#ifndef _NTMMAPI_H
// symbols
// SECTION_IMAGE_INFORMATION: image metadata for a section object.
// Per the text accompanying this listing, it is returned by NtQuerySection
// with the SectionImageInformation information class, and lets a caller
// inspect PE header fields before NtCreateProcess without mapping the section.
//
// NOTE(review): the values are described as PE header fields, i.e. they come
// from the image file. When the file is not trusted, treat them as untrusted
// input and validate them before acting on them.
// NOTE(review): presumably filled in by the system, so member order and types
// must stay exactly as declared (confirm against the target OS version).
typedef struct _SECTION_IMAGE_INFORMATION
{
// Image's entry point.
PVOID TransferAddress;
// Number of leftmost stack-address bits that must be zero.
ULONG ZeroBits;
// Total size of stack, in bytes.
SIZE_T MaximumStackSize;
// Size of the initially committed stack block.
SIZE_T CommittedStackSize;
// One of IMAGE_SUBSYSTEM_* (<winnt.h>).
ULONG SubSystemType;
// Subsystem version: readable as two USHORT halves or as one ULONG.
union
{
struct
{
USHORT SubSystemMinorVersion;
USHORT SubSystemMajorVersion;
};
ULONG SubSystemVersion;
};
// Operating system version: two USHORT halves or one ULONG.
// Members are declared Major then Minor here, the reverse of the subsystem
// pair above. Not described by the accompanying text.
union
{
struct
{
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
};
ULONG OperatingSystemVersion;
};
// NOTE(review): presumably the PE file-header Characteristics (IMAGE_FILE_*);
// not described by the accompanying text. Confirm.
USHORT ImageCharacteristics;
// DLL characteristics.
// NOTE(review): presumably the PE optional-header IMAGE_DLLCHARACTERISTICS_*
// flags, which include the opt-in mitigation bits (e.g. DYNAMIC_BASE,
// NX_COMPAT). Confirm before using this field for mitigation checks.
USHORT DllCharacteristics;
// One of IMAGE_FILE_MACHINE_*.
USHORT Machine;
// Not described by the accompanying text; name suggests whether the image
// holds executable code. Confirm.
BOOLEAN ImageContainsCode;
// One flag byte: readable whole (ImageFlags) or through the bit-fields below
// (six 1-bit flags plus 2 reserved bits). Meanings of the individual bits are
// not described by the accompanying text.
union
{
UCHAR ImageFlags;
struct
{
UCHAR ComPlusNativeReady : 1;
UCHAR ComPlusILOnly : 1;
// NOTE(review): name suggests the image was relocated at load time. Confirm.
UCHAR ImageDynamicallyRelocated : 1;
UCHAR ImageMappedFlat : 1;
UCHAR BaseBelow4gb : 1;
UCHAR ComPlusPrefer32bit : 1;
UCHAR Reserved : 2;
};
};
// The three members below are not described by the accompanying text.
// NOTE(review): presumably derived from the PE headers / image file. Confirm.
ULONG LoaderFlags;
ULONG ImageFileSize;
ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
The SECTION_IMAGE_INFORMATION structure is returned by a call to NtQuerySection with the SectionImageInformation information class. The system automatically checks the type and contents of the File Object passed as a parameter to NtCreateSection, and sets the SEC_IMAGE bit in the Section Attributes.
This structure is very useful in process creation, because the caller can check the most interesting PE header fields just before calling NtCreateProcess, without mapping the section into the target process's memory.
Image's entry point.
Number of leftmost bits of the stack address that must be set to zero. This determines the maximum stack address in process memory.
Total size of stack, in bytes.
Size of the initially committed stack block.
One of the IMAGE_SUBSYSTEM_* values described in the Microsoft SDK and available in the <winnt.h> header file.
Minor version number of subsystem.
Major version number of subsystem.
(?)
DLL Characteristics.
One of the IMAGE_FILE_MACHINE_* values.
(?)