| private static BytesToUInt32 ( byte b1, byte b2, byte b3, byte b4 ) : uint | ||
| b1 | byte | Highest byte. |
| b2 | byte | Second highest byte. |
| b3 | byte | Second lowest byte. |
| b4 | byte | Lowest byte. |
| return | uint | |
public IMAGE_DATA_DIRECTORY(byte[] buff, UInt32 offset, bool is32Bit)
{
edataOffset = Utility.BytesToUInt32(buff, offset); // Offset to the ExportTable
edataSize = Utility.BytesToUInt32(buff, offset + 4); // Size of the ExportTable
idataOffset = Utility.BytesToUInt32(buff, offset + 8); // Offset to the ImportTable
idataSize = Utility.BytesToUInt32(buff, offset + 12); // Size of the ImportTable
rsrcOffset = Utility.BytesToUInt32(buff, offset + 16);
rsrcSize = Utility.BytesToUInt32(buff, offset + 20);
pdataOffset = Utility.BytesToUInt32(buff, offset + 24);
pdataSize = Utility.BytesToUInt32(buff, offset + 28);
AttributeCertificateOffsetImage = Utility.BytesToUInt32(buff, offset + 32);
AttributeCertificateSizeImage = Utility.BytesToUInt32(buff, offset + 36);
relocOffsetImage = Utility.BytesToUInt32(buff, offset + 40);
relocSizeImage = Utility.BytesToUInt32(buff, offset + 44);
debugOffset = Utility.BytesToUInt32(buff, offset + 48);
debugSize = Utility.BytesToUInt32(buff, offset + 52);
Architecture1 = Utility.BytesToUInt32(buff, offset + 56);
Architecture2 = Utility.BytesToUInt32(buff, offset + 60);
GlobalPtrOffset = Utility.BytesToUInt32(buff, offset + 64);
Zero = Utility.BytesToUInt32(buff, offset + 68); // Always 0x00
tlsOffset = Utility.BytesToUInt32(buff, offset + 72);
tlsSize = Utility.BytesToUInt32(buff, offset + 76);
LoadConfigTableOffsetImage = Utility.BytesToUInt32(buff, offset + 80);
LoadConfigTableSizeImage = Utility.BytesToUInt32(buff, offset + 84);
BoundImportTableOffset = Utility.BytesToUInt32(buff, offset + 88);
BoundImportTableSize = Utility.BytesToUInt32(buff, offset + 92);
ImportAddressTableOffset = Utility.BytesToUInt32(buff, offset + 96);
ImportAddressTableSize = Utility.BytesToUInt32(buff, offset + 100);
DelayImportDescriptorOffsetImage = Utility.BytesToUInt32(buff, offset + 104);
DelayImportDescriptorSizeImage = Utility.BytesToUInt32(buff, offset + 108);
CLRRuntimeHeaderOffsetObject = Utility.BytesToUInt32(buff, offset + 112);
CLRRuntimeHeaderSizeObject = Utility.BytesToUInt32(buff, offset + 116);
}
public IMAGE_THUNK_DATA(byte[] buff, UInt32 offset, IMAGE_SECTION_HEADER[] sh, bool is32Bit)
{
if (is32Bit)
{
Ordinal = Utility.BytesToUInt32(buff, Utility.RVAtoFileMapping(offset, sh));
// Check if import by name or by ordinal.
// If it is an import by ordinal, the most significant bit of "Ordinal" is "1" and the ordinal can
// be extracted from the least significant bits.
// Else it is an import by name and the link to the IMAGE_IMPORT_BY_NAME has to be followed
if ((Ordinal & 0x80000000) == 0x80000000)
{
Ordinal = (Ordinal & 0x7FFFFFFF);
}
else
{
var ordinal = Utility.RVAtoFileMapping((UInt32)Ordinal, sh);
ImageImportByName = ParseImageImportByName(nextItdAddress, mode2, buff, st);
}
}
else
{
Ordinal = Utility.BytesToUInt64(buff, Utility.RVAtoFileMapping(offset, sh));
if ((Ordinal & 0x8000000000000000) == 0x8000000000000000)
{
Ordinal = (Ordinal & 0x7FFFFFFFFFFFFFFF);
}
else
{
var ordinal = Utility.RVAtoFileMapping(Ordinal, sh);
ImageImportByName = ParseImageImportByName(nextItdAddress, mode2, buff, st);
}
}
public IMAGE_OPTIONAL_HEADER(byte [] buff, UInt32 offset, bool is32Bit)
{
Magic = Utility.BytesToUshort(buff, offset);
MajorLinkerVersion = buff[offset + 2];
MinorLinkerVersion = buff[offset + 3];
SizeOfCode = Utility.BytesToUInt32(buff, offset + 4);
SizeOfInitializedData = Utility.BytesToUInt32(buff, offset + 8);
SizeOfUninitializedData = Utility.BytesToUInt32(buff, offset + 0xC);
AddressOfEntryPoint = Utility.BytesToUInt32(buff, offset + 0x10);
BaseOfCode = Utility.BytesToUInt32(buff, offset + 0x14);
BaseOfData = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x18) : 0;
ImageBase = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x1c) : Utility.BytesToUInt64(buff, offset + 0x18);
SectionAlignment = Utility.BytesToUInt32(buff, offset + 0x20);
FileAlignment = Utility.BytesToUInt32(buff, offset + 0x24);
MajorOSVersion = Utility.BytesToUshort(buff, offset + 0x28);
MinorOSVersion = Utility.BytesToUshort(buff, offset + 0x2a);
MajorImageVersion = Utility.BytesToUshort(buff, offset + 0x2c);
MinorImageVersion = Utility.BytesToUshort(buff, offset + 0x2e);
MajorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x30);
MinorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x32);
Win32VersionValue = Utility.BytesToUInt32(buff, offset + 0x34);
SizeOfImage = Utility.BytesToUInt32(buff, offset + 0x38);
SizeOfHeaders = Utility.BytesToUInt32(buff, offset + 0x3c);
Checksum = Utility.BytesToUInt32(buff, offset + 0x40);
Subsystem = Utility.BytesToUshort(buff, offset + 0x44);
DllCharacteristics = Utility.BytesToUshort(buff, offset + 0x46);
SizeOfStackReverse = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x48) : Utility.BytesToUInt64(buff, offset + 0x48);
SizeOfStackCommit = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x4c) : Utility.BytesToUInt64(buff, offset + 0x50);
SizeOfHeapReverse = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x50) : Utility.BytesToUInt64(buff, offset + 0x58);
SizeOfHeapCommit = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x54) : Utility.BytesToUInt64(buff, offset + 0x60);
LoaderFlags = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x58) : Utility.BytesToUInt32(buff, offset + 0x68);
NumberOfRVAandSizes = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x5c) : Utility.BytesToUInt32(buff, offset + 0x6c);
ImageDataDirectory = (is32Bit) ? new IMAGE_DATA_DIRECTORY(buff, offset + 0x60, is32Bit) : new IMAGE_DATA_DIRECTORY(buff, offset + 0x70, is32Bit);
}
public IMAGE_NT_HEADERS(byte [] buff, UInt32 offset)
{
Signature = Utility.BytesToUInt32(buff, offset);
ImageFileHeader = new IMAGE_FILE_HEADER(buff, offset + 0x4);
// Determine if the PE file is a x32 or x64 file.
bool is32Bit = (ImageFileHeader.Machine == 34404) ? false : true;
ImageOptionalHeader = new IMAGE_OPTIONAL_HEADER(buff, offset + 0x18, is32Bit);
}
public IMAGE_FILE_HEADER(byte [] buff, UInt32 offset)
{
Machine = Utility.BytesToUshort(buff, offset);
NumberOfSections = Utility.BytesToUshort(buff, offset + 2);
TimeDateStamp = Utility.BytesToUInt32(buff, offset + 4);
PointerToSymbolTable = Utility.BytesToUInt32(buff, offset + 8);
NumberOfSymbols = Utility.BytesToUInt32(buff, offset + 12);
SizeOfOptionalHeaders = Utility.BytesToUshort(buff, offset + 16);
Characteristics = Utility.BytesToUshort(buff, offset + 18);
}
public IMAGE_EXPORT_DIRECTORY(byte[] buff, UInt32 offset)
{
Characteristics = Utility.BytesToUInt32(buff, offset);
TimeDateStamp = Utility.BytesToUInt32(buff, offset + 4);
MajorVersion = Utility.BytesToUshort(buff, offset + 8);
MinorVersion = Utility.BytesToUshort(buff, offset + 0x0A);
Name = Utility.BytesToUInt32(buff, offset + 0x0C);
Base = Utility.BytesToUInt32(buff, offset + 0x10);
NumberOfFuncions = Utility.BytesToUInt32(buff, offset + 0x14);
NumberOfNames = Utility.BytesToUInt32(buff, offset + 0x18);
AddressOfFunctions = Utility.BytesToUInt32(buff, offset + 0x1C);
AddressOfNames = Utility.BytesToUInt32(buff, offset + 0x20);
AddressOfNameOrdinals = Utility.BytesToUInt32(buff, offset + 0x24);
}
public IMAGE_SECTION_HEADER(byte[] buff, UInt32 offset)
{
SectionHeaderName = new byte[8];
Array.Copy(buff, offset, SectionHeaderName, (UInt32)0, (UInt32)8);
VirtualSize = Utility.BytesToUInt32(buff, offset + 8);
VirutalAddress = Utility.BytesToUInt32(buff, offset + 12);
SizeOfRawData = Utility.BytesToUInt32(buff, offset + 16);
PointerToRawData = Utility.BytesToUInt32(buff, offset + 20);
PointerToRelocations = Utility.BytesToUInt32(buff, offset + 24);
PointerToLineNumbers = Utility.BytesToUInt32(buff, offset + 30);
NumberOfRelocations = Utility.BytesToUshort(buff, offset + 32);
NumberofLineNumbers = Utility.BytesToUshort(buff, offset + 34);
SectionFlags = Utility.BytesToUInt32(buff, offset + 38);
}
public IMAGE_IMPORT_DESCRIPTOR(byte[] buff, UInt32 offset, IMAGE_SECTION_HEADER[] sh)
{
OriginalFirstThunk = Utility.BytesToUInt32(buff, offset);
TimeDataStamp = Utility.BytesToUInt32(buff, offset + sizeof(UInt32));
ForwarderChain = Utility.BytesToUInt32(buff, offset + 2 * sizeof(UInt32));
Name = Utility.BytesToUInt32(buff, offset + 3 * sizeof(UInt32));
FirstThunk = Utility.BytesToUInt32(buff, offset + 4 * sizeof(UInt32));
try
{
// If no name can be resolved, break
NameResolved = Utility.GetName(Utility.RVAtoFileMapping(Name, sh), buff);
}
catch
{
NameResolved = null;
}
}
} // Offset to the PE signature (IMAGE_NT_HEADERS)
public IMAGE_DOS_HEADER(byte[] buff)
{
e_magic = Utility.BytesToUshort(buff, 0);
e_cblp = Utility.BytesToUshort(buff, 2);
e_cp = Utility.BytesToUshort(buff, 4);
e_crlc = Utility.BytesToUshort(buff, 6);
e_cparhdr = Utility.BytesToUshort(buff, 8);
e_minalloc = Utility.BytesToUshort(buff, 0xA);
e_maxalloc = Utility.BytesToUshort(buff, 0xC);
e_ss = Utility.BytesToUshort(buff, 0xE);
e_sp = Utility.BytesToUshort(buff, 0x10);
e_csum = Utility.BytesToUshort(buff, 0x12);
e_ip = Utility.BytesToUshort(buff, 0x14);
e_cs = Utility.BytesToUshort(buff, 0x16);
e_lfaric = Utility.BytesToUshort(buff, 0x18);
e_ovno = Utility.BytesToUshort(buff, 0x1A);
e_oemid = Utility.BytesToUshort(buff, 0x24);
e_oeminfo = Utility.BytesToUshort(buff, 0x26);
e_lfanew = Utility.BytesToUInt32(buff, 0x3C);
}
ExportFunction[] ParseExportedFunctions(byte[] buff, IMAGE_EXPORT_DIRECTORY ed, IMAGE_SECTION_HEADER[] sh)
{
var expFuncs = new ExportFunction[ed.NumberOfNames];
var funcOffsetPointer = Utility.RVAtoFileMapping(ed.AddressOfFunctions, sh);
var ordOffset = Utility.RVAtoFileMapping(ed.AddressOfNameOrdinals, sh);
var nameOffsetPointer = Utility.RVAtoFileMapping(ed.AddressOfNames, sh);
var funcOffset = Utility.BytesToUInt32(buff, funcOffsetPointer);
for (UInt32 i = 0; i < expFuncs.Length; i++)
{
var namePtr = Utility.BytesToUInt32(buff, nameOffsetPointer + sizeof(UInt32) * i);
var nameAdr = Utility.RVAtoFileMapping(namePtr, sh);
var name = Utility.GetName(nameAdr, buff);
var ordinalIndex = (UInt32)Utility.GetOrdinal(ordOffset + sizeof(UInt16) * i, buff);
var ordinal = ordinalIndex + ed.Base;
var address = Utility.BytesToUInt32(buff, funcOffsetPointer + sizeof(UInt32) * ordinalIndex);
expFuncs[i] = new ExportFunction(name, address, (UInt16)ordinal);
}
return(expFuncs);
}
