Ejemplo n.º 1
0
        public void ImageCor20HeaderConstructorWorks_Test()
        {
            var imageCor20Header = new ImageCor20Header(new BufferFile(RawDotNetStructures.RawImageCor20Header), 3);

            Assert.Equal((uint)0x33221100, imageCor20Header.Cb);
            Assert.Equal((uint)0x5544, imageCor20Header.MajorRuntimeVersion);
            Assert.Equal((uint)0x7766, imageCor20Header.MinorRuntimeVersion);
            Assert.Equal((uint)0xbbaa9988, imageCor20Header.MetaData.VirtualAddress);
            Assert.Equal((uint)0xffeeddcc, imageCor20Header.MetaData.Size);
            Assert.True(imageCor20Header.Flags.HasFlag(ComFlagsType.IlLibrary));
            Assert.True(imageCor20Header.Flags.HasFlag(ComFlagsType.TrackDebugData));
            Assert.False(imageCor20Header.Flags.HasFlag(ComFlagsType.BitRequired32));
            Assert.Equal((uint)0x88776655, imageCor20Header.EntryPointToken);
            Assert.Equal((uint)0x88776655, imageCor20Header.EntryPointRva);
            Assert.Equal((uint)0xccbbaa99, imageCor20Header.Resources.VirtualAddress);
            Assert.Equal((uint)0x11ffeedd, imageCor20Header.Resources.Size);
            Assert.Equal((uint)0xddccbbaa, imageCor20Header.StrongNameSignature.VirtualAddress);
            Assert.Equal((uint)0x2211ffee, imageCor20Header.StrongNameSignature.Size);
            Assert.Equal((uint)0xeeddccbb, imageCor20Header.CodeManagerTable.VirtualAddress);
            Assert.Equal((uint)0x332211ff, imageCor20Header.CodeManagerTable.Size);
            Assert.Equal((uint)0xffeeddcc, imageCor20Header.VTableFixups.VirtualAddress);
            Assert.Equal((uint)0x44332211, imageCor20Header.VTableFixups.Size);
            Assert.Equal((uint)0x11ffeedd, imageCor20Header.ExportAddressTableJumps.VirtualAddress);
            Assert.Equal((uint)0x55443322, imageCor20Header.ExportAddressTableJumps.Size);
            Assert.Equal((uint)0x2211ffee, imageCor20Header.ManagedNativeHeader.VirtualAddress);
            Assert.Equal((uint)0x66554433, imageCor20Header.ManagedNativeHeader.Size);
        }
Ejemplo n.º 2
0
 static uint GetEntryPointToken(string?filename)
 {
     try {
         using (var peImage = new PEImage(filename)) {
             var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
             if (dotNetDir.VirtualAddress == 0)
             {
                 return(0);
             }
             if (dotNetDir.Size < 0x48)
             {
                 return(0);
             }
             var cor20HeaderReader = peImage.CreateReader(dotNetDir.VirtualAddress, 0x48);
             var cor20Header       = new ImageCor20Header(ref cor20HeaderReader, true);
             if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0)
             {
                 return(0);
             }
             uint token = cor20Header.EntryPointToken_or_RVA;
             if ((Table)(token >> 24) == Table.Method && (token & 0x00FFFFFF) != 0)
             {
                 return(token);
             }
         }
     }
     catch {
     }
     return(0);
 }
Ejemplo n.º 3
0
 public void ResolveComFlags_Single_Test()
 {
     Assert.Equal("IlOnly", ImageCor20Header.ResolveComFlags(ComFlagsType.IlOnly).First());
     Assert.Equal("BitRequired32", ImageCor20Header.ResolveComFlags(ComFlagsType.BitRequired32).First());
     Assert.Equal("IlLibrary", ImageCor20Header.ResolveComFlags(ComFlagsType.IlLibrary).First());
     Assert.Equal("StrongNameSigned", ImageCor20Header.ResolveComFlags(ComFlagsType.StrongNameSigned).First());
     Assert.Equal("NativeEntrypoint", ImageCor20Header.ResolveComFlags(ComFlagsType.NativeEntrypoint).First());
     Assert.Equal("TrackDebugData", ImageCor20Header.ResolveComFlags(ComFlagsType.TrackDebugData).First());
 }
Ejemplo n.º 4
0
        public void ResolveComFlags_Multiple_Test()
        {
            const uint flags    = 0x00010005;
            var        resolved = ImageCor20Header.ResolveComFlags((ComFlagsType)flags);

            Assert.Equal(3, resolved.Count);
            Assert.Equal("IlOnly", resolved[0]);
            Assert.Equal("IlLibrary", resolved[1]);
            Assert.Equal("TrackDebugData", resolved[2]);
        }
Ejemplo n.º 5
0
        static uint GetEntryPointToken(string filename, out string otherModuleName)
        {
            otherModuleName = null;
            IImageStream cor20HeaderStream = null;

            try {
                using (var peImage = new PEImage(filename)) {
                    var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
                    if (dotNetDir.VirtualAddress == 0)
                    {
                        return(0);
                    }
                    if (dotNetDir.Size < 0x48)
                    {
                        return(0);
                    }
                    var cor20Header = new ImageCor20Header(cor20HeaderStream = peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true);
                    if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0)
                    {
                        return(0);
                    }
                    uint token = cor20Header.EntryPointToken_or_RVA;
                    if ((Table)(token >> 24) != Table.File)
                    {
                        return(token);
                    }

                    using (var mod = ModuleDefMD.Load(peImage)) {
                        var file = mod.ResolveFile(token & 0x00FFFFFF);
                        if (file == null || !file.ContainsMetaData)
                        {
                            return(0);
                        }

                        otherModuleName = file.Name;
                        return(token);
                    }
                }
            }
            catch {
            }
            finally {
                if (cor20HeaderStream != null)
                {
                    cor20HeaderStream.Dispose();
                }
            }
            return(0);
        }
Ejemplo n.º 6
0
 unsafe (IntPtr metadataAddress, int metadataSize) GetMetadataInfo()
 {
     try {
         var peImage   = new PEImage(address, size, isFileLayout ? ImageLayout.File : ImageLayout.Memory, true);
         var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
         if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48)
         {
             var cor20   = new ImageCor20Header(peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true);
             var mdStart = (long)peImage.ToFileOffset(cor20.MetaData.VirtualAddress);
             var mdAddr  = new IntPtr((byte *)address + mdStart);
             var mdSize  = (int)cor20.MetaData.Size;
             return(mdAddr, mdSize);
         }
     }
     catch (Exception ex) when(ex is IOException || ex is BadImageFormatException)
     {
         Debug.Fail("Couldn't read .NET metadata");
     }
     return(IntPtr.Zero, 0);
 }
Ejemplo n.º 7
0
        public unsafe DbgRawMetadataImpl(DbgProcess process, bool isFileLayout, ulong moduleAddress, int moduleSize)
        {
            lockObj           = new object();
            referenceCounter  = 1;
            this.isFileLayout = isFileLayout;
            size = moduleSize;

            try {
                // Prevent allocation on the LOH. We'll also be able to free the memory as soon as it's not needed.
                address = NativeMethods.VirtualAlloc(IntPtr.Zero, new IntPtr(moduleSize), NativeMethods.MEM_COMMIT, NativeMethods.PAGE_READWRITE);
                if (address == IntPtr.Zero)
                {
                    throw new OutOfMemoryException();
                }
                process.ReadMemory(moduleAddress, (byte *)address.ToPointer(), size);

                try {
                    var peImage   = new PEImage(address, size, isFileLayout ? ImageLayout.File : ImageLayout.Memory, true);
                    var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
                    if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48)
                    {
                        var cor20   = new ImageCor20Header(peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true);
                        var mdStart = (long)peImage.ToFileOffset(cor20.MetaData.VirtualAddress);
                        metadataAddress = new IntPtr((byte *)address + mdStart);
                        metadataSize    = (int)cor20.MetaData.Size;
                    }
                }
                catch (Exception ex) when(ex is IOException || ex is BadImageFormatException)
                {
                    Debug.Fail("Couldn't read .NET metadata");
                }
            }
            catch {
                Dispose();
                throw;
            }
        }
Ejemplo n.º 8
0
		void CreateChunks() {
			peHeaders = new PEHeaders(Options.PEHeadersOptions);

			if (!Options.Is64Bit) {
				importAddressTable = new ImportAddressTable();
				importDirectory = new ImportDirectory();
				startupStub = new StartupStub();
				relocDirectory = new RelocDirectory();
			}

			CreateStrongNameSignature();

			imageCor20Header = new ImageCor20Header(Options.Cor20HeaderOptions);
			CreateMetaDataChunks(module);

			CreateDebugDirectory();

			if (importDirectory != null)
				importDirectory.IsExeFile = Options.IsExeFile;

			peHeaders.IsExeFile = Options.IsExeFile;
		}
Ejemplo n.º 9
0
 public PECLIModel(IPEImage image, ImageCor20Header header)
 {
     Image     = image;
     CLIHeader = header;
 }
Ejemplo n.º 10
0
        void CreateChunks()
        {
            bool hasDebugDirectory = false;

            peHeaders = new PEHeaders(Options.PEHeadersOptions);

            if (!Options.Is64Bit) {
                importAddressTable = new ImportAddressTable();
                importDirectory = new ImportDirectory();
                startupStub = new StartupStub();
                relocDirectory = new RelocDirectory();
            }

            if (Options.StrongNameKey != null)
                strongNameSignature = new StrongNameSignature(Options.StrongNameKey.SignatureSize);
            else if (module.Assembly != null && !PublicKeyBase.IsNullOrEmpty2(module.Assembly.PublicKey)) {
                int len = module.Assembly.PublicKey.Data.Length - 0x20;
                strongNameSignature = new StrongNameSignature(len > 0 ? len : 0x80);
            }
            else if (((Options.Cor20HeaderOptions.Flags ?? module.Cor20HeaderFlags) & ComImageFlags.StrongNameSigned) != 0)
                strongNameSignature = new StrongNameSignature(0x80);

            imageCor20Header = new ImageCor20Header(Options.Cor20HeaderOptions);
            CreateMetaDataChunks(module);

            if (hasDebugDirectory)
                debugDirectory = new DebugDirectory();

            if (importDirectory != null)
                importDirectory.IsExeFile = Options.IsExeFile;

            peHeaders.IsExeFile = Options.IsExeFile;
        }
Ejemplo n.º 11
0
        static void Main(string[] args)
        {
            string dllPath = String.Empty;

            if (args.Length > 0)
            {
                dllPath = args[0];
                if (File.Exists(dllPath))
                {
                    ModuleContext context  = ModuleDef.CreateModuleContext();
                    ModuleDefMD   module   = ModuleDefMD.Load(dllPath);
                    Metadata      metadata = module.Metadata;
                    //MetaHeader
                    MetadataHeader metadataHeader = metadata.MetadataHeader;
                    //存储流Header数量
                    int count = metadataHeader.StreamHeaders.Count;
                    //Cor20头
                    ImageCor20Header imageCor20Header = metadata.ImageCor20Header;
                    int cbOffeset = 0x208;                                                       //cb偏移
                    int Metadata_VirtualAddress = (int)imageCor20Header.Metadata.VirtualAddress; //Metadata RVA
                    int MetadataOffeset         = Metadata_VirtualAddress - 0x1E00;              //metadata文件偏移
                    int stringHeaderSize        = 0;                                             //stringHeader size
                    int iMajorVerOffeset        = MetadataOffeset + 0x4;
                    int iMinorVerOffeset        = iMajorVerOffeset + 0x2;
                    int VersionStringLOffeset   = MetadataOffeset + 0xC;
                    int stringHeaderOffeset     = MetadataOffeset + 0x30;
                    int pe1 = 0x82;
                    int pe2 = 0x83;
                    int nrs = 0xF4;
                    for (int i = 0; i < count; i++)
                    {
                        StreamHeader header = metadataHeader.StreamHeaders[i];
                        if (header.Name.Contains("Strings"))
                        {
                            stringHeaderSize = (int)header.StreamSize;
                        }
                    }
                    byte[] buffer = File.ReadAllBytes(dllPath);
                    buffer[pe1]                   = 0x2E;
                    buffer[pe2]                   = 0x2E;
                    buffer[nrs]                   = 0xF;
                    buffer[cbOffeset]             = 0x88;
                    buffer[iMajorVerOffeset]      = 0x2;
                    buffer[iMinorVerOffeset]      = 0x2;
                    buffer[VersionStringLOffeset] = 0xB;
                    byte temp = buffer[stringHeaderOffeset];
                    buffer[stringHeaderOffeset]     = buffer[stringHeaderOffeset + 1];
                    buffer[stringHeaderOffeset + 1] = buffer[stringHeaderOffeset + 2];
                    buffer[stringHeaderOffeset + 2] = temp;
                    string savePath = dllPath.Replace(".dll", "_encrypt.dll");
                    File.WriteAllBytes(savePath, buffer);
                    Console.ReadKey();
                }
                else
                {
                    Console.WriteLine("文件不存在!\n按任意键退出!");
                    Console.ReadLine();
                }
            }
            else
            {
                Console.WriteLine("文件输入有误!\n按任意键退出!");
                Console.ReadLine();
            }
        }
Ejemplo n.º 12
0
 public PEImageModel(IPEImage peImage, ImageCor20Header cliHeader)
 {
     Image     = peImage;
     CLIHeader = cliHeader;
     Text      = "PE Image";
 }
Ejemplo n.º 13
0
        private PEInfo(string filename)
        {
            _filename = filename;
            try {
                IsPEBinary      = true;
                _executableInfo = new Lazy <ExecutableInfo>(() => {
                    var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native;
                    if (IsAny)
                    {
                        result |= ExecutableInfo.any;
                    }
                    else
                    {
                        switch (CoffHeader.Machine)
                        {
                        case 0x01c0:
                            result |= ExecutableInfo.arm;
                            break;

                        case 0x014c:
                            result |= ExecutableInfo.x86;
                            break;

                        case 0x0200:
                            result |= ExecutableInfo.ia64;
                            break;

                        case 0x8664:
                            result |= ExecutableInfo.x64;
                            break;

                        default:
                            throw new ClrPlusException("Unrecognized Executable Machine Type.");
                        }
                    }

                    return(result);
                });

                _fileVersionInfo   = new Lazy <FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename));
                _fileVersionString =
                    new Lazy <string>(
                        () =>
                        string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart,
                                      _fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart));
                _fileVersionLong =
                    new Lazy <ulong>(
                        () =>
                        (((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) +
                        (((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart);

#if TODO
                DependencyInformation = new CacheEnumerable <DependencyInformation>(DependencyInformationImpl);
#endif
                using (var reader = new BinaryReader(File.OpenRead(_filename))) {
                    // Skip DOS Header and seek to PE signature
                    if (reader.ReadUInt16() != 0x5A4D)
                    {
                        // Logger.Warning("File '{0}' does not have a valid PE Header", _filename);
                        throw new ClrPlusException("Invalid DOS header.", true);
                    }

                    reader.ReadBytes(58);
                    reader.BaseStream.Position = reader.ReadUInt32();

                    // Read "PE\0\0" signature
                    if (reader.ReadUInt32() != 0x00004550)
                    {
                        throw new ClrPlusException("File is not a portable executable.");
                    }

                    // Read COFF header
                    CoffHeader = new ImageCoffHeader {
                        Machine            = reader.ReadUInt16(),
                        NumberOfSections   = reader.ReadUInt16(),
                        TimeDateStamp      = reader.ReadUInt32(),
                        SymbolTablePointer = reader.ReadUInt32(),
                        NumberOfSymbols    = reader.ReadUInt32(),
                        OptionalHeaderSize = reader.ReadUInt16(),
                        Characteristics    = reader.ReadUInt16()
                    };

                    // Compute data sections offset
                    var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;

                    // Read NT-specific fields
                    NtHeader = new ImageOptionalHeaderNt();

                    NtHeader.Magic = reader.ReadUInt16();
                    NtHeader.MajorLinkerVersion      = reader.ReadByte();
                    NtHeader.MinorLinkerVersion      = reader.ReadByte();
                    NtHeader.SizeOfCode              = reader.ReadUInt32();
                    NtHeader.SizeOfInitializedData   = reader.ReadUInt32();
                    NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
                    NtHeader.AddressOfEntryPoint     = reader.ReadUInt32();
                    NtHeader.BaseOfCode              = reader.ReadUInt32();

                    if (Is32BitPE)
                    {
                        NtHeader.BaseOfData_32bit = reader.ReadUInt32();
                        NtHeader.ImageBase_32bit  = reader.ReadUInt32();
                    }

                    if (Is64BitPE)
                    {
                        NtHeader.ImageBase_64bit = reader.ReadUInt64();
                    }

                    NtHeader.SectionAlignment = reader.ReadUInt32();
                    NtHeader.FileAlignment    = reader.ReadUInt32();
                    NtHeader.OsMajor          = reader.ReadUInt16();
                    NtHeader.OsMinor          = reader.ReadUInt16();
                    NtHeader.UserMajor        = reader.ReadUInt16();
                    NtHeader.UserMinor        = reader.ReadUInt16();
                    NtHeader.SubSysMajor      = reader.ReadUInt16();
                    NtHeader.SubSysMinor      = reader.ReadUInt16();
                    NtHeader.Reserved         = reader.ReadUInt32();
                    NtHeader.ImageSize        = reader.ReadUInt32();
                    NtHeader.HeaderSize       = reader.ReadUInt32();
                    NtHeader.FileChecksum     = reader.ReadUInt32();
                    NtHeader.SubSystem        = reader.ReadUInt16();
                    NtHeader.DllFlags         = reader.ReadUInt16();

                    if (Is32BitPE)
                    {
                        NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
                        NtHeader.StackCommitSize_32bit  = reader.ReadUInt32();
                        NtHeader.HeapReserveSize_32bit  = reader.ReadUInt32();
                        NtHeader.HeapCommitSize_32bit   = reader.ReadUInt32();
                    }
                    if (Is64BitPE)
                    {
                        NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
                        NtHeader.StackCommitSize_64bit  = reader.ReadUInt64();
                        NtHeader.HeapReserveSize_64bit  = reader.ReadUInt64();
                        NtHeader.HeapCommitSize_64bit   = reader.ReadUInt64();
                    }
                    NtHeader.LoaderFlags             = reader.ReadUInt32();
                    NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
                    if (NtHeader.NumberOfDataDirectories < 16)
                    {
                        return;
                    }

                    // Read data directories
                    _exportTable         = ReadDataDirectory(reader);
                    _importTable         = ReadDataDirectory(reader);
                    _resourceTable       = ReadDataDirectory(reader);
                    _exceptionTable      = ReadDataDirectory(reader);
                    _certificateTable    = ReadDataDirectory(reader);
                    _baseRelocationTable = ReadDataDirectory(reader);
                    _debug                 = ReadDataDirectory(reader);
                    _copyright             = ReadDataDirectory(reader);
                    _globalPtr             = ReadDataDirectory(reader);
                    _tlsTable              = ReadDataDirectory(reader);
                    _loadConfigTable       = ReadDataDirectory(reader);
                    _boundImport           = ReadDataDirectory(reader);
                    _iat                   = ReadDataDirectory(reader);
                    _delayImportDescriptor = ReadDataDirectory(reader);
                    _runtimeHeader         = ReadDataDirectory(reader);
                    _reserved              = ReadDataDirectory(reader);

                    if (_runtimeHeader.Size == 0)
                    {
                        return;
                    }

                    // Read data sections
                    reader.BaseStream.Position = dataSectionsOffset;
                    SectionHeaders             = new ImageSectionHeader[CoffHeader.NumberOfSections];
                    for (var i = 0; i < SectionHeaders.Length; i++)
                    {
                        reader.ReadBytes(12);
                        SectionHeaders[i].VirtualAddress   = reader.ReadUInt32();
                        SectionHeaders[i].SizeOfRawData    = reader.ReadUInt32();
                        SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
                        reader.ReadBytes(16);
                    }

                    // Read COR20 Header
                    reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
                    CorHeader = new ImageCor20Header {
                        Size = reader.ReadUInt32(),
                        MajorRuntimeVersion = reader.ReadUInt16(),
                        MinorRuntimeVersion = reader.ReadUInt16(),
                        MetaData            = ReadDataDirectory(reader),
                        Flags                   = reader.ReadUInt32(),
                        EntryPointToken         = reader.ReadUInt32(),
                        Resources               = ReadDataDirectory(reader),
                        StrongNameSignature     = ReadDataDirectory(reader),
                        CodeManagerTable        = ReadDataDirectory(reader),
                        VTableFixups            = ReadDataDirectory(reader),
                        ExportAddressTableJumps = ReadDataDirectory(reader)
                    };
                }
            } catch {
                IsPEBinary = false;
            }
        }
Ejemplo n.º 14
0
        private PEInfo(string filename) {
            _filename = filename;
            try {
                IsPEBinary = true;
                _executableInfo = new Lazy<ExecutableInfo>(() => {
                    var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native;
                    if (IsAny) {
                        result |= ExecutableInfo.any;
                    } else {
                        switch (CoffHeader.Machine) {
                            case 0x01c0:
                                result |= ExecutableInfo.arm;
                                break;
                            case 0x014c:
                                result |= ExecutableInfo.x86;
                                break;
                            case 0x0200:
                                result |= ExecutableInfo.ia64;
                                break;
                            case 0x8664:
                                result |= ExecutableInfo.x64;
                                break;
                            default:
                                throw new ClrPlusException("Unrecognized Executable Machine Type.");
                        }
                    }

                    return result;
                });

                _fileVersionInfo = new Lazy<FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename));
                _fileVersionString =
                    new Lazy<string>(
                        () =>
                            string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart,
                                _fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart));
                _fileVersionLong =
                    new Lazy<ulong>(
                        () =>
                            (((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) +
                                (((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart);

#if TODO
                DependencyInformation = new CacheEnumerable<DependencyInformation>(DependencyInformationImpl);
#endif
                using (var reader = new BinaryReader(File.OpenRead(_filename))) {
                    // Skip DOS Header and seek to PE signature
                    if (reader.ReadUInt16() != 0x5A4D) {
                        // Logger.Warning("File '{0}' does not have a valid PE Header", _filename);
                        throw new ClrPlusException("Invalid DOS header.", true);
                    }

                    reader.ReadBytes(58);
                    reader.BaseStream.Position = reader.ReadUInt32();

                    // Read "PE\0\0" signature
                    if (reader.ReadUInt32() != 0x00004550) {
                        throw new ClrPlusException("File is not a portable executable.");
                    }

                    // Read COFF header
                    CoffHeader = new ImageCoffHeader {
                        Machine = reader.ReadUInt16(),
                        NumberOfSections = reader.ReadUInt16(),
                        TimeDateStamp = reader.ReadUInt32(),
                        SymbolTablePointer = reader.ReadUInt32(),
                        NumberOfSymbols = reader.ReadUInt32(),
                        OptionalHeaderSize = reader.ReadUInt16(),
                        Characteristics = reader.ReadUInt16()
                    };

                    // Compute data sections offset
                    var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;

                    // Read NT-specific fields
                    NtHeader = new ImageOptionalHeaderNt();

                    NtHeader.Magic = reader.ReadUInt16();
                    NtHeader.MajorLinkerVersion = reader.ReadByte();
                    NtHeader.MinorLinkerVersion = reader.ReadByte();
                    NtHeader.SizeOfCode = reader.ReadUInt32();
                    NtHeader.SizeOfInitializedData = reader.ReadUInt32();
                    NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
                    NtHeader.AddressOfEntryPoint = reader.ReadUInt32();
                    NtHeader.BaseOfCode = reader.ReadUInt32();

                    if (Is32BitPE) {
                        NtHeader.BaseOfData_32bit = reader.ReadUInt32();
                        NtHeader.ImageBase_32bit = reader.ReadUInt32();
                    }

                    if (Is64BitPE) {
                        NtHeader.ImageBase_64bit = reader.ReadUInt64();
                    }

                    NtHeader.SectionAlignment = reader.ReadUInt32();
                    NtHeader.FileAlignment = reader.ReadUInt32();
                    NtHeader.OsMajor = reader.ReadUInt16();
                    NtHeader.OsMinor = reader.ReadUInt16();
                    NtHeader.UserMajor = reader.ReadUInt16();
                    NtHeader.UserMinor = reader.ReadUInt16();
                    NtHeader.SubSysMajor = reader.ReadUInt16();
                    NtHeader.SubSysMinor = reader.ReadUInt16();
                    NtHeader.Reserved = reader.ReadUInt32();
                    NtHeader.ImageSize = reader.ReadUInt32();
                    NtHeader.HeaderSize = reader.ReadUInt32();
                    NtHeader.FileChecksum = reader.ReadUInt32();
                    NtHeader.SubSystem = reader.ReadUInt16();
                    NtHeader.DllFlags = reader.ReadUInt16();

                    if (Is32BitPE) {
                        NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
                        NtHeader.StackCommitSize_32bit = reader.ReadUInt32();
                        NtHeader.HeapReserveSize_32bit = reader.ReadUInt32();
                        NtHeader.HeapCommitSize_32bit = reader.ReadUInt32();
                    }
                    if (Is64BitPE) {
                        NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
                        NtHeader.StackCommitSize_64bit = reader.ReadUInt64();
                        NtHeader.HeapReserveSize_64bit = reader.ReadUInt64();
                        NtHeader.HeapCommitSize_64bit = reader.ReadUInt64();
                    }
                    NtHeader.LoaderFlags = reader.ReadUInt32();
                    NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
                    if (NtHeader.NumberOfDataDirectories < 16) {
                        return;
                    }

                    // Read data directories
                    _exportTable = ReadDataDirectory(reader);
                    _importTable = ReadDataDirectory(reader);
                    _resourceTable = ReadDataDirectory(reader);
                    _exceptionTable = ReadDataDirectory(reader);
                    _certificateTable = ReadDataDirectory(reader);
                    _baseRelocationTable = ReadDataDirectory(reader);
                    _debug = ReadDataDirectory(reader);
                    _copyright = ReadDataDirectory(reader);
                    _globalPtr = ReadDataDirectory(reader);
                    _tlsTable = ReadDataDirectory(reader);
                    _loadConfigTable = ReadDataDirectory(reader);
                    _boundImport = ReadDataDirectory(reader);
                    _iat = ReadDataDirectory(reader);
                    _delayImportDescriptor = ReadDataDirectory(reader);
                    _runtimeHeader = ReadDataDirectory(reader);
                    _reserved = ReadDataDirectory(reader);

                    if (_runtimeHeader.Size == 0) {
                        return;
                    }

                    // Read data sections
                    reader.BaseStream.Position = dataSectionsOffset;
                    SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections];
                    for (var i = 0; i < SectionHeaders.Length; i++) {
                        reader.ReadBytes(12);
                        SectionHeaders[i].VirtualAddress = reader.ReadUInt32();
                        SectionHeaders[i].SizeOfRawData = reader.ReadUInt32();
                        SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
                        reader.ReadBytes(16);
                    }

                    // Read COR20 Header
                    reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
                    CorHeader = new ImageCor20Header {
                        Size = reader.ReadUInt32(),
                        MajorRuntimeVersion = reader.ReadUInt16(),
                        MinorRuntimeVersion = reader.ReadUInt16(),
                        MetaData = ReadDataDirectory(reader),
                        Flags = reader.ReadUInt32(),
                        EntryPointToken = reader.ReadUInt32(),
                        Resources = ReadDataDirectory(reader),
                        StrongNameSignature = ReadDataDirectory(reader),
                        CodeManagerTable = ReadDataDirectory(reader),
                        VTableFixups = ReadDataDirectory(reader),
                        ExportAddressTableJumps = ReadDataDirectory(reader)
                    };
                }
            } catch {
                IsPEBinary = false;
            }
        }
Ejemplo n.º 15
0
        public PeReader(string fPath)
        {
            try
            {
                m_fPath   = fPath;
                m_peImage = new PEImage(File.ReadAllBytes(fPath));

                if (m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories.Length >= 14)
                {
                    ImageDataDirectory DotNetDir = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
                    if (m_peImage.ToFileOffset(DotNetDir.VirtualAddress) != 0 && DotNetDir.Size >= 72)
                    {
                        m_cor20Header = new ImageCor20Header(m_peImage.CreateStream(m_peImage.ToFileOffset(DotNetDir.VirtualAddress), 0x48), false);
                        if (m_peImage.ToFileOffset(m_cor20Header.MetaData.VirtualAddress) != 0 && m_cor20Header.MetaData.Size >= 16)
                        {
                            m_isManaged = true;
                            uint           mdSize   = m_cor20Header.MetaData.Size;
                            RVA            mdRva    = m_cor20Header.MetaData.VirtualAddress;
                            MetaDataHeader mdHeader = new MetaDataHeader(m_peImage.CreateStream(m_peImage.ToFileOffset(mdRva), mdSize), false);
                            m_RunTimeVersion = mdHeader.VersionString;
                        }
                    }
                }

                if (m_isManaged == true)
                {
                    ImageSectionHeader sect = m_peImage.ImageSectionHeaders.Where(f => f.DisplayName == ".rsrc").FirstOrDefault();
                    if ((sect != null))
                    {
                        ImageDataDirectory resourceTable = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[2];
                        if ((resourceTable != null))
                        {
                            uint rva  = (uint)resourceTable.VirtualAddress;
                            uint size = sect.VirtualSize > 0 ? sect.VirtualSize : sect.SizeOfRawData;

                            if (rva >= (uint)sect.VirtualAddress && rva < (uint)sect.VirtualAddress + size)
                            {
                                Stream            StreamRead  = m_peImage.CreateFullStream().CreateStream();
                                long              baseAddress = StreamRead.Seek(sect.PointerToRawData + (rva - (uint)sect.VirtualAddress), SeekOrigin.Begin);
                                ResourceDirectory dirInfo     = new ResourceDirectory(StreamRead, baseAddress);

                                if ((dirInfo != null))
                                {
                                    using (BinaryReader reader = new BinaryReader(StreamRead))
                                    {
                                        dirInfo.Read(reader, true, 0);

                                        ResourceEntry        IconGroup  = null;
                                        List <ResourceEntry> IconImages = new List <ResourceEntry>();

                                        foreach (ResourceDirectory dir in dirInfo.Directorys)
                                        {
                                            if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_GROUP_ICON))
                                            {
                                                IconGroup = dir.GetFirstEntry();
                                                break;
                                            }
                                        }

                                        foreach (ResourceDirectory dir in dirInfo.Directorys)
                                        {
                                            if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_ICON))
                                            {
                                                IconImages = dir.GetAllEntrys();
                                                IconImages.Reverse();
                                                break;
                                            }
                                        }

                                        if (IconGroup != null)
                                        {
                                            IconResource icon = new IconResource(StreamRead, IconGroup.DataAddress, sect.PointerToRawData, (uint)sect.VirtualAddress);
                                            icon.Seek();
                                            if (!icon.Read(reader, IconImages))
                                            {
                                                m_MainIcon = null;
                                            }
                                            m_MainIcon = icon.GetIcon(reader);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Interaction.MsgBox(ex);
            }
        }
Ejemplo n.º 16
0
        private Task LoadPEInfo() {
            return _loadingPeInfo ?? (_loadingPeInfo = _tasks.Start(() => {
                // load PE data from working file

                using (var reader = new BinaryReader(File.Open(WorkingCopy, FileMode.Open, FileAccess.Read, FileShare.Read))) {
                    // Skip DOS Header and seek to PE signature
                    if (reader.ReadUInt16() != 0x5A4D) {
                        IsPEFile.Value = false;
                        Is64BitPE.Value = false;
                        Is32BitPE.Value = false;
                        IsManaged.Value = false;
                        IsNative.Value = false;

                        Is32Bit.Value = false;
                        return;
                    }

                    reader.ReadBytes(58);
                    reader.BaseStream.Position = reader.ReadUInt32();

                    // Read "PE\0\0" signature
                    if (reader.ReadUInt32() != 0x00004550) {
                        IsPEFile.Value = false;
                        Is64BitPE.Value = false;
                        Is32BitPE.Value = false;
                        IsManaged.Value = false;
                        IsNative.Value = false;
                        Is32Bit.Value = false;
                        return;
                    }

                    // Read COFF header
                    CoffHeader = new ImageCoffHeader {
                        Machine = reader.ReadUInt16(),
                        NumberOfSections = reader.ReadUInt16(),
                        TimeDateStamp = reader.ReadUInt32(),
                        SymbolTablePointer = reader.ReadUInt32(),
                        NumberOfSymbols = reader.ReadUInt32(),
                        OptionalHeaderSize = reader.ReadUInt16(),
                        Characteristics = reader.ReadUInt16()
                    };

                    // Compute data sections offset
                    var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;

                    // Read NT-specific fields
                    NtHeader = new ImageOptionalHeaderNt();

                    NtHeader.Magic = reader.ReadUInt16();
                    NtHeader.MajorLinkerVersion = reader.ReadByte();
                    NtHeader.MinorLinkerVersion = reader.ReadByte();
                    NtHeader.SizeOfCode = reader.ReadUInt32();
                    NtHeader.SizeOfInitializedData = reader.ReadUInt32();
                    NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
                    NtHeader.AddressOfEntryPoint = reader.ReadUInt32();
                    NtHeader.BaseOfCode = reader.ReadUInt32();

                    // identify this as 64bit or 32bit binary
                    Is64BitPE.Value = NtHeader.Magic == 0x20b;
                    Is32BitPE.Value = NtHeader.Magic == 0x10b;
                    IsPEFile.Value = true;

                    if (Is32BitPE) {
                        NtHeader.BaseOfData_32bit = reader.ReadUInt32();
                        NtHeader.ImageBase_32bit = reader.ReadUInt32();
                    }

                    if (Is64BitPE) {
                        NtHeader.ImageBase_64bit = reader.ReadUInt64();
                    }

                    NtHeader.SectionAlignment = reader.ReadUInt32();
                    NtHeader.FileAlignment = reader.ReadUInt32();
                    NtHeader.OsMajor = reader.ReadUInt16();
                    NtHeader.OsMinor = reader.ReadUInt16();
                    NtHeader.UserMajor = reader.ReadUInt16();
                    NtHeader.UserMinor = reader.ReadUInt16();
                    NtHeader.SubSysMajor = reader.ReadUInt16();
                    NtHeader.SubSysMinor = reader.ReadUInt16();
                    NtHeader.Reserved = reader.ReadUInt32();
                    NtHeader.ImageSize = reader.ReadUInt32();
                    NtHeader.HeaderSize = reader.ReadUInt32();
                    NtHeader.FileChecksum = reader.ReadUInt32();
                    NtHeader.SubSystem = reader.ReadUInt16();
                    NtHeader.DllFlags = reader.ReadUInt16();

                    if (Is32BitPE) {
                        NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
                        NtHeader.StackCommitSize_32bit = reader.ReadUInt32();
                        NtHeader.HeapReserveSize_32bit = reader.ReadUInt32();
                        NtHeader.HeapCommitSize_32bit = reader.ReadUInt32();
                    }
                    if (Is64BitPE) {
                        NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
                        NtHeader.StackCommitSize_64bit = reader.ReadUInt64();
                        NtHeader.HeapReserveSize_64bit = reader.ReadUInt64();
                        NtHeader.HeapCommitSize_64bit = reader.ReadUInt64();
                    }
                    NtHeader.LoaderFlags = reader.ReadUInt32();
                    NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
                    if (NtHeader.NumberOfDataDirectories < 16) {
                        IsManaged.Value = false;
                        IsNative.Value = true;
                        Is32Bit.Value = Is32BitPE;
                        return;
                    }

                    // Read data directories
                    _exportTable = ReadDataDirectory(reader);
                    _importTable = ReadDataDirectory(reader);
                    _resourceTable = ReadDataDirectory(reader);
                    _exceptionTable = ReadDataDirectory(reader);
                    _certificateTable = ReadDataDirectory(reader);
                    _baseRelocationTable = ReadDataDirectory(reader);
                    _debug = ReadDataDirectory(reader);
                    _copyright = ReadDataDirectory(reader);
                    _globalPtr = ReadDataDirectory(reader);
                    _tlsTable = ReadDataDirectory(reader);
                    _loadConfigTable = ReadDataDirectory(reader);
                    _boundImport = ReadDataDirectory(reader);
                    _iat = ReadDataDirectory(reader);
                    _delayImportDescriptor = ReadDataDirectory(reader);
                    _runtimeHeader = ReadDataDirectory(reader);
                    _reserved = ReadDataDirectory(reader);

                    if (_runtimeHeader.Size == 0) {
                        IsManaged.Value = false;
                        IsNative.Value = true;
                        Is32Bit.Value = Is32BitPE;
                        return;
                    }

                    // Read data sections
                    reader.BaseStream.Position = dataSectionsOffset;
                    SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections];
                    for (var i = 0; i < SectionHeaders.Length; i++) {
                        reader.ReadBytes(12);
                        SectionHeaders[i].VirtualAddress = reader.ReadUInt32();
                        SectionHeaders[i].SizeOfRawData = reader.ReadUInt32();
                        SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
                        reader.ReadBytes(16);
                    }

                    // Read COR20 Header
                    reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
                    CorHeader = new ImageCor20Header {
                        Size = reader.ReadUInt32(),
                        MajorRuntimeVersion = reader.ReadUInt16(),
                        MinorRuntimeVersion = reader.ReadUInt16(),
                        MetaData = ReadDataDirectory(reader),
                        Flags = reader.ReadUInt32(),
                        EntryPointToken = reader.ReadUInt32(),
                        Resources = ReadDataDirectory(reader),
                        StrongNameSignature = ReadDataDirectory(reader),
                        CodeManagerTable = ReadDataDirectory(reader),
                        VTableFixups = ReadDataDirectory(reader),
                        ExportAddressTableJumps = ReadDataDirectory(reader)
                    };

                    // we got a CorHeader -- we must be managed.
                    IsManaged.Value = true;
                    IsNative.Value = false;
                    Is32Bit.Value = (CorHeader.Flags & 0x0002) != 0;
                }
            }));
        }