/// <summary>
/// Decodes an IMAGE_OPTIONAL_HEADER from <paramref name="buff"/>, starting at
/// <paramref name="offset"/>, using either the 32-bit or the 64-bit field layout.
/// </summary>
/// <param name="buff">Buffer that holds the raw image bytes.</param>
/// <param name="offset">Index in <paramref name="buff"/> of the Magic field.</param>
/// <param name="is32Bit">
/// true reads the 32-bit layout (BaseOfData present, 4-byte ImageBase and stack/heap sizes);
/// false reads the 64-bit layout (no BaseOfData, 8-byte ImageBase and stack/heap sizes).
/// </param>
/// <remarks>
/// NOTE(review): the layout is chosen by the caller's flag, not by the Magic value read here,
/// so confirm the caller derives is32Bit from the file consistently.
/// NOTE(review): this constructor does no length check of its own; what happens when the
/// header runs past the end of buff depends on Utility, which is not visible here. Every value
/// stored is file-controlled and should be range-checked before it is used as a size or offset.
/// </remarks>
public IMAGE_OPTIONAL_HEADER(byte [] buff, UInt32 offset, bool is32Bit)
{
    // Leading fields sit at the same offsets in both layouts.
    Magic = Utility.BytesToUshort(buff, offset);
    MajorLinkerVersion = buff[offset + 2];
    MinorLinkerVersion = buff[offset + 3];
    SizeOfCode = Utility.BytesToUInt32(buff, offset + 4);
    SizeOfInitializedData = Utility.BytesToUInt32(buff, offset + 8);
    SizeOfUninitializedData = Utility.BytesToUInt32(buff, offset + 0xC);
    AddressOfEntryPoint = Utility.BytesToUInt32(buff, offset + 0x10);
    BaseOfCode = Utility.BytesToUInt32(buff, offset + 0x14);

    // 0x18..0x1F: BaseOfData + 4-byte ImageBase (32-bit) or one 8-byte ImageBase (64-bit).
    if (is32Bit)
    {
        BaseOfData = Utility.BytesToUInt32(buff, offset + 0x18);
        ImageBase = Utility.BytesToUInt32(buff, offset + 0x1c);
    }
    else
    {
        BaseOfData = 0;
        ImageBase = Utility.BytesToUInt64(buff, offset + 0x18);
    }

    // 0x20..0x47 is again common to both layouts.
    SectionAlignment = Utility.BytesToUInt32(buff, offset + 0x20);
    FileAlignment = Utility.BytesToUInt32(buff, offset + 0x24);
    MajorOSVersion = Utility.BytesToUshort(buff, offset + 0x28);
    MinorOSVersion = Utility.BytesToUshort(buff, offset + 0x2a);
    MajorImageVersion = Utility.BytesToUshort(buff, offset + 0x2c);
    MinorImageVersion = Utility.BytesToUshort(buff, offset + 0x2e);
    MajorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x30);
    MinorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x32);
    Win32VersionValue = Utility.BytesToUInt32(buff, offset + 0x34);
    SizeOfImage = Utility.BytesToUInt32(buff, offset + 0x38);
    SizeOfHeaders = Utility.BytesToUInt32(buff, offset + 0x3c);
    Checksum = Utility.BytesToUInt32(buff, offset + 0x40);
    Subsystem = Utility.BytesToUshort(buff, offset + 0x44);
    DllCharacteristics = Utility.BytesToUshort(buff, offset + 0x46);

    // From 0x48 on, the four stack/heap sizes are 4 bytes wide in the 32-bit layout and
    // 8 bytes wide in the 64-bit one, which shifts every later field.
    if (is32Bit)
    {
        SizeOfStackReverse = Utility.BytesToUInt32(buff, offset + 0x48);
        SizeOfStackCommit = Utility.BytesToUInt32(buff, offset + 0x4c);
        SizeOfHeapReverse = Utility.BytesToUInt32(buff, offset + 0x50);
        SizeOfHeapCommit = Utility.BytesToUInt32(buff, offset + 0x54);
        LoaderFlags = Utility.BytesToUInt32(buff, offset + 0x58);
        NumberOfRVAandSizes = Utility.BytesToUInt32(buff, offset + 0x5c);
        ImageDataDirectory = new IMAGE_DATA_DIRECTORY(buff, offset + 0x60, is32Bit);
    }
    else
    {
        SizeOfStackReverse = Utility.BytesToUInt64(buff, offset + 0x48);
        SizeOfStackCommit = Utility.BytesToUInt64(buff, offset + 0x50);
        SizeOfHeapReverse = Utility.BytesToUInt64(buff, offset + 0x58);
        SizeOfHeapCommit = Utility.BytesToUInt64(buff, offset + 0x60);
        LoaderFlags = Utility.BytesToUInt32(buff, offset + 0x68);
        NumberOfRVAandSizes = Utility.BytesToUInt32(buff, offset + 0x6c);
        ImageDataDirectory = new IMAGE_DATA_DIRECTORY(buff, offset + 0x70, is32Bit);
    }
}
/// <summary>
/// Decodes the seven IMAGE_FILE_HEADER fields (20 bytes in total) from
/// <paramref name="buff"/>, starting at <paramref name="offset"/>.
/// </summary>
/// <param name="buff">Buffer that holds the raw image bytes.</param>
/// <param name="offset">Index in <paramref name="buff"/> of the Machine field.</param>
/// <remarks>
/// NOTE(review): NumberOfSections and SizeOfOptionalHeaders come straight from the file and
/// are stored unchecked; callers that loop over sections or skip the optional header with
/// them should bound both against the buffer length first.
/// </remarks>
public IMAGE_FILE_HEADER(byte [] buff, UInt32 offset)
{
    // Walk the header with a running position instead of spelling out each offset.
    UInt32 cursor = offset;

    Machine = Utility.BytesToUshort(buff, cursor);
    cursor += 2;

    NumberOfSections = Utility.BytesToUshort(buff, cursor);
    cursor += 2;

    TimeDateStamp = Utility.BytesToUInt32(buff, cursor);
    cursor += 4;

    PointerToSymbolTable = Utility.BytesToUInt32(buff, cursor);
    cursor += 4;

    NumberOfSymbols = Utility.BytesToUInt32(buff, cursor);
    cursor += 4;

    SizeOfOptionalHeaders = Utility.BytesToUshort(buff, cursor);
    cursor += 2;

    Characteristics = Utility.BytesToUshort(buff, cursor);
}
/// <summary>
/// Decodes an IMAGE_EXPORT_DIRECTORY (40 bytes) from <paramref name="buff"/>,
/// starting at <paramref name="offset"/>.
/// </summary>
/// <param name="buff">Buffer that holds the raw image bytes.</param>
/// <param name="offset">Index in <paramref name="buff"/> of the Characteristics field.</param>
/// <remarks>
/// NOTE(review): in the PE export directory layout this mirrors, Name and the three
/// AddressOf* fields are RVAs rather than file offsets, and NumberOfFuncions / NumberOfNames
/// are file-controlled counts. They are stored here unconverted and unvalidated, so any table
/// walk that uses them needs its own bounds checks.
/// </remarks>
public IMAGE_EXPORT_DIRECTORY(byte[] buff, UInt32 offset)
{
    Characteristics = Utility.BytesToUInt32(buff, offset);
    TimeDateStamp = Utility.BytesToUInt32(buff, offset + 4);
    MajorVersion = Utility.BytesToUshort(buff, offset + 8);
    MinorVersion = Utility.BytesToUshort(buff, offset + 10);

    Name = Utility.BytesToUInt32(buff, offset + 12);
    Base = Utility.BytesToUInt32(buff, offset + 16);

    // Table sizes.
    NumberOfFuncions = Utility.BytesToUInt32(buff, offset + 20);
    NumberOfNames = Utility.BytesToUInt32(buff, offset + 24);

    // Table locations.
    AddressOfFunctions = Utility.BytesToUInt32(buff, offset + 28);
    AddressOfNames = Utility.BytesToUInt32(buff, offset + 32);
    AddressOfNameOrdinals = Utility.BytesToUInt32(buff, offset + 36);
}
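/// <summary>
/// Decodes one 40-byte IMAGE_SECTION_HEADER from <paramref name="buff"/>,
/// starting at <paramref name="offset"/>.
/// </summary>
/// <param name="buff">Buffer that holds the raw image bytes.</param>
/// <param name="offset">Index in <paramref name="buff"/> of the 8-byte section name.</param>
/// <remarks>
/// Field offsets follow the PE/COFF section header: Name 0, VirtualSize 8, VirtualAddress 12,
/// SizeOfRawData 16, PointerToRawData 20, PointerToRelocations 24, PointerToLinenumbers 28,
/// NumberOfRelocations 32, NumberOfLinenumbers 34, Characteristics 36.
/// NOTE(review): SizeOfRawData, PointerToRawData and VirtualSize are file-controlled and are
/// stored unchecked; validate them against the buffer length before slicing section data.
/// </remarks>
public IMAGE_SECTION_HEADER(byte[] buff, UInt32 offset)
{
    // The name is a fixed 8-byte field; it is copied raw, with no terminator handling.
    SectionHeaderName = new byte[8];
    Array.Copy(buff, offset, SectionHeaderName, (UInt32)0, (UInt32)8);

    VirtualSize = Utility.BytesToUInt32(buff, offset + 8);
    VirutalAddress = Utility.BytesToUInt32(buff, offset + 12);
    SizeOfRawData = Utility.BytesToUInt32(buff, offset + 16);
    PointerToRawData = Utility.BytesToUInt32(buff, offset + 20);
    PointerToRelocations = Utility.BytesToUInt32(buff, offset + 24);

    // Offset 28, directly after PointerToRelocations: a 4-byte read at 30 would overlap
    // NumberOfRelocations, which is read from offset 32 below.
    PointerToLineNumbers = Utility.BytesToUInt32(buff, offset + 28);
    NumberOfRelocations = Utility.BytesToUshort(buff, offset + 32);
    NumberofLineNumbers = Utility.BytesToUshort(buff, offset + 34);

    // Offset 36, the last four bytes of the header: a read at 38 would return half of the
    // flags plus two bytes of whatever follows the header, so the section permission bits
    // (read/write/execute) would be wrong.
    SectionFlags = Utility.BytesToUInt32(buff, offset + 36);
}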
} // Offset to the PE signature (IMAGE_NT_HEADERS)

/// <summary>
/// Decodes the IMAGE_DOS_HEADER fields from the start of <paramref name="buff"/>.
/// </summary>
/// <param name="buff">Buffer that holds the raw image bytes; the header is read from index 0.</param>
/// <remarks>
/// NOTE(review): the last read covers bytes 0x3C..0x3F, but nothing here checks that buff is
/// at least 0x40 bytes long; the outcome for a shorter buffer depends on Utility, which is not
/// visible here. e_magic is stored, not verified.
/// </remarks>
public IMAGE_DOS_HEADER(byte[] buff)
{
    e_magic = Utility.BytesToUshort(buff, 0x00);
    e_cblp = Utility.BytesToUshort(buff, 0x02);
    e_cp = Utility.BytesToUshort(buff, 0x04);
    e_crlc = Utility.BytesToUshort(buff, 0x06);
    e_cparhdr = Utility.BytesToUshort(buff, 0x08);
    e_minalloc = Utility.BytesToUshort(buff, 0x0A);
    e_maxalloc = Utility.BytesToUshort(buff, 0x0C);
    e_ss = Utility.BytesToUshort(buff, 0x0E);
    e_sp = Utility.BytesToUshort(buff, 0x10);
    e_csum = Utility.BytesToUshort(buff, 0x12);
    e_ip = Utility.BytesToUshort(buff, 0x14);
    e_cs = Utility.BytesToUshort(buff, 0x16);
    e_lfaric = Utility.BytesToUshort(buff, 0x18);
    e_ovno = Utility.BytesToUshort(buff, 0x1A);

    // Bytes 0x1C..0x23 are not read.
    e_oemid = Utility.BytesToUshort(buff, 0x24);
    e_oeminfo = Utility.BytesToUshort(buff, 0x26);

    // Bytes 0x28..0x3B are not read.
    // e_lfanew is the file-controlled offset to the PE signature; callers should check it
    // against buff.Length before using it to locate the next header.
    e_lfanew = Utility.BytesToUInt32(buff, 0x3C);
}