Beispiel #1
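        /// <summary>
        /// Translates a relative virtual address (RVA) into a pointer inside a PE file
        /// that sits in memory in its on-disk layout, by walking the section table.
        /// </summary>
        /// <param name="dwRva">The RVA to translate.</param>
        /// <param name="PEPointer">Address of the first byte of the PE file (its DOS header).</param>
        /// <returns>
        /// <paramref name="PEPointer"/> plus the file offset that corresponds to
        /// <paramref name="dwRva"/>, or <see cref="IntPtr.Zero"/> when no section's raw
        /// data covers the RVA.
        /// </returns>
        /// <remarks>
        /// Every offset used here (e_lfanew, SizeOfOptionalHeader, NumberOfSections and the
        /// section fields) is read from the image and trusted as-is. The method is not given
        /// the buffer length, so it cannot bounds-check its own reads or the pointer it
        /// returns. Callers that parse untrusted files must validate the headers against the
        /// buffer size before calling, and range-check the result before dereferencing it.
        /// </remarks>
        public static IntPtr Rva2Offset(uint dwRva, IntPtr PEPointer)
        {
            ushort wNumberOfSections;
            IntPtr imageSectionPtr;
            IMAGE_SECTION_HEADER SectionHeader;
            int sizeOfSectionHeader = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));

            IMAGE_DOS_HEADER dosHeader = InteropTools.PtrToStructure <IMAGE_DOS_HEADER>(PEPointer);

            // e_lfanew is the file offset of the NT headers.
            IntPtr NtHeadersPtr = (IntPtr)((UInt64)PEPointer + (UInt64)dosHeader.e_lfanew);

            // Both layouts are marshalled up front; the optional-header magic decides which one applies.
            // NOTE(review): the 64-bit read covers more bytes than a 32-bit header occupies - confirm the buffer is large enough.
            var imageNtHeaders32 = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS));
            var imageNtHeaders64 = (IMAGE_NT_HEADERS64)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS64));

            bool is64Bit = imageNtHeaders64.OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC;

            // The section table starts right after the optional header, whose size comes from the file header.
            if (is64Bit)
            {
                imageSectionPtr   = (IntPtr)(((Int64)NtHeadersPtr + (Int64)Marshal.OffsetOf(typeof(IMAGE_NT_HEADERS64), "OptionalHeader") + (Int64)imageNtHeaders64.FileHeader.SizeOfOptionalHeader));
                wNumberOfSections = imageNtHeaders64.FileHeader.NumberOfSections;
            }
            else
            {
                imageSectionPtr   = (IntPtr)(((Int64)NtHeadersPtr + (Int64)Marshal.OffsetOf(typeof(IMAGE_NT_HEADERS), "OptionalHeader") + (Int64)imageNtHeaders32.FileHeader.SizeOfOptionalHeader));
                wNumberOfSections = imageNtHeaders32.FileHeader.NumberOfSections;
            }

            // NOTE(review): the first section header is read even when NumberOfSections is 0.
            SectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(imageSectionPtr, typeof(IMAGE_SECTION_HEADER));

            // An RVA below the first section's raw data is treated as lying in the headers,
            // where the RVA and the file offset are taken to be the same.
            if (dwRva < SectionHeader.PointerToRawData)
            {
                return((IntPtr)((UInt64)dwRva + (UInt64)PEPointer));
            }

            for (ushort wIndex = 0; wIndex < wNumberOfSections; wIndex++)
            {
                // IntPtr.Add keeps the full pointer width; casting the pointer to uint
                // truncated (or overflowed on) addresses above 4 GiB in a 64-bit process.
                IntPtr currentSectionPtr = IntPtr.Add(imageSectionPtr, sizeOfSectionHeader * wIndex);
                SectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(currentSectionPtr, typeof(IMAGE_SECTION_HEADER));

                // Written as a subtraction so that a crafted VirtualAddress + SizeOfRawData
                // cannot wrap around in 32-bit arithmetic and mis-report the section's range.
                if (dwRva >= SectionHeader.VirtualAddress && (dwRva - SectionHeader.VirtualAddress) < SectionHeader.SizeOfRawData)
                {
                    return((IntPtr)((UInt64)(dwRva - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData) + (UInt64)PEPointer));
                }
            }

            return(IntPtr.Zero);
        }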
Beispiel #2
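        /// <summary>
        /// Lazily reads consecutive fixed-size structures of type <typeparamref name="T"/>
        /// from a stream, marshalling each one through a single unmanaged scratch buffer.
        /// </summary>
        /// <typeparam name="T">Structure type to marshal; its marshalled size is the record size.</typeparam>
        /// <param name="input">Stream positioned at the first structure.</param>
        /// <returns>A sequence that yields one structure per complete record read.</returns>
        /// <exception cref="EndOfStreamException">
        /// Thrown when the stream ends before another complete record can be read, which
        /// includes a clean end of stream: the sequence never finishes normally, so callers
        /// are expected to stop enumerating once they have what they need.
        /// </exception>
        /// <remarks>
        /// The bytes are marshalled as-is. Any count, offset or size field inside a returned
        /// structure is untrusted input and must be validated by the caller before it is used
        /// for further reads or pointer arithmetic.
        /// </remarks>
        private static IEnumerable <T> EnumerateStructures <T>(Stream input) where T : struct
        {
            Type t    = TypeOf <T> .TypeID;
            int  size = Marshal.SizeOf(t);

            byte[] buffer = new byte[size];
            IntPtr ptr    = Marshal.AllocHGlobal(size);

            try
            {
                while (true)
                {
                    // Stream.Read may return fewer bytes than requested without being at the
                    // end of the stream (network, pipe or compressed streams), so keep reading
                    // until the record is complete instead of treating a short read as EOF.
                    int filled = 0;
                    while (filled < size)
                    {
                        int read = input.Read(buffer, filled, size - filled);
                        if (read <= 0)
                        {
                            throw new EndOfStreamException();
                        }
                        filled += read;
                    }

                    Marshal.Copy(buffer, 0, ptr, size);
                    yield return(InteropTools.PtrToStructure <T>(ptr));
                }
            }
            finally
            {
                // Runs when the exception above propagates or when the enumerator is
                // disposed early (foreach does this), so the unmanaged buffer is not leaked.
                Marshal.FreeHGlobal(ptr);
            }
        }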