private static OffsetConverter CreateConverter(LWin32 assembly, ulong offset, int type)
{
OffsetConverter converter;
switch (type)
{
case 2:
converter = new OffsetConverter(Section.GetSectionByRva(assembly, (uint)offset));
break;
case 3:
converter = new OffsetConverter(Section.GetSectionByRva(assembly, (uint)(offset - assembly._ntHeader.OptionalHeader.ImageBase)));
break;
default: // case 1:
converter = new OffsetConverter(Section.GetSectionByFileOffset(assembly, (uint)offset));
break;
}
if (converter.TargetSection == null)
{
converter = new OffsetConverter(assembly);
}
return(converter);
}
internal static PeImage LoadFromAssembly(LWin32 assembly)
{
return(new PeImage(assembly._path)
{
ParentAssembly = assembly
});
}
/// <summary>
/// Loads an assembly from a specific file using the specific reading parameters.
/// </summary>
/// <param name="file">The file to read.</param>
/// <param name="arguments">The reading parameters to use.</param>
/// <returns></returns>
/// <exception cref="System.BadImageFormatException"></exception>
public static LWin32 LoadFile(string file, ReadingParameters arguments)
{
try
{
LWin32 a = new LWin32();
a._path = file;
a.ReadingArguments = arguments;
a._peImage = PeImage.LoadFromAssembly(a);
a._headerReader = PeHeaderReader.FromAssembly(a);
a._ntHeader = NTHeader.FromAssembly(a);
a._mzHeader = MZHeader.FromAssembly(a);
a._headerReader.LoadData(arguments.IgnoreDataDirectoryAmount);
if (!arguments.OnlyManaged)
{
a._importExportTableReader = new ImportExportTableReader(a._ntHeader);
a._resourcesReader = new ResourcesReader(a._ntHeader);
}
a._netHeader = NETHeader.FromAssembly(a);
a._peImage.SetOffset(a._ntHeader.OptionalHeader.HeaderSize);
return(a);
}
catch (Exception ex)
{
if (ex is AccessViolationException || ex is FileNotFoundException)
{
throw;
}
throw new BadImageFormatException("The file is not a valid Portable Executable File.", ex);
}
}
internal static PeHeaderReader FromAssembly(LWin32 assembly)
{
PeHeaderReader headerreader = new PeHeaderReader();
headerreader.assembly = assembly;
headerreader.image = assembly._peImage;
return headerreader;
}
/// <summary>
/// Gets the Portable Executeable's MZ header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the mz header</param>
/// <returns></returns>
public static MZHeader FromAssembly(LWin32 assembly)
{
MZHeader a = new MZHeader();
a._assembly = assembly;
return(a);
}
/// <summary>
/// Gets the Portable Executeable's file header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the mz header</param>
/// <returns></returns>
public static FileHeader FromAssembly(LWin32 assembly)
{
FileHeader a = new FileHeader();
a._assembly = assembly;
a._headerReader = assembly._headerReader;
return(a);
}
/// <summary>
/// Gets the 64 bit optional header by specifing a 64 bit assembly.
/// </summary>
/// <param name="assembly">The assembly to read the optional header</param>
/// <returns></returns>
public static OptionalHeader64 FromAssembly(LWin32 assembly)
{
OptionalHeader64 a = new OptionalHeader64();
a.assembly = assembly;
a.header = assembly._headerReader;
return(a);
}
internal static PeHeaderReader FromAssembly(LWin32 assembly)
{
PeHeaderReader headerreader = new PeHeaderReader();
headerreader.assembly = assembly;
headerreader.image = assembly._peImage;
return(headerreader);
}
internal Section(LWin32 assembly,
uint headeroffset,
Structures.IMAGE_SECTION_HEADER rawHeader)
{
this._rawHeader = rawHeader;
this.headeroffset = headeroffset;
this.assembly = assembly;
this.HasImage = true;
}
/// <summary>
/// Converts the offset to an Ascii String pointer.
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public ulong ToAsciiStringPtr(LWin32 assembly)
{
Section targetsection = Section.GetSectionByRva(assembly, Rva);
ulong stroffset = Va - assembly._ntHeader.OptionalHeader.ImageBase - targetsection.RVA + targetsection.RawOffset;
// if (stroffset < 0)
// throw new ArgumentException("The target offset is not a valid offset to a string");
return(stroffset);
}
/// <summary>
/// Creates an instance of an offset by specifying a raw offset.
/// </summary>
/// <param name="rawoffset">The file offset.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromFileOffset(uint rawoffset, LWin32 assembly)
{
if (rawoffset == 0)
return new Offset(0, 0, 0);
if (assembly == null)
return new Offset(rawoffset, 0, 0);
OffsetConverter offsetconverter = CreateConverter(assembly, rawoffset, 1);
return new Offset(rawoffset, offsetconverter.FileOffsetToRva(rawoffset), offsetconverter.FileOffsetToVa(rawoffset));
}
internal Section(LWin32 assembly,
uint headeroffset,
Structures.IMAGE_SECTION_HEADER rawHeader)
{
this._rawHeader = rawHeader;
this.headeroffset = headeroffset;
this.assembly = assembly;
this.HasImage = true;
}
/// <summary>
/// Gets the Portable Executeable's NT header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the nt header</param>
/// <returns></returns>
public static NTHeader FromAssembly(LWin32 assembly)
{
NTHeader a = new NTHeader();
a._assembly = assembly;
a._file = assembly._path;
a._header = assembly._headerReader;
a._fheader = FileHeader.FromAssembly(assembly);
return(a);
}
// /// <summary>
// /// Gets the address of the library reference in the portable executable file.
// /// </summary>
// public uint Address
// {
// get { return rawDescriptor.; }
// }
/// <summary>
/// Resolves the asembly by checking the directory of the assembly, the system directories and the current directory.
/// </summary>
/// <param name="parentAssembly">The parent assembly to search from. You can fill in a null value, but it can influent the result.</param>
/// <param name="disableWOW64Redirection">Disables WOW64 layer redirections to get access 64 bit directories. Default value is true.</param>
/// <returns></returns>
public LWin32 Resolve(LWin32 parentAssembly, bool disableWOW64Redirection = true)
{
LWin32 assembly;
if (disableWOW64Redirection)
ASMGlobals.Wow64EnableWow64FsRedirection(false);
try
{
string actualpath = "";
if (parentAssembly != null)
{
string path = parentAssembly._path.Substring(0, parentAssembly._path.LastIndexOf("\\"));
if (File.Exists(path + "\\" + LibraryName))
{
actualpath = path + "\\" + LibraryName;
goto things;
}
}
if (parentAssembly._ntHeader.OptionalHeader.Is32Bit)
{
if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName))
actualpath = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName;
}
else if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName))
actualpath = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName;
if (actualpath == "" & File.Exists(Environment.CurrentDirectory + "\\" + LibraryName))
actualpath = Environment.CurrentDirectory + "\\" + LibraryName;
things:
if (actualpath == "")
throw new ResolveException(new FileNotFoundException("The target application can not be found."));
try
{
assembly = LWin32.LoadFile(actualpath);
}
catch (Exception ex)
{
throw new ResolveException(ex);
}
}
catch
{
if (disableWOW64Redirection)
ASMGlobals.Wow64EnableWow64FsRedirection(true);
throw;
}
finally
{
if (disableWOW64Redirection)
ASMGlobals.Wow64EnableWow64FsRedirection(true);
}
return assembly;
}
private bool TryGetAssemblyGac(string gacDirectory, string name, out LWin32 resolvedAssembly)
{
resolvedAssembly = null;
string folder = Path.Combine(gacDirectory, name);
if (Directory.Exists(folder))
{
return(TryGetAssembly(Directory.GetDirectories(folder)[0], name, out resolvedAssembly));
}
return(false);
}
/// <summary>
/// Gets the Portable Executeable's NT header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the nt header</param>
/// <returns></returns>
public static NETHeader FromAssembly(LWin32 assembly)
{
NETHeader header = new NETHeader();
header._assembly = assembly;
NETHeaderReader reader = new NETHeaderReader(assembly._ntHeader, header);
header._metadata = new MetaDataHeader(reader);
reader.LoadData();
header.TokenResolver = new MetaDataTokenResolver(header);
return(header);
}
/// <summary>
/// Creates an instance of an offset by specifying a virtual address.
/// </summary>
/// <param name="va">The virtual address.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromVa(ulong va, LWin32 assembly)
{
if (va == 0)
{
return(new Offset(0, 0, 0));
}
if (assembly == null)
{
return(new Offset(0, 0, va));
}
OffsetConverter offsetconverter = CreateConverter(assembly, va, 3);
return(new Offset(offsetconverter.VaToFileOffset(va), offsetconverter.VaToRva(va), va));
}
/// <summary>
/// Creates an instance of an offset by specifying a virtual address that is relative to a section.
/// </summary>
/// <param name="rva">The relative virtual address.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromRva(uint rva, LWin32 assembly)
{
if (rva == 0)
{
return(new Offset(0, 0, 0));
}
if (assembly == null)
{
return(new Offset(0, rva, 0));
}
OffsetConverter offsetconverter = CreateConverter(assembly, rva, 2);
return(new Offset(offsetconverter.RvaToFileOffset(rva), rva, offsetconverter.RvaToVa(rva)));
}
/// <summary>
/// Creates an instance of an offset by specifying a raw offset.
/// </summary>
/// <param name="rawoffset">The file offset.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromFileOffset(uint rawoffset, LWin32 assembly)
{
if (rawoffset == 0)
{
return(new Offset(0, 0, 0));
}
if (assembly == null)
{
return(new Offset(rawoffset, 0, 0));
}
OffsetConverter offsetconverter = CreateConverter(assembly, rawoffset, 1);
return(new Offset(rawoffset, offsetconverter.FileOffsetToRva(rawoffset), offsetconverter.FileOffsetToVa(rawoffset)));
}
private bool TryReadAssembly(string file, out LWin32 assembly)
{
assembly = null;
try
{
assembly = LWin32.LoadFile(file);
_assemblyCache.Add(file, assembly);
return(true);
}
catch
{
return(false);
}
}
public virtual LWin32 Resolve(AssemblyReference reference)
{
LWin32 resolvedAssembly = null;
string name = reference.Name;
if (reference.HasImage && !string.IsNullOrEmpty(reference.NETHeader.ParentAssembly.Path))
{
// Check directory of container assembly.
TryGetAssembly(Path.GetDirectoryName(reference.NETHeader.ParentAssembly.Path), name, out resolvedAssembly);
}
if (resolvedAssembly == null)
{
// Check gac directories.
if (!TryGetAssemblyGac(Path.Combine(_gacDirectory, "GAC_64"), name, out resolvedAssembly))
{
if (!TryGetAssemblyGac(Path.Combine(_gacDirectory, "GAC_32"), name, out resolvedAssembly))
{
TryGetAssemblyGac(Path.Combine(_gacDirectory, "GAC_MSIL"), name, out resolvedAssembly);
}
}
}
if (resolvedAssembly == null)
{
// Check search directories
foreach (var directory in SearchDirectories)
{
if (TryGetAssembly(directory, name, out resolvedAssembly))
{
break;
}
}
}
if (resolvedAssembly == null)
{
OnResolutionFailed(reference);
}
if (resolvedAssembly != null)
{
_assemblyCache.Add(reference.Name, resolvedAssembly);
}
return(resolvedAssembly);
}
public virtual TypeDefinition ResolveType(TypeReference typeRef)
{
LWin32 targetAssembly = null;
typeRef = typeRef.GetElementType();
if (typeRef.IsNested)
{
var declaringType = ResolveType(typeRef.DeclaringType);
foreach (var nestedClass in declaringType.NestedClasses)
{
if (nestedClass.Class != null && TypeRefsAreEqual(nestedClass.Class, typeRef))
{
return(nestedClass.Class);
}
}
}
else
{
if (typeRef.ResolutionScope is AssemblyDefinition)
{
targetAssembly = typeRef.ResolutionScope.NETHeader.ParentAssembly;
}
else if (typeRef.ResolutionScope is AssemblyReference)
{
targetAssembly = AssemblyResolver.Resolve(typeRef.ResolutionScope as AssemblyReference);
}
if (targetAssembly == null)
{
return(null);
}
var typesTable = targetAssembly.NETHeader.TablesHeap.GetTable(MetaDataTableType.TypeDef);
foreach (TypeDefinition member in typesTable.Members)
{
if (TypeRefsAreEqual(member, typeRef))
{
return(member);
}
}
}
return(null);
}
/// <summary>
/// Converts the offset to an imported or exported method/
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public IMethod ToMethod(LWin32 assembly)
{
foreach (LibraryReference lib in assembly.LibraryImports)
{
foreach (ImportMethod method in lib.ImportMethods)
{
if (method.RVA + assembly._ntHeader.OptionalHeader.ImageBase == Va)
{
return(method);
}
}
}
foreach (ExportMethod method in assembly.LibraryExports)
{
if (Va == method.RVA + assembly._ntHeader.OptionalHeader.ImageBase)
{
return(method);
}
}
throw new ArgumentException("No matching method has been found.");
}
private bool TryGetAssembly(string directory, string name, out LWin32 resolvedAssembly)
{
resolvedAssembly = null;
var extensions = new string[] { ".exe", ".dll" };
foreach (var extension in extensions)
{
string file = Path.Combine(directory, name + extension);
if (_assemblyCache.TryGetValue(file, out resolvedAssembly))
{
return(true);
}
if (File.Exists(file))
{
return(TryReadAssembly(file, out resolvedAssembly));
}
}
return(false);
}
/// <summary>
/// Gets the section of an assembly by it's raw offset.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="rawoffset">The raw offset to search for.</param>
/// <returns></returns>
public static Section GetSectionByFileOffset(LWin32 assembly, uint rawoffset)
{
return GetSectionByFileOffset(assembly._ntHeader.Sections, rawoffset);
}
public OffsetConverter(LWin32 assembly)
{
TargetSection = new Section(assembly, 0, default(Structures.IMAGE_SECTION_HEADER));
}
/// <summary>
/// Gets the last section of an assembly that contains the specified flag
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="characteristics">The flag to search for.</param>
/// <returns></returns>
public static Section GetLastSectionByFlag(LWin32 assembly, SectionFlags characteristics)
{
return GetLastSectionByFlag(assembly._ntHeader.Sections, characteristics);
}
/// <summary>
/// Gets the Portable Executeable's MZ header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the mz header</param>
/// <returns></returns>
public static MZHeader FromAssembly(LWin32 assembly)
{
MZHeader a = new MZHeader();
a._assembly = assembly;
return a;
}
/// <summary>
/// Creates an instance of an offset by specifying a virtual address that is relative to a section.
/// </summary>
/// <param name="rva">The relative virtual address.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromRva(uint rva, LWin32 assembly)
{
if (rva == 0)
return new Offset(0, 0, 0);
if (assembly == null)
return new Offset(0, rva, 0);
OffsetConverter offsetconverter = CreateConverter(assembly, rva, 2);
return new Offset(offsetconverter.RvaToFileOffset(rva), rva, offsetconverter.RvaToVa(rva));
}
private static OffsetConverter CreateConverter(LWin32 assembly, ulong offset, int type)
{
OffsetConverter converter;
switch (type)
{
case 2:
converter = new OffsetConverter(Section.GetSectionByRva(assembly, (uint)offset));
break;
case 3:
converter = new OffsetConverter(Section.GetSectionByRva(assembly, (uint)(offset - assembly._ntHeader.OptionalHeader.ImageBase)));
break;
default: // case 1:
converter = new OffsetConverter(Section.GetSectionByFileOffset(assembly, (uint)offset));
break;
}
if (converter.TargetSection == null)
converter = new OffsetConverter(assembly);
return converter;
}
/// <summary>
/// Gets the section of an assembly by it's name.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="sectionname">The section name to search for.</param>
/// <returns></returns>
public static Section GetSectionByName(LWin32 assembly, string sectionname)
{
return(GetSectionByName(assembly.NTHeader.Sections, sectionname));
}
/// <summary>
/// Converts the offset to an Ascii String pointer.
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public ulong ToAsciiStringPtr(LWin32 assembly)
{
Section targetsection = Section.GetSectionByRva(assembly, Rva);
ulong stroffset = Va - assembly._ntHeader.OptionalHeader.ImageBase - targetsection.RVA + targetsection.RawOffset;
// if (stroffset < 0)
// throw new ArgumentException("The target offset is not a valid offset to a string");
return stroffset;
}
public bool CanLoad(string FName, out string descr)
{
ldr = LWin32.LoadFile(FName);
descr = "Win32 Loader";
return (ldr.NTHeader.Signature == ImageSignature.NT);
}
public IntPtr LoadFile(string FName)
{
this.FName = FName;
ldr = LWin32.LoadFile(FName);
return IntPtr.Zero;
}
public OffsetConverter(LWin32 assembly)
{
TargetSection = new Section(assembly, 0, default(Structures.IMAGE_SECTION_HEADER));
}
/// <summary>
/// Creates an instance of an offset by specifying a virtual address.
/// </summary>
/// <param name="va">The virtual address.</param>
/// <param name="assembly">The assembly containing the offset.</param>
/// <returns></returns>
public static Offset FromVa(ulong va, LWin32 assembly)
{
if (va == 0)
return new Offset(0, 0, 0);
if (assembly == null)
return new Offset(0, 0, va);
OffsetConverter offsetconverter = CreateConverter(assembly, va, 3);
return new Offset(offsetconverter.VaToFileOffset(va), offsetconverter.VaToRva(va), va);
}
/// <summary>
/// Gets the Portable Executeable's file header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the mz header</param>
/// <returns></returns>
public static FileHeader FromAssembly(LWin32 assembly)
{
FileHeader a = new FileHeader();
a._assembly = assembly;
a._headerReader = assembly._headerReader;
return a;
}
private bool TryGetAssemblyGac(string gacDirectory, string name, out LWin32 resolvedAssembly)
{
resolvedAssembly = null;
string folder = Path.Combine(gacDirectory, name);
if (Directory.Exists(folder))
{
return TryGetAssembly(Directory.GetDirectories(folder)[0], name, out resolvedAssembly);
}
return false;
}
/// <summary>
/// Gets the section of an assembly by it's name.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="sectionname">The section name to search for.</param>
/// <returns></returns>
public static Section GetSectionByName(LWin32 assembly, string sectionname)
{
return GetSectionByName(assembly.NTHeader.Sections, sectionname);
}
/// <summary>
/// Converts the offset to an imported or exported method/
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public IMethod ToMethod(LWin32 assembly)
{
foreach (LibraryReference lib in assembly.LibraryImports)
foreach (ImportMethod method in lib.ImportMethods)
{
if (method.RVA + assembly._ntHeader.OptionalHeader.ImageBase == Va)
return method;
}
foreach (ExportMethod method in assembly.LibraryExports)
{
if (Va == method.RVA + assembly._ntHeader.OptionalHeader.ImageBase)
return method;
}
throw new ArgumentException("No matching method has been found.");
}
/// <summary>
/// Gets the section of an assembly by it's virtual offset.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="va">The virtual offset to search for.</param>
/// <returns></returns>
public static Section GetSectionByRva(LWin32 assembly, uint va)
{
return GetSectionByRva(assembly._ntHeader.Sections, va);
}
/// <summary>
/// Loads an assembly from a specific file using the specific reading parameters.
/// </summary>
/// <param name="file">The file to read.</param>
/// <param name="arguments">The reading parameters to use.</param>
/// <returns></returns>
/// <exception cref="System.BadImageFormatException"></exception>
public static LWin32 LoadFile(string file, ReadingParameters arguments)
{
try
{
LWin32 a = new LWin32();
a._path = file;
a.ReadingArguments = arguments;
a._peImage = PeImage.LoadFromAssembly(a);
a._headerReader = PeHeaderReader.FromAssembly(a);
a._ntHeader = NTHeader.FromAssembly(a);
a._mzHeader = MZHeader.FromAssembly(a);
a._headerReader.LoadData(arguments.IgnoreDataDirectoryAmount);
if (!arguments.OnlyManaged)
{
a._importExportTableReader = new ImportExportTableReader(a._ntHeader);
a._resourcesReader = new ResourcesReader(a._ntHeader);
}
a._netHeader = NETHeader.FromAssembly(a);
a._peImage.SetOffset(a._ntHeader.OptionalHeader.HeaderSize);
return a;
}
catch (Exception ex)
{
if (ex is AccessViolationException || ex is FileNotFoundException)
throw;
throw new BadImageFormatException("The file is not a valid Portable Executable File.", ex);
}
}
// /// <summary>
// /// Gets the address of the library reference in the portable executable file.
// /// </summary>
// public uint Address
// {
// get { return rawDescriptor.; }
// }
/// <summary>
/// Resolves the asembly by checking the directory of the assembly, the system directories and the current directory.
/// </summary>
/// <param name="parentAssembly">The parent assembly to search from. You can fill in a null value, but it can influent the result.</param>
/// <param name="disableWOW64Redirection">Disables WOW64 layer redirections to get access 64 bit directories. Default value is true.</param>
/// <returns></returns>
public LWin32 Resolve(LWin32 parentAssembly, bool disableWOW64Redirection = true)
{
LWin32 assembly;
if (disableWOW64Redirection)
{
ASMGlobals.Wow64EnableWow64FsRedirection(false);
}
try
{
string actualpath = "";
if (parentAssembly != null)
{
string path = parentAssembly._path.Substring(0, parentAssembly._path.LastIndexOf("\\"));
if (File.Exists(path + "\\" + LibraryName))
{
actualpath = path + "\\" + LibraryName;
goto things;
}
}
if (parentAssembly._ntHeader.OptionalHeader.Is32Bit)
{
if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName))
{
actualpath = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName;
}
}
else if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName))
{
actualpath = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName;
}
if (actualpath == "" & File.Exists(Environment.CurrentDirectory + "\\" + LibraryName))
{
actualpath = Environment.CurrentDirectory + "\\" + LibraryName;
}
things:
if (actualpath == "")
{
throw new ResolveException(new FileNotFoundException("The target application can not be found."));
}
try
{
assembly = LWin32.LoadFile(actualpath);
}
catch (Exception ex)
{
throw new ResolveException(ex);
}
}
catch
{
if (disableWOW64Redirection)
{
ASMGlobals.Wow64EnableWow64FsRedirection(true);
}
throw;
}
finally
{
if (disableWOW64Redirection)
{
ASMGlobals.Wow64EnableWow64FsRedirection(true);
}
}
return(assembly);
}
/// <summary>
/// Gets the section of an assembly by it's raw offset.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="rawoffset">The raw offset to search for.</param>
/// <returns></returns>
public static Section GetSectionByFileOffset(LWin32 assembly, uint rawoffset)
{
return(GetSectionByFileOffset(assembly._ntHeader.Sections, rawoffset));
}
/// <summary>
/// Gets the last section of an assembly that contains the specified flag
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="characteristics">The flag to search for.</param>
/// <returns></returns>
public static Section GetLastSectionByFlag(LWin32 assembly, SectionFlags characteristics)
{
return(GetLastSectionByFlag(assembly._ntHeader.Sections, characteristics));
}
/// <summary>
/// Gets the Portable Executeable's NT header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the nt header</param>
/// <returns></returns>
public static NETHeader FromAssembly(LWin32 assembly)
{
NETHeader header = new NETHeader();
header._assembly = assembly;
NETHeaderReader reader = new NETHeaderReader(assembly._ntHeader, header);
header._metadata = new MetaDataHeader(reader);
reader.LoadData();
header.TokenResolver = new MetaDataTokenResolver(header);
return header;
}
/// <summary>
/// Gets the section of an assembly by it's virtual offset.
/// </summary>
/// <param name="assembly">The assembly to search in.</param>
/// <param name="va">The virtual offset to search for.</param>
/// <returns></returns>
public static Section GetSectionByRva(LWin32 assembly, uint va)
{
return(GetSectionByRva(assembly._ntHeader.Sections, va));
}
private bool TryGetAssembly(string directory, string name, out LWin32 resolvedAssembly)
{
resolvedAssembly = null;
var extensions = new string[] { ".exe", ".dll" };
foreach (var extension in extensions)
{
string file = Path.Combine(directory, name + extension);
if (_assemblyCache.TryGetValue(file, out resolvedAssembly))
return true;
if (File.Exists(file))
{
return TryReadAssembly(file, out resolvedAssembly);
}
}
return false;
}
public bool CanLoad(string FName)
{
ldr = LWin32.LoadFile(FName);
return (ldr.NTHeader.Signature == ImageSignature.NT);
}
private bool TryReadAssembly(string file, out LWin32 assembly)
{
assembly = null;
try
{
assembly = LWin32.LoadFile(file);
_assemblyCache.Add(file, assembly);
return true;
}
catch
{
return false;
}
}
/// <summary>
/// Gets the Portable Executeable's NT header by specifing the assembly.
/// </summary>
/// <param name="assembly">The assembly to read the nt header</param>
/// <returns></returns>
public static NTHeader FromAssembly(LWin32 assembly)
{
NTHeader a = new NTHeader();
a._assembly = assembly;
a._file = assembly._path;
a._header = assembly._headerReader;
a._fheader = FileHeader.FromAssembly(assembly);
return a;
}
/// <summary>
/// Converts the offset to an Ascii string.
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public string ToAsciiString(LWin32 assembly)
{
return assembly._peImage.ReadZeroTerminatedString((uint)this.ToAsciiStringPtr(assembly));
}
/// <summary>
/// Gets the 64 bit optional header by specifing a 64 bit assembly.
/// </summary>
/// <param name="assembly">The assembly to read the optional header</param>
/// <returns></returns>
public static OptionalHeader64 FromAssembly(LWin32 assembly)
{
OptionalHeader64 a = new OptionalHeader64();
a.assembly = assembly;
a.header = assembly._headerReader;
return a;
}
/// <summary>
/// Converts the offset to an Ascii string.
/// </summary>
/// <param name="assembly">The assembly that contains the offset</param>
/// <returns></returns>
public string ToAsciiString(LWin32 assembly)
{
return(assembly._peImage.ReadZeroTerminatedString((uint)this.ToAsciiStringPtr(assembly)));
}