Esempio n. 1
        /// <summary>
        /// Parses the PE headers of <paramref name="stream"/>: checks the DOS and NT signatures,
        /// reads the file header and the machine-specific optional header, then loads the section table.
        /// </summary>
        /// <param name="stream">Stream containing the PE image; forwarded to the base constructor.</param>
        /// <param name="version">Forwarded to the base constructor.</param>
        /// <param name="maxMetadataUsages">Forwarded to the base constructor.</param>
        /// <exception cref="Exception">
        /// Thrown when either signature does not match or the machine type is neither 0x014c nor 0x8664.
        /// </exception>
        public PE(Stream stream, float version, long maxMetadataUsages) : base(stream, version, maxMetadataUsages)
        {
            const ushort dosMagic = 0x5A4D;        // e_magic, "MZ"
            const uint ntSignature = 0x00004550;   // "PE\0\0"

            if (ReadUInt16() != dosMagic)
            {
                throw new Exception("ERROR: Invalid PE file");
            }

            // e_lfanew lives at 0x3C and is used as a seek target exactly as stored in the file.
            // NOTE(review): the value is not range-checked here; a bogus offset only surfaces
            // through whatever the following read does at that position.
            Position = 0x3C;
            Position = ReadUInt32();
            if (ReadUInt32() != ntSignature)
            {
                throw new Exception("ERROR: Invalid PE file");
            }

            var fileHeader = ReadClass<FileHeader>();
            var machine = fileHeader.Machine;
            var isX86 = machine == 0x014c; // Intel 386

            // Reject anything that is neither Intel 386 nor AMD64 before touching the optional header.
            if (!isX86 && machine != 0x8664)
            {
                throw new Exception("ERROR: Unsupported machine.");
            }

            // NOTE(review): NumberOfRvaAndSizes comes straight from the file and is handed to
            // ReadClassArray as the element count without an upper bound. If this parser is fed
            // untrusted binaries, consider validating it before the read.
            if (isX86)
            {
                is32Bit = true;
                var header32 = ReadClass<OptionalHeader>();
                header32.DataDirectory = ReadClassArray<DataDirectory>(header32.NumberOfRvaAndSizes);
                imageBase = header32.ImageBase;
            }
            else
            {
                var header64 = ReadClass<OptionalHeader64>();
                header64.DataDirectory = ReadClassArray<DataDirectory>(header64.NumberOfRvaAndSizes);
                imageBase = header64.ImageBase;
            }

            // The section table is read from wherever the stream stands after the data directories.
            var table = new SectionHeader[fileHeader.NumberOfSections];
            sections = table;
            for (var index = 0; index < table.Length; index++)
            {
                // The reads must stay in on-disk field order; every value is taken as-is from the file.
                var rawName              = ReadBytes(8);
                var virtualSize          = ReadUInt32();
                var virtualAddress       = ReadUInt32();
                var sizeOfRawData        = ReadUInt32();
                var pointerToRawData     = ReadUInt32();
                var pointerToRelocations = ReadUInt32();
                var pointerToLinenumbers = ReadUInt32();
                var numberOfRelocations  = ReadUInt16();
                var numberOfLinenumbers  = ReadUInt16();
                var characteristics      = ReadUInt32();

                table[index] = new SectionHeader
                {
                    Name                 = Encoding.UTF8.GetString(rawName).Trim('\0'),
                    VirtualSize          = virtualSize,
                    VirtualAddress       = virtualAddress,
                    SizeOfRawData        = sizeOfRawData,
                    PointerToRawData     = pointerToRawData,
                    PointerToRelocations = pointerToRelocations,
                    PointerToLinenumbers = pointerToLinenumbers,
                    NumberOfRelocations  = numberOfRelocations,
                    NumberOfLinenumbers  = numberOfLinenumbers,
                    Characteristics      = characteristics
                };
            }
        }
Esempio n. 2
        /// <summary>
        /// Scans the raw data of <paramref name="search"/> for a 64-bit value equal to
        /// <paramref name="count"/> whose following 64-bit value maps to a file offset inside
        /// <paramref name="search"/> or <paramref name="search2"/>, and accepts the candidate when all
        /// <paramref name="count"/> entries read from that offset fall inside <paramref name="range"/>
        /// once the image base is subtracted.
        /// </summary>
        /// <param name="count">Expected element count; also the value searched for.</param>
        /// <param name="search">Section whose raw bytes are scanned.</param>
        /// <param name="search2">Second section in which the pointed-to array may live.</param>
        /// <param name="range">Section that every array entry must point into.</param>
        /// <returns>
        /// The candidate's file offset translated to a virtual address (image base included),
        /// or 0 when the scan finds nothing.
        /// </returns>
        private ulong FindCodeRegistration64(int count, SectionHeader search, SectionHeader search2, SectionHeader range)
        {
            // NOTE(review): these bounds are sums of section-header fields taken from the file;
            // presumably uint, in which case the addition can wrap for a crafted header — confirm.
            var searchEnd  = search.PointerToRawData + search.SizeOfRawData;
            var search2End = search2.PointerToRawData + search2.SizeOfRawData;
            var rangeEnd   = range.VirtualAddress + range.VirtualSize;

            Position = search.PointerToRawData;
            while (Position < searchEnd)
            {
                var candidate = Position;
                if (ReadUInt64() != (ulong)count)
                {
                    continue;
                }

                try
                {
                    uint target = MapVATR(ReadUInt64());

                    // Both sections are handled identically, so a single branch covers them.
                    if ((target >= search.PointerToRawData && target <= searchEnd)
                        || (target >= search2.PointerToRawData && target <= search2End))
                    {
                        var resume  = Position;
                        var entries = ReadClassArray<ulong>(target, count);
                        var anyOutside = Array.Exists(entries, x => x - imageBase < range.VirtualAddress || x - imageBase > rangeEnd);
                        if (!anyOutside)
                        {
                            return (ulong)candidate - search.PointerToRawData + search.VirtualAddress + imageBase; //VirtualAddress
                        }

                        // Continue scanning right after the pointer that was just examined.
                        Position = resume;
                    }
                }
                catch
                {
                    // ignored
                    // NOTE(review): this swallows every exception type, and the saved position is
                    // not restored on this path, so the scan resumes wherever the failed read left
                    // the stream. Narrowing the catch would keep real faults visible.
                }
            }

            return 0;
        }
Esempio n. 3
        /// <summary>
        /// Scans the raw data of <paramref name="search"/> for a 32-bit value equal to
        /// <paramref name="typeDefinitionsCount"/>. For each hit it skips 8 bytes, maps the next
        /// 32-bit value to a file offset and, if that offset lies in <paramref name="search"/> or
        /// <paramref name="search2"/>, reads <c>maxMetadataUsages</c> entries from it and accepts the
        /// candidate when all of them fall inside <paramref name="range"/> once the image base is subtracted.
        /// </summary>
        /// <param name="typeDefinitionsCount">Value searched for in the section data.</param>
        /// <param name="search">Section whose raw bytes are scanned.</param>
        /// <param name="search2">Second section in which the pointed-to array may live.</param>
        /// <param name="range">Section that every array entry must point into.</param>
        /// <returns>
        /// The candidate's file offset minus 48, translated to a virtual address (image base included),
        /// or 0 when the scan finds nothing.
        /// </returns>
        private ulong FindMetadataRegistration(int typeDefinitionsCount, SectionHeader search, SectionHeader search2, SectionHeader range)
        {
            // NOTE(review): these bounds are sums of section-header fields taken from the file;
            // presumably uint, in which case the addition can wrap for a crafted header — confirm.
            var searchEnd  = search.PointerToRawData + search.SizeOfRawData;
            var search2End = search2.PointerToRawData + search2.SizeOfRawData;
            var rangeEnd   = range.VirtualAddress + range.VirtualSize;

            Position = search.PointerToRawData;
            while (Position < searchEnd)
            {
                var candidate = Position;
                if (ReadUInt32() != typeDefinitionsCount)
                {
                    continue;
                }

                try
                {
                    // Remember where the scan continues (just past the matched 32-bit value).
                    var resume = Position;
                    Position += 8;
                    uint target = MapVATR(ReadUInt32());

                    // Both sections are handled identically, so a single branch covers them.
                    if ((target >= search.PointerToRawData && target <= searchEnd)
                        || (target >= search2.PointerToRawData && target <= search2End))
                    {
                        var entries = ReadClassArray<uint>(target, maxMetadataUsages);
                        var anyOutside = Array.Exists(entries, x => x - imageBase < range.VirtualAddress || x - imageBase > rangeEnd);
                        if (!anyOutside)
                        {
                            // The match is moved back 48 bytes — presumably the offset of the matched
                            // field inside the registration structure; confirm against its layout.
                            return (ulong)candidate - 48ul - search.PointerToRawData + search.VirtualAddress + imageBase; //VirtualAddress
                        }
                    }

                    Position = resume;
                }
                catch
                {
                    // ignored
                    // NOTE(review): this swallows every exception type, and the saved position is
                    // not restored on this path, so the scan resumes wherever the failed read left
                    // the stream. Narrowing the catch would keep real faults visible.
                }
            }

            return 0;
        }