Example #1
        /// <summary>
        /// Creates the hex-field view models for a PE section header whose first byte
        /// is at <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="owner">Forwarded unchanged to the base constructor.</param>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the Name field; all other fields sit at fixed deltas from it.</param>
        /// <remarks>
        /// This constructor validates nothing: the fields expose whatever bytes the file holds.
        /// When triaging an untrusted image, treat combinations such as MEM_WRITE together with
        /// MEM_EXECUTE as something to look at rather than something the viewer has vetted.
        /// </remarks>
        public ImageSectionHeaderVM(object owner, HexDocument doc, ulong startOffset)
            : base(owner)
        {
            // Name is a fixed 8-byte slot decoded as UTF-8.
            nameVM                 = new StringHexField(doc, Name, "Name", startOffset, Encoding.UTF8, 8);
            virtualSizeVM          = new UInt32HexField(doc, Name, "VirtualSize", startOffset + 0x08);
            virtualAddressVM       = new UInt32HexField(doc, Name, "VirtualAddress", startOffset + 0x0C);
            sizeOfRawDataVM        = new UInt32HexField(doc, Name, "SizeOfRawData", startOffset + 0x10);
            pointerToRawDataVM     = new UInt32HexField(doc, Name, "PointerToRawData", startOffset + 0x14);
            pointerToRelocationsVM = new UInt32HexField(doc, Name, "PointerToRelocations", startOffset + 0x18);
            pointerToLinenumbersVM = new UInt32HexField(doc, Name, "PointerToLinenumbers", startOffset + 0x1C);
            numberOfRelocationsVM  = new UInt16HexField(doc, Name, "NumberOfRelocations", startOffset + 0x20);
            numberOfLinenumbersVM  = new UInt16HexField(doc, Name, "NumberOfLinenumbers", startOffset + 0x22);
            characteristicsVM      = new UInt32FlagsHexField(doc, Name, "Characteristics", startOffset + 0x24);

            // Single-bit flags for bits 0..19; the array index is the bit number.
            string[] lowFlagNames = {
                "TYPE_DSECT", "TYPE_NOLOAD", "TYPE_GROUP", "TYPE_NO_PAD", "TYPE_COPY",
                "CNT_CODE", "CNT_INITIALIZED_DATA", "CNT_UNINITIALIZED_DATA",
                "LNK_OTHER", "LNK_INFO", "TYPE_OVER", "LNK_REMOVE", "LNK_COMDAT",
                "RESERVED", "NO_DEFER_SPEC_EXC", "GPREL",
                "MEM_SYSHEAP", "MEM_PURGEABLE", "MEM_LOCKED", "MEM_PRELOAD",
            };
            for (int bit = 0; bit < lowFlagNames.Length; bit++)
            {
                characteristicsVM.Add(new BooleanHexBitField(lowFlagNames[bit], bit));
            }

            // Bits 20..23 form one 4-bit integer field rather than four booleans.
            characteristicsVM.Add(new IntegerHexBitField("Alignment", 20, 4, AlignInfos));

            // Single-bit flags for bits 24..31.
            string[] highFlagNames = {
                "LNK_NRELOC_OVFL", "MEM_DISCARDABLE", "MEM_NOT_CACHED", "MEM_NOT_PAGED",
                "MEM_SHARED", "MEM_EXECUTE", "MEM_READ", "MEM_WRITE",
            };
            for (int i = 0; i < highFlagNames.Length; i++)
            {
                characteristicsVM.Add(new BooleanHexBitField(highFlagNames[i], 24 + i));
            }

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                nameVM,
                virtualSizeVM,
                virtualAddressVM,
                sizeOfRawDataVM,
                pointerToRawDataVM,
                pointerToRelocationsVM,
                pointerToLinenumbersVM,
                numberOfRelocationsVM,
                numberOfLinenumbersVM,
                characteristicsVM,
            };
        }
Example #2
        /// <summary>
        /// Creates the hex-field view models for a PE section header that starts at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the Name field; the remaining fields are at fixed deltas from it.</param>
        /// <remarks>
        /// Nothing is validated here; the fields mirror the raw file bytes. A section that is
        /// flagged both MEM_WRITE and MEM_EXECUTE is displayed like any other, so the reader
        /// has to judge such combinations when inspecting an untrusted image.
        /// </remarks>
        public ImageSectionHeaderVM(HexDocument doc, ulong startOffset)
        {
            // Name occupies a fixed 8-byte slot and is decoded as UTF-8.
            nameVM = new StringHexField(doc, Name, "Name", startOffset, Encoding.UTF8, 8);
            virtualSizeVM = new UInt32HexField(doc, Name, "VirtualSize", startOffset + 0x08);
            virtualAddressVM = new UInt32HexField(doc, Name, "VirtualAddress", startOffset + 0x0C);
            sizeOfRawDataVM = new UInt32HexField(doc, Name, "SizeOfRawData", startOffset + 0x10);
            pointerToRawDataVM = new UInt32HexField(doc, Name, "PointerToRawData", startOffset + 0x14);
            pointerToRelocationsVM = new UInt32HexField(doc, Name, "PointerToRelocations", startOffset + 0x18);
            pointerToLinenumbersVM = new UInt32HexField(doc, Name, "PointerToLinenumbers", startOffset + 0x1C);
            numberOfRelocationsVM = new UInt16HexField(doc, Name, "NumberOfRelocations", startOffset + 0x20);
            numberOfLinenumbersVM = new UInt16HexField(doc, Name, "NumberOfLinenumbers", startOffset + 0x22);
            characteristicsVM = new UInt32FlagsHexField(doc, Name, "Characteristics", startOffset + 0x24);

            // Boolean flags below the alignment nibble: index == bit number (0..19).
            string[] flagsBelowAlignment = {
                "TYPE_DSECT", "TYPE_NOLOAD", "TYPE_GROUP", "TYPE_NO_PAD", "TYPE_COPY",
                "CNT_CODE", "CNT_INITIALIZED_DATA", "CNT_UNINITIALIZED_DATA",
                "LNK_OTHER", "LNK_INFO", "TYPE_OVER", "LNK_REMOVE", "LNK_COMDAT",
                "RESERVED", "NO_DEFER_SPEC_EXC", "GPREL",
                "MEM_SYSHEAP", "MEM_PURGEABLE", "MEM_LOCKED", "MEM_PRELOAD",
            };
            int bitNumber = 0;
            foreach (string flagName in flagsBelowAlignment)
            {
                characteristicsVM.Add(new BooleanHexBitField(flagName, bitNumber));
                bitNumber++;
            }

            // Bits 20..23 are a single 4-bit integer field.
            characteristicsVM.Add(new IntegerHexBitField("Alignment", 20, 4, AlignInfos));

            // Boolean flags above the alignment nibble: bits 24..31.
            string[] flagsAboveAlignment = {
                "LNK_NRELOC_OVFL", "MEM_DISCARDABLE", "MEM_NOT_CACHED", "MEM_NOT_PAGED",
                "MEM_SHARED", "MEM_EXECUTE", "MEM_READ", "MEM_WRITE",
            };
            bitNumber = 24;
            foreach (string flagName in flagsAboveAlignment)
            {
                characteristicsVM.Add(new BooleanHexBitField(flagName, bitNumber));
                bitNumber++;
            }

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                nameVM,
                virtualSizeVM,
                virtualAddressVM,
                sizeOfRawDataVM,
                pointerToRawDataVM,
                pointerToRelocationsVM,
                pointerToLinenumbersVM,
                numberOfRelocationsVM,
                numberOfLinenumbersVM,
                characteristicsVM,
            };
        }
Example #3
        /// <summary>
        /// Creates the hex-field view models for the metadata tables stream header described
        /// by <paramref name="tblStream"/>, including one row-count field per table slot.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="tblStream">Parsed tables stream; supplies StartOffset, ValidMask, HasExtraData and MDTables.</param>
        /// <remarks>
        /// ValidMask and HasExtraData come from the parsed file and drive the layout computed
        /// here. The only consistency check is a Debug.Assert, which release builds omit.
        /// </remarks>
        public TablesStreamVM(HexDocument doc, TablesStream tblStream)
        {
            ulong baseOffset = (ulong)tblStream.StartOffset;

            m_ulReservedVM = new UInt32HexField(doc, Name, "m_ulReserved", baseOffset);
            m_majorVM = new ByteHexField(doc, Name, "m_major", baseOffset + 4, true);
            m_minorVM = new ByteHexField(doc, Name, "m_minor", baseOffset + 5, true);

            // m_heaps is one byte of boolean flags; the array index is the bit number.
            m_heapsVM = new ByteFlagsHexField(doc, Name, "m_heaps", baseOffset + 6);
            string[] heapFlagNames = {
                "BigStrings", "BigGUID", "BigBlob", "Padding",
                "Reserved", "DeltaOnly", "ExtraData", "HasDelete",
            };
            for (int bit = 0; bit < heapFlagNames.Length; bit++) {
                m_heapsVM.Add(new BooleanHexBitField(heapFlagNames[bit], bit));
            }

            m_ridVM = new ByteHexField(doc, Name, "m_rid", baseOffset + 7);
            m_maskvalidVM = new UInt64FlagsHexField(doc, Name, "m_maskvalid", baseOffset + 8);
            AddTableFlags(m_maskvalidVM);
            m_sortedVM = new UInt64FlagsHexField(doc, Name, "m_sorted", baseOffset + 0x10);
            AddTableFlags(m_sortedVM);

            var fields = new List<HexField>();
            fields.Add(m_ulReservedVM);
            fields.Add(m_majorVM);
            fields.Add(m_minorVM);
            fields.Add(m_heapsVM);
            fields.Add(m_ridVM);
            fields.Add(m_maskvalidVM);
            fields.Add(m_sortedVM);

            // One row-count field per possible table (64 slots). Only tables whose bit is set in
            // ValidMask occupy 4 bytes in the file, so the cursor advances for those alone; an
            // absent table still gets a (hidden) field created at the current cursor position.
            rowsVM = new UInt32HexField[64];
            ulong validMask = tblStream.ValidMask;
            ulong cursor = baseOffset + 0x18;
            for (int table = 0; table < rowsVM.Length; table++, validMask >>= 1) {
                var rowField = new UInt32HexField(doc, Name, string.Format("rows[{0:X2}]", table), cursor);
                rowsVM[table] = rowField;

                bool isPresent = (validMask & 1) != 0;
                if (!isPresent) {
                    rowField.IsVisible = false;
                    continue;
                }

                fields.Add(rowField);
                cursor += 4;
            }

            // m_ulExtra is always created right after the last present row count, but it is only
            // shown and listed when the stream reports extra data.
            m_ulExtraVM = new UInt32HexField(doc, Name, "m_ulExtra", cursor);
            m_ulExtraVM.IsVisible = tblStream.HasExtraData;
            if (tblStream.HasExtraData) {
                fields.Add(m_ulExtraVM);
            }

            // NOTE(review): cursor is not advanced past m_ulExtra, so this equality looks like it
            // can only hold when HasExtraData is false — confirm how MDTables[0].StartOffset is
            // computed. Debug.Assert is compiled out of release builds, so it is not a guard
            // against malformed input.
            Debug.Assert(cursor == (ulong)tblStream.MDTables[0].StartOffset);

            hexFields = fields.ToArray();
        }
Example #4
        /// <summary>
        /// Creates the hex-field view models for one storage stream header entry:
        /// two 32-bit values followed by an ASCII name.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the iOffset field.</param>
        /// <param name="stringLen">Length handed to the rcName string field.</param>
        /// <remarks>
        /// NOTE(review): stringLen is passed through as given; presumably the caller derives it
        /// from the file — confirm it is range-checked there or inside StringHexField.
        /// </remarks>
        public StorageStreamVM(HexDocument doc, ulong startOffset, int stringLen)
        {
            iOffsetVM = new UInt32HexField(doc, Name, "iOffset", startOffset);
            iSizeVM = new UInt32HexField(doc, Name, "iSize", startOffset + 0x04);
            rcNameVM = new StringHexField(doc, Name, "rcName", startOffset + 0x08, Encoding.ASCII, stringLen);

            // Field order follows the on-disk layout.
            hexFields = new HexField[] { iOffsetVM, iSizeVM, rcNameVM };
        }
Example #5
        /// <summary>
        /// Creates the view models for a storage stream header entry (iOffset, iSize and
        /// the ASCII stream name rcName) located at <paramref name="startOffset"/>.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the first field, iOffset.</param>
        /// <param name="stringLen">Length handed to the rcName string field.</param>
        /// <remarks>
        /// NOTE(review): no bounds check is applied to stringLen in this constructor; verify
        /// that the caller or StringHexField rejects negative or oversized values.
        /// </remarks>
        public StorageStreamVM(HexDocument doc, ulong startOffset, int stringLen)
        {
            ulong nameOffset = startOffset + 8;

            iOffsetVM = new UInt32HexField(doc, Name, "iOffset", startOffset);
            iSizeVM = new UInt32HexField(doc, Name, "iSize", startOffset + 4);
            rcNameVM = new StringHexField(doc, Name, "rcName", nameOffset, Encoding.ASCII, stringLen);

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                iOffsetVM,
                iSizeVM,
                rcNameVM,
            };
        }
        /// <summary>
        /// Creates the field view models that exist only in the 32-bit optional header and
        /// builds the complete, ordered field list for it.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the optional header.</param>
        /// <param name="endOffset">End offset, forwarded to the base constructor and to AddDataDirs.</param>
        /// <remarks>
        /// The base constructor receives 0x20 and 0x58 as its two extra offset arguments.
        /// Header values are shown as stored in the file; nothing here validates them.
        /// </remarks>
        public ImageOptionalHeader32VM(HexDocument doc, ulong startOffset, ulong endOffset)
            : base(doc, startOffset, endOffset, 0x20, 0x58)
        {
            // 32-bit-only fields: BaseOfData plus a 32-bit ImageBase.
            baseOfDataVM = new UInt32HexField(doc, Name, "BaseOfData", startOffset + 0x18);
            imageBaseVM  = new UInt32HexField(doc, Name, "ImageBase", startOffset + 0x1C);

            // Stack/heap sizes are 32 bits wide in this header variant.
            sizeOfStackReserveVM = new UInt32HexField(doc, Name, "SizeOfStackReserve", startOffset + 0x48);
            sizeOfStackCommitVM  = new UInt32HexField(doc, Name, "SizeOfStackCommit", startOffset + 0x4C);
            sizeOfHeapReserveVM  = new UInt32HexField(doc, Name, "SizeOfHeapReserve", startOffset + 0x50);
            sizeOfHeapCommitVM   = new UInt32HexField(doc, Name, "SizeOfHeapCommit", startOffset + 0x54);

            // The list goes through the properties, in on-disk order.
            var fields = new List<HexField>(new HexField[]
            {
                MagicVM,
                MajorLinkerVersionVM,
                MinorLinkerVersionVM,
                SizeOfCodeVM,
                SizeOfInitializedDataVM,
                SizeOfUninitializedDataVM,
                AddressOfEntryPointVM,
                BaseOfCodeVM,
                BaseOfDataVM,
                ImageBaseVM,
                SectionAlignmentVM,
                FileAlignmentVM,
                MajorOperatingSystemVersionVM,
                MinorOperatingSystemVersionVM,
                MajorImageVersionVM,
                MinorImageVersionVM,
                MajorSubsystemVersionVM,
                MinorSubsystemVersionVM,
                Win32VersionValueVM,
                SizeOfImageVM,
                SizeOfHeadersVM,
                CheckSumVM,
                SubsystemVM,
                DllCharacteristicsVM,
                SizeOfStackReserveVM,
                SizeOfStackCommitVM,
                SizeOfHeapReserveVM,
                SizeOfHeapCommitVM,
                LoaderFlagsVM,
                NumberOfRvaAndSizesVM,
            });

            // AddDataDirs is given the list and the end offset; it is defined outside this constructor.
            AddDataDirs(fields, endOffset);
        }
        /// <summary>
        /// Sets up the 32-bit optional header view model: creates the fields unique to the
        /// 32-bit layout and collects all header fields in file order.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the optional header.</param>
        /// <param name="endOffset">End offset, forwarded to the base constructor and to AddDataDirs.</param>
        /// <remarks>
        /// 0x20 and 0x58 are passed to the base constructor as its two extra offset arguments.
        /// The values displayed are the raw file contents; this constructor checks none of them.
        /// </remarks>
        public ImageOptionalHeader32VM(HexDocument doc, ulong startOffset, ulong endOffset)
            : base(doc, startOffset, endOffset, 0x20, 0x58)
        {
            // Fields that only the 32-bit header has at these positions.
            baseOfDataVM = new UInt32HexField(doc, Name, "BaseOfData", startOffset + 0x18);
            imageBaseVM = new UInt32HexField(doc, Name, "ImageBase", startOffset + 0x1C);

            // 32-bit wide stack and heap reserve/commit sizes.
            sizeOfStackReserveVM = new UInt32HexField(doc, Name, "SizeOfStackReserve", startOffset + 0x48);
            sizeOfStackCommitVM = new UInt32HexField(doc, Name, "SizeOfStackCommit", startOffset + 0x4C);
            sizeOfHeapReserveVM = new UInt32HexField(doc, Name, "SizeOfHeapReserve", startOffset + 0x50);
            sizeOfHeapCommitVM = new UInt32HexField(doc, Name, "SizeOfHeapCommit", startOffset + 0x54);

            // Collected through the properties, in on-disk order.
            var headerFields = new List<HexField>();
            headerFields.AddRange(new HexField[]
            {
                MagicVM,
                MajorLinkerVersionVM,
                MinorLinkerVersionVM,
                SizeOfCodeVM,
                SizeOfInitializedDataVM,
                SizeOfUninitializedDataVM,
                AddressOfEntryPointVM,
                BaseOfCodeVM,
                BaseOfDataVM,
                ImageBaseVM,
                SectionAlignmentVM,
                FileAlignmentVM,
                MajorOperatingSystemVersionVM,
                MinorOperatingSystemVersionVM,
                MajorImageVersionVM,
                MinorImageVersionVM,
                MajorSubsystemVersionVM,
                MinorSubsystemVersionVM,
                Win32VersionValueVM,
                SizeOfImageVM,
                SizeOfHeadersVM,
                CheckSumVM,
                SubsystemVM,
                DllCharacteristicsVM,
                SizeOfStackReserveVM,
                SizeOfStackCommitVM,
                SizeOfHeapReserveVM,
                SizeOfHeapCommitVM,
                LoaderFlagsVM,
                NumberOfRvaAndSizesVM,
            });

            // AddDataDirs is given the list and the end offset; it is defined outside this constructor.
            AddDataDirs(headerFields, endOffset);
        }
Example #8
        /// <summary>
        /// Creates the hex-field view models for the CLR (COR20) header located at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="owner">Forwarded unchanged to the base constructor.</param>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the cb field.</param>
        /// <remarks>
        /// The flag fields only reflect header bits. "Strong Name Signed" being set says the
        /// header claims a signature; it is not evidence that a valid signature is present.
        /// </remarks>
        public ImageCor20HeaderVM(object owner, HexDocument doc, ulong startOffset)
            : base(owner)
        {
            cbVM                  = new UInt32HexField(doc, Name, "cb", startOffset);
            majorRuntimeVersionVM = new UInt16HexField(doc, Name, "MajorRuntimeVersion", startOffset + 0x04, true);
            minorRuntimeVersionVM = new UInt16HexField(doc, Name, "MinorRuntimeVersion", startOffset + 0x06, true);
            metaDataVM            = new DataDirVM(doc, Name, "MetaData", startOffset + 0x08);

            flagsVM = new UInt32FlagsHexField(doc, Name, "Flags", startOffset + 0x10);
            // Bits 0..4 are contiguous; the array index is the bit number.
            string[] lowFlagNames = {
                "IL Only", "32-Bit Required", "IL Library", "Strong Name Signed", "Native EntryPoint",
            };
            for (int bit = 0; bit < lowFlagNames.Length; bit++)
            {
                flagsVM.Add(new BooleanHexBitField(lowFlagNames[bit], bit));
            }
            // The remaining two flags sit at bits 16 and 17.
            flagsVM.Add(new BooleanHexBitField("Track Debug Data", 16));
            flagsVM.Add(new BooleanHexBitField("32-Bit Preferred", 17));

            entryPointTokenRVAVM      = new UInt32HexField(doc, Name, "EntryPoint Token/RVA", startOffset + 0x14);
            resourcesVM               = new DataDirVM(doc, Name, "Resources", startOffset + 0x18);
            strongNameSignatureVM     = new DataDirVM(doc, Name, "StrongNameSignature", startOffset + 0x20);
            codeManagerTableVM        = new DataDirVM(doc, Name, "CodeManagerTable", startOffset + 0x28);
            vtableFixupsVM            = new DataDirVM(doc, Name, "VTableFixups", startOffset + 0x30);
            exportAddressTableJumpsVM = new DataDirVM(doc, Name, "ExportAddressTableJumps", startOffset + 0x38);
            managedNativeHeaderVM     = new DataDirVM(doc, Name, "ManagedNativeHeader", startOffset + 0x40);

            // Each data directory contributes its RVA field and then its Size field.
            hexFields = new HexField[]
            {
                cbVM,
                majorRuntimeVersionVM,
                minorRuntimeVersionVM,
                metaDataVM.RVAVM,
                metaDataVM.SizeVM,
                flagsVM,
                entryPointTokenRVAVM,
                resourcesVM.RVAVM,
                resourcesVM.SizeVM,
                strongNameSignatureVM.RVAVM,
                strongNameSignatureVM.SizeVM,
                codeManagerTableVM.RVAVM,
                codeManagerTableVM.SizeVM,
                vtableFixupsVM.RVAVM,
                vtableFixupsVM.SizeVM,
                exportAddressTableJumpsVM.RVAVM,
                exportAddressTableJumpsVM.SizeVM,
                managedNativeHeaderVM.RVAVM,
                managedNativeHeaderVM.SizeVM,
            };
        }
Example #9
		/// <summary>
		/// Creates the hex-field view models for the metadata storage signature that starts at
		/// <paramref name="startOffset"/>: signature, version numbers, two 32-bit values and
		/// the UTF-8 version string.
		/// </summary>
		/// <param name="owner">Forwarded unchanged to the base constructor.</param>
		/// <param name="doc">Hex document every field is bound to.</param>
		/// <param name="startOffset">Document offset of the lSignature field.</param>
		/// <param name="stringLen">Length handed to the VersionString field.</param>
		/// <remarks>
		/// NOTE(review): stringLen is used as given; presumably the caller takes it from the
		/// file's iVersionString value — confirm it is bounds-checked before it gets here.
		/// </remarks>
		public StorageSignatureVM(object owner, HexDocument doc, ulong startOffset, int stringLen)
			: base(owner) {
			lSignatureVM = new UInt32HexField(doc, Name, "lSignature", startOffset);
			iMajorVerVM = new UInt16HexField(doc, Name, "iMajorVer", startOffset + 0x04, true);
			iMinorVerVM = new UInt16HexField(doc, Name, "iMinorVer", startOffset + 0x06, true);
			iExtraDataVM = new UInt32HexField(doc, Name, "iExtraData", startOffset + 0x08);
			iVersionStringVM = new UInt32HexField(doc, Name, "iVersionString", startOffset + 0x0C);

			// The version string follows the fixed 16-byte prefix.
			ulong versionStringOffset = startOffset + 0x10;
			versionStringVM = new StringHexField(doc, Name, "VersionString", versionStringOffset, Encoding.UTF8, stringLen);

			// Field order follows the on-disk layout.
			hexFields = new HexField[] {
				lSignatureVM, iMajorVerVM, iMinorVerVM,
				iExtraDataVM, iVersionStringVM, versionStringVM,
			};
		}
Example #10
        /// <summary>
        /// Creates the hex-field view models for the metadata storage signature located at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the lSignature field.</param>
        /// <param name="stringLen">Length handed to the UTF-8 VersionString field.</param>
        /// <remarks>
        /// NOTE(review): this constructor does not range-check stringLen; verify that the
        /// caller or StringHexField rejects negative or oversized lengths read from a file.
        /// </remarks>
        public StorageSignatureVM(HexDocument doc, ulong startOffset, int stringLen)
        {
            lSignatureVM = new UInt32HexField(doc, Name, "lSignature", startOffset);
            iMajorVerVM = new UInt16HexField(doc, Name, "iMajorVer", startOffset + 0x04, true);
            iMinorVerVM = new UInt16HexField(doc, Name, "iMinorVer", startOffset + 0x06, true);
            iExtraDataVM = new UInt32HexField(doc, Name, "iExtraData", startOffset + 0x08);
            iVersionStringVM = new UInt32HexField(doc, Name, "iVersionString", startOffset + 0x0C);
            // Variable-length tail: the version string begins right after the fixed fields.
            versionStringVM = new StringHexField(doc, Name, "VersionString", startOffset + 0x10, Encoding.UTF8, stringLen);

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                lSignatureVM,
                iMajorVerVM,
                iMinorVerVM,
                iExtraDataVM,
                iVersionStringVM,
                versionStringVM,
            };
        }
Example #11
        /// <summary>
        /// Creates the hex-field view models for the CLR (COR20) header that starts at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the cb field.</param>
        /// <remarks>
        /// Flags are displayed exactly as stored. A set "Strong Name Signed" bit is a claim made
        /// by the header, not proof that the assembly carries a valid signature.
        /// </remarks>
        public ImageCor20HeaderVM(HexDocument doc, ulong startOffset)
        {
            cbVM = new UInt32HexField(doc, Name, "cb", startOffset);
            majorRuntimeVersionVM = new UInt16HexField(doc, Name, "MajorRuntimeVersion", startOffset + 0x04, true);
            minorRuntimeVersionVM = new UInt16HexField(doc, Name, "MinorRuntimeVersion", startOffset + 0x06, true);
            metaDataVM = new DataDirVM(doc, Name, "MetaData", startOffset + 0x08);

            flagsVM = new UInt32FlagsHexField(doc, Name, "Flags", startOffset + 0x10);
            // Names and bit positions are kept side by side because the bits are not contiguous.
            string[] flagNames = {
                "IL Only", "32-Bit Required", "IL Library", "Strong Name Signed",
                "Native EntryPoint", "Track Debug Data", "32-Bit Preferred",
            };
            int[] flagBits = { 0, 1, 2, 3, 4, 16, 17 };
            for (int i = 0; i < flagNames.Length; i++)
            {
                flagsVM.Add(new BooleanHexBitField(flagNames[i], flagBits[i]));
            }

            entryPointTokenRVAVM = new UInt32HexField(doc, Name, "EntryPoint Token/RVA", startOffset + 0x14);
            resourcesVM = new DataDirVM(doc, Name, "Resources", startOffset + 0x18);
            strongNameSignatureVM = new DataDirVM(doc, Name, "StrongNameSignature", startOffset + 0x20);
            codeManagerTableVM = new DataDirVM(doc, Name, "CodeManagerTable", startOffset + 0x28);
            vtableFixupsVM = new DataDirVM(doc, Name, "VTableFixups", startOffset + 0x30);
            exportAddressTableJumpsVM = new DataDirVM(doc, Name, "ExportAddressTableJumps", startOffset + 0x38);
            managedNativeHeaderVM = new DataDirVM(doc, Name, "ManagedNativeHeader", startOffset + 0x40);

            // Each data directory contributes its RVA field and then its Size field.
            hexFields = new HexField[]
            {
                cbVM,
                majorRuntimeVersionVM,
                minorRuntimeVersionVM,
                metaDataVM.RVAVM,
                metaDataVM.SizeVM,
                flagsVM,
                entryPointTokenRVAVM,
                resourcesVM.RVAVM,
                resourcesVM.SizeVM,
                strongNameSignatureVM.RVAVM,
                strongNameSignatureVM.SizeVM,
                codeManagerTableVM.RVAVM,
                codeManagerTableVM.SizeVM,
                vtableFixupsVM.RVAVM,
                vtableFixupsVM.SizeVM,
                exportAddressTableJumpsVM.RVAVM,
                exportAddressTableJumpsVM.SizeVM,
                managedNativeHeaderVM.RVAVM,
                managedNativeHeaderVM.SizeVM,
            };
        }
Example #12
        /// <summary>
        /// Creates the hex-field view models for the PE file header located at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="owner">Forwarded unchanged to the base constructor.</param>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the Machine field.</param>
        /// <remarks>
        /// All values are shown as stored in the file and are not validated here; TimeDateStamp
        /// in particular is just a header value and should not be read as a trustworthy build time.
        /// </remarks>
        public ImageFileHeaderVM(object owner, HexDocument doc, ulong startOffset)
            : base(owner)
        {
            // Machine is modelled as a flags field holding one 16-bit integer entry.
            machineVM = new UInt16FlagsHexField(doc, Name, "Machine", startOffset);
            machineVM.Add(new IntegerHexBitField("Machine", 0, 16, MachineInfos));

            numberOfSectionsVM = new UInt16HexField(doc, Name, "NumberOfSections", startOffset + 0x02);

            timeDateStampVM = new UInt32HexField(doc, Name, "TimeDateStamp", startOffset + 0x04);
            // Re-raise a change notification for TimeDateStampString whenever the raw value changes.
            timeDateStampVM.DataFieldVM.PropertyChanged += (sender, args) => OnPropertyChanged("TimeDateStampString");

            pointerToSymbolTableVM = new UInt32HexField(doc, Name, "PointerToSymbolTable", startOffset + 0x08);
            numberOfSymbolsVM      = new UInt32HexField(doc, Name, "NumberOfSymbols", startOffset + 0x0C);
            sizeOfOptionalHeaderVM = new UInt16HexField(doc, Name, "SizeOfOptionalHeader", startOffset + 0x10);

            characteristicsVM = new UInt16FlagsHexField(doc, Name, "Characteristics", startOffset + 0x12);
            // All 16 bits are boolean flags; the array index is the bit number.
            string[] characteristicNames = {
                "Relocs Stripped", "Executable Image", "Line Nums Stripped", "Local Syms Stripped",
                "Aggressive WS Trim", "Large Address Aware", "Reserved 0040h", "Bytes Reversed Lo",
                "32-Bit Machine", "Debug Stripped", "Removable Run From Swap", "Net Run From Swap",
                "System", "Dll", "Up System Only", "Bytes Reversed Hi",
            };
            for (int bit = 0; bit < characteristicNames.Length; bit++)
            {
                characteristicsVM.Add(new BooleanHexBitField(characteristicNames[bit], bit));
            }

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                machineVM,
                numberOfSectionsVM,
                timeDateStampVM,
                pointerToSymbolTableVM,
                numberOfSymbolsVM,
                sizeOfOptionalHeaderVM,
                characteristicsVM,
            };
        }
Example #13
        /// <summary>
        /// Creates the hex-field view models for the PE file header that starts at
        /// <paramref name="startOffset"/> in <paramref name="doc"/>.
        /// </summary>
        /// <param name="owner">Forwarded unchanged to the base constructor.</param>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="startOffset">Document offset of the Machine field.</param>
        /// <remarks>
        /// Nothing is validated here; the fields mirror the raw header bytes. TimeDateStamp is
        /// an ordinary header value and should not be relied on as the real build time.
        /// </remarks>
        public ImageFileHeaderVM(object owner, HexDocument doc, ulong startOffset)
            : base(owner)
        {
            // Machine is modelled as a flags field holding one 16-bit integer entry.
            machineVM = new UInt16FlagsHexField(doc, Name, "Machine", startOffset);
            machineVM.Add(new IntegerHexBitField("Machine", 0, 16, MachineInfos));

            numberOfSectionsVM = new UInt16HexField(doc, Name, "NumberOfSections", startOffset + 0x02);
            timeDateStampVM = new UInt32HexField(doc, Name, "TimeDateStamp", startOffset + 0x04);
            pointerToSymbolTableVM = new UInt32HexField(doc, Name, "PointerToSymbolTable", startOffset + 0x08);
            numberOfSymbolsVM = new UInt32HexField(doc, Name, "NumberOfSymbols", startOffset + 0x0C);
            sizeOfOptionalHeaderVM = new UInt16HexField(doc, Name, "SizeOfOptionalHeader", startOffset + 0x10);

            characteristicsVM = new UInt16FlagsHexField(doc, Name, "Characteristics", startOffset + 0x12);
            // Sixteen boolean flags, added from bit 0 upwards.
            string[] characteristicNames = {
                "Relocs Stripped", "Executable Image", "Line Nums Stripped", "Local Syms Stripped",
                "Aggressive WS Trim", "Large Address Aware", "Reserved 0040h", "Bytes Reversed Lo",
                "32-Bit Machine", "Debug Stripped", "Removable Run From Swap", "Net Run From Swap",
                "System", "Dll", "Up System Only", "Bytes Reversed Hi",
            };
            int bitNumber = 0;
            foreach (string flagName in characteristicNames)
            {
                characteristicsVM.Add(new BooleanHexBitField(flagName, bitNumber));
                bitNumber++;
            }

            // Field order follows the on-disk layout.
            hexFields = new HexField[]
            {
                machineVM,
                numberOfSectionsVM,
                timeDateStampVM,
                pointerToSymbolTableVM,
                numberOfSymbolsVM,
                sizeOfOptionalHeaderVM,
                characteristicsVM,
            };
        }
Example #14
        /// <summary>
        /// Creates the hex-field view models for the metadata tables stream header described
        /// by <paramref name="tblStream"/>, with one row-count field per table slot.
        /// </summary>
        /// <param name="owner">Forwarded unchanged to the base constructor.</param>
        /// <param name="doc">Hex document every field is bound to.</param>
        /// <param name="tblStream">Parsed tables stream; supplies StartOffset, ValidMask, HasExtraData and MDTables.</param>
        /// <remarks>
        /// The layout is driven by ValidMask and HasExtraData as reported by the parsed stream.
        /// The only consistency check is a Debug.Assert, which release builds omit.
        /// </remarks>
        public TablesStreamVM(object owner, HexDocument doc, TablesStream tblStream)
            : base(owner)
        {
            ulong baseOffset = (ulong)tblStream.StartOffset;

            m_ulReservedVM = new UInt32HexField(doc, Name, "m_ulReserved", baseOffset);
            m_majorVM      = new ByteHexField(doc, Name, "m_major", baseOffset + 4, true);
            m_minorVM      = new ByteHexField(doc, Name, "m_minor", baseOffset + 5, true);

            // m_heaps is one byte of boolean flags; the array index is the bit number.
            m_heapsVM = new ByteFlagsHexField(doc, Name, "m_heaps", baseOffset + 6);
            string[] heapFlagNames = {
                "BigStrings", "BigGUID", "BigBlob", "Padding",
                "Reserved", "DeltaOnly", "ExtraData", "HasDelete",
            };
            for (int bit = 0; bit < heapFlagNames.Length; bit++)
            {
                m_heapsVM.Add(new BooleanHexBitField(heapFlagNames[bit], bit));
            }

            m_ridVM       = new ByteHexField(doc, Name, "m_rid", baseOffset + 7);
            m_maskvalidVM = new UInt64FlagsHexField(doc, Name, "m_maskvalid", baseOffset + 8);
            AddTableFlags(m_maskvalidVM);
            m_sortedVM = new UInt64FlagsHexField(doc, Name, "m_sorted", baseOffset + 0x10);
            AddTableFlags(m_sortedVM);

            var fields = new List<HexField>(new HexField[]
            {
                m_ulReservedVM,
                m_majorVM,
                m_minorVM,
                m_heapsVM,
                m_ridVM,
                m_maskvalidVM,
                m_sortedVM,
            });

            // One row-count field per possible table (64 slots). A table occupies 4 bytes in the
            // file only when its ValidMask bit is set, so the cursor moves for those alone; an
            // absent table still gets a hidden field created at the current cursor position.
            rowsVM = new UInt32HexField[64];
            ulong remainingMask = tblStream.ValidMask;
            ulong cursor        = baseOffset + 0x18;

            int table = 0;
            while (table < rowsVM.Length)
            {
                var rowField = new UInt32HexField(doc, Name, string.Format("rows[{0:X2}]", table), cursor);
                rowsVM[table] = rowField;

                if ((remainingMask & 1) == 0)
                {
                    rowField.IsVisible = false;
                }
                else
                {
                    fields.Add(rowField);
                    cursor += 4;
                }

                remainingMask >>= 1;
                table++;
            }

            // m_ulExtra is always created right after the last present row count, but it is only
            // shown and listed when the stream reports extra data.
            m_ulExtraVM           = new UInt32HexField(doc, Name, "m_ulExtra", cursor);
            m_ulExtraVM.IsVisible = tblStream.HasExtraData;
            if (tblStream.HasExtraData)
            {
                fields.Add(m_ulExtraVM);
            }

            // NOTE(review): cursor is not advanced past m_ulExtra, so this equality looks like it
            // can only hold when HasExtraData is false — confirm how MDTables[0].StartOffset is
            // computed. Debug.Assert is compiled out of release builds, so it is not a guard
            // against malformed input.
            Debug.Assert(cursor == (ulong)tblStream.MDTables[0].StartOffset);

            hexFields = fields.ToArray();
        }
Example #15
        /// <summary>
        /// Creates one hex-field view model per PE optional-header field, starting at
        /// <paramref name="startOffset"/>.
        /// </summary>
        /// <param name="doc">Document handed to every field that is created.</param>
        /// <param name="startOffset">Offset of the Magic field.</param>
        /// <param name="endOffset">Not read by this constructor.</param>
        /// <param name="offs1">Added to <paramref name="startOffset"/> to locate SectionAlignment through DllCharacteristics.</param>
        /// <param name="offs2">Added to <paramref name="startOffset"/> to locate LoaderFlags; the data directories begin 8 bytes after it.</param>
        protected ImageOptionalHeaderVM(HexDocument doc, ulong startOffset, ulong endOffset, ulong offs1, ulong offs2)
        {
            // NOTE(review): every offset below comes from the caller and the field values come
            // from the file being inspected. Nothing in this constructor checks them against
            // endOffset or against NumberOfRvaAndSizes: all 16 data directories are always
            // created. Presumably a derived class or the caller limits what is shown - confirm.

            // Fixed leading part of the header.
            magicVM                   = new UInt16HexField(doc, Name, "Magic", startOffset + 0);
            majorLinkerVersionVM      = new ByteHexField(doc, Name, "MajorLinkerVersion", startOffset + 2, true);
            minorLinkerVersionVM      = new ByteHexField(doc, Name, "MinorLinkerVersion", startOffset + 3, true);
            sizeOfCodeVM              = new UInt32HexField(doc, Name, "SizeOfCode", startOffset + 4);
            sizeOfInitializedDataVM   = new UInt32HexField(doc, Name, "SizeOfInitializedData", startOffset + 8);
            sizeOfUninitializedDataVM = new UInt32HexField(doc, Name, "SizeOfUninitializedData", startOffset + 0x0C);
            addressOfEntryPointVM     = new UInt32HexField(doc, Name, "AddressOfEntryPoint", startOffset + 0x10);
            baseOfCodeVM              = new UInt32HexField(doc, Name, "BaseOfCode", startOffset + 0x14);

            // Second group, positioned relative to startOffset + offs1.
            // presumably offs1/offs2 differ between the 32-bit and 64-bit header layouts; verify against the callers
            ulong group1 = startOffset + offs1;
            sectionAlignmentVM            = new UInt32HexField(doc, Name, "SectionAlignment", group1 + 0);
            fileAlignmentVM               = new UInt32HexField(doc, Name, "FileAlignment", group1 + 4);
            majorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MajorOperatingSystemVersion", group1 + 8, true);
            minorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MinorOperatingSystemVersion", group1 + 0x0A, true);
            majorImageVersionVM           = new UInt16HexField(doc, Name, "MajorImageVersion", group1 + 0x0C, true);
            minorImageVersionVM           = new UInt16HexField(doc, Name, "MinorImageVersion", group1 + 0x0E, true);
            majorSubsystemVersionVM       = new UInt16HexField(doc, Name, "MajorSubsystemVersion", group1 + 0x10, true);
            minorSubsystemVersionVM       = new UInt16HexField(doc, Name, "MinorSubsystemVersion", group1 + 0x12, true);
            win32VersionValueVM           = new UInt32HexField(doc, Name, "Win32VersionValue", group1 + 0x14, true);
            sizeOfImageVM                 = new UInt32HexField(doc, Name, "SizeOfImage", group1 + 0x18);
            sizeOfHeadersVM               = new UInt32HexField(doc, Name, "SizeOfHeaders", group1 + 0x1C);
            checkSumVM                    = new UInt32HexField(doc, Name, "CheckSum", group1 + 0x20);

            // Subsystem is shown as one 16-bit integer bit field decoded through SubsystemInfos.
            subsystemVM = new UInt16FlagsHexField(doc, Name, "Subsystem", group1 + 0x24);
            subsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

            // DllCharacteristics: one boolean per bit, the array index is the bit number.
            // Bits 5, 6, 8 and 14 are the mitigation opt-ins (high-entropy ASLR, ASLR, DEP, CFG)
            // that are usually checked first when assessing how a binary was hardened.
            string[] dllCharacteristicsBits =
            {
                "Reserved1",
                "Reserved2",
                "Reserved3",
                "Reserved4",
                "Reserved5",
                "High Entropy VA",
                "Dynamic Base",
                "Force Integrity",
                "NX Compat",
                "No Isolation",
                "No SEH",
                "No Bind",
                "AppContainer",
                "WDM Driver",
                "Guard CF",
                "Terminal Server Aware",
            };
            dllCharacteristicsVM = new UInt16FlagsHexField(doc, Name, "DllCharacteristics", group1 + 0x26);
            for (int bit = 0; bit < dllCharacteristicsBits.Length; bit++)
            {
                dllCharacteristicsVM.Add(new BooleanHexBitField(dllCharacteristicsBits[bit], bit));
            }

            // Third group, positioned relative to startOffset + offs2.
            ulong group2 = startOffset + offs2;
            loaderFlagsVM         = new UInt32HexField(doc, Name, "LoaderFlags", group2 + 0);
            numberOfRvaAndSizesVM = new UInt32HexField(doc, Name, "NumberOfRvaAndSizes", group2 + 4);

            // Sixteen data directories, 8 bytes apart.
            // Entry 4 ("Security") is the certificate table; in the PE format its first dword is a
            // file offset rather than an RVA, although DataDirVM labels it "Security RVA".
            ulong doffs = offs2 + 8;
            ulong dirBase = startOffset + doffs;

            dataDir0VM  = new DataDirVM(doc, Name, "Export", dirBase + 0);
            dataDir1VM  = new DataDirVM(doc, Name, "Import", dirBase + 8);
            dataDir2VM  = new DataDirVM(doc, Name, "Resource", dirBase + 0x10);
            dataDir3VM  = new DataDirVM(doc, Name, "Exception", dirBase + 0x18);
            dataDir4VM  = new DataDirVM(doc, Name, "Security", dirBase + 0x20);
            dataDir5VM  = new DataDirVM(doc, Name, "Base Reloc", dirBase + 0x28);
            dataDir6VM  = new DataDirVM(doc, Name, "Debug", dirBase + 0x30);
            dataDir7VM  = new DataDirVM(doc, Name, "Architecture", dirBase + 0x38);
            dataDir8VM  = new DataDirVM(doc, Name, "Global Ptr", dirBase + 0x40);
            dataDir9VM  = new DataDirVM(doc, Name, "TLS", dirBase + 0x48);
            dataDir10VM = new DataDirVM(doc, Name, "Load Config", dirBase + 0x50);
            dataDir11VM = new DataDirVM(doc, Name, "Bound Import", dirBase + 0x58);
            dataDir12VM = new DataDirVM(doc, Name, "IAT", dirBase + 0x60);
            dataDir13VM = new DataDirVM(doc, Name, "Delay Import", dirBase + 0x68);
            dataDir14VM = new DataDirVM(doc, Name, ".NET", dirBase + 0x70);
            dataDir15VM = new DataDirVM(doc, Name, "Reserved15", dirBase + 0x78);
        }
Example #16
        /// <summary>
        /// Lays out the view models for the fields of a PE optional header whose first
        /// field (Magic) sits at <paramref name="startOffset"/>.
        /// </summary>
        /// <param name="doc">Document passed to each created field.</param>
        /// <param name="startOffset">Offset of the start of the header.</param>
        /// <param name="endOffset">Unused in this constructor.</param>
        /// <param name="offs1">Displacement from <paramref name="startOffset"/> of the SectionAlignment..DllCharacteristics group.</param>
        /// <param name="offs2">Displacement from <paramref name="startOffset"/> of LoaderFlags; data directories follow at offs2 + 8.</param>
        protected ImageOptionalHeaderVM(HexDocument doc, ulong startOffset, ulong endOffset, ulong offs1, ulong offs2)
        {
            // NOTE(review): the header being displayed is untrusted input. This constructor does
            // no bounds checking - endOffset is ignored and 16 data directories are created no
            // matter what NumberOfRvaAndSizes says. Confirm that a caller or subclass handles
            // truncated or oversized headers.

            // --- fields at fixed offsets from startOffset ---
            this.magicVM = new UInt16HexField(doc, Name, "Magic", startOffset + 0);
            this.majorLinkerVersionVM = new ByteHexField(doc, Name, "MajorLinkerVersion", startOffset + 2, true);
            this.minorLinkerVersionVM = new ByteHexField(doc, Name, "MinorLinkerVersion", startOffset + 3, true);
            this.sizeOfCodeVM = new UInt32HexField(doc, Name, "SizeOfCode", startOffset + 4);
            this.sizeOfInitializedDataVM = new UInt32HexField(doc, Name, "SizeOfInitializedData", startOffset + 8);
            this.sizeOfUninitializedDataVM = new UInt32HexField(doc, Name, "SizeOfUninitializedData", startOffset + 0x0C);
            this.addressOfEntryPointVM = new UInt32HexField(doc, Name, "AddressOfEntryPoint", startOffset + 0x10);
            this.baseOfCodeVM = new UInt32HexField(doc, Name, "BaseOfCode", startOffset + 0x14);

            // --- fields at offsets relative to startOffset + offs1 ---
            ulong alignBase = startOffset + offs1;
            this.sectionAlignmentVM = new UInt32HexField(doc, Name, "SectionAlignment", alignBase + 0);
            this.fileAlignmentVM = new UInt32HexField(doc, Name, "FileAlignment", alignBase + 4);
            this.majorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MajorOperatingSystemVersion", alignBase + 8, true);
            this.minorOperatingSystemVersionVM = new UInt16HexField(doc, Name, "MinorOperatingSystemVersion", alignBase + 0x0A, true);
            this.majorImageVersionVM = new UInt16HexField(doc, Name, "MajorImageVersion", alignBase + 0x0C, true);
            this.minorImageVersionVM = new UInt16HexField(doc, Name, "MinorImageVersion", alignBase + 0x0E, true);
            this.majorSubsystemVersionVM = new UInt16HexField(doc, Name, "MajorSubsystemVersion", alignBase + 0x10, true);
            this.minorSubsystemVersionVM = new UInt16HexField(doc, Name, "MinorSubsystemVersion", alignBase + 0x12, true);
            this.win32VersionValueVM = new UInt32HexField(doc, Name, "Win32VersionValue", alignBase + 0x14, true);
            this.sizeOfImageVM = new UInt32HexField(doc, Name, "SizeOfImage", alignBase + 0x18);
            this.sizeOfHeadersVM = new UInt32HexField(doc, Name, "SizeOfHeaders", alignBase + 0x1C);
            this.checkSumVM = new UInt32HexField(doc, Name, "CheckSum", alignBase + 0x20);

            // The whole 16-bit Subsystem value is a single integer bit field.
            this.subsystemVM = new UInt16FlagsHexField(doc, Name, "Subsystem", alignBase + 0x24);
            this.subsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

            // DllCharacteristics flag names in bit order (bit 0 first). The ASLR, DEP and CFG
            // opt-ins ("Dynamic Base", "High Entropy VA", "NX Compat", "Guard CF") live here,
            // which makes this the field to read when checking a binary's mitigation flags.
            var flagNames = new[]
            {
                "Reserved1", "Reserved2", "Reserved3", "Reserved4",
                "Reserved5", "High Entropy VA", "Dynamic Base", "Force Integrity",
                "NX Compat", "No Isolation", "No SEH", "No Bind",
                "AppContainer", "WDM Driver", "Guard CF", "Terminal Server Aware",
            };
            this.dllCharacteristicsVM = new UInt16FlagsHexField(doc, Name, "DllCharacteristics", alignBase + 0x26);
            int bitIndex = 0;
            foreach (string flagName in flagNames)
            {
                this.dllCharacteristicsVM.Add(new BooleanHexBitField(flagName, bitIndex));
                bitIndex++;
            }

            // --- fields at offsets relative to startOffset + offs2 ---
            ulong tailBase = startOffset + offs2;
            this.loaderFlagsVM = new UInt32HexField(doc, Name, "LoaderFlags", tailBase + 0);
            this.numberOfRvaAndSizesVM = new UInt32HexField(doc, Name, "NumberOfRvaAndSizes", tailBase + 4);

            // --- data directories: 16 entries of 8 bytes each ---
            // The "Security" entry is the certificate table, whose location is stored as a file
            // offset in the PE format even though DataDirVM captions it "Security RVA".
            ulong doffs = offs2 + 8;
            ulong firstDir = startOffset + doffs;
            this.dataDir0VM = new DataDirVM(doc, Name, "Export", firstDir + 0);
            this.dataDir1VM = new DataDirVM(doc, Name, "Import", firstDir + 8);
            this.dataDir2VM = new DataDirVM(doc, Name, "Resource", firstDir + 0x10);
            this.dataDir3VM = new DataDirVM(doc, Name, "Exception", firstDir + 0x18);
            this.dataDir4VM = new DataDirVM(doc, Name, "Security", firstDir + 0x20);
            this.dataDir5VM = new DataDirVM(doc, Name, "Base Reloc", firstDir + 0x28);
            this.dataDir6VM = new DataDirVM(doc, Name, "Debug", firstDir + 0x30);
            this.dataDir7VM = new DataDirVM(doc, Name, "Architecture", firstDir + 0x38);
            this.dataDir8VM = new DataDirVM(doc, Name, "Global Ptr", firstDir + 0x40);
            this.dataDir9VM = new DataDirVM(doc, Name, "TLS", firstDir + 0x48);
            this.dataDir10VM = new DataDirVM(doc, Name, "Load Config", firstDir + 0x50);
            this.dataDir11VM = new DataDirVM(doc, Name, "Bound Import", firstDir + 0x58);
            this.dataDir12VM = new DataDirVM(doc, Name, "IAT", firstDir + 0x60);
            this.dataDir13VM = new DataDirVM(doc, Name, "Delay Import", firstDir + 0x68);
            this.dataDir14VM = new DataDirVM(doc, Name, ".NET", firstDir + 0x70);
            this.dataDir15VM = new DataDirVM(doc, Name, "Reserved15", firstDir + 0x78);
        }
Example #17
 /// <summary>
 /// Creates the two 32-bit fields of one data-directory entry: the address at
 /// <paramref name="start"/> and the size 4 bytes after it.
 /// </summary>
 /// <param name="doc">Document passed to both fields.</param>
 /// <param name="parentName">Passed to both fields as their second argument.</param>
 /// <param name="name">Directory name; stored and used as the prefix of both field captions.</param>
 /// <param name="start">Offset of the address field.</param>
 public DataDirVM(HexDocument doc, string parentName, string name, ulong start)
 {
     // Build both captions up front; they only depend on the directory name.
     // NOTE(review): the first caption always says "RVA", including for entries whose
     // address is not an RVA in the PE format (the certificate table stores a file offset).
     string rvaCaption  = string.Format("{0} RVA", name);
     string sizeCaption = string.Format("{0} Size", name);

     this.name = name;
     rvaVM     = new UInt32HexField(doc, parentName, rvaCaption, start);
     sizeVM    = new UInt32HexField(doc, parentName, sizeCaption, start + 4);
 }
Example #18
 /// <summary>
 /// View model for a single 8-byte data-directory entry: a 32-bit address field
 /// followed by a 32-bit size field.
 /// </summary>
 /// <param name="doc">Document handed to the two fields.</param>
 /// <param name="parentName">Second constructor argument of the two fields.</param>
 /// <param name="name">Name of the directory, kept on the instance and used in both captions.</param>
 /// <param name="start">Offset of the entry; the size field is placed at <c>start + 4</c>.</param>
 public DataDirVM(HexDocument doc, string parentName, string name, ulong start)
 {
     const ulong SizeFieldDelta = 4; // the size dword directly follows the address dword

     this.name = name;

     // Both values are shown as read from the document; no range or sanity check is done here.
     var addressField = new UInt32HexField(doc, parentName, string.Format("{0} RVA", name), start);
     this.rvaVM = addressField;

     var lengthField = new UInt32HexField(doc, parentName, string.Format("{0} Size", name), start + SizeFieldDelta);
     this.sizeVM = lengthField;
 }