public COFFHeader(AssemblyBuffer buffer, DOSHeader currentHeader)
{
buffer.SetIndexPointer(currentHeader.PEHeaderPointer);
this.Signature = buffer.ReadDWord();
this.Machine = buffer.ReadWord();
this.SectionCount = buffer.ReadWord();
this.TimeDataStamp = buffer.ReadDWord();
this.PointerToSymbolTable = buffer.ReadDWord();
this.NumberOfSymbols = buffer.ReadDWord();
this.SizeOfOptionalHeader = buffer.ReadWord();
this.Characteristics = buffer.ReadWord();
}
public PEAssembly(StreamParser parser)
{
DOSHeader dosHeader = new DOSHeader(parser);
parser.Seek(dosHeader.PEHeaderOffset);
PEHeader peHeader = new PEHeader(parser);
if (peHeader.SizeOfOptionalHeader == 0)
throw new ParseFailedException("PE missing NT header");
PEOptionalHeader peOptionalHeader = new PEOptionalHeader(parser);
PESectionHeader[] sectionHeaders = new PESectionHeader[peHeader.NumberOfSections];
for (int i = 0; i < peHeader.NumberOfSections; i++)
sectionHeaders[i] = new PESectionHeader(parser);
SectionHeaders = sectionHeaders;
DataDirectory = peOptionalHeader.DataDirectory;
}
public override void SaveToDisk(string fileName)
{
try
{
using (BinaryWriter writer = new BinaryWriter(new FileStream(fileName, FileMode.Create, FileAccess.Write)))
{
DOSHeader.AppendToStream(writer);
writer.Write(DOS_Stub);
PEHeader.AppendToStream(writer);
AppendSections(writer);
}
}
catch
{
// ignored
}
}
public virtual void VisitDOSHeader(DOSHeader header)
{
}
public virtual void VisitDOSHeader(DOSHeader header)
{
}
private void LoadPEImage()
{
long fileDataSize = rdr.Bytes.Length - xexData.header.header_size;
BeImageReader memRdr = new BeImageReader(xexData.memoryData);
DOSHeader dosHeader = memRdr.ReadStruct <DOSHeader>();
dosHeader.Validate();
memRdr.Offset = dosHeader.e_lfanew;
UInt32 peSignature = memRdr.ReadUInt32();
if (peSignature != 0x50450000)
{
throw new BadImageFormatException("PE: Invalid or Missing PE Signature");
}
COFFHeader coffHeader = memRdr.ReadStruct <COFFHeader>();
if (coffHeader.Machine != 0x1F2)
{
throw new BadImageFormatException($"PE: Machine type does not match Xbox360 (found 0x{coffHeader.Machine:X})");
}
if ((coffHeader.Characteristics & 0x0100) == 0)
{
throw new BadImageFormatException("PE: Only 32-bit images are supported");
}
if (coffHeader.SizeOfOptionalHeader != 224)
{
throw new BadImageFormatException($"PE: Invalid size of optional header (got {coffHeader.SizeOfOptionalHeader}");
}
PEOptHeader optHeader = memRdr.ReadStruct <PEOptHeader>();
if (optHeader.signature != 0x10b)
{
throw new BadImageFormatException($"PE: Invalid signature of optional header (got 0x{optHeader.signature})");
}
if (optHeader.Subsystem != IMAGE_SUBSYSTEM_XBOX)
{
throw new BadImageFormatException($"PE: Invalid subsystem (got {optHeader.Subsystem})");
}
xexData.peHeader = optHeader;
uint extendedMemorySize = 0;
uint numSections = coffHeader.NumberOfSections;
List <PESection> peSections = new List <PESection>();
for (uint i = 0; i < numSections; i++)
{
COFFSection section = memRdr.ReadStruct <COFFSection>();
string sectionName = Encoding.ASCII.GetString(section.Name).Trim('\0');
uint lastMemoryAddress = section.VirtualAddress + section.VirtualSize;
if (lastMemoryAddress > extendedMemorySize)
{
extendedMemorySize = lastMemoryAddress;
}
if (section.SizeOfRawData == 0)
{
decompilerEventListener.Info(new NullCodeLocation(""),
$"Skipping empty section {sectionName}"
);
continue;
}
byte[] sectionData = memRdr.ReadAt <byte[]>(section.PointerToRawData, rdr => rdr.ReadBytes(section.SizeOfRawData));
AccessMode acc = AccessMode.Read;
if (section.Flags.HasFlag(PESectionFlags.IMAGE_SCN_MEM_WRITE))
{
acc |= AccessMode.Write;
}
if (section.Flags.HasFlag(PESectionFlags.IMAGE_SCN_MEM_EXECUTE))
{
acc |= AccessMode.Execute;
}
PESection managedSection = new PESection(section);
peSections.Add(managedSection);
ImageSegment seg = new ImageSegment(sectionName, new MemoryArea(
new Address32(managedSection.PhysicalOffset + xexData.exe_address), sectionData
), acc);
segments.Add(seg);
}
if (extendedMemorySize > xexData.memorySize)
{
decompilerEventListener.Info(new NullCodeLocation(""),
$"PE: Image sections extend beyond virtual memory range loaded from file ({extendedMemorySize} > {xexData.memorySize}). Extending by {extendedMemorySize - xexData.memorySize} bytes."
);
UInt32 oldMemorySize = xexData.memorySize;
byte[] newMemoryData = new byte[extendedMemorySize];
Array.Copy(xexData.memoryData, newMemoryData, xexData.memorySize);
xexData.memorySize = extendedMemorySize;
xexData.memoryData = newMemoryData;
for (int i = 0; i < peSections.Count; i++)
{
PESection section = peSections[i];
if (section.PhysicalSize == 0)
{
continue;
}
if (section.PhysicalSize + section.PhysicalOffset > fileDataSize)
{
decompilerEventListener.Warn(new NullCodeLocation(""),
$"PE: Section '{section.Name}' lies outside any phyisical data we have {section.PhysicalOffset} (size {section.PhysicalSize})"
);
continue;
}
if (section.VirtualOffset >= oldMemorySize)
{
uint sizeToCopy = section.PhysicalSize;
if (section.VirtualSize < sizeToCopy)
{
sizeToCopy = section.VirtualSize;
}
Array.Copy(
xexData.memoryData, section.PhysicalOffset,
newMemoryData, section.VirtualOffset,
sizeToCopy);
}
}
}
}
public unsafe static IEnumerable <ProcessModule> AppendHiddenModules(this ProcessModuleCollection collection, Process process = null)
{
var hModules = new IntPtr[1024];
var gcHandle = GCHandle.Alloc(hModules, GCHandleType.Pinned); // Don't forget to free this later
var pModules = gcHandle.AddrOfPinnedObject();
var size = (uint)(Marshal.SizeOf(typeof(IntPtr)) * (hModules.Length));
IntPtr minAddress;
IntPtr maxAddress;
uint hProcess;
MEMORY_BASIC_INFORMATION memBasicInfo;
uint regionSize = 0;
var sysInfo = new SYSTEM_INFO();
var processsModuleType = typeof(ProcessModule);
var moduleInfoType = processsModuleType.Assembly.GetTypes().SingleOrDefault(t => t.FullName == "System.Diagnostics.ModuleInfo");
var processModuleConstructor = processsModuleType.GetConstructor(BindingFlags.NonPublic | BindingFlags.Instance, null, new Type[] { moduleInfoType }, null);
var list = new List <ProcessModule>(collection.Cast <ProcessModule>());
var listAddFrom = new List <ProcessModule>();
GetSystemInfo(out sysInfo);
minAddress = sysInfo.MinimumApplicationAddress;
maxAddress = sysInfo.MaximumApplicationAddress;
if (process == null)
{
process = Process.GetCurrentProcess();
}
hProcess = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VirtualMemoryRead, false, (uint)process.Id);
memBasicInfo = new MEMORY_BASIC_INFORMATION();
while (minAddress.ToPointer() < maxAddress.ToPointer())
{
uint length = 0;
var builder = new StringBuilder(1024);
builder.Clear();
VirtualQueryEx(hProcess, minAddress, out memBasicInfo, 28);
regionSize = memBasicInfo.RegionSize;
if (memBasicInfo.Protect == AllocationProtectEnum.PAGE_READONLY | memBasicInfo.Protect == AllocationProtectEnum.PAGE_READWRITE | memBasicInfo.Protect == AllocationProtectEnum.PAGE_EXECUTE_READ | memBasicInfo.Protect == AllocationProtectEnum.PAGE_EXECUTE_READWRITE)
{
length = GetMappedFileName(hProcess, memBasicInfo.BaseAddress, builder, 1024);
if (length != 0)
{
uint bytesRead = 0;
var buffer = new byte[memBasicInfo.RegionSize];
var deviceName = builder.ToString();
byte[] bytes;
string magic;
string signature;
ReadProcessMemory(hProcess, memBasicInfo.BaseAddress, buffer, memBasicInfo.RegionSize, ref bytesRead);
if (bytesRead >= (DOSHeader.Size + PEHeader.Size))
{
var assemblyReader = new BinaryReader(buffer.ToMemory());
var dosHeader = DOSHeader.ReadDOSHeader(assemblyReader);
bytes = BitConverter.GetBytes(dosHeader.MagicBytes);
magic = ASCIIEncoding.ASCII.GetString(bytes, 0, 2);
if (magic == "MZ")
{
var peheader = PEHeader.ReadPEHeader(assemblyReader, dosHeader.COFFHeaderAddress);
bytes = BitConverter.GetBytes(peheader.SignatureBytes);
signature = ASCIIEncoding.ASCII.GetString(bytes, 0, 2);
if (signature == "PE")
{
string fileName;
Files.ConvertDevicePathToLocalPath(deviceName, out fileName);
if (!collection.Cast <ProcessModule>().Any(m => m.FileName.AsCaseless() == fileName))
{
var moduleInfo = Activator.CreateInstance(moduleInfoType);
string baseName;
ProcessModule processModule;
baseName = Path.GetFileName(fileName);
moduleInfoType.SetFieldValue("baseName", moduleInfo, baseName);
moduleInfoType.SetFieldValue("baseOfDll", moduleInfo, new IntPtr(memBasicInfo.BaseAddress));
moduleInfoType.SetFieldValue("entryPoint", moduleInfo, new IntPtr(peheader.AddressOfEntryPoint));
moduleInfoType.SetFieldValue("fileName", moduleInfo, fileName);
moduleInfoType.SetFieldValue("sizeOfImage", moduleInfo, (int)peheader.SizeOfImage);
processModule = (ProcessModule)processModuleConstructor.Invoke(new object[] { moduleInfo });
regionSize = peheader.SizeOfImage;
listAddFrom.Add(processModule);
}
}
}
}
}
}
minAddress += (int)regionSize;
}
return(list.Concat(listAddFrom));
}
