internal static ImageNetDirectory FromReadingContext(ReadingContext context)
{
var reader = context.Reader;
var directory = new ImageNetDirectory
{
_readingContext = context,
StartOffset = reader.Position,
Cb = reader.ReadUInt32(),
MajorRuntimeVersion = reader.ReadUInt16(),
MinorRuntimeVersion = reader.ReadUInt16(),
MetadataDirectory = ImageDataDirectory.FromReadingContext(context),
Flags = (ImageNetDirectoryFlags)reader.ReadUInt32(),
EntryPointToken = reader.ReadUInt32(),
ResourcesDirectory = ImageDataDirectory.FromReadingContext(context),
StrongNameSignatureDirectory = ImageDataDirectory.FromReadingContext(context),
CodeManagerTableDirectory = ImageDataDirectory.FromReadingContext(context),
VTableFixupsDirectory = ImageDataDirectory.FromReadingContext(context),
ExportAddressTableJumpsDirectory = ImageDataDirectory.FromReadingContext(context),
ManagedNativeHeaderDirectory = ImageDataDirectory.FromReadingContext(context),
};
return(directory);
}
public void ImageDataDirectoryConstructorWorks_Test()
{
var dataDirectory = new ImageDataDirectory(new BufferFile(RawStructures.RawDataDirectory), 2);
Assert.Equal((uint)0x44332211, dataDirectory.VirtualAddress);
Assert.Equal(0x88776655, dataDirectory.Size);
}
public ImageNetDirectory()
{
MetadataDirectory = new ImageDataDirectory();
ResourcesDirectory = new ImageDataDirectory();
StrongNameSignatureDirectory = new ImageDataDirectory();
CodeManagerTableDirectory = new ImageDataDirectory();
VTableFixupsDirectory = new ImageDataDirectory();
ExportAddressTableJumpsDirectory = new ImageDataDirectory();
ManagedNativeHeaderDirectory = new ImageDataDirectory();
}
public ImageNetDirectory()
{
MetadataDirectory = new ImageDataDirectory();
ResourcesDirectory = new ImageDataDirectory();
StrongNameSignatureDirectory = new ImageDataDirectory();
CodeManagerTableDirectory = new ImageDataDirectory();
VTableFixupsDirectory = new ImageDataDirectory();
ExportAddressTableJumpsDirectory = new ImageDataDirectory();
ManagedNativeHeaderDirectory = new ImageDataDirectory();
}
internal ExportedFunctionsParser(
IRawFile peFile,
ImageExportDirectory?exportDirectory,
ImageSectionHeader[] sectionHeaders,
ImageDataDirectory exportDataDir
)
: base(peFile, 0)
{
_exportDirectory = exportDirectory;
_sectionHeaders = sectionHeaders;
_exportDataDir = exportDataDir;
}
public unsafe ISectionsResult Package(ISectionsInfo param)
{
var sectionDataStart = param.FileOffsetAtSectionsHeader + sizeof(SectionHeader) * (param.OtherSections.Count() + SpecialSectionCount);
var peFile = new MemoryStream
{
Position = sectionDataStart
};
var rva = 0x1000u;
var idataInfo = new IdataInfo(param.Imports, rva, param.FileAlignment);
var idataPackage = _idataPackager.Package(idataInfo);
var idataSection = WriteAndCreateHeader(peFile, idataPackage, param.FileAlignment, param.SectionAlignment, ref rva);
var textSection = WriteAndCreateHeader(peFile, param.TextSection, param.FileAlignment, param.SectionAlignment, ref rva);
var sectionHeaders = new List <SectionHeader>
{
idataSection,
textSection
};
foreach (var otherSection in param.OtherSections)
{
sectionHeaders.Add(WriteAndCreateHeader(peFile, otherSection, param.FileAlignment, param.SectionAlignment, ref rva));
}
var relocInfo = CreateRelocInfo(param, sectionHeaders);
var relocPackage = _relocPackager.Package(relocInfo);
var relocSection = WriteAndCreateHeader(peFile, relocPackage, param.FileAlignment, param.SectionAlignment, ref rva);
sectionHeaders.Add(relocSection);
var relocDataDirectory = new ImageDataDirectory
{
VirtualAddress = relocSection.VirtualAddress,
Size = relocPackage.RelocationDirectorySize
};
peFile.Position = param.FileOffsetAtSectionsHeader;
var structWriter = new StreamStructReaderWriter(peFile);
structWriter.WriteArray(sectionHeaders.ToArray());
Debug.Assert(peFile.Position <= sectionDataStart, "Section headers are writing into section data");
return(new SectionsResult(
peFile.ToArray().Skip((int)param.FileOffsetAtSectionsHeader).ToArray(),
sectionHeaders,
param.TextSection.EntryPointOffset + textSection.VirtualAddress,
idataPackage.IATResolver,
idataPackage.ImportDirectory,
idataPackage.IAT,
public static void Erase(NativeModuleWriter writer, ModuleDefMD module)
{
if (writer == null || module == null)
{
return;
}
List <Tuple <uint, uint, byte[]> > sections = new List <Tuple <uint, uint, byte[]> >();
MemoryStream s = new MemoryStream();
foreach (NativeModuleWriter.OrigSection origSect in writer.OrigSections)
{
var oldChunk = origSect.Chunk;
ImageSectionHeader sectHdr = origSect.PESection;
s.SetLength(0L);
oldChunk.WriteTo(new BinaryWriter(s));
byte[] buf = s.ToArray();
var newChunk = new BinaryReaderChunk(MemoryImageStream.Create(buf), oldChunk.GetVirtualSize());
newChunk.SetOffset(oldChunk.FileOffset, oldChunk.RVA);
origSect.Chunk = newChunk;
sections.Add(Tuple.Create <uint, uint, byte[]>(sectHdr.PointerToRawData, sectHdr.PointerToRawData + sectHdr.SizeOfRawData, buf));
}
var md = module.MetaData;
uint row = md.TablesStream.MethodTable.Rows;
for (uint i = 1u; i <= row; i += 1u)
{
RawMethodRow method = md.TablesStream.ReadMethodRow(i);
if ((method.ImplFlags & 3) == 0)
{
Erase(sections, (uint)md.PEImage.ToFileOffset((RVA)method.RVA));
}
}
ImageDataDirectory res = md.ImageCor20Header.Resources;
if (res.Size > 0u)
{
Erase(sections, (uint)res.StartOffset, res.Size);
}
Erase(sections, md.ImageCor20Header);
Erase(sections, md.MetaDataHeader);// md.MetadataHeader);
foreach (DotNetStream stream in md.AllStreams)
{
Erase(sections, stream);
}
}
public ResourceDirectoryBuilder(NetAssemblyBuilder builder, IOffsetConverter offsetConverter, ImageResourceDirectory rootDirectory)
{
if (builder == null)
throw new ArgumentNullException("builder");
if (offsetConverter == null)
throw new ArgumentNullException("offsetConverter");
if (rootDirectory == null)
throw new ArgumentNullException("rootDirectory");
_offsetConverter = offsetConverter;
_rootDirectory = rootDirectory;
_resourceDirectory = builder.Assembly.NtHeaders.OptionalHeader.DataDirectories[ImageDataDirectory.ResourceDirectoryIndex];
Segments.Add(_directoryTablesBuilder = new DirectoryTablesBuilder(_resourceDirectory, offsetConverter));
Segments.Add(_dataDirectoryTableBuilder = new DataDirectoryTablesBuilder(_dataTableBuilder, offsetConverter));
Segments.Add(_dataTableBuilder);
}
public SectionsResult(
byte[] rawData,
IReadOnlyList <SectionHeader> headers,
uint entryPointRVA,
IResolveIATEntries iatResolver,
ImageDataDirectory importTable,
ImageDataDirectory iat,
ImageDataDirectory debug,
ImageDataDirectory baseRelocationTable
)
{
RawData = rawData;
SectionHeaders = headers;
EntryPointRVA = entryPointRVA;
IATResolver = iatResolver;
ImportTable = importTable;
IAT = iat;
Debug = debug;
BaseRelocationTable = baseRelocationTable;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="reader">PE file reader pointing to the start of this section</param>
/// <param name="verify">Verify section</param>
/// <exception cref="BadImageFormatException">Thrown if verification fails</exception>
public ImageCor20Header(IImageStream reader, bool verify)
{
SetStartOffset(reader);
CB = reader.ReadUInt32();
if (verify && CB < 0x48)
{
throw new BadImageFormatException("Invalid IMAGE_COR20_HEADER.cb value");
}
MajorRuntimeVersion = reader.ReadUInt16();
MinorRuntimeVersion = reader.ReadUInt16();
MetaData = new ImageDataDirectory(reader, verify);
Flags = (ComImageFlags)reader.ReadUInt32();
EntryPointToken_or_RVA = reader.ReadUInt32();
Resources = new ImageDataDirectory(reader, verify);
StrongNameSignature = new ImageDataDirectory(reader, verify);
CodeManagerTable = new ImageDataDirectory(reader, verify);
VTableFixups = new ImageDataDirectory(reader, verify);
ExportAddressTableJumps = new ImageDataDirectory(reader, verify);
ManagedNativeHeader = new ImageDataDirectory(reader, verify);
SetEndoffset(reader);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="reader">PE file reader pointing to the start of this section</param>
/// <param name="verify">Verify section</param>
/// <exception cref="BadImageFormatException">Thrown if verification fails</exception>
public ImageCor20Header(ref DataReader reader, bool verify)
{
SetStartOffset(ref reader);
cb = reader.ReadUInt32();
if (verify && cb < 0x48)
{
throw new BadImageFormatException("Invalid IMAGE_COR20_HEADER.cb value");
}
majorRuntimeVersion = reader.ReadUInt16();
minorRuntimeVersion = reader.ReadUInt16();
metadata = new ImageDataDirectory(ref reader, verify);
flags = (ComImageFlags)reader.ReadUInt32();
entryPointToken_or_RVA = reader.ReadUInt32();
resources = new ImageDataDirectory(ref reader, verify);
strongNameSignature = new ImageDataDirectory(ref reader, verify);
codeManagerTable = new ImageDataDirectory(ref reader, verify);
vtableFixups = new ImageDataDirectory(ref reader, verify);
exportAddressTableJumps = new ImageDataDirectory(ref reader, verify);
managedNativeHeader = new ImageDataDirectory(ref reader, verify);
SetEndoffset(ref reader);
}
private static IntPtr GetModuleFunctionAddress(SafeProcessHandle processHandle, IntPtr moduleHandle, string functionName)
{
Interop.Kernel32.NtModuleInfo moduleInfo = GetModuleInfo(processHandle, moduleHandle);
ImageDataDirectory exportDirectory =
ReadExportDataDirectory(ReadPage(processHandle, moduleInfo.BaseOfDll), ImageDirectoryEntry.ImageDirectoryEntryExport);
var exportTable = new byte[exportDirectory.Size];
var exportTableAddress = moduleInfo.BaseOfDll + (int)exportDirectory.VirtualAddress;
if (!Interop.Kernel32.ReadProcessMemory(
processHandle,
exportTableAddress,
exportTable,
new UIntPtr((uint)exportTable.Length),
out UIntPtr bytesRead) || bytesRead.ToUInt32() != exportTable.Length)
{
throw new Win32Exception($"Cannot read export table at {exportTableAddress.ToInt64()}");
}
return(new IntPtr(moduleInfo.BaseOfDll.ToInt64() +
GetAddressFromExportTable(exportTable, exportDirectory.VirtualAddress, functionName).ToInt64()));
}
public ResourceDirectoryBuilder(NetAssemblyBuilder builder, IOffsetConverter offsetConverter, ImageResourceDirectory rootDirectory)
{
if (builder == null)
{
throw new ArgumentNullException("builder");
}
if (offsetConverter == null)
{
throw new ArgumentNullException("offsetConverter");
}
if (rootDirectory == null)
{
throw new ArgumentNullException("rootDirectory");
}
_offsetConverter = offsetConverter;
_rootDirectory = rootDirectory;
_resourceDirectory = builder.Assembly.NtHeaders.OptionalHeader.DataDirectories[ImageDataDirectory.ResourceDirectoryIndex];
Segments.Add(_directoryTablesBuilder = new DirectoryTablesBuilder(_resourceDirectory, offsetConverter));
Segments.Add(_dataDirectoryTableBuilder = new DataDirectoryTablesBuilder(_dataTableBuilder, offsetConverter));
Segments.Add(_dataTableBuilder);
}
private Task LoadPEInfo() {
return _loadingPeInfo ?? (_loadingPeInfo = _tasks.Start(() => {
// load PE data from working file
using (var reader = new BinaryReader(File.Open(WorkingCopy, FileMode.Open, FileAccess.Read, FileShare.Read))) {
// Skip DOS Header and seek to PE signature
if (reader.ReadUInt16() != 0x5A4D) {
IsPEFile.Value = false;
Is64BitPE.Value = false;
Is32BitPE.Value = false;
IsManaged.Value = false;
IsNative.Value = false;
Is32Bit.Value = false;
return;
}
reader.ReadBytes(58);
reader.BaseStream.Position = reader.ReadUInt32();
// Read "PE\0\0" signature
if (reader.ReadUInt32() != 0x00004550) {
IsPEFile.Value = false;
Is64BitPE.Value = false;
Is32BitPE.Value = false;
IsManaged.Value = false;
IsNative.Value = false;
Is32Bit.Value = false;
return;
}
// Read COFF header
CoffHeader = new ImageCoffHeader {
Machine = reader.ReadUInt16(),
NumberOfSections = reader.ReadUInt16(),
TimeDateStamp = reader.ReadUInt32(),
SymbolTablePointer = reader.ReadUInt32(),
NumberOfSymbols = reader.ReadUInt32(),
OptionalHeaderSize = reader.ReadUInt16(),
Characteristics = reader.ReadUInt16()
};
// Compute data sections offset
var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;
// Read NT-specific fields
NtHeader = new ImageOptionalHeaderNt();
NtHeader.Magic = reader.ReadUInt16();
NtHeader.MajorLinkerVersion = reader.ReadByte();
NtHeader.MinorLinkerVersion = reader.ReadByte();
NtHeader.SizeOfCode = reader.ReadUInt32();
NtHeader.SizeOfInitializedData = reader.ReadUInt32();
NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
NtHeader.AddressOfEntryPoint = reader.ReadUInt32();
NtHeader.BaseOfCode = reader.ReadUInt32();
// identify this as 64bit or 32bit binary
Is64BitPE.Value = NtHeader.Magic == 0x20b;
Is32BitPE.Value = NtHeader.Magic == 0x10b;
IsPEFile.Value = true;
if (Is32BitPE) {
NtHeader.BaseOfData_32bit = reader.ReadUInt32();
NtHeader.ImageBase_32bit = reader.ReadUInt32();
}
if (Is64BitPE) {
NtHeader.ImageBase_64bit = reader.ReadUInt64();
}
NtHeader.SectionAlignment = reader.ReadUInt32();
NtHeader.FileAlignment = reader.ReadUInt32();
NtHeader.OsMajor = reader.ReadUInt16();
NtHeader.OsMinor = reader.ReadUInt16();
NtHeader.UserMajor = reader.ReadUInt16();
NtHeader.UserMinor = reader.ReadUInt16();
NtHeader.SubSysMajor = reader.ReadUInt16();
NtHeader.SubSysMinor = reader.ReadUInt16();
NtHeader.Reserved = reader.ReadUInt32();
NtHeader.ImageSize = reader.ReadUInt32();
NtHeader.HeaderSize = reader.ReadUInt32();
NtHeader.FileChecksum = reader.ReadUInt32();
NtHeader.SubSystem = reader.ReadUInt16();
NtHeader.DllFlags = reader.ReadUInt16();
if (Is32BitPE) {
NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
NtHeader.StackCommitSize_32bit = reader.ReadUInt32();
NtHeader.HeapReserveSize_32bit = reader.ReadUInt32();
NtHeader.HeapCommitSize_32bit = reader.ReadUInt32();
}
if (Is64BitPE) {
NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
NtHeader.StackCommitSize_64bit = reader.ReadUInt64();
NtHeader.HeapReserveSize_64bit = reader.ReadUInt64();
NtHeader.HeapCommitSize_64bit = reader.ReadUInt64();
}
NtHeader.LoaderFlags = reader.ReadUInt32();
NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
if (NtHeader.NumberOfDataDirectories < 16) {
IsManaged.Value = false;
IsNative.Value = true;
Is32Bit.Value = Is32BitPE;
return;
}
// Read data directories
_exportTable = ReadDataDirectory(reader);
_importTable = ReadDataDirectory(reader);
_resourceTable = ReadDataDirectory(reader);
_exceptionTable = ReadDataDirectory(reader);
_certificateTable = ReadDataDirectory(reader);
_baseRelocationTable = ReadDataDirectory(reader);
_debug = ReadDataDirectory(reader);
_copyright = ReadDataDirectory(reader);
_globalPtr = ReadDataDirectory(reader);
_tlsTable = ReadDataDirectory(reader);
_loadConfigTable = ReadDataDirectory(reader);
_boundImport = ReadDataDirectory(reader);
_iat = ReadDataDirectory(reader);
_delayImportDescriptor = ReadDataDirectory(reader);
_runtimeHeader = ReadDataDirectory(reader);
_reserved = ReadDataDirectory(reader);
if (_runtimeHeader.Size == 0) {
IsManaged.Value = false;
IsNative.Value = true;
Is32Bit.Value = Is32BitPE;
return;
}
// Read data sections
reader.BaseStream.Position = dataSectionsOffset;
SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections];
for (var i = 0; i < SectionHeaders.Length; i++) {
reader.ReadBytes(12);
SectionHeaders[i].VirtualAddress = reader.ReadUInt32();
SectionHeaders[i].SizeOfRawData = reader.ReadUInt32();
SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
reader.ReadBytes(16);
}
// Read COR20 Header
reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
CorHeader = new ImageCor20Header {
Size = reader.ReadUInt32(),
MajorRuntimeVersion = reader.ReadUInt16(),
MinorRuntimeVersion = reader.ReadUInt16(),
MetaData = ReadDataDirectory(reader),
Flags = reader.ReadUInt32(),
EntryPointToken = reader.ReadUInt32(),
Resources = ReadDataDirectory(reader),
StrongNameSignature = ReadDataDirectory(reader),
CodeManagerTable = ReadDataDirectory(reader),
VTableFixups = ReadDataDirectory(reader),
ExportAddressTableJumps = ReadDataDirectory(reader)
};
// we got a CorHeader -- we must be managed.
IsManaged.Value = true;
IsNative.Value = false;
Is32Bit.Value = (CorHeader.Flags & 0x0002) != 0;
}
}));
}
public DirectoryTablesBuilder(ImageDataDirectory resourceDirectory, IOffsetConverter offsetConverter)
{
_resourceDirectory = resourceDirectory;
_offsetConverter = offsetConverter;
}
static void WriteDataDirectory(BinaryWriter writer, ImageDataDirectory dataDir)
{
writer.Write((uint)dataDir.VirtualAddress);
writer.Write(dataDir.Size);
}
bool IBinaryConverter <ImageDataDirectory> .Convert(ref ImageDataDirectory s, uint startOffset, uint size)
{
VirtualAddress = s.VirtualAddress;
Size = s.Size;
return(true);
}
public DirectoryTablesBuilder(ImageDataDirectory resourceDirectory, IOffsetConverter offsetConverter)
{
_resourceDirectory = resourceDirectory;
_offsetConverter = offsetConverter;
}
public IReadable Read()
{
var peHeaderReader = (PeHeaderReader) new PeHeaderReader(_filePath).Read();
ImportTableDirectory = peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.ImportTable
: peHeaderReader.PeHeader64.OptionalHeader.ImportTable;
var address = RvaToRawFormatConverter.RvaToOffset32(ImportTableDirectory.VirtualAddress,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
using var fs = new FileStream(_filePath, FileMode.Open, FileAccess.Read);
var br = new BinaryReader(fs);
fs.Seek(address, SeekOrigin.Begin);
while (true)
{
var importDescriptor = PeBlockToStructConverter.ConvertTo <ImportDescriptor>(br);
if (importDescriptor.OriginalFirstThunk == 0 &&
importDescriptor.ForwarderChain == 0 &&
importDescriptor.Name == 0 &&
importDescriptor.FirstThunk == 0)
{
break;
}
ImportTable.Add(importDescriptor);
}
for (var i = 0; i < ImportTable.Count; i++)
{
var importFunction = new ImportFunction();
// Getting DLL name
var dllNameAddress = RvaToRawFormatConverter.RvaToOffset32(ImportTable[i].Name,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var currentPosition = fs.Position;
importFunction.DllName = ByteArrayToAsciiStringConverter.ConvertToString(fs, dllNameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
importFunction.TimeDateStamp = TimeDateStampToDateTimeConverter.ConvertTimeDateStamp(ImportTable[i].TimeDateStamp);
var ilt = RvaToRawFormatConverter.RvaToOffset32(ImportTable[i].OriginalFirstThunk,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(ilt, SeekOrigin.Begin);
if (peHeaderReader.Is32BitPeHeader)
{
while (true)
{
var thunkData32 = PeBlockToStructConverter.ConvertTo <ThunkData32>(br);
if (thunkData32.Function == 0)
{
break;
}
var currentPosition2 = fs.Position;
if ((thunkData32.AddressOfData & (UInt32)1 << 31) == 0)
{
var functionAddress = RvaToRawFormatConverter.RvaToOffset32(thunkData32.Function,
peHeaderReader.SectionHeaders, peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment);
fs.Seek(functionAddress, SeekOrigin.Begin);
var hint = br.ReadUInt16();
var byteList = new List <Byte>();
while (true)
{
var b = br.ReadByte();
if (b == 0x00)
{
break;
}
byteList.Add(b);
}
var name = Encoding.ASCII.GetString(byteList.ToArray());
importFunction.Functions.Add(new ImportFunctionInfo()
{
Hint = hint,
Name = name
});
fs.Seek(currentPosition2, SeekOrigin.Begin);
}
else
{
importFunction.Functions.Add(new ImportFunctionInfo()
{
Name = null,
Ordinal64 = null,
Ordinal32 = (thunkData32.Ordinal & (((UInt32)1 << 31) - 1))
});
}
}
}
else
{
while (true)
{
var thunkData64 = PeBlockToStructConverter.ConvertTo <ThunkData64>(br);
if (thunkData64.Function == 0)
{
break;
}
var currentPosition2 = fs.Position;
if ((thunkData64.AddressOfData & ((UInt64)1 << 63)) == 0)
{
var functionAddress = RvaToRawFormatConverter.RvaToOffset64(thunkData64.Function,
peHeaderReader.SectionHeaders, peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(functionAddress, SeekOrigin.Begin);
var hint = br.ReadUInt16();
var byteList = new List <Byte>();
while (true)
{
var b = br.ReadByte();
if (b == 0x00)
{
break;
}
byteList.Add(b);
}
var name = Encoding.ASCII.GetString(byteList.ToArray());
importFunction.Functions.Add(new ImportFunctionInfo()
{
Hint = hint,
Name = name
});
fs.Seek(currentPosition2, SeekOrigin.Begin);
}
else
{
importFunction.Functions.Add(new ImportFunctionInfo()
{
Name = null,
Ordinal32 = null,
Ordinal64 = (thunkData64.Ordinal & (((UInt64)1 << 63) - 1))
});
}
}
}
ImportFunctions.Add(importFunction);
}
return(this);
}
public string[] ImportFunctionsGet(PEFile OpenPE)
{
if (this.m_asImports == null)
{
if (((OpenPE.DirectoryEntries == null) || (OpenPE.DirectoryEntries.Length < 1)) || (OpenPE.DirectoryEntries[1] == null))
{
return(null);
}
}
ImageDataDirectory directory = OpenPE.DirectoryEntries[1];
SafePointer field = (SafePointer)directory.GetField(ImageDataDirectory.Fields.VirtualAddress);
ArrayList list = new ArrayList();
if (field.Address != 0)
{
field = OpenPE.RVA2VA(field);
while (((((uint)field) != 0) && (((uint)(field + 12)) != 0))) // IDT
{
SafePointer rva = field;
rva.Address = (int)((uint)(field + 12)); // name of DLL
string str = (string)OpenPE.RVA2VA(rva);
/*
* Ollie
*/
SafePointer rva2 = field;
rva2.Address = (int)((uint)(field)); // ILT RVA
SafePointer field2;
field2 = OpenPE.RVA2VA(rva2); // get the ILT RVA pointed too address
while (((uint)(field2)) != 0u)
{
if (OpenPE.Is64Bit == false)
{
try
{
SafePointer rva3 = field2;
if (((int)((uint)(field2)) & 0x80000000) == 0x80000000) // ordinal
{
//Console.WriteLine("Ordinal");
//list.Add(str + " - Ordinal " + Convert.ToInt16((int)((uint)(field2))) );
}
else
{
rva3.Address = (int)((uint)(field2));
string str2 = (string)(OpenPE.RVA2VA(rva3) + 2);
//Console.WriteLine(str2.ToString());
if (list.Contains(str2) == false)
{
//list.Add(str2 + "(" + str +")");
list.Add(str2);
}
}
}
catch (SystemException exception)
{
throw (exception);
}
field2 += 4; // 32bit ILT
}
else
{
try
{
SafePointer rva3 = field2;
if (((int)((uint)(field2 + 4)) & 0x80000000) == 0x80000000) // ordinal
{
//Console.WriteLine("Ordinal");
//list.Add(str + " - Ordinal " + Convert.ToInt16((int)((uint)(field2))) );
}
else
{
rva3.Address = (int)((uint)(field2));
string str2 = (string)(OpenPE.RVA2VA(rva3) + 2);
//Console.WriteLine(str2.ToString());
if (list.Contains(str2) == false)
{
//list.Add(str + " - " + str2);
//list.Add(str2 + "(" + str + ")");
list.Add(str2);
}
}
}
catch (SystemException exception)
{
throw (exception);
}
field2 += 8; // 64bit ILT
}
}
field += 20; // IDT
}
}
list.Sort();
this.m_asImports = (string[])list.ToArray(typeof(string));
return(this.m_asImports);
}
static Dictionary <uint, MethodExportInfo> GetOffsetToExportInfoDictionary(ref DataReader reader, IPEImage peImage, ImageDataDirectory exportHdr, CpuArch cpuArch)
{
reader.Position = (uint)peImage.ToFileOffset(exportHdr.VirtualAddress);
// Skip Characteristics(4), TimeDateStamp(4), MajorVersion(2), MinorVersion(2), Name(4)
reader.Position += 16;
uint ordinalBase = reader.ReadUInt32();
int numFuncs = reader.ReadInt32();
int numNames = reader.ReadInt32();
uint offsetOfFuncs = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());
uint offsetOfNames = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());
uint offsetOfNameIndexes = (uint)peImage.ToFileOffset((RVA)reader.ReadUInt32());
var names = ReadNames(ref reader, peImage, numNames, offsetOfNames, offsetOfNameIndexes);
reader.Position = offsetOfFuncs;
var allInfos = new MethodExportInfo[numFuncs];
var dict = new Dictionary <uint, MethodExportInfo>(numFuncs);
for (int i = 0; i < allInfos.Length; i++)
{
var nextOffset = reader.Position + 4;
uint funcRva = 0;
var rva = (RVA)reader.ReadUInt32();
reader.Position = (uint)peImage.ToFileOffset(rva);
bool rvaValid = rva != 0 && cpuArch.TryGetExportedRvaFromStub(ref reader, peImage, out funcRva);
uint funcOffset = rvaValid ? (uint)peImage.ToFileOffset((RVA)funcRva) : 0;
var exportInfo = new MethodExportInfo((ushort)(ordinalBase + (uint)i));
if (funcOffset != 0)
{
dict[funcOffset] = exportInfo;
}
allInfos[i] = exportInfo;
reader.Position = nextOffset;
}
foreach (var info in names)
{
int index = info.Index;
if ((uint)index >= (uint)numFuncs)
{
continue;
}
allInfos[index].Ordinal = null;
allInfos[index].Name = info.Name;
}
return(dict);
}
public PeReader(string fPath)
{
try
{
m_fPath = fPath;
m_peImage = new PEImage(File.ReadAllBytes(fPath));
if (m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories.Length >= 14)
{
ImageDataDirectory DotNetDir = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
if (m_peImage.ToFileOffset(DotNetDir.VirtualAddress) != 0 && DotNetDir.Size >= 72)
{
m_cor20Header = new ImageCor20Header(m_peImage.CreateStream(m_peImage.ToFileOffset(DotNetDir.VirtualAddress), 0x48), false);
if (m_peImage.ToFileOffset(m_cor20Header.MetaData.VirtualAddress) != 0 && m_cor20Header.MetaData.Size >= 16)
{
m_isManaged = true;
uint mdSize = m_cor20Header.MetaData.Size;
RVA mdRva = m_cor20Header.MetaData.VirtualAddress;
MetaDataHeader mdHeader = new MetaDataHeader(m_peImage.CreateStream(m_peImage.ToFileOffset(mdRva), mdSize), false);
m_RunTimeVersion = mdHeader.VersionString;
}
}
}
if (m_isManaged == true)
{
ImageSectionHeader sect = m_peImage.ImageSectionHeaders.Where(f => f.DisplayName == ".rsrc").FirstOrDefault();
if ((sect != null))
{
ImageDataDirectory resourceTable = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[2];
if ((resourceTable != null))
{
uint rva = (uint)resourceTable.VirtualAddress;
uint size = sect.VirtualSize > 0 ? sect.VirtualSize : sect.SizeOfRawData;
if (rva >= (uint)sect.VirtualAddress && rva < (uint)sect.VirtualAddress + size)
{
Stream StreamRead = m_peImage.CreateFullStream().CreateStream();
long baseAddress = StreamRead.Seek(sect.PointerToRawData + (rva - (uint)sect.VirtualAddress), SeekOrigin.Begin);
ResourceDirectory dirInfo = new ResourceDirectory(StreamRead, baseAddress);
if ((dirInfo != null))
{
using (BinaryReader reader = new BinaryReader(StreamRead))
{
dirInfo.Read(reader, true, 0);
ResourceEntry IconGroup = null;
List <ResourceEntry> IconImages = new List <ResourceEntry>();
foreach (ResourceDirectory dir in dirInfo.Directorys)
{
if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_GROUP_ICON))
{
IconGroup = dir.GetFirstEntry();
break;
}
}
foreach (ResourceDirectory dir in dirInfo.Directorys)
{
if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_ICON))
{
IconImages = dir.GetAllEntrys();
IconImages.Reverse();
break;
}
}
if (IconGroup != null)
{
IconResource icon = new IconResource(StreamRead, IconGroup.DataAddress, sect.PointerToRawData, (uint)sect.VirtualAddress);
icon.Seek();
if (!icon.Read(reader, IconImages))
{
m_MainIcon = null;
}
m_MainIcon = icon.GetIcon(reader);
}
}
}
}
}
}
}
}
catch (Exception ex)
{
Interaction.MsgBox(ex);
}
}
private PEInfo(string filename) {
_filename = filename;
try {
IsPEBinary = true;
_executableInfo = new Lazy<ExecutableInfo>(() => {
var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native;
if (IsAny) {
result |= ExecutableInfo.any;
} else {
switch (CoffHeader.Machine) {
case 0x01c0:
result |= ExecutableInfo.arm;
break;
case 0x014c:
result |= ExecutableInfo.x86;
break;
case 0x0200:
result |= ExecutableInfo.ia64;
break;
case 0x8664:
result |= ExecutableInfo.x64;
break;
default:
throw new ClrPlusException("Unrecognized Executable Machine Type.");
}
}
return result;
});
_fileVersionInfo = new Lazy<FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename));
_fileVersionString =
new Lazy<string>(
() =>
string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart,
_fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart));
_fileVersionLong =
new Lazy<ulong>(
() =>
(((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) +
(((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart);
#if TODO
DependencyInformation = new CacheEnumerable<DependencyInformation>(DependencyInformationImpl);
#endif
using (var reader = new BinaryReader(File.OpenRead(_filename))) {
// Skip DOS Header and seek to PE signature
if (reader.ReadUInt16() != 0x5A4D) {
// Logger.Warning("File '{0}' does not have a valid PE Header", _filename);
throw new ClrPlusException("Invalid DOS header.", true);
}
reader.ReadBytes(58);
reader.BaseStream.Position = reader.ReadUInt32();
// Read "PE\0\0" signature
if (reader.ReadUInt32() != 0x00004550) {
throw new ClrPlusException("File is not a portable executable.");
}
// Read COFF header
CoffHeader = new ImageCoffHeader {
Machine = reader.ReadUInt16(),
NumberOfSections = reader.ReadUInt16(),
TimeDateStamp = reader.ReadUInt32(),
SymbolTablePointer = reader.ReadUInt32(),
NumberOfSymbols = reader.ReadUInt32(),
OptionalHeaderSize = reader.ReadUInt16(),
Characteristics = reader.ReadUInt16()
};
// Compute data sections offset
var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;
// Read NT-specific fields
NtHeader = new ImageOptionalHeaderNt();
NtHeader.Magic = reader.ReadUInt16();
NtHeader.MajorLinkerVersion = reader.ReadByte();
NtHeader.MinorLinkerVersion = reader.ReadByte();
NtHeader.SizeOfCode = reader.ReadUInt32();
NtHeader.SizeOfInitializedData = reader.ReadUInt32();
NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
NtHeader.AddressOfEntryPoint = reader.ReadUInt32();
NtHeader.BaseOfCode = reader.ReadUInt32();
if (Is32BitPE) {
NtHeader.BaseOfData_32bit = reader.ReadUInt32();
NtHeader.ImageBase_32bit = reader.ReadUInt32();
}
if (Is64BitPE) {
NtHeader.ImageBase_64bit = reader.ReadUInt64();
}
NtHeader.SectionAlignment = reader.ReadUInt32();
NtHeader.FileAlignment = reader.ReadUInt32();
NtHeader.OsMajor = reader.ReadUInt16();
NtHeader.OsMinor = reader.ReadUInt16();
NtHeader.UserMajor = reader.ReadUInt16();
NtHeader.UserMinor = reader.ReadUInt16();
NtHeader.SubSysMajor = reader.ReadUInt16();
NtHeader.SubSysMinor = reader.ReadUInt16();
NtHeader.Reserved = reader.ReadUInt32();
NtHeader.ImageSize = reader.ReadUInt32();
NtHeader.HeaderSize = reader.ReadUInt32();
NtHeader.FileChecksum = reader.ReadUInt32();
NtHeader.SubSystem = reader.ReadUInt16();
NtHeader.DllFlags = reader.ReadUInt16();
if (Is32BitPE) {
NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
NtHeader.StackCommitSize_32bit = reader.ReadUInt32();
NtHeader.HeapReserveSize_32bit = reader.ReadUInt32();
NtHeader.HeapCommitSize_32bit = reader.ReadUInt32();
}
if (Is64BitPE) {
NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
NtHeader.StackCommitSize_64bit = reader.ReadUInt64();
NtHeader.HeapReserveSize_64bit = reader.ReadUInt64();
NtHeader.HeapCommitSize_64bit = reader.ReadUInt64();
}
NtHeader.LoaderFlags = reader.ReadUInt32();
NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
if (NtHeader.NumberOfDataDirectories < 16) {
return;
}
// Read data directories
_exportTable = ReadDataDirectory(reader);
_importTable = ReadDataDirectory(reader);
_resourceTable = ReadDataDirectory(reader);
_exceptionTable = ReadDataDirectory(reader);
_certificateTable = ReadDataDirectory(reader);
_baseRelocationTable = ReadDataDirectory(reader);
_debug = ReadDataDirectory(reader);
_copyright = ReadDataDirectory(reader);
_globalPtr = ReadDataDirectory(reader);
_tlsTable = ReadDataDirectory(reader);
_loadConfigTable = ReadDataDirectory(reader);
_boundImport = ReadDataDirectory(reader);
_iat = ReadDataDirectory(reader);
_delayImportDescriptor = ReadDataDirectory(reader);
_runtimeHeader = ReadDataDirectory(reader);
_reserved = ReadDataDirectory(reader);
if (_runtimeHeader.Size == 0) {
return;
}
// Read data sections
reader.BaseStream.Position = dataSectionsOffset;
SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections];
for (var i = 0; i < SectionHeaders.Length; i++) {
reader.ReadBytes(12);
SectionHeaders[i].VirtualAddress = reader.ReadUInt32();
SectionHeaders[i].SizeOfRawData = reader.ReadUInt32();
SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
reader.ReadBytes(16);
}
// Read COR20 Header
reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
CorHeader = new ImageCor20Header {
Size = reader.ReadUInt32(),
MajorRuntimeVersion = reader.ReadUInt16(),
MinorRuntimeVersion = reader.ReadUInt16(),
MetaData = ReadDataDirectory(reader),
Flags = reader.ReadUInt32(),
EntryPointToken = reader.ReadUInt32(),
Resources = ReadDataDirectory(reader),
StrongNameSignature = ReadDataDirectory(reader),
CodeManagerTable = ReadDataDirectory(reader),
VTableFixups = ReadDataDirectory(reader),
ExportAddressTableJumps = ReadDataDirectory(reader)
};
}
} catch {
IsPEBinary = false;
}
}
public Directory(ImageDataDirectory dir, DataDirectoryType type)
: this(type, dir.VirtualAddress, dir.Size)
{
this._directory = dir;
}
public IReadable Read()
{
var peHeaderReader = (PeHeaderReader) new PeHeaderReader(_filePath).Read();
ExportTableDirectory = peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.ExportTable
: peHeaderReader.PeHeader64.OptionalHeader.ExportTable;
var address = RvaToRawFormatConverter.RvaToOffset32(ExportTableDirectory.VirtualAddress,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
using var fs = new FileStream(_filePath, FileMode.Open, FileAccess.Read);
var br = new BinaryReader(fs);
fs.Seek(address, SeekOrigin.Begin);
ExportTable = PeBlockToStructConverter.ConvertTo <ExportTable>(br);
var ordinalsTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfNameOrdinals,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var functionsTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfFunctions,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var namesTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfNames,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(functionsTableAddress, SeekOrigin.Begin);
for (UInt32 i = 0; i < ExportTable.NumberOfFunctions; i++)
{
var ordinal = ExportTable.Base + i;
var exportFunctionAddress = br.ReadUInt32();
ExportFunctions.Add(new ExportFunction()
{
Address = exportFunctionAddress,
Ordinal = (UInt16)ordinal
});
}
fs.Seek(namesTableAddress, SeekOrigin.Begin);
for (UInt32 i = 0; i < ExportTable.NumberOfNames; i++)
{
var nameRva = br.ReadUInt32();
var nameAddress = RvaToRawFormatConverter.RvaToOffset32(nameRva,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var currentPosition = fs.Position;
fs.Seek(ordinalsTableAddress + sizeof(UInt16) * i, SeekOrigin.Begin);
var ordinalIndex = br.ReadUInt16();
fs.Seek(currentPosition, SeekOrigin.Begin);
String name = ByteArrayToAsciiStringConverter.ConvertToString(fs, nameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
if (RedirectionRva(ExportFunctions[ordinalIndex].Address))
{
var redirectionNameAddress = RvaToRawFormatConverter.RvaToOffset32(ExportFunctions[ordinalIndex].Address,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
String redirectionName = ByteArrayToAsciiStringConverter.ConvertToString(fs, redirectionNameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
ExportFunctions[ordinalIndex].Name = null;
ExportFunctions[ordinalIndex].RedirectionName = redirectionName;
}
else
{
ExportFunctions[ordinalIndex].Name = name;
}
}
return(this);
}
private PEInfo(string filename)
{
_filename = filename;
try {
IsPEBinary = true;
_executableInfo = new Lazy <ExecutableInfo>(() => {
var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native;
if (IsAny)
{
result |= ExecutableInfo.any;
}
else
{
switch (CoffHeader.Machine)
{
case 0x01c0:
result |= ExecutableInfo.arm;
break;
case 0x014c:
result |= ExecutableInfo.x86;
break;
case 0x0200:
result |= ExecutableInfo.ia64;
break;
case 0x8664:
result |= ExecutableInfo.x64;
break;
default:
throw new ClrPlusException("Unrecognized Executable Machine Type.");
}
}
return(result);
});
_fileVersionInfo = new Lazy <FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename));
_fileVersionString =
new Lazy <string>(
() =>
string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart,
_fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart));
_fileVersionLong =
new Lazy <ulong>(
() =>
(((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) +
(((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart);
#if TODO
DependencyInformation = new CacheEnumerable <DependencyInformation>(DependencyInformationImpl);
#endif
using (var reader = new BinaryReader(File.OpenRead(_filename))) {
// Skip DOS Header and seek to PE signature
if (reader.ReadUInt16() != 0x5A4D)
{
// Logger.Warning("File '{0}' does not have a valid PE Header", _filename);
throw new ClrPlusException("Invalid DOS header.", true);
}
reader.ReadBytes(58);
reader.BaseStream.Position = reader.ReadUInt32();
// Read "PE\0\0" signature
if (reader.ReadUInt32() != 0x00004550)
{
throw new ClrPlusException("File is not a portable executable.");
}
// Read COFF header
CoffHeader = new ImageCoffHeader {
Machine = reader.ReadUInt16(),
NumberOfSections = reader.ReadUInt16(),
TimeDateStamp = reader.ReadUInt32(),
SymbolTablePointer = reader.ReadUInt32(),
NumberOfSymbols = reader.ReadUInt32(),
OptionalHeaderSize = reader.ReadUInt16(),
Characteristics = reader.ReadUInt16()
};
// Compute data sections offset
var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize;
// Read NT-specific fields
NtHeader = new ImageOptionalHeaderNt();
NtHeader.Magic = reader.ReadUInt16();
NtHeader.MajorLinkerVersion = reader.ReadByte();
NtHeader.MinorLinkerVersion = reader.ReadByte();
NtHeader.SizeOfCode = reader.ReadUInt32();
NtHeader.SizeOfInitializedData = reader.ReadUInt32();
NtHeader.SizeOfUninitializedData = reader.ReadUInt32();
NtHeader.AddressOfEntryPoint = reader.ReadUInt32();
NtHeader.BaseOfCode = reader.ReadUInt32();
if (Is32BitPE)
{
NtHeader.BaseOfData_32bit = reader.ReadUInt32();
NtHeader.ImageBase_32bit = reader.ReadUInt32();
}
if (Is64BitPE)
{
NtHeader.ImageBase_64bit = reader.ReadUInt64();
}
NtHeader.SectionAlignment = reader.ReadUInt32();
NtHeader.FileAlignment = reader.ReadUInt32();
NtHeader.OsMajor = reader.ReadUInt16();
NtHeader.OsMinor = reader.ReadUInt16();
NtHeader.UserMajor = reader.ReadUInt16();
NtHeader.UserMinor = reader.ReadUInt16();
NtHeader.SubSysMajor = reader.ReadUInt16();
NtHeader.SubSysMinor = reader.ReadUInt16();
NtHeader.Reserved = reader.ReadUInt32();
NtHeader.ImageSize = reader.ReadUInt32();
NtHeader.HeaderSize = reader.ReadUInt32();
NtHeader.FileChecksum = reader.ReadUInt32();
NtHeader.SubSystem = reader.ReadUInt16();
NtHeader.DllFlags = reader.ReadUInt16();
if (Is32BitPE)
{
NtHeader.StackReserveSize_32bit = reader.ReadUInt32();
NtHeader.StackCommitSize_32bit = reader.ReadUInt32();
NtHeader.HeapReserveSize_32bit = reader.ReadUInt32();
NtHeader.HeapCommitSize_32bit = reader.ReadUInt32();
}
if (Is64BitPE)
{
NtHeader.StackReserveSize_64bit = reader.ReadUInt64();
NtHeader.StackCommitSize_64bit = reader.ReadUInt64();
NtHeader.HeapReserveSize_64bit = reader.ReadUInt64();
NtHeader.HeapCommitSize_64bit = reader.ReadUInt64();
}
NtHeader.LoaderFlags = reader.ReadUInt32();
NtHeader.NumberOfDataDirectories = reader.ReadUInt32();
if (NtHeader.NumberOfDataDirectories < 16)
{
return;
}
// Read data directories
_exportTable = ReadDataDirectory(reader);
_importTable = ReadDataDirectory(reader);
_resourceTable = ReadDataDirectory(reader);
_exceptionTable = ReadDataDirectory(reader);
_certificateTable = ReadDataDirectory(reader);
_baseRelocationTable = ReadDataDirectory(reader);
_debug = ReadDataDirectory(reader);
_copyright = ReadDataDirectory(reader);
_globalPtr = ReadDataDirectory(reader);
_tlsTable = ReadDataDirectory(reader);
_loadConfigTable = ReadDataDirectory(reader);
_boundImport = ReadDataDirectory(reader);
_iat = ReadDataDirectory(reader);
_delayImportDescriptor = ReadDataDirectory(reader);
_runtimeHeader = ReadDataDirectory(reader);
_reserved = ReadDataDirectory(reader);
if (_runtimeHeader.Size == 0)
{
return;
}
// Read data sections
reader.BaseStream.Position = dataSectionsOffset;
SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections];
for (var i = 0; i < SectionHeaders.Length; i++)
{
reader.ReadBytes(12);
SectionHeaders[i].VirtualAddress = reader.ReadUInt32();
SectionHeaders[i].SizeOfRawData = reader.ReadUInt32();
SectionHeaders[i].PointerToRawData = reader.ReadUInt32();
reader.ReadBytes(16);
}
// Read COR20 Header
reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva);
CorHeader = new ImageCor20Header {
Size = reader.ReadUInt32(),
MajorRuntimeVersion = reader.ReadUInt16(),
MinorRuntimeVersion = reader.ReadUInt16(),
MetaData = ReadDataDirectory(reader),
Flags = reader.ReadUInt32(),
EntryPointToken = reader.ReadUInt32(),
Resources = ReadDataDirectory(reader),
StrongNameSignature = ReadDataDirectory(reader),
CodeManagerTable = ReadDataDirectory(reader),
VTableFixups = ReadDataDirectory(reader),
ExportAddressTableJumps = ReadDataDirectory(reader)
};
}
} catch {
IsPEBinary = false;
}
}
