private uint DecompressUInt(int offset) { uint length = 0; byte first = _stream.GetByte(offset); // bytes are read in reverse order to get back to little endian format for windows, these // numbers are stored in big endian format. if (first <= 127) { length = _stream.GetByte(offset) & CompressedByteMask; } else if (first <= 191) { byte[] toRead = new byte[2]; toRead[0] = _stream.GetByte(offset + 1); toRead[1] = _stream.GetByte(offset + 0); length = FieldReader.ToUInt32(toRead, 0, 2) & CompressedShortMask; } else if (first <= 223) { byte[] toRead = new byte[4]; toRead[0] = _stream.GetByte(offset + 3); toRead[1] = _stream.GetByte(offset + 2); toRead[2] = _stream.GetByte(offset + 1); toRead[3] = _stream.GetByte(offset + 0); length = FieldReader.ToUInt32(toRead, 0, 4) & CompressedIntMask; } return(length); }
static void Main(string[] args) { // the argument is going to be a library to load PeCoffFile peCoffFile = new PeCoffFile(args[0], new FileSystem()); peCoffFile.Initialise(); BlobStream blobStream = peCoffFile.GetMetadataDirectory().Streams[Streams.BlobStream] as BlobStream; Console.WriteLine("Library Loaded"); string input = Console.ReadLine(); while (input != "q") { int offset = 0; string[] command = input.Split(' '); byte[] contents; switch (command[0]) { case "bytes": // print the bytes for the signiture at offset offset = int.Parse(command[1]); byte[] signiture = blobStream.GetSignitureContents(offset); Console.WriteLine(FieldReader.ToHexString(signiture, 0, signiture.Length)); break; case "tokens": offset = int.Parse(command[1]); try { /* * Signatures type = (Signatures)Enum.Parse(typeof(Signatures), command[2]); * Signiture sig = blobStream.GetSigniture(1, type); * Console.WriteLine(sig.ToString()); */ SignatureBuilder builder1 = new SignatureBuilder(blobStream); Signature sig1 = builder1.Read(offset); Console.WriteLine(sig1.ToString()); } catch (Exception) { Console.WriteLine($"Could not read signiture as a {command[2]}"); } finally { } break; case "length": Console.WriteLine(blobStream.GetLength(int.Parse(command[1]))); break; case "first": offset = int.Parse(command[1]); byte[] a = blobStream.GetSignitureContents(offset); CallingConventions conventions = (CallingConventions)(a[0] & 0x0F); Console.WriteLine(conventions); break; case "all": StringBuilder output = new StringBuilder(); blobStream.GetRange(0, (uint)blobStream.GetLength()); for (int i = 0; i < blobStream.GetLength(); i++) { if (i == 0) { output.Append($"{i.ToString()}: "); } if (i != 0 && i % 16 == 0) { Console.WriteLine(output.ToString()); output.Clear(); output.Append($"{i.ToString()}: "); } output.Append($"{blobStream.GetByte(i).ToString("X2")} "); } break; case "report": offset = int.Parse(command[1]); Console.WriteLine("Original code signiture retrieval: "); contents = blobStream.GetSignitureContents(offset); Console.WriteLine(FieldReader.ToHexString(contents, 0, contents.Length)); Console.WriteLine($" byte at {offset}: 0x{blobStream.GetByte(offset).ToString("X2")}"); SignatureBuilder builder = new SignatureBuilder(blobStream); Console.WriteLine($" length: {builder.GetLength(offset)}"); contents = builder.GetSignitureBytes(offset); Console.WriteLine(" contents:"); Console.WriteLine(FieldReader.ToHexString(contents, 0, contents.Length)); break; } Console.WriteLine(); input = Console.ReadLine(); } }