public Executable ReadExecutable(Stream stream) { var executable = new Executable { DosHeader = _streamBinaryMapper.ReadObject <IMAGE_DOS_HEADER>(stream) }; stream.Position = executable.DosHeader.e_lfanew; executable.PeHeader = _streamBinaryMapper.ReadObject <IMAGE_PE_HEADER>(stream); executable.CoffHeader = _streamBinaryMapper.ReadObject <COFF_HEADER>(stream); // Peek at the value of the image optional header's "magic" // value to determine which version of the header to parse. long beforeHeaderPeekPosition = stream.Position; IMAGE_OPTIONAL_HDR_MAGIC headerMagic = _streamBinaryMapper.ReadValue <IMAGE_OPTIONAL_HDR_MAGIC>(stream); stream.Position = beforeHeaderPeekPosition; if (headerMagic == IMAGE_OPTIONAL_HDR_MAGIC.IMAGE_NT_OPTIONAL_HDR64_MAGIC) { executable.OptionalHeader64 = _streamBinaryMapper.ReadObject <IMAGE_OPTIONAL_HEADER64>(stream); } else { executable.OptionalHeader = _streamBinaryMapper.ReadObject <IMAGE_OPTIONAL_HEADER>(stream); } executable.ImageSectionHeaders = _streamBinaryMapper.ReadArray <IMAGE_SECTION_HEADER>(stream, executable.CoffHeader.NumberOfSections); //var resourceSectionHeader = executable.ImageSectionHeaders.SingleOrDefault(x => x.Name == ".rsrc"); //if (resourceSectionHeader != null) //{ // stream.Position = resourceSectionHeader.PointerToRawData; // var directory = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DIRECTORY>(stream); // var entries = _streamBinaryMapper.ReadArray<IMAGE_RESOURCE_DIRECTORY_ENTRY>(stream, (uint)directory.NumberOfIdEntries + directory.NumberOfNamedEntries); // foreach (var entry in entries) // { // if (entry.IsDirectory) // { // stream.Position = entry.DirectoryAddress; // var test = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DIRECTORY_ENTRY>(stream); // stream.Position = test.OffsetToData; // var test2 = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DATA_ENTRY>(stream); // } // stream.Position = entry.OffsetToData; // var e = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DATA_ENTRY>(stream); // } //} return(executable); }
public Minidump ReadMinidump(Stream stream) { var minidump = new Minidump { Header = _streamBinaryMapper.ReadObject <MINIDUMP_HEADER>(stream) }; stream.Position = minidump.Header.StreamDirectoryRva; var directories = _streamBinaryMapper.ReadArray <MINIDUMP_DIRECTORY>(stream, minidump.Header.NumberOfStreams); foreach (var directory in directories) { stream.Position = directory.Location.Rva; switch (directory.StreamType) { case MINIDUMP_STREAM_TYPE.ThreadListStream: minidump.ThreadListStream = _streamBinaryMapper.ReadObject <MINIDUMP_THREAD_LIST_STREAM>(stream); break; case MINIDUMP_STREAM_TYPE.ModuleListStream: minidump.ModuleListStream = _streamBinaryMapper.ReadObject <MINIDUMP_MODULE_LIST_STREAM>(stream); foreach (var module in minidump.ModuleListStream.Modules) { stream.Position = module.ModuleNameRva; module.Name = _streamBinaryMapper.ReadObject <MINIDUMP_STRING>(stream).Buffer; minidump.Modules.Add(module); } break; case MINIDUMP_STREAM_TYPE.MemoryListStream: minidump.MemoryListStream = _streamBinaryMapper.ReadObject <MINIDUMP_MEMORY_LIST_STREAM>(stream); break; case MINIDUMP_STREAM_TYPE.ExceptionStream: minidump.ExceptionStream = _streamBinaryMapper.ReadObject <MINIDUMP_EXCEPTION_STREAM>(stream); break; case MINIDUMP_STREAM_TYPE.SystemInfoStream: minidump.SystemInfoStream = _streamBinaryMapper.ReadObject <MINIDUMP_SYSTEM_INFO_STREAM>(stream); stream.Position = minidump.SystemInfoStream.CSDVersionRva; var servicePackString = _streamBinaryMapper.ReadObject <MINIDUMP_STRING>(stream); minidump.SystemInfoServicePack = servicePackString.Buffer; break; case MINIDUMP_STREAM_TYPE.MiscInfoStream: minidump.MiscInfoStream = _streamBinaryMapper.ReadObject <MINIDUMP_MISC_INFO_STREAM>(stream); break; case MINIDUMP_STREAM_TYPE.ThreadInfoListStream: minidump.ThreadInfoListStream = _streamBinaryMapper.ReadObject <MINIDUMP_THREAD_INFO_LIST_STREAM>(stream); break; // Add support for reading Chromium minidumps case MINIDUMP_STREAM_TYPE.MD_LINUX_CMD_LINE: var strs = MDReadStrings(stream, directory.Location.DataSize); minidump.CommandLine = strs.Length > 0 ? strs[0] : ""; break; case MINIDUMP_STREAM_TYPE.MD_LINUX_ENVIRON: minidump.EnvironmentVariables = SplitIntoDictionary('=', MDReadStrings(stream, directory.Location.DataSize)); break; case MINIDUMP_STREAM_TYPE.MD_LINUX_LSB_RELEASE: minidump.LSBRelease = MDReadStrings(stream, directory.Location.DataSize); break; case MINIDUMP_STREAM_TYPE.MD_LINUX_PROC_STATUS: minidump.ProcessStatus = SplitIntoDictionary(':', MDReadStrings(stream, directory.Location.DataSize)); break; case MINIDUMP_STREAM_TYPE.MD_LINUX_CPU_INFO: minidump.CpuInfo = SplitProcs(MDReadStrings(stream, directory.Location.DataSize)); break; case MINIDUMP_STREAM_TYPE.MD_LINUX_MAPS: minidump.LinuxMaps = MDReadStrings(stream, directory.Location.DataSize); break; } } return(minidump); }