SECTION_IMAGE_INFORMATION

2OO0, 26 November

typedef struct _SECTION_IMAGE_INFORMATION {



  PVOID                   EntryPoint;
  ULONG                   StackZeroBits;
  ULONG                   StackReserved;
  ULONG                   StackCommit;
  ULONG                   ImageSubsystem;
  WORD                    SubSystemVersionLow;
  WORD                    SubSystemVersionHigh;
  ULONG                   Unknown1;
  ULONG                   ImageCharacteristics;
  ULONG                   ImageMachineType;
  ULONG                   Unknown2[3];

} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

Structure SECTION_IMAGE_INFORMATION is returned as a result of call NtQuerySection with SectionImageInformation information class. System automatically check type and contents of File Object passed as a parameter to function NtCreateSection, and sets SEC_IMAGE bit on Section Attributes.

This structure is very useful in process creation, becouse caller can check most interesting of PE Header fields just before call to NtCreateProcess and without mapping section to target process'es memory.

EntryPoint Image's entry point.

StackZeroBits Number of bits from left side of stack address must be set to zero. It means maximum stack's address in process memory.

StackReserved Total size of stack, in bytes.

StackCommit Initially commited stack's block size.

ImageSubsystem One of IMAGE_SUBSYSTEM_* descripted in Microsoft SDK and avaiable in <winnt.h> header file.

SubSystemVersionLow Minor version number of subsystem.

SubSystemVersionHigh Major version number of subsystem.

Unknown1 (?)

ImageCharacteristics DLL Characteristics.

ImageMachineType One of IMAGE_FILE_MACHINE_*.

Unknown2[3] (?)

Documented by:

Tomasz Nowak

Requirements:

Library: ntdll.lib

Undocumented functions of NTDLL