public static bool HasMagicHeader(byte[] buff)
{
try
{
IMAGE_DOS_HEADER imageDosHeader = new IMAGE_DOS_HEADER(buff, 0);
return(imageDosHeader.e_magic == 0x5a4d);
}
catch (Exception)
{
return(false);
}
}
/// <summary>
/// Tests is a file is a PE file based on the MZ
/// header. It is not checked if the PE file is correct
/// in all other parts.
/// </summary>
/// <param name="file">Path to a possible PE file.</param>
/// <returns>True if the MZ header is set.</returns>
public static bool IsPEFile(string file)
{
var buff = File.ReadAllBytes(file);
IMAGE_DOS_HEADER dosHeader = null;
try
{
dosHeader = new IMAGE_DOS_HEADER(buff, 0);
}
catch (Exception)
{
return(false);
}
return(dosHeader.e_magic == 0x5a4d);
}
/// <summary>
/// Returns if the file is a PE file and 64 Bit.
/// </summary>
/// <param name="file">Path to a possible PE file.</param>
/// <returns>True if file is PE and x64.</returns>
public static bool Is64BitPeFile(string file)
{
var buff = File.ReadAllBytes(file);
IMAGE_DOS_HEADER dosHeader;
bool is64;
try
{
dosHeader = new IMAGE_DOS_HEADER(buff, 0);
is64 = buff.BytesToUInt16(dosHeader.e_lfanew + 0x4) ==
(ushort) Constants.FileHeaderMachine.IMAGE_FILE_MACHINE_AMD64;
}
catch (Exception)
{
return false;
}
return (dosHeader.e_magic == 0x5a4d) && is64;
}
public PeFile(byte [] buff)
{
UInt32 secHeaderOffset = 0;
_buff = buff;
ImageDosHeader = new IMAGE_DOS_HEADER(buff);
// Check if the PE file is 64 bit.
Is64Bit = (Utility.BytesToUInt16(buff, ImageDosHeader.e_lfanew + 0x4) == Constants.IMAGE_FILE_MACHINE_AMD64);
secHeaderOffset = (UInt32)(Is64Bit ? 0x108 : 0xF8);
ImageNtHeaders = new IMAGE_NT_HEADERS(buff, ImageDosHeader.e_lfanew, Is64Bit);
ImageSectionHeaders = ParseImageSectionHeaders(
buff,
ImageNtHeaders.FileHeader.NumberOfSections,
ImageDosHeader.e_lfanew + secHeaderOffset
);
if (ImageNtHeaders.OptionalHeader.DataDirectory[(int)Constants.DataDirectoryIndex.Export].VirtualAddress != 0)
{
try
{
ImageExportDirectory = new IMAGE_EXPORT_DIRECTORY(
buff,
Utility.RVAtoFileMapping(ImageNtHeaders.OptionalHeader.DataDirectory[0].VirtualAddress,
ImageSectionHeaders)
);
ExportedFunctions = ParseExportedFunctions(
buff,
ImageExportDirectory,
ImageSectionHeaders
);
}
catch
{
// No or invalid export directory.
HasValidExportDir = false;
}
}
if (ImageNtHeaders.OptionalHeader.DataDirectory[1].VirtualAddress != 0)
{
try
{
ImageImportDescriptors = ParseImportDescriptors(
buff,
Utility.RVAtoFileMapping(ImageNtHeaders.OptionalHeader.DataDirectory[(int)Constants.DataDirectoryIndex.Import].VirtualAddress, ImageSectionHeaders),
ImageSectionHeaders
);
ImportedFunctions = ParseImportedFunctions(buff, ImageImportDescriptors, ImageSectionHeaders);
}
catch
{
// No or invalid import directory.
HasValidImportDir = false;
}
}
// Parse the resource directory.
if (ImageNtHeaders.OptionalHeader.DataDirectory[2].VirtualAddress != 0)
{
try
{
ImageResourceDirectory = ParseImageResourceDirectory(
buff,
Utility.RVAtoFileMapping(ImageNtHeaders.OptionalHeader.DataDirectory[(int)Constants.DataDirectoryIndex.Resource].VirtualAddress, ImageSectionHeaders),
ImageSectionHeaders
);
}
catch
{
// No or invalid resource directory.
ImageResourceDirectory = null;
HasValidResourceDir = false;
}
}
// Parse x64 Exception directory
if (Is64Bit)
{
if (ImageNtHeaders.OptionalHeader.DataDirectory[(UInt32)Constants.DataDirectoryIndex.Exception].VirtualAddress != 0)
{
try
{
RuntimeFunctions = PareseExceptionDirectory(
buff,
Utility.RVAtoFileMapping(ImageNtHeaders.OptionalHeader.DataDirectory[(UInt32)Constants.DataDirectoryIndex.Exception].VirtualAddress, ImageSectionHeaders),
ImageNtHeaders.OptionalHeader.DataDirectory[(UInt32)Constants.DataDirectoryIndex.Exception].Size,
ImageSectionHeaders
);
}
catch
{
// No or invalid Exception directory.
RuntimeFunctions = null;
HasValidExceptionDir = false;
}
}
}
// Parse the security directory for certificates
if (ImageNtHeaders.OptionalHeader.DataDirectory[(int)Constants.DataDirectoryIndex.Security].VirtualAddress != 0)
{
try
{
WinCertificate = ParseImageSecurityDirectory(
buff,
ImageNtHeaders.OptionalHeader.DataDirectory[(int)Constants.DataDirectoryIndex.Security].VirtualAddress,
ImageSectionHeaders);
}
catch (Exception)
{
// Invalid Security Directory
WinCertificate = null;
HasValidSecurityDir = false;
}
}
}
