public static unsafe NTHeaders32 *GetNtHeaders32(byte *pBin)
{
MS_DOS_Stub *stub = (MS_DOS_Stub *)(pBin);
if (stub->e_magic != IMAGE_DOS_SIGNATURE)
{
throw new FormatException("Error, Invalid file. DOS Signature is incorrect.");
}
NTHeaders32 *ntHeaders = (NTHeaders32 *)(pBin + stub->e_lfanew);
if (ntHeaders->MagicNumber != IMAGE_NT_PEHEADER_SIGNATURE)
{
throw new FormatException("Error, Invalid file. PE File signature incorrect.");
}
if (ntHeaders->optnHeader.magic == Magic.PE64)
{
throw new FormatException("Error, Invalid file. 64 Bit DLL's are not supported.");
}
else if (ntHeaders->optnHeader.magic != Magic.PE32)
{
throw new FormatException("Error, Invalid file. Optional header signature is incorrect.");
}
return(ntHeaders);
}
public static unsafe List <ImportInfo> DumpImportsFromFile32(byte *pBin)
{
List <ImportInfo> importInfo = new List <ImportInfo>();
NTHeaders32 *ntHeaders = GetNtHeaders32(pBin);
ImageExportDirectory *exportDir = (ImageExportDirectory *)(pBin +
RVAtoOffset32(ntHeaders->optnHeader.importTable.VirtualAddress, ntHeaders, pBin));
return(importInfo);
}
public static unsafe List <ExportInfo> DumpExportsFromFile32(byte *pBin)
{
List <ExportInfo> exportInfo = new List <ExportInfo>();
NTHeaders32 *ntHeaders = GetNtHeaders32(pBin);
if (ntHeaders->optnHeader.exportTable.Size == 0)
{
// WARN
return(exportInfo);
}
ImageExportDirectory *exportDir = (ImageExportDirectory *)(pBin +
RVAtoOffset32(ntHeaders->optnHeader.exportTable.VirtualAddress, ntHeaders, pBin));
if (ntHeaders->optnHeader.numberOfRvaAndSizes <= 0)
{
throw new ArgumentException("Error, This file has no exports.");
}
for (UInt32 i = 0; i < exportDir->NumberOfNames; i++)
{
// Offset of Address
UInt32 Rva = (*(UInt32 *)(pBin + RVAtoOffset32(exportDir->AddressOfFunctions, ntHeaders, pBin) + (i * sizeof(UInt32))));
UInt32 Offset = (UInt32)RVAtoOffset32(Rva, ntHeaders, pBin);
UInt32 nameOffset = (UInt32)RVAtoOffset32((UInt32)exportDir->AddressOfNames, ntHeaders, pBin) + (i * sizeof(UInt32));
string methodName = Marshal.PtrToStringAnsi((IntPtr)
(pBin + RVAtoOffset32((*(UInt32 *)(pBin + nameOffset)), ntHeaders, pBin)));
UInt32 OridnalOffset = (UInt16)(RVAtoOffset32((UInt32)(exportDir->AddressOfNameOrdinals), ntHeaders, pBin) + (i * sizeof(UInt16)));
UInt32 Hint = (*(UInt16 *)(pBin + OridnalOffset));
UInt32 Ordinal = Hint + exportDir->Base;
ExportInfo ef;
ef.RVA = Rva;
ef.Offset = Offset;
ef.NameOffset = nameOffset;
ef.Name = methodName;
ef.OrdinalOffset = OridnalOffset;
ef.Hint = Hint;
ef.Ordinal = Ordinal;
exportInfo.Add(ef);
}
return(exportInfo);
}
public static unsafe UInt32 RVAtoOffset32(UInt32 rva, NTHeaders32 *ntHeaders, byte *pBin)
{
MS_DOS_Stub *stub = (MS_DOS_Stub *)(pBin);
for (int i = 0; i < ntHeaders->FileHeader.numberOfSections; i++)
{
section_table *secTable = (section_table *)(pBin + stub->e_lfanew + sizeof(NTHeaders32) + sizeof(section_table) * i);
if (secTable->virtualAddress <= rva && rva < secTable->virtualAddress + secTable->virtualSize)
{
return((UInt32)(rva) + secTable->pointerToRawData - secTable->virtualAddress);
}
}
throw new Exception("Erorr: Could not map RVA to Offset.");
}
