예제 #1
0
        internal NETTableReader(TablesHeap tablesheap)
        {
            using (BinaryReader reader = new BinaryReader(new MemoryStream(tablesheap.Contents)))
            {
                tablesheap._header = ASMGlobals.ReadStructureFromReader <Structures.METADATA_TABLE_HEADER>(reader);
                this.tablesHeap    = tablesheap;

                for (int i = 0; i < 45; i++)
                {
                    if (tablesHeap.HasTable((MetaDataTableType)i))
                    {
                        tablesHeap._tablecount++;
                    }
                }

                tablesHeap._tablereader = this;
                if ((tablesHeap.HeapOffsetSizes & 1) == 1)
                {
                    tablesHeap._netheader.StringsHeap._indexsize = 4;
                }
                if ((tablesHeap.HeapOffsetSizes & 2) == 2)
                {
                    tablesHeap._netheader.GuidHeap._indexsize = 4;
                }
                if ((tablesHeap.HeapOffsetSizes & 4) == 4)
                {
                    tablesHeap._netheader.BlobHeap._indexsize = 4;
                }

                ReadTableHeaders(reader);
            }
        }
예제 #2
0
        internal ResourceDirectoryEntry ReadDirectoryEntry(uint offset)
        {
            var    rawEntry   = ASMGlobals.ReadStructureFromReader <Structures.IMAGE_RESOURCE_DIRECTORY_ENTRY>(reader);
            string customName = string.Empty;
            ResourceDirectoryEntry resourceEntry = new ResourceDirectoryEntry(image, offset, rawEntry, customName);

            return(resourceEntry);
        }
예제 #3
0
 internal ResourceDataEntry ReadDataEntry(uint offset, ResourceDirectoryEntry entry)
 {
     if (TrySetOffset(offset))
     {
         var rawDataEntry = ASMGlobals.ReadStructureFromReader <Structures.IMAGE_RESOURCE_DATA_ENTRY>(reader);
         return(new ResourceDataEntry(image, resourceDirectory.TargetOffset.FileOffset + offset, entry, rawDataEntry));
     }
     return(null);
 }
예제 #4
0
        internal ResourceDirectory ReadDirectory(uint offset, ResourceDirectoryEntry entry)
        {
            if (TrySetOffset(offset))
            {
                var rawDirectory = ASMGlobals.ReadStructureFromReader <Structures.IMAGE_RESOURCE_DIRECTORY>(reader);

                return(new ResourceDirectory(image, offset, this, entry, rawDirectory));
            }
            return(null);
        }
예제 #5
0
        private LibraryReference ReadLibraryImport()
        {
            uint importDirOffset = (uint)image.Position;
            var  rawImportDir    = image.ReadStructure <Structures.IMAGE_IMPORT_DESCRIPTOR>();

            if (ASMGlobals.IsEmptyStructure(rawImportDir))
            {
                return(null);
            }

            string libName = ReadLibraryName(rawImportDir);

            ImportMethod[] methods = ReadImportMethods(rawImportDir);

            LibraryReference libReference = new LibraryReference(image, importDirOffset, rawImportDir, libName, methods);

            // advance to next datadir.
            image.SetOffset(importDirOffset + sizeof(Structures.IMAGE_IMPORT_DESCRIPTOR));

            return(libReference);
        }
예제 #6
0
        private byte[] ReadRawOperand(MSILOpCode opcode)
        {
            int size = opcode.Bytes.Length;

            switch (opcode.OperandType)
            {
            case OperandType.Int8:
            case OperandType.ShortArgument:
            case OperandType.ShortInstructionTarget:
            case OperandType.ShortVariable:
                return(_reader.ReadBytes(1));

            case OperandType.Argument:
            case OperandType.Variable:
                return(_reader.ReadBytes(2));

            case OperandType.Field:
            case OperandType.Int32:
            case OperandType.Float32:
            case OperandType.InstructionTarget:
            case OperandType.Method:
            case OperandType.Signature:
            case OperandType.String:
            case OperandType.Token:
            case OperandType.Type:
                return(_reader.ReadBytes(4));

            case OperandType.Float64:
            case OperandType.Int64:
                return(_reader.ReadBytes(8));

            case OperandType.InstructionTable:
                byte[] header  = _reader.ReadBytes(4);
                byte[] offsets = _reader.ReadBytes(BitConverter.ToInt32(header, 0) * sizeof(int));
                return(ASMGlobals.MergeBytes(header, offsets));
            }
            return(null);
        }
예제 #7
0
        //  /// <summary>
        //  /// Gets the address of the library reference in the portable executable file.
        //  /// </summary>
        //  public uint Address
        //  {
        //      get { return rawDescriptor.; }
        //  }

        /// <summary>
        /// Resolves the asembly by checking the directory of the assembly, the system directories and the current directory.
        /// </summary>
        /// <param name="parentAssembly">The parent assembly to search from. You can fill in a null value, but it can influent the result.</param>
        /// <param name="disableWOW64Redirection">Disables WOW64 layer redirections to get access 64 bit directories. Default value is true.</param>
        /// <returns></returns>
        public LWin32 Resolve(LWin32 parentAssembly, bool disableWOW64Redirection = true)
        {
            LWin32 assembly;

            if (disableWOW64Redirection)
            {
                ASMGlobals.Wow64EnableWow64FsRedirection(false);
            }
            try
            {
                string actualpath = "";
                if (parentAssembly != null)
                {
                    string path = parentAssembly._path.Substring(0, parentAssembly._path.LastIndexOf("\\"));
                    if (File.Exists(path + "\\" + LibraryName))
                    {
                        actualpath = path + "\\" + LibraryName;
                        goto things;
                    }
                }
                if (parentAssembly._ntHeader.OptionalHeader.Is32Bit)
                {
                    if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName))
                    {
                        actualpath = Environment.GetFolderPath(Environment.SpecialFolder.SystemX86) + "\\" + LibraryName;
                    }
                }
                else if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName))
                {
                    actualpath = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\" + LibraryName;
                }


                if (actualpath == "" & File.Exists(Environment.CurrentDirectory + "\\" + LibraryName))
                {
                    actualpath = Environment.CurrentDirectory + "\\" + LibraryName;
                }

things:
                if (actualpath == "")
                {
                    throw new ResolveException(new FileNotFoundException("The target application can not be found."));
                }


                try
                {
                    assembly = LWin32.LoadFile(actualpath);
                }
                catch (Exception ex)
                {
                    throw new ResolveException(ex);
                }
            }
            catch
            {
                if (disableWOW64Redirection)
                {
                    ASMGlobals.Wow64EnableWow64FsRedirection(true);
                }
                throw;
            }
            finally
            {
                if (disableWOW64Redirection)
                {
                    ASMGlobals.Wow64EnableWow64FsRedirection(true);
                }
            }
            return(assembly);
        }
예제 #8
0
        private object ConvertToOperand(int instructionOffset, MSILOpCode opcode, byte[] rawoperand)
        {
            try
            {
                switch (opcode.OperandType)
                {
                case OperandType.Argument:
                    ParameterDefinition paramDef = GetParameter(BitConverter.ToInt16(rawoperand, 0));
                    if (paramDef == null)
                    {
                        return(BitConverter.ToInt16(rawoperand, 0));
                    }
                    return(paramDef);

                case OperandType.ShortArgument:
                    paramDef = GetParameter(rawoperand[0]);
                    if (paramDef == null)
                    {
                        return(rawoperand[0]);
                    }
                    return(paramDef);

                case OperandType.Float32:
                    return(BitConverter.ToSingle(rawoperand, 0));

                case OperandType.Float64:
                    return(BitConverter.ToDouble(rawoperand, 0));

                case OperandType.InstructionTable:

                    int   length     = BitConverter.ToInt32(rawoperand, 0);
                    int[] offsets    = new int[length];
                    int   nextOffset = instructionOffset + (length * 4) + opcode.Bytes.Length + 4;
                    for (int i = 0; i < length; i++)
                    {
                        int index   = (i + 1) * sizeof(int);
                        int roffset = BitConverter.ToInt32(rawoperand, index);
                        offsets[i] = roffset + nextOffset;
                    }

                    return(offsets);

                case OperandType.InstructionTarget:
                    return(BitConverter.ToInt32(rawoperand, 0) + instructionOffset + opcode.Bytes.Length + sizeof(int));

                case OperandType.ShortInstructionTarget:
                    return(ASMGlobals.ByteToSByte(rawoperand[0]) + instructionOffset + opcode.Bytes.Length + sizeof(byte));

                case OperandType.Int8:
                    return(ASMGlobals.ByteToSByte(rawoperand[0]));

                case OperandType.Int32:
                    return(BitConverter.ToInt32(rawoperand, 0));

                case OperandType.Int64:
                    return(BitConverter.ToInt64(rawoperand, 0));

                case OperandType.Token:
                case OperandType.Field:
                case OperandType.Method:
                case OperandType.Type:
                    uint metadata = BitConverter.ToUInt32(rawoperand, 0);
                    try
                    {
                        object operand = TokenResolver.ResolveMember(metadata);

                        if (operand is ISpecification)
                        {
                            operand = (operand as ISpecification).TransformWith(MethodBody.Method);
                        }

                        return(operand);
                    }
                    catch { return(new TypeReference(string.Empty, "TOKEN:" + metadata.ToString("X8"), null)); }

                case OperandType.ShortVariable:
                    VariableDefinition varDef = GetVariable(rawoperand[0]);
                    if (varDef == null)
                    {
                        return(rawoperand[0]);
                    }
                    return(varDef);

                case OperandType.Variable:
                    varDef = GetVariable(BitConverter.ToInt16(rawoperand, 0));
                    if (varDef == null)
                    {
                        return(rawoperand[0]);
                    }
                    return(varDef);

                case OperandType.Signature:
                    return(BitConverter.ToInt32(rawoperand, 0));

                case OperandType.String:
                    return(TokenResolver.ResolveString(BitConverter.ToUInt32(rawoperand, 0)));
                }
            }
            catch { }

            return(null);
        }