This tool is part of the Windows SDK as of Vista.

The MUI resource data is variable of size and consists of:

Offset Size Value Description

0

4

0xfecdfecd

Signature

4

4

Size

8

4

0x00010000

Version (RC config version)
Assumed to be stored as 2 x 16-bit values, e.g.
"00 00 01 00" ⇒ 1.0

12

4

Unknown (Empty values)

16

4

File type
0x11 ⇒ "normal" (main) file
0x12 ⇒ ".mui" file

20

4

System attributes

24

4

Ultimate fallback location
0x01 ⇒ internal
0x02 ⇒ external

28

16

Service checksum
TODO: checksum algorithm

44

16

Checksum
TODO: checksum algorithm

60

24

Unknown (Empty values)

Value descriptors

84

4

Main name type data offset

88

4

Main name type data size

92

4

Main ID types data offset

96

4

Main ID types data size

100

4

MUI name type data offset

104

4

MUI name type data size

108

4

MUI ID types data offset

112

4

MUI ID types data size

116

4

Language data offset

120

4

Language data size

124

4

Ultimate fallback language data offset

128

4

Ultimate fallback language data size

Value data

132

…​

Data
64-bit aligned

Because the value data is 64-bit aligned it can contain alignment padding.

Most of the type values are stored as UTF-16 little-endian string with an end-of-string character. Except for the Main and MUI ID types which are stored as 32-bit little-endian integer values. The name and ID types correspond with the root resource nodes in the file.

If the file type is 0x11 (main file) the ultimate fallback language is set; if the file type is 0x12 (.mui file) the language is set.

6.7.1. File type

Value Identifier Description

0x00000011

Executable

6.7.2. System attributes

TODO: add text

Value Identifier Description

6.7.3. MUI name type

TODO: add text

Value Description

MOFTYPE

MUI

WEVT_TEMPLATE

6.8. Windows Event template resource data

The Windows Event template resource data was introduced in Windows Vista. It has the name "WEVT_TEMPLATE".

6.8.1. Instrumentation manifest

The instrumentation manifest is variable of size and consists of:

Offset Size Value Description

0

4

"CRIM"

Signature

4

4

Size
Including the compiled resource instrumentation manifest header

8

2

3

Major version

10

2

1

Minor version

12

4

Number of event providers

16

20 x number

Array of event provider descriptors

Assumed is that CRIM stands for "Compiled resource instrumentation manifest", but it could also be short for Crimson, which was the codename for the event logging service in Windows Longhorn.

Event provider descriptor

The event provider descriptor is 20 bytes of size and consists of:

Offset Size Value Description

0

16

Provider identifier
Contains a GUID

16

4

Event provider data offset
The offset is relative to the start of the instrumentation manifest

6.8.2. Event provider

The event provider is variable of size and consists of:

Offset Size Value Description

0

4

"WEVT"

Signature

4

4

Size
Including the Windows Event Template header

8

4

Message-table identifier
or 0xffffffff (-1) if not set

12

4

Number of provider element descriptors

16

4

Number of Unknown 32-bit values

20

…​

Provider element descriptors

…​

…​

Unknown 32-bit values (Empty value)

Provider element descriptor

The provider element descriptor is 8 bytes of size and consists of:

Offset Size Value Description

0

4

Provider element offset
The offset is relative to the start of the instrumentation manifest

4

4

Unknown

The provider element type is determined by its signature?

6.8.3. Keyword definitions

The keyword definitions are variable of size and consist of:

Offset Size Value Description

0

4

"KEYW"

Signature

4

4

Size
Including the keyword definitions header

8

4

Number of keyword definitions

12

…​

Array of keyword definitions

…​

…​

Keyword data

Keyword definition

A keyword definition is 16 bytes of size and consists of:

Offset Size Value Description

0

8

Identifier (Bitmask)

8

4

Message-table identifier
or 0xffffffff (-1) if not set

12

4

Data offset
The offset is relative to the start of the instrumentation manifest

Keyword data

The keyword data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned

6.8.4. Level definitions

The level definitions are variable of size and consist of:

Offset Size Value Description

0

4

"LEVL"

Signature

4

4

Size
The value includes the size of the header or is 0 if empty

8

4

Number of level definitions

12

…​

Array of level definitions

…​

…​

Level data

Level definition

A level definition is 12 bytes of size and consists of:

Offset Size Value Description

0

4

Identifier

4

4

Message-table identifier
or 0xffffffff (-1) if not set

8

4

Data offset
The offset is relative to the start of the instrumentation manifest

Level data

The level data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned

6.8.5. Maps definitions

The maps definitions are variable of size and consist of:

Offset Size Value Description

0

4

"MAPS"

Signature

4

4

Size
Including the map definitions header

8

4

Number of map definitions

12

4 x (number - 1)

Array of map definition data offsets
The offset is relative to the start of the instrumentation manifest
This array contains one entry less than the number of maps. The first map definition is implied to be stored directly after this array.

…​

…​

Array of map definitions

…​

…​

Array of map strings

Bitmap definition

A bitmap definition is of unknown size and starts with:

Offset Size Value Description

0

4

"BMAP"

Signature

TODO: BMAPS are used to define flags

Value map definition

Value maps are used to define enumeration types.

A value map definition is variable of size and consists of:

Offset Size Value Description

0

4

"VMAP"

Signature

4

4

Size
Including the signature

8

4

Map string data offset
The offset is relative to the start of the instrumentation manifest

12

4

Number of value map entries

16

…​

Array of value map entries

Value map entry

A value map entry is 8 bytes of size and consists of:

Offset Size Value Description

0

4

Identifier

4

4

Message-table identifier
or 0xffffffff (-1) if not set

Map string

The map string data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

6.8.6. Channel definitions

The channel definitions are variable of size and consist of:

Offset Size Value Description

0

4

"CHAN"

Signature

4

4

Size
Including the channel definitions header

8

4

Number of channel definitions

12

…​

Array of channel definitions

…​

…​

Channel data

Channel definition

A channel definition is 16 bytes of size and consists of:

Offset Size Value Description

0

4

Identifier

4

4

Data offset
The offset is relative to the start of the instrumentation manifest

8

4

Unknown (Value)

12

4

Message-table identifier
or 0xffffffff (-1) if not set

Channel data

The channel data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned

6.8.7. Event definitions

The event definitions are variable of size and consist of:

Offset Size Value Description

0

4

"EVTN"

Signature

4

4

Size
Including the event definitions header

8

4

Number of event definitions

12

4

Unknown (Empty values)

16

…​

Array of event definitions

…​

28

Unknown

Event definition

An event definition is 48 bytes of size and consists of:

Offset Size Value Description

0

2

Identifier
The event identifier without Customer flags and Severity.

If flag 0x00000080 is not set (does this hold?)

2

2

Unknown

4

2

Qualifiers

6

2

Unknown

If flag 0x00000080 is set (does this hold?)

2

1

Version

3

1

Channel

4

1

Level

5

1

Opcode

6

2

Task

Common

8

8

Keywords

16

4

Message identifier

20

4

Template definition offset
The offset is relative to the start of the instrumentation manifest or 0 if not set

24

4

Opcode definition offset
The offset is relative to the start of the instrumentation manifest or 0 if not set

28

4

Level definition offset
The offset is relative to the start of the instrumentation manifest or 0 if not set

32

4

Task definition offset
The offset is relative to the start of the instrumentation manifest or 0 if not set

36

4

Unknown (number of 4 byte values?)

40

4

Unknown (Offset to a 4 byte value?)

44

4

Unknown (Flags)

6.8.8. Keyword definitions

The keyword definitions are described in section 6.8.3.

6.8.9. Opcode definitions

The opcode definitions are variable of size and consist of:

Offset Size Value Description

0

4

"OPCO"

Signature

4

4

Size
The value includes the size of the header or is 0 if empty

8

4

Number of opcode definitions

12

…​

Array of opcode definitions

Opcode definition

An opcode definition is 12 bytes of size and consists of:

Offset Size Value Description

0

4

Identifier

4

4

Message-table identifier
or 0xffffffff (-1) if not set

8

4

Data offset
The offset is relative to the start of the instrumentation manifest

Opcode data

The opcode data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned

6.8.10. Task definitions

The task definitions are variable of size and consist of:

Offset Size Value Description

0

4

"TASK"

Signature

4

4

Size
Including the task definitions header

8

4

Number of task definitions

12

…​

Array of task definitions

…​

…​

Task data

Task definition

A task definition is 28 bytes of size and consists of:

Offset Size Value Description

0

4

Identifier

4

4

Message-table identifier
or 0xffffffff (-1) if not set

8

16

Unknown (MUI identifier)
Contains a GUID

24

4

Data offset
The offset is relative to the start of the instrumentation manifest

Task data

The task data is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned
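As an added example (not part of this document or of any library it describes), the following Python ties together sections 6.8.1 through 6.8.10: it reads the CRIM header and provider descriptors, follows each provider to its WEVT header, and dispatches on the 4-byte signature of every provider element to decode the LEVL, OPCO, KEYW, CHAN and TASK definition arrays together with their size-prefixed strings. Event definitions, template tables and maps are reported by signature only. The manifest it parses is constructed in the block, with a fictional provider GUID, so that the offsets can be checked by hand against the layouts above.

```python
import struct
import uuid

NOT_SET = 0xFFFFFFFF

# Per-element layouts: struct format and field names of one definition. The data_offset
# fields point at a size-prefixed UTF-16LE string; all offsets are manifest-relative.
ELEMENT_LAYOUTS = {
    b"LEVL": ("<III", ("identifier", "message_id", "data_offset")),
    b"OPCO": ("<III", ("identifier", "message_id", "data_offset")),
    b"KEYW": ("<QII", ("identifier", "message_id", "data_offset")),
    b"CHAN": ("<IIII", ("identifier", "data_offset", "unknown", "message_id")),
    b"TASK": ("<II16sI", ("identifier", "message_id", "mui_identifier", "data_offset")),
}


def read_sized_string(data, offset):
    """Size-prefixed string: a 32-bit size including itself, then UTF-16LE with terminator."""
    (size,) = struct.unpack_from("<I", data, offset)
    if size < 4 or offset + size > len(data):
        raise ValueError(f"bad string size {size} at offset {offset}")
    return data[offset + 4:offset + size].decode("utf-16-le").rstrip("\0")


def parse_element(data, offset):
    """Decode one provider element by signature; returns (signature, definitions or None)."""
    signature = data[offset:offset + 4]
    layout = ELEMENT_LAYOUTS.get(signature)
    if layout is None:                      # EVTN, TTBL and MAPS are not decoded by this example
        return signature.decode("ascii", "replace"), None
    fmt, names = layout
    (count,) = struct.unpack_from("<I", data, offset + 8)
    definitions, pos = [], offset + 12
    for _ in range(count):
        entry = dict(zip(names, struct.unpack_from(fmt, data, pos)))
        pos += struct.calcsize(fmt)
        if entry["message_id"] == NOT_SET:
            entry["message_id"] = None
        if "mui_identifier" in entry:
            entry["mui_identifier"] = str(uuid.UUID(bytes_le=entry["mui_identifier"]))
        entry["name"] = read_sized_string(data, entry["data_offset"]) if entry["data_offset"] else None
        definitions.append(entry)
    return signature.decode("ascii"), definitions


def parse_provider(data, offset):
    signature, _size, message_id, element_count, _unknown_count = struct.unpack_from("<4sIIII", data, offset)
    if signature != b"WEVT":
        raise ValueError(f"expected WEVT at offset {offset}, found {signature!r}")
    provider = {"message_id": None if message_id == NOT_SET else message_id, "elements": {}}
    for i in range(element_count):
        element_offset, _unknown = struct.unpack_from("<II", data, offset + 20 + 8 * i)
        name, definitions = parse_element(data, element_offset)
        provider["elements"][name] = definitions
    return provider


def parse_wevt_template(data):
    """Parse a WEVT_TEMPLATE resource: CRIM header, provider descriptors and each WEVT provider."""
    signature, size, major, minor, provider_count = struct.unpack_from("<4sIHHI", data, 0)
    if signature != b"CRIM" or size > len(data):
        raise ValueError("not a CRIM instrumentation manifest")
    providers = {}
    for i in range(provider_count):
        guid_bytes, provider_offset = struct.unpack_from("<16sI", data, 16 + 20 * i)
        providers[str(uuid.UUID(bytes_le=guid_bytes))] = parse_provider(data, provider_offset)
    return {"version": f"{major}.{minor}", "providers": providers}


def _pad8(blob):
    return blob + b"\0" * (-len(blob) % 8)


def build_sample_manifest():
    """Construct a minimal manifest: one provider with one level and one channel (fictional GUID)."""
    provider_id = uuid.UUID("11111111-2222-3333-4444-555555555555")
    wevt_offset, levl_offset = 40, 80                       # CRIM (36 bytes) and WEVT (36) padded to 8
    level_name = _pad8(struct.pack("<I", 4 + 12) + "Error\0".encode("utf-16-le"))
    levl = b"LEVL" + struct.pack("<II", 24 + len(level_name), 1)
    levl += struct.pack("<III", 2, 0x50000002, levl_offset + 24) + level_name
    chan_offset = levl_offset + len(levl)
    channel_name = _pad8(struct.pack("<I", 4 + 24) + "Application\0".encode("utf-16-le"))
    chan = b"CHAN" + struct.pack("<II", 28 + len(channel_name), 1)
    chan += struct.pack("<IIII", 9, chan_offset + 28, 0, NOT_SET) + channel_name
    wevt = b"WEVT" + struct.pack("<IIII", 36, NOT_SET, 2, 0)
    wevt += struct.pack("<II", levl_offset, 0) + struct.pack("<II", chan_offset, 0)
    total = chan_offset + len(chan)
    crim = b"CRIM" + struct.pack("<IHHI", total, 3, 1, 1) + provider_id.bytes_le + struct.pack("<I", wevt_offset)
    return _pad8(crim) + _pad8(wevt) + levl + chan


SAMPLE_MANIFEST = build_sample_manifest()

if __name__ == "__main__":
    print(parse_wevt_template(SAMPLE_MANIFEST))
```

The message identifiers recovered here index the message-table resource of the same file, which is what lets an offline tool render the level and channel names of an EVTX record without the originating system.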

6.8.11. Template table

The template table is variable of size and consists of:

Offset Size Value Description

0

4

"TTBL"

Signature

4

4

Size
Including the template table header

8

4

Number of templates

12

…​

Array of templates

…​

…​

Template data

Template definition

A template definition is variable of size and consists of:

Offset Size Value Description

0

4

"TEMP"

Signature

4

4

Size
Including the template header

8

4

Number of variable descriptors

12

4

Number of variable names

16

4

Instance variables offset
The offset is relative to the start of the instrumentation manifest

20

4

1

Unknown (number of BinXML fragments?)

24

16

Identifier
Contains a GUID

40

…​

Binary XML fragment

…​

…​

Template variables descriptors

…​

…​

Template variables names

Note
If the number of variable descriptors (and the number of variable names) is 0, the instance variables offset is either 0 or equal to the template size.

Template binary XML fragment

The binary XML is slightly different to that of EVTX.

  • the name offset is not used

  • the name does not contain the additional unknown 4 byte value

  • the template instance variables are stored outside the template

Template instance variable descriptor

The template instance variable descriptor is 20 bytes of size and consists of:

Offset Size Value Description

0

4

Unknown (empty value)

4

1

Value type

5

1

Unknown (Value type)

6

2

Unknown (empty value)

8

4

Unknown (empty value)

12

4

Unknown (empty value)

16

4

Template instance variable name offset
The offset is relative to the start of the instrumentation manifest

Template instance variable name

The template instance variable name is variable of size and consists of:

Offset Size Value Description

0

4

Size
Includes the size itself

4

…​

String
The string is formatted as UTF-16 little-endian with an end-of-string character

…​

…​

Alignment padding
The data is 8-byte aligned
Last name only?

7. Notes

7.1. Export directory table

Offset Size Value Description

0

4

Export Flags

Reserved, must be 0.

4

4

Time/Date Stamp

The time and date that the export data was created.

8

2

Major Version

The major version number. The major and minor version numbers can be set by the user.

10

2

Minor Version

The minor version number.

12

4

Name RVA

The address of the ASCII string that contains the name of the DLL. This address is relative to the image base.

16

4

Ordinal Base

The starting ordinal number for exports in this image. This field specifies the starting ordinal number for the export address table. It is usually set to 1.

20

4

Address Table Entries

The number of entries in the export address table.

24

4

Number of Name Pointers

The number of entries in the name pointer table. This is also the number of entries in the ordinal table.

28

4

Export Address Table RVA

The address of the export address table, relative to the image base.

32

4

Name Pointer RVA

The address of the export name pointer table, relative to the image base. The table size is given by the Number of Name Pointers field.

36

4

Ordinal Table RVA

The address of the ordinal table, relative to the image base.

7.2. Export address table

Offset Size Value Description

0

4

Export RVA

The address of the exported symbol when loaded into memory, relative to the image base. For example, the address of an exported function.

0

4

Forwarder RVA

The pointer to a null-terminated ASCII string in the export section.
This string must be within the range that is given by the export table data directory entry.
See section 3.4.3, "Optional Header Data Directories (Image Only)."
This string gives the DLL name and the name of the export (for example, "MYDLL.expfunc") or the DLL name and the ordinal number of the export (for example, "MYDLL.#27").

7.3. Import directory table

Offset Size Value Description

0

4

Import Lookup Table RVA (Characteristics)

The RVA of the import lookup table. This table contains a name or ordinal for each import.
(The name "Characteristics" is used in Winnt.h, but no longer describes this field.)

4

4

Time/Date Stamp

The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/date stamp of the DLL.

8

4

Forwarder Chain

The index of the first forwarder reference.

12

4

Name RVA

The address of an ASCII string that contains the name of the DLL. This address is relative to the image base.

16

4

Import Address Table RVA (Thunk Table)

The RVA of the import address table.
The contents of this table are identical to the contents of the import lookup table until the image is bound.

7.4. Import lookup table

| Bit(s) | Size | Bit field | Description |
| --- | --- | --- | --- |
| 31/63 | 1 | Ordinal/Name Flag | If this bit is set, import by ordinal. Otherwise, import by name. The bit is masked as 0x80000000 for PE32 and 0x8000000000000000 for PE32+. |
| 15-0 | 16 | Ordinal Number | A 16-bit ordinal number. This field is used only if the Ordinal/Name Flag bit field is 1 (import by ordinal). Bits 30-15 or 62-15 must be 0. |
| 30-0 | 31 | Hint/Name Table RVA | A 31-bit RVA of a hint/name table entry. This field is used only if the Ordinal/Name Flag bit field is 0 (import by name). For PE32+ bits 62-31 must be zero. |

7.5. Hint/Name table

| Offset | Size | Value | Description |
| --- | --- | --- | --- |
| 0 | 2 | Hint | An index into the export name pointer table. A match is attempted first with this value. If it fails, a binary search is performed on the DLL's export name pointer table. |
| 2 | variable | Name | An ASCII string that contains the name to import. This is the string that must be matched to the public name in the DLL. This string is case sensitive and terminated by a null byte. |
| * | 0 or 1 | Pad | A trailing zero-pad byte that appears after the trailing null byte, if necessary, to align the next entry on an even boundary. |
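As an added example covering sections 7.4 and 7.5 together (not part of this document or of any library it describes), the following Python walks a constructed import lookup table in both PE32 and PE32+ form, applies the Ordinal/Name Flag mask for each, rejects entries with reserved bits set, and resolves name imports through the hint/name table including the even-boundary pad byte. The section RVA, hints and import names are made up for illustration.

```python
import struct

# Ordinal/Name flag: bit 31 of a 4-byte PE32 entry, bit 63 of an 8-byte PE32+ entry.
ORDINAL_FLAG = {False: 0x80000000, True: 0x8000000000000000}

# Constructed sample: RVA at which the fake import section below is mapped.
SECTION_RVA = 0x2000


def build_sample_section():
    """Construct an import section holding two hint/name entries followed by
    two import lookup tables, one PE32 and one PE32+, that reference them."""
    blob = bytearray()
    name1_rva = SECTION_RVA + len(blob)
    blob += struct.pack("<H", 3) + b"GetProcAddress\x00"   # 17 bytes: odd,
    blob += b"\x00" * (len(blob) % 2)                       # so one pad byte
    name2_rva = SECTION_RVA + len(blob)
    blob += struct.pack("<H", 7) + b"ExitProcess\x00"      # 14 bytes: no pad
    ilt32_offset = len(blob)
    blob += struct.pack("<3I", 0x80000000 | 27, name1_rva, 0)
    ilt64_offset = len(blob)
    blob += struct.pack("<3Q", 0x8000000000000000 | 5, name2_rva, 0)
    return bytes(blob), ilt32_offset, ilt64_offset


def parse_hint_name(section, offset):
    """Parse one hint/name table entry at a section offset.

    Returns (hint, name, next_offset); next_offset skips the optional zero pad
    byte that aligns the following entry on an even boundary."""
    if offset < 0 or offset + 2 > len(section):
        raise ValueError("hint/name entry outside the section")
    (hint,) = struct.unpack_from("<H", section, offset)
    end = section.find(b"\x00", offset + 2)
    if end < 0:
        raise ValueError("import name is not null-terminated")
    name = section[offset + 2:end].decode("ascii")  # case sensitive, kept as-is
    next_offset = end + 1
    if next_offset % 2:
        next_offset += 1
    return hint, name, next_offset


def parse_import_lookup_table(section, section_rva, offset, pe32plus):
    """Walk a null-terminated import lookup table and resolve every entry.

    Returns a list of ('ordinal', number) or ('name', hint, name) tuples and
    rejects entries whose reserved bits are set."""
    size, fmt = (8, "<Q") if pe32plus else (4, "<I")
    flag = ORDINAL_FLAG[pe32plus]
    entries = []
    while True:
        if offset + size > len(section):
            raise ValueError("import lookup table is not null-terminated")
        (value,) = struct.unpack_from(fmt, section, offset)
        offset += size
        if value == 0:
            break  # terminating entry
        if value & flag:
            # Import by ordinal: the low 16 bits are the ordinal and every bit
            # between the ordinal and the flag bit must be zero.
            if value & (flag - 1) & ~0xFFFF:
                raise ValueError("reserved bits set in ordinal entry 0x%x" % value)
            entries.append(("ordinal", value & 0xFFFF))
        else:
            # Import by name: a 31-bit RVA of a hint/name entry; for PE32+ the
            # bits 62-31 must be zero.
            if value >> 31:
                raise ValueError("reserved bits set in name entry 0x%x" % value)
            hint, name, _ = parse_hint_name(section, value - section_rva)
            entries.append(("name", hint, name))
    return entries


def demo():
    section, ilt32_offset, ilt64_offset = build_sample_section()
    pe32 = parse_import_lookup_table(section, SECTION_RVA, ilt32_offset, False)
    pe32plus = parse_import_lookup_table(section, SECTION_RVA, ilt64_offset, True)
    return pe32, pe32plus


if __name__ == "__main__":
    for table in demo():
        print(table)
```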

7.6. FPO debug information

#define FRAME_FPO   0
#define FRAME_TRAP  1
#define FRAME_TSS   2

typedef struct _FPO_DATA {
    DWORD       ulOffStart;          // offset 1st byte of function code
    DWORD       cbProcSize;          // # bytes in function
    DWORD       cdwLocals;           // # bytes in locals/4
    WORD        cdwParams;           // # bytes in params/4

    WORD        cbProlog : 8;        // # bytes in prolog
    WORD        cbRegs   : 3;        // # regs saved
    WORD        fHasSEH  : 1;        // TRUE if SEH in func
    WORD        fUseBP   : 1;        // TRUE if EBP has been allocated
    WORD        reserved : 1;        // reserved for future use
    WORD        cbFrame  : 2;        // frame type
} FPO_DATA;

Appendix A: References

[CORION]
Title: The EXE File Formats
Author(s): Max Maischein
URL: http://www.corion.net/fileformats/index.html
     http://www.fileformat.info/format/exe/corion-mz.htm
     http://www.fileformat.info/format/exe/corion-ne.htm

[DJGPP]
Title: EXE Format
URL: http://www.delorie.com/djgpp/doc/exe/

[KUHR06]
Title: Enumerating Message Table Contents
Author(s): Stefan Kuhr
Date: 14 Jun 2006
URL: http://www.codeproject.com/KB/system/msgdump.aspx

[MSDN]
Title: MSDN articles about executable format
URL: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
     http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/pecoff.doc

[MSDN_RC]
Title: MSDN articles about Resource types
URL: http://msdn.microsoft.com/en-us/library/ms648009(v=VS.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/aa381058(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms647001(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646997(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646989(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646995(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646992(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646987(v=VS.85).aspx
     http://msdn.microsoft.com/en-us/library/windows/desktop/ms646994(v=VS.85).aspx

[MSDN_FORMATMESSAGE]
URL: http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx
     http://msdn.microsoft.com/en-us/library/56e442dc.aspx

[NTCORE]
Title: Microsoft's Rich Signature (undocumented)
Author(s): Daniel Pistelli
URL: http://www.ntcore.com/files/richsign.htm

[NTLCID]
Title: Locale identifier (LCID) definitions
URL: https://downloads.sourceforge.net/project/libpff/documentation/MAPI%20definitions/

[REVLABS]
Title: Undocumented PECOFF
URL: http://www.reversinglabs.com/blackhat/PECOFF_BlackHat-USA-11-Whitepaper.pdf

[SCHUSTER10]
Title: Linking Event Messages and Resource DLLs
Author(s): A. Schuster
Date: October 5, 2010
URL: http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html

[SCHUSTER11]
Title: Microsoft Windows Event Logging - Dokumentation der Binärformate
Author(s): A. Schuster
Version: 148
Date: February 6, 2011

[TRIPOD]
Title: LINEAR-EXECUTABLE File Header Layout
URL: http://faydoc.tripod.com/formats/exe-LE.htm

[WIKI]
URL: http://en.wikipedia.org/wiki/DOS_MZ_executable
     http://en.wikipedia.org/wiki/COFF
     http://en.wikipedia.org/wiki/New_Executable
     http://en.wikipedia.org/wiki/Portable_Executable

[WIKIBOOKS]
URL: http://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files

Appendix B: GNU Free Documentation License

Version 1.3, 3 November 2008

Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. http://fsf.org/

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work’s title, preceding the beginning of the body of the text.

The "publisher" means any person or entity that distributes copies of the Document to the public.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document’s license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

  15. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy’s public statement of acceptance of a version permanently authorizes you to choose that version for the Document.

11. RELICENSING

"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site.

"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.

"Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document.

An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.

The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.
