mvankuipers/tf-article2-windbg-8.txt Secret

## tf-article2-windbg-8.txt
6: kd> !dh notepad.exe

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
       6 number of sections
559EA8BE time date stamp Thu Jul  9 10:00:46 2015

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
    A800 size of code
   25800 size of initialized data
       0 size of uninitialized data
    3ACC address of entry point
    1000 base of code
         ----- new -----
00000000ffd50000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
   35000 size of image
     600 size of headers
   36DA2 checksum
0000000000080000 size of stack reserve
0000000000011000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
    8140  DLL characteristics
            Dynamic base
            NX compatible
            Terminal server aware
       0 [       0] address [size] of Export Directory
    CFF8 [     12C] address [size] of Import Directory
   14000 [   1F168] address [size] of Resource Directory
   13000 [     6B4] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
   34000 [      B8] address [size] of Base Relocation Directory
    B740 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
     2E0 [     138] address [size] of Bound Import Directory
    C000 [     7F0] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory
…
	6: kd> !dh notepad.exe

	File Type: EXECUTABLE IMAGE
	FILE HEADER VALUES
	8664 machine (X64)
	6 number of sections
	559EA8BE time date stamp Thu Jul 9 10:00:46 2015

	0 file pointer to symbol table
	0 number of symbols
	F0 size of optional header
	22 characteristics
	Executable
	App can handle >2gb addresses

	OPTIONAL HEADER VALUES
	20B magic #
	9.00 linker version
	A800 size of code
	25800 size of initialized data
	0 size of uninitialized data
	3ACC address of entry point
	1000 base of code
	----- new -----
	00000000ffd50000 image base
	1000 section alignment
	200 file alignment
	2 subsystem (Windows GUI)
	6.01 operating system version
	6.01 image version
	6.01 subsystem version
	35000 size of image
	600 size of headers
	36DA2 checksum
	0000000000080000 size of stack reserve
	0000000000011000 size of stack commit
	0000000000100000 size of heap reserve
	0000000000001000 size of heap commit
	8140 DLL characteristics
	Dynamic base
	NX compatible
	Terminal server aware
	0 [ 0] address [size] of Export Directory
	CFF8 [ 12C] address [size] of Import Directory
	14000 [ 1F168] address [size] of Resource Directory
	13000 [ 6B4] address [size] of Exception Directory
	0 [ 0] address [size] of Security Directory
	34000 [ B8] address [size] of Base Relocation Directory
	B740 [ 38] address [size] of Debug Directory
	0 [ 0] address [size] of Description Directory
	0 [ 0] address [size] of Special Directory
	0 [ 0] address [size] of Thread Storage Directory
	0 [ 0] address [size] of Load Configuration Directory
	2E0 [ 138] address [size] of Bound Import Directory
	C000 [ 7F0] address [size] of Import Address Table Directory
	0 [ 0] address [size] of Delay Import Directory
	0 [ 0] address [size] of COR20 Header Directory
	0 [ 0] address [size] of Reserved Directory
	…