SECTION_IMAGE_INFORMATION - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTMMAPI_H
/**
* The SECTION_IMAGE_INFORMATION structure contains detailed information about an image section.
*/
typedef struct _SECTION_IMAGE_INFORMATION
{
PVOID TransferAddress; // The address of the image entry point function.
ULONG ZeroBits; // The number of high-order address bits that must be zero in the image base address.
SIZE_T MaximumStackSize; // The maximum stack size of threads from the PE file header.
SIZE_T CommittedStackSize; // The initial stack size of threads from the PE file header.
ULONG SubSystemType; // The image subsystem from the PE file header (e.g., Windows GUI, Windows CUI, POSIX).
union
{
struct
{
USHORT SubSystemMinorVersion;
USHORT SubSystemMajorVersion;
};
ULONG SubSystemVersion;
};
union
{
struct
{
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
};
ULONG OperatingSystemVersion;
};
USHORT ImageCharacteristics; // The image characteristics from the PE file header.
USHORT DllCharacteristics; // The DLL characteristics flags (e.g., ASLR, NX compatibility).
USHORT Machine; // The image architecture (e.g., x86, x64, ARM).
BOOLEAN ImageContainsCode; // The image contains native executable code.
union
{
UCHAR ImageFlags;
struct
{
UCHAR ComPlusNativeReady : 1; // The image contains precompiled .NET assembly generated by NGEN (Native Image Generator).
UCHAR ComPlusILOnly : 1; // the image contains only Microsoft Intermediate Language (IL) assembly.
UCHAR ImageDynamicallyRelocated : 1; // The image was mapped using a random base address rather than the preferred base address.
UCHAR ImageMappedFlat : 1; // The image was mapped using a single contiguous region, rather than separate regions for each section.
UCHAR BaseBelow4gb : 1; // The image was mapped using a base address below the 4 GB boundary.
UCHAR ComPlusPrefer32bit : 1; // The image prefers to run as a 32-bit process, even on a 64-bit system.
UCHAR Reserved : 2;
};
};
ULONG LoaderFlags; // Reserved by ntdll.dll for the Windows loader.
ULONG ImageFileSize; // The size of the image, in bytes, including all headers.
ULONG CheckSum; // The image file checksum, from the PE optional header.
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
View code on GitHubNo description available.
Structure SECTION_IMAGE_INFORMATION is returned as a result of call NtQuerySection with SectionImageInformation information class. System automatically check type and contents of File Object passed as a parameter to function NtCreateSection, and sets SEC_IMAGE bit on Section Attributes.
This structure is very useful in process creation, because caller can check most interesting of PE Header fields just before call to NtCreateProcess and without mapping section to target process'es memory.
Image's entry point.
Number of bits from left side of stack address must be set to zero. It means maximum stack's address in process memory.
Total size of stack, in bytes.
Initially committed stack's block size.
One of IMAGE_SUBSYSTEM_* described in Microsoft SDK and available in <winnt.h> header file.
Minor version number of subsystem.
Major version number of subsystem.
(?)
DLL Characteristics.
One of IMAGE_FILE_MACHINE_*.
(?)