Bad magic number in coff file

The number of symbols indicates how many fixed-length symbol structures are in the symbol table. This value, coupled with the Symbol table pointer, allows you to calculate where the String table starts. The flags field usually indicates the state of the file. Usually this is used to quickly look up information that could be calculated from the rest of the file. For example, one bit of this field indicates if relocation information has been removed from the file, another bit indicates if all the external symbols have been resolved, etc.

The Optional header provides run-time information about the file and therefore is only present in executable COFF files. The Section table is an array of Section header structures. Unlike most other tables, the Section table is 1-based, meaning that the first Section is referred to as Section 1 instead of Section 0.

This is done because in the Symbol table, a Section number of 0 has a special meaning. The Section name field stores the name of this section if it is eight characters or fewer, otherwise this field contains a pointer into the String table. See the entry on the String table below. The Physical address field stores the memory start address for this file.

If the file has been linked so that this section is to be loaded to a specific location in memory, this field will have been set to that value. The Virtual address field is equivalent to the Physical address field for the Virtual memory space. However, in almost all instances, these two fields contain the same value. The Section pointer field contains the file offset where the raw data for this section begins.

This, coupled with the Section size, can be used to load the section data. The Flags field gives important information on how the Section should be handled when being processed.

The most important flag values relate to the type of field as follows:. Using Relocation entries, it is possible to load a section of code into an arbitrary memory address and then modify the code so that the memory addresses for Symbols are correct.

This means you can take a COFF file, load the.

RuntimeError: Bad magic number in. RuntimeError: Bad magic number in. Where can I find it? Also, what Python is it you used? Because I use Python 3. The first two bytes were "03 F3" which when reversed to "F3 03" give the decimal value According to the table, this means that it was built with Python 2.

See if that works. I cannot get Visual Studio because I have to be this subscriber. Ok, let's do TeamViewer I guess. How did it go? Are you still having this issue or can we close it? You should open a new issue if the answer to any of those is no. Those are linker errors. Look at our Readme on how to fix that.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the "subheaders" for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.

Finally, Dr. Nicole Beebe from The University of Texas at San Antonio posted samples of more than 32 file types at the Digital Corpora, which I used for verification and additional signatures. These files were used to develop the Sceadan File Type Classifier. The file samples can be downloaded from the Digital Corpora website.

Permission to use the material here is extended to any of this page's visitors, as long as appropriate attribution is provided and the information is not altered in any way without express written permission of the author. Amiga Hunk executable file. See the Unicode Home Page. Mbox table of contents file. NOTE: The next four bytes appear to be the number of e-mails in the associated mbox file. Firebird and Interbase database files, respectively.

See IBPhoenix for more information. The Bat! INFO2 Windows recycle bin file. Material Exchange Format file. Possibly, maybe, might be a fragment of an Ethernet frame carrying an IPv4 packet. Microsoft Outlook Personal Folder File. See RFC Audio compression format developed by Skype; also used by other applications.

Adobe encapsulated PostScript file. If this signature is not at the immediate beginning of the file, it will occur early in the file, commonly at byte offset 30 [0x1E]. NOTE: There may be multiple end-of-file marks within the file.

When carving, be sure to get the last one. This file must be converted with BinHex. The size in bytes of the image, including all headers, as the image is loaded in memory.

It must be a multiple of SectionAlignment. The image file checksum. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

The subsystem that is required to run this image. For more information, see Windows Subsystem. For more information, see DLL Characteristics later in this specification. The size of the stack to reserve. Only SizeOfStackCommit is committed; the rest is made available one page at a time until the reserve size is reached.

The size of the local heap space to reserve. Only SizeOfHeapCommit is committed; the rest is made available one page at a time until the reserve size is reached. The number of data-directory entries in the remainder of the optional header. Each describes a location and size. Does not use structured exception (SE) handling.

No SE handler may be called in this image. The export table address and size. For more information see. The import table address and size. The resource table address and size. The exception table address and size. The attribute certificate table address and size.

The base relocation table address and size. The debug data starting address and size. The RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero. The thread local storage (TLS) table address and size. The load configuration table address and size. The import address table address and size. For more information, see Import Address Table. The delay import descriptor address and size.

The CLR runtime header address and size. An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. Executable images do not use a string table and do not support section names longer than 8 characters.

Long names in object files are truncated if they are emitted to an executable file. The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files. For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory.

For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation. The size of the section for object files or the size of the initialized data on disk for image files. For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled.

When a section contains only uninitialized data, this field should be zero. The file pointer to the first page of the section within the COFF file. For object files, the value should be aligned on a 4-byte boundary for best performance.

The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations. The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. The number of relocation entries for the section.

This is set to zero for executable images. The number of line-number entries for the section. The flags that describe the characteristics of the section. For more information, see Section Flags. The section should not be padded to the next boundary. This is valid only for object files. The section contains comments or other information. This is valid for object files only. The address of the item to which relocation is applied. See Section Table (Section Headers).

For example, if the first byte of the section has an address of 0x10, the third byte has an address of 0x A zero-based index into the symbol table. This symbol gives the address that is to be used for the relocation. If the specified symbol has section storage class, then the symbol's address is the address with the first section of the same name.

A value that indicates the kind of relocation that should be performed. Valid relocation types depend on machine type. See Type Indicators. The bit section index of the section that contains the target. This is used to support debugging information. The bit offset of the target from the beginning of its section.

This is used to support debugging information and static thread local storage. The reference to a subroutine call. The reference consists of two bit instructions with bit offsets.

The bit VA of the target. The instruction is fixed up with the bit relative displacement to the 2-byte aligned target. The least significant bit of the displacement is always zero and is not stored. This relocation corresponds to a Thumb-2 bit conditional B instruction. The least significant bit of the displacement is zero and is not stored.

This relocation corresponds to a Thumb-2 B instruction. The instruction is fixed up with the bit relative displacement to the 4-byte aligned target. The low 2 bits of the displacement are zero and are not stored. This relocation corresponds to a Thumb-2 BLX instruction. Its SymbolTableIndex contains a displacement and not an index into the symbol table.

Bit of section offset of the target, for instruction LDR indexed, unsigned immediate. A reference to the 8-bit instruction that contains the effective bit VA of the target symbol. A reference to the 8-bit instruction whose low 4 bits contain the effective bit VA of the target symbol.

A reference to the 8-bit instruction that contains the effective bit relative offset of the target symbol. A reference to the bit instruction whose low 12 bits contain the effective bit relative offset of the target symbol. A reference to a bit location that is the VA of the section that contains the target symbol. A reference to the bit location that is the size of the section that contains the target symbol.

The offset from the current instruction in longwords. The SymbolTableIndex field of the relocation contains a displacement and not an index into the symbol table.

The low 24 bits of the VA of the target. This is valid only when the target symbol is absolute and can be sign-extended to its original value.

The low 14 bits of the target's VA. The high 16 bits of the target's bit VA. This is used for the first instruction in a two-instruction sequence that loads a full address. This relocation must be immediately followed by a PAIR relocation whose SymbolTableIndex contains a signed bit displacement that is added to the upper 16 bits that was taken from the location that is being relocated.

The bit relative displacement to the target. This supports the x86 relative branch and call instructions.

The instruction relocation can be followed by an ADDEND relocation whose value is added to the target address before it is inserted into the specified slot in the IMM14 bundle. The relocation target must be absolute or the image must be fixed. The instruction relocation can be followed by an ADDEND relocation whose value is added to the target address before it is inserted into the specified slot in the IMM22 bundle. The slot number of this relocation must be one (1).

The instruction is fixed up with the bit relative displacement to the bit aligned target. The low 4 bits of the displacement are zero and are not stored. The low 4 bits of the displacement, which are zero, are not stored. The LSBs of this relocation's offset must contain the slot number whereas the rest is the bundle address.

The bundle is fixed up with the bit relative displacement to the bit aligned target. The instruction is fixed up with the bit GP-relative offset to the target symbol's literal table entry.

The bit section index of the section contains the target. The instruction is fixed up with the bit offset of the target from the beginning of its section.

This relocation can be followed immediately by an ADDEND relocation, whose Value field contains the bit unsigned offset of the target from the beginning of the section. The slot number for this relocation must be one (1).

This relocation can be followed immediately by an ADDEND relocation whose Value field contains the bit unsigned offset of the target from the beginning of the section.

The address of data to be fixed up with the bit offset of the target from the beginning of its section. This is applied to a signed bit immediate that contains the difference between two relocatable targets.

This is a declarative field for the linker that indicates that the compiler has already emitted this value. This is applied to a signed bit immediate that contains the difference between two relocatable values. This is applied to an unsigned bit immediate that contains the difference between two relocatable values. A bit PC-relative fixup. B in slot 1 and a bit BR instruction with the 4 lowest bits all zero and dropped in slot 2. F in slot 1 and a bit 4 lowest bits all zero and dropped BR instruction in slot 2.

I in slot 1 and a bit 4 lowest bits all zero and dropped BR instruction in slot 2. M in slot 1 and a bit 4 lowest bits all zero and dropped BR instruction in slot 2. Its value contains the addend to apply to instructions within a bundle, not for data. This relocation must be immediately followed by a PAIR relocation whose SymbolTableIndex contains a signed bit displacement that is added to the upper 16 bits that are taken from the location that is being relocated.

The high 16 bits of the bit offset of the target from the beginning of its section. The SymbolTableIndex of the PAIR relocation contains a signed bit displacement that is added to the upper 16 bits that are taken from the location that is being relocated. The target's bit offset from the program counter (PC), shifted left by 2 bits and sign-extended.

This is used for the first instruction in a two-instruction sequence that loads a full bit address. When nonzero, this field specifies a one-based line number. When zero, the Type field is interpreted as a symbol table index for a function. Used when Linenumber is zero: index to symbol table entry for a function.

This format is used to indicate the function to which a group of line-number records refers. Used when Linenumber is non-zero: the RVA of the executable code that corresponds to the source line indicated. In an object file, this contains the VA within the section. The name of the symbol, represented by a union of three structures.

An array of 8 bytes is used if the name is not more than 8 bytes long. For more information, see Symbol Name Representation. The value that is associated with the symbol. The interpretation of this field depends on SectionNumber and StorageClass. A typical meaning is the relocatable address. The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning, as defined in section 5. A number that represents type.

Microsoft tools set this field to 0x20 (function) or 0x0 (not a function). For more information, see Type Representation. An enumerated value that represents storage class. For more information, see Storage Class. An array of 8 bytes. This array is padded with nulls on the right if the name is less than 8 bytes long. The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere.

A value of non-zero is a common symbol with a size that is specified by the value. The symbol provides general type or debugging information but does not correspond to a section.

Microsoft tools use this setting along with. A value that Microsoft tools use for external symbols. If the section number is not zero, then the Value field specifies the offset within the section.

The offset of the symbol within the section. If the Value field is zero, then the symbol represents a section name. A code label that is defined within the module. The Value field specifies the offset of the symbol within the section. The Value field is the relocatable address of the code location. A value that Microsoft tools use for symbol records that define the extent of a function: begin function. A value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record.

The symbol is followed by auxiliary records that name the file. A weak external. For more information, see Auxiliary Format 3: Weak Externals. A CLR token symbol. The size of the executable code for the function itself. If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment considerations.

The file offset of the first COFF line-number entry for the function, or zero if none exists. The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero. The actual ordinal line number (1, 2, 3, and so on) within the source file, corresponding to the.

The symbol-table index of the next. It is not used for. An ANSI string that gives the name of the source file. This is padded with nulls if it is less than the maximum length.

The checksum for communal data. One-based index into the section table for the associated section. If this symbol is already defined, the linker issues a "multiply defined symbol" error. The linker chooses an arbitrary section among the definitions for this symbol. If all definitions are not the same size, a "multiply defined symbol" error is issued. If all definitions do not match exactly, a "multiply defined symbol" error is issued.

This other section is indicated by the Number field of the auxiliary symbol record for the section definition. This setting is useful for definitions that have components in multiple sections (for example, code in one and data in another), but where all must be linked or discarded as a set. The linker chooses the largest definition from among all of the definitions for this symbol. If multiple definitions have this size, the choice between them is arbitrary.

Contains a certificate, such as an Authenticode signature. For details, see the following text. It is supported only for purposes of verifying legacy Authenticode signatures. The name resides in the read-only data section of the image. It is used for storage by the routine that is supplied to manage delay-loading. The RVA of the delay-load import address table. The RVA of the delay-load name table, which contains the names of the imports that might need to be loaded.

This matches the layout of the import name table. The RVA of the unload delay-load address table, if it exists. This is an exact copy of the delay import address table. If the caller unloads the DLL, this table should be copied back over the delay import address table so that subsequent calls to the DLL continue to use the thunking mechanism correctly.

The format of debugging information. This field enables support of multiple debuggers. For more information, see Debug Type. The COFF debug information (line numbers, symbol table, and string table). This type of debug information is also pointed to by fields in the file headers. The frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames, which use the EBP register for a purpose other than as a frame pointer.

A table with just one row (unlike the debug directory). This table indicates the locations and sizes of the other export tables.

An array of RVAs of exported symbols. These are the actual addresses of the exported functions and data within the executable code and data sections.

Other image files can import a symbol by using an index to this table (an ordinal) or, optionally, by using the public name that corresponds to the ordinal if a public name is defined.

An array of the ordinals that correspond to members of the name pointer table.


