Update
Recently I got a message from Axel S. (Thanks!) who explains that:
It’s emitted by the linker in Visual Studio 2015 and later. The linker calls it “COFF group information” and you can prevent this directory from being emitted by specifying the additional linker option /nocoffgrpinfo.
He also provided a syntax for link.exe that can be used to dump the data from an executable:
link /dump /headers /coffgroup <file>
The below example is for Notepad.exe from Windows 10:
POGO Phase
RVA Size Name
-------- -------- ----
00001000 328 .rdata$brc
00001328 4 .CRT$XCA
0000132C 4 .CRT$XCAA
00001330 10 .CRT$XCU
00001340 4 .CRT$XCZ
00001344 4 .CRT$XIA
00001348 4 .CRT$XIAA
0000134C 4 .CRT$XIY
00001350 4 .CRT$XIZ
00001354 15C .cfguard
000014B0 2FE0 .rdata
00004490 8 .rdata$sxdata
00004498 10 .rdata$zETW0
000044A8 3BB .rdata$zETW1
00004863 38 .rdata$zETW2
0000489B 1 .rdata$zETW9
0000489C 2D0 .rdata$zzzdbg
00004B6C 1C6 .text
00004D32 6E .text$di
00004DA0 16172 .text$mn
0001AF12 20 .text$x
0001AF32 76 .text$yd
0001AFA8 FC .xdata$x
0001C000 180 .data$brc
0001C180 660 .data
0001C7E0 1EC4 .bss
0001F000 4B4 .idata$5
0001F4B4 4 .00cfg
0001F4B8 230 .idata$2
0001F6E8 14 .idata$3
0001F6FC 4B4 .idata$4
0001FBB0 14A4 .idata$6
00022000 530 .rsrc$01
00022530 197B0 .rsrc$02
Update
Okay, so after googling around I think I figured it out – the section is actually called LTCG (read it backwards 🙂 and is related to Link Time Code Generation and Profile Guided Optimization (PGO or pogo):
Link Time Code Generation (AKA Whole Program Optimization) produces better code quality as we have additional whole program optimization to further optimize the code leveraging the bigger picture of the entire program that is only available during LTCG. LTCG is great for code quality, and it’s the foundation for Pogo; however throughput is its downside and developers today have to wait for full clean LTCG build times even on making trivial edits. This often kills the popularity of this feature and developers today are forced away to throw these extra performance improvements away in favor of productivity.
– as explained here. Still don’t know what is a full meaning of the data, but hopefully structures are already documented somewhere.
Here is how latest winedump ‘sees’ the file:
Debug Table (2 directories)
Directory 01
Characteristics: 00000000
TimeDateStamp: 559F3C62 Fri Jul 10 11:30:42 2015
Version 0.00
Type: 2 (CODEVIEW)
SizeOfData: 37
AddressOfRawData: 000016A4
PointerToRawData: 00000AA4
CodeView Data
Signature: RSDS
Guid: {401da8a1-859a-4c87-a389-dbddda54527d}
Age: 00000001
Filename: DirectDB.pdb
Directory 02
Characteristics: 00000000
TimeDateStamp: 559F3C62 Fri Jul 10 11:30:42 2015
Version 0.00
Type: 13 (POGO)
SizeOfData: 432
AddressOfRawData: 000016E0
PointerToRawData: 00000AE0
Older post
While looking at the Windows 10 binaries I noticed it contains an extra debug section marked as ‘GCTL’. I don’t know what is the purpose of it and after asking on Twitter Reversing on Windows suggested it could be “Garbage Collection Table “.
Any ideas?
Here are some details from the 32-bit Windows:
Example debug section from “\Program Files\Common Files\System\DirectDB.dll” as seen by Lord PE:
and
Update:
The type is 0xD – 13 – the largest IMAGE_DEBUG_TYPE_xxx constant I could find documented in SDK is 11 (IMAGE_DEBUG_TYPE_CLSID, but I came across the new types added to wine in May 2015:
IMAGE_DEBUG_TYPE_VC_FEATURE 12 IMAGE_DEBUG_TYPE_POGO 13 <-this is our guy IMAGE_DEBUG_TYPE_ILTCG 14 IMAGE_DEBUG_TYPE_MPX 15
Older post
The hexadecimal dump of a part of the file storing 2 debug sections:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF -------------------------------------------------------------------------------- 00AA0 : 30 60 00 00 52 53 44 53 A1 A8 1D 40 9A 85 87 4C 0`..RSDS...@...L 2720 00AB0 : A3 89 DB DD DA 54 52 7D 01 00 00 00 44 69 72 65 .....TR}....Dire 2736 00AC0 : 63 74 44 42 2E 70 64 62 00 00 00 00 00 00 00 00 ctDB.pdb........ 2752 00AD0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2768 00AE0 : 47 43 54 4C 00 10 00 00 04 00 00 00 2E 43 52 54 GCTL.........CRT 2784 00AF0 : 24 58 43 41 00 00 00 00 04 10 00 00 04 00 00 00 $XCA............ 2800 00B00 : 2E 43 52 54 24 58 43 5A 00 00 00 00 08 10 00 00 .CRT$XCZ........ 2816 00B10 : 04 00 00 00 2E 43 52 54 24 58 49 41 00 00 00 00 .....CRT$XIA.... 2832 00B20 : 0C 10 00 00 04 00 00 00 2E 43 52 54 24 58 49 41 .........CRT$XIA 2848 00B30 : 41 00 00 00 10 10 00 00 04 00 00 00 2E 43 52 54 A............CRT 2864 00B40 : 24 58 49 5A 00 00 00 00 14 10 00 00 00 01 00 00 $XIZ............ 2880 00B50 : 2E 67 66 69 64 73 24 78 00 00 00 00 20 11 00 00 .gfids$x.... ... 2896 00B60 : 80 05 00 00 2E 72 64 61 74 61 00 00 A0 16 00 00 .....rdata...... 2912 00B70 : 04 00 00 00 2E 72 64 61 74 61 24 73 78 64 61 74 .....rdata$sxdat 2928 00B80 : 61 00 00 00 A4 16 00 00 EC 01 00 00 2E 72 64 61 a............rda 2944 00B90 : 74 61 24 7A 7A 7A 64 62 67 00 00 00 90 18 00 00 ta$zzzdbg....... 2960 00BA0 : 1E 4A 00 00 2E 74 65 78 74 24 6D 6E 00 00 00 00 .J...text$mn.... 2976 00BB0 : B0 62 00 00 04 01 00 00 2E 78 64 61 74 61 24 78 .b.......xdata$x 2992 00BC0 : 00 00 00 00 C0 63 00 00 6B 00 00 00 2E 65 64 61 .....c..k....eda 3008 00BD0 : 74 61 00 00 00 70 00 00 20 00 00 00 2E 64 61 74 ta...p.. ....dat 3024 00BE0 : 61 00 00 00 20 70 00 00 98 03 00 00 2E 62 73 73 a... p.......bss 3040 00BF0 : 00 00 00 00 00 80 00 00 10 01 00 00 2E 69 64 61 .............ida 3056 00C00 : 74 61 24 35 00 00 00 00 10 81 00 00 04 00 00 00 ta$5............ 3072 00C10 : 2E 30 30 63 66 67 00 00 14 81 00 00 8C 00 00 00 .00cfg.......... 3088 00C20 : 2E 69 64 61 74 61 24 32 00 00 00 00 A0 81 00 00 .idata$2........ 3104 00C30 : 14 00 00 00 2E 69 64 61 74 61 24 33 00 00 00 00 .....idata$3.... 3120 00C40 : B4 81 00 00 10 01 00 00 2E 69 64 61 74 61 24 34 .........idata$4 3136 00C50 : 00 00 00 00 C4 82 00 00 90 04 00 00 2E 69 64 61 .............ida 3152 00C60 : 74 61 24 36 00 00 00 00 00 90 00 00 58 00 00 00 ta$6........X... 3168 00C70 : 2E 72 73 72 63 24 30 31 00 00 00 00 60 90 00 00 .rsrc$01....`... 3184 00C80 : A8 03 00 00 2E 72 73 72 63 24 30 32 00 00 00 00 .....rsrc$02.... 3200
Strings – they all look like section names:
- GCTL
- .CRT$XCA
- .CRT$XCZ
- .CRT$XIA
- .CRT$XIAA
- .CRT$XIZ
- .gfids$x
- .rdata
- .rdata$sxdata
- .rdata$zzzdbg
- .text$mn
- .xdata$x
- .edata
- .data
- .bss
- .idata$5
- .00cfg
- .idata$2
- .idata$3
- .idata$4
- .idata$6
- .rsrc$01
- .rsrc$02
Global stats for all the section-like names extracted from all binaries on Windows 10 32-bit:
6299 .rdata$zzzdbg
6299 .rdata
6268 .text$mn
6266 .data
6266 .00cfg
6207 .rsrc$02
6207 .rsrc$01
6205 .idata$6
6205 .idata$5
6205 .idata$4
6205 .idata$3
6205 .idata$2
6147 .bss
5589 .xdata$x
5589 .rdata$sxdata
5481 .gfids$x
5403 .CRT$XIZ
5403 .CRT$XIA
5403 .CRT$XCZ
5403 .CRT$XCA
5199 .CRT$XIAA
4617 .edata
3391 .text$yd
3303 .text$di
3251 .CRT$XCU
3188 .text$x
2882 .data$r
1701 .didat$7
1701 .didat$5
1701 .didat$4
1701 .didat$3
1701 .didat$2
1655 .didat$6
1434 .CRT$XCL
1229 .CRT$XIY
1213 .rdata$zETW2
1211 .text
1166 .rdata$zETW1
1164 .rdata$zETW9
1164 .rdata$zETW0
1135 .CRT$XCAA
920 ATL$__z
920 ATL$__a
836 .rdata$r
708 INIT
646 ATL$__m
636 minATL$__z
636 minATL$__m
636 minATL$__a
612 PAGE
604 .text$s
497 .orpc
487 PAGE$s
380 minATL$__r
352 .CRT$XCC
310 .text$mn$00
278 minATL$__f
208 INIT$s
196 .kmdfclassbind$d
196 .kmdfclassbind$c
196 .kmdfclassbind$a
186 .CRT$XTZ
186 .CRT$XTA
186 .CRT$XPZ
186 .CRT$XPA
184 .CRT$XIC
173 .kmdftypeinit$c
173 .kmdftypeinit$a
169 .tls$ZZZ
169 .tls
169 .rdata$T
169 .CRT$XLZ
169 .CRT$XLA
128 .tls$
97 .rtc$TZZ
97 .rtc$TAA
97 .rtc$IZZ
97 .rtc$IAA
96 .imrsiv
75 .CRT$XPXA
75 .CRT$XPX
48 .text$mn$01
47 .stls
41 PAGER32C
36 .kmdfclassbind$b
36 .guids
26 BID$A012
24 BIDL$W023
24 BIDL$W021
24 BIDL$A023
24 BIDL$A021
24 BID$W103
24 BID$W101
24 BID$W093
24 BID$W091
24 BID$W083
24 BID$W081
24 BID$W073
24 BID$W071
24 BID$W063
24 BID$W061
24 BID$W053
24 BID$W051
24 BID$W043
24 BID$W041
24 BID$W033
24 BID$W032
24 BID$W031
24 BID$W013
24 BID$W011
24 BID$A103
24 BID$A101
24 BID$A093
24 BID$A091
24 BID$A083
24 BID$A081
24 BID$A073
24 BID$A071
24 BID$A063
24 BID$A061
24 BID$A053
24 BID$A051
24 BID$A043
24 BID$A041
24 BID$A033
24 BID$A031
24 BID$A013
24 BID$A011
24 BID$A002
24 BID$A001
24 BID$A000
23 PAGEDATA
22 INITDATAZ
20 PAGECONST
19 PAGELK
16 .wpp_sf
14 BID$W052
14 BID$W042
14 .text$yc
10 .CRT$XCBid
8 INITCONST
6 .no_bbt
5 PAGELK$s
4 RT_CONST
4 PAGEWsk$s
4 PAGEWsk
4 PAGEDATAZ
4 PAGECONS
4 BID$W102
4 BID$A032
4 .mrdata
3 PAGE_LK$s
3 PAGE_LK
3 PAGESRP0$s
3 PAGESRP0
3 PAGESER$s
3 PAGESER
3 PAGESENM$s
3 PAGESENM
3 PAGEPARWMI0
3 PAGED
3 .didat$8
2 dseg
2 cseg
2 RT_DATA
2 RT_BSS
2 RTFOUT_PVTMETHODS
2 PAGEwxcc
2 PAGEwxc
2 PAGEwxb
2 PAGEwxa
2 PAGEwx8
2 PAGEwx7
2 PAGEwx68
2 PAGEwx2
2 PAGEwx1
2 PAGEWArp$s
2 PAGEWArp
2 PAGEVRFY
2 PAGEUPDT
2 PAGEUMDM$s
2 PAGEUMDM
2 PAGESSTP$s
2 PAGESSTP
2 PAGEPpoe$s
2 PAGEPpoe
2 PAGEPPTP$s
2 PAGEPPTP
2 PAGENWan$s
2 PAGENWan
2 PAGENDPx$s
2 PAGENDPx
2 PAGELOCK
2 PAGEL2TP$s
2 PAGEL2TP
2 PAGEIRDA$s
2 PAGEIRDA
2 PAGEHrx$VsmData60467
2 PAGEBTTS$s
2 PAGEBTTS
2 PAGEAVpn$s
2 PAGEAVpn
2 IPPCODE
2 BID$W062
2 BID$A102
2 BID$A062
2 ADUI$__z
2 ADUI$__m
2 ADUI$__a
2 .text$wti
2 .text$tii
2 .text$src
2 .text$cthunks
2 .text$AFX_INIT
2 .text$AFX_CORE4
2 .text$AFX_CORE3
2 .text$AFX_COL1
2 .text$AFX_CMNCTL
2 .text$AFX_AUX
2 .rdata$VsmData
2 .cht_data
2 .chs_data
2 .bootdata
2 .RDFINIT$ZZZ
2 .RDFINIT$
2 .RDFINIT
2 .MODINIT$ZZZ
2 .MODINIT$
2 .MODINIT
2 .CRT$XCAM
2 .CRT$XCAB