Exemple #1
0
        /// <summary>Construct a new instance of the PortableExecutable class using a raw data buffer</summary>
        /// <param name="data">An array of bytes containing a Portable Executable Image file</param>
        public PortableExecutable(byte[] data)
            : base(data)
        {
            string            error     = string.Empty;
            IMAGE_NT_HEADER32 tempNtHd  = default(IMAGE_NT_HEADER32);
            IMAGE_DOS_HEADER  tempDosHd = default(IMAGE_DOS_HEADER);

            if (Read(out tempDosHd) && tempDosHd.e_magic == Constants.DOS_SIGNATURE)                                                    //first check, DOS header ('MZ')
            {
                if (Read(tempDosHd.e_lfanew, System.IO.SeekOrigin.Begin, out tempNtHd) && tempNtHd.Signature == Constants.NT_SIGNATURE) //Next, the NT header ("PE\0\0" sig)
                {
                    if (tempNtHd.OptionalHeader.Magic == Constants.PE32_FORMAT)                                                         //check to make sure only x86 images are allowed.
                    {
                        if (tempNtHd.OptionalHeader.DataDirectory[(int)DATA_DIRECTORIES.CLRRuntimeHeader].Size > 0)                     //check for a CLR header, .NET dependencies require the .NET framework to be loaded, and cbf doing that.
                        {
                            error = "Image contains a CLR runtime header. Currently only native binaries are supported; no .NET dependent libraries.";
                        }
                    }
                    else
                    {
                        error = "File is of the PE32+ format. Currently support only extends to PE32 images. Either recompile the binary as x86, or choose a different target.";
                    }
                }
                else
                {
                    error = "Invalid NT header found in image.";
                }
            }
            else
            {
                error = "Invalid DOS Header found in image";
            }

            if (string.IsNullOrEmpty(error))
            {
                this.NTHeader  = tempNtHd;
                this.DOSHeader = tempDosHd;
            }
            else
            {
                Dispose();
                throw new ArgumentException(error);
            }
        }
Exemple #2
0
        public PortableExecutable(byte[] data) : base(data)
        {
            string            str              = string.Empty;
            IMAGE_NT_HEADER32 result           = new IMAGE_NT_HEADER32();
            IMAGE_DOS_HEADER  image_dos_header = new IMAGE_DOS_HEADER();

            if (base.Read <IMAGE_DOS_HEADER>(out image_dos_header) && (image_dos_header.e_magic == 0x5a4d))
            {
                if (base.Read <IMAGE_NT_HEADER32>((long)image_dos_header.e_lfanew, SeekOrigin.Begin, out result) && (result.Signature == 0x4550L))
                {
                    if (result.OptionalHeader.Magic == 0x10b)
                    {
                        if (result.OptionalHeader.DataDirectory[14].Size > 0)
                        {
                            str = "Image contains a CLR runtime header. Currently only native binaries are supported; no .NET dependent libraries.";
                        }
                    }
                    else
                    {
                        str = "File is of the PE32+ format. Currently support only extends to PE32 images. Either recompile the binary as x86, or choose a different target.";
                    }
                }
                else
                {
                    str = "Invalid NT header found in image.";
                }
            }
            else
            {
                str = "Invalid DOS Header found in image";
            }
            if (string.IsNullOrEmpty(str))
            {
                this.NTHeader  = result;
                this.DOSHeader = image_dos_header;
            }
            else
            {
                base.Dispose();
                throw new ArgumentException(str);
            }
        }
Exemple #3
0
        public PortableExecutable(byte[] data) : base(data)
        {
            string            text      = string.Empty;
            IMAGE_NT_HEADER32 nTHeader  = default(IMAGE_NT_HEADER32);
            IMAGE_DOS_HEADER  dOSHeader = default(IMAGE_DOS_HEADER);

            if (base.Read <IMAGE_DOS_HEADER>(out dOSHeader) && dOSHeader.e_magic == 23117)
            {
                if (base.Read <IMAGE_NT_HEADER32>((long)((ulong)dOSHeader.e_lfanew), SeekOrigin.Begin, out nTHeader) && (long)nTHeader.Signature == 17744L)
                {
                    if (nTHeader.OptionalHeader.Magic == 267)
                    {
                        if (nTHeader.OptionalHeader.DataDirectory[14].Size > 0u)
                        {
                            text = "Image contains a CLR runtime header. Currently only native binaries are supported; no .NET dependent libraries.";
                        }
                    }
                    else
                    {
                        text = "File is of the PE32+ format. Currently support only extends to PE32 images. Either recompile the binary as x86, or choose a different target.";
                    }
                }
                else
                {
                    text = "Invalid NT header found in image.";
                }
            }
            else
            {
                text = "Invalid DOS Header found in image";
            }
            if (string.IsNullOrEmpty(text))
            {
                this.NTHeader  = nTHeader;
                this.DOSHeader = dOSHeader;
                return;
            }
            base.Dispose();
            throw new ArgumentException(text);
        }