// http://msdn.microsoft.com/en-us/library/windows/desktop/ms680341(v=vs.85).aspx private void ParseImageSectionHeader() { var header = FromBinaryReader <IMAGE_SECTION_HEADER>(Reader); SectionHeaders.Add(header); LogStructure(header); Reader.BaseStream.Seek(-4, SeekOrigin.Current); // The f**k? Why is this needed? }
public ElfFile(MemoryStream stream) { //load main file header ElfHeader = new Elf32Ehdr((Elf32_Ehdr *)stream.Pointer); //load section headers var header = (Elf32_Shdr *)(stream.Pointer + ElfHeader.Shoff); for (int i = 0; i < ElfHeader.Shnum; i++) { var x = new Elf32Shdr(&header[i]); if (x.Type == SectionType.StringTable) { _stringTables.Add(x.Offset); } SectionHeaders.Add(x); } //now we can load names into symbols and process sub data for (var index = 0; index < SectionHeaders.Count; index++) { var sectionHeader = SectionHeaders[index]; sectionHeader.Name = ResolveName(sectionHeader, sectionHeader.NameOffset, stream); switch (sectionHeader.Type) { case SectionType.Relocation: for (int i = 0; i < sectionHeader.Size / sectionHeader.Entsize; i++) { RelocationInformation.Add(new Elf32Rel( (Elf32_Rel *)(stream.Pointer + sectionHeader.Offset + i * sectionHeader.Entsize)) { Section = index }); } break; case SectionType.SymbolTable: for (int i = 0; i < sectionHeader.Size / sectionHeader.Entsize; i++) { var x = new Elf32Sym( (Elf32_Sym *)(stream.Pointer + sectionHeader.Offset + i * sectionHeader.Entsize)); x.Name = ResolveName(sectionHeader, x.NameOffset, stream); Symbols.Add(x); } break; } } }
private bool ReadFromStream(BinaryReader r) { DosHeader = ReadDosHeader(r); if (DosHeader.e_magic != (int)ImageSignatureTypes.IMAGE_DOS_SIGNATURE) { r.Close(); return(false); } r.BaseStream.Seek((long)DosHeader.e_lfanew, SeekOrigin.Begin); NTHeader = ReadNTHeader(r); if (NTHeader.Signature != (int)ImageSignatureTypes.IMAGE_NT_SIGNATURE) { r.Close(); return(false); } { uint maxpointer = 0; uint exesize = 0; for (int i = 0; i < NTHeader.FileHeader.NumberOfSections; ++i) { IMAGE_SECTION_HEADER data = new IMAGE_SECTION_HEADER(); { data.NameBytes = r.ReadBytes(8); data.PhysicalAddress = r.ReadUInt32(); data.VirtualAddress = r.ReadUInt32(); data.SizeOfRawData = r.ReadUInt32(); data.PointerToRawData = r.ReadUInt32(); data.PointerToRelocations = r.ReadUInt32(); data.PointerToLinenumbers = r.ReadUInt32(); data.NumberOfRelocations = r.ReadUInt16(); data.NumberOfLinenumbers = r.ReadUInt16(); data.Characteristics = r.ReadUInt32(); } if (data.PointerToRawData > maxpointer) { maxpointer = data.PointerToRawData; exesize = data.PointerToRawData + data.SizeOfRawData; } SectionHeaders.Add(data); } this.FileSize = exesize; } return(true); }
public void Parse(BinaryReader reader) { DOSHeader = DOSHeader.Parse(reader); var dosStubSize = (int)(DOSHeader.CoffHeaderOffset - reader.BaseStream.Position); _dosStubBytes = reader.ReadBytes(dosStubSize); COFFHeader = COFFHeader.Parse(reader); PEHeaderOffset = (uint)reader.BaseStream.Position; PEHeader = PEHeader.Parse(reader); for (var i = 0; i < COFFHeader.NumberOfSections; i++) { SectionHeaders.Add(PESectionHeader.Parse(reader)); } var fillerSize = (int)(SectionHeaders[0].PointerToRawData - reader.BaseStream.Position); _filler = reader.ReadBytes(fillerSize); for (var i = 0; i < COFFHeader.NumberOfSections; i++) { var sectionBytes = reader.ReadBytes((int)SectionHeaders[i].SizeOfRawData); Sections.Add(sectionBytes); } var remainingByteCount = (int)(reader.BaseStream.Length - reader.BaseStream.Position); _remainingBytes = reader.ReadBytes(remainingByteCount); // file ends here // Parse Import Directory: var importDirectoryEntry = PEHeader.DataDirectories[(int)DataDirectoryName.Import]; if (importDirectoryEntry.VirtualAddress > 0) { var importDirectoryFileOffset = GetOffsetFromRVA(importDirectoryEntry.VirtualAddress); reader.BaseStream.Seek(importDirectoryFileOffset, SeekOrigin.Begin); ImportDirectory = ImportDirectory.Parse(reader); } }