private void AssertCommonOptHeaderProperties(IMAGE_OPTIONAL_HEADER optHeader)
{
Assert.AreEqual((ushort) 0x010b, optHeader.Magic);
Assert.AreEqual((ushort) 0x11, optHeader.MajorLinkerVersion);
Assert.AreEqual((ushort) 0x33, optHeader.MinorLinkerVersion);
Assert.AreEqual((uint) 0x22115544, optHeader.SizeOfCode);
Assert.AreEqual(0xaa998877, optHeader.SizeOfInitializedData);
Assert.AreEqual((uint) 0x22115544, optHeader.SizeOfUninitializedData);
Assert.AreEqual(0xaa778822, optHeader.AddressOfEntryPoint);
Assert.AreEqual(0xaaff8877, optHeader.BaseOfCode);
Assert.AreEqual(0xaa99cc77, optHeader.SectionAlignment);
Assert.AreEqual(0xaa99ffdd, optHeader.FileAlignment);
Assert.AreEqual((ushort) 0x8877, optHeader.MajorOperatingSystemVersion);
Assert.AreEqual((ushort) 0xaa99, optHeader.MinorOperatingSystemVersion);
Assert.AreEqual((ushort) 0x44ff, optHeader.MajorImageVersion);
Assert.AreEqual((ushort) 0xeedd, optHeader.MinorImageVersion);
Assert.AreEqual((ushort) 0x88bb, optHeader.MajorSubsystemVersion);
Assert.AreEqual((ushort) 0xaaee, optHeader.MinorSubsystemVersion);
Assert.AreEqual(0xaa998877, optHeader.Win32VersionValue);
Assert.AreEqual(0xaaff8877, optHeader.SizeOfHeaders);
Assert.AreEqual(0xcc998877, optHeader.CheckSum);
Assert.AreEqual((ushort) 0x8877, optHeader.Subsystem);
Assert.AreEqual((ushort) 0xaa99, optHeader.DllCharacteristics);
Assert.AreEqual(0xaa998822, optHeader.LoaderFlags);
Assert.AreEqual((uint) 0x00000005, optHeader.NumberOfRvaAndSizes);
}
private void AssertCommonOptHeaderProperties(IMAGE_OPTIONAL_HEADER optHeader)
{
Assert.Equal((ushort)0x010b, optHeader.Magic);
Assert.Equal((ushort)0x11, optHeader.MajorLinkerVersion);
Assert.Equal((ushort)0x33, optHeader.MinorLinkerVersion);
Assert.Equal((uint)0x22115544, optHeader.SizeOfCode);
Assert.Equal(0xaa998877, optHeader.SizeOfInitializedData);
Assert.Equal((uint)0x22115544, optHeader.SizeOfUninitializedData);
Assert.Equal(0xaa778822, optHeader.AddressOfEntryPoint);
Assert.Equal(0xaaff8877, optHeader.BaseOfCode);
Assert.Equal(0xaa99cc77, optHeader.SectionAlignment);
Assert.Equal(0xaa99ffdd, optHeader.FileAlignment);
Assert.Equal((ushort)0x8877, optHeader.MajorOperatingSystemVersion);
Assert.Equal((ushort)0xaa99, optHeader.MinorOperatingSystemVersion);
Assert.Equal((ushort)0x44ff, optHeader.MajorImageVersion);
Assert.Equal((ushort)0xeedd, optHeader.MinorImageVersion);
Assert.Equal((ushort)0x88bb, optHeader.MajorSubsystemVersion);
Assert.Equal((ushort)0xaaee, optHeader.MinorSubsystemVersion);
Assert.Equal(0xaa998877, optHeader.Win32VersionValue);
Assert.Equal(0xaaff8877, optHeader.SizeOfHeaders);
Assert.Equal(0xcc998877, optHeader.CheckSum);
Assert.Equal((ushort)0x8877, optHeader.Subsystem);
Assert.Equal((ushort)0xaa99, optHeader.DllCharacteristics);
Assert.Equal(0xaa998822, optHeader.LoaderFlags);
Assert.Equal((uint)0x00000005, optHeader.NumberOfRvaAndSizes);
}
/// <summary>
/// Create a new IMAGE_NT_HEADERS object.
/// </summary>
/// <param name="buff">A PE file as a byte array.</param>
/// <param name="offset">Raw offset of the NT header.</param>
public IMAGE_NT_HEADERS(byte[] buff, uint offset)
: base(buff, offset)
{
FileHeader = new IMAGE_FILE_HEADER(buff, offset + 0x4);
var is32Bit = FileHeader.Machine == 0x14c;
OptionalHeader = new IMAGE_OPTIONAL_HEADER(buff, offset + 0x18, !is32Bit);
}
public PeUtility(string filePath)
{
curFileStream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.ReadWrite);
var reader = new BinaryReader(curFileStream);
var dosHeader = FromBinaryReader <IMAGE_DOS_HEADER>(reader);
// Seek the new PE Header and skip NtHeadersSignature (4 bytes) & IMAGE_FILE_HEADER struct (20bytes).
curFileStream.Seek(dosHeader.e_lfanew + 4 + 20, SeekOrigin.Begin);
fileHeaderOffset = curFileStream.Position;
optionalHeader = FromBinaryReader <IMAGE_OPTIONAL_HEADER>(reader);
}
public void OptionalHeaderConstructor64BitWorks_Test()
{
var optHeader = new IMAGE_OPTIONAL_HEADER(RawStructures.RawImageOptionalHeader64Bit, 2, true);
AssertCommonOptHeaderProperties(optHeader);
Assert.Equal((ulong)0x00112233aa99cc44, optHeader.ImageBase);
Assert.Equal((ulong)0x55443322aa99ddff, optHeader.SizeOfStackReserve);
Assert.Equal(0xaa998888aa998888, optHeader.SizeOfStackCommit);
Assert.Equal(0xaa99cceeaa99ccee, optHeader.SizeOfHeapReserve);
Assert.Equal(0xaa991177aa991177, optHeader.SizeOfHeapCommit);
// Data directories
AssertDataDirectories(optHeader.DataDirectory);
}
public void OptionalHeaderConstructor64BitWorks_Test()
{
var optHeader = new IMAGE_OPTIONAL_HEADER(RawStructures.RawImageOptionalHeader64Bit, 2, true);
AssertCommonOptHeaderProperties(optHeader);
Assert.AreEqual((ulong) 0x00112233aa99cc44, optHeader.ImageBase);
Assert.AreEqual((ulong) 0x55443322aa99ddff, optHeader.SizeOfStackReserve);
Assert.AreEqual(0xaa998888aa998888, optHeader.SizeOfStackCommit);
Assert.AreEqual(0xaa99cceeaa99ccee, optHeader.SizeOfHeapReserve);
Assert.AreEqual(0xaa991177aa991177, optHeader.SizeOfHeapCommit);
// Data directories
AssertDataDirectories(optHeader.DataDirectory);
}
public void OptionalHeaderConstructor32BitWorks_Test()
{
var optHeader = new IMAGE_OPTIONAL_HEADER(RawStructures.RawImageOptionalHeader32Bit, 2, false);
AssertCommonOptHeaderProperties(optHeader);
Assert.Equal(0xaa998844, optHeader.BaseOfData);
Assert.Equal(0xaa99cc44, optHeader.ImageBase);
Assert.Equal(0xaa99ddff, optHeader.SizeOfStackReserve);
Assert.Equal(0xaa998888, optHeader.SizeOfStackCommit);
Assert.Equal(0xaa99ccee, optHeader.SizeOfHeapReserve);
Assert.Equal(0xaa991177, optHeader.SizeOfHeapCommit);
// Data directories
AssertDataDirectories(optHeader.DataDirectory);
}
public void OptionalHeaderConstructor32BitWorks_Test()
{
var optHeader = new IMAGE_OPTIONAL_HEADER(RawStructures.RawImageOptionalHeader32Bit, 2, false);
AssertCommonOptHeaderProperties(optHeader);
Assert.AreEqual(0xaa998844, optHeader.BaseOfData);
Assert.AreEqual(0xaa99cc44, optHeader.ImageBase);
Assert.AreEqual(0xaa99ddff, optHeader.SizeOfStackReserve);
Assert.AreEqual(0xaa998888, optHeader.SizeOfStackCommit);
Assert.AreEqual(0xaa99ccee, optHeader.SizeOfHeapReserve);
Assert.AreEqual(0xaa991177, optHeader.SizeOfHeapCommit);
// Data directories
AssertDataDirectories(optHeader.DataDirectory);
}
public static IMAGE_OPTIONAL_HEADER Deserialize(MultiPartFile file)
{
IMAGE_OPTIONAL_HEADER ioh = new IMAGE_OPTIONAL_HEADER();
ioh.Magic = file.ReadUInt16();
ioh.MajorLinkerVersion = file.ReadByte();
ioh.MinorLinkerVersion = file.ReadByte();
ioh.SizeOfCode = file.ReadUInt32();
ioh.SizeOfInitializedData = file.ReadUInt32();
ioh.SizeOfUninitializedData = file.ReadUInt32();
ioh.AddressOfEntryPoint = file.ReadUInt32();
ioh.BaseOfCode = file.ReadUInt32();
ioh.BaseOfData = file.ReadUInt32();
ioh.ImageBase = file.ReadUInt32();
ioh.SectionAlignment = file.ReadUInt32();
ioh.FileAlignment = file.ReadUInt32();
ioh.MajorOperatingSystemVersion = file.ReadUInt16();
ioh.MinorOperatingSystemVersion = file.ReadUInt16();
ioh.MajorImageVersion = file.ReadUInt16();
ioh.MinorImageVersion = file.ReadUInt16();
ioh.MajorSubsystemVersion = file.ReadUInt16();
ioh.MinorSubsystemVersion = file.ReadUInt16();
ioh.Reserved1 = file.ReadUInt32();
ioh.SizeOfImage = file.ReadUInt32();
ioh.SizeOfHeaders = file.ReadUInt32();
ioh.CheckSum = file.ReadUInt32();
ioh.Subsystem = file.ReadUInt16();
ioh.DllCharacteristics = file.ReadUInt16();
ioh.SizeOfStackReserve = file.ReadUInt32();
ioh.SizeOfStackCommit = file.ReadUInt32();
ioh.SizeOfHeapReserve = file.ReadUInt32();
ioh.SizeOfHeapCommit = file.ReadUInt32();
ioh.LoaderFlags = file.ReadUInt32();
ioh.NumberOfRvaAndSizes = file.ReadUInt32();
ioh.DataDirectory = new IMAGE_DATA_DIRECTORY[Constants.IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
for (int i = 0; i < Constants.IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++)
{
ioh.DataDirectory[i] = IMAGE_DATA_DIRECTORY.Deserialize(file);
}
return(ioh);
}
/// <summary>
/// Process a PE executable header
/// </summary>
private ExecutableType ProcessPe(ref bool searchAgainAtEnd)
{
inputFile.Seek(dataBase + currentFormat.ExecutableOffset + 4);
IMAGE_FILE_HEADER ifh = IMAGE_FILE_HEADER.Deserialize(inputFile);
IMAGE_OPTIONAL_HEADER ioh = IMAGE_OPTIONAL_HEADER.Deserialize(inputFile);
// Read sections until we have the ones we need
IMAGE_SECTION_HEADER temp = null;
IMAGE_SECTION_HEADER resource = null;
for (int i = 0; i < ifh.NumberOfSections; i++)
{
IMAGE_SECTION_HEADER sectionHeader = IMAGE_SECTION_HEADER.Deserialize(inputFile);
string headerName = Encoding.ASCII.GetString(sectionHeader.Name, 0, 8);
// .text
if (headerName.StartsWith(".text"))
{
currentFormat.CodeSectionLength = sectionHeader.VirtualSize;
}
// .rdata
else if (headerName.StartsWith(".rdata"))
{
// No-op
}
// .data
else if (headerName.StartsWith(".data"))
{
currentFormat.DataSectionLength = sectionHeader.VirtualSize;
if ((ifh.Characteristics & (1 << 0)) == 0)
{
temp = sectionHeader;
}
}
// .rsrc
else if (headerName.StartsWith(".rsrc"))
{
resource = sectionHeader;
if ((ifh.Characteristics & (1 << 0)) != 0)
{
temp = sectionHeader;
}
}
}
// the unpacker of the self-extractor does not use any resource functions either.
if (temp.SizeOfRawData > 20000)
{
for (int f = 0; f <= 20000 - 0x80; f++)
{
inputFile.Seek(dataBase + temp.PointerToRawData + f);
IMAGE_DOS_HEADER exeHdr = IMAGE_DOS_HEADER.Deserialize(inputFile);
if ((exeHdr.Magic == Constants.IMAGE_NT_SIGNATURE || exeHdr.Magic == Constants.IMAGE_DOS_SIGNATURE) &&
exeHdr.HeaderParagraphSize >= 4 &&
exeHdr.NewExeHeaderAddr >= 0x40 &&
(exeHdr.Relocations == 0 || exeHdr.Relocations == 3))
{
currentFormat.ExecutableOffset = (int)temp.PointerToRawData + f;
fileEnd = (int)(dataBase + temp.PointerToRawData + ioh.DataDirectory[2].Size);
searchAgainAtEnd = true;
break;
}
}
}
currentFormat.ExecutableOffset = (int)(resource.PointerToRawData + resource.SizeOfRawData);
return(ExecutableType.PE);
}
/// <summary>
/// Create a new IMAGE_NT_HEADERS object.
/// </summary>
/// <param name="buff">A PE file as a byte array.</param>
/// <param name="offset">Raw offset of the NT header.</param>
/// <param name="is64Bit">Flag if the header is for a x64 application.</param>
public IMAGE_NT_HEADERS(byte[] buff, uint offset, bool is64Bit)
: base(buff, offset)
{
FileHeader = new IMAGE_FILE_HEADER(buff, offset + 0x4);
OptionalHeader = new IMAGE_OPTIONAL_HEADER(buff, offset + 0x18, is64Bit);
}
