private static void Load(IBinaryAccessor accessor, PEImage image, DelayImportTable table)
{
while (true)
{
var module = DelayImportModuleTable.Load(accessor, image);
if (module == null)
{
break;
}
module._parent = table;
table._list.Add(module);
}
}
public static ResourceTable Load(PEImage image)
{
if (image == null)
{
return(null);
}
var dd = image.Directories[DataDirectories.ResourceTable];
if (dd.IsNull)
{
return(null);
}
using (var accessor = image.OpenImageToSectionData(dd.RVA))
{
var table = new ResourceTable(image);
Load(accessor, table, accessor.Position);
return(table);
}
}
public static DelayImportTable Load(PEImage image)
{
if (image == null)
{
return(null);
}
var dd = image.Directories[DataDirectories.DelayImportDescriptor];
if (dd.IsNull)
{
return(null);
}
var table = new DelayImportTable();
using (var accessor = image.OpenImageToSectionData(dd.RVA))
{
Load(accessor, image, table);
}
return(table);
}
internal static unsafe DelayImportModuleTable Load(IBinaryAccessor accessor, PEImage image)
{
DelayImportTableHeader header;
fixed(byte *pBuff = accessor.ReadBytes(sizeof(DelayImportTableHeader)))
{
header = *(DelayImportTableHeader *)pBuff;
}
if (header.Name == 0 || header.DelayImportAddressTable == 0)
{
return(null);
}
// Save position
long position = accessor.Position;
var module = new DelayImportModuleTable();
module._moduleHandleRVA = header.ModuleHandle;
// Dll name
accessor.Position = image.ResolvePositionToSectionData(header.Name);
module._dllName = accessor.ReadNullTerminatedString(Encoding.ASCII);
// DelayImportAddressTable
accessor.Position = image.ResolvePositionToSectionData(header.DelayImportAddressTable);
var funcRVAList = new List <uint>();
while (true)
{
uint funcRVA = accessor.ReadUInt32();
if (funcRVA == 0)
{
break;
}
funcRVAList.Add(funcRVA);
}
accessor.Position = image.ResolvePositionToSectionData(header.DelayImportNameTable);
if (image.Is32Bits)
{
var entryDataList = new List <uint>();
for (int i = 0; i < funcRVAList.Count; i++)
{
entryDataList.Add(accessor.ReadUInt32());
}
for (int i = 0; i < funcRVAList.Count; i++)
{
uint funcRVA = funcRVAList[i];
uint entryData = entryDataList[i];
string name = null;
int ordinal;
if ((entryData & 0x80000000) != 0)
{
// DelayImport by ordinal.
ordinal = (int)(entryData & 0x7fffffff);
}
else
{
// DelayImport by name.
uint hintNameRVA = (entryData & 0x7fffffff);
accessor.Position = image.ResolvePositionToSectionData(hintNameRVA);
ordinal = accessor.ReadUInt16();
name = accessor.ReadNullTerminatedString(Encoding.ASCII);
}
var entry = new DelayImportEntry(funcRVA, name, ordinal);
entry._parent = module;
module._list.Add(entry);
}
}
else
{
var entryDataList = new List <ulong>();
for (int i = 0; i < funcRVAList.Count; i++)
{
entryDataList.Add(accessor.ReadUInt64());
}
for (int i = 0; i < funcRVAList.Count; i++)
{
uint funcRVA = funcRVAList[i];
ulong entryData = entryDataList[i];
string name = null;
int ordinal;
if ((entryData & 0x8000000000000000) != 0)
{
// Import by ordinal.
ordinal = (int)(entryData & 0x7fffffffffffffff);
}
else
{
// Import by name.
uint hintNameRVA = (uint)(entryData & 0x7fffffffffffffff);
accessor.Position = image.ResolvePositionToSectionData(hintNameRVA);
ordinal = accessor.ReadUInt16();
name = accessor.ReadNullTerminatedString(Encoding.ASCII);
}
var entry = new DelayImportEntry(funcRVA, name, ordinal);
entry._parent = module;
module._list.Add(entry);
}
}
// Restore position
accessor.Position = position;
return(module);
}
public static unsafe LoadConfigInfo Load(PEImage image)
{
if (image == null)
{
return(null);
}
var dd = image.Directories[DataDirectories.LoadConfigTable];
if (dd.IsNull)
{
return(null);
}
var info = new LoadConfigInfo();
using (var accessor = image.OpenImageToSectionData(dd.RVA))
{
if (image.Is32Bits)
{
fixed(byte *pBuff = accessor.ReadBytes(sizeof(LoadConfigHeader32)))
{
var header = *(LoadConfigHeader32 *)pBuff;
info._characteristics = header.Characteristics;
info._timeDateStamp = ConvertUtils.ToDateTime(header.TimeDateStamp);
info._majorVersion = header.MajorVersion;
info._minorVersion = header.MinorVersion;
info._globalFlagsClear = header.GlobalFlagsClear;
info._globalFlagsSet = header.GlobalFlagsSet;
info._criticalSectionDefaultTimeout = header.CriticalSectionDefaultTimeout;
info._deCommitFreeBlockThreshold = header.DeCommitFreeBlockThreshold;
info._deCommitTotalFreeThreshold = header.DeCommitTotalFreeThreshold;
info._lockPrefixTable = header.LockPrefixTable;
info._maximumAllocationSize = header.MaximumAllocationSize;
info._virtualMemoryThreshold = header.VirtualMemoryThreshold;
info._processAffinityMask = header.ProcessAffinityMask;
info._processHeapFlags = header.ProcessHeapFlags;
info._CSDVersion = header.CSDVersion;
info._reserved1 = header.Reserved1;
info._editList = header.EditList;
info._securityCookie = header.SecurityCookie;
info._SEHandlerTable = header.SEHandlerTable;
info._SEHandlerCount = header.SEHandlerCount;
}
}
else
{
fixed(byte *pBuff = accessor.ReadBytes(sizeof(LoadConfigHeader64)))
{
var header = *(LoadConfigHeader64 *)pBuff;
info._characteristics = header.Characteristics;
info._timeDateStamp = ConvertUtils.ToDateTime(header.TimeDateStamp);
info._majorVersion = header.MajorVersion;
info._minorVersion = header.MinorVersion;
info._globalFlagsClear = header.GlobalFlagsClear;
info._globalFlagsSet = header.GlobalFlagsSet;
info._criticalSectionDefaultTimeout = header.CriticalSectionDefaultTimeout;
info._deCommitFreeBlockThreshold = header.DeCommitFreeBlockThreshold;
info._deCommitTotalFreeThreshold = header.DeCommitTotalFreeThreshold;
info._lockPrefixTable = header.LockPrefixTable;
info._maximumAllocationSize = header.MaximumAllocationSize;
info._virtualMemoryThreshold = header.VirtualMemoryThreshold;
info._processAffinityMask = header.ProcessAffinityMask;
info._processHeapFlags = header.ProcessHeapFlags;
info._CSDVersion = header.CSDVersion;
info._reserved1 = header.Reserved1;
info._editList = header.EditList;
info._securityCookie = header.SecurityCookie;
info._SEHandlerTable = header.SEHandlerTable;
info._SEHandlerCount = header.SEHandlerCount;
}
}
}
return(info);
}
public ResourceTable(PEImage image)
{
_image = image;
}
private static unsafe void Load(IBinaryAccessor accessor, PEImage image, ExportTable table)
{
ExportTableHeader header;
fixed(byte *pBuff = accessor.ReadBytes(sizeof(ExportTableHeader)))
{
header = *(ExportTableHeader *)pBuff;
}
table._ordinalBase = (int)header.Base;
table._timeDateStamp = ConvertUtils.ToDateTime(header.TimeDateStamp);
// Name
accessor.Position = image.ResolvePositionToSectionData(header.Name);
table._dllName = accessor.ReadNullTerminatedString(Encoding.ASCII);
if (header.AddressOfFunctions != 0)
{
// Export Address Table
accessor.Position = image.ResolvePositionToSectionData(header.AddressOfFunctions);
uint[] arrayOfExportRVA = new uint[header.NumberOfFunctions];
for (int i = 0; i < header.NumberOfFunctions; i++)
{
arrayOfExportRVA[i] = accessor.ReadUInt32();
}
// Name pointer table
accessor.Position = image.ResolvePositionToSectionData(header.AddressOfNames);
uint[] arrayOfNameRVA = new uint[header.NumberOfNames];
for (int i = 0; i < header.NumberOfNames; i++)
{
arrayOfNameRVA[i] = accessor.ReadUInt32();
}
// Ordinal table
accessor.Position = image.ResolvePositionToSectionData(header.AddressOfNameOrdinals);
ushort[] arrayOfOrdinals = new ushort[header.NumberOfNames];
for (int i = 0; i < header.NumberOfNames; i++)
{
arrayOfOrdinals[i] = accessor.ReadUInt16();
}
// Read names and map against export rva
string[] names = new string[header.NumberOfFunctions];
for (int i = 0; i < header.NumberOfNames; i++)
{
accessor.Position = image.ResolvePositionToSectionData(arrayOfNameRVA[i]);
string name = accessor.ReadNullTerminatedString(Encoding.ASCII);
int ordinal = arrayOfOrdinals[i];
names[ordinal] = name;
}
var exportDirectory = image.Directories[DataDirectories.ExportTable];
// Build entries
for (int i = 0; i < header.NumberOfFunctions; i++)
{
uint exportRVA = arrayOfExportRVA[i];
string name = names[i];
ExportEntry entry;
// Each entry in the export address table is a field that uses one of two formats in the
// following table. If the address specified is not within the export section (as defined
// by the address and length that are indicated in the optional header), the field is an
// export RVA, which is an actual address in code or data. Otherwise, the field is a
// forwarder RVA, which names a symbol in another DLL.
if (exportDirectory.Contains(exportRVA))
{
accessor.Position = image.ResolvePositionToSectionData(exportRVA);
string forwarder = accessor.ReadNullTerminatedString(Encoding.ASCII);
entry = new ExportForwarderEntry(name, forwarder);
}
else
{
entry = new ExportRVAEntry(name, exportRVA);
}
entry._parent = table;
table._list.Add(entry);
}
}
}
internal static unsafe ImportModuleTable Load(IBinaryAccessor accessor, PEImage image)
{
ImportTableHeader header;
fixed(byte *pBuff = accessor.ReadBytes(sizeof(ImportTableHeader)))
{
header = *(ImportTableHeader *)pBuff;
}
if (header.Name == 0 || (header.ImportLookupTableRVA == 0 && header.ImportAddressTableRVA == 0))
{
return(null);
}
// Save position
long position = accessor.Position;
var module = new ImportModuleTable();
module._forwarderChain = header.ForwarderChain;
// Dll name
accessor.Position = image.ResolvePositionToSectionData(header.Name);
module._dllName = accessor.ReadNullTerminatedString(Encoding.ASCII);
// Set RVA to ImportLookupTable or ImportAddressTable. Both tables are equivalent.
if (header.ImportLookupTableRVA != 0)
{
accessor.Position = image.ResolvePositionToSectionData(header.ImportLookupTableRVA);
}
else
{
accessor.Position = image.ResolvePositionToSectionData(header.ImportAddressTableRVA);
}
if (image.Is32Bits)
{
// Read IMAGE_THUNK_DATA32 structures
var thunkDataList = new List <uint>();
while (true)
{
uint entryData = accessor.ReadUInt32();
if (entryData == 0)
{
break;
}
thunkDataList.Add(entryData);
}
foreach (uint thunkData in thunkDataList)
{
string name = null;
int ordinal;
if ((thunkData & 0x80000000) != 0)
{
// Import by ordinal.
ordinal = (int)(thunkData & 0x7fffffff);
}
else
{
// Import by name.
uint hintNameRVA = (thunkData & 0x7fffffff);
accessor.Position = image.ResolvePositionToSectionData(hintNameRVA);
ordinal = accessor.ReadUInt16();
name = accessor.ReadNullTerminatedString(Encoding.ASCII);
}
var entry = new ImportEntry(name, ordinal);
entry._parent = module;
module._list.Add(entry);
}
}
else
{
// Read IMAGE_THUNK_DATA64 structures
var thunkDataList = new List <ulong>();
while (true)
{
ulong entryData = accessor.ReadUInt64();
if (entryData == 0)
{
break;
}
thunkDataList.Add(entryData);
}
foreach (ulong thunkData in thunkDataList)
{
string name = null;
int ordinal;
if ((thunkData & 0x8000000000000000) != 0)
{
// Import by ordinal.
ordinal = (int)(thunkData & 0x7fffffffffffffff);
}
else
{
// Import by name.
uint hintNameRVA = (uint)(thunkData & 0x7fffffffffffffff);
accessor.Position = image.ResolvePositionToSectionData(hintNameRVA);
ordinal = accessor.ReadUInt16();
name = accessor.ReadNullTerminatedString(Encoding.ASCII);
}
var entry = new ImportEntry(name, ordinal);
entry._parent = module;
module._list.Add(entry);
}
}
// Restore position
accessor.Position = position;
return(module);
}