private uint GetSectionProtection(DataSectionFlags characteristics) { uint result = 0; if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached)) result |= /*PAGE_NOCACHE*/ 0x200; if (characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) result |= /*PAGE_EXECUTE_READWRITE*/ 0x40; else result |= /*PAGE_EXECUTE_READ*/ 0x20; } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) result |= /*PAGE_EXECUTE_WRITECOPY*/ 0x80; else result |= /*PAGE_EXECUTE*/ 0x10; } else if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) result |= /*PAGE_READWRITE*/ 0x04; else result |= /*PAGE_READONLY*/ 0x02; } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) result |= /*PAGE_WRITECOPY*/ 0x08; else result |= /*PAGE_NOACCESS*/ 0x01; return result; }
private static Protection ChooseMemoryProtection(DataSectionFlags sectionFlags) { switch (sectionFlags & (DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite)) { default: return(Protection.PAGE_NOACCESS); case DataSectionFlags.MemoryRead: return(Protection.PAGE_READONLY); case DataSectionFlags.MemoryWrite: return(Protection.PAGE_WRITECOPY); case DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite: return(Protection.PAGE_READWRITE); case DataSectionFlags.MemoryExecute: return(Protection.PAGE_EXECUTE); case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead: return(Protection.PAGE_EXECUTE_READ); case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryWrite: return(Protection.PAGE_EXECUTE_WRITECOPY); case DataSectionFlags.MemoryExecute | DataSectionFlags.MemoryRead | DataSectionFlags.MemoryWrite: return(Protection.PAGE_EXECUTE_READWRITE); } }
internal ImageSectionInfo(ImageSectionHeader struc, int number, IntPtr address) { Number = number; Name = struc.Section; Address = address; Size = (int)struc.VirtualSize; Characteristics = struc.Characteristics; }
public IMAGE_SECTION_HEADER AddSection(string szSectionName, ulong uSize, DataSectionFlags Flag) { // 섹션을 한칸 늘리고 SizeOfImage 를 추가함 다시 읽어옴 NtHeader.FileHeader.NumberOfSections++; NtHeader.OptionalHeader.SizeOfImage += (uint)VirtualAlign(uSize); /* #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor */ // 그냥 샘. NtHeader.OptionalHeader.DataDirectory[11].VirtualAddress = 0; NtHeader.OptionalHeader.DataDirectory[11].Size = 0; StructureToBytes(DosHeader.e_lfanew, NtHeader); ReadSection(); // 섹션을 작성함 ulong LastSection = (ulong)NtHeader.FileHeader.NumberOfSections - 1; byte[] tmpSecName = Encoding.ASCII.GetBytes(szSectionName); byte[] StrByte = new byte[8]; Buffer.BlockCopy(tmpSecName, 0, StrByte, 0, tmpSecName.Length); SecHeader[LastSection].Name = StrByte; SecHeader[LastSection].VirtualAddress = (uint)VirtualAlign(SecHeader[LastSection - 1].VirtualAddress + SecHeader[LastSection - 1].VirtualSize); SecHeader[LastSection].VirtualSize = (uint)VirtualAlign(uSize); SecHeader[LastSection].PointerToRawData = (uint)RawAlign(SecHeader[LastSection - 1].PointerToRawData + SecHeader[LastSection - 1].SizeOfRawData); SecHeader[LastSection].SizeOfRawData = (uint)RawAlign(uSize); SecHeader[LastSection].Characteristics = Flag; StructureToBytes(DosHeader.e_lfanew + 248 + 40 * (int)LastSection, SecHeader[LastSection]); // 바이너리 추가 (realloc) byte[] temp = new byte[FileBinary.Length + (uint)RawAlign(uSize)]; FileBinary.CopyTo(temp, 0); FileBinary = new byte[temp.Length]; temp.CopyTo(FileBinary, 0); return(SecHeader[LastSection]); }
private uint get_section_protection(DataSectionFlags characteristics) { uint result = 0; if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached)) { result |= /*PAGE_NOCACHE*/ 0x200; } if (characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { result |= /*PAGE_EXECUTE_READWRITE*/ 0x40; } else { result |= /*PAGE_EXECUTE_READ*/ 0x20; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { result |= /*PAGE_EXECUTE_WRITECOPY*/ 0x80; } else { result |= /*PAGE_EXECUTE*/ 0x10; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { result |= /*PAGE_READWRITE*/ 0x04; } else { result |= /*PAGE_READONLY*/ 0x02; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { result |= /*PAGE_WRITECOPY*/ 0x08; } else { result |= /*PAGE_NOACCESS*/ 0x01; } return(result); }
// Token: 0x06000014 RID: 20 RVA: 0x00002E90 File Offset: 0x00001090 private uint GetSectionProtection(DataSectionFlags characteristics) { uint num = 0U; if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached)) { num |= 512U; } if (characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag((DataSectionFlags)2147483648U)) { num |= 64U; } else { num |= 32U; } } else if (characteristics.HasFlag((DataSectionFlags)2147483648U)) { num |= 128U; } else { num |= 16U; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag((DataSectionFlags)2147483648U)) { num |= 4U; } else { num |= 2U; } } else if (characteristics.HasFlag((DataSectionFlags)2147483648U)) { num |= 8U; } else { num |= 1U; } return(num); }
// Token: 0x06000014 RID: 20 RVA: 0x00002E90 File Offset: 0x00001090 private uint GetSectionProtection(DataSectionFlags characteristics) { uint num = 0u; if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached)) { num |= 512u; } if (characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag((DataSectionFlags)2147483648u)) { num |= 64u; } else { num |= 32u; } } else if (characteristics.HasFlag((DataSectionFlags)2147483648u)) { num |= 128u; } else { num |= 16u; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag((DataSectionFlags)2147483648u)) { num |= 4u; } else { num |= 2u; } } else if (characteristics.HasFlag((DataSectionFlags)2147483648u)) { num |= 8u; } else { num |= 1u; } return(num); }
/// <summary> /// Setup internal data based on given input read from native image. /// </summary> bool IBinaryConverter <ImageSectionHeader> .Convert(ref ImageSectionHeader s, uint startOffset, uint size) { DataSize = s.SizeOfRawData; DataAddress = s.PointerToRawData; RelocationAddress = s.PointerToRelocations; LineNumberAddress = s.PointerToLinenumbers; RelocationCount = s.NumberOfRelocations; LineNumberCount = s.NumberOfLinenumbers; Characteristics = (DataSectionFlags)s.Characteristics; UpdateFileInfo(GetName(s.Name), startOffset, size); UpdateVirtualInfo(s.VirtualAddress, s.PhysicalAddressOrVirtualSize); return(true); }
// Token: 0x06000016 RID: 22 RVA: 0x0000300C File Offset: 0x0000120C private bool ProcessSections(IntPtr baseAddress, IntPtr remoteAddress) { PIMAGE_NT_HEADERS32 ntHeader = this.GetNtHeader(baseAddress); if (ntHeader == null) { return(false); } PIMAGE_SECTION_HEADER pimage_SECTION_HEADER = (PIMAGE_SECTION_HEADER)(ntHeader.Address + 24 + (int)ntHeader.Value.FileHeader.SizeOfOptionalHeader); for (ushort num = 0; num < ntHeader.Value.FileHeader.NumberOfSections; num += 1) { if (!Helpers._stricmp(".reloc".ToCharArray(), pimage_SECTION_HEADER[(uint)num].Name)) { DataSectionFlags characteristics = pimage_SECTION_HEADER[(uint)num].Characteristics; if (characteristics.HasFlag(DataSectionFlags.MemoryRead) || characteristics.HasFlag((DataSectionFlags)2147483648U) || characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { uint sectionProtection = this.GetSectionProtection(pimage_SECTION_HEADER[(uint)num].Characteristics); this.ProcessSection(pimage_SECTION_HEADER[(uint)num].Name, baseAddress, remoteAddress, (ulong)pimage_SECTION_HEADER[(uint)num].PointerToRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualAddress, (ulong)pimage_SECTION_HEADER[(uint)num].SizeOfRawData, (ulong)pimage_SECTION_HEADER[(uint)num].VirtualSize, sectionProtection); } } } return(true); }
private static int GetSectionProtection(DataSectionFlags characteristics) { var protection = 0; // Calculate the sections protection if (characteristics.HasFlag(DataSectionFlags.MemoryNotCached)) { protection |= (int)MemoryProtection.PageNoCache; } if (characteristics.HasFlag(DataSectionFlags.MemoryExecute)) { if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { protection |= (int)MemoryProtection.PageExecuteReadWrite; } else { protection |= (int)MemoryProtection.PageExecuteRead; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { protection |= (int)MemoryProtection.PageExecuteWriteCopy; } else { protection |= (int)MemoryProtection.PageExecute; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryRead)) { if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { protection |= (int)MemoryProtection.PageReadWrite; } else { protection |= (int)MemoryProtection.PageReadOnly; } } else if (characteristics.HasFlag(DataSectionFlags.MemoryWrite)) { protection |= (int)MemoryProtection.PageWriteCopy; } else { protection |= (int)MemoryProtection.PageNoAccess; } return(protection); }
public bool HasFlag(DataSectionFlags flag) { return((this.Characteristics & flag) == flag); }