internal PeHeaderReader(string filePath)
{
// Read in the DLL or EXE and get the timestamp
using (var stream = new FileStream(filePath, FileMode.Open, FileAccess.Read))
{
var reader = new BinaryReader(stream);
_dosHeader = FromBinaryReader <ImageDosHeader>(reader);
// Add 4 bytes to the offset
stream.Seek(_dosHeader.ELfanew, SeekOrigin.Begin);
var ntHeadersSignature = reader.ReadUInt32();
_fileHeader = FromBinaryReader <ImageFileHeader>(reader);
if (Is32BitHeader)
{
_optionalHeader32 = FromBinaryReader <ImageOptionalHeader32>(reader);
}
else
{
_optionalHeader64 = FromBinaryReader <ImageOptionalHeader64>(reader);
}
_imageSectionHeaders = new ImageSectionHeader[_fileHeader.NumberOfSections];
for (var headerNo = 0; headerNo < _imageSectionHeaders.Length; ++headerNo)
{
_imageSectionHeaders[headerNo] = FromBinaryReader <ImageSectionHeader>(reader);
}
}
}
public void Read(Stream input)
{
this.DosHeader = input.ReadStructure <ImageDosHeader>();
if (this.DosHeader.Magic != 0x5A4D) // MZ
{
throw new FormatException("dos header has bad magic");
}
input.Seek(this.DosHeader.NewExeOffset, SeekOrigin.Begin);
this.NTHeaders = input.ReadStructure <ImageNTHeaders32>();
if (this.NTHeaders.Signature != 0x4550 || this.NTHeaders.FileHeader.SizeOfOptionalHeader != 0xE0) // PE
{
throw new FormatException("nt header has bad signature");
}
else if (this.NTHeaders.OptionalHeader.Magic != 0x10B) // IMAGE_NT_OPTIONAL_HDR32_MAGIC
{
throw new FormatException("optional header has bad magic");
}
this.Sections = new List <ImageSectionHeader>();
for (int i = 0; i < this.NTHeaders.FileHeader.NumberOfSections; i++)
{
this.Sections.Add(input.ReadStructure <ImageSectionHeader>());
}
}
/// <summary>
/// Obtains a section from the given file information.
/// </summary>
/// <param name="rawData"></param>
/// <param name="index"></param>
/// <param name="dosHeader"></param>
/// <param name="ntHeaders"></param>
/// <returns></returns>
public static ImageSectionHeader GetSection(byte[] rawData, int index, ImageDosHeader dosHeader, ImageNtHeaders32 ntHeaders)
{
var sectionSize = Marshal.SizeOf(typeof(ImageSectionHeader));
var optionalHeaderOffset = Marshal.OffsetOf(typeof(ImageNtHeaders32), "OptionalHeader").ToInt32();
var dataOffset = dosHeader.e_lfanew + optionalHeaderOffset + ntHeaders.FileHeader.SizeOfOptionalHeader;
return(GetStructure <ImageSectionHeader>(rawData, dataOffset + (index * sectionSize)));
}
internal static ImageDosHeader FromReadingContext(ReadingContext context)
{
var reader = context.Reader;
var header = new ImageDosHeader
{
StartOffset = reader.Position,
Magic = reader.ReadUInt16()
};
reader.Position = 0x3C;
header.Lfanew = reader.ReadUInt32();
return(header);
}
public PeHeaderReader(RemoteProcess process, IntPtr moduleBase) : base(process, moduleBase)
{
DosHeader = new ImageDosHeader(process, moduleBase);
NtHeader = new ImageNtHeader(process, moduleBase + (int)DosHeader.e_lfanew, Is64Bit);
var numSections = (int)NtHeader.FileHeader.NumberOfSections;
var secHeaderStart = DosHeader.e_lfanew + NtHeader.FileHeader.SizeOfOptionalHeader + 0x18;
SectionHeaders = new ImageSectionHeaders(process, moduleBase + (int)secHeaderStart, numSections);
var exportDirVa = NtHeader.OptionalHeader.DataDirectory[0].VirtualAddress;
if (exportDirVa != 0)
{
ExportDirectory = new ImageExportDirectory(process, moduleBase + (int)exportDirVa);
}
}
public void ImageDosHeaderConstructorWorks_Test()
{
var idh = new ImageDosHeader(new BufferFile(RawStructures.RawDosHeader), 0);
Assert.Equal((uint)0x1100, idh.E_magic);
Assert.Equal((uint)0x3322, idh.E_cblp);
Assert.Equal((uint)0x5544, idh.E_cp);
Assert.Equal((uint)0x7766, idh.E_crlc);
Assert.Equal((uint)0x9988, idh.E_cparhdr);
Assert.Equal((uint)0xbbaa, idh.E_minalloc);
Assert.Equal((uint)0xddcc, idh.E_maxalloc);
Assert.Equal((uint)0x00ff, idh.E_ss);
Assert.Equal((uint)0x2211, idh.E_sp);
Assert.Equal((uint)0x4433, idh.E_csum);
Assert.Equal((uint)0x6655, idh.E_ip);
Assert.Equal((uint)0x8877, idh.E_cs);
Assert.Equal((uint)0xaa99, idh.E_lfarlc);
Assert.Equal((uint)0xccbb, idh.E_ovno);
AssertEqual(new ushort[]
{
0xeedd,
0x00ff,
0x2211,
0x4433
}, idh.E_res);
Assert.Equal((uint)0x6655, idh.E_oemid);
Assert.Equal((uint)0x8877, idh.E_oeminfo);
AssertEqual(new ushort[]
{
0xaa99,
0xccbb,
0xeedd,
0x11ff,
0x3322,
0x5544,
0x7766,
0x9988,
0xbbaa,
0xbbcc
}, idh.E_res2);
}
bool IBinaryConverter <ImageDosHeader> .Convert(ref ImageDosHeader s, uint startOffset, uint size)
{
Checksum = s.e_csum;
Type = s.e_magic;
NtHeaderAddress = s.e_lfanew;
OemID = s.e_oemid;
OemInfo = s.e_oeminfo;
PagesCount = s.e_cp;
StackPointer = s.e_sp;
ReallocationCount = s.e_crlc;
ReallocationHeaderAddress = s.e_lfarlc;
MsDosStubProgram = startOffset + size;
UpdateVirtualInfo(startOffset, size);
if (IsExecutable)
{
UpdateFileInfo(GetSignature(s.e_magic), startOffset, size);
}
return(true);
}
public PeHeaderParser(RemoteProcess process, IntPtr moduleBase) : base(process, moduleBase)
{
DosHeader = new ImageDosHeader(process, moduleBase);
}
public ImageDosHeaderNode(HexDocument doc, ImageDosHeader dosHeader)
: base((ulong)dosHeader.StartOffset, (ulong)dosHeader.EndOffset - 1)
{
this.imageDosHeaderVM = new ImageDosHeaderVM(this, doc, StartOffset);
}
public ImageDosHeaderNode(HexBuffer buffer, ImageDosHeader dosHeader)
: base(HexSpan.FromBounds((ulong)dosHeader.StartOffset, (ulong)dosHeader.EndOffset))
{
imageDosHeaderVM = new ImageDosHeaderVM(this, buffer, Span.Start);
}
