Esempio n. 1
0
        public bool GetDetails(Stream fs)
        {
            using (var binReader = new BinaryReader(fs))
            {
                if (fs.Length < 0x40)
                {
                    return(false);
                }
                fs.Position = 0x3C;
                var headerOffset = binReader.ReadUInt32();

                if (headerOffset > fs.Length - 5)
                {
                    return(false);
                }

                fs.Position = headerOffset;
                var signature = binReader.ReadUInt32();

                if (signature != 0x00004550)
                {
                    return(false);
                }

                fs.Position     += 2;
                NumberOfSections = binReader.ReadUInt16();

                Sections = new List <MiniSection>();

                TimeStamp    = binReader.ReadUInt32();
                fs.Position += 8;
                secOff       = binReader.ReadUInt16();
                fs.Position += 2;

                var magic = binReader.ReadInt16();
                Is64 = magic == 0x20b;
                if (Is64)
                {
                    fs.Position    += 22;
                    ImageBaseOffset = fs.Position;
                    ImageBase       = binReader.ReadUInt64();
                }
                else
                {
                    fs.Position    += 26;
                    ImageBaseOffset = fs.Position;
                    ImageBase       = binReader.ReadUInt32();
                }
                SectionAlignment = binReader.ReadUInt32();
                FileAlignment    = binReader.ReadUInt32();
                fs.Position     += 16;
                SizeOfImage      = binReader.ReadUInt32();
                SizeOfHeaders    = binReader.ReadUInt32();
                var CurrEnd = SizeOfHeaders;

                /// implicit section for header
                Sections.Add(new MiniSection {
                    VirtualSize = 0x1000, RawFileSize = CurrEnd, RawFilePointer = 0, VirtualAddress = 0, Name = ".PEHeader", Characteristics = 0x20000000
                });

                // get to sections
                fs.Position = headerOffset + (Is64 ? 0x108 : 0xF8);
                for (int i = 0; i < NumberOfSections; i++)
                {
                    var secName = binReader.ReadBytes(8);
                    var rawStr  = Encoding.ASCII.GetString(secName);
                    var secStr  = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                    var Size    = binReader.ReadUInt32();
                    var Pos     = binReader.ReadUInt32();
                    var rawSize = binReader.ReadUInt32();
                    var rawPos  = binReader.ReadUInt32();
                    fs.Position += 0xC;
                    var characteristic = binReader.ReadUInt32();

                    var currSecNfo = new MiniSection {
                        VirtualSize = Size, VirtualAddress = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr, Characteristics = characteristic
                    };
                    Sections.Add(currSecNfo);

                    if (Verbose > 2)
                    {
                        Write($" section [{secStr}] ");
                    }

                    if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                    {
                        RelocSize = Size;
                        RelocPos  = Pos;
                    }

                    fs.Position += 0x4;
                }
            }
            return(true);
        }
Esempio n. 2
0
        public static Extract IsBlockaPE(byte[] block, int blockOffset = 0)
        {
            Extract extracted_struct = new Extract();

            if (block[blockOffset] != 0x4d || block[blockOffset + 1] != 0x5a)
            {
                return(null);
            }

            var headerOffset = BitConverter.ToInt32(block, blockOffset + 0x3C);

            // bad probably
            if (headerOffset > 3000)
            {
                return(null);
            }

            if (BitConverter.ToInt32(block, blockOffset + headerOffset) != 0x00004550)
            {
                return(null);
            }

            var pos = blockOffset + headerOffset + 6;

            extracted_struct.NumberOfSections = BitConverter.ToUInt16(block, pos); pos += 2;
            extracted_struct.Sections         = new List <MiniSection>();
            //pos += 2;

            extracted_struct.TimeStamp = BitConverter.ToUInt32(block, pos); pos += 4;
            pos += 8;
            extracted_struct.secOff = BitConverter.ToUInt16(block, pos); pos += 2;
            pos += 2;
            var magic = BitConverter.ToUInt16(block, pos); pos += 2;

            extracted_struct.Is64 = magic == 0x20b;
            // sizeofcode, sizeofinit, sizeofuninit,
            pos += 14;
            extracted_struct.EntryPoint = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.BaseOfCode = BitConverter.ToUInt32(block, pos); pos += 4;

            if (extracted_struct.Is64)
            {
                // we wan't this to be page aligned to typical small page size
                extracted_struct.ImageBaseOffset = pos & 0xfff;
                extracted_struct.ImageBase       = BitConverter.ToUInt64(block, pos); pos += 8;
            }
            else
            {
                // baseofdata
                pos += 4;
                // imagebase
                extracted_struct.ImageBaseOffset = pos & 0xfff;
                extracted_struct.ImageBase       = BitConverter.ToUInt32(block, pos); pos += 4;
            }
            extracted_struct.SectionAlignment = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.FileAlignment    = BitConverter.ToUInt32(block, pos); pos += 4;

            pos += 16;

            extracted_struct.SizeOfImage   = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.SizeOfHeaders = BitConverter.ToUInt32(block, pos); pos += 4;
            // checksum
            extracted_struct.CheckSumPos = pos;
            extracted_struct.CheckSum    = BitConverter.ToUInt32(block, pos); pos += 4;
            // subsys
            pos += 2;
            ///characteristics
            extracted_struct.Characteristics = BitConverter.ToUInt16(block, pos); pos += 2;

            // SizeOf/Stack/Heap/Reserve/Commit
            if (extracted_struct.Is64)
            {
                pos += 32;
            }
            else
            {
                pos += 16;
            }
            // LoaderFlags
            pos += 4;
            // NumberOfRvaAndSizes
            pos += 4;

            extracted_struct.Directories = new List <Tuple <int, int> >(16);
            // collect a list of all directories in a table
            for (int i = 0; i < 0x10; i++)
            {
                extracted_struct.Directories.Add(Tuple.Create <int, int>(BitConverter.ToInt32(block, pos + (i * 8)), BitConverter.ToInt32(block, pos + (i * 8) + 4)));
            }

            extracted_struct.ClrAddress = (uint)extracted_struct.Directories[0xf].Item1;
            extracted_struct.ClrSize    = (uint)extracted_struct.Directories[0xf].Item2;

            if (extracted_struct.ClrAddress != 0)
            {
                extracted_struct.IsCLR = true;
            }

            var CurrEnd = extracted_struct.SizeOfHeaders;

            /// implicit section for header
            extracted_struct.Sections.Add(new MiniSection {
                VirtualSize = CurrEnd, RawFileSize = CurrEnd, RawFilePointer = 0, VirtualAddress = 0, Name = ".PEHeader", Characteristics = 0x20000000
            });

            // get to sections
            pos = blockOffset + headerOffset + (extracted_struct.Is64 ? 0x108 : 0xF8);
            for (int i = 0; i < extracted_struct.NumberOfSections; i++)
            {
                /*var rawStr = BitConverter.ToString(block, pos, 8); */
                var rawStr = new String(
                    new char[8] {
                    (char)block[pos], (char)block[pos + 1], (char)block[pos + 2], (char)block[pos + 3],
                    (char)block[pos + 4], (char)block[pos + 5], (char)block[pos + 6], (char)block[pos + 7]
                }); pos += 8;

                var secStr = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                var Size           = BitConverter.ToUInt32(block, pos); pos += 4;
                var Pos            = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawSize        = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawPos         = BitConverter.ToUInt32(block, pos); pos += 0x10;
                var characteristic = BitConverter.ToUInt32(block, pos); pos += 4;

                var currSecNfo = new MiniSection {
                    VirtualSize = Size, VirtualAddress = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr, Characteristics = characteristic
                };
                extracted_struct.Sections.Add(currSecNfo);

                if (Verbose > 2)
                {
                    Write($" section [{secStr}] ");
                }

                //optimize reloc for easy access
                if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                {
                    extracted_struct.RelocSize = Size;
                    extracted_struct.RelocPos  = Pos;
                }
            }

            return(extracted_struct);
        }
Esempio n. 3
0
        public bool GetDetails(Stream Input)
        {
            using (var binReader = new BinaryReader(fs))
            {
                if (fs.Length < 0x40)
                    return false;

                fs.Position = 0x3C;
                var headerOffset = binReader.ReadUInt32();

                if (headerOffset > fs.Length - 5)
                    return false;

                fs.Position = headerOffset;
                var signature = binReader.ReadUInt32();

                if (signature != 0x00004550)
                    return false;

                fs.Position += 2;
                NumberOfSections = binReader.ReadInt16();

                SectionPosOffsets = new List<MiniSection>();

                TimeStamp = binReader.ReadUInt32();
                fs.Position += 8;
                secOff = binReader.ReadUInt16();
                fs.Position += 2;

                var magic = binReader.ReadInt16();
                Is64 = magic == 0x20b;
                if (Is64)
                {
                    fs.Position += 22;
                    ImageBaseOffset = fs.Position;
                    ImageBase = binReader.ReadUInt64();
                }
                else
                {
                    fs.Position += 26;
                    ImageBaseOffset = fs.Position;
                    ImageBase = binReader.ReadUInt32();
                }
                SectionAlignment = binReader.ReadUInt32();
                FileAlignment = binReader.ReadUInt32();
                fs.Position += 16;
                SizeOfImage = binReader.ReadUInt32();
                SizeOfHeaders = binReader.ReadUInt32();
                var CurrEnd = SizeOfHeaders;
                /// implicit section for header
                SectionPosOffsets.Add(new MiniSection { VirtualSize = 0x1000, RawFileSize = 0x400, RawFilePointer = 0, VirtualOffset = 0, Name = "PE Header" });

                // get to sections
                fs.Position = headerOffset + (Is64 ? 0x108 : 0xF8);
                for (int i = 0; i < NumberOfSections; i++)
                {
                    var secName = binReader.ReadBytes(8);
                    var rawStr = Encoding.ASCII.GetString(secName);
                    var secStr = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                    var Size = binReader.ReadUInt32();
                    var Pos = binReader.ReadUInt32();
                    var rawSize = binReader.ReadUInt32();
                    var rawPos = binReader.ReadUInt32();

                    var currSecNfo = new MiniSection { VirtualSize = Size, VirtualOffset = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr };
                    SectionPosOffsets.Add(currSecNfo);

                    if (Verbose > 2)

                        Write($" section [{secStr}] ");

                    if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                    {
                        RelocSize = Size;
                        RelocPos = Pos;
                    }

                    fs.Position += 0x10;
                }
            }
        }
Esempio n. 4
0
        public static Extract IsBlockaPE(byte[] block)
        {
            Extract extracted_struct = new Extract();

            if (BitConverter.ToInt16(block, 0) != 0x5A4D)
                return null;

            var headerOffset = BitConverter.ToInt32(block, 0x3C);

            if (headerOffset > 3000)
            {
                // bad probably
                return null;
            }

            if (BitConverter.ToInt32(block, headerOffset) != 0x00004550)
                return null;

            var pos = headerOffset + 6;

            extracted_struct.NumberOfSections = BitConverter.ToInt16(block, pos); pos += 2;
            extracted_struct.SectionPosOffsets = new List<MiniSection>();
            //pos += 2;

            extracted_struct.TimeStamp = BitConverter.ToUInt32(block, pos); pos += 4;
            pos += 8;
            extracted_struct.secOff = BitConverter.ToUInt16(block, pos); pos += 2;
            pos += 2;
            var magic = BitConverter.ToUInt16(block, pos); pos += 2;
            extracted_struct.Is64 = magic == 0x20b;

            if (extracted_struct.Is64)
            {
                pos += 22;
                extracted_struct.ImageBaseOffset = pos;
                extracted_struct.ImageBase = BitConverter.ToUInt64(block, pos); pos += 8;
            }
            else
            {
                pos += 26;
                extracted_struct.ImageBaseOffset = pos;
                extracted_struct.ImageBase = BitConverter.ToUInt32(block, pos); pos += 4;
            }
            extracted_struct.SectionAlignment = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.FileAlignment = BitConverter.ToUInt32(block, pos); pos += 4;

            pos += 16;

            extracted_struct.SizeOfImage = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.SizeOfHeaders = BitConverter.ToUInt32(block, pos); pos += 4;
            // checksum
            pos += 4;
            // subsys/characteristics
            pos += 4;
            // SizeOf/Stack/Heap/Reserve/Commit
            if (extracted_struct.Is64)
                pos += 32;
            else
                pos += 16;
            // LoaderFlags
            pos += 4;
            // NumberOfRvaAndSizes
            pos += 4;
            // 16 DataDirectory entries, each is 8 bytes 4byte VA, 4byte Size
            // we care about #6 since it's where we will find the GUID
            pos += 6 * 8;
            extracted_struct.DebugDirPos = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.DebugDirSize = BitConverter.ToUInt32(block, pos); pos += 4;


            var CurrEnd = extracted_struct.SizeOfHeaders;
            /// implicit section for header
            extracted_struct.SectionPosOffsets.Add(new MiniSection { VirtualSize = 0x1000, RawFileSize = 0x400, RawFilePointer = 0, VirtualOffset = 0, Name = "PEHeader" });

            // get to sections
            pos = headerOffset + (extracted_struct.Is64 ? 0x108 : 0xF8);
            for (int i = 0; i < extracted_struct.NumberOfSections; i++)
            {
                /*var rawStr = BitConverter.ToString(block, pos, 8); */
                var rawStr = new String(
                    new char[8] { (char) block[pos], (char) block[pos + 1], (char) block[pos + 2], (char) block[pos + 3],
                    (char) block[pos + 4], (char) block[pos + 5], (char) block[pos + 6], (char) block[pos + 7] }); pos += 8;

                var secStr = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                var Size = BitConverter.ToUInt32(block, pos); pos += 4;
                var Pos = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawSize = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawPos = BitConverter.ToUInt32(block, pos); pos += 4;

                var currSecNfo = new MiniSection { VirtualSize = Size, VirtualOffset = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr };
                extracted_struct.SectionPosOffsets.Add(currSecNfo);

                if (Verbose > 2)
                    Write($" section [{secStr}] ");

                if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                {
                    extracted_struct.RelocSize = Size;
                    extracted_struct.RelocPos = Pos;
                }

                pos += 0x10;
            }

            return extracted_struct;
        }
Esempio n. 5
0
        public static Extract IsBlockaPE(byte[] block, int blockOffset = 0)
        {
            Extract extracted_struct = new Extract();

            if (block[blockOffset] != 0x4d || block[blockOffset + 1] != 0x5a)
            {
                return(null);
            }

            var headerOffset = BitConverter.ToInt32(block, blockOffset + 0x3C);

            // bad probably
            if (headerOffset > 3000)
            {
                return(null);
            }

            if (BitConverter.ToInt32(block, blockOffset + headerOffset) != 0x00004550)
            {
                return(null);
            }

            var pos = blockOffset + headerOffset + 6;

            extracted_struct.NumberOfSections = BitConverter.ToInt16(block, pos); pos += 2;
            extracted_struct.Sections         = new List <MiniSection>();
            //pos += 2;

            extracted_struct.TimeStamp = BitConverter.ToUInt32(block, pos); pos += 4;
            pos += 8;
            extracted_struct.secOff = BitConverter.ToUInt16(block, pos); pos += 2;
            pos += 2;
            var magic = BitConverter.ToUInt16(block, pos); pos += 2;

            extracted_struct.Is64 = magic == 0x20b;

            if (extracted_struct.Is64)
            {
                pos += 14;
                extracted_struct.EntryPoint = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.BaseOfCode = BitConverter.ToUInt32(block, pos); pos += 4;
                // we wan't this to be page aligned to typical small page size
                extracted_struct.ImageBaseOffset = pos & 0xfff;
                extracted_struct.ImageBase       = BitConverter.ToUInt64(block, pos); pos += 8;
            }
            else
            {
                pos += 18;
                extracted_struct.EntryPoint      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.BaseOfCode      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.ImageBaseOffset = pos & 0xfff;
                extracted_struct.ImageBase       = BitConverter.ToUInt32(block, pos); pos += 4;
            }
            extracted_struct.SectionAlignment = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.FileAlignment    = BitConverter.ToUInt32(block, pos); pos += 4;

            pos += 16;

            extracted_struct.SizeOfImage   = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.SizeOfHeaders = BitConverter.ToUInt32(block, pos); pos += 4;
            // checksum
            pos += 4;
            // subsys/characteristics
            pos += 4;
            // SizeOf/Stack/Heap/Reserve/Commit
            if (extracted_struct.Is64)
            {
                pos += 32;
            }
            else
            {
                pos += 16;
            }
            // LoaderFlags
            pos += 4;
            // NumberOfRvaAndSizes
            pos += 4;
            // 16 DataDirectory entries, each is 8 bytes 4byte VA, 4byte Size
            // we care about #6 since it's where we will find the GUID
            pos += 6 * 8;
            extracted_struct.DebugDirPos  = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.DebugDirSize = BitConverter.ToUInt32(block, pos); pos += 4;
            // move to IAT directory
            pos += 5 * 8;
            extracted_struct.ImportDirPos  = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.ImportDirSize = BitConverter.ToUInt32(block, pos); pos += 4;
            // move to "COM" directory (.net PE check)
            pos += 8;
            extracted_struct.ClrAddress = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.ClrSize    = BitConverter.ToUInt32(block, pos); pos += 4;
            if (extracted_struct.ClrAddress != 0)
            {
                extracted_struct.IsCLR = true;
            }

            var CurrEnd = extracted_struct.SizeOfHeaders;

            /// implicit section for header
            extracted_struct.Sections.Add(new MiniSection {
                VirtualSize = CurrEnd, RawFileSize = CurrEnd, RawFilePointer = 0, VirtualAddress = 0, Name = ".PEHeader", Characteristics = 0x20000000
            });

            // get to sections
            pos = blockOffset + headerOffset + (extracted_struct.Is64 ? 0x108 : 0xF8);
            for (int i = 0; i < extracted_struct.NumberOfSections; i++)
            {
                /*var rawStr = BitConverter.ToString(block, pos, 8); */
                var rawStr = new String(
                    new char[8] {
                    (char)block[pos], (char)block[pos + 1], (char)block[pos + 2], (char)block[pos + 3],
                    (char)block[pos + 4], (char)block[pos + 5], (char)block[pos + 6], (char)block[pos + 7]
                }); pos += 8;

                var secStr = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                var Size           = BitConverter.ToUInt32(block, pos); pos += 4;
                var Pos            = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawSize        = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawPos         = BitConverter.ToUInt32(block, pos); pos += 0x10;
                var characteristic = BitConverter.ToUInt32(block, pos); pos += 4;

                var currSecNfo = new MiniSection {
                    VirtualSize = Size, VirtualAddress = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr, Characteristics = characteristic
                };
                extracted_struct.Sections.Add(currSecNfo);

                if (Verbose > 2)
                {
                    Write($" section [{secStr}] ");
                }

                //optimize reloc for easy access
                if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                {
                    extracted_struct.RelocSize = Size;
                    extracted_struct.RelocPos  = Pos;
                }
            }

            return(extracted_struct);
        }
Esempio n. 6
0
        public static Extract IsBlockaPE(byte[] block)
        {
            Extract extracted_struct = new Extract();

            if (BitConverter.ToInt16(block, 0) != 0x5A4D)
            {
                return(null);
            }

            var headerOffset = BitConverter.ToInt32(block, 0x3C);

            if (headerOffset > 3000)
            {
                // bad probably
                return(null);
            }

            if (BitConverter.ToInt32(block, headerOffset) != 0x00004550)
            {
                return(null);
            }

            var pos = headerOffset + 6;

            extracted_struct.NumberOfSections  = BitConverter.ToInt16(block, pos); pos += 2;
            extracted_struct.SectionPosOffsets = new List <MiniSection>();
            //pos += 2;

            extracted_struct.TimeStamp = BitConverter.ToUInt32(block, pos); pos += 4;
            pos += 8;
            extracted_struct.secOff = BitConverter.ToUInt16(block, pos); pos += 2;
            pos += 2;
            var magic = BitConverter.ToUInt16(block, pos); pos += 2;

            extracted_struct.Is64 = magic == 0x20b;

            if (extracted_struct.Is64)
            {
                pos += 14;
                extracted_struct.EntryPoint      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.BaseOfCode      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.ImageBaseOffset = pos;
                extracted_struct.ImageBase       = BitConverter.ToUInt64(block, pos); pos += 8;
            }
            else
            {
                pos += 18;
                extracted_struct.EntryPoint      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.BaseOfCode      = BitConverter.ToUInt32(block, pos); pos += 4;
                extracted_struct.ImageBaseOffset = pos;
                extracted_struct.ImageBase       = BitConverter.ToUInt32(block, pos); pos += 4;
            }
            extracted_struct.SectionAlignment = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.FileAlignment    = BitConverter.ToUInt32(block, pos); pos += 4;

            pos += 16;

            extracted_struct.SizeOfImage   = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.SizeOfHeaders = BitConverter.ToUInt32(block, pos); pos += 4;
            // checksum
            pos += 4;
            // subsys/characteristics
            pos += 4;
            // SizeOf/Stack/Heap/Reserve/Commit
            if (extracted_struct.Is64)
            {
                pos += 32;
            }
            else
            {
                pos += 16;
            }
            // LoaderFlags
            pos += 4;
            // NumberOfRvaAndSizes
            pos += 4;
            // 16 DataDirectory entries, each is 8 bytes 4byte VA, 4byte Size
            // we care about #6 since it's where we will find the GUID
            pos += 6 * 8;
            extracted_struct.DebugDirPos  = BitConverter.ToUInt32(block, pos); pos += 4;
            extracted_struct.DebugDirSize = BitConverter.ToUInt32(block, pos); pos += 4;


            var CurrEnd = extracted_struct.SizeOfHeaders;

            /// implicit section for header
            extracted_struct.SectionPosOffsets.Add(new MiniSection {
                VirtualSize = 0x1000, RawFileSize = 0x400, RawFilePointer = 0, VirtualOffset = 0, Name = "PEHeader"
            });

            // get to sections
            pos = headerOffset + (extracted_struct.Is64 ? 0x108 : 0xF8);
            for (int i = 0; i < extracted_struct.NumberOfSections; i++)
            {
                /*var rawStr = BitConverter.ToString(block, pos, 8); */
                var rawStr = new String(
                    new char[8] {
                    (char)block[pos], (char)block[pos + 1], (char)block[pos + 2], (char)block[pos + 3],
                    (char)block[pos + 4], (char)block[pos + 5], (char)block[pos + 6], (char)block[pos + 7]
                }); pos += 8;

                var secStr = new string(rawStr.Where(c => char.IsLetterOrDigit(c) || char.IsPunctuation(c)).ToArray());

                var Size    = BitConverter.ToUInt32(block, pos); pos += 4;
                var Pos     = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawSize = BitConverter.ToUInt32(block, pos); pos += 4;
                var rawPos  = BitConverter.ToUInt32(block, pos); pos += 4;

                var currSecNfo = new MiniSection {
                    VirtualSize = Size, VirtualOffset = Pos, RawFileSize = rawSize, RawFilePointer = rawPos, Name = secStr
                };
                extracted_struct.SectionPosOffsets.Add(currSecNfo);

                if (Verbose > 2)
                {
                    Write($" section [{secStr}] ");
                }

                if (secStr.StartsWith(@".reloc", StringComparison.Ordinal))
                {
                    extracted_struct.RelocSize = Size;
                    extracted_struct.RelocPos  = Pos;
                }

                pos += 0x10;
            }

            return(extracted_struct);
        }