예제 #1
0
        internal static ImageResourceDirectoryEntry FromReadingContext(ReadingContext context)
        {
            var reader            = context.Reader;
            var resourceDirectory =
                context.Assembly.NtHeaders.OptionalHeader.DataDirectories[ImageDataDirectory.ResourceDirectoryIndex];

            var entry = new ImageResourceDirectoryEntry
            {
                StartOffset  = reader.Position,
                NameId       = reader.ReadUInt32(),
                OffsetToData = reader.ReadUInt32(),
            };

            entry.HasData = (entry.OffsetToData >> 31) == 0;

            uint actualDataOffset = entry.OffsetToData & ~(1 << 31);

            entry.HasName = (entry.NameId >> 31) == 1;
            if (entry.HasName)
            {
                entry._nameReadingContext =
                    context.CreateSubContext(context.Assembly.RvaToFileOffset(resourceDirectory.VirtualAddress) +
                                             (entry.NameId & ~(1 << 31)));
            }

            entry._dataReadingContext =
                context.CreateSubContext(context.Assembly.RvaToFileOffset(resourceDirectory.VirtualAddress) +
                                         actualDataOffset);
            return(entry);
        }
예제 #2
0
 public static ImageImportDirectory FromReadingContext(ReadingContext context)
 {
     return new ImageImportDirectory()
     {
         _readingContext = context
     };
 }
예제 #3
0
        internal static ImageModuleImport FromReadingContext(ReadingContext context)
        {
            var application  = context.Assembly;
            var reader       = context.Reader;
            var moduleImport = new ImageModuleImport
            {
                StartOffset          = reader.Position,
                ImportLookupTableRva = reader.ReadUInt32(),
                TimeDateStamp        = reader.ReadUInt32(),
                ForwarderChain       = reader.ReadUInt32(),
                NameRva = reader.ReadUInt32(),
                ImportAddressTableRva = reader.ReadUInt32(),
            };

            if (moduleImport.IsEmpty)
            {
                return(moduleImport);
            }

            var nameReader = reader.CreateSubReader(application.RvaToFileOffset(moduleImport.NameRva));

            moduleImport.Name = nameReader.ReadAsciiString();

            moduleImport._readingContext =
                context.CreateSubContext(application.RvaToFileOffset(moduleImport.ImportLookupTableRva));

            return(moduleImport);
        }
예제 #4
0
        internal static ImageSectionHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var header = new ImageSectionHeader
            {
                StartOffset          = reader.Position,
                Name                 = Encoding.ASCII.GetString(reader.ReadBytes(8)),
                VirtualSize          = reader.ReadUInt32(),
                VirtualAddress       = reader.ReadUInt32(),
                SizeOfRawData        = reader.ReadUInt32(),
                PointerToRawData     = reader.ReadUInt32(),
                PointerToRelocations = reader.ReadUInt32(),
                PointerToLinenumbers = reader.ReadUInt32(),
                NumberOfRelocations  = reader.ReadUInt16(),
                NumberOfLinenumbers  = reader.ReadUInt16(),
                Attributes           = (ImageSectionAttributes)reader.ReadUInt32(),
            };

            var sectionReader = context.Reader.CreateSubReader(
                header.PointerToRawData,
                (int)header.SizeOfRawData);

            header.Section = new ImageSection(header, sectionReader);

            return(header);
        }
예제 #5
0
        internal static WindowsAssembly FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var application = new WindowsAssembly();

            context.Assembly           = application;
            application.ReadingContext = context;

            // Read absolute essential parts of PE:
            // - DOS header
            // - NT headers
            // - Section headers

            application._dosHeader = ImageDosHeader.FromReadingContext(context);

            reader.Position        = application.DosHeader.Lfanew;
            application._ntHeaders = ImageNtHeaders.FromReadingContext(context);

            reader.Position =
                application.NtHeaders.OptionalHeader.StartOffset +
                application.NtHeaders.FileHeader.SizeOfOptionalHeader;
            for (int i = 0; i < application.NtHeaders.FileHeader.NumberOfSections; i++)
            {
                application.SectionHeaders.Add(ImageSectionHeader.FromReadingContext(context));
            }

            return(application);
        }
예제 #6
0
        internal static ImageExportDirectory FromReadingContext(ReadingContext context)
        {
            var application = context.Assembly;
            var reader      = context.Reader;

            var directory = new ImageExportDirectory
            {
                _readingContext = context,

                StartOffset = reader.Position,

                Characteristics       = reader.ReadUInt32(),
                TimeDateStamp         = reader.ReadUInt32(),
                MajorVersion          = reader.ReadUInt16(),
                MinorVersion          = reader.ReadUInt16(),
                NameRva               = reader.ReadUInt32(),
                OrdinalBase           = reader.ReadUInt32(),
                NumberOfFunctions     = reader.ReadUInt32(),
                NumberOfNames         = reader.ReadUInt32(),
                AddressOfFunctions    = reader.ReadUInt32(),
                AddressOfNames        = reader.ReadUInt32(),
                AddressOfNameOrdinals = reader.ReadUInt32(),
            };

            var nameReader = reader.CreateSubReader(application.RvaToFileOffset(directory.NameRva));

            directory.Name = nameReader.ReadAsciiString();

            return(directory);
        }
예제 #7
0
        internal static ImageResourceDirectory FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var directory = new ImageResourceDirectory
            {
                StartOffset     = reader.Position,
                Characteristics = reader.ReadUInt32(),
                TimeDateStamp   = reader.ReadUInt32(),
                MajorVersion    = reader.ReadUInt16(),
                MinorVersion    = reader.ReadUInt16(),
            };

            var numberOfNamedEntries = reader.ReadUInt16();
            var numberOfIdEntries    = reader.ReadUInt16();

            for (int i = 0; i < numberOfNamedEntries; i++)
            {
                directory.Entries.Add(ImageResourceDirectoryEntry.FromReadingContext(context));
            }

            for (int i = 0; i < numberOfIdEntries; i++)
            {
                directory.Entries.Add(ImageResourceDirectoryEntry.FromReadingContext(context));
            }

            return(directory);
        }
예제 #8
0
        internal static ImageSymbolImport FromReadingContext(ReadingContext context)
        {
            var reader      = context.Reader;
            var application = context.Assembly;

            var optionalHeader = application.NtHeaders.OptionalHeader;

            var import = new ImageSymbolImport(optionalHeader.Magic == OptionalHeaderMagic.Pe32Plus
                ? reader.ReadUInt64()
                : reader.ReadUInt32());

            if (import.Lookup == 0)
            {
                return(import);
            }

            import.IsImportByOrdinal = import.Lookup >> (optionalHeader.Magic == OptionalHeaderMagic.Pe32Plus ? 63 : 31) == 1;

            if (!import.IsImportByOrdinal)
            {
                import.HintName =
                    HintName.FromReadingContext(context.CreateSubContext(application.RvaToFileOffset(import.HintNameRva)));
            }

            return(import);
        }
예제 #9
0
 public static ImageImportDirectory FromReadingContext(ReadingContext context)
 {
     return(new ImageImportDirectory()
     {
         _readingContext = context
     });
 }
예제 #10
0
        private static ReadingContext CreateDataDirectoryContext(ReadingContext context, int directoryIndex)
        {
            var application   = context.Assembly;
            var dataDirectory = application.NtHeaders.OptionalHeader.DataDirectories[directoryIndex];

            return(dataDirectory.VirtualAddress == 0
                ? null
                : context.CreateSubContext(application.RvaToFileOffset(dataDirectory.VirtualAddress)));
        }
예제 #11
0
 internal static ImageDataDirectory FromReadingContext(ReadingContext context)
 {
     var reader = context.Reader;
     return new ImageDataDirectory
     {
         StartOffset = reader.Position,
         VirtualAddress = reader.ReadUInt32(),
         Size = reader.ReadUInt32(),
     };
 }
예제 #12
0
        internal static BaseRelocationBlock FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var block  = new BaseRelocationBlock(reader.ReadUInt32())
            {
                _blockSize = reader.ReadUInt32(),
            };

            block._entriesReadingContext = context.CreateSubContext(reader.Position, (int)(block.BlockSize - (2 * sizeof(uint))));
            return(block);
        }
예제 #13
0
        internal static ImageDataDirectory FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            return(new ImageDataDirectory
            {
                StartOffset = reader.Position,
                VirtualAddress = reader.ReadUInt32(),
                Size = reader.ReadUInt32(),
            });
        }
예제 #14
0
        internal static ImageNtHeaders FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            return new ImageNtHeaders
            {
                StartOffset = reader.Position,
                Signature = reader.ReadUInt32(),
                FileHeader = ImageFileHeader.FromReadingContext(context),
                OptionalHeader = ImageOptionalHeader.FromReadingContext(context),
            };
        }
예제 #15
0
        internal static ImageNtHeaders FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            return(new ImageNtHeaders
            {
                StartOffset = reader.Position,
                Signature = reader.ReadUInt32(),
                FileHeader = ImageFileHeader.FromReadingContext(context),
                OptionalHeader = ImageOptionalHeader.FromReadingContext(context),
            });
        }
예제 #16
0
        internal static ImageDosHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var header = new ImageDosHeader
            {
                StartOffset = reader.Position,
                Magic       = reader.ReadUInt16()
            };

            reader.Position = 0x3C;
            header.Lfanew   = reader.ReadUInt32();

            return(header);
        }
예제 #17
0
        internal static HintName FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var hintName = new HintName
            {
                StartOffset = reader.Position,
                Hint = reader.ReadUInt16(),
                Name = reader.ReadAsciiString(),
            };

            if (reader.Position % 2 != 0)
                reader.Position++;

            return hintName;
        }
예제 #18
0
        internal static ImageDosHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var header = new ImageDosHeader
            {
                StartOffset = reader.Position,
                Magic = reader.ReadUInt16()
            };

            reader.Position = 0x3C;
            header.Lfanew = reader.ReadUInt32();

            return header;
        }
예제 #19
0
        public static ImageRelocationDirectory FromReadingContext(ReadingContext context)
        {
            var directory = new ImageRelocationDirectory();
            var relocDirectory =
                context.Assembly.NtHeaders.OptionalHeader.DataDirectories[
                    ImageDataDirectory.BaseRelocationDirectoryIndex];

            while (context.Reader.Position < context.Reader.StartPosition + relocDirectory.Size)
            {
                var block = BaseRelocationBlock.FromReadingContext(context);
                directory.Blocks.Add(block);
                context.Reader.Position += block.BlockSize - 2 * sizeof (uint);
            }

            return directory;
        }
예제 #20
0
        public static ImageRelocationDirectory FromReadingContext(ReadingContext context)
        {
            var directory      = new ImageRelocationDirectory();
            var relocDirectory =
                context.Assembly.NtHeaders.OptionalHeader.DataDirectories[
                    ImageDataDirectory.BaseRelocationDirectoryIndex];

            while (context.Reader.Position < context.Reader.StartPosition + relocDirectory.Size)
            {
                var block = BaseRelocationBlock.FromReadingContext(context);
                directory.Blocks.Add(block);
                context.Reader.Position += block.BlockSize - 2 * sizeof(uint);
            }

            return(directory);
        }
예제 #21
0
        internal static ImageFileHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            return(new ImageFileHeader()
            {
                StartOffset = reader.Position,
                Machine = (ImageMachineType)reader.ReadUInt16(),
                NumberOfSections = reader.ReadUInt16(),
                TimeDateStamp = reader.ReadUInt32(),
                PointerToSymbolTable = reader.ReadUInt32(),
                NumberOfSymbols = reader.ReadUInt32(),
                SizeOfOptionalHeader = reader.ReadUInt16(),
                Characteristics = (ImageCharacteristics)reader.ReadUInt16(),
            });
        }
예제 #22
0
        private static ReadingContext CreateDataDirectoryContext(ReadingContext context, int directoryIndex)
        {
            var application     = context.Assembly;
            var dataDirectories = application.NtHeaders.OptionalHeader.DataDirectories;

            if (directoryIndex >= 0 && directoryIndex < dataDirectories.Count)
            {
                var dataDirectory = dataDirectories[directoryIndex];

                if (dataDirectory.VirtualAddress != 0)
                {
                    return(context.CreateSubContext(application.RvaToFileOffset(dataDirectory.VirtualAddress)));
                }
            }

            return(null);
        }
예제 #23
0
파일: HintName.cs 프로젝트: xuhaoa/WinPIT
        internal static HintName FromReadingContext(ReadingContext context)
        {
            var reader   = context.Reader;
            var hintName = new HintName
            {
                StartOffset = reader.Position,
                Hint        = reader.ReadUInt16(),
                Name        = reader.ReadAsciiString(),
            };

            if (reader.Position % 2 != 0)
            {
                reader.Position++;
            }

            return(hintName);
        }
예제 #24
0
        public static ImageDebugDirectory FromReadingContext(ReadingContext context)
        {
            var reader    = context.Reader;
            var directory = new ImageDebugDirectory()
            {
                StartOffset      = reader.StartPosition,
                Characteristics  = reader.ReadUInt32(),
                TimeDateStamp    = reader.ReadUInt32(),
                MajorVersion     = reader.ReadUInt16(),
                MinorVersion     = reader.ReadUInt16(),
                Type             = (DebugInformationFormat)reader.ReadUInt32(),
                SizeOfData       = reader.ReadUInt32(),
                AddressOfRawData = reader.ReadUInt32(),
                PointerToRawData = reader.ReadUInt32(),
            };

            directory._dataReadingContext = context.CreateSubContext(directory.PointerToRawData, (int)directory.SizeOfData);
            return(directory);
        }
예제 #25
0
        internal static ImageOptionalHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var header = new ImageOptionalHeader
            {
                StartOffset = reader.Position,
                Magic = (OptionalHeaderMagic)reader.ReadUInt16(),
                MajorLinkerVersion = reader.ReadByte(),
                MinorLinkerVersion = reader.ReadByte(),
                SizeOfCode = reader.ReadUInt32(),
                SizeOfInitializedData = reader.ReadUInt32(),
                SizeOfUninitializedData = reader.ReadUInt32(),
                AddressOfEntrypoint = reader.ReadUInt32(),
                BaseOfCode = reader.ReadUInt32()
            };

            switch (header.Magic)
            {
                case OptionalHeaderMagic.Pe32:
                    header.BaseOfData = reader.ReadUInt32();
                    header.ImageBase = reader.ReadUInt32();
                    break;
                case OptionalHeaderMagic.Pe32Plus:
                    header.ImageBase = reader.ReadUInt64();
                    break;
                default:
                    throw new NotSupportedException(string.Format("Unrecognized or unsupported executable format."));
            }

            header.SectionAlignment = reader.ReadUInt32();
            header.FileAlignment = reader.ReadUInt32();
            header.MajorOperatingSystemVersion = reader.ReadUInt16();
            header.MinorOperatingSystemVersion = reader.ReadUInt16();
            header.MajorImageVersion = reader.ReadUInt16();
            header.MinorImageVersion = reader.ReadUInt16();
            header.MajorSubsystemVersion = reader.ReadUInt16();
            header.MinorSubsystemVersion = reader.ReadUInt16();
            header.Win32VersionValue = reader.ReadUInt32();
            header.SizeOfImage = reader.ReadUInt32();
            header.SizeOfHeaders = reader.ReadUInt32();
            header.CheckSum = reader.ReadUInt32();
            header.Subsystem = (ImageSubSystem)reader.ReadUInt16();
            header.DllCharacteristics = (ImageDllCharacteristics)reader.ReadUInt16();

            if (header.Magic == OptionalHeaderMagic.Pe32)
            {
                header.SizeOfStackReserve = reader.ReadUInt32();
                header.SizeOfStackCommit = reader.ReadUInt32();
                header.SizeOfHeapReserve = reader.ReadUInt32();
                header.SizeOfHeapCommit = reader.ReadUInt32();
            }
            else
            {
                header.SizeOfStackReserve = reader.ReadUInt64();
                header.SizeOfStackCommit = reader.ReadUInt64();
                header.SizeOfHeapReserve = reader.ReadUInt64();
                header.SizeOfHeapCommit = reader.ReadUInt64();
            }

            header.LoaderFlags = reader.ReadUInt32();
            header.NumberOfRvaAndSizes = reader.ReadUInt32();

            int dataDirectories = context.Parameters.ForceDataDirectoryCount
                ? context.Parameters.DataDirectoryCount
                : (int) header.NumberOfRvaAndSizes;

            for (int i = 0; i < dataDirectories; i++)
                header.DataDirectories.Add(ImageDataDirectory.FromReadingContext(context));

            return header;
        }
예제 #26
0
 public static ImageDebugDirectory FromReadingContext(ReadingContext context)
 {
     var reader = context.Reader;
     var directory =  new ImageDebugDirectory()
     {
         StartOffset = reader.StartPosition,
         Characteristics = reader.ReadUInt32(),
         TimeDateStamp = reader.ReadUInt32(),
         MajorVersion = reader.ReadUInt16(),
         MinorVersion = reader.ReadUInt16(),
         Type = (DebugInformationFormat)reader.ReadUInt32(),
         SizeOfData = reader.ReadUInt32(),
         AddressOfRawData = reader.ReadUInt32(),
         PointerToRawData = reader.ReadUInt32(),
     };
     directory._dataReadingContext = context.CreateSubContext(directory.PointerToRawData, (int)directory.SizeOfData);
     return directory;
 }
예제 #27
0
        internal static ImageResourceDirectory FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var directory = new ImageResourceDirectory
            {
                StartOffset = reader.Position,
                Characteristics = reader.ReadUInt32(),
                TimeDateStamp = reader.ReadUInt32(),
                MajorVersion = reader.ReadUInt16(),
                MinorVersion = reader.ReadUInt16(),
            };

            var numberOfNamedEntries = reader.ReadUInt16();
            var numberOfIdEntries = reader.ReadUInt16();

            for (int i = 0; i < numberOfNamedEntries; i++)
                directory.Entries.Add(ImageResourceDirectoryEntry.FromReadingContext(context));

            for (int i = 0; i < numberOfIdEntries; i++)
                directory.Entries.Add(ImageResourceDirectoryEntry.FromReadingContext(context));

            return directory;
        }
예제 #28
0
        internal static BaseRelocationBlock FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            long offset = reader.Position;
            var block = new BaseRelocationBlock(reader.ReadUInt32())
            {
                StartOffset = offset,
                _blockSize = reader.ReadUInt32(),
            };

            block._entriesReadingContext = context.CreateSubContext(reader.Position, (int)(block.BlockSize - (2 * sizeof (uint))));
            return block;
        }
예제 #29
0
        internal static ImageModuleImport FromReadingContext(ReadingContext context)
        {
            var application = context.Assembly;
            var reader = context.Reader;
            var moduleImport = new ImageModuleImport
            {
                StartOffset = reader.Position,
                ImportLookupTableRva = reader.ReadUInt32(),
                TimeDateStamp = reader.ReadUInt32(),
                ForwarderChain = reader.ReadUInt32(),
                NameRva = reader.ReadUInt32(),
                ImportAddressTableRva = reader.ReadUInt32(),
            };

            if (moduleImport.IsEmpty)
                return moduleImport;

            var nameReader = reader.CreateSubReader(application.RvaToFileOffset(moduleImport.NameRva));
            moduleImport.Name = nameReader.ReadAsciiString();

            moduleImport._readingContext =
                context.CreateSubContext(application.RvaToFileOffset(moduleImport.ImportLookupTableRva));

            return moduleImport;
        }
예제 #30
0
 internal static ImageSectionHeader FromReadingContext(ReadingContext context)
 {
     var reader = context.Reader;
     return new ImageSectionHeader
     {
         StartOffset = reader.Position,
         Name = Encoding.ASCII.GetString(reader.ReadBytes(8)),
         VirtualSize = reader.ReadUInt32(),
         VirtualAddress = reader.ReadUInt32(),
         SizeOfRawData = reader.ReadUInt32(),
         PointerToRawData = reader.ReadUInt32(),
         PointerToRelocations = reader.ReadUInt32(),
         PointerToLinenumbers = reader.ReadUInt32(),
         NumberOfRelocations = reader.ReadUInt16(),
         NumberOfLinenumbers = reader.ReadUInt16(),
         Attributes = (ImageSectionAttributes)reader.ReadUInt32(),
     };
 }
예제 #31
0
 public static DataSegment FromReadingContext(ReadingContext context)
 {
     return(new DataSegment(context.Reader.ReadBytes(
                                (int)(context.Reader.Length - (context.Reader.Position - context.Reader.StartPosition)))));
 }
예제 #32
0
        internal static ImageOptionalHeader FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var header = new ImageOptionalHeader
            {
                StartOffset             = reader.Position,
                Magic                   = (OptionalHeaderMagic)reader.ReadUInt16(),
                MajorLinkerVersion      = reader.ReadByte(),
                MinorLinkerVersion      = reader.ReadByte(),
                SizeOfCode              = reader.ReadUInt32(),
                SizeOfInitializedData   = reader.ReadUInt32(),
                SizeOfUninitializedData = reader.ReadUInt32(),
                AddressOfEntrypoint     = reader.ReadUInt32(),
                BaseOfCode              = reader.ReadUInt32()
            };

            switch (header.Magic)
            {
            case OptionalHeaderMagic.Pe32:
                header.BaseOfData = reader.ReadUInt32();
                header.ImageBase  = reader.ReadUInt32();
                break;

            case OptionalHeaderMagic.Pe32Plus:
                header.ImageBase = reader.ReadUInt64();
                break;

            default:
                throw new NotSupportedException(string.Format("Unrecognized or unsupported executable format."));
            }

            header.SectionAlignment            = reader.ReadUInt32();
            header.FileAlignment               = reader.ReadUInt32();
            header.MajorOperatingSystemVersion = reader.ReadUInt16();
            header.MinorOperatingSystemVersion = reader.ReadUInt16();
            header.MajorImageVersion           = reader.ReadUInt16();
            header.MinorImageVersion           = reader.ReadUInt16();
            header.MajorSubsystemVersion       = reader.ReadUInt16();
            header.MinorSubsystemVersion       = reader.ReadUInt16();
            header.Win32VersionValue           = reader.ReadUInt32();
            header.SizeOfImage        = reader.ReadUInt32();
            header.SizeOfHeaders      = reader.ReadUInt32();
            header.CheckSum           = reader.ReadUInt32();
            header.Subsystem          = (ImageSubSystem)reader.ReadUInt16();
            header.DllCharacteristics = (ImageDllCharacteristics)reader.ReadUInt16();

            if (header.Magic == OptionalHeaderMagic.Pe32)
            {
                header.SizeOfStackReserve = reader.ReadUInt32();
                header.SizeOfStackCommit  = reader.ReadUInt32();
                header.SizeOfHeapReserve  = reader.ReadUInt32();
                header.SizeOfHeapCommit   = reader.ReadUInt32();
            }
            else
            {
                header.SizeOfStackReserve = reader.ReadUInt64();
                header.SizeOfStackCommit  = reader.ReadUInt64();
                header.SizeOfHeapReserve  = reader.ReadUInt64();
                header.SizeOfHeapCommit   = reader.ReadUInt64();
            }

            header.LoaderFlags         = reader.ReadUInt32();
            header.NumberOfRvaAndSizes = reader.ReadUInt32();

            int dataDirectories = context.Parameters.ForceDataDirectoryCount
                ? context.Parameters.DataDirectoryCount
                : (int)header.NumberOfRvaAndSizes;

            for (int i = 0; i < dataDirectories; i++)
            {
                header.DataDirectories.Add(ImageDataDirectory.FromReadingContext(context));
            }

            return(header);
        }
예제 #33
0
        internal static ImageSymbolImport FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var application = context.Assembly;

            var optionalHeader = application.NtHeaders.OptionalHeader;

            var import = new ImageSymbolImport(optionalHeader.Magic == OptionalHeaderMagic.Pe32Plus
                ? reader.ReadUInt64()
                : reader.ReadUInt32());

            if (import.Lookup == 0)
                return import;

            import.IsImportByOrdinal = import.Lookup >> (optionalHeader.Magic == OptionalHeaderMagic.Pe32Plus ? 63 : 31) == 1;

            if (!import.IsImportByOrdinal)
                import.HintName =
                    HintName.FromReadingContext(context.CreateSubContext(application.RvaToFileOffset(import.HintNameRva)));

            return import;
        }
        internal static ImageResourceDirectoryEntry FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;
            var resourceDirectory =
                context.Assembly.NtHeaders.OptionalHeader.DataDirectories[ImageDataDirectory.ResourceDirectoryIndex];

            var entry = new ImageResourceDirectoryEntry
            {
                StartOffset = reader.Position,
                NameId = reader.ReadUInt32(),
                OffsetToData = reader.ReadUInt32(),
            };

            entry.HasData = (entry.OffsetToData >> 31) == 0;

            uint actualDataOffset = entry.OffsetToData & ~(1 << 31);

            entry.HasName = (entry.NameId >> 31) == 1;
            if (entry.HasName)
            {
                entry._nameReadingContext =
                    context.CreateSubContext(context.Assembly.RvaToFileOffset(resourceDirectory.VirtualAddress) +
                                             (entry.NameId & ~(1 << 31)));
            }

            entry._dataReadingContext =
                context.CreateSubContext(context.Assembly.RvaToFileOffset(resourceDirectory.VirtualAddress) +
                                         actualDataOffset);
            return entry;
        }
예제 #35
0
 public static DataSegment FromReadingContext(ReadingContext context)
 {
     return new DataSegment(context.Reader.ReadBytes(
         (int)(context.Reader.Length - (context.Reader.Position - context.Reader.StartPosition))));
 }
예제 #36
0
        private static ReadingContext CreateDataDirectoryContext(ReadingContext context, int directoryIndex)
        {
            var application = context.Assembly;
            var dataDirectories = application.NtHeaders.OptionalHeader.DataDirectories;

            if (directoryIndex >= 0 && directoryIndex < dataDirectories.Count)
            {
                var dataDirectory = dataDirectories[directoryIndex];

                if (dataDirectory.VirtualAddress != 0)
                    return context.CreateSubContext(application.RvaToFileOffset(dataDirectory.VirtualAddress));
            }

            return null;
        }
예제 #37
0
        internal static ImageExportDirectory FromReadingContext(ReadingContext context)
        {
            var application = context.Assembly;
            var reader = context.Reader;

            var directory = new ImageExportDirectory
            {
                _readingContext = context,

                StartOffset = reader.Position,

                Characteristics = reader.ReadUInt32(),
                TimeDateStamp = reader.ReadUInt32(),
                MajorVersion = reader.ReadUInt16(),
                MinorVersion = reader.ReadUInt16(),
                NameRva = reader.ReadUInt32(),
                OrdinalBase = reader.ReadUInt32(),
                NumberOfFunctions = reader.ReadUInt32(),
                NumberOfNames = reader.ReadUInt32(),
                AddressOfFunctions = reader.ReadUInt32(),
                AddressOfNames = reader.ReadUInt32(),
                AddressOfNameOrdinals = reader.ReadUInt32(),
            };

            var nameReader = reader.CreateSubReader(application.RvaToFileOffset(directory.NameRva));
            directory.Name = nameReader.ReadAsciiString();

            return directory;
        }
예제 #38
0
        internal static WindowsAssembly FromReadingContext(ReadingContext context)
        {
            var reader = context.Reader;

            var application = new WindowsAssembly();
            context.Assembly = application;
            application.ReadingContext = context;

            // Read absolute essential parts of PE:
            // - DOS header
            // - NT headers
            // - Section headers

            application._dosHeader = ImageDosHeader.FromReadingContext(context);

            reader.Position = application.DosHeader.Lfanew;
            application._ntHeaders = ImageNtHeaders.FromReadingContext(context);

            reader.Position =
                application.NtHeaders.OptionalHeader.StartOffset +
                application.NtHeaders.FileHeader.SizeOfOptionalHeader;
            for (int i = 0; i < application.NtHeaders.FileHeader.NumberOfSections; i++)
                application.SectionHeaders.Add(ImageSectionHeader.FromReadingContext(context));

            return application;
        }
예제 #39
0
 internal static ImageFileHeader FromReadingContext(ReadingContext context)
 {
     var reader = context.Reader;
     return new ImageFileHeader()
     {
         StartOffset = reader.Position,
         Machine = (ImageMachineType)reader.ReadUInt16(),
         NumberOfSections = reader.ReadUInt16(),
         TimeDateStamp = reader.ReadUInt32(),
         PointerToSymbolTable = reader.ReadUInt32(),
         NumberOfSymbols = reader.ReadUInt32(),
         SizeOfOptionalHeader = reader.ReadUInt16(),
         Characteristics = (ImageCharacteristics)reader.ReadUInt16(),
     };
 }