Beispiel #1
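        /// <summary>
        /// Builds the list of named exports described by the export directory of a PE image.
        /// </summary>
        /// <remarks>
        /// Every count and address in <paramref name="ed"/> is read from the file being parsed and is
        /// therefore untrusted. The name and ordinal tables are checked against the buffer size before
        /// the result array is allocated, so a crafted NumberOfNames cannot force a huge allocation.
        /// </remarks>
        /// <param name="buff">Raw bytes of the PE file.</param>
        /// <param name="ed">Parsed export directory; supplies the table RVAs, the name count and the ordinal base.</param>
        /// <param name="sh">Section headers used to translate RVAs into file offsets.</param>
        /// <returns>One <c>ExportFunction</c> per entry of the export name table.</returns>
        /// <exception cref="ArgumentException">
        /// The name pointer table or the ordinal table does not fit inside <paramref name="buff"/>.
        /// </exception>
        ExportFunction[] ParseExportedFunctions(byte[] buff, IMAGE_EXPORT_DIRECTORY ed, IMAGE_SECTION_HEADER[] sh)
        {
            var funcOffsetPointer = Utility.RVAtoFileMapping(ed.AddressOfFunctions, sh);
            var ordOffset         = Utility.RVAtoFileMapping(ed.AddressOfNameOrdinals, sh);
            var nameOffsetPointer = Utility.RVAtoFileMapping(ed.AddressOfNames, sh);

            // NumberOfNames is attacker-controlled. Each name needs a 4-byte RVA in the name pointer
            // table and a 2-byte index in the ordinal table; if either table would run past the end of
            // the file, the directory is invalid and no array should be allocated for it.
            var nameCount = (ulong)ed.NumberOfNames;
            var fileSize  = (ulong)buff.Length;

            if ((ulong)nameOffsetPointer + nameCount * sizeof(UInt32) > fileSize ||
                (ulong)ordOffset + nameCount * sizeof(UInt16) > fileSize)
            {
                throw new ArgumentException("Export name or ordinal table does not fit inside the file buffer.");
            }

            // The original code read the first function-table entry into an unused local. The read is
            // kept (without the local) so that a function table outside the buffer is still touched
            // here even when the name table is empty.
            Utility.BytesToUInt32(buff, funcOffsetPointer);

            var expFuncs = new ExportFunction[ed.NumberOfNames];

            for (UInt32 i = 0; i < expFuncs.Length; i++)
            {
                // Name pointer table entry i -> RVA of the name string -> file offset -> string.
                var namePtr = Utility.BytesToUInt32(buff, nameOffsetPointer + sizeof(UInt32) * i);
                var nameAdr = Utility.RVAtoFileMapping(namePtr, sh);
                var name    = Utility.GetName(nameAdr, buff);

                // Ordinal table entry i is an index into the function table; the ordinal reported to
                // callers is that index plus the directory's base.
                // NOTE(review): the index is not compared with the function table's entry count, so a
                // crafted file can make the address below come from bytes outside that table.
                var ordinalIndex = (UInt32)Utility.GetOrdinal(ordOffset + sizeof(UInt16) * i, buff);
                var ordinal      = ordinalIndex + ed.Base;
                var address      = Utility.BytesToUInt32(buff, funcOffsetPointer + sizeof(UInt32) * ordinalIndex);

                // The cast truncates to 16 bits if index + base exceeds 0xFFFF.
                expFuncs[i] = new ExportFunction(name, address, (UInt16)ordinal);
            }

            return expFuncs;
        }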
Beispiel #2
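        /// <summary>
        /// Parses a PE image held in memory: DOS header, NT headers, section headers and, where the
        /// corresponding data directory entry is non-zero, the export, import, resource, exception
        /// (64-bit only) and security directories.
        /// </summary>
        /// <remarks>
        /// The buffer is untrusted input. Header and section parsing is not wrapped in a try block, so
        /// exceptions raised there propagate to the caller. Each optional directory is parsed in its
        /// own try block; any exception is swallowed and only the matching HasValid* flag is set to
        /// false, so the cause of the failure is not available afterwards.
        /// Nothing in this constructor verifies an Authenticode signature; a non-null
        /// <c>WinCertificate</c> only means the security directory could be parsed.
        /// </remarks>
        /// <param name="buff">Raw bytes of the PE file.</param>
        /// <exception cref="ArgumentNullException"><paramref name="buff"/> is null.</exception>
        public PeFile(byte[] buff)
        {
            if (buff == null)
            {
                throw new ArgumentNullException("buff");
            }

            _buff = buff;

            ImageDosHeader = new IMAGE_DOS_HEADER(buff);

            // The Machine field sits right after the 4-byte PE signature at e_lfanew. Only AMD64 is
            // treated as 64 bit; every other machine type takes the 32-bit path.
            Is64Bit = (Utility.BytesToUInt16(buff, ImageDosHeader.e_lfanew + 0x4) == Constants.IMAGE_FILE_MACHINE_AMD64);

            // 0xF8 / 0x108 = signature (4) + file header (20) + the standard optional header size
            // (224 for PE32, 240 for PE32+).
            // NOTE(review): the header's own optional-header size field is not consulted here, so a
            // file that declares a non-standard size would have its section table read from a
            // different offset than the one the file itself describes - confirm whether intended.
            UInt32 secHeaderOffset = (UInt32)(Is64Bit ? 0x108 : 0xF8);

            ImageNtHeaders = new IMAGE_NT_HEADERS(buff, ImageDosHeader.e_lfanew, Is64Bit);

            ImageSectionHeaders = ParseImageSectionHeaders(
                buff,
                ImageNtHeaders.FileHeader.NumberOfSections,
                ImageDosHeader.e_lfanew + secHeaderOffset
                );

            // All directories are addressed through the named index instead of a mix of names and
            // bare 0/1/2 literals, so the presence check and the lookup cannot drift apart.
            var dirs = ImageNtHeaders.OptionalHeader.DataDirectory;

            // Export directory.
            var exportRva = dirs[(int)Constants.DataDirectoryIndex.Export].VirtualAddress;
            if (exportRva != 0)
            {
                try
                {
                    ImageExportDirectory = new IMAGE_EXPORT_DIRECTORY(
                        buff,
                        Utility.RVAtoFileMapping(exportRva, ImageSectionHeaders)
                        );

                    ExportedFunctions = ParseExportedFunctions(
                        buff,
                        ImageExportDirectory,
                        ImageSectionHeaders
                        );
                }
                catch
                {
                    // No or invalid export directory.
                    HasValidExportDir = false;
                }
            }

            // Import directory.
            var importRva = dirs[(int)Constants.DataDirectoryIndex.Import].VirtualAddress;
            if (importRva != 0)
            {
                try
                {
                    ImageImportDescriptors = ParseImportDescriptors(
                        buff,
                        Utility.RVAtoFileMapping(importRva, ImageSectionHeaders),
                        ImageSectionHeaders
                        );

                    ImportedFunctions = ParseImportedFunctions(buff, ImageImportDescriptors, ImageSectionHeaders);
                }
                catch
                {
                    // No or invalid import directory.
                    HasValidImportDir = false;
                }
            }

            // Resource directory.
            var resourceRva = dirs[(int)Constants.DataDirectoryIndex.Resource].VirtualAddress;
            if (resourceRva != 0)
            {
                try
                {
                    ImageResourceDirectory = ParseImageResourceDirectory(
                        buff,
                        Utility.RVAtoFileMapping(resourceRva, ImageSectionHeaders),
                        ImageSectionHeaders
                        );
                }
                catch
                {
                    // No or invalid resource directory.
                    ImageResourceDirectory = null;
                    HasValidResourceDir    = false;
                }
            }

            // Exception directory; only parsed for 64-bit images.
            if (Is64Bit)
            {
                var exceptionDir = dirs[(int)Constants.DataDirectoryIndex.Exception];
                if (exceptionDir.VirtualAddress != 0)
                {
                    try
                    {
                        RuntimeFunctions = PareseExceptionDirectory(
                            buff,
                            Utility.RVAtoFileMapping(exceptionDir.VirtualAddress, ImageSectionHeaders),
                            exceptionDir.Size,
                            ImageSectionHeaders
                            );
                    }
                    catch
                    {
                        // No or invalid Exception directory.
                        RuntimeFunctions     = null;
                        HasValidExceptionDir = false;
                    }
                }
            }

            // Security directory (certificates). The address is handed over without RVA mapping: in
            // the PE format this directory entry holds a file offset, not an RVA.
            var securityOffset = dirs[(int)Constants.DataDirectoryIndex.Security].VirtualAddress;
            if (securityOffset != 0)
            {
                try
                {
                    WinCertificate = ParseImageSecurityDirectory(
                        buff,
                        securityOffset,
                        ImageSectionHeaders);
                }
                catch (Exception)
                {
                    // Invalid Security Directory
                    WinCertificate      = null;
                    HasValidSecurityDir = false;
                }
            }
        }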