internal NTHeaders(ExecutableImage exeImage, ulong headerOffset, ulong imageBase, FileHeader fileHeader, OptionalHeader optHeader, DataDirectoryCollection dataDirs) { uint size = (4U + fileHeader.Location.FileSize + optHeader.Location.FileSize + dataDirs.Location.FileSize).ToUInt32(); image = exeImage; location = new Location(headerOffset,Convert.ToUInt32(headerOffset),imageBase + headerOffset,size,size); file_header = fileHeader; opt_header = optHeader; data_dirs = dataDirs; }
// https://github.com/mrexodia/portable-executable-library/blob/master/pe_lib/pe_checksum.cpp#L43 static int Main(string[] args) { if (args.Length != 1 && args.Length != 2) { Console.WriteLine("[options] file_path"); Console.WriteLine("/s - calc & set checksum"); return(1); } bool setNewChecksum = false; string filePath = null; if (args[0] == "/s" || args[0] == "-s") { setNewChecksum = true; filePath = args[1]; } else { filePath = args[0]; } uint currentCheckSum = 0; uint newCheckSum = 0; uint checkSumPos = 0; using (Workshell.PE.ExecutableImage pe = Workshell.PE.ExecutableImage.FromFile(filePath)) { currentCheckSum = pe.NTHeaders.OptionalHeader.CheckSum; Console.WriteLine($"Current Checksum: {currentCheckSum}(0x{currentCheckSum.ToString("x")})"); newCheckSum = CalcChecksum(pe, out checkSumPos); Console.WriteLine($"New Checksum: {newCheckSum}(0x{newCheckSum.ToString("x")})"); } if (setNewChecksum == true && (currentCheckSum != newCheckSum)) { byte[] contents = File.ReadAllBytes(filePath); byte[] newCheckSumBuffer = BitConverter.GetBytes(newCheckSum); Array.Copy(newCheckSumBuffer, 0, contents, checkSumPos, 4); try { File.WriteAllBytes(filePath, contents); } catch (System.IO.IOException) { string newFilePath = filePath + ".new"; Console.WriteLine($"New file({newFilePath}) created because it is being used by another process."); File.WriteAllBytes(newFilePath, contents); } } return(0); }
internal OptionalHeader(ExecutableImage exeImage, ulong headerOffset, uint headerSize, ulong imageBase) { image = exeImage; location = new Location(headerOffset,Convert.ToUInt32(headerOffset),imageBase + headerOffset,headerSize,headerSize); }
internal DOSHeader(ExecutableImage exeImage, IMAGE_DOS_HEADER dosHeader, ulong imageBase) { image = exeImage; header = dosHeader; location = new Location(0,0,imageBase,Convert.ToUInt32(DOSHeader.Size),Convert.ToUInt32(DOSHeader.Size)); }
internal FileHeader(ExecutableImage exeImage, IMAGE_FILE_HEADER fileHeader, ulong headerOffset, ulong imageBase) { image = exeImage; header = fileHeader; uint size = Convert.ToUInt32(Utils.SizeOf<IMAGE_FILE_HEADER>()); location = new Location(headerOffset,Convert.ToUInt32(headerOffset),imageBase + headerOffset,size,size); }
private int ShowDataDirectories(ExecutableImage image) { Console.WriteLine("[ Data Directories ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(image.NTHeaders.DataDirectories.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(image.NTHeaders.DataDirectories.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(image.NTHeaders.DataDirectories.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(image.NTHeaders.DataDirectories.Location.FileSize)), image.NTHeaders.DataDirectories.Location.FileSize); Console.WriteLine(); int address_size = (image.Is64Bit ? 16 : 8); ulong offset; if (offset_type == "fo") { offset = image.NTHeaders.DataDirectories.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = image.NTHeaders.DataDirectories.Location.VirtualAddress; } else { offset = image.NTHeaders.DataDirectories.Location.RelativeVirtualAddress; } for(var i = 0; i < image.NTHeaders.DataDirectories.Count - 1; i++) { DataDirectory directory = image.NTHeaders.DataDirectories[i]; string name; switch (directory.DirectoryType) { case DataDirectoryType.Unknown: name = String.Empty; break; case DataDirectoryType.ExportTable: name = "Export Table"; break; case DataDirectoryType.ImportTable: name = "Import Table"; break; case DataDirectoryType.ResourceTable: name = "Resource Table"; break; case DataDirectoryType.ExceptionTable: name = "Exception Table"; break; case DataDirectoryType.CertificateTable: name = "Certificate Table"; break; case DataDirectoryType.BaseRelocationTable: name = "Base Relocation Table"; break; case DataDirectoryType.Debug: name = "Debug Directory"; break; case DataDirectoryType.Architecture: name = "Architecture"; break; case DataDirectoryType.GlobalPtr: name = "Global Pointer"; break; case DataDirectoryType.TLSTable: name = "TLS Table"; break; case DataDirectoryType.LoadConfigTable: name = "Load Configuration Table"; break; case DataDirectoryType.BoundImport: name = "Bound Import Table"; break; case DataDirectoryType.ImportAddressTable: name = "Import Address Table"; break; case DataDirectoryType.DelayImportDescriptor: name = "Delayed Import Descriptors"; break; case DataDirectoryType.CLRRuntimeHeader: name = ".NET Common Language Runtime Header"; break; default: name = "Unknown"; break; } List<string> lines = new List<string>(); lines.Add(String.Format("Entry Offset: {0}",Utils.IntToHex(offset, address_size))); lines.Add(String.Format("RVA: {0}", Utils.IntToHex(directory.VirtualAddress))); lines.Add(String.Format("Size: {0} ({1})", directory.Size, Utils.FormatBytes(directory.Size))); string section = directory.GetSectionName(); if (!String.IsNullOrWhiteSpace(section)) lines.Add(String.Format("Section: {0}", section)); int max_len = name.Length; foreach(var line in lines) { if (line.Length > max_len) max_len = line.Length; } max_len = max_len + 2; Console.WriteLine(" " + name.PadRight(max_len)); Console.WriteLine(" " + String.Empty.PadRight(max_len, '-')); foreach(var line in lines) Console.WriteLine(" " + line.PadRight(max_len)); Console.WriteLine(); offset += sizeof(uint) * 2; } Console.WriteLine(); return 0; }
private int ShowOptionalHeader(ExecutableImage image) { Console.WriteLine("[ Optional Header ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(image.NTHeaders.OptionalHeader.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(image.NTHeaders.OptionalHeader.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(image.NTHeaders.OptionalHeader.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(image.NTHeaders.OptionalHeader.Location.FileSize)), image.NTHeaders.OptionalHeader.Location.FileSize); Console.WriteLine(); List<Tuple<string, string, string>> tuples = new List<Tuple<string, string, string>>(); ulong offset; if (offset_type == "fo") { offset = image.NTHeaders.OptionalHeader.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = image.NTHeaders.OptionalHeader.Location.VirtualAddress; } else { offset = image.NTHeaders.OptionalHeader.Location.RelativeVirtualAddress; } int address_size = (image.Is64Bit ? 16 : 8); string[] VARY_FIELDS = { "ImageBase", "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit" }; FieldAnnotations annotations = FieldAnnotations.Get(image.NTHeaders.OptionalHeader); foreach (FieldAnnotation annotation in annotations) { int size = annotation.Size * 2; if (VARY_FIELDS.Contains(annotation.Name, StringComparer.OrdinalIgnoreCase)) size = (image.Is64Bit ? 16 : 8); int array_size = (annotation.IsArray ? annotation.ArraySize : annotation.Size); object value = (annotation.IsArray ? Utils.GetDefaultValue(annotation.Type.GetElementType()) : annotation.Value); Tuple<string, string, string> tuple = new Tuple<string, string, string>(Utils.IntToHex(offset, address_size), Utils.IntToHex(value, size), annotation.Description); tuples.Add(tuple); offset += Convert.ToUInt32(array_size); } int max_value_len = 0; int max_desc_len = 0; foreach (var tuple in tuples) { if (tuple.Item2.Length > max_value_len) max_value_len = tuple.Item2.Length; if (tuple.Item3.Length > max_desc_len) max_desc_len = tuple.Item3.Length; } string header = String.Format("{0} {1} {2}", "Address".PadRight(address_size + 2), "Value".PadRight(max_value_len), "Description".PadRight(max_desc_len)); Console.WriteLine(" " + header); Console.WriteLine(" " + String.Empty.PadRight(header.Length, '-')); foreach (var tuple in tuples) Console.WriteLine(" {0} {1} {2}", tuple.Item1.PadRight(address_size + 2), tuple.Item2.PadRight(max_value_len), tuple.Item3.PadRight(max_desc_len)); Console.WriteLine(); ShowOptionalHeader_SubSystem(image); ShowOptionalHeader_DllCharacteristics(image); Console.WriteLine(); return 0; }
internal LocationCalculator(ExecutableImage imageReader) { reader = imageReader; }
private void ShowFileHeader_Characteristics(ExecutableImage image) { List<string> lines = new List<string>(); CharacteristicsType characteristics = image.NTHeaders.FileHeader.GetCharacteristics(); long enum_value = Convert.ToInt64(characteristics); EnumAnnotations<CharacteristicsType> enum_annotations = new EnumAnnotations<CharacteristicsType>(); foreach (EnumAnnotation<CharacteristicsType> annotation in enum_annotations) { long value = Convert.ToInt64(annotation.Value); bool selected = ((enum_value & value) == value); if (!selected) continue; string line = String.Format("{0} {1}", Utils.IntToHex(value, 4), annotation.HeaderName); lines.Add(line); } int max_len = 0; foreach (var line in lines) { if (line.Length > max_len) max_len = line.Length; } max_len = max_len + 2; Console.WriteLine(" Characteristics".PadRight(max_len)); Console.WriteLine(" " + String.Empty.PadRight(max_len, '-')); foreach(var line in lines) Console.WriteLine(" " + line.PadRight(max_len)); Console.WriteLine(); }
private int ShowLoadConfig(ExecutableImage image) { LoadConfigDirectory directory = LoadConfigDirectory.Get(image); if (directory == null) return 0; Console.WriteLine("[ Load Configuration ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(directory.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(directory.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(directory.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(directory.Location.FileSize)), directory.Location.FileSize); Console.WriteLine(); List<Tuple<string, string, string>> tuples = new List<Tuple<string, string, string>>(); ulong offset; if (offset_type == "fo") { offset = directory.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = directory.Location.VirtualAddress; } else { offset = directory.Location.RelativeVirtualAddress; } int address_size = (image.Is64Bit ? 16 : 8); string[] VARY_FIELDS = { "DeCommitFreeBlockThreshold", "DeCommitTotalFreeThreshold", "LockPrefixTable", "MaximumAllocationSize", "VirtualMemoryThreshold", "ProcessAffinityMask", "EditList", "SecurityCookie", "SEHandlerTable", "SEHandlerCount", "GuardCFCheckFunctionPointer", "Reserved2", "GuardCFFunctionTable", "GuardCFFunctionCount" }; FieldAnnotations annotations = FieldAnnotations.Get(directory); foreach (FieldAnnotation annotation in annotations) { int size = annotation.Size * 2; if (VARY_FIELDS.Contains(annotation.Name, StringComparer.OrdinalIgnoreCase)) size = (image.Is64Bit ? 16 : 8); int array_size = (annotation.IsArray ? annotation.ArraySize : annotation.Size); object value = (annotation.IsArray ? Utils.GetDefaultValue(annotation.Type.GetElementType()) : annotation.Value); Tuple<string, string, string> tuple = new Tuple<string, string, string>(Utils.IntToHex(offset, address_size), Utils.IntToHex(value, size), annotation.Description); tuples.Add(tuple); offset += Convert.ToUInt32(array_size); } int max_value_len = 0; int max_desc_len = 0; foreach (var tuple in tuples) { if (tuple.Item2.Length > max_value_len) max_value_len = tuple.Item2.Length; if (tuple.Item3.Length > max_desc_len) max_desc_len = tuple.Item3.Length; } string header = String.Format("{0} {1} {2}", "Address".PadRight(address_size + 2), "Value".PadRight(max_value_len), "Description".PadRight(max_desc_len)); Console.WriteLine(" " + header); Console.WriteLine(" " + String.Empty.PadRight(header.Length, '-')); foreach (var tuple in tuples) Console.WriteLine(" {0} {1} {2}", tuple.Item1.PadRight(address_size + 2), tuple.Item2.PadRight(max_value_len), tuple.Item3.PadRight(max_desc_len)); Console.WriteLine(); //ShowOptionalHeader_SubSystem(image); //ShowOptionalHeader_DllCharacteristics(image); // //Console.WriteLine(); return 0; }
private int ShowDOSStub(ExecutableImage image) { Console.WriteLine("[ MS-DOS Stub ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(image.DOSStub.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(image.DOSStub.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(image.DOSStub.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(image.DOSStub.Location.FileSize)), image.DOSStub.Location.FileSize); Console.WriteLine(); Console.WriteLine(); return 0; }
private int ShowDOSHeader(ExecutableImage image) { Console.WriteLine("[ MS-DOS Header ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(image.DOSHeader.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(image.DOSHeader.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(image.DOSHeader.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(image.DOSHeader.Location.FileSize)), image.DOSHeader.Location.FileSize); Console.WriteLine(); List<Tuple<string, string, string>> tuples = new List<Tuple<string, string, string>>(); ulong offset; if (offset_type == "fo") { offset = image.DOSHeader.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = image.DOSHeader.Location.VirtualAddress; } else { offset = image.DOSHeader.Location.RelativeVirtualAddress; } int address_size = (image.Is64Bit ? 16 : 8); FieldAnnotations annotations = FieldAnnotations.Get(image.DOSHeader); foreach (FieldAnnotation annotation in annotations) { int size = annotation.Size; int array_size = (annotation.IsArray ? annotation.ArraySize : annotation.Size); object value = (annotation.IsArray ? Utils.GetDefaultValue(annotation.Type.GetElementType()) : annotation.Value); Tuple<string, string, string> tuple = new Tuple<string, string, string>(Utils.IntToHex(offset, address_size), Utils.IntToHex(value, size * 2), annotation.Description); tuples.Add(tuple); offset += Convert.ToUInt32(array_size); } int max_value_len = 0; int max_desc_len = 0; foreach(var tuple in tuples) { if (tuple.Item2.Length > max_value_len) max_value_len = tuple.Item2.Length; if (tuple.Item3.Length > max_desc_len) max_desc_len = tuple.Item3.Length; } string header = String.Format("{0} {1} {2}", "Address".PadRight(address_size + 2), "Value".PadRight(max_value_len), "Description".PadRight(max_desc_len)); Console.WriteLine(" " + header); Console.WriteLine(" " + String.Empty.PadRight(header.Length, '-')); foreach (var tuple in tuples) Console.WriteLine(" {0} {1} {2}", tuple.Item1.PadRight(address_size + 2), tuple.Item2.PadRight(max_value_len), tuple.Item3.PadRight(max_desc_len)); Console.WriteLine(); Console.WriteLine(); return 0; }
private int ShowDebugDirectory(ExecutableImage image) { DebugDirectory directory = DebugDirectory.Get(image); if (directory == null) return 0; Console.WriteLine("[ Debug Directory ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(directory.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(directory.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(directory.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(directory.Location.FileSize)), directory.Location.FileSize); Console.WriteLine(); int address_size = (image.Is64Bit ? 16 : 8); ulong offset; if (offset_type == "fo") { offset = directory.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = directory.Location.VirtualAddress; } else { offset = directory.Location.RelativeVirtualAddress; } foreach (DebugDirectoryEntry entry in directory) { string name = entry.GetEntryType().ToString(); string type = ShowDebugDirectory_Type(entry); List<string> lines = new List<string>(); lines.Add(String.Format("Entry Offset: {0}", Utils.IntToHex(offset, address_size))); lines.Add(String.Format("Characteristics: {0}", Utils.IntToHex(entry.Characteristics))); lines.Add(String.Format("Date/Time Stamp: {0}", Utils.IntToHex(entry.TimeDateStamp))); lines.Add(String.Format("Major Version: {0}", Utils.IntToHex(entry.MajorVersion))); lines.Add(String.Format("Minor Version: {0}", Utils.IntToHex(entry.MinorVersion))); lines.Add(String.Format("Type: {0}", type)); lines.Add(String.Format("Size of Data: {0} ({1})", entry.SizeOfData, Utils.FormatBytes(entry.SizeOfData))); lines.Add(String.Format("Address of Raw Data: {0}", Utils.IntToHex(entry.AddressOfRawData))); lines.Add(String.Format("Pointer to Raw Data: {0}", Utils.IntToHex(entry.PointerToRawData))); int max_len = name.Length; foreach (var line in lines) { if (line.Length > max_len) max_len = line.Length; } max_len = max_len + 2; Console.WriteLine(" " + name.PadRight(max_len)); Console.WriteLine(" " + String.Empty.PadRight(max_len, '-')); foreach (var line in lines) Console.WriteLine(" " + line.PadRight(max_len)); Console.WriteLine(); offset += entry.Location.FileSize; } Console.WriteLine(); return 0; }
internal OptionalHeader32(ExecutableImage exeReader, IMAGE_OPTIONAL_HEADER32 optHeader, ulong headerOffset, ulong imageBase) : base(exeReader,headerOffset,Convert.ToUInt32(OptionalHeader.Size32),imageBase) { header = optHeader; }
private void ShowOptionalHeader_SubSystem(ExecutableImage image) { List<string> lines = new List<string>(); SubSystemType sub_system = image.NTHeaders.OptionalHeader.GetSubsystem(); long enum_value = Convert.ToInt64(sub_system); EnumAnnotations<SubSystemType> enum_annotations = new EnumAnnotations<SubSystemType>(); foreach (EnumAnnotation<SubSystemType> annotation in enum_annotations) { long value = Convert.ToInt64(annotation.Value); if (value == 0) continue; bool selected = ((enum_value & value) == value); if (!selected) continue; string line = String.Format("{0} {1}", Utils.IntToHex(value, 4), annotation.HeaderName); lines.Add(line); } int max_len = 0; foreach (var line in lines) { if (line.Length > max_len) max_len = line.Length; } max_len = max_len + 2; Console.WriteLine(" Sub-System".PadRight(max_len)); Console.WriteLine(" " + String.Empty.PadRight(max_len, '-')); foreach (var line in lines) Console.WriteLine(" " + line.PadRight(max_len)); Console.WriteLine(); }
internal OptionalHeader64(ExecutableImage exeImage, IMAGE_OPTIONAL_HEADER64 optHeader, ulong headerOffset, ulong imageBase) : base(exeImage,headerOffset,Convert.ToUInt32(OptionalHeader.Size64),imageBase) { header = optHeader; }
private int ShowSectionTable(ExecutableImage image) { Console.WriteLine("[ Section Table ]"); Console.WriteLine(); Console.WriteLine(" File Offset: {0}", Utils.IntToHex(image.SectionTable.Location.FileOffset)); Console.WriteLine(" Virtual Address: {0}", Utils.IntToHex(image.SectionTable.Location.VirtualAddress)); Console.WriteLine(" RVA: {0}", Utils.IntToHex(image.SectionTable.Location.RelativeVirtualAddress)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(Convert.ToInt64(image.SectionTable.Location.FileSize)), image.SectionTable.Location.FileSize); Console.WriteLine(); int address_size = (image.Is64Bit ? 16 : 8); ulong offset; if (offset_type == "fo") { offset = image.SectionTable.Location.FileOffset; } else if (offset_type == "vo") { offset = 0; } else if (offset_type == "va") { offset = image.SectionTable.Location.VirtualAddress; } else { offset = image.SectionTable.Location.RelativeVirtualAddress; } foreach(SectionTableEntry section in image.SectionTable) { string name = section.Name; string[] chars = ShowSectionTable_Characteristics(section); List<string> lines = new List<string>(); lines.Add(String.Format("Entry Offset: {0}", Utils.IntToHex(offset, address_size))); lines.Add(String.Format("Virtual Size: {0} ({1})", section.VirtualSizeOrPhysicalAddress, Utils.FormatBytes(section.VirtualSizeOrPhysicalAddress))); lines.Add(String.Format("RVA: {0}", Utils.IntToHex(section.VirtualAddress))); lines.Add(String.Format("Size of Raw Data: {0} ({1})", section.SizeOfRawData, Utils.FormatBytes(section.SizeOfRawData))); lines.Add(String.Format("Pointer to Raw Data: {0}", Utils.IntToHex(section.PointerToRawData))); lines.Add(String.Format("Pointer to Relocations: {0}", Utils.IntToHex(section.PointerToRelocations))); lines.Add(String.Format("Pointer to Line Numbers: {0}", Utils.IntToHex(section.PointerToLineNumbers))); lines.Add(String.Format("Number of Relocations: {0}", section.NumberOfRelocations)); lines.Add(String.Format("Number of Line Numbers: {0}", section.NumberOfLineNumbers)); if (chars.Length > 0) { lines.Add(String.Format("Characteristics: {0}", chars.First())); if (chars.Length > 1) { foreach(string line in chars.Skip(1)) lines.Add(String.Format(" {0}", line)); } } int max_len = name.Length; foreach (var line in lines) { if (line.Length > max_len) max_len = line.Length; } max_len = max_len + 2; Console.WriteLine(" " + name.PadRight(max_len)); Console.WriteLine(" " + String.Empty.PadRight(max_len, '-')); foreach (var line in lines) Console.WriteLine(" " + line.PadRight(max_len)); Console.WriteLine(); offset += section.Location.FileSize; } Console.WriteLine(); return 0; }
internal DOSStub(ExecutableImage exeImage, ulong stubOffset, uint stubSize, ulong imageBase) { image = exeImage; location = new Location(stubOffset,Convert.ToUInt32(stubOffset),imageBase + stubOffset,stubSize,stubSize); }
private int ShowBasicDetails(ExecutableImage image, string fileName) { Stream stream = image.GetStream(); string image_type = "Unknown"; CharacteristicsType characteristics = image.NTHeaders.FileHeader.GetCharacteristics(); if ((characteristics & CharacteristicsType.IsDLL) == CharacteristicsType.IsDLL) { image_type = "Dynamic Link Library"; } else { SubSystemType sub_system = image.NTHeaders.OptionalHeader.GetSubsystem(); if (sub_system == SubSystemType.WindowsCUI) { image_type = "Console Application"; } else if (sub_system == SubSystemType.WindowsGUI) { image_type = "Windows Application"; } } Console.WriteLine("[ Basic Details ]"); Console.WriteLine(); Console.WriteLine(" Filename: {0}", Path.GetFileName(fileName)); Console.WriteLine(" Path: {0}", Path.GetDirectoryName(fileName)); Console.WriteLine(" Size: {1} ({0})", Utils.FormatBytes(stream.Length), stream.Length); Console.WriteLine(" Architecture: {0}", (image.Is64Bit ? "64-Bit" : "32-Bit")); Console.WriteLine(" Image Type: {0}", image_type); Console.WriteLine(" Is .NET: {0}", (image.IsCLR ? "Yes" : "No")); Console.WriteLine(" Is Signed: {0}", (image.IsSigned ? "Yes" : "No")); Console.WriteLine(); Console.WriteLine(); return 0; }