/// <summary>
/// Fills the optional-header text boxes from <paramref name="peFile"/>.
/// </summary>
/// <param name="peFile">Parsed PE file whose <c>ImageNtHeaders.OptionalHeader</c> is displayed.</param>
/// <remarks>
/// Every field is shown as the parser exposes it; nothing in this method checks that a
/// value is plausible, so the view reflects whatever the file's author put in the header.
/// </remarks>
public void SetOptionalHeader(PeFile peFile)
{
    var optionalHeader = peFile.ImageNtHeaders.OptionalHeader;

    // Magic and linker version. The two linker fields go through Utility.ToHexString
    // rather than the ToHexString() call used for every other field.
    tbMagic.Text = optionalHeader.Magic.ToHexString();
    tbMajorLinkerVersion.Text = Utility.ToHexString(optionalHeader.MajorLinkerVersion);
    tbMinorLinkerVersion.Text = Utility.ToHexString(optionalHeader.MinorLinkerVersion);

    // Code/data sizes, entry point and base addresses.
    tbSizeOfCode.Text = optionalHeader.SizeOfCode.ToHexString();
    tbSizeOfInitializedData.Text = optionalHeader.SizeOfInitializedData.ToHexString();
    tbSizeOfUninitializedData.Text = optionalHeader.SizeOfUninitializedData.ToHexString();
    tbAddressOfEntryPoint.Text = optionalHeader.AddressOfEntryPoint.ToHexString();
    tbBaseOfCode.Text = optionalHeader.BaseOfCode.ToHexString();
    tbBaseOfData.Text = optionalHeader.BaseOfData.ToHexString();
    tbImageBase.Text = optionalHeader.ImageBase.ToHexString();

    // Alignment values.
    tbSectionAlignment.Text = optionalHeader.SectionAlignment.ToHexString();
    tbFileAlignment.Text = optionalHeader.FileAlignment.ToHexString();

    // Version fields.
    tbMajorOperatingSystemVersion.Text = optionalHeader.MajorOperatingSystemVersion.ToHexString();
    tbMinorOperatingSystemVersion.Text = optionalHeader.MinorOperatingSystemVersion.ToHexString();
    tbMajorImageVersion.Text = optionalHeader.MajorImageVersion.ToHexString();
    tbMinorImageVersion.Text = optionalHeader.MinorImageVersion.ToHexString();
    tbMajorSubsystemVersion.Text = optionalHeader.MajorSubsystemVersion.ToHexString();
    tbMinorSubsystemVersion.Text = optionalHeader.MinorSubsystemVersion.ToHexString();
    tbWin32VersionValue.Text = optionalHeader.Win32VersionValue.ToHexString();

    // Image layout, checksum, subsystem and DLL characteristics.
    tbSizeOfImage.Text = optionalHeader.SizeOfImage.ToHexString();
    tbSizeOfHeaders.Text = optionalHeader.SizeOfHeaders.ToHexString();
    tbCheckSum.Text = optionalHeader.CheckSum.ToHexString();
    tbSubsystem.Text = optionalHeader.Subsystem.ToHexString();
    tbDllCharacteristics.Text = optionalHeader.DllCharacteristics.ToHexString();

    // Stack and heap sizes.
    tbSizeOfStackReserve.Text = optionalHeader.SizeOfStackReserve.ToHexString();
    tbSizeOfStackCommit.Text = optionalHeader.SizeOfStackCommit.ToHexString();
    tbSizeOfHeapReserve.Text = optionalHeader.SizeOfHeapReserve.ToHexString();
    tbSizeOfHeapCommit.Text = optionalHeader.SizeOfHeapCommit.ToHexString();

    // Loader flags and the declared number of data-directory entries.
    tbLoaderFlags.Text = optionalHeader.LoaderFlags.ToHexString();
    tbNumberOfRvaAndSizes.Text = optionalHeader.NumberOfRvaAndSizes.ToHexString();
}
/// <summary>
/// Blanks the debug-directory text boxes and, when the file has a debug directory,
/// fills them from it.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageDebugDirectory</c> may be null.</param>
public void SetDebug(PeFile peFile)
{
    // Reset first so no value from a previously displayed file survives.
    tbDebugCharacteristics.Text = string.Empty;
    tbDebugTimeDateStamp.Text = string.Empty;
    tbDebugMajorVersion.Text = string.Empty;
    tbDebugMinorVersion.Text = string.Empty;
    tbDebugType.Text = string.Empty;
    tbDebugSizeOfData.Text = string.Empty;
    tbDebugAddressOfRawData.Text = string.Empty;
    tbDebugPointerToRawData.Text = string.Empty;

    var debugDirectory = peFile.ImageDebugDirectory;
    if (debugDirectory == null)
    {
        // No debug directory: the fields stay empty.
        return;
    }

    tbDebugCharacteristics.Text = debugDirectory.Characteristics.ToHexString();
    tbDebugTimeDateStamp.Text = debugDirectory.TimeDateStamp.ToHexString();
    tbDebugMajorVersion.Text = debugDirectory.MajorVersion.ToHexString();
    tbDebugMinorVersion.Text = debugDirectory.MinorVersion.ToHexString();
    tbDebugType.Text = debugDirectory.Type.ToHexString();
    tbDebugSizeOfData.Text = debugDirectory.SizeOfData.ToHexString();
    tbDebugAddressOfRawData.Text = debugDirectory.AddressOfRawData.ToHexString();
    tbDebugPointerToRawData.Text = debugDirectory.PointerToRawData.ToHexString();
}
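/// <summary>
/// Parses <paramref name="FiletoScan"/> as a PE file, groups its imported function names
/// by DLL in <c>DLLs</c> (each name once per DLL) and hands the result to the report.
/// </summary>
/// <param name="FiletoScan">Path of the file to analyse.</param>
/// <param name="raport">Report that receives the DLL-to-functions map.</param>
/// <remarks>
/// Parsing is best effort: any failure leaves the report without an import section.
/// The failure is written to the trace listeners so that a file whose import table
/// cannot be read is distinguishable from one that was never analysed.
/// </remarks>
public PEImports(string FiletoScan, ref XMLParser raport)
{
    try
    {
        var peHeader = new PeNet.PeFile(FiletoScan);
        var imports = peHeader.ImportedFunctions;
        if (imports == null)
        {
            // No import list was parsed; nothing is added to the report.
            return;
        }

        foreach (var import in imports)
        {
            var dllName = import.DLL;
            if (!DLLs.ContainsKey(dllName))
            {
                DLLs.Add(dllName, new List<string>());
            }

            // Keep each function name once per DLL, in first-seen order.
            var functionNames = DLLs[dllName];
            if (!functionNames.Contains(import.Name))
            {
                functionNames.Add(import.Name);
            }
        }

        raport.AddPEImportDLL(DLLs);
    }
    catch (Exception ex)
    {
        // Still best effort (no rethrow), but no longer silent.
        System.Diagnostics.Trace.TraceWarning(
            "PEImports: imports not reported for '" + FiletoScan + "': " + ex.GetType().Name + ": " + ex.Message);
    }
}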
/// <summary>
/// Blanks the delay-import text boxes and, when the file has a delay-import descriptor,
/// fills them from it.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageDelayImportDescriptor</c> may be null.</param>
public void SetDelayImport(PeFile peFile)
{
    // Reset first so no value from a previously displayed file survives.
    grAttr.Text = string.Empty;
    szName.Text = string.Empty;
    phmod.Text = string.Empty;
    pIAT.Text = string.Empty;
    pINT.Text = string.Empty;
    pBoundIAT.Text = string.Empty;
    pUnloadIAT.Text = string.Empty;
    dwTimeStamp.Text = string.Empty;

    var descriptor = peFile.ImageDelayImportDescriptor;
    if (descriptor == null)
    {
        return;
    }

    // Note the control is grAttr while the descriptor member is grAttrs.
    grAttr.Text = descriptor.grAttrs.ToHexString();
    szName.Text = descriptor.szName.ToHexString();
    phmod.Text = descriptor.phmod.ToHexString();
    pIAT.Text = descriptor.pIAT.ToHexString();
    pINT.Text = descriptor.pINT.ToHexString();
    pBoundIAT.Text = descriptor.pBoundIAT.ToHexString();
    pUnloadIAT.Text = descriptor.pUnloadIAT.ToHexString();
    dwTimeStamp.Text = descriptor.dwTimeStamp.ToHexString();
}
/// <summary>
/// Resets the digital-signature view and, for a signed file, shows the signature status,
/// the WIN_CERTIFICATE header fields and the details of the signing certificate.
/// </summary>
/// <param name="peFile">Parsed PE file.</param>
/// <remarks>
/// Only the three check boxes express a verification result. The issuer, subject, serial
/// number and the other certificate fields are copied from the certificate embedded in
/// the file and are displayed whether or not those checks succeed.
/// </remarks>
public void SetDigSignature(PeFile peFile)
{
    // --- Reset every control ---
    cbCertIsSigned.IsChecked = false;
    cbCertIsValid.IsChecked = false;
    cbCertIsValidChain.IsChecked = false;
    tbCertLength.Text = string.Empty;
    tbCertRevision.Text = string.Empty;
    tbCertType.Text = string.Empty;
    cbX509Archived.IsChecked = false;
    cbX509HasPrivateKey.IsChecked = false;
    tbX509FriendlyName.Text = string.Empty;
    tbX509Issuer.Text = string.Empty;
    tbX509Thumbprint.Text = string.Empty;
    tbX509Version.Text = string.Empty;
    tbX509NotAfter.Text = string.Empty;
    tbX509NotBefore.Text = string.Empty;
    tbX509SerialNumber.Text = string.Empty;
    tbX509SignatureAlgorithm.Text = string.Empty;
    tbX509Subject.Text = string.Empty;
    tbX509PrivateKey.Text = string.Empty;
    tbX509PublicKey.Text = string.Empty;
    tbX509Extensions.Text = string.Empty;
    tbX509CrlUrls.Text = string.Empty;

    if (!peFile.IsSigned)
    {
        return;
    }

    // --- Verification results ---
    // NOTE(review): the validity check is given the file path, not the parsed object;
    // confirm the file on disk cannot change between parsing and this call.
    cbCertIsValid.IsChecked = Utility.IsSignatureValid(peFile.FileLocation);
    cbCertIsSigned.IsChecked = peFile.IsSigned;
    // NOTE(review): the meaning of the 'true' argument is not visible here; presumably
    // it enables an online revocation lookup - confirm.
    cbCertIsValidChain.IsChecked = peFile.IsValidCertChain(true);

    // --- WIN_CERTIFICATE header ---
    var winCertificate = peFile.WinCertificate;
    tbCertLength.Text = winCertificate.dwLength.ToHexString();
    tbCertRevision.Text = winCertificate.wRevision.ToHexString();
    tbCertType.Text = winCertificate.wCertificateType.ToHexString();

    // --- Signing certificate details ---
    var certificate = peFile.PKCS7;
    cbX509Archived.IsChecked = certificate.Archived;
    cbX509HasPrivateKey.IsChecked = certificate.HasPrivateKey;
    tbX509FriendlyName.Text = certificate.FriendlyName;
    // One distinguished-name component per line.
    tbX509Issuer.Text = certificate.Issuer.Replace(", ", "\n");
    tbX509Thumbprint.Text = certificate.Thumbprint;
    tbX509Version.Text = certificate.Version.ToString();
    tbX509NotBefore.Text = certificate.NotBefore.ToLongDateString();
    tbX509NotAfter.Text = certificate.NotAfter.ToLongDateString();
    tbX509SerialNumber.Text = certificate.SerialNumber;
    tbX509SignatureAlgorithm.Text = certificate.SignatureAlgorithm.FriendlyName;
    tbX509Subject.Text = certificate.Subject.Replace(", ", "\n");
    tbX509PublicKey.Text = certificate.PublicKey.EncodedKeyValue.Format(true);
    // ToXmlString(false) leaves the private parameters out of the exported XML.
    tbX509PrivateKey.Text = certificate.PrivateKey?.ToXmlString(false);

    foreach (var extension in certificate.Extensions)
    {
        tbX509Extensions.Text += $"{extension.Format(true)}\n";
    }

    foreach (var crlUrl in peFile.GetCrlUrlList().Urls)
    {
        tbX509CrlUrls.Text += $"{crlUrl}\n";
    }
}
/// <summary>
/// Clears the load-config view and, when the file has a load-config directory,
/// fills every text box from it.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageLoadConfigDirectory</c> may be null.</param>
public void SetLoadConfig(PeFile peFile)
{
    ClearLoadConfig();

    var loadConfig = peFile.ImageLoadConfigDirectory;
    if (loadConfig == null)
    {
        return;
    }

    Size.Text = loadConfig.Size.ToHexString();
    TimeDateStamp.Text = loadConfig.TimeDateStamp.ToHexString();
    // MajorVesion, VirtualMemoryThershold and SecurityCoockie are written exactly as this
    // code references them; the spelling belongs to the directory type, not to this view.
    MajorVersion.Text = loadConfig.MajorVesion.ToHexString();
    MinorVersion.Text = loadConfig.MinorVersion.ToHexString();
    GlobalFlagsClear.Text = loadConfig.GlobalFlagsClear.ToHexString();
    GlobalFlagsSet.Text = loadConfig.GlobalFlagsSet.ToHexString();
    CriticalSectionDefaultTimeout.Text = loadConfig.CriticalSectionDefaultTimeout.ToHexString();
    DeCommitTotalFreeThreshold.Text = loadConfig.DeCommitTotalFreeThreshold.ToHexString();
    DeCommitFreeBlockThreshold.Text = loadConfig.DeCommitFreeBlockThreshold.ToHexString();
    LockPrefixTable.Text = loadConfig.LockPrefixTable.ToHexString();
    MaximumAllocationSize.Text = loadConfig.MaximumAllocationSize.ToHexString();
    VirtualMemoryThreshold.Text = loadConfig.VirtualMemoryThershold.ToHexString();
    ProcessHeapFlags.Text = loadConfig.ProcessHeapFlags.ToHexString();
    ProcessAffinityMask.Text = loadConfig.ProcessAffinityMask.ToHexString();
    CSDVersion.Text = loadConfig.CSDVersion.ToHexString();
    Reserved1.Text = loadConfig.Reserved1.ToHexString();
    EditList.Text = loadConfig.EditList.ToHexString();

    // Security cookie, SEH handler table and the guard (GuardCF*) fields.
    SecurityCookie.Text = loadConfig.SecurityCoockie.ToHexString();
    SEHandlerTable.Text = loadConfig.SEHandlerTable.ToHexString();
    SEHandlerCount.Text = loadConfig.SEHandlerCount.ToHexString();
    GuardCFCheckFunctionPointer.Text = loadConfig.GuardCFCheckFunctionPointer.ToHexString();
    Reserved2.Text = loadConfig.Reserved2.ToHexString();
    GuardCFFunctionTable.Text = loadConfig.GuardCFFunctionTable.ToHexString();
    GuardCFFunctionCount.Text = loadConfig.GuardCFFunctionCount.ToHexString();
    GuardFlags.Text = loadConfig.GuardFlags.ToHexString();
}
/// <summary>
/// Shows the file's location, its size in bytes and the hash values the parsed file exposes.
/// </summary>
/// <param name="peFile">Parsed PE file.</param>
public void SetFileInfo(PeFile peFile)
{
    tbLocation.Text = peFile.FileLocation;
    tbSize.Text = string.Format("{0} Bytes", peFile.FileSize);

    // File hashes, then the import hash. They identify the sample; none of them is
    // compared against anything in this method.
    tbMD5.Text = peFile.MD5;
    tbSHA1.Text = peFile.SHA1;
    tbSHA256.Text = peFile.SHA256;
    tbImpHash.Text = peFile.ImpHash;
}
/// <summary>
/// Appends one row per TLS callback of <paramref name="peFile"/> to the Callbacks list.
/// </summary>
/// <param name="peFile">Parsed PE file; the TLS directory or its callback list may be null.</param>
/// <remarks>This method only appends; it does not remove rows that are already present.</remarks>
private void SetCallbacks(PeFile peFile)
{
    var tlsCallbacks = peFile.ImageTlsDirectory?.TlsCallbacks;
    if (tlsCallbacks == null)
    {
        return;
    }

    foreach (var tlsCallback in tlsCallbacks)
    {
        // The anonymous object exposes a single member named Callback.
        Callbacks.Items.Add(new { Callback = tlsCallback.Callback.ToHexString() });
    }
}
/// <summary>
/// Adds the basic properties of <paramref name="FiletoScan"/> to the report: MD5, SHA-1,
/// Authentihash, import hash, guessed MIME type and file size.
/// </summary>
/// <param name="FiletoScan">Path of the file to analyse.</param>
/// <param name="raport">Report that receives the values.</param>
/// <remarks>
/// When anything in the PE-based path throws, the values are produced without the PE
/// parser and the import hash and the size are reported as empty strings. Because the
/// catch covers the whole try block, a failure inside the first AddBasicProperties call
/// also leads to the second call. Exceptions raised in the fallback are not handled here.
/// </remarks>
public BasicProperties(string FiletoScan, ref XMLParser raport)
{
    try
    {
        var peHeader = new PeNet.PeFile(FiletoScan);

        // Locals are filled in the same order the values are passed to the report.
        var md5 = peHeader.MD5;
        var sha1 = peHeader.SHA1;
        var authentihash = AuthentihashCheckSum(FiletoScan);
        var importHash = peHeader.ImpHash;
        var mimeType = MimeGuesser.GuessFileType(FiletoScan).MimeType;
        var fileSize = peHeader.FileSize.ToString();

        raport.AddBasicProperties(md5, sha1, authentihash, importHash, mimeType, fileSize);
    }
    catch (Exception)
    {
        // Fallback: hashes come from the local helper methods instead of the PE parser.
        var md5 = MD5CheckSum(FiletoScan);
        var sha1 = SHA1CheckSum(FiletoScan);
        var authentihash = AuthentihashCheckSum(FiletoScan);
        var mimeType = MimeGuesser.GuessFileType(FiletoScan).MimeType;

        raport.AddBasicProperties(md5, sha1, authentihash, "", mimeType, "");
    }
}
/// <summary>
/// Rebuilds the export list: one row per exported function with its name, ordinal and
/// address.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ExportedFunctions</c> may be null.</param>
public void SetExports(PeFile peFile)
{
    lbExports.Items.Clear();

    var exportedFunctions = peFile.ExportedFunctions;
    if (exportedFunctions == null)
    {
        return;
    }

    foreach (var export in exportedFunctions)
    {
        // The address is formatted as upper-case hex with a "0x" prefix.
        var rva = "0x" + export.Address.ToString("X");
        lbExports.Items.Add(new { export.Name, export.Ordinal, RVA = rva });
    }
}
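/// <summary>
/// Adds one row per data-directory entry (index, name, virtual address, size) to the
/// directory grid.
/// </summary>
/// <param name="peFile">Parsed PE file whose optional header supplies the entries.</param>
/// <remarks>
/// NumberOfRvaAndSizes is a header field read from the file, so it is not trusted as an
/// array bound: the loop also stops at the end of the DataDirectory array. A header that
/// declares more entries than were parsed no longer raises an index-out-of-range error.
/// NOTE(review): the grid is not cleared here, so calling this twice appends the rows
/// again; confirm whether the caller resets the grid.
/// </remarks>
public void SetDirectoryView(PeFile peFile)
{
    var optionalHeader = peFile.ImageNtHeaders.OptionalHeader;
    var directories = optionalHeader.DataDirectory;
    if (directories == null)
    {
        return;
    }

    var declaredCount = optionalHeader.NumberOfRvaAndSizes;
    for (var i = 0; i < declaredCount && i < directories.Length; i++)
    {
        dgDirectories.Items.Add(new
        {
            Number = i,
            Name = GetDirectoryNameByIndex(i),
            VAddress = directories[i].VirtualAddress.ToHexString(),
            VSize = directories[i].Size.ToHexString()
        });
    }
}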
/// <summary>
/// Fills the file-header text boxes. Machine and Characteristics are shown both as hex
/// and in the resolved form returned by the Utility helpers.
/// </summary>
/// <param name="peFile">Parsed PE file whose <c>ImageNtHeaders.FileHeader</c> is displayed.</param>
public void SetFileHeader(PeFile peFile)
{
    var header = peFile.ImageNtHeaders.FileHeader;
    var machineValue = header.Machine;
    var characteristicsValue = header.Characteristics;

    // Raw value and resolved machine name on one line.
    tbMachine.Text = machineValue.ToHexString() + " <-> " + Utility.ResolveTargetMachine(machineValue);

    tbNumberOfSections.Text = header.NumberOfSections.ToHexString();
    tbTimeDateStamp.Text = header.TimeDateStamp.ToHexString();
    tbPointerToSymbolTable.Text = header.PointerToSymbolTable.ToHexString();
    tbNumberOfSymbols.Text = header.NumberOfSymbols.ToHexString();
    tbSizeOfOptionalHeader.Text = header.SizeOfOptionalHeader.ToHexString();

    // Raw value, a blank line, then the resolved characteristics.
    tbCharacteristics.Text = characteristicsValue.ToHexString() + "\n\n" + Utility.ResolveFileCharacteristics(characteristicsValue);
}
/// <summary>
/// Blanks the bound-import text boxes and, when the file has a bound-import descriptor,
/// fills them from it.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageBoundImportDescriptor</c> may be null.</param>
public void SetBoundImport(PeFile peFile)
{
    // Reset first so no value from a previously displayed file survives.
    tbBoundImportNumberOfModuleForwarderRefs.Text = string.Empty;
    tbBoundImportOffsetModuleName.Text = string.Empty;
    tbBoundImportTimeDateStamp.Text = string.Empty;

    var boundImport = peFile.ImageBoundImportDescriptor;
    if (boundImport == null)
    {
        return;
    }

    tbBoundImportNumberOfModuleForwarderRefs.Text = boundImport.NumberOfModuleForwarderRefs.ToHexString();
    tbBoundImportOffsetModuleName.Text = boundImport.OffsetModuleName.ToHexString();
    tbBoundImportTimeDateStamp.Text = boundImport.TimeDateStamp.ToHexString();
}
/// <summary>
/// Runs the whole transformation on the file at <paramref name="filePath"/>: parses it
/// as a PE file, extracts its code with ParseCode, updates the statistics, then calls
/// the print and obfuscation steps in a fixed order.
/// </summary>
/// <param name="filePath">Path of the PE file to process.</param>
/// <remarks>
/// No exception is caught here; a failure in any step aborts the remaining ones.
/// NOTE(review): ObfuscateAssembly receives the path as well as the parsed file, and the
/// following print steps read from the path again. Whether the file is rewritten in
/// place is not visible here - confirm before running this on the only copy of a file.
/// </remarks>
public void Transform(string filePath)
{
    var peFile = new PeNet.PeFile(filePath);

    // Code is stored on the instance and then passed to the later steps.
    Code = ParseCode(peFile);
    UpdateStatistics(Code, m_statistics);

    // Output for the input file comes before the obfuscation step.
    PrintOriginalAssembly(peFile, filePath);
    ObfuscateAssembly(filePath, peFile, Code);

    // Both calls below take the path; the second also takes the PeFile parsed at the top.
    PrintNewAssembly(filePath);
    PrintNewAssemblyMisinterpreted(filePath, peFile);
}
/// <summary>
/// Clears the TLS view (fields and callback list) and, when the file has a TLS
/// directory, fills the fields and then lists the callbacks through SetCallbacks.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageTlsDirectory</c> may be null.</param>
public void SetTlsDirectory(PeFile peFile)
{
    ClearTlsDirectory();
    ClearTlsCallbacks();

    var tlsDirectory = peFile.ImageTlsDirectory;
    if (tlsDirectory == null)
    {
        return;
    }

    StartAddressOfRawData.Text = tlsDirectory.StartAddressOfRawData.ToHexString();
    EndAddressOfRawData.Text = tlsDirectory.EndAddressOfRawData.ToHexString();
    AddressOfIndex.Text = tlsDirectory.AddressOfIndex.ToHexString();
    AddressOfCallBacks.Text = tlsDirectory.AddressOfCallBacks.ToHexString();
    SizeOfZeroFill.Text = tlsDirectory.SizeOfZeroFill.ToHexString();
    Characteristics.Text = tlsDirectory.Characteristics.ToHexString();

    // The callback rows are added last, after the scalar fields.
    SetCallbacks(peFile);
}
/// <summary>
/// Remembers <paramref name="peFile"/>, empties both relocation lists and, when the file
/// reports a valid relocation directory, adds one row per relocation block.
/// </summary>
/// <param name="peFile">Parsed PE file.</param>
/// <remarks>Only the block list is filled here; the type/offset list is just cleared.</remarks>
public void SetRelocations(PeFile peFile)
{
    _peFile = peFile;

    lbRelocationEntries.Items.Clear();
    lbRelocTypeOffsets.Items.Clear();

    if (!peFile.HasValidRelocDir)
    {
        return;
    }

    foreach (var block in peFile.ImageRelocationDirectory)
    {
        var row = new
        {
            VirtualAddress = block.VirtualAddress.ToHexString(),
            SizeOfBlock = block.SizeOfBlock.ToHexString()
        };
        lbRelocationEntries.Items.Add(row);
    }
}
/// <summary>
/// Remembers <paramref name="peFile"/>, empties the runtime-function list and, for a file
/// that is not 32-bit and has runtime functions, adds one row per function.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>RuntimeFunctions</c> may be null.</param>
public void SetException(PeFile peFile)
{
    _peFile = peFile;
    lbRuntimeFunctions.Items.Clear();

    // 32-bit files are skipped before RuntimeFunctions is looked at.
    if (peFile.Is32Bit)
    {
        return;
    }

    if (peFile.RuntimeFunctions == null)
    {
        return;
    }

    foreach (var runtimeFunction in peFile.RuntimeFunctions)
    {
        var row = new
        {
            FunctionStart = runtimeFunction.FunctionStart.ToHexString(),
            FunctionEnd = runtimeFunction.FunctionEnd.ToHexString(),
            UnwindInfo = runtimeFunction.UnwindInfo.ToHexString()
        };
        lbRuntimeFunctions.Items.Add(row);
    }
}
/// <summary>
/// Adds one numbered row per section header to the sections grid: name, virtual and raw
/// sizes and addresses, and the characteristics as hex and as resolved flag names.
/// </summary>
/// <param name="peFile">Parsed PE file whose <c>ImageSectionHeaders</c> are listed.</param>
/// <remarks>Rows are only appended; the grid is not cleared in this method.</remarks>
public void SetSections(PeFile peFile)
{
    var rowNumber = 1;

    foreach (var section in peFile.ImageSectionHeaders)
    {
        // Resolved flag names, comma separated.
        var resolvedFlags = string.Join(", ", Utility.ResolveSectionFlags(section.Characteristics));

        dgSections.Items.Add(new
        {
            // Numbering starts at 1 and advances once per row.
            Number = rowNumber++,
            Name = Utility.ResolveSectionName(section.Name),
            VSize = section.VirtualSize.ToHexString(),
            VAddress = section.VirtualAddress.ToHexString(),
            PSize = section.SizeOfRawData.ToHexString(),
            // NOTE(review): in the PE section header, PhysicalAddress shares its storage
            // with VirtualSize; the raw-data file offset is PointerToRawData. Confirm
            // which of the two this column is meant to show.
            PAddress = section.PhysicalAddress.ToHexString(),
            Flags = section.Characteristics.ToHexString(),
            RFlags = resolvedFlags
        });
    }
}
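/// <summary>
/// Parses <paramref name="FiletoScan"/> as a PE file and adds its target machine,
/// compilation timestamp, entry point and section count to the report.
/// </summary>
/// <param name="FiletoScan">Path of the file to analyse.</param>
/// <param name="raport">Report that receives the header values.</param>
/// <exception cref="ArgumentException">
/// Thrown with message "No PE" when the NT signature is wrong or when any step fails.
/// The underlying failure is attached as the inner exception, so a parser or report
/// error can be told apart from a file that simply is not a PE.
/// </exception>
public PEHeader(string FiletoScan, ref XMLParser raport)
{
    // 17744 == 0x4550, the bytes "PE\0\0" read as a little-endian value. Every PE file
    // carries this signature; without it the header is not worth inspecting.
    const int PeSignature = 0x4550;

    try
    {
        var peHeader = new PeNet.PeFile(FiletoScan);
        if (peHeader.ImageNtHeaders.Signature != PeSignature)
        {
            throw new ArgumentException("No PE", "original");
        }

        var containedsections = peHeader.ImageSectionHeaders.Length;
        var entrypoint = peHeader.ImageNtHeaders.OptionalHeader.AddressOfEntryPoint;
        var targetmachine = PeNet.Utilities.FlagResolver.ResolveTargetMachine(peHeader.ImageNtHeaders.FileHeader.Machine);

        // TimeDateStamp is added as seconds to 1970-01-01 UTC. The value is taken from
        // the file header as-is; nothing here checks that it is a plausible build time.
        var compilationtimestamp = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
            .AddSeconds(peHeader.ImageNtHeaders.FileHeader.TimeDateStamp);

        // NOTE(review): ToString() without a format provider follows the current
        // culture, so the timestamp text can differ between machines - confirm this is
        // acceptable for the report.
        raport.AddPEHeader(targetmachine, compilationtimestamp.ToString(), entrypoint.ToString(), containedsections.ToString());
    }
    catch (Exception ex)
    {
        // Same exception type, message and parameter name as before; only the cause is added.
        throw new ArgumentException("No PE", "original", ex);
    }
}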
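/// <summary>
/// Remembers <paramref name="peFile"/> and rebuilds the DLL list with one row per
/// distinct DLL name found in the imported functions, in first-seen order.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImportedFunctions</c> may be null.</param>
/// <remarks>
/// The DLL names are listed directly. The previous per-DLL dictionary of functions was
/// built and never read, and it threw on a null DLL name; such a name now yields a row
/// instead of aborting the listing.
/// </remarks>
public void SetImports(PeFile peFile)
{
    _peFile = peFile;
    lbImportDlls.Items.Clear();

    var importedFunctions = peFile.ImportedFunctions;
    if (importedFunctions == null)
    {
        return;
    }

    foreach (var dllName in importedFunctions.Select(x => x.DLL).Distinct())
    {
        lbImportDlls.Items.Add(new { DLL = dllName });
    }
}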
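/// <summary>
/// Parses <paramref name="FiletoScan"/> as a PE file and adds one report entry per
/// section: name, virtual address, virtual size, raw size, entropy and MD5 of the
/// section's raw bytes.
/// </summary>
/// <param name="FiletoScan">Path of the file to analyse.</param>
/// <param name="raport">Report that receives the section entries.</param>
/// <remarks>
/// PointerToRawData and SizeOfRawData come from the file and are not trusted as buffer
/// bounds. The byte range is computed in 64-bit arithmetic and clamped to the file
/// buffer, so a section that claims data beyond the end of the file no longer causes a
/// wrapped loop bound, an oversized allocation or an out-of-range read. Entropy and MD5
/// then cover only the bytes that are actually present, while the reported raw size
/// stays the header value. For a well-formed file the output is unchanged.
/// </remarks>
public PESections(string FiletoScan, ref XMLParser raport)
{
    var peHeader = new PeNet.PeFile(FiletoScan);
    var fileBytes = peHeader.Buff;
    var sectionHeaders = peHeader.ImageSectionHeaders;
    if (fileBytes == null || sectionHeaders == null)
    {
        // Nothing to measure without a buffer or a section table.
        return;
    }

    foreach (var section in sectionHeaders)
    {
        // 64-bit so that offset + size cannot wrap around.
        long start = section.PointerToRawData;
        long end = start + section.SizeOfRawData;
        long fileLength = fileBytes.Length;
        if (start > fileLength)
        {
            start = fileLength;
        }
        if (end > fileLength)
        {
            end = fileLength;
        }

        // Fits in an int because it is bounded by the buffer length.
        int available = (int)(end - start);
        byte[] sectionBytes = new byte[available];
        Array.Copy(fileBytes, start, sectionBytes, 0L, (long)available);

        // Byte histogram used by CountEntropy.
        uint[] byte_count = new uint[256];
        foreach (byte value in sectionBytes)
        {
            ++byte_count[value];
        }

        // MD5 serves as a section fingerprint in the report.
        using (MD5 md5 = MD5.Create())
        {
            raport.AddPESection(
                PeNet.Utilities.FlagResolver.ResolveSectionName(section.Name),
                section.VirtualAddress.ToString(),
                section.VirtualSize.ToString(),
                section.SizeOfRawData.ToString(),
                CountEntropy(byte_count, (uint)available).ToString(),
                BitConverter.ToString(md5.ComputeHash(sectionBytes)).Replace("-", string.Empty));
        }
    }
}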
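/// <summary>
/// Reads the version resource of <paramref name="FiletoScan"/> and adds it to the report
/// as "signed" or "not signed" according to the PE parser; for a signed file it also
/// records whether the signature is valid.
/// </summary>
/// <param name="FiletoScan">Path of the file to analyse.</param>
/// <param name="raport">Report that receives the version and signature information.</param>
/// <remarks>
/// The version strings (company name, description and so on) are whatever the file
/// declares about itself; only the IsSigned / IsSignatureValid results say anything
/// about its origin. FileVersionInfo.GetVersionInfo runs outside the try block, so its
/// exceptions reach the caller. Failures inside the try block remain non-fatal but are
/// written to the trace listeners instead of being discarded.
/// </remarks>
public FileversionInfo(string FiletoScan, ref XMLParser raport)
{
    this.raport = raport;
    FileVersionInfo filever = FileVersionInfo.GetVersionInfo(FiletoScan);
    try
    {
        var peHeader = new PeNet.PeFile(FiletoScan);

        // Both report calls take the same eight values; missing strings become "".
        string comments = filever.Comments ?? "";
        string companyName = filever.CompanyName ?? "";
        string fileBuildPart = filever.FileBuildPart.ToString();
        string fileDescription = filever.FileDescription ?? "";
        string fileVersion = filever.FileVersion ?? "";
        string internalName = filever.InternalName ?? "";
        string language = filever.Language ?? "";
        string specialBuild = filever.SpecialBuild ?? "";

        if (peHeader.IsSigned)
        {
            raport.AddFileVersionSigned(comments, companyName, fileBuildPart, fileDescription,
                fileVersion, internalName, language, specialBuild);

            if (peHeader.IsSignatureValid)
            {
                raport.AddFileVersionSignedValid(peHeader.PKCS7);
            }
            else
            {
                raport.AddFileVersionSignedInvalid();
            }
        }
        else
        {
            raport.AddFileVersionNotSigned(comments, companyName, fileBuildPart, fileDescription,
                fileVersion, internalName, language, specialBuild);
        }
    }
    catch (Exception ex)
    {
        // Still best effort (no rethrow), but no longer silent.
        System.Diagnostics.Trace.TraceWarning(
            "FileversionInfo: version/signature data not reported for '" + FiletoScan + "': " + ex.GetType().Name + ": " + ex.Message);
    }
}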
/// <summary>
/// Fills the DOS-header text boxes from <paramref name="peFile"/>. When e_magic equals
/// 0x5A4D the text "MZ" is appended to its hex value.
/// </summary>
/// <param name="peFile">Parsed PE file whose <c>ImageDosHeader</c> is displayed.</param>
public void SetDosHeader(PeFile peFile)
{
    var magic = peFile.ImageDosHeader.e_magic;
    if (magic == 0x5A4D)
    {
        tbe_magic.Text = $"{magic.ToHexString()} <-> MZ";
    }
    else
    {
        // Any other value is shown as plain hex.
        tbe_magic.Text = magic.ToHexString();
    }

    var dosHeader = peFile.ImageDosHeader;
    tbe_cblp.Text = dosHeader.e_cblp.ToHexString();
    tbe_cp.Text = dosHeader.e_cp.ToHexString();
    tbe_crlc.Text = dosHeader.e_crlc.ToHexString();
    tbe_cparhdr.Text = dosHeader.e_cparhdr.ToHexString();
    tbe_minalloc.Text = dosHeader.e_minalloc.ToHexString();
    tbe_maxalloc.Text = dosHeader.e_maxalloc.ToHexString();
    tbe_ss.Text = dosHeader.e_ss.ToHexString();
    tbe_sp.Text = dosHeader.e_sp.ToHexString();
    tbe_csum.Text = dosHeader.e_csum.ToHexString();
    tbe_ip.Text = dosHeader.e_ip.ToHexString();
    tbe_cs.Text = dosHeader.e_cs.ToHexString();
    tbe_lfarlc.Text = dosHeader.e_lfarlc.ToHexString();
    tbe_ovno.Text = dosHeader.e_ovno.ToHexString();
    tbe_res.Text = dosHeader.e_res.ToHexString();
    tbe_oemid.Text = dosHeader.e_oemid.ToHexString();
    tbe_oeminfo.Text = dosHeader.e_oeminfo.ToHexString();
    tbe_res2.Text = dosHeader.e_res2.ToHexString();
    tbe_lfanew.Text = dosHeader.e_lfanew.ToHexString();
}
/// <summary>
/// Shows the NT-headers signature of <paramref name="peFile"/> in the signature text box.
/// </summary>
/// <param name="peFile">Parsed PE file whose <c>ImageNtHeaders.Signature</c> is displayed.</param>
public void SetNtHeader(PeFile peFile)
{
    var ntSignature = peFile.ImageNtHeaders.Signature;
    tbSignature.Text = ntSignature.ToHexString();
}
/// <summary>
/// Opens <paramref name="file"/>: shows its path in the status bar, parses it as a PE
/// file and pushes the result into every view of the window.
/// </summary>
/// <param name="file">Path of the file chosen by the user.</param>
/// <remarks>
/// The path is written to the status bar before the file is checked. Both a failed
/// IsPEFile check and any exception from the PeFile constructor end in the same
/// "invalid PE file" message box, so the reason a file was rejected is not shown.
/// The catch covers parsing only; exceptions from the view setters are not handled here.
/// </remarks>
private void FileOpen(string file)
{
    tbStatusBarLocation.Text = file;

    if (!PeFile.IsPEFile(file))
    {
        ShowInvalidPeFileMsgBox();
        return;
    }

    PeFile peFile;
    try
    {
        peFile = new PeFile(file);
    }
    catch (Exception)
    {
        ShowInvalidPeFileMsgBox();
        return;
    }

    _peFile = peFile;

    // General file information and the DOS / NT / file headers.
    FileInfo.SetFileInfo(peFile);
    DosNtHeader.SetDosHeader(peFile);
    DosNtHeader.SetNtHeader(peFile);
    FileHeaderDebug.SetFileHeader(peFile);
    FileHeaderDebug.SetDebug(peFile);
    OptionalHeader.SetOptionalHeader(peFile);

    // Imports, exports, resources and sections.
    Imports.SetImports(peFile);
    Exports.SetExports(peFile);
    Resource.SetResources(peFile);
    SectionHeaders.SetSections(peFile);

    // Exception data (x64 only) and relocations.
    Exceptions.SetException(peFile);
    Relocation.SetRelocations(peFile);

    // Digital signature.
    Signature.SetDigSignature(peFile);

    // Bound and delay imports, TLS, load config and the data-directory overview.
    DebugBoundImport.SetBoundImport(peFile);
    DebugBoundImport.SetDelayImport(peFile);
    TlsDirectory.SetTlsDirectory(peFile);
    LoadConfig.SetLoadConfig(peFile);
    DirectoryView.SetDirectoryView(peFile);
}
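/// <summary>
/// Remembers <paramref name="peFile"/> and rebuilds the resource tree: a root node, one
/// node per type entry, one per name/ID entry beneath it and one per third-level entry.
/// </summary>
/// <param name="peFile">Parsed PE file; its <c>ImageResourceDirectory</c> may be null.</param>
/// <remarks>
/// The resource directory is parsed from the file and may be incomplete. A missing entry,
/// a missing sub-directory or a type entry that is neither an ID nor a named entry is
/// skipped; it no longer raises a null-reference error or puts a null node in the tree.
/// </remarks>
public void SetResources(PeFile peFile)
{
    _peFile = peFile;

    // Clear the tree.
    tbResources.Items.Clear();

    var rd = peFile.ImageResourceDirectory;
    if (rd == null)
    {
        return;
    }

    var root = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(null)
    {
        Header = "Resource Directory"
    };

    var typeEntries = rd.DirectoryEntries;
    if (typeEntries != null)
    {
        // Level 1: resource types.
        foreach (var de in typeEntries)
        {
            if (de == null)
            {
                continue;
            }

            MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY> item = null;
            if (de.IsIdEntry)
            {
                item = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de)
                {
                    Header = Utility.ResolveResourceId(de.ID)
                };
            }
            else if (de.IsNamedEntry)
            {
                item = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de)
                {
                    Header = de.ResolvedName
                };
            }

            if (item == null)
            {
                // Neither kind of entry: there is no header to show it under.
                continue;
            }

            // Level 2: names / IDs.
            var nameEntries = de.ResourceDirectory?.DirectoryEntries;
            if (nameEntries != null)
            {
                foreach (var de2 in nameEntries)
                {
                    if (de2 == null)
                    {
                        continue;
                    }

                    var item2 = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de2)
                    {
                        Header = de2.ID.ToString()
                    };

                    // Level 3: entries below the name/ID node.
                    var leafEntries = de2.ResourceDirectory?.DirectoryEntries;
                    if (leafEntries != null)
                    {
                        foreach (var de3 in leafEntries)
                        {
                            if (de3 == null)
                            {
                                continue;
                            }

                            item2.Items.Add(new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de3)
                            {
                                Header = de3.ID.ToHexString()
                            });
                        }
                    }

                    item.Items.Add(item2);
                }
            }

            root.Items.Add(item);
        }
    }

    tbResources.Items.Add(root);
}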
/// <summary>
/// Attempts to parse the given file as a PE file and reports whether the parsed file
/// considers itself valid.
/// </summary>
/// <param name="file">Path to a possible PE file.</param>
/// <returns>
/// False when constructing the <c>PeFile</c> throws; otherwise the value of its
/// <c>IsValidPeFile</c> property.
/// </returns>
/// <remarks>
/// Every exception from the constructor is mapped to false, so an unreadable file and a
/// malformed one give the same answer. An exception thrown while evaluating
/// <c>IsValidPeFile</c> is not caught.
/// </remarks>
public static bool IsValidPEFile(string file)
{
    PeFile parsed;

    try
    {
        parsed = new PeFile(file);
    }
    catch
    {
        // Parsing failed: treat the file as not valid.
        return false;
    }

    // Deliberately evaluated outside the try block.
    var isValid = parsed.IsValidPeFile;
    return isValid;
}