public ImageFileHeaderVM(HexBuffer buffer, PeFileHeaderData fileHeader)
            : base(fileHeader.Span)
        {
            // View model for the PE file header: wraps each field of the supplied fileHeader in
            // a hex field. Every value is shown exactly as stored in the file, so for an
            // untrusted binary the timestamp, section count and flags are claims, not facts.
            // NOTE(review): 'buffer' is never read in this constructor - confirm that is intended.
            Name = fileHeader.Name;

            // Machine is displayed as a single 16-bit value; MachineInfos is passed as its value table.
            MachineVM = new UInt16FlagsHexField(fileHeader.Machine);
            MachineVM.Add(new IntegerHexBitField(fileHeader.Machine.Name, 0, 16, MachineInfos));

            NumberOfSectionsVM = new UInt16HexField(fileHeader.NumberOfSections);

            // Raise a change notification for TimeDateStampString whenever the raw field changes.
            TimeDateStampVM = new UInt32HexField(fileHeader.TimeDateStamp.Data, fileHeader.TimeDateStamp.Name);
            TimeDateStampVM.DataFieldVM.PropertyChanged += (sender, args) => OnPropertyChanged(nameof(TimeDateStampString));

            PointerToSymbolTableVM = new UInt32HexField(fileHeader.PointerToSymbolTable);
            NumberOfSymbolsVM = new UInt32HexField(fileHeader.NumberOfSymbols);
            SizeOfOptionalHeaderVM = new UInt16HexField(fileHeader.SizeOfOptionalHeader);

            // One boolean bit field per Characteristics bit, bit 0 first.
            // "Relocs Stripped" is worth a look during triage: the label says the image
            // carries no base relocations.
            CharacteristicsVM = new UInt16FlagsHexField(fileHeader.Characteristics);
            var characteristicBits = new[]
            {
                new BooleanHexBitField("Relocs Stripped", 0),
                new BooleanHexBitField("Executable Image", 1),
                new BooleanHexBitField("Line Nums Stripped", 2),
                new BooleanHexBitField("Local Syms Stripped", 3),
                new BooleanHexBitField("Aggressive WS Trim", 4),
                new BooleanHexBitField("Large Address Aware", 5),
                new BooleanHexBitField("Reserved 0040h", 6),
                new BooleanHexBitField("Bytes Reversed Lo", 7),
                new BooleanHexBitField("32-Bit Machine", 8),
                new BooleanHexBitField("Debug Stripped", 9),
                new BooleanHexBitField("Removable Run From Swap", 10),
                new BooleanHexBitField("Net Run From Swap", 11),
                new BooleanHexBitField("System", 12),
                new BooleanHexBitField("Dll", 13),
                new BooleanHexBitField("Up System Only", 14),
                new BooleanHexBitField("Bytes Reversed Hi", 15),
            };
            foreach (var bitField in characteristicBits)
            {
                CharacteristicsVM.Add(bitField);
            }

            // Fields in the order they are assigned above.
            hexFields = new HexField[]
            {
                MachineVM, NumberOfSectionsVM, TimeDateStampVM, PointerToSymbolTableVM,
                NumberOfSymbolsVM, SizeOfOptionalHeaderVM, CharacteristicsVM,
            };
        }
Beispiel #2
        /// <summary>
        /// Builds the hex fields for a PE optional header from the supplied
        /// <paramref name="optionalHeader"/> data. All values are displayed as stored in the
        /// file; nothing here validates them.
        /// </summary>
        /// <param name="buffer">Not read in this constructor.</param>
        /// <param name="optionalHeader">Source of every field, and of the span passed to the base class.</param>
        protected ImageOptionalHeaderVM(HexBuffer buffer, PeOptionalHeaderData optionalHeader)
            : base(optionalHeader.Span)
        {
            // NOTE(review): hexFields is left null here - presumably a derived class assigns it; confirm.
            hexFields = null!;

            MagicVM = new UInt16HexField(optionalHeader.Magic);
            MajorLinkerVersionVM = new ByteHexField(optionalHeader.MajorLinkerVersion, true);
            MinorLinkerVersionVM = new ByteHexField(optionalHeader.MinorLinkerVersion, true);
            SizeOfCodeVM = new UInt32HexField(optionalHeader.SizeOfCode);
            SizeOfInitializedDataVM = new UInt32HexField(optionalHeader.SizeOfInitializedData);
            SizeOfUninitializedDataVM = new UInt32HexField(optionalHeader.SizeOfUninitializedData);
            AddressOfEntryPointVM = new UInt32HexField(optionalHeader.AddressOfEntryPoint);
            BaseOfCodeVM = new UInt32HexField(optionalHeader.BaseOfCode);

            SectionAlignmentVM = new UInt32HexField(optionalHeader.SectionAlignment);
            FileAlignmentVM = new UInt32HexField(optionalHeader.FileAlignment);
            MajorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MajorOperatingSystemVersion, true);
            MinorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MinorOperatingSystemVersion, true);
            MajorImageVersionVM = new UInt16HexField(optionalHeader.MajorImageVersion, true);
            MinorImageVersionVM = new UInt16HexField(optionalHeader.MinorImageVersion, true);
            MajorSubsystemVersionVM = new UInt16HexField(optionalHeader.MajorSubsystemVersion, true);
            MinorSubsystemVersionVM = new UInt16HexField(optionalHeader.MinorSubsystemVersion, true);
            Win32VersionValueVM = new UInt32HexField(optionalHeader.Win32VersionValue, true);
            SizeOfImageVM = new UInt32HexField(optionalHeader.SizeOfImage);
            SizeOfHeadersVM = new UInt32HexField(optionalHeader.SizeOfHeaders);
            CheckSumVM = new UInt32HexField(optionalHeader.CheckSum);

            // Subsystem is shown as one 16-bit value; SubsystemInfos is passed as its value table.
            SubsystemVM = new UInt16FlagsHexField(optionalHeader.Subsystem);
            SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

            // One boolean bit field per DllCharacteristics bit, bit 0 first. For hardening
            // review the interesting ones are the loader opt-ins: High Entropy VA and Dynamic
            // Base (ASLR), NX Compat (DEP), Guard CF (Control Flow Guard) and Force Integrity.
            // A cleared bit means the image did not opt in; it says nothing about how the
            // image was built beyond that.
            DllCharacteristicsVM = new UInt16FlagsHexField(optionalHeader.DllCharacteristics);
            var dllCharacteristicBits = new[]
            {
                new BooleanHexBitField("Reserved1", 0),
                new BooleanHexBitField("Reserved2", 1),
                new BooleanHexBitField("Reserved3", 2),
                new BooleanHexBitField("Reserved4", 3),
                new BooleanHexBitField("Reserved5", 4),
                new BooleanHexBitField("High Entropy VA", 5),
                new BooleanHexBitField("Dynamic Base", 6),
                new BooleanHexBitField("Force Integrity", 7),
                new BooleanHexBitField("NX Compat", 8),
                new BooleanHexBitField("No Isolation", 9),
                new BooleanHexBitField("No SEH", 10),
                new BooleanHexBitField("No Bind", 11),
                new BooleanHexBitField("AppContainer", 12),
                new BooleanHexBitField("WDM Driver", 13),
                new BooleanHexBitField("Guard CF", 14),
                new BooleanHexBitField("Terminal Server Aware", 15),
            };
            foreach (var bitField in dllCharacteristicBits)
            {
                DllCharacteristicsVM.Add(bitField);
            }

            LoaderFlagsVM = new UInt32HexField(optionalHeader.LoaderFlags);
            NumberOfRvaAndSizesVM = new UInt32HexField(optionalHeader.NumberOfRvaAndSizes);

            // Sixteen data-directory slots, indexed 0-15. In the PE format slot 4 ("Security")
            // is the attribute certificate table, i.e. where an Authenticode signature lives.
            // NOTE(review): all sixteen are created regardless of NumberOfRvaAndSizes - confirm
            // how Create handles a header that declares fewer directories.
            DataDir0VM = Create(optionalHeader, 0, "Export");
            DataDir1VM = Create(optionalHeader, 1, "Import");
            DataDir2VM = Create(optionalHeader, 2, "Resource");
            DataDir3VM = Create(optionalHeader, 3, "Exception");
            DataDir4VM = Create(optionalHeader, 4, "Security");
            DataDir5VM = Create(optionalHeader, 5, "Base Reloc");
            DataDir6VM = Create(optionalHeader, 6, "Debug");
            DataDir7VM = Create(optionalHeader, 7, "Architecture");
            DataDir8VM = Create(optionalHeader, 8, "Global Ptr");
            DataDir9VM = Create(optionalHeader, 9, "TLS");
            DataDir10VM = Create(optionalHeader, 10, "Load Config");
            DataDir11VM = Create(optionalHeader, 11, "Bound Import");
            DataDir12VM = Create(optionalHeader, 12, "IAT");
            DataDir13VM = Create(optionalHeader, 13, "Delay Import");
            DataDir14VM = Create(optionalHeader, 14, ".NET");
            DataDir15VM = Create(optionalHeader, 15, "Reserved15");
        }
Beispiel #3
		/// <summary>
		/// Creates the hex field for a column. Column 0 is expanded into named bit fields;
		/// every other column is delegated to the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 0, otherwise whatever the base class creates.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			if (colInfo.Index != 0) {
				return base.CreateField(colInfo);
			}

			// The labels match the P/Invoke mapping flags (native-call boundary settings);
			// the table this class represents is declared outside this snippet.
			var flags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
			flags.Add(new BooleanHexBitField("NoMangle", 0));
			// Multi-bit groups: (label, first bit, bit count, value table).
			flags.Add(new IntegerHexBitField("CharSet", 1, 2, CharSetInfos));
			flags.Add(new IntegerHexBitField("BestFit", 4, 2, BestFitInfos));
			flags.Add(new BooleanHexBitField("SupportsLastError", 6));
			flags.Add(new IntegerHexBitField("CallConv", 8, 3, CallConvInfos));
			flags.Add(new IntegerHexBitField("ThrowOnUnmappableChar", 12, 2, ThrowOnUnmappableCharInfos));
			return flags;
		}
Beispiel #4
		/// <summary>
		/// Builds the hex fields of a PE optional header that starts at
		/// <paramref name="startOffset"/> in <paramref name="buffer"/>, using fixed offsets.
		/// </summary>
		/// <param name="buffer">Buffer every field reads from.</param>
		/// <param name="startOffset">Position of the first header field (Magic).</param>
		/// <param name="endOffset">Not read in this constructor.</param>
		/// <param name="offs1">Offset of the SectionAlignment group relative to <paramref name="startOffset"/>.</param>
		/// <param name="offs2">Offset of LoaderFlags relative to <paramref name="startOffset"/>; the data directories start 8 bytes after it.</param>
		protected ImageOptionalHeaderVM(HexBuffer buffer, HexPosition startOffset, HexPosition endOffset, ulong offs1, ulong offs2) {
			// NOTE(review): no field position is checked against endOffset or the buffer here.
			// Confirm the caller (or the field classes) cope with a truncated or malformed
			// file whose optional header runs past the end of the data.
			// offs1/offs2 presumably differ between the 32-bit and 64-bit header layouts - confirm
			// against the derived classes.
			MagicVM = new UInt16HexField(buffer, Name, "Magic", startOffset + 0);
			MajorLinkerVersionVM = new ByteHexField(buffer, Name, "MajorLinkerVersion", startOffset + 2, true);
			MinorLinkerVersionVM = new ByteHexField(buffer, Name, "MinorLinkerVersion", startOffset + 3, true);
			SizeOfCodeVM = new UInt32HexField(buffer, Name, "SizeOfCode", startOffset + 4);
			SizeOfInitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfInitializedData", startOffset + 8);
			SizeOfUninitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfUninitializedData", startOffset + 0x0C);
			AddressOfEntryPointVM = new UInt32HexField(buffer, Name, "AddressOfEntryPoint", startOffset + 0x10);
			BaseOfCodeVM = new UInt32HexField(buffer, Name, "BaseOfCode", startOffset + 0x14);

			// Second group: everything from SectionAlignment to DllCharacteristics.
			var groupStart = startOffset + offs1;
			SectionAlignmentVM = new UInt32HexField(buffer, Name, "SectionAlignment", groupStart + 0);
			FileAlignmentVM = new UInt32HexField(buffer, Name, "FileAlignment", groupStart + 4);
			MajorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MajorOperatingSystemVersion", groupStart + 8, true);
			MinorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MinorOperatingSystemVersion", groupStart + 0x0A, true);
			MajorImageVersionVM = new UInt16HexField(buffer, Name, "MajorImageVersion", groupStart + 0x0C, true);
			MinorImageVersionVM = new UInt16HexField(buffer, Name, "MinorImageVersion", groupStart + 0x0E, true);
			MajorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MajorSubsystemVersion", groupStart + 0x10, true);
			MinorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MinorSubsystemVersion", groupStart + 0x12, true);
			Win32VersionValueVM = new UInt32HexField(buffer, Name, "Win32VersionValue", groupStart + 0x14, true);
			SizeOfImageVM = new UInt32HexField(buffer, Name, "SizeOfImage", groupStart + 0x18);
			SizeOfHeadersVM = new UInt32HexField(buffer, Name, "SizeOfHeaders", groupStart + 0x1C);
			CheckSumVM = new UInt32HexField(buffer, Name, "CheckSum", groupStart + 0x20);
			SubsystemVM = new UInt16FlagsHexField(buffer, Name, "Subsystem", groupStart + 0x24);
			SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

			// One boolean bit field per DllCharacteristics bit, bit 0 first. The loader
			// hardening opt-ins are High Entropy VA / Dynamic Base (ASLR), NX Compat (DEP),
			// Guard CF (Control Flow Guard) and Force Integrity.
			DllCharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "DllCharacteristics", groupStart + 0x26);
			var dllCharacteristicBits = new[] {
				new BooleanHexBitField("Reserved1", 0),
				new BooleanHexBitField("Reserved2", 1),
				new BooleanHexBitField("Reserved3", 2),
				new BooleanHexBitField("Reserved4", 3),
				new BooleanHexBitField("Reserved5", 4),
				new BooleanHexBitField("High Entropy VA", 5),
				new BooleanHexBitField("Dynamic Base", 6),
				new BooleanHexBitField("Force Integrity", 7),
				new BooleanHexBitField("NX Compat", 8),
				new BooleanHexBitField("No Isolation", 9),
				new BooleanHexBitField("No SEH", 10),
				new BooleanHexBitField("No Bind", 11),
				new BooleanHexBitField("AppContainer", 12),
				new BooleanHexBitField("WDM Driver", 13),
				new BooleanHexBitField("Guard CF", 14),
				new BooleanHexBitField("Terminal Server Aware", 15),
			};
			foreach (var bitField in dllCharacteristicBits) {
				DllCharacteristicsVM.Add(bitField);
			}

			// Tail: LoaderFlags, NumberOfRvaAndSizes, then the directory entries.
			var tailStart = startOffset + offs2;
			LoaderFlagsVM = new UInt32HexField(buffer, Name, "LoaderFlags", tailStart + 0);
			NumberOfRvaAndSizesVM = new UInt32HexField(buffer, Name, "NumberOfRvaAndSizes", tailStart + 4);

			// Sixteen directory entries, 8 bytes apart, created regardless of the
			// NumberOfRvaAndSizes value stored in the file.
			ulong dirOffset = offs2 + 8;
			var dirStart = startOffset + dirOffset;
			DataDir0VM = new DataDirVM(buffer, Name, "Export", dirStart + 0);
			DataDir1VM = new DataDirVM(buffer, Name, "Import", dirStart + 8);
			DataDir2VM = new DataDirVM(buffer, Name, "Resource", dirStart + 0x10);
			DataDir3VM = new DataDirVM(buffer, Name, "Exception", dirStart + 0x18);
			DataDir4VM = new DataDirVM(buffer, Name, "Security", dirStart + 0x20);
			DataDir5VM = new DataDirVM(buffer, Name, "Base Reloc", dirStart + 0x28);
			DataDir6VM = new DataDirVM(buffer, Name, "Debug", dirStart + 0x30);
			DataDir7VM = new DataDirVM(buffer, Name, "Architecture", dirStart + 0x38);
			DataDir8VM = new DataDirVM(buffer, Name, "Global Ptr", dirStart + 0x40);
			DataDir9VM = new DataDirVM(buffer, Name, "TLS", dirStart + 0x48);
			DataDir10VM = new DataDirVM(buffer, Name, "Load Config", dirStart + 0x50);
			DataDir11VM = new DataDirVM(buffer, Name, "Bound Import", dirStart + 0x58);
			DataDir12VM = new DataDirVM(buffer, Name, "IAT", dirStart + 0x60);
			DataDir13VM = new DataDirVM(buffer, Name, "Delay Import", dirStart + 0x68);
			DataDir14VM = new DataDirVM(buffer, Name, ".NET", dirStart + 0x70);
			DataDir15VM = new DataDirVM(buffer, Name, "Reserved15", dirStart + 0x78);
		}
Beispiel #5
		/// <summary>
		/// Creates the hex field for a column. Column 0 becomes a 16-bit flags field with
		/// three named bits; other columns use the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 0, otherwise the base class result.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			if (colInfo.Index != 0) {
				return base.CreateField(colInfo);
			}

			// Only bits 9, 10 and 12 get a label; the remaining bits are left unnamed.
			var flags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
			flags.Add(new BooleanHexBitField("SpecialName", 9));
			flags.Add(new BooleanHexBitField("RTSpecialName", 10));
			flags.Add(new BooleanHexBitField("HasDefault", 12));
			return flags;
		}
Beispiel #6
		/// <summary>
		/// Creates the hex field for a column. Column 0 becomes a 16-bit flags field whose
		/// six low bits are labelled; other columns use the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 0, otherwise the base class result.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			if (colInfo.Index != 0) {
				return base.CreateField(colInfo);
			}

			// Bits 0-5 in order; the labels match method-semantics roles (property and event accessors).
			var flags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
			flags.Add(new BooleanHexBitField("Setter", 0));
			flags.Add(new BooleanHexBitField("Getter", 1));
			flags.Add(new BooleanHexBitField("Other", 2));
			flags.Add(new BooleanHexBitField("AddOn", 3));
			flags.Add(new BooleanHexBitField("RemoveOn", 4));
			flags.Add(new BooleanHexBitField("Fire", 5));
			return flags;
		}
Beispiel #7
		/// <summary>
		/// Creates the hex field for a column. Column 0 becomes a 16-bit flags field with
		/// five labelled bits; other columns use the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 0, otherwise the base class result.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			if (colInfo.Index != 0) {
				return base.CreateField(colInfo);
			}

			// Only bits 0, 1, 4, 12 and 13 are labelled; any other bit set in the file is
			// shown in the raw value but has no named entry here.
			var flags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
			flags.Add(new BooleanHexBitField("In", 0));
			flags.Add(new BooleanHexBitField("Out", 1));
			flags.Add(new BooleanHexBitField("Optional", 4));
			flags.Add(new BooleanHexBitField("HasDefault", 12));
			flags.Add(new BooleanHexBitField("HasFieldMarshal", 13));
			return flags;
		}
Beispiel #8
		/// <summary>
		/// Creates the hex field for a column. Columns 1 and 2 each become a 16-bit flags
		/// field with their own bit labels; other columns use the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 1 or 2, otherwise the base class result.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			switch (colInfo.Index) {
			case 1: {
				// Implementation flags: how the method body is provided and compiled.
				var implFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
				implFlags.Add(new IntegerHexBitField("CodeType", 0, 2, CodeTypeInfos));
				implFlags.Add(new IntegerHexBitField("ManagedType", 2, 1, ManagedInfos));
				implFlags.Add(new BooleanHexBitField("NoInlining", 3));
				implFlags.Add(new BooleanHexBitField("ForwardRef", 4));
				implFlags.Add(new BooleanHexBitField("Synchronized", 5));
				implFlags.Add(new BooleanHexBitField("NoOptimization", 6));
				implFlags.Add(new BooleanHexBitField("PreserveSig", 7));
				implFlags.Add(new BooleanHexBitField("AggressiveInlining", 8));
				implFlags.Add(new BooleanHexBitField("InternalCall", 12));
				return implFlags;
			}
			case 2: {
				// Method attribute flags: accessibility in bits 0-2, then one label per bit.
				// PinvokeImpl, UnmanagedExport and HasSecurity are the entries that point at
				// native-code boundaries or declarative security when reviewing an assembly.
				var methodFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
				methodFlags.Add(new IntegerHexBitField("Access", 0, 3, AccessInfos));
				methodFlags.Add(new BooleanHexBitField("UnmanagedExport", 3));
				methodFlags.Add(new BooleanHexBitField("Static", 4));
				methodFlags.Add(new BooleanHexBitField("Final", 5));
				methodFlags.Add(new BooleanHexBitField("Virtual", 6));
				methodFlags.Add(new BooleanHexBitField("HideBySig", 7));
				methodFlags.Add(new IntegerHexBitField("VtableLayout", 8, 1, VtableLayoutInfos));
				methodFlags.Add(new BooleanHexBitField("CheckAccessOnOverride", 9));
				methodFlags.Add(new BooleanHexBitField("Abstract", 10));
				methodFlags.Add(new BooleanHexBitField("SpecialName", 11));
				methodFlags.Add(new BooleanHexBitField("RTSpecialName", 12));
				methodFlags.Add(new BooleanHexBitField("PinvokeImpl", 13));
				methodFlags.Add(new BooleanHexBitField("HasSecurity", 14));
				methodFlags.Add(new BooleanHexBitField("RequireSecObject", 15));
				return methodFlags;
			}
			default:
				return base.CreateField(colInfo);
			}
		}
Beispiel #9
		/// <summary>
		/// Creates the hex field for a column. Column 0 becomes a 16-bit flags field with
		/// an access group and ten labelled bits; other columns use the base implementation.
		/// </summary>
		/// <param name="colInfo">Column description; its Index, Name and Offset are read.</param>
		/// <returns>The flags field for column 0, otherwise the base class result.</returns>
		protected override HexField CreateField(ColumnInfo colInfo) {
			if (colInfo.Index != 0) {
				return base.CreateField(colInfo);
			}

			var flags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
			// Bits 0-2 form one multi-bit value decoded through AccessInfos.
			flags.Add(new IntegerHexBitField("Access", 0, 3, AccessInfos));
			// Bits 3, 11 and 14 have no label in this view.
			flags.Add(new BooleanHexBitField("Static", 4));
			flags.Add(new BooleanHexBitField("InitOnly", 5));
			flags.Add(new BooleanHexBitField("Literal", 6));
			flags.Add(new BooleanHexBitField("NotSerialized", 7));
			flags.Add(new BooleanHexBitField("HasFieldRVA", 8));
			flags.Add(new BooleanHexBitField("SpecialName", 9));
			flags.Add(new BooleanHexBitField("RTSpecialName", 10));
			flags.Add(new BooleanHexBitField("HasFieldMarshal", 12));
			flags.Add(new BooleanHexBitField("PinvokeImpl", 13));
			flags.Add(new BooleanHexBitField("HasDefault", 15));
			return flags;
		}
Beispiel #10
		/// <summary>
		/// Builds the 16-bit flags field for a generic-parameter attributes column.
		/// </summary>
		/// <param name="colInfo">Column description; its Name and Offset are read.</param>
		/// <param name="buffer">Buffer the field reads from.</param>
		/// <param name="name">Passed through to the field as its second constructor argument.</param>
		/// <param name="startOffset">Position the column offset is added to.</param>
		/// <returns>The flags field with a two-bit variance group and three constraint bits.</returns>
		internal static UInt16FlagsHexField CreateGenericParamAttributesField(ColumnInfo colInfo, HexBuffer buffer, string name, HexPosition startOffset) {
			var attributes = new UInt16FlagsHexField(
				buffer,
				name,
				colInfo.Name,
				startOffset + (uint)colInfo.Offset);

			// Bits 0-1 are one value decoded through VarianceInfos; bits 2-4 are single flags.
			attributes.Add(new IntegerHexBitField("Variance", 0, 2, VarianceInfos));
			attributes.Add(new BooleanHexBitField("Reference", 2));
			attributes.Add(new BooleanHexBitField("Struct", 3));
			attributes.Add(new BooleanHexBitField("Default ctor", 4));

			return attributes;
		}
Beispiel #11
		/// <summary>
		/// Builds the hex fields of a PE file header that starts at
		/// <paramref name="startOffset"/> in <paramref name="buffer"/>, using fixed offsets
		/// 0x00-0x12 from that position.
		/// </summary>
		/// <param name="buffer">Buffer every field reads from.</param>
		/// <param name="startOffset">Position of the first header field (Machine).</param>
		public ImageFileHeaderVM(HexBuffer buffer, HexPosition startOffset) {
			// NOTE(review): nothing here checks that startOffset + 0x14 lies inside the
			// buffer - confirm the caller validates this for truncated or malformed files.
			// Machine is shown as one 16-bit value; MachineInfos is passed as its value table.
			MachineVM = new UInt16FlagsHexField(buffer, Name, "Machine", startOffset + 0);
			MachineVM.Add(new IntegerHexBitField("Machine", 0, 16, MachineInfos));

			NumberOfSectionsVM = new UInt16HexField(buffer, Name, "NumberOfSections", startOffset + 2);

			// Raise a change notification for TimeDateStampString whenever the raw field changes.
			// The stored timestamp is whatever the file says; it is not verified against anything.
			TimeDateStampVM = new UInt32HexField(buffer, Name, "TimeDateStamp", startOffset + 4);
			TimeDateStampVM.DataFieldVM.PropertyChanged += (sender, args) => OnPropertyChanged(nameof(TimeDateStampString));

			PointerToSymbolTableVM = new UInt32HexField(buffer, Name, "PointerToSymbolTable", startOffset + 8);
			NumberOfSymbolsVM = new UInt32HexField(buffer, Name, "NumberOfSymbols", startOffset + 0x0C);
			SizeOfOptionalHeaderVM = new UInt16HexField(buffer, Name, "SizeOfOptionalHeader", startOffset + 0x10);

			// One boolean bit field per Characteristics bit, bit 0 first.
			CharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "Characteristics", startOffset + 0x12);
			var characteristicBits = new[] {
				new BooleanHexBitField("Relocs Stripped", 0),
				new BooleanHexBitField("Executable Image", 1),
				new BooleanHexBitField("Line Nums Stripped", 2),
				new BooleanHexBitField("Local Syms Stripped", 3),
				new BooleanHexBitField("Aggressive WS Trim", 4),
				new BooleanHexBitField("Large Address Aware", 5),
				new BooleanHexBitField("Reserved 0040h", 6),
				new BooleanHexBitField("Bytes Reversed Lo", 7),
				new BooleanHexBitField("32-Bit Machine", 8),
				new BooleanHexBitField("Debug Stripped", 9),
				new BooleanHexBitField("Removable Run From Swap", 10),
				new BooleanHexBitField("Net Run From Swap", 11),
				new BooleanHexBitField("System", 12),
				new BooleanHexBitField("Dll", 13),
				new BooleanHexBitField("Up System Only", 14),
				new BooleanHexBitField("Bytes Reversed Hi", 15),
			};
			foreach (var bitField in characteristicBits) {
				CharacteristicsVM.Add(bitField);
			}

			// Fields in the order they are assigned above.
			hexFields = new HexField[] {
				MachineVM, NumberOfSectionsVM, TimeDateStampVM, PointerToSymbolTableVM,
				NumberOfSymbolsVM, SizeOfOptionalHeaderVM, CharacteristicsVM,
			};
		}