DumpedMethods createDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData)
{
var dumpedMethods = new DumpedMethods();
var methodsDataReader = MemoryImageStream.Create(methodsData);
var fileDataReader = MemoryImageStream.Create(fileData);
var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
for (uint rid = 1; rid <= methodDef.Rows; rid++)
{
var dm = new DumpedMethod();
peImage.readMethodTableRowTo(dm, rid);
if (dm.mdRVA == 0)
{
continue;
}
uint bodyOffset = peImage.rvaToOffset(dm.mdRVA);
byte b = peImage.offsetReadByte(bodyOffset);
uint codeOffset;
if ((b & 3) == 2)
{
if (b != 2)
{
continue; // not zero byte code size
}
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhLocalVarSigTok = 0;
codeOffset = bodyOffset + 1;
}
else
{
if (peImage.offsetReadUInt32(bodyOffset + 4) != 0)
{
continue; // not zero byte code size
}
dm.mhFlags = peImage.offsetReadUInt16(bodyOffset);
dm.mhMaxStack = peImage.offsetReadUInt16(bodyOffset + 2);
dm.mhLocalVarSigTok = peImage.offsetReadUInt32(bodyOffset + 8);
codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
}
fileDataReader.Position = codeOffset;
if (!decrypter.decrypt(fileDataReader, dm))
{
continue;
}
dumpedMethods.add(dm);
}
return(dumpedMethods);
}
static void clearDllBit(byte[] peImageData)
{
using (var mainPeImage = new MyPEImage(peImageData)) {
uint characteristicsOffset = (uint)mainPeImage.PEImage.ImageNTHeaders.FileHeader.StartOffset + 18;
ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
characteristics &= 0xDFFF;
characteristics |= 2;
mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
}
}
short readInt16(uint offset)
{
return((short)peImage.offsetReadUInt16(methodInfosOffset + offset));
}
DumpedMethods createDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData)
{
var dumpedMethods = new DumpedMethods();
var methodsDataReader = MemoryImageStream.Create(methodsData);
var fileDataReader = MemoryImageStream.Create(fileData);
var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
for (uint rid = 1; rid <= methodDef.Rows; rid++) {
var dm = new DumpedMethod();
peImage.readMethodTableRowTo(dm, rid);
if (dm.mdRVA == 0)
continue;
uint bodyOffset = peImage.rvaToOffset(dm.mdRVA);
byte b = peImage.offsetReadByte(bodyOffset);
uint codeOffset;
if ((b & 3) == 2) {
if (b != 2)
continue; // not zero byte code size
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhLocalVarSigTok = 0;
codeOffset = bodyOffset + 1;
}
else {
if (peImage.offsetReadUInt32(bodyOffset + 4) != 0)
continue; // not zero byte code size
dm.mhFlags = peImage.offsetReadUInt16(bodyOffset);
dm.mhMaxStack = peImage.offsetReadUInt16(bodyOffset + 2);
dm.mhLocalVarSigTok = peImage.offsetReadUInt32(bodyOffset + 8);
codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
}
fileDataReader.Position = codeOffset;
if (!decrypter.decrypt(fileDataReader, dm))
continue;
dumpedMethods.add(dm);
}
return dumpedMethods;
}
static void clearDllBit(byte[] peImageData)
{
using (var mainPeImage = new MyPEImage(peImageData)) {
uint characteristicsOffset = (uint)mainPeImage.PEImage.ImageNTHeaders.FileHeader.StartOffset + 18;
ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
characteristics &= 0xDFFF;
characteristics |= 2;
mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
}
}