public Executable ReadExecutable(Stream stream)
{
var executable = new Executable
{
DosHeader = _streamBinaryMapper.ReadObject <IMAGE_DOS_HEADER>(stream)
};
stream.Position = executable.DosHeader.e_lfanew;
executable.PeHeader = _streamBinaryMapper.ReadObject <IMAGE_PE_HEADER>(stream);
executable.CoffHeader = _streamBinaryMapper.ReadObject <COFF_HEADER>(stream);
// Peek at the value of the image optional header's "magic"
// value to determine which version of the header to parse.
long beforeHeaderPeekPosition = stream.Position;
IMAGE_OPTIONAL_HDR_MAGIC headerMagic = _streamBinaryMapper.ReadValue <IMAGE_OPTIONAL_HDR_MAGIC>(stream);
stream.Position = beforeHeaderPeekPosition;
if (headerMagic == IMAGE_OPTIONAL_HDR_MAGIC.IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
executable.OptionalHeader64 = _streamBinaryMapper.ReadObject <IMAGE_OPTIONAL_HEADER64>(stream);
}
else
{
executable.OptionalHeader = _streamBinaryMapper.ReadObject <IMAGE_OPTIONAL_HEADER>(stream);
}
executable.ImageSectionHeaders = _streamBinaryMapper.ReadArray <IMAGE_SECTION_HEADER>(stream, executable.CoffHeader.NumberOfSections);
//var resourceSectionHeader = executable.ImageSectionHeaders.SingleOrDefault(x => x.Name == ".rsrc");
//if (resourceSectionHeader != null)
//{
// stream.Position = resourceSectionHeader.PointerToRawData;
// var directory = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DIRECTORY>(stream);
// var entries = _streamBinaryMapper.ReadArray<IMAGE_RESOURCE_DIRECTORY_ENTRY>(stream, (uint)directory.NumberOfIdEntries + directory.NumberOfNamedEntries);
// foreach (var entry in entries)
// {
// if (entry.IsDirectory)
// {
// stream.Position = entry.DirectoryAddress;
// var test = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DIRECTORY_ENTRY>(stream);
// stream.Position = test.OffsetToData;
// var test2 = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DATA_ENTRY>(stream);
// }
// stream.Position = entry.OffsetToData;
// var e = _streamBinaryMapper.ReadObject<IMAGE_RESOURCE_DATA_ENTRY>(stream);
// }
//}
return(executable);
}
public Minidump ReadMinidump(Stream stream)
{
var minidump = new Minidump
{
Header = _streamBinaryMapper.ReadObject <MINIDUMP_HEADER>(stream)
};
stream.Position = minidump.Header.StreamDirectoryRva;
var directories = _streamBinaryMapper.ReadArray <MINIDUMP_DIRECTORY>(stream, minidump.Header.NumberOfStreams);
foreach (var directory in directories)
{
stream.Position = directory.Location.Rva;
switch (directory.StreamType)
{
case MINIDUMP_STREAM_TYPE.ThreadListStream:
minidump.ThreadListStream = _streamBinaryMapper.ReadObject <MINIDUMP_THREAD_LIST_STREAM>(stream);
break;
case MINIDUMP_STREAM_TYPE.ModuleListStream:
minidump.ModuleListStream = _streamBinaryMapper.ReadObject <MINIDUMP_MODULE_LIST_STREAM>(stream);
foreach (var module in minidump.ModuleListStream.Modules)
{
stream.Position = module.ModuleNameRva;
module.Name = _streamBinaryMapper.ReadObject <MINIDUMP_STRING>(stream).Buffer;
minidump.Modules.Add(module);
}
break;
case MINIDUMP_STREAM_TYPE.MemoryListStream:
minidump.MemoryListStream = _streamBinaryMapper.ReadObject <MINIDUMP_MEMORY_LIST_STREAM>(stream);
break;
case MINIDUMP_STREAM_TYPE.ExceptionStream:
minidump.ExceptionStream = _streamBinaryMapper.ReadObject <MINIDUMP_EXCEPTION_STREAM>(stream);
break;
case MINIDUMP_STREAM_TYPE.SystemInfoStream:
minidump.SystemInfoStream = _streamBinaryMapper.ReadObject <MINIDUMP_SYSTEM_INFO_STREAM>(stream);
stream.Position = minidump.SystemInfoStream.CSDVersionRva;
var servicePackString = _streamBinaryMapper.ReadObject <MINIDUMP_STRING>(stream);
minidump.SystemInfoServicePack = servicePackString.Buffer;
break;
case MINIDUMP_STREAM_TYPE.MiscInfoStream:
minidump.MiscInfoStream = _streamBinaryMapper.ReadObject <MINIDUMP_MISC_INFO_STREAM>(stream);
break;
case MINIDUMP_STREAM_TYPE.ThreadInfoListStream:
minidump.ThreadInfoListStream = _streamBinaryMapper.ReadObject <MINIDUMP_THREAD_INFO_LIST_STREAM>(stream);
break;
// Add support for reading Chromium minidumps
case MINIDUMP_STREAM_TYPE.MD_LINUX_CMD_LINE:
var strs = MDReadStrings(stream, directory.Location.DataSize);
minidump.CommandLine = strs.Length > 0 ? strs[0] : "";
break;
case MINIDUMP_STREAM_TYPE.MD_LINUX_ENVIRON:
minidump.EnvironmentVariables = SplitIntoDictionary('=',
MDReadStrings(stream, directory.Location.DataSize));
break;
case MINIDUMP_STREAM_TYPE.MD_LINUX_LSB_RELEASE:
minidump.LSBRelease = MDReadStrings(stream, directory.Location.DataSize);
break;
case MINIDUMP_STREAM_TYPE.MD_LINUX_PROC_STATUS:
minidump.ProcessStatus = SplitIntoDictionary(':',
MDReadStrings(stream, directory.Location.DataSize));
break;
case MINIDUMP_STREAM_TYPE.MD_LINUX_CPU_INFO:
minidump.CpuInfo = SplitProcs(MDReadStrings(stream, directory.Location.DataSize));
break;
case MINIDUMP_STREAM_TYPE.MD_LINUX_MAPS:
minidump.LinuxMaps = MDReadStrings(stream, directory.Location.DataSize);
break;
}
}
return(minidump);
}
