/// <summary>
/// Builds the view model for a PE file header from already-parsed header data.
/// </summary>
/// <param name="buffer">Hex buffer the header lives in; this constructor does not read it directly.</param>
/// <param name="fileHeader">Parsed header; its span is passed to the base class and each member becomes a hex field.</param>
/// <remarks>
/// Every value exposed here is taken from the file as-is and nothing in this constructor validates it.
/// When triaging an untrusted binary, treat TimeDateStamp as author-controlled (it is not a reliable
/// build time) and read the Characteristics bits as claims made by the file, not verified facts.
/// </remarks>
public ImageFileHeaderVM(HexBuffer buffer, PeFileHeaderData fileHeader)
    : base(fileHeader.Span) {
    Name = fileHeader.Name;

    // Machine is shown as one 16-bit enumerated value rather than as individual bits.
    MachineVM = new UInt16FlagsHexField(fileHeader.Machine);
    MachineVM.Add(new IntegerHexBitField(fileHeader.Machine.Name, 0, 16, MachineInfos));

    NumberOfSectionsVM = new UInt16HexField(fileHeader.NumberOfSections);

    TimeDateStampVM = new UInt32HexField(fileHeader.TimeDateStamp.Data, fileHeader.TimeDateStamp.Name);
    // Keep the formatted timestamp in sync with edits to the raw value.
    TimeDateStampVM.DataFieldVM.PropertyChanged +=
        (sender, args) => OnPropertyChanged(nameof(TimeDateStampString));

    PointerToSymbolTableVM = new UInt32HexField(fileHeader.PointerToSymbolTable);
    NumberOfSymbolsVM = new UInt32HexField(fileHeader.NumberOfSymbols);
    SizeOfOptionalHeaderVM = new UInt16HexField(fileHeader.SizeOfOptionalHeader);

    // Array index == bit position in the Characteristics word.
    string[] characteristicBitNames = {
        "Relocs Stripped",
        "Executable Image",
        "Line Nums Stripped",
        "Local Syms Stripped",
        "Aggressive WS Trim",
        "Large Address Aware",
        "Reserved 0040h",
        "Bytes Reversed Lo",
        "32-Bit Machine",
        "Debug Stripped",
        "Removable Run From Swap",
        "Net Run From Swap",
        "System",
        "Dll",
        "Up System Only",
        "Bytes Reversed Hi",
    };
    CharacteristicsVM = new UInt16FlagsHexField(fileHeader.Characteristics);
    for (int bit = 0; bit < characteristicBitNames.Length; bit++)
        CharacteristicsVM.Add(new BooleanHexBitField(characteristicBitNames[bit], bit));

    // Fields are listed in on-disk order.
    hexFields = new HexField[] {
        MachineVM,
        NumberOfSectionsVM,
        TimeDateStampVM,
        PointerToSymbolTableVM,
        NumberOfSymbolsVM,
        SizeOfOptionalHeaderVM,
        CharacteristicsVM,
    };
}
/// <summary>
/// Builds the shared part of the PE optional-header view model from already-parsed header data.
/// </summary>
/// <param name="buffer">Hex buffer the header lives in; this constructor does not read it directly.</param>
/// <param name="optionalHeader">Parsed optional header; its span is passed to the base class.</param>
/// <remarks>
/// <c>hexFields</c> is deliberately left unset (null-forgiven) here; presumably a derived class fills it in.
/// The DllCharacteristics word is the one to read when assessing a binary's hardening: bits 5, 6, 8 and 14
/// are the opt-ins labelled High Entropy VA, Dynamic Base, NX Compat and Guard CF. All values are displayed
/// exactly as stored in the file; CheckSum in particular is shown, not verified.
/// </remarks>
protected ImageOptionalHeaderVM(HexBuffer buffer, PeOptionalHeaderData optionalHeader)
    : base(optionalHeader.Span) {
    hexFields = null!;

    MagicVM = new UInt16HexField(optionalHeader.Magic);
    MajorLinkerVersionVM = new ByteHexField(optionalHeader.MajorLinkerVersion, true);
    MinorLinkerVersionVM = new ByteHexField(optionalHeader.MinorLinkerVersion, true);
    SizeOfCodeVM = new UInt32HexField(optionalHeader.SizeOfCode);
    SizeOfInitializedDataVM = new UInt32HexField(optionalHeader.SizeOfInitializedData);
    SizeOfUninitializedDataVM = new UInt32HexField(optionalHeader.SizeOfUninitializedData);
    AddressOfEntryPointVM = new UInt32HexField(optionalHeader.AddressOfEntryPoint);
    BaseOfCodeVM = new UInt32HexField(optionalHeader.BaseOfCode);

    SectionAlignmentVM = new UInt32HexField(optionalHeader.SectionAlignment);
    FileAlignmentVM = new UInt32HexField(optionalHeader.FileAlignment);
    MajorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MajorOperatingSystemVersion, true);
    MinorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MinorOperatingSystemVersion, true);
    MajorImageVersionVM = new UInt16HexField(optionalHeader.MajorImageVersion, true);
    MinorImageVersionVM = new UInt16HexField(optionalHeader.MinorImageVersion, true);
    MajorSubsystemVersionVM = new UInt16HexField(optionalHeader.MajorSubsystemVersion, true);
    MinorSubsystemVersionVM = new UInt16HexField(optionalHeader.MinorSubsystemVersion, true);
    Win32VersionValueVM = new UInt32HexField(optionalHeader.Win32VersionValue, true);
    SizeOfImageVM = new UInt32HexField(optionalHeader.SizeOfImage);
    SizeOfHeadersVM = new UInt32HexField(optionalHeader.SizeOfHeaders);
    CheckSumVM = new UInt32HexField(optionalHeader.CheckSum);

    // Subsystem is a single 16-bit enumerated value.
    SubsystemVM = new UInt16FlagsHexField(optionalHeader.Subsystem);
    SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

    // Array index == bit position in the DllCharacteristics word.
    string[] dllCharacteristicBitNames = {
        "Reserved1",
        "Reserved2",
        "Reserved3",
        "Reserved4",
        "Reserved5",
        "High Entropy VA",
        "Dynamic Base",
        "Force Integrity",
        "NX Compat",
        "No Isolation",
        "No SEH",
        "No Bind",
        "AppContainer",
        "WDM Driver",
        "Guard CF",
        "Terminal Server Aware",
    };
    DllCharacteristicsVM = new UInt16FlagsHexField(optionalHeader.DllCharacteristics);
    for (int bit = 0; bit < dllCharacteristicBitNames.Length; bit++)
        DllCharacteristicsVM.Add(new BooleanHexBitField(dllCharacteristicBitNames[bit], bit));

    LoaderFlagsVM = new UInt32HexField(optionalHeader.LoaderFlags);
    NumberOfRvaAndSizesVM = new UInt32HexField(optionalHeader.NumberOfRvaAndSizes);

    // One view model per data-directory slot, in table order.
    DataDir0VM = Create(optionalHeader, 0, "Export");
    DataDir1VM = Create(optionalHeader, 1, "Import");
    DataDir2VM = Create(optionalHeader, 2, "Resource");
    DataDir3VM = Create(optionalHeader, 3, "Exception");
    DataDir4VM = Create(optionalHeader, 4, "Security");
    DataDir5VM = Create(optionalHeader, 5, "Base Reloc");
    DataDir6VM = Create(optionalHeader, 6, "Debug");
    DataDir7VM = Create(optionalHeader, 7, "Architecture");
    DataDir8VM = Create(optionalHeader, 8, "Global Ptr");
    DataDir9VM = Create(optionalHeader, 9, "TLS");
    DataDir10VM = Create(optionalHeader, 10, "Load Config");
    DataDir11VM = Create(optionalHeader, 11, "Bound Import");
    DataDir12VM = Create(optionalHeader, 12, "IAT");
    DataDir13VM = Create(optionalHeader, 13, "Delay Import");
    DataDir14VM = Create(optionalHeader, 14, ".NET");
    DataDir15VM = Create(optionalHeader, 15, "Reserved15");
}
/// <summary>
/// Creates the hex field for one column of this metadata record, decoding column 0 as a 16-bit
/// flags word and deferring every other column to the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field with named bit ranges for column 0; otherwise the base class's field.</returns>
/// <remarks>
/// The bit names match P/Invoke mapping flags; the enclosing class is outside this view, so that is
/// an inference. Rows carrying these flags mark calls that leave managed code, which makes them a
/// natural starting point when reviewing an assembly's native-interop surface.
/// </remarks>
protected override HexField CreateField(ColumnInfo colInfo) {
    if (colInfo.Index != 0)
        return base.CreateField(colInfo);

    // The column's position is its offset from the start of this record's span.
    var position = Span.Start + (uint)colInfo.Offset;
    var mappingFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, position);

    mappingFlags.Add(new BooleanHexBitField("NoMangle", 0));
    mappingFlags.Add(new IntegerHexBitField("CharSet", 1, 2, CharSetInfos));
    mappingFlags.Add(new IntegerHexBitField("BestFit", 4, 2, BestFitInfos));
    mappingFlags.Add(new BooleanHexBitField("SupportsLastError", 6));
    mappingFlags.Add(new IntegerHexBitField("CallConv", 8, 3, CallConvInfos));
    mappingFlags.Add(new IntegerHexBitField("ThrowOnUnmappableChar", 12, 2, ThrowOnUnmappableCharInfos));

    return mappingFlags;
}
/// <summary>
/// Builds the shared part of the PE optional-header view model by placing each field at a fixed
/// offset from <paramref name="startOffset"/> in the buffer.
/// </summary>
/// <param name="buffer">Hex buffer the fields read from.</param>
/// <param name="startOffset">Position of the first byte of the optional header.</param>
/// <param name="endOffset">Not used by this constructor.</param>
/// <param name="offs1">Offset of SectionAlignment relative to the header start.</param>
/// <param name="offs2">Offset of LoaderFlags relative to the header start.</param>
/// <remarks>
/// <paramref name="offs1"/> and <paramref name="offs2"/> presumably carry the PE32 / PE32+ layout
/// difference; confirm against the derived classes. Nothing here checks the computed positions against
/// the buffer or against SizeOfOptionalHeader, and all sixteen data-directory slots are created
/// regardless of the value stored in NumberOfRvaAndSizes. On a truncated or deliberately malformed
/// header the later fields can therefore display bytes that belong to whatever follows the header,
/// so cross-check those two size fields before trusting the directory entries.
/// </remarks>
protected ImageOptionalHeaderVM(HexBuffer buffer, HexPosition startOffset, HexPosition endOffset, ulong offs1, ulong offs2) {
    // Fixed-layout prefix, identical for every header variant.
    MagicVM = new UInt16HexField(buffer, Name, "Magic", startOffset + 0);
    MajorLinkerVersionVM = new ByteHexField(buffer, Name, "MajorLinkerVersion", startOffset + 2, true);
    MinorLinkerVersionVM = new ByteHexField(buffer, Name, "MinorLinkerVersion", startOffset + 3, true);
    SizeOfCodeVM = new UInt32HexField(buffer, Name, "SizeOfCode", startOffset + 4);
    SizeOfInitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfInitializedData", startOffset + 8);
    SizeOfUninitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfUninitializedData", startOffset + 0x0C);
    AddressOfEntryPointVM = new UInt32HexField(buffer, Name, "AddressOfEntryPoint", startOffset + 0x10);
    BaseOfCodeVM = new UInt32HexField(buffer, Name, "BaseOfCode", startOffset + 0x14);

    // Middle group, positioned relative to offs1.
    var midBase = startOffset + offs1;
    SectionAlignmentVM = new UInt32HexField(buffer, Name, "SectionAlignment", midBase + 0);
    FileAlignmentVM = new UInt32HexField(buffer, Name, "FileAlignment", midBase + 4);
    MajorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MajorOperatingSystemVersion", midBase + 8, true);
    MinorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MinorOperatingSystemVersion", midBase + 0x0A, true);
    MajorImageVersionVM = new UInt16HexField(buffer, Name, "MajorImageVersion", midBase + 0x0C, true);
    MinorImageVersionVM = new UInt16HexField(buffer, Name, "MinorImageVersion", midBase + 0x0E, true);
    MajorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MajorSubsystemVersion", midBase + 0x10, true);
    MinorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MinorSubsystemVersion", midBase + 0x12, true);
    Win32VersionValueVM = new UInt32HexField(buffer, Name, "Win32VersionValue", midBase + 0x14, true);
    SizeOfImageVM = new UInt32HexField(buffer, Name, "SizeOfImage", midBase + 0x18);
    SizeOfHeadersVM = new UInt32HexField(buffer, Name, "SizeOfHeaders", midBase + 0x1C);
    CheckSumVM = new UInt32HexField(buffer, Name, "CheckSum", midBase + 0x20);

    // Subsystem is a single 16-bit enumerated value.
    SubsystemVM = new UInt16FlagsHexField(buffer, Name, "Subsystem", midBase + 0x24);
    SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos));

    // Array index == bit position in the DllCharacteristics word.
    string[] dllCharacteristicBitNames = {
        "Reserved1",
        "Reserved2",
        "Reserved3",
        "Reserved4",
        "Reserved5",
        "High Entropy VA",
        "Dynamic Base",
        "Force Integrity",
        "NX Compat",
        "No Isolation",
        "No SEH",
        "No Bind",
        "AppContainer",
        "WDM Driver",
        "Guard CF",
        "Terminal Server Aware",
    };
    DllCharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "DllCharacteristics", midBase + 0x26);
    for (int bit = 0; bit < dllCharacteristicBitNames.Length; bit++)
        DllCharacteristicsVM.Add(new BooleanHexBitField(dllCharacteristicBitNames[bit], bit));

    // Tail group, positioned relative to offs2.
    var tailBase = startOffset + offs2;
    LoaderFlagsVM = new UInt32HexField(buffer, Name, "LoaderFlags", tailBase + 0);
    NumberOfRvaAndSizesVM = new UInt32HexField(buffer, Name, "NumberOfRvaAndSizes", tailBase + 4);

    // Data directories start 8 bytes after LoaderFlags; each entry is 8 bytes wide.
    ulong doffs = offs2 + 8;
    var dirBase = startOffset + doffs;
    DataDir0VM = new DataDirVM(buffer, Name, "Export", dirBase + 0);
    DataDir1VM = new DataDirVM(buffer, Name, "Import", dirBase + 8);
    DataDir2VM = new DataDirVM(buffer, Name, "Resource", dirBase + 0x10);
    DataDir3VM = new DataDirVM(buffer, Name, "Exception", dirBase + 0x18);
    DataDir4VM = new DataDirVM(buffer, Name, "Security", dirBase + 0x20);
    DataDir5VM = new DataDirVM(buffer, Name, "Base Reloc", dirBase + 0x28);
    DataDir6VM = new DataDirVM(buffer, Name, "Debug", dirBase + 0x30);
    DataDir7VM = new DataDirVM(buffer, Name, "Architecture", dirBase + 0x38);
    DataDir8VM = new DataDirVM(buffer, Name, "Global Ptr", dirBase + 0x40);
    DataDir9VM = new DataDirVM(buffer, Name, "TLS", dirBase + 0x48);
    DataDir10VM = new DataDirVM(buffer, Name, "Load Config", dirBase + 0x50);
    DataDir11VM = new DataDirVM(buffer, Name, "Bound Import", dirBase + 0x58);
    DataDir12VM = new DataDirVM(buffer, Name, "IAT", dirBase + 0x60);
    DataDir13VM = new DataDirVM(buffer, Name, "Delay Import", dirBase + 0x68);
    DataDir14VM = new DataDirVM(buffer, Name, ".NET", dirBase + 0x70);
    DataDir15VM = new DataDirVM(buffer, Name, "Reserved15", dirBase + 0x78);
}
/// <summary>
/// Creates the hex field for one column of this metadata record, decoding column 0 as a 16-bit
/// flags word with three named bits and deferring every other column to the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field for column 0; otherwise the base class's field.</returns>
/// <remarks>
/// Only bits 9, 10 and 12 are given names; any other bit set in the word has no label here.
/// The enclosing class is outside this view, so which table this record belongs to is not shown.
/// </remarks>
protected override HexField CreateField(ColumnInfo colInfo) {
    if (colInfo.Index != 0)
        return base.CreateField(colInfo);

    // The column's position is its offset from the start of this record's span.
    var position = Span.Start + (uint)colInfo.Offset;
    var attributeFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, position);

    attributeFlags.Add(new BooleanHexBitField("SpecialName", 9));
    attributeFlags.Add(new BooleanHexBitField("RTSpecialName", 10));
    attributeFlags.Add(new BooleanHexBitField("HasDefault", 12));

    return attributeFlags;
}
/// <summary>
/// Creates the hex field for one column of this metadata record, decoding column 0 as a 16-bit
/// flags word describing an accessor's role and deferring every other column to the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field with bits 0 through 5 named for column 0; otherwise the base class's field.</returns>
protected override HexField CreateField(ColumnInfo colInfo) {
    if (colInfo.Index != 0)
        return base.CreateField(colInfo);

    // The column's position is its offset from the start of this record's span.
    var position = Span.Start + (uint)colInfo.Offset;
    var semanticsFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, position);

    // Array index == bit position.
    string[] semanticsBitNames = { "Setter", "Getter", "Other", "AddOn", "RemoveOn", "Fire" };
    for (int bit = 0; bit < semanticsBitNames.Length; bit++)
        semanticsFlags.Add(new BooleanHexBitField(semanticsBitNames[bit], bit));

    return semanticsFlags;
}
/// <summary>
/// Creates the hex field for one column of this metadata record, decoding column 0 as a 16-bit
/// parameter-style flags word and deferring every other column to the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field for column 0; otherwise the base class's field.</returns>
/// <remarks>
/// Bits 0, 1, 4, 12 and 13 are named; any other bit set in the word is shown without a label.
/// </remarks>
protected override HexField CreateField(ColumnInfo colInfo) {
    if (colInfo.Index != 0)
        return base.CreateField(colInfo);

    // The column's position is its offset from the start of this record's span.
    var position = Span.Start + (uint)colInfo.Offset;
    var paramFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, position);

    paramFlags.Add(new BooleanHexBitField("In", 0));
    paramFlags.Add(new BooleanHexBitField("Out", 1));
    paramFlags.Add(new BooleanHexBitField("Optional", 4));
    paramFlags.Add(new BooleanHexBitField("HasDefault", 12));
    paramFlags.Add(new BooleanHexBitField("HasFieldMarshal", 13));

    return paramFlags;
}
/// <summary>
/// Creates the hex field for one column of this metadata record. Columns 1 and 2 are decoded as
/// 16-bit flags words (implementation flags and method flags respectively, judging by the bit names);
/// every other column is handled by the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field with named bit ranges for column 1 or 2; otherwise the base class's field.</returns>
/// <remarks>
/// When reviewing an unfamiliar assembly, the bits labelled InternalCall, PinvokeImpl and
/// UnmanagedExport identify methods whose behaviour is defined outside the IL body, and HasSecurity /
/// RequireSecObject flag methods with attached security metadata. The labels only decode what the
/// row says; nothing here verifies that the row is consistent with the rest of the metadata.
/// </remarks>
protected override HexField CreateField(ColumnInfo colInfo) {
    switch (colInfo.Index) {
    case 1: {
        var implFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
        implFlags.Add(new IntegerHexBitField("CodeType", 0, 2, CodeTypeInfos));
        implFlags.Add(new IntegerHexBitField("ManagedType", 2, 1, ManagedInfos));
        implFlags.Add(new BooleanHexBitField("NoInlining", 3));
        implFlags.Add(new BooleanHexBitField("ForwardRef", 4));
        implFlags.Add(new BooleanHexBitField("Synchronized", 5));
        implFlags.Add(new BooleanHexBitField("NoOptimization", 6));
        implFlags.Add(new BooleanHexBitField("PreserveSig", 7));
        implFlags.Add(new BooleanHexBitField("AggressiveInlining", 8));
        implFlags.Add(new BooleanHexBitField("InternalCall", 12));
        return implFlags;
    }

    case 2: {
        var methodFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, Span.Start + (uint)colInfo.Offset);
        // Bits 0-2 form one enumerated access value; the rest are independent flags.
        methodFlags.Add(new IntegerHexBitField("Access", 0, 3, AccessInfos));
        methodFlags.Add(new BooleanHexBitField("UnmanagedExport", 3));
        methodFlags.Add(new BooleanHexBitField("Static", 4));
        methodFlags.Add(new BooleanHexBitField("Final", 5));
        methodFlags.Add(new BooleanHexBitField("Virtual", 6));
        methodFlags.Add(new BooleanHexBitField("HideBySig", 7));
        methodFlags.Add(new IntegerHexBitField("VtableLayout", 8, 1, VtableLayoutInfos));
        methodFlags.Add(new BooleanHexBitField("CheckAccessOnOverride", 9));
        methodFlags.Add(new BooleanHexBitField("Abstract", 10));
        methodFlags.Add(new BooleanHexBitField("SpecialName", 11));
        methodFlags.Add(new BooleanHexBitField("RTSpecialName", 12));
        methodFlags.Add(new BooleanHexBitField("PinvokeImpl", 13));
        methodFlags.Add(new BooleanHexBitField("HasSecurity", 14));
        methodFlags.Add(new BooleanHexBitField("RequireSecObject", 15));
        return methodFlags;
    }

    default:
        return base.CreateField(colInfo);
    }
}
/// <summary>
/// Creates the hex field for one column of this metadata record, decoding column 0 as a 16-bit
/// field-attribute style flags word and deferring every other column to the base implementation.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the column's index, name and offset in the row.</param>
/// <returns>A flags field with named bit ranges for column 0; otherwise the base class's field.</returns>
/// <remarks>
/// The bit labelled HasFieldRVA marks rows whose initial data lives at an address inside the image;
/// that is often where embedded blobs are found when inspecting an unknown assembly.
/// </remarks>
protected override HexField CreateField(ColumnInfo colInfo) {
    if (colInfo.Index != 0)
        return base.CreateField(colInfo);

    // The column's position is its offset from the start of this record's span.
    var position = Span.Start + (uint)colInfo.Offset;
    var fieldFlags = new UInt16FlagsHexField(mdVM.Buffer, Name, colInfo.Name, position);

    // Bits 0-2 form one enumerated access value; the rest are independent flags.
    fieldFlags.Add(new IntegerHexBitField("Access", 0, 3, AccessInfos));
    fieldFlags.Add(new BooleanHexBitField("Static", 4));
    fieldFlags.Add(new BooleanHexBitField("InitOnly", 5));
    fieldFlags.Add(new BooleanHexBitField("Literal", 6));
    fieldFlags.Add(new BooleanHexBitField("NotSerialized", 7));
    fieldFlags.Add(new BooleanHexBitField("HasFieldRVA", 8));
    fieldFlags.Add(new BooleanHexBitField("SpecialName", 9));
    fieldFlags.Add(new BooleanHexBitField("RTSpecialName", 10));
    fieldFlags.Add(new BooleanHexBitField("HasFieldMarshal", 12));
    fieldFlags.Add(new BooleanHexBitField("PinvokeImpl", 13));
    fieldFlags.Add(new BooleanHexBitField("HasDefault", 15));

    return fieldFlags;
}
/// <summary>
/// Creates the 16-bit flags field that decodes generic-parameter attributes for the given column.
/// </summary>
/// <param name="colInfo">Column descriptor supplying the field's name and its offset within the row.</param>
/// <param name="buffer">Hex buffer the field reads from.</param>
/// <param name="name">Owner name passed through to the field.</param>
/// <param name="startOffset">Position of the start of the row; the column offset is added to it.</param>
/// <returns>A flags field with a 2-bit variance value (bits 0-1) and three constraint bits (2-4).</returns>
internal static UInt16FlagsHexField CreateGenericParamAttributesField(ColumnInfo colInfo, HexBuffer buffer, string name, HexPosition startOffset) {
    var position = startOffset + (uint)colInfo.Offset;
    var genericParamFlags = new UInt16FlagsHexField(buffer, name, colInfo.Name, position);

    genericParamFlags.Add(new IntegerHexBitField("Variance", 0, 2, VarianceInfos));

    // Constraint bits follow the variance value; the first name sits at bit 2.
    string[] constraintBitNames = { "Reference", "Struct", "Default ctor" };
    for (int i = 0; i < constraintBitNames.Length; i++)
        genericParamFlags.Add(new BooleanHexBitField(constraintBitNames[i], i + 2));

    return genericParamFlags;
}
/// <summary>
/// Builds the view model for a PE file header by placing each field at its fixed offset
/// from <paramref name="startOffset"/> in the buffer.
/// </summary>
/// <param name="buffer">Hex buffer the fields read from.</param>
/// <param name="startOffset">Position of the first byte of the file header.</param>
/// <remarks>
/// No check is made here that the 0x14 bytes starting at <paramref name="startOffset"/> lie inside
/// the buffer or actually hold a file header; that is assumed to be the caller's job. Values are shown
/// as stored: TimeDateStamp is author-controlled and is not a reliable build time, and the
/// Characteristics bits are claims made by the file rather than verified properties.
/// </remarks>
public ImageFileHeaderVM(HexBuffer buffer, HexPosition startOffset) {
    // Machine is shown as one 16-bit enumerated value rather than as individual bits.
    MachineVM = new UInt16FlagsHexField(buffer, Name, "Machine", startOffset + 0);
    MachineVM.Add(new IntegerHexBitField("Machine", 0, 16, MachineInfos));

    NumberOfSectionsVM = new UInt16HexField(buffer, Name, "NumberOfSections", startOffset + 2);

    TimeDateStampVM = new UInt32HexField(buffer, Name, "TimeDateStamp", startOffset + 4);
    // Keep the formatted timestamp in sync with edits to the raw value.
    TimeDateStampVM.DataFieldVM.PropertyChanged +=
        (sender, args) => OnPropertyChanged(nameof(TimeDateStampString));

    PointerToSymbolTableVM = new UInt32HexField(buffer, Name, "PointerToSymbolTable", startOffset + 8);
    NumberOfSymbolsVM = new UInt32HexField(buffer, Name, "NumberOfSymbols", startOffset + 0x0C);
    SizeOfOptionalHeaderVM = new UInt16HexField(buffer, Name, "SizeOfOptionalHeader", startOffset + 0x10);

    // Array index == bit position in the Characteristics word.
    string[] characteristicBitNames = {
        "Relocs Stripped",
        "Executable Image",
        "Line Nums Stripped",
        "Local Syms Stripped",
        "Aggressive WS Trim",
        "Large Address Aware",
        "Reserved 0040h",
        "Bytes Reversed Lo",
        "32-Bit Machine",
        "Debug Stripped",
        "Removable Run From Swap",
        "Net Run From Swap",
        "System",
        "Dll",
        "Up System Only",
        "Bytes Reversed Hi",
    };
    CharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "Characteristics", startOffset + 0x12);
    for (int bit = 0; bit < characteristicBitNames.Length; bit++)
        CharacteristicsVM.Add(new BooleanHexBitField(characteristicBitNames[bit], bit));

    // Fields are listed in on-disk order.
    hexFields = new HexField[] {
        MachineVM,
        NumberOfSectionsVM,
        TimeDateStampVM,
        PointerToSymbolTableVM,
        NumberOfSymbolsVM,
        SizeOfOptionalHeaderVM,
        CharacteristicsVM,
    };
}