Beispiel #1
0
        public TablesStreamVM(HexDocument doc, TablesStream tblStream)
        {
            ulong startOffset = (ulong)tblStream.StartOffset;
            this.m_ulReservedVM = new UInt32HexField(doc, Name, "m_ulReserved", startOffset + 0);
            this.m_majorVM = new ByteHexField(doc, Name, "m_major", startOffset + 4, true);
            this.m_minorVM = new ByteHexField(doc, Name, "m_minor", startOffset + 5, true);
            this.m_heapsVM = new ByteFlagsHexField(doc, Name, "m_heaps", startOffset + 6);
            this.m_heapsVM.Add(new BooleanHexBitField("BigStrings", 0));
            this.m_heapsVM.Add(new BooleanHexBitField("BigGUID", 1));
            this.m_heapsVM.Add(new BooleanHexBitField("BigBlob", 2));
            this.m_heapsVM.Add(new BooleanHexBitField("Padding", 3));
            this.m_heapsVM.Add(new BooleanHexBitField("Reserved", 4));
            this.m_heapsVM.Add(new BooleanHexBitField("DeltaOnly", 5));
            this.m_heapsVM.Add(new BooleanHexBitField("ExtraData", 6));
            this.m_heapsVM.Add(new BooleanHexBitField("HasDelete", 7));
            this.m_ridVM = new ByteHexField(doc, Name, "m_rid", startOffset + 7);
            this.m_maskvalidVM = new UInt64FlagsHexField(doc, Name, "m_maskvalid", startOffset + 8);
            AddTableFlags(this.m_maskvalidVM);
            this.m_sortedVM = new UInt64FlagsHexField(doc, Name, "m_sorted", startOffset + 0x10);
            AddTableFlags(this.m_sortedVM);

            var list = new List<HexField> {
                m_ulReservedVM,
                m_majorVM,
                m_minorVM,
                m_heapsVM,
                m_ridVM,
                m_maskvalidVM,
                m_sortedVM,
            };

            this.rowsVM = new UInt32HexField[64];
            ulong valid = tblStream.ValidMask;
            ulong offs = startOffset + 0x18;
            for (int i = 0; i < this.rowsVM.Length; i++) {
                this.rowsVM[i] = new UInt32HexField(doc, Name, string.Format("rows[{0:X2}]", i), offs);
                if ((valid & 1) != 0) {
                    list.Add(this.rowsVM[i]);
                    offs += 4;
                }
                else
                    this.rowsVM[i].IsVisible = false;

                valid >>= 1;
            }

            this.m_ulExtraVM = new UInt32HexField(doc, Name, "m_ulExtra", offs);
            this.m_ulExtraVM.IsVisible = tblStream.HasExtraData;
            if (tblStream.HasExtraData)
                list.Add(this.m_ulExtraVM);

            Debug.Assert(offs == (ulong)tblStream.MDTables[0].StartOffset);

            this.hexFields = list.ToArray();
        }
Beispiel #2
0
        public StorageHeaderVM(HexDocument doc, ulong startOffset)
        {
            this.fFlagsVM = new ByteFlagsHexField(doc, Name, "fFlags", startOffset + 0);
            this.fFlagsVM.Add(new BooleanHexBitField("ExtraData", 0));
            this.padVM      = new ByteHexField(doc, Name, "pad", startOffset + 1);
            this.iStreamsVM = new UInt16HexField(doc, Name, "iStreams", startOffset + 2);

            this.hexFields = new HexField[] {
                fFlagsVM,
                padVM,
                iStreamsVM,
            };
        }
Beispiel #3
0
		public StorageHeaderVM(object owner, HexDocument doc, ulong startOffset)
			: base(owner) {
			this.fFlagsVM = new ByteFlagsHexField(doc, Name, "fFlags", startOffset + 0);
			this.fFlagsVM.Add(new BooleanHexBitField("ExtraData", 0));
			this.padVM = new ByteHexField(doc, Name, "pad", startOffset + 1);
			this.iStreamsVM = new UInt16HexField(doc, Name, "iStreams", startOffset + 2);

			this.hexFields = new HexField[] {
				fFlagsVM,
				padVM,
				iStreamsVM,
			};
		}
Beispiel #4
0
        public TablesStreamVM(object owner, HexDocument doc, TablesStream tblStream)
            : base(owner)
        {
            ulong startOffset = (ulong)tblStream.StartOffset;

            this.m_ulReservedVM = new UInt32HexField(doc, Name, "m_ulReserved", startOffset + 0);
            this.m_majorVM      = new ByteHexField(doc, Name, "m_major", startOffset + 4, true);
            this.m_minorVM      = new ByteHexField(doc, Name, "m_minor", startOffset + 5, true);
            this.m_heapsVM      = new ByteFlagsHexField(doc, Name, "m_heaps", startOffset + 6);
            this.m_heapsVM.Add(new BooleanHexBitField("BigStrings", 0));
            this.m_heapsVM.Add(new BooleanHexBitField("BigGUID", 1));
            this.m_heapsVM.Add(new BooleanHexBitField("BigBlob", 2));
            this.m_heapsVM.Add(new BooleanHexBitField("Padding", 3));
            this.m_heapsVM.Add(new BooleanHexBitField("Reserved", 4));
            this.m_heapsVM.Add(new BooleanHexBitField("DeltaOnly", 5));
            this.m_heapsVM.Add(new BooleanHexBitField("ExtraData", 6));
            this.m_heapsVM.Add(new BooleanHexBitField("HasDelete", 7));
            this.m_ridVM       = new ByteHexField(doc, Name, "m_rid", startOffset + 7);
            this.m_maskvalidVM = new UInt64FlagsHexField(doc, Name, "m_maskvalid", startOffset + 8);
            AddTableFlags(this.m_maskvalidVM);
            this.m_sortedVM = new UInt64FlagsHexField(doc, Name, "m_sorted", startOffset + 0x10);
            AddTableFlags(this.m_sortedVM);

            var list = new List <HexField> {
                m_ulReservedVM,
                m_majorVM,
                m_minorVM,
                m_heapsVM,
                m_ridVM,
                m_maskvalidVM,
                m_sortedVM,
            };

            this.rowsVM = new UInt32HexField[64];
            ulong valid = tblStream.ValidMask;
            ulong offs  = startOffset + 0x18;

            for (int i = 0; i < this.rowsVM.Length; i++)
            {
                this.rowsVM[i] = new UInt32HexField(doc, Name, string.Format("rows[{0:X2}]", i), offs);
                if ((valid & 1) != 0)
                {
                    list.Add(this.rowsVM[i]);
                    offs += 4;
                }
                else
                {
                    this.rowsVM[i].IsVisible = false;
                }

                valid >>= 1;
            }

            this.m_ulExtraVM           = new UInt32HexField(doc, Name, "m_ulExtra", offs);
            this.m_ulExtraVM.IsVisible = tblStream.HasExtraData;
            if (tblStream.HasExtraData)
            {
                list.Add(this.m_ulExtraVM);
            }

            Debug.Assert(offs == (ulong)tblStream.MDTables[0].StartOffset);

            this.hexFields = list.ToArray();
        }
        protected ImageOptionalHeaderVM(HexDocument doc, ulong startOffset, ulong endOffset, ulong offs1, ulong offs2)
        {
            this.magicVM = new UInt16HexField(doc, Name, "Magic", startOffset + 0);
            this.majorLinkerVersionVM = new ByteHexField(doc, Name, "MajorLinkerVersion", startOffset + 2, true);
            this.minorLinkerVersionVM = new ByteHexField(doc, Name, "MinorLinkerVersion", startOffset + 3, true);
            this.sizeOfCodeVM = new UInt32HexField(doc, Name, "SizeOfCode", startOffset + 4);
            this.sizeOfInitializedDataVM = new UInt32HexField(doc, Name, "SizeOfInitializedData", startOffset + 8);
            this.sizeOfUninitializedDataVM = new UInt32HexField(doc, Name, "SizeOfUninitializedData", startOffset + 0x0C);
            this.addressOfEntryPointVM = new UInt32HexField(doc, Name, "AddressOfEntryPoint", startOffset + 0x10);
            this.baseOfCodeVM = new UInt32HexField(doc, Name, "BaseOfCode", startOffset + 0x14);

            this.sectionAlignmentVM = new UInt32HexField(doc, Name, "SectionAlignment", startOffset + offs1 + 0);
            this.fileAlignmentVM = new UInt32HexField(doc, Name, "FileAlignment", startOffset + offs1 + 4);
            this.majorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MajorOperatingSystemVersion", startOffset + offs1 + 8, true);
            this.minorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MinorOperatingSystemVersion", startOffset + offs1 + 0x0A, true);
            this.majorImageVersionVM = new UInt16HexField(doc, Name, "MajorImageVersion", startOffset + offs1 + 0x0C, true);
            this.minorImageVersionVM = new UInt16HexField(doc, Name, "MinorImageVersion", startOffset + offs1 + 0x0E, true);
            this.majorSubsystemVersionVM = new UInt16HexField(doc, Name, "MajorSubsystemVersion", startOffset + offs1 + 0x10, true);
            this.minorSubsystemVersionVM = new UInt16HexField(doc, Name, "MinorSubsystemVersion", startOffset + offs1 + 0x12, true);
            this.win32VersionValueVM = new UInt32HexField(doc, Name, "Win32VersionValue", startOffset + offs1 + 0x14, true);
            this.sizeOfImageVM = new UInt32HexField(doc, Name, "SizeOfImage", startOffset + offs1 + 0x18);
            this.sizeOfHeadersVM = new UInt32HexField(doc, Name, "SizeOfHeaders", startOffset + offs1 + 0x1C);
            this.checkSumVM = new UInt32HexField(doc, Name, "CheckSum", startOffset + offs1 + 0x20);
            this.subsystemVM = new UInt16FlagsHexField(doc, Name, "Subsystem", startOffset + offs1 + 0x24);
            this.subsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));
            this.dllCharacteristicsVM = new UInt16FlagsHexField(doc, Name, "DllCharacteristics", startOffset + offs1 + 0x26);
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved1", 0));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved2", 1));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved3", 2));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved4", 3));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved5", 4));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("High Entropy VA", 5));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Dynamic Base", 6));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Force Integrity", 7));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("NX Compat", 8));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No Isolation", 9));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No SEH", 10));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No Bind", 11));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("AppContainer", 12));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("WDM Driver", 13));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Guard CF", 14));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Terminal Server Aware", 15));
            this.loaderFlagsVM = new UInt32HexField(doc, Name, "LoaderFlags", startOffset + offs2 + 0);
            this.numberOfRvaAndSizesVM = new UInt32HexField(doc, Name, "NumberOfRvaAndSizes", startOffset + offs2 + 4);

            ulong doffs = offs2 + 8;
            this.dataDir0VM = new DataDirVM(doc, Name, "Export", startOffset + doffs + 0);
            this.dataDir1VM = new DataDirVM(doc, Name, "Import", startOffset + doffs + 8);
            this.dataDir2VM = new DataDirVM(doc, Name, "Resource", startOffset + doffs + 0x10);
            this.dataDir3VM = new DataDirVM(doc, Name, "Exception", startOffset + doffs + 0x18);
            this.dataDir4VM = new DataDirVM(doc, Name, "Security", startOffset + doffs + 0x20);
            this.dataDir5VM = new DataDirVM(doc, Name, "Base Reloc", startOffset + doffs + 0x28);
            this.dataDir6VM = new DataDirVM(doc, Name, "Debug", startOffset + doffs + 0x30);
            this.dataDir7VM = new DataDirVM(doc, Name, "Architecture", startOffset + doffs + 0x38);
            this.dataDir8VM = new DataDirVM(doc, Name, "Global Ptr", startOffset + doffs + 0x40);
            this.dataDir9VM = new DataDirVM(doc, Name, "TLS", startOffset + doffs + 0x48);
            this.dataDir10VM = new DataDirVM(doc, Name, "Load Config", startOffset + doffs + 0x50);
            this.dataDir11VM = new DataDirVM(doc, Name, "Bound Import", startOffset + doffs + 0x58);
            this.dataDir12VM = new DataDirVM(doc, Name, "IAT", startOffset + doffs + 0x60);
            this.dataDir13VM = new DataDirVM(doc, Name, "Delay Import", startOffset + doffs + 0x68);
            this.dataDir14VM = new DataDirVM(doc, Name, ".NET", startOffset + doffs + 0x70);
            this.dataDir15VM = new DataDirVM(doc, Name, "Reserved15", startOffset + doffs + 0x78);
        }
Beispiel #6
0
        protected ImageOptionalHeaderVM(HexDocument doc, ulong startOffset, ulong endOffset, ulong offs1, ulong offs2)
        {
            this.magicVM = new UInt16HexField(doc, Name, "Magic", startOffset + 0);
            this.majorLinkerVersionVM      = new ByteHexField(doc, Name, "MajorLinkerVersion", startOffset + 2, true);
            this.minorLinkerVersionVM      = new ByteHexField(doc, Name, "MinorLinkerVersion", startOffset + 3, true);
            this.sizeOfCodeVM              = new UInt32HexField(doc, Name, "SizeOfCode", startOffset + 4);
            this.sizeOfInitializedDataVM   = new UInt32HexField(doc, Name, "SizeOfInitializedData", startOffset + 8);
            this.sizeOfUninitializedDataVM = new UInt32HexField(doc, Name, "SizeOfUninitializedData", startOffset + 0x0C);
            this.addressOfEntryPointVM     = new UInt32HexField(doc, Name, "AddressOfEntryPoint", startOffset + 0x10);
            this.baseOfCodeVM              = new UInt32HexField(doc, Name, "BaseOfCode", startOffset + 0x14);

            this.sectionAlignmentVM            = new UInt32HexField(doc, Name, "SectionAlignment", startOffset + offs1 + 0);
            this.fileAlignmentVM               = new UInt32HexField(doc, Name, "FileAlignment", startOffset + offs1 + 4);
            this.majorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MajorOperatingSystemVersion", startOffset + offs1 + 8, true);
            this.minorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MinorOperatingSystemVersion", startOffset + offs1 + 0x0A, true);
            this.majorImageVersionVM           = new UInt16HexField(doc, Name, "MajorImageVersion", startOffset + offs1 + 0x0C, true);
            this.minorImageVersionVM           = new UInt16HexField(doc, Name, "MinorImageVersion", startOffset + offs1 + 0x0E, true);
            this.majorSubsystemVersionVM       = new UInt16HexField(doc, Name, "MajorSubsystemVersion", startOffset + offs1 + 0x10, true);
            this.minorSubsystemVersionVM       = new UInt16HexField(doc, Name, "MinorSubsystemVersion", startOffset + offs1 + 0x12, true);
            this.win32VersionValueVM           = new UInt32HexField(doc, Name, "Win32VersionValue", startOffset + offs1 + 0x14, true);
            this.sizeOfImageVM   = new UInt32HexField(doc, Name, "SizeOfImage", startOffset + offs1 + 0x18);
            this.sizeOfHeadersVM = new UInt32HexField(doc, Name, "SizeOfHeaders", startOffset + offs1 + 0x1C);
            this.checkSumVM      = new UInt32HexField(doc, Name, "CheckSum", startOffset + offs1 + 0x20);
            this.subsystemVM     = new UInt16FlagsHexField(doc, Name, "Subsystem", startOffset + offs1 + 0x24);
            this.subsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));
            this.dllCharacteristicsVM = new UInt16FlagsHexField(doc, Name, "DllCharacteristics", startOffset + offs1 + 0x26);
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved1", 0));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved2", 1));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved3", 2));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved4", 3));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Reserved5", 4));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("High Entropy VA", 5));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Dynamic Base", 6));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Force Integrity", 7));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("NX Compat", 8));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No Isolation", 9));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No SEH", 10));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("No Bind", 11));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("AppContainer", 12));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("WDM Driver", 13));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Guard CF", 14));
            this.dllCharacteristicsVM.Add(new BooleanHexBitField("Terminal Server Aware", 15));
            this.loaderFlagsVM         = new UInt32HexField(doc, Name, "LoaderFlags", startOffset + offs2 + 0);
            this.numberOfRvaAndSizesVM = new UInt32HexField(doc, Name, "NumberOfRvaAndSizes", startOffset + offs2 + 4);

            ulong doffs = offs2 + 8;

            this.dataDir0VM  = new DataDirVM(doc, Name, "Export", startOffset + doffs + 0);
            this.dataDir1VM  = new DataDirVM(doc, Name, "Import", startOffset + doffs + 8);
            this.dataDir2VM  = new DataDirVM(doc, Name, "Resource", startOffset + doffs + 0x10);
            this.dataDir3VM  = new DataDirVM(doc, Name, "Exception", startOffset + doffs + 0x18);
            this.dataDir4VM  = new DataDirVM(doc, Name, "Security", startOffset + doffs + 0x20);
            this.dataDir5VM  = new DataDirVM(doc, Name, "Base Reloc", startOffset + doffs + 0x28);
            this.dataDir6VM  = new DataDirVM(doc, Name, "Debug", startOffset + doffs + 0x30);
            this.dataDir7VM  = new DataDirVM(doc, Name, "Architecture", startOffset + doffs + 0x38);
            this.dataDir8VM  = new DataDirVM(doc, Name, "Global Ptr", startOffset + doffs + 0x40);
            this.dataDir9VM  = new DataDirVM(doc, Name, "TLS", startOffset + doffs + 0x48);
            this.dataDir10VM = new DataDirVM(doc, Name, "Load Config", startOffset + doffs + 0x50);
            this.dataDir11VM = new DataDirVM(doc, Name, "Bound Import", startOffset + doffs + 0x58);
            this.dataDir12VM = new DataDirVM(doc, Name, "IAT", startOffset + doffs + 0x60);
            this.dataDir13VM = new DataDirVM(doc, Name, "Delay Import", startOffset + doffs + 0x68);
            this.dataDir14VM = new DataDirVM(doc, Name, ".NET", startOffset + doffs + 0x70);
            this.dataDir15VM = new DataDirVM(doc, Name, "Reserved15", startOffset + doffs + 0x78);
        }