// Locates and validates the 32-bit NT headers of a PE file image held in memory.
//
// pBin    pointer to the first byte of the file image.
// returns pointer to the NT headers inside that same buffer (pBin + e_lfanew).
// throws  FormatException when the DOS signature, the PE signature or the
//         optional-header magic is not the expected value, or when the
//         optional header identifies a 64-bit image.
//
// NOTE(review): e_lfanew comes straight from the file and is added to pBin
// without a range check. This method receives no buffer length, so it cannot
// tell whether the resulting pointer still lies inside the mapped file; the
// caller has to guarantee that before handing over untrusted input.
public static unsafe NTHeaders32 *GetNtHeaders32(byte *pBin)
{
    MS_DOS_Stub *dosHeader = (MS_DOS_Stub *)pBin;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        throw new FormatException("Error, Invalid file. DOS Signature is incorrect.");
    }

    // The DOS header stores the file offset of the NT headers.
    NTHeaders32 *peHeaders = (NTHeaders32 *)(pBin + dosHeader->e_lfanew);
    if (peHeaders->MagicNumber != IMAGE_NT_PEHEADER_SIGNATURE)
    {
        throw new FormatException("Error, Invalid file. PE File signature incorrect.");
    }

    // Only the PE32 optional header layout is accepted; PE64 gets its own message.
    if (peHeaders->optnHeader.magic == Magic.PE64)
    {
        throw new FormatException("Error, Invalid file. 64 Bit DLL's are not supported.");
    }

    if (peHeaders->optnHeader.magic != Magic.PE32)
    {
        throw new FormatException("Error, Invalid file. Optional header signature is incorrect.");
    }

    return peHeaders;
}
// Placeholder for import-table dumping of a 32-bit PE file image.
//
// pBin    pointer to the first byte of the file image.
// returns always an empty list: no import entry is read here.
// throws  FormatException from GetNtHeaders32 when the headers are rejected;
//         Exception from RVAtoOffset32 when the import table RVA does not fall
//         inside any section.
//
// NOTE(review): the import table address is resolved and cast to
// ImageExportDirectory*, which is the export directory type, and the pointer
// is never read. Import parsing looks unfinished - confirm before relying on
// the result.
public static unsafe List <ImportInfo> DumpImportsFromFile32(byte *pBin)
{
    NTHeaders32 *peHeaders = GetNtHeaders32(pBin);

    // Resolving the RVA is the only observable step: it throws when unmapped.
    UInt32 importTableOffset = RVAtoOffset32(peHeaders->optnHeader.importTable.VirtualAddress, peHeaders, pBin);
    ImageExportDirectory *importDir = (ImageExportDirectory *)(pBin + importTableOffset);

    return new List <ImportInfo>();
}
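// Lists the named exports of a 32-bit PE file image held in memory.
//
// pBin    pointer to the first byte of the file image.
// returns one ExportInfo per entry of the export name table; an empty list
//         when the export data directory has size 0 or holds no names.
// throws  FormatException from GetNtHeaders32 when the headers are rejected;
//         ArgumentException when numberOfRvaAndSizes is 0;
//         Exception from RVAtoOffset32 when an RVA is not inside any section.
//
// Changes against the previous version:
//  * The ordinal-table offset was cast to UInt16, which truncated it for any
//    table located past file offset 0xFFFF and made the read land on
//    unrelated bytes. It is kept as a full UInt32 now.
//  * The function RVA was taken from AddressOfFunctions[i], with i being the
//    index into the name table. In the PE export format the entry of the
//    ordinal table at that index selects the slot of the address table, so
//    the RVA is now read from AddressOfFunctions[Hint].
//
// NOTE(review): every count, RVA and index used here is read from the file
// and none is checked against the size of the buffer, because this method is
// not given one. PtrToStringAnsi also reads until it meets a NUL byte. Only
// pass images whose mapping the caller has already bounded.
public static unsafe List <ExportInfo> DumpExportsFromFile32(byte *pBin)
{
    List <ExportInfo> exportInfo = new List <ExportInfo>();
    NTHeaders32 *ntHeaders = GetNtHeaders32(pBin);

    if (ntHeaders->optnHeader.exportTable.Size == 0)
    {
        // WARN
        return(exportInfo);
    }

    ImageExportDirectory *exportDir = (ImageExportDirectory *)(pBin + RVAtoOffset32(ntHeaders->optnHeader.exportTable.VirtualAddress, ntHeaders, pBin));

    if (ntHeaders->optnHeader.numberOfRvaAndSizes <= 0)
    {
        throw new ArgumentException("Error, This file has no exports.");
    }

    // Without names the tables are never touched, exactly as before.
    if (exportDir->NumberOfNames == 0)
    {
        return(exportInfo);
    }

    // The three table locations do not change per entry, resolve them once.
    UInt32 functionsOffset = (UInt32)RVAtoOffset32(exportDir->AddressOfFunctions, ntHeaders, pBin);
    UInt32 namesOffset = (UInt32)RVAtoOffset32((UInt32)exportDir->AddressOfNames, ntHeaders, pBin);
    UInt32 ordinalsOffset = (UInt32)RVAtoOffset32((UInt32)(exportDir->AddressOfNameOrdinals), ntHeaders, pBin);

    for (UInt32 i = 0; i < exportDir->NumberOfNames; i++)
    {
        // Name table entry i holds the RVA of a NUL-terminated ANSI string.
        UInt32 nameOffset = namesOffset + (i * sizeof(UInt32));
        string methodName = Marshal.PtrToStringAnsi((IntPtr)(pBin + RVAtoOffset32((*(UInt32 *)(pBin + nameOffset)), ntHeaders, pBin)));

        // Ordinal table entry i (16 bit) is the index into the address table.
        UInt32 OridnalOffset = ordinalsOffset + (i * sizeof(UInt16));
        UInt32 Hint = (*(UInt16 *)(pBin + OridnalOffset));
        UInt32 Ordinal = Hint + exportDir->Base;

        // Offset of Address
        UInt32 Rva = (*(UInt32 *)(pBin + functionsOffset + (Hint * sizeof(UInt32))));
        UInt32 Offset = (UInt32)RVAtoOffset32(Rva, ntHeaders, pBin);

        ExportInfo ef;
        ef.RVA = Rva;
        ef.Offset = Offset;
        ef.NameOffset = nameOffset;
        ef.Name = methodName;
        ef.OrdinalOffset = OridnalOffset;
        ef.Hint = Hint;
        ef.Ordinal = Ordinal;
        exportInfo.Add(ef);
    }

    return(exportInfo);
}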
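// Translates a relative virtual address into an offset within the raw file.
//
// rva       relative virtual address to translate.
// ntHeaders NT headers of the image, as returned by GetNtHeaders32.
// pBin      pointer to the first byte of the file image.
// returns   rva + pointerToRawData - virtualAddress of the first section whose
//           [virtualAddress, virtualAddress + virtualSize) range contains rva.
// throws    Exception when no section contains rva.
//
// The range test is written as (rva - virtualAddress < virtualSize) so that a
// section whose virtualAddress + virtualSize exceeds 32 bits cannot wrap the
// upper bound around to a small value; for sections that do not overflow the
// result is the same as before.
//
// NOTE(review): the returned offset is not compared with the file length
// (none is available here) and the match uses virtualSize only, so the result
// can point past the bytes actually present in the file. The section table is
// also assumed to start right after sizeof(NTHeaders32) bytes, and the section
// count is taken from the file as is. Callers dereference the result
// directly, so bound the mapping before parsing untrusted files.
public static unsafe UInt32 RVAtoOffset32(UInt32 rva, NTHeaders32 *ntHeaders, byte *pBin)
{
    MS_DOS_Stub *stub = (MS_DOS_Stub *)(pBin);

    // Start of the section table; the same for every iteration.
    byte *firstSection = pBin + stub->e_lfanew + sizeof(NTHeaders32);

    for (int i = 0; i < ntHeaders->FileHeader.numberOfSections; i++)
    {
        section_table *secTable = (section_table *)(firstSection + sizeof(section_table) * i);

        // Subtract only after the lower bound holds, so the difference cannot underflow.
        if (secTable->virtualAddress <= rva && rva - secTable->virtualAddress < secTable->virtualSize)
        {
            return((UInt32)(rva) + secTable->pointerToRawData - secTable->virtualAddress);
        }
    }

    throw new Exception("Erorr: Could not map RVA to Offset.");
}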