Example #1
0
        private static uint CalcChecksum(ExecutableImage pe, out uint checkSumPos)
        {
            const uint checksum_pos_in_optional_headers = 64;

            checkSumPos = (uint)pe.NTHeaders.OptionalHeader.Location.FileOffset + checksum_pos_in_optional_headers;

            uint fileSize = (uint)pe.GetBytes().Length;

            MemoryStream ms = new MemoryStream(pe.GetBytes());

            byte[] bytes4 = new byte[4];
            int    pos    = 0;

            ulong calcSum = 0;
            ulong top     = (ulong)0xFFFFFFFF + 1;

            while (ms.Read(bytes4, pos, 4) == 4)
            {
                uint dw = BitConverter.ToUInt32(bytes4, 0);

                if (ms.Position == checkSumPos + 4)
                {
                    continue;
                }

                calcSum = (calcSum & 0xFFFFFFFF) + dw + (calcSum >> 32);
                if (calcSum > top)
                {
                    calcSum = (calcSum & 0xFFFFFFFF) + (calcSum >> 32);
                }
            }

            calcSum = (calcSum & 0xffff) + (calcSum >> 16);
            calcSum = (calcSum) + (calcSum >> 16);
            calcSum = calcSum & 0xffff;

            calcSum += (uint)fileSize;

            return((uint)calcSum);
        }
Example #2
0
        public static Certificate Get(ExecutableImage image)
        {
            if (!image.NTHeaders.DataDirectories.Exists(DataDirectoryType.CertificateTable))
                return null;

            DataDirectory directory = image.NTHeaders.DataDirectories[DataDirectoryType.CertificateTable];

            if (DataDirectory.IsNullOrEmpty(directory))
                return null;

            Stream stream = directory.Directories.Image.GetStream();
            long file_offset = directory.VirtualAddress.ToInt64();

            stream.Seek(file_offset, SeekOrigin.Begin);

            ulong image_base = directory.Directories.Image.NTHeaders.OptionalHeader.ImageBase;
            Location location = new Location(directory.VirtualAddress, directory.VirtualAddress, image_base + directory.VirtualAddress, directory.Size, directory.Size);
            WIN_CERTIFICATE win_cert = Utils.Read<WIN_CERTIFICATE>(stream);
            Certificate cert = new Certificate(directory, location, win_cert);

            return cert;
        }
Example #3
0
File: CLR.cs Project: Workshell/pe
        public static CLRContent Get(ExecutableImage image)
        {
            if (!image.NTHeaders.DataDirectories.Exists(DataDirectoryType.CLRRuntimeHeader))
                return null;

            DataDirectory directory = image.NTHeaders.DataDirectories[DataDirectoryType.CLRRuntimeHeader];

            if (DataDirectory.IsNullOrEmpty(directory))
                return null;

            LocationCalculator calc = directory.Directories.Image.GetCalculator();
            Section section = calc.RVAToSection(directory.VirtualAddress);
            ulong file_offset = calc.RVAToOffset(section, directory.VirtualAddress);
            ulong image_base = directory.Directories.Image.NTHeaders.OptionalHeader.ImageBase;
            Location location = new Location(file_offset, directory.VirtualAddress, image_base + directory.VirtualAddress, directory.Size, directory.Size, section);
            CLRContent result = new CLRContent(directory, location);

            return result;
        }
Example #4
0
        public static ExportDirectory Get(ExecutableImage image)
        {
            if (!image.NTHeaders.DataDirectories.Exists(DataDirectoryType.ExportTable))
                return null;

            DataDirectory directory = image.NTHeaders.DataDirectories[DataDirectoryType.ExportTable];

            if (DataDirectory.IsNullOrEmpty(directory))
                return null;

            LocationCalculator calc = directory.Directories.Image.GetCalculator();
            uint rva = directory.VirtualAddress;
            ulong image_base = directory.Directories.Image.NTHeaders.OptionalHeader.ImageBase;
            ulong va = image_base + rva;
            Section section = calc.RVAToSection(rva);
            ulong offset = calc.RVAToOffset(section, rva);
            uint size = Utils.SizeOf<IMAGE_EXPORT_DIRECTORY>().ToUInt32();
            Location location = new Location(offset, rva, va, size, size, section);
            Stream stream = directory.Directories.Image.GetStream();

            stream.Seek(offset.ToInt64(), SeekOrigin.Begin);

            IMAGE_EXPORT_DIRECTORY export_directory = Utils.Read<IMAGE_EXPORT_DIRECTORY>(stream);
            ExportDirectory result = new ExportDirectory(directory, location, export_directory);

            return result;
        }
Example #5
0
        public static TLSDirectory Get(ExecutableImage image)
        {
            if (!image.NTHeaders.DataDirectories.Exists(DataDirectoryType.TLSTable))
                return null;

            DataDirectory directory = image.NTHeaders.DataDirectories[DataDirectoryType.TLSTable];

            if (DataDirectory.IsNullOrEmpty(directory))
                return null;

            LocationCalculator calc = directory.Directories.Image.GetCalculator();
            Section section = calc.RVAToSection(directory.VirtualAddress);
            ulong file_offset = calc.RVAToOffset(section, directory.VirtualAddress);
            ulong image_base = directory.Directories.Image.NTHeaders.OptionalHeader.ImageBase;
            Location location = new Location(file_offset, directory.VirtualAddress, image_base + directory.VirtualAddress, directory.Size, directory.Size, section);
            Stream stream = directory.Directories.Image.GetStream();

            stream.Seek(file_offset.ToInt64(), SeekOrigin.Begin);

            bool is_64bit = directory.Directories.Image.Is64Bit;
            TLSDirectory tls_directory;

            if (!is_64bit)
            {
                IMAGE_TLS_DIRECTORY32 tls_dir = Utils.Read<IMAGE_TLS_DIRECTORY32>(stream);

                tls_directory = new TLSDirectory32(directory, location, tls_dir);
            }
            else
            {
                IMAGE_TLS_DIRECTORY64 tls_dir = Utils.Read<IMAGE_TLS_DIRECTORY64>(stream);

                tls_directory = new TLSDirectory64(directory, location, tls_dir);
            }

            return tls_directory;
        }