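/// <summary>
/// Computes the PE optional-header checksum over the raw bytes of <paramref name="pe"/>.
/// </summary>
/// <remarks>
/// The file is summed as 32-bit words with end-around carry, the word holding the stored
/// CheckSum field is left out, the total is folded to 16 bits and the file length is added.
/// This is a simple additive checksum, not a cryptographic integrity check: it catches
/// accidental corruption but anyone who modifies the file can recompute it.
/// </remarks>
/// <param name="pe">Image whose bytes are summed.</param>
/// <param name="checkSumPos">
/// Receives the file offset of the CheckSum field (optional-header file offset + 64).
/// </param>
/// <returns>The computed checksum value.</returns>
private static uint CalcChecksum(ExecutableImage pe, out uint checkSumPos)
{
    // CheckSum sits 64 bytes into the optional header (same offset for PE32 and PE32+).
    const uint checksum_pos_in_optional_headers = 64;

    checkSumPos = (uint)pe.NTHeaders.OptionalHeader.Location.FileOffset + checksum_pos_in_optional_headers;

    // Fetch the bytes once and index them directly; the original called GetBytes() twice
    // and wrapped the second copy in a MemoryStream that was never disposed.
    byte[] data = pe.GetBytes();
    uint fileSize = (uint)data.Length;

    ulong calcSum = 0;
    ulong top = (ulong)0xFFFFFFFF + 1;
    byte[] tail = new byte[4];

    // NOTE(review): the skip test below only fires when checkSumPos is a multiple of 4,
    // because the walk starts at 0 and advances in 4-byte steps - confirm for odd header offsets.
    // BitConverter reads in host byte order, so this assumes a little-endian host.
    for (int offset = 0; offset < data.Length; offset += 4)
    {
        if (offset == checkSumPos)
        {
            // The stored checksum must not contribute to its own value.
            continue;
        }

        uint dw;
        int available = data.Length - offset;
        if (available >= 4)
        {
            dw = BitConverter.ToUInt32(data, offset);
        }
        else
        {
            // Files whose length is not a multiple of 4 (for example with appended data)
            // previously lost their last 1-3 bytes; zero-pad them into a final word instead.
            Array.Clear(tail, 0, tail.Length);
            Array.Copy(data, offset, tail, 0, available);
            dw = BitConverter.ToUInt32(tail, 0);
        }

        // Add the word plus any carry left above bit 31 from the previous step.
        calcSum = (calcSum & 0xFFFFFFFF) + dw + (calcSum >> 32);
        if (calcSum > top)
        {
            calcSum = (calcSum & 0xFFFFFFFF) + (calcSum >> 32);
        }
    }

    // Fold the running sum down to 16 bits, carrying the overflow back in.
    calcSum = (calcSum & 0xffff) + (calcSum >> 16);
    calcSum = calcSum + (calcSum >> 16);
    calcSum = calcSum & 0xffff;

    calcSum += fileSize;
    return (uint)calcSum;
}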
/// <summary>
/// Reads the WIN_CERTIFICATE structure at the start of the image's attribute-certificate table.
/// </summary>
/// <remarks>
/// Only the structure is read; nothing here validates a signature or walks further entries.
/// </remarks>
/// <param name="image">Image whose CertificateTable data directory is consulted.</param>
/// <returns>
/// A <see cref="Certificate"/> for the table, or <c>null</c> when the directory entry is
/// missing or empty.
/// </returns>
public static Certificate Get(ExecutableImage image)
{
    var directories = image.NTHeaders.DataDirectories;
    if (!directories.Exists(DataDirectoryType.CertificateTable))
    {
        return null;
    }

    DataDirectory certEntry = directories[DataDirectoryType.CertificateTable];
    if (DataDirectory.IsNullOrEmpty(certEntry))
    {
        return null;
    }

    var owner = certEntry.Directories.Image;
    Stream source = owner.GetStream();

    // For the certificate table the PE format stores a raw file offset in the address
    // field, so the value is used for seeking directly, with no RVA-to-offset mapping.
    // NOTE(review): the offset and size come straight from the file's header; what
    // Utils.Read does when the offset lies past the end of the stream is not visible
    // here - confirm truncated or malformed files are handled.
    var tableOffset = certEntry.VirtualAddress;
    var tableSize = certEntry.Size;
    long seekTarget = tableOffset.ToInt64();
    source.Seek(seekTarget, SeekOrigin.Begin);

    // NOTE(review): the same number is also passed in what look like the RVA and VA
    // slots of Location, although certificate data is not mapped into memory - confirm
    // consumers do not treat those fields as addresses.
    ulong imageBase = owner.NTHeaders.OptionalHeader.ImageBase;
    Location tableLocation = new Location(tableOffset, tableOffset, imageBase + tableOffset, tableSize, tableSize);

    return new Certificate(certEntry, tableLocation, Utils.Read<WIN_CERTIFICATE>(source));
}
/// <summary>
/// Locates the CLR runtime header data directory of an image and wraps it in a
/// <see cref="CLRContent"/>.
/// </summary>
/// <remarks>
/// This method only computes where the directory lives (file offset, RVA, VA, size and
/// section); it does not read the header bytes.
/// </remarks>
/// <param name="image">Image whose CLRRuntimeHeader data directory is consulted.</param>
/// <returns>
/// The located content, or <c>null</c> when the directory entry is missing or empty.
/// </returns>
public static CLRContent Get(ExecutableImage image)
{
    var directories = image.NTHeaders.DataDirectories;
    if (!directories.Exists(DataDirectoryType.CLRRuntimeHeader))
    {
        return null;
    }

    DataDirectory clrEntry = directories[DataDirectoryType.CLRRuntimeHeader];
    if (DataDirectory.IsNullOrEmpty(clrEntry))
    {
        return null;
    }

    var owner = clrEntry.Directories.Image;
    var rva = clrEntry.VirtualAddress;
    var declaredSize = clrEntry.Size;

    // NOTE(review): the RVA is taken from the file's header as-is; what RVAToSection
    // returns for an RVA outside every section is not visible here - confirm malformed
    // images are handled.
    LocationCalculator mapper = owner.GetCalculator();
    Section home = mapper.RVAToSection(rva);
    ulong rawOffset = mapper.RVAToOffset(home, rva);

    ulong imageBase = owner.NTHeaders.OptionalHeader.ImageBase;
    Location clrLocation = new Location(rawOffset, rva, imageBase + rva, declaredSize, declaredSize, home);

    return new CLRContent(clrEntry, clrLocation);
}
/// <summary>
/// Reads the IMAGE_EXPORT_DIRECTORY structure referenced by the image's export table
/// data directory.
/// </summary>
/// <remarks>
/// The returned location is sized to the IMAGE_EXPORT_DIRECTORY structure itself, not to
/// the size declared in the data directory.
/// </remarks>
/// <param name="image">Image whose ExportTable data directory is consulted.</param>
/// <returns>
/// The parsed export directory, or <c>null</c> when the directory entry is missing or empty.
/// </returns>
public static ExportDirectory Get(ExecutableImage image)
{
    var directories = image.NTHeaders.DataDirectories;
    if (!directories.Exists(DataDirectoryType.ExportTable))
    {
        return null;
    }

    DataDirectory exportEntry = directories[DataDirectoryType.ExportTable];
    if (DataDirectory.IsNullOrEmpty(exportEntry))
    {
        return null;
    }

    var owner = exportEntry.Directories.Image;
    LocationCalculator mapper = owner.GetCalculator();

    uint tableRva = exportEntry.VirtualAddress;
    ulong imageBase = owner.NTHeaders.OptionalHeader.ImageBase;
    ulong tableVa = imageBase + tableRva;

    // NOTE(review): the RVA is taken from the file's header as-is; what RVAToSection
    // returns for an RVA outside every section is not visible here - confirm malformed
    // images are handled before the seek and read below.
    Section home = mapper.RVAToSection(tableRva);
    ulong rawOffset = mapper.RVAToOffset(home, tableRva);

    uint structSize = Utils.SizeOf<IMAGE_EXPORT_DIRECTORY>().ToUInt32();
    Location tableLocation = new Location(rawOffset, tableRva, tableVa, structSize, structSize, home);

    Stream source = owner.GetStream();
    source.Seek(rawOffset.ToInt64(), SeekOrigin.Begin);

    return new ExportDirectory(exportEntry, tableLocation, Utils.Read<IMAGE_EXPORT_DIRECTORY>(source));
}
/// <summary>
/// Reads the TLS directory structure referenced by the image's TLS table data directory,
/// choosing the 32-bit or 64-bit layout from the image's bitness.
/// </summary>
/// <remarks>
/// The returned location uses the size declared in the data directory, while the bytes
/// actually read are one fixed-size IMAGE_TLS_DIRECTORY32 or IMAGE_TLS_DIRECTORY64.
/// </remarks>
/// <param name="image">Image whose TLSTable data directory is consulted.</param>
/// <returns>
/// A <see cref="TLSDirectory32"/> or <see cref="TLSDirectory64"/>, or <c>null</c> when the
/// directory entry is missing or empty.
/// </returns>
public static TLSDirectory Get(ExecutableImage image)
{
    var directories = image.NTHeaders.DataDirectories;
    if (!directories.Exists(DataDirectoryType.TLSTable))
    {
        return null;
    }

    DataDirectory tlsEntry = directories[DataDirectoryType.TLSTable];
    if (DataDirectory.IsNullOrEmpty(tlsEntry))
    {
        return null;
    }

    var owner = tlsEntry.Directories.Image;
    var rva = tlsEntry.VirtualAddress;
    var declaredSize = tlsEntry.Size;

    // NOTE(review): the RVA is taken from the file's header as-is; what RVAToSection
    // returns for an RVA outside every section is not visible here - confirm malformed
    // images are handled before the seek and read below.
    LocationCalculator mapper = owner.GetCalculator();
    Section home = mapper.RVAToSection(rva);
    ulong rawOffset = mapper.RVAToOffset(home, rva);

    ulong imageBase = owner.NTHeaders.OptionalHeader.ImageBase;
    Location tlsLocation = new Location(rawOffset, rva, imageBase + rva, declaredSize, declaredSize, home);

    Stream source = owner.GetStream();
    source.Seek(rawOffset.ToInt64(), SeekOrigin.Begin);

    // The on-disk structure differs between PE32 and PE32+, so pick the matching layout.
    if (owner.Is64Bit)
    {
        IMAGE_TLS_DIRECTORY64 raw64 = Utils.Read<IMAGE_TLS_DIRECTORY64>(source);
        return new TLSDirectory64(tlsEntry, tlsLocation, raw64);
    }

    IMAGE_TLS_DIRECTORY32 raw32 = Utils.Read<IMAGE_TLS_DIRECTORY32>(source);
    return new TLSDirectory32(tlsEntry, tlsLocation, raw32);
}