Ghidra - Analyzers - IMAGE_LOAD_CONFIG_DIRECTORY

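This analyzer enhances the representation and underlying data of the PE LoadConfiguration structure within Ghidra. The two listings below show the same IMAGE_LOAD_CONFIG_DIRECTORY64 structure, first as Ghidra represents it natively and then after the analyzer has run.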

                    IMAGE_LOAD_CONFIG_DIRECTORY64_140011b20   XREF[1]:   1400001c0(*) 140011b20 40 01 00 00 00 00 00 00 00 00 00 00 00       IMAGE_LOAD_CONFIG_DIRECTORY64           00 00 00 00 00 00 00 00 00 00 00 00 00           00 00 00 00 00 00 00 00 00 00 00 00 00       140011b20 40 01 00 00                             ddw                       140h                                  Size                            XREF[1]:   1400001c0(*)       140011b24 00 00 00 00                             ddw                       0h                                    TimeDateStamp       140011b28 00 00                                   dw                        0h                                    MajorVersion       140011b2a 00 00                                   dw                        0h                                    MinorVersion       140011b2c 00 00 00 00                             ddw                       0h                                    GlobalFlagsClear       140011b30 00 00 00 00                             ddw                       0h                                    GlobalFlagsSet       140011b34 00 00 00 00                             ddw                       0h                                    CriticalSectionDefaultTimeout       140011b38 00 00 00 00 00 00 00 00                 dq                        0h                                    DeCommitFreeBlockThreshold       140011b40 00 00 00 00 00 00 00 00                 dq                        0h                                    DeCommitTotalFreeThreshold       140011b48 00 00 00 00 00 00 00 00                 addr                      00000000                              LockPrefixTable       140011b50 00 00 00 00 00 00 00 00                 dq                        0h                                    MaximumAllocationSize       140011b58 00 00 00 00 00 00 00 00                 dq                        0h                                    VirtualMemoryThreshold       140011b60 
00 00 00 00 00 00 00 00                 dq                        0h                                    ProcessAffinityMask       140011b68 00 00 00 00                             ddw                       0h                                    ProcessHeapFlags       140011b6c 00 00                                   dw                        0h                                    CsdVersion       140011b6e 00 00                                   dw                        0h                                    DependentLoadFlags       140011b70 00 00 00 00 00 00 00 00                 addr                      00000000                              EditList       140011b78 40 60 01 40 01 00 00 00                 addr                      DAT_140016040                         SecurityCookie                         = 32h    2       140011b80 00 00 00 00 00 00 00 00                 addr                      00000000                              SEHandlerTable       140011b88 00 00 00 00 00 00 00 00                 dq                        0h                                    SEHandlerCount       140011b90 70 10 01 40 01 00 00 00                 addr                      PTR__guard_check_icall_140011070      GuardCFCCheckFunctionPointer           = 14000b8d8       140011b98 80 10 01 40 01 00 00 00                 addr                      PTR__guard_dispatch_icall_140011080   GuardCFDispatchFunctionPointer         = 14000e2c0       140011ba0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardCFFunctionTable       140011ba8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardCFFunctionCount       140011bb0 00 01 00 00                             IMAGE_GUARD_FLAGS         IMAGE_GUARD_CF_INSTRUMENTED           GuardFlags       140011bb4 00 00 00 00 00 00 00 00 00 00 00 00     IMAGE_LOAD_CONFIG_CODE_I                                        CodeIntegrity       
140011bc0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardAddressTakenIatEntryTable       140011bc8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardAddressTakenIatEntryCount       140011bd0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardLongJumpTargetTable       140011bd8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardLongJumpTargetCount       140011be0 00 00 00 00 00 00 00 00                 addr                      00000000                              DynamicValueRelocTable       140011be8 f8 11 01 40 01 00 00 00                 addr                      DAT_1400111f8                         CHPEMetadataPointer                    = 02h       140011bf0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFFailureRoutine       140011bf8 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFFailureRoutineFunctionPointer       140011c00 00 00 00 00                             ddw                       0h                                    DynamicValueRelocTableOffset       140011c04 00 00                                   dw                        0h                                    DynamicValueRelocTableSection       140011c06 00 00                                   dw                        0h                                    Reserved1       140011c08 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFVerifyStackPointerFunctionPoin       140011c10 00 00 00 00                             ddw                       0h                                    HotPatchTableOffset       140011c14 00 00 00 00                             ddw                     
  0h                                    Reserved2       140011c18 00 00 00 00 00 00 00 00                 dq                        0h                                    Reserved3
                    IMAGE_LOAD_CONFIG_DIRECTORY64_140011b20   XREF[1]:   1400001c0(*) 140011b20 40 01 00 00 00 00 00 00 00 00 00 00 00       IMAGE_LOAD_CONFIG_DIRECTORY64           00 00 00 00 00 00 00 00 00 00 00 00 00           00 00 00 00 00 00 00 00 00 00 00 00 00       140011b20 40 01 00 00                             ddw                       140h                                  Size                            XREF[1]:   1400001c0(*)       140011b24 00 00 00 00                             ddw                       0h                                    TimeDateStamp       140011b28 00 00                                   dw                        0h                                    MajorVersion       140011b2a 00 00                                   dw                        0h                                    MinorVersion       140011b2c 00 00 00 00                             ddw                       0h                                    GlobalFlagsClear       140011b30 00 00 00 00                             ddw                       0h                                    GlobalFlagsSet       140011b34 00 00 00 00                             ddw                       0h                                    CriticalSectionDefaultTimeout       140011b38 00 00 00 00 00 00 00 00                 dq                        0h                                    DeCommitFreeBlockThreshold       140011b40 00 00 00 00 00 00 00 00                 dq                        0h                                    DeCommitTotalFreeThreshold       140011b48 00 00 00 00 00 00 00 00                 addr                      00000000                              LockPrefixTable       140011b50 00 00 00 00 00 00 00 00                 dq                        0h                                    MaximumAllocationSize       140011b58 00 00 00 00 00 00 00 00                 dq                        0h                                    VirtualMemoryThreshold       140011b60 
00 00 00 00 00 00 00 00                 dq                        0h                                    ProcessAffinityMask       140011b68 00 00 00 00                             ddw                       0h                                    ProcessHeapFlags       140011b6c 00 00                                   dw                        0h                                    CSDVersion       140011b6e 00 00                                   dw                        0h                                    DependentLoadFlags       140011b70 00 00 00 00 00 00 00 00                 addr                      00000000                              EditList       140011b78 40 60 01 40 01 00 00 00                 addr                      DAT_140016040                         SecurityCookie                         = 32h    2       140011b80 00 00 00 00 00 00 00 00                 dq *                      00000000                              SEHandlerTable       140011b88 00 00 00 00 00 00 00 00                 dq                        0h                                    SEHandlerCount       140011b90 70 10 01 40 01 00 00 00                 addr                      PTR__guard_check_icall_140011070      GuardCFCheckFunctionPointer            = 14000b8d8       140011b98 80 10 01 40 01 00 00 00                 addr                      PTR__guard_dispatch_icall_140011080   GuardCFDispatchFunctionPointer         = 14000e2c0       140011ba0 00 00 00 00 00 00 00 00                 ddw *                     00000000                              GuardCFFunctionTable       140011ba8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardCFFunctionCount       140011bb0 00 01 00 00                             IMAGE_GUARD_FLAGS         IMAGE_GUARD_CF_INSTRUMENTED           GuardFlags       140011bb4 00 00 00 00 00 00 00 00 00 00 00 00     IMAGE_LOAD_CONFIG_CODE_I                                        CodeIntegrity       
140011bc0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardAddressTakenIatEntryTable       140011bc8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardAddressTakenIatEntryCount       140011bd0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardLongJumpTargetTable       140011bd8 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardLongJumpTargetCount       140011be0 00 00 00 00 00 00 00 00                 addr                      00000000                              DynamicValueRelocTable       140011be8 f8 11 01 40 01 00 00 00                 IMAGE_ARM64EC_METADATA_V  IMAGE_ARM64EC_METADATA_V2_1400111f8   CHPEMetadataPointer       140011bf0 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFFailureRoutine       140011bf8 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFFailureRoutineFunctionPointer       140011c00 00 00 00 00                             ibo32                     NaP                                   DynamicValueRelocTableOffset       140011c04 00 00                                   dw                        0h                                    DynamicValueRelocTableSection       140011c06 00 00                                   dw                        0h                                    Reserved2       140011c08 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardRFVerifyStackPointerFunctionPoin       140011c10 00 00 00 00                             ibo32                     NaP                                   HotPatchTableOffset       140011c14 00 00 00 00                             ddw                       0h                     
               Reserved3       140011c18 00 00 00 00 00 00 00 00                 addr                      00000000                              EnclaveConfigurationPointer       140011c20 00 00 00 00 00 00 00 00                 addr                      00000000                              VolatileMetadataPointer       140011c28 00 00 00 00 00 00 00 00                 addr                      00000000                              GuardEHContinuationTable       140011c30 00 00 00 00 00 00 00 00                 dq                        0h                                    GuardEHContinuationCount       140011c38 78 10 01 40 01 00 00 00                 addr                      PTR__guard_check_icall_140011078      GuardXFGCheckFunctionPointer           = 14000b8d8       140011c40 88 10 01 40 01 00 00 00                 addr                      PTR_LAB_140011088                     GuardXFGDispatchFunctionPointer        = 14000e2e0       140011c48 90 10 01 40 01 00 00 00                 addr                      PTR_LAB_140011090                     GuardXFGTableDispatchFunctionPointer   = 14000e2e0       140011c50 98 10 01 40 01 00 00 00                 addr                      DAT_140011098                         CastGuardOsDeterminedFailureMode       140011c58 a0 10 01 40 01 00 00 00                 addr                      PTR_LAB_1400110a0                     GuardMemcpyFunctionPointer             = 14000e080
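The layout of this structure – exposed in LIEF through the LoadConfiguration interface – evolves frequently across new Windows releases. As of today, Ghidra does not natively recognize many of the newer attributes introduced in recent versions. In the example above, the Size field declares 140h bytes, but the first listing ends after Reserved3 at offset 100h, while the second continues through GuardMemcpyFunctionPointer and covers fields such as GuardEHContinuationTable and the GuardXFG function pointers. By running this analyzer, you obtain a more complete and accurate representation of these attributes along with their correct data types.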
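Beyond the Load Configuration, the analyzer also defines additional structures, such as IMAGE_ARM64EC_METADATA_V2, which provide valuable context for analyzing ARM64EC binaries. These definitions make it easier to interpret the purpose of certain functions and pointers, leading to deeper insights during reverse engineering. The two listings below show the data referenced by CHPEMetadataPointer (at 1400111f8), first as undefined bytes and then with the structure applied.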
                    DAT_1400111f8                             XREF[1]:   140011be8(*) 1400111f8 02                                           ??                                                   02h 1400111f9 00                                           ??                                                   00h 1400111fa 00                                           ??                                                   00h 1400111fb 00                                           ??                                                   00h 1400111fc 00                                           ??                                                   00h 1400111fd 1e                                           ??                                                   1Eh 1400111fe 01                                           ??                                                   01h 1400111ff 00                                           ??                                                   00h 140011200 02                                           ??                                                   02h 140011201 00                                           ??                                                   00h 140011202 00                                           ??                                                   00h 140011203 00                                           ??                                                   00h 140011204 b4                                           ??                                                   B4h 140011205 1c                                           ??                                                   1Ch 140011206 01                                           ??                                                   01h 140011207 00                                           ??                                                   00h 140011208 00                                           ??                                                   
00h 140011209 90                                           ??                                                   90h 14001120a 01                                           ??                                                   01h 14001120b 00                                           ??                                                   00h 14001120c 00                                           ??                                                   00h 14001120d 10                                           ??                                                   10h 14001120e 01                                           ??                                                   01h 14001120f 00                                           ??                                                   00h 140011210 08                                           ??                                                   08h 140011211 10                                           ??                                                   10h 140011212 01                                           ??                                                   01h 140011213 00                                           ??                                                   00h 140011214 18                                           ??                                                   18h
                    IMAGE_ARM64EC_METADATA_V2_1400111f8       XREF[1]:   140011be8(*) 1400111f8 02 00 00 00 00 1e 01 00 02 00 00 00 b4       IMAGE_ARM64EC_METADATA_V2           1c 01 00 00 90 01 00 00 10 01 00 08 10           01 00 18 10 01 00 10 10 01 00 20 10 01       1400111f8 02 00 00 00 00 1e 01 00 02 00 00 00 b4  IMAGE_ARM64EC_METADATA                                                                              V1                 1c 01 00 00 90 01 00 00 10 01 00 08 10                 01 00 18 10 01 00 10 10 01 00 20 10 01          1400111f8 02 00 00 00                             ddw                2h                                                             Version          1400111fc 00 1e 01 00                             ibo32              IMAGE_ARM64EC_METADATA_CODE_RANGE_ARRAY_140011e00              CodeMap          140011200 02 00 00 00                             ddw                2h                                                             CodeMapCount          140011204 b4 1c 01 00                             ibo32              IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT_ARRAY_140011cb4           CodeRangesToEntryPoints          140011208 00 90 01 00                             ibo32              IMAGE_ARM64EC_METADATA_REDIRECTION_ARRAY_140019000             RedirectionMetadata          14001120c 00 10 01 00                             ibo32              DAT_140011000                                                  __os_arm64x_dispatch_call_no_redirect          140011210 08 10 01 00                             ibo32              DAT_140011008                                                  __os_arm64x_dispatch_ret          140011214 18 10 01 00                             ibo32              DAT_140011018                                                  __os_arm64x_dispatch_call          140011218 10 10 01 00                             ibo32              PTR_DAT_140011010                                              __os_arm64x_dispatch_icall         
 14001121c 20 10 01 00                             ibo32              PTR_DAT_140011020                                              __os_arm64x_dispatch_icall_cfg          140011220 00 00 00 00                             ibo32              NaP                                                            AlternateEntryPoint          140011224 00 50 01 00                             ibo32              PTR_DAT_140015000                                              AuxiliaryIAT          140011228 01 00 00 00                             ddw                1h                                                             CodeRangesToEntryPointsCount          14001122c 01 00 00 00                             ddw                1h                                                             RedirectionMetadataCount          140011230 28 10 01 00                             ibo32              DAT_140011028                                                  GetX64InformationFunctionPointer          140011234 30 10 01 00                             ibo32              DAT_140011030                                                  SetX64InformationFunctionPointer          140011238 00 70 01 00                             ibo32              IMAGE_ARM64_RUNTIME_FUNCTION_UNPACKED_ENTRY_140017000          ExtraRFETable          14001123c 38 0d 00 00                             ddw                D38h                                                           ExtraRFETableSize          140011240 38 10 01 00                             ibo32              DAT_140011038                                                  __os_arm64x_dispatch_fptr          140011244 48 3e 01 00                             ibo32              PTR_DAT_140013e48                                              AuxiliaryIATCopy       140011248 00 00 00 00                             ibo32              NaP                                                            AuxDelayloadIAT       14001124c 00 00 00 00                 
            ibo32              NaP                                                            AuxDelayloadIATCopy       140011250 00 00 00 00                             ddw                0h                                                             ReservedBitField

BinaryNinja

BinaryNinja’s LIEF plugin also provides this support: LoadConfiguration