spec structs.txt

Offset Size Field Description


PEFileHeader

0 2 Machine Always 0x14c.
2 2 NumberOfSections Number of sections; indicates size of the Section Table, which immediately follows the headers.
4 4 TimeDateStamp Time and date the file was created in seconds since January 1st 1970 00:00:00 or 0.
8 4 PointerToSymbolTable Always 0 (§II.24.1).
12 4 NumberOfSymbols Always 0 (§II.24.1).
16 2 OptionalHeader Size Size of the optional header, the format is described below.
18 2 Characteristics Flags indicating attributes of the file, see §II.25.2.2.1.


PEHeaderStandardFields 

0 2 Magic Always 0x10B.
2 1 LMajor Always 6 (§II.24.1).
3 1 LMinor Always 0 (§II.24.1).
4 4 CodeSize Size of the code (text) section, or the sum of all code sections if there are multiple sections.
8 4 InitializedDataSize Size of the initialized data section, or the sum of all such sections if there are multiple data sections.
12 4 UninitializedDataSize Size of the uninitialized data section, or the sum of all such sections if there are multiple unitinitalized data sections.
16 4 EntryPointRVA RVA of entry point , needs to point to bytes 0xFF 0x25 followed by the RVA in a section marked execute/read for EXEs or 0 for DLLs
20 4 BaseOfCode RVA of the code section. (This is a hint to the loader.)
24 4 BaseOfData RVA of the data section. (This is a hint to the loader.)


PEHeaderWindowsNtSpecificFields 

28 4 ImageBase Shall be a multiple of 0x10000.
32 4 SectionAlignment Shall be greater than File Alignment.
36 4 FileAlignment Should be 0x200 (§II.24.1).
40 2 OSMajor Should be 5 (§II.24.1).
42 2 OSMinor Should be 0 (§II.24.1).
44 2 UserMajor Should be 0 (§II.24.1).
46 2 UserMinor Should be 0 (§II.24.1).
48 2 SubSysMajor Should be 5 (§II.24.1).
50 2 SubSysMinor Should be 0 (§II.24.1).
52 4 Reserved Shall be zero
56 4 ImageSize Size, in bytes, of image, including all headers and padding; shall be a multiple of Section Alignment.
60 4 HeaderSize Combined size of MS-DOS Header, PE Header, PE Optional Header and padding; shall be a multiple of the file alignment.
64 4 FileChecksum Should be 0 (§II.24.1).
68 2 SubSystem Subsystem required to run this image. Shall be either IMAGE_SUBSYSTEM_WINDOWS_CUI (0x3) or IMAGE_SUBSYSTEM_WINDOWS_GUI (0x2).
70 2 DLLFlags Bits 0x100f shall be zero.
72 4 StackReserveSize Should be 0x100000 (1Mb) (§II.24.1).
76 4 StackCommitSize Should be 0x1000 (4Kb) (§II.24.1).
80 4 HeapReserveSize Should be 0x100000 (1Mb) (§II.24.1).
84 4 HeapCommitSize Should be 0x1000 (4Kb) (§II.24.1).
88 4 LoaderFlags Shall be 0
92 4 NumberOfDataDirectories Shall be 0x10


PEHeaderHeaderDataDirectories 

96 8 ExportTable Always 0 (§II.24.1).
104 8 ImportTable RVA and Size of Import Table, (§II.25.3.1).
112 8 ResourceTable Always 0 (§II.24.1).
120 8 ExceptionTable Always 0 (§II.24.1).
128 8 CertificateTable Always 0 (§II.24.1).
136 8 BaseRelocationTable Relocation Table; set to 0 if unused (§).
144 8 Debug Always 0 (§II.24.1).
152 8 Copyright Always 0 (§II.24.1).
160 8 GlobalPtr Always 0 (§II.24.1).
168 8 TLSTable Always 0 (§II.24.1).
176 8 LoadConfigTable Always 0 (§II.24.1).
184 8 BoundImport Always 0 (§II.24.1).
192 8 IAT RVA and Size of Import Address Table,(§II.25.3.1).
200 8 DelayImportDescriptor Always 0 (§II.24.1).
208 8 CLIHeader CLI Header with directories for runtime data,(§II.25.3.1).
216 8 Reserved Always 0 (§II.24.1)


SectionHeaders

0 8 Name An 8-byte, null-padded ASCII string. There is no terminating null if the string is exactly eight characters long.
8 4 VirtualSize Total size of the section in bytes. If this value is greater than SizeOfRawData, the section is zero-padded.
12 4 VirtualAddress For executable images this is the address of the first byte of the section, when loaded into memory, relative to the image base.
16 4 SizeOfRawData Size of the initialized data on disk in bytes, shall be a multiple of FileAlignment from the PE header. If this is less than VirtualSize the remainder of the section is zero filled. Because this field is rounded while the VirtualSize field is not it is possible for this to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be 0.
20 4 PointerToRawData Offset of section’s first page within the PE file. This shall be a multiple of FileAlignment from the optional header. When a section contains only uninitialized data, this field should be 0.
24 4 PointerToRelocations Should be 0 (§II.24.1).
28 4 PointerToLinenumbers Should be 0 (§II.24.1).
32 2 NumberOfRelocations Should be 0 (§II.24.1).
34 2 NumberOfLinenumbers Should be 0 (§II.24.1).
36 4 Characteristics Flags describing section’s characteristics; see below.


ImportAddressTable

0 4 ImportLookupTable RVA of the Import Lookup Table
4 4 DateTimeStamp Always 0 (§II.24.1).
8 4 ForwarderChain Always 0 (§II.24.1).
12 4 Name RVA of null-terminated ASCII string “mscoree.dll”.
16 4 ImportAddressTable RVA of Import Address Table (this is the same as the RVA of the IAT descriptor in the optional header).
20 20 End of Import Table. Shall be filled with zeros.


CLIHeader
0 4 Cb Size of the header in bytes
4 2 MajorRuntimeVersion The minimum version of the runtime required to run this program, currently 2.
6 2 MinorRuntimeVersion The minor portion of the version, currently 0.
8 8 MetaData RVA and size of the physical metadata (§II.24).
16 4 Flags Flags describing this runtime image. (§II.25.3.3.1).
20 4 EntryPointToken Token for the MethodDef or File of the entry point for the image
24 8 Resources RVA and size of implementation-specific resources.
32 8 StrongNameSignature RVA of the hash data for this PE file used by the CLI loader for binding and versioning
40 8 CodeManagerTable Always 0 (§II.24.1).
48 8 VTableFixups RVA of an array of locations in the file that contain an array of function pointers (e.g., vtable slots), see below.
56 8 ExportAddressTableJumps Always 0 (§II.24.1).
64 8 ManagedNativeHeader Always 0 (§II.24.1).


MetadataRoot

0 4 Signature Magic signature for physical metadata : 0x424A5342.
4 2 MajorVersion Major version, 1 (ignore on read)
6 2 MinorVersion Minor version, 1 (ignore on read)
8 4 Reserved Reserved, always 0 (§II.24.1).
12 4 Length Number of bytes allocated to hold version string, rounded up to a multiple of four.
16 m Version UTF8-encoded null-terminated version string of length m (see above)
16+m x-m Padding to next 4 byte boundary.
16+x 2 Flags Reserved, always 0 (§II.24.1).
16+x+2 2 Streams Number of streams, say n.
16+x+4 StreamHeaders Array of n StreamHdr structures.


TildeStream

0 4 Reserved Reserved, always 0 (§II.24.1).
4 1 MajorVersion Major version of table schemata; shall be 2 (§II.24.1).
5 1 MinorVersion Minor version of table schemata; shall be 0 (§II.24.1).
6 1 HeapSizes Bit vector for heap sizes.
7 1 Reserved Reserved, always 1 (§II.24.1).
8 8 Valid Bit vector of present tables, let n be the number of bits that are 1.
16 8 Sorted Bit vector of sorted tables.
24 4*n Rows Array of n 4-byte unsigned integers indicating the number of rows for each present table.
24+4*n Tables The sequence of physical tables.


AssemblyHashAlgorithm

None 0x0000
Reserved_MD5 0x8003
SHA1 0x8004


AssemblyFlags

PublicKey 0x0001 The assembly reference holds the full (unhashed) public key.
Retargetable 0x0100 The implementation of this assembly used at runtime is not expected to match the version seen at compile time. (See the text following this table.)
DisableJITcompileOptimizer 0x4000 Reserved (a conforming implementation of the CLI can ignore this setting on read; some implementations might use this bit to indicate that a CIL-to-native-code compiler should not generate optimized code)
EnableJITcompileTracking 0x8000 Reserved (a conforming implementation of the CLI can ignore this setting on read; some implementations might use this bit to indicate that a CIL-to-native-code compiler should generate CIL-to-native code map)


TypeAttributes

Visibility attributes
VisibilityMask 0x00000007 Use this mask to retrieve visibility information. These 3 bits contain one of the following values:
NotPublic 0x00000000 Class has no public scope
Public 0x00000001 Class has public scope
NestedPublic 0x00000002 Class is nested with public visibility
NestedPrivate 0x00000003 Class is nested with private visibility
NestedFamily 0x00000004 Class is nested with family visibility
NestedAssembly 0x00000005 Class is nested with assembly visibility
NestedFamANDAssem 0x00000006 Class is nested with family and assembly visibility
NestedFamORAssem 0x00000007 Class is nested with family or assembly visibility

Class layout attributes
LayoutMask 0x00000018 Use this mask to retrieve class layout information. These 2 bits contain one of the following values:
AutoLayout 0x00000000 Class fields are auto-laid out
SequentialLayout 0x00000008 Class fields are laid out sequentially
ExplicitLayout 0x00000010 Layout is supplied explicitly

Class semantics attributes
ClassSemanticsMask 0x00000020 Use this mask to retrive class semantics information. This bit contains one of the following values:
Class 0x00000000 Type is a class
Interface 0x00000020 Type is an interface

Special semantics in addition to class semantics
Abstract 0x00000080 Class is abstract
Sealed 0x00000100 Class cannot be extended
SpecialName 0x00000400 Class name is special

Implementation Attributes
Import 0x00001000 Class/Interface is imported
Serializable 0x00002000 Reserved (Class is serializable)

String formatting Attributes
StringFormatMask 0x00030000 Use this mask to retrieve string information for native interop. These 2 bits contain one of the following values:
AnsiClass 0x00000000 LPSTR is interpreted as ANSI
UnicodeClass 0x00010000 LPSTR is interpreted as Unicode
AutoClass 0x00020000 LPSTR is interpreted automatically
CustomFormatClass 0x00030000 A non-standard encoding specified by CustomStringFormatMask
CustomStringFormatMask 0x00C00000 Use this mask to retrieve non-standard encoding information for native interop. The meaning of the values of these 2 bits is unspecified.

Class Initialization Attributes
BeforeFieldInit 0x00100000 Initialize the class before first static field access

Additional Flags
RTSpecialName 0x00000800 CLI provides 'special' behavior, depending upon the name of the Type
HasSecurity 0x00040000 Type has security associate with it
IsTypeForwarder 0x00200000 This ExportedType entry is a type forwarder

HasCustomAttribute:
MethodDef 0
Field 1
TypeRef 2
TypeDef 3
Param 4
InterfaceImpl 5
MemberRef 6
Module 7
Permission 8
Property 9
Event 10
StandAloneSig 11
ModuleRef 12
TypeSpec 13
Assembly 14
AssemblyRef 15
File 16
ExportedType 17
ManifestResource 18
GenericParam 19
GenericParamConstraint 20
MethodSpec 21


FatFormat 
0 12 (bits) Flags Flags (CorILMethod_FatFormat shall be set in bits 0:1, see §II.25.4.4)
12 (bits) 4 (bits) Size Size of this header expressed as the count of 4-byte integers occupied (currently 3)
2 2 MaxStack Maximum number of items on the operand stack
4 4 CodeSize Size in bytes of the actual method body
8 4 LocalVarSigTok Meta Data token for a signature describing the layout of the local variables for the method


MachineTypes
MachineUnknown = 0x0,
MachineAm33 = 0x1d3,
MachineAmd64 = 0x8664,
MachineArm = 0x1c0,
MachineArmnt = 0x1c4,
MachineArm64 = 0xaa64,
MachineEbc = 0xebc,
MachineI386 = 0x14c,
MachineIa64 = 0x200,
MachineM32r = 0x9041,
MachineMips16 = 0x266,
MachineMipsfpu = 0x366,
MachineMipsfpu16 = 0x466,
MachinePowerpc = 0x1f0,
MachinePowerpcfp = 0x1f1,
MachineR4000 = 0x166,
MachineSh3 = 0x1a2,
MachineSh3dsp = 0x1a3,
MachineSh4 = 0x1a6,
MachineSh5 = 0x1a8,
MachineThumb = 0x1c2,
MachineWcemipsv2 = 0x169,


FieldAttributes
FieldAccessMask 0x0007 These 3 bits contain one of the following values:
CompilerControlled 0x0000 Member not referenceable
Private 0x0001 Accessible only by the parent type
FamANDAssem 0x0002 Accessible by sub-types only in this Assembly
Assembly 0x0003 Accessibly by anyone in the Assembly
Family 0x0004 Accessible only by type and sub-types
FamORAssem 0x0005 Accessibly by sub-types anywhere, plus anyone in assembly
Public 0x0006 Accessibly by anyone who has visibility to this scope field contract attributes
Static 0x0010 Defined on type, else per instance
InitOnly 0x0020 Field can only be initialized, not written to after init
Literal 0x0040 Value is compile time constant
NotSerialized 0x0080 Reserved (to indicate this field should not be serialized when type is remoted)
SpecialName 0x0200 Field is special
PInvokeImpl 0x2000 Implementation is forwarded through PInvoke.
RTSpecialName 0x0400 CLI provides 'special' behavior, depending upon the name of the field
HasFieldMarshal 0x1000 Field has marshalling information
HasDefault 0x8000 Field has default
HasFieldRVA 0x0100 Field has RVA


EventAttributes
SpecialName 0x0200 Event is special
RTSpecialName 0x0400 CLI provides 'special' behavior, depending upon the name of the event


FileAttributes
ContainsMetaData 0x0000 This is not a resource file
ContainsNoMetaData 0x0001 This is a resource file or other non-metadata-containing file


GenericParamAttributes
None 0x0000 The generic parameter is non-variant and has no special constraints
Covariant 0x0001 The generic parameter is covariant
Contravariant 0x0002 The generic parameter is contravariant
ReferenceTypeConstraint 0x0004 The generic parameter has the class special constraint
NotNullableValueTypeConstraint 0x0008 The generic parameter has the valuetype special constraint
DefaultConstructorConstraint 0x0010 The generic parameter has the .ctor special constraint


PInvokeAttributes
NoMangle 0x0001 PInvoke is to use the member name as specified
SupportsLastError 0x0040 Information about target function. Not relevant for fields
NotSpec 0x0000
Ansi 0x0002
Unicode 0x0004
Auto 0x0006
Platformapi 0x0100
Cdecl 0x0200
Stdcall 0x0300
Thiscall 0x0400
Fastcall 0x0500

 
ManifestResourceAttributes
Public 0x0001 The Resource is exported from the Assembly
Private 0x0002 The Resource is private to the Assembly


ParamAttributes
In 0x0001 Param is [In]
Out 0x0002 Param is [out]
Optional 0x0010 Param is optional
HasDefault 0x1000 Param has default value
HasFieldMarshal 0x2000 Param has FieldMarshal


MethodAttributes
MemberAccessMask 0x0007 These 3 bits contain one of the following values:
CompilerControlled 0x0000 Member not referenceable
Private 0x0001 Accessible only by the parent type
FamANDAssem 0x0002 Accessible by sub-types only in this Assembly
Assem 0x0003 Accessibly by anyone in the Assembly
Family 0x0004 Accessible only by type and sub-types
FamORAssem 0x0005 Accessibly by sub-types anywhere, plus anyone in assembly
Public 0x0006 Accessibly by anyone who has visibility to this scope

VtableLayoutMask 0x0100 Use this mask to retrieve vtable attributes. This bit contains one of the following values:
ReuseSlot 0x0000 Method reuses existing slot in vtable
NewSlot 0x0100 Method always gets a new slot in the vtable

Static 0x0010 Defined on type, else per instance
Final 0x0020 Method cannot be overridden
Virtual 0x0040 Method is virtual
HideBySig 0x0080 Method hides by name+sig, else just by name
Strict 0x0200 Method can only be overriden if also accessible
Abstract 0x0400 Method does not provide an implementation
SpecialName 0x0800 Method is special
PInvokeImpl 0x2000 Implementation is forwarded through PInvoke
UnmanagedExport 0x0008 Reserved: shall be zero for conforming implementations
RTSpecialName 0x1000 CLI provides 'special' behavior, depending upon the name of the method
HasSecurity 0x4000 Method has security associate with it
RequireSecObject 0x8000 Method calls another method containing security code.


MethodImplAttributes
CodeTypeMask 0x0003
IL 0x0000 Method impl is CIL
Native 0x0001 Method impl is native
OPTIL 0x0002 Reserved: shall be zero in conforming implementations
Runtime 0x0003 Method impl is provided by the runtime

ManagedMask 0x0004 Flags specifying whether the code is managed or unmanaged.
Unmanaged 0x0004 Method impl is unmanaged, otherwise managed
Managed 0x0000 Method impl is managed

ForwardRef 0x0010 Indicates method is defined; used primarily in merge scenarios
PreserveSig 0x0080 Reserved: conforming implementations can ignore
InternalCall 0x1000 Reserved: shall be zero in conforming implementations
Synchronized 0x0020 Method is single threaded through the body
NoInlining 0x0008 Method cannot be inlined
MaxMethodImplVal 0xffff Range check value
NoOptimization 0x0040 Method will not be optimized when generating native code


MethodSemanticsAttributes
Setter 0x0001 Setter for property
Getter 0x0002 Getter for property
Other 0x0004 Other method for property or event
AddOn 0x0008 AddOn method for event. This refers to the required add_ method for events. (§22.13)
RemoveOn 0x0010 RemoveOn method for event. This refers to the required remove_ method for events. (§22.13)
Fire 0x0020 Fire method for event. This refers to the optional raise_ method for events. (§22.13)


PropertyAttributes
SpecialName 0x0200 Property is special
RTSpecialName 0x0400 Runtime(metadata internal APIs) should check name encoding
HasDefault 0x1000 Property has default
Unused 0xe9ff Reserved: shall be zero in a conforming implementation


MethodHeaderSection
EHTable 0x1 Exception handling data.
OptILTable 0x2 Reserved, shall be 0.
FatFormat 0x40 Data format is of the fat variety, meaning there is a 3-byte length least-significant byte first format. If not set, the header is small with a 1-byte length
MoreSects 0x80 Another data section occurs after this current section


SmallExceptionHandlingClause
0 2 Flags Flags, see below.
2 2 TryOffset Offset in bytes of try block from start of method body.
4 1 TryLength Length in bytes of the try block
5 2 HandlerOffset Location of the handler for this try block
7 1 HandlerLength Size of the handler code in bytes
20 4 ClassTokenOrFilterOffset Meta data token for a type-based exception handler OR offset in method body for filter-based exception handler


LargeExceptionHandlingClause
0 4 Flags Flags, see below.
4 4 TryOffset Offset in bytes of try block from start of method body.
8 4 TryLength Length in bytes of the try block
12 4 HandlerOffset Location of the handler for this try block
16 4 HandlerLength Size of the handler code in bytes
20 4 ClassTokenOrFilterOffset Meta data token for a type-based exception handler OR offset in method body for filter-based exception handler

LargeExceptionClauseFlags
Exception 0x0000 A typed exception clause
Filter 0x0001 An exception filter and handler clause
Finally 0x0002 A finally clause
Fault 0x0004 Fault clause (finally that is called on exception only)

ElementType
End 0x00 Marks end of a list
Void 0x01
Boolean 0x02
Char 0x03
Int1 0x04
UInt1 0x05
Int2 0x06
UInt2 0x07
Int4 0x08
UInt4 0x09
Int8 0x0a
UInt8 0x0b
Real4 0x0c
Real8 0x0d
String 0x0e
Ptr 0x0f Followed by type
Byref 0x10 Followed by type
Valuetype 0x11 Followed by TypeDef or TypeRef token
Class 0x12 Followed by TypeDef or TypeRef token
Var 0x13 Generic parameter in a generic type definition, represented as number (compressed unsigned integer)
Array 0x14 type rank boundsCount bound1 … loCount lo1 …
Genericinst 0x15 Generic type instantiation. Followed by type type-arg-count type-1 ... type-n
Typedbyref 0x16
IntPtr 0x18 System.IntPtr
UIntPtr 0x19 System.UIntPtr
Fnptr 0x1b Followed by full method signature
Object 0x1c System.Object
Szarray 0x1d Single-dim array with 0 lower bound
Mvar 0x1e Generic parameter in a generic method definition, represented as number (compressed unsigned integer)
Cmod_reqd 0x1f Required modifier : followed by a TypeDef or TypeRef token
Cmod_opt 0x20 Optional modifier : followed by a TypeDef or TypeRef token
Internal 0x21 Implemented within the CLI
Modifier 0x40 Or’d with following element types
Sentinel 0x41 Sentinel for vararg method signature
Pinned 0x45 Denotes a local variable that points at a pinned object
Unknown1 0x50 Indicates an argument of type System.Type.
Unknown2 0x51 Used in custom attributes to specify a boxed object (§II.23.3).
Unknown3 0x52 Reserved
Unknown4 0x53 Used in custom attributes to indicate a FIELD (§II.22.10, II.23.3).