public ImageSectionHeaderVM(HexBuffer buffer, PeSectionData section) : base(section.Span) { Name = section.Name; NameVM = new StringHexField(section.SectionName); VirtualSizeVM = new UInt32HexField(section.VirtualSize); VirtualAddressVM = new UInt32HexField(section.VirtualAddress); SizeOfRawDataVM = new UInt32HexField(section.SizeOfRawData); PointerToRawDataVM = new UInt32HexField(section.PointerToRawData); PointerToRelocationsVM = new UInt32HexField(section.PointerToRelocations); PointerToLinenumbersVM = new UInt32HexField(section.PointerToLinenumbers); NumberOfRelocationsVM = new UInt16HexField(section.NumberOfRelocations); NumberOfLinenumbersVM = new UInt16HexField(section.NumberOfLinenumbers); CharacteristicsVM = new UInt32FlagsHexField(section.Characteristics); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_DSECT", 0)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_NOLOAD", 1)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_GROUP", 2)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_NO_PAD", 3)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_COPY", 4)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_CODE", 5)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_INITIALIZED_DATA", 6)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_UNINITIALIZED_DATA", 7)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_OTHER", 8)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_INFO", 9)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_OVER", 10)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_REMOVE", 11)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_COMDAT", 12)); CharacteristicsVM.Add(new BooleanHexBitField("RESERVED", 13)); CharacteristicsVM.Add(new BooleanHexBitField("NO_DEFER_SPEC_EXC", 14)); CharacteristicsVM.Add(new BooleanHexBitField("GPREL", 15)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_SYSHEAP", 16)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_PURGEABLE", 17)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_LOCKED", 18)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_PRELOAD", 19)); CharacteristicsVM.Add(new IntegerHexBitField("Alignment", 20, 4, AlignInfos)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_NRELOC_OVFL", 24)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_DISCARDABLE", 25)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_NOT_CACHED", 26)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_NOT_PAGED", 27)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_SHARED", 28)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_EXECUTE", 29)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_READ", 30)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_WRITE", 31)); hexFields = new HexField[] { NameVM, VirtualSizeVM, VirtualAddressVM, SizeOfRawDataVM, PointerToRawDataVM, PointerToRelocationsVM, PointerToLinenumbersVM, NumberOfRelocationsVM, NumberOfLinenumbersVM, CharacteristicsVM, }; }
public ImageSectionHeaderVM(HexBuffer buffer, HexPosition startOffset) { NameVM = new StringHexField(buffer, Name, "Name", startOffset + 0, Encoding.UTF8, 8); VirtualSizeVM = new UInt32HexField(buffer, Name, "VirtualSize", startOffset + 8); VirtualAddressVM = new UInt32HexField(buffer, Name, "VirtualAddress", startOffset + 0x0C); SizeOfRawDataVM = new UInt32HexField(buffer, Name, "SizeOfRawData", startOffset + 0x10); PointerToRawDataVM = new UInt32HexField(buffer, Name, "PointerToRawData", startOffset + 0x14); PointerToRelocationsVM = new UInt32HexField(buffer, Name, "PointerToRelocations", startOffset + 0x18); PointerToLinenumbersVM = new UInt32HexField(buffer, Name, "PointerToLinenumbers", startOffset + 0x1C); NumberOfRelocationsVM = new UInt16HexField(buffer, Name, "NumberOfRelocations", startOffset + 0x20); NumberOfLinenumbersVM = new UInt16HexField(buffer, Name, "NumberOfLinenumbers", startOffset + 0x22); CharacteristicsVM = new UInt32FlagsHexField(buffer, Name, "Characteristics", startOffset + 0x24); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_DSECT", 0)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_NOLOAD", 1)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_GROUP", 2)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_NO_PAD", 3)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_COPY", 4)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_CODE", 5)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_INITIALIZED_DATA", 6)); CharacteristicsVM.Add(new BooleanHexBitField("CNT_UNINITIALIZED_DATA", 7)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_OTHER", 8)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_INFO", 9)); CharacteristicsVM.Add(new BooleanHexBitField("TYPE_OVER", 10)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_REMOVE", 11)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_COMDAT", 12)); CharacteristicsVM.Add(new BooleanHexBitField("RESERVED", 13)); CharacteristicsVM.Add(new BooleanHexBitField("NO_DEFER_SPEC_EXC", 14)); CharacteristicsVM.Add(new BooleanHexBitField("GPREL", 15)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_SYSHEAP", 16)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_PURGEABLE", 17)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_LOCKED", 18)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_PRELOAD", 19)); CharacteristicsVM.Add(new IntegerHexBitField("Alignment", 20, 4, AlignInfos)); CharacteristicsVM.Add(new BooleanHexBitField("LNK_NRELOC_OVFL", 24)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_DISCARDABLE", 25)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_NOT_CACHED", 26)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_NOT_PAGED", 27)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_SHARED", 28)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_EXECUTE", 29)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_READ", 30)); CharacteristicsVM.Add(new BooleanHexBitField("MEM_WRITE", 31)); hexFields = new HexField[] { NameVM, VirtualSizeVM, VirtualAddressVM, SizeOfRawDataVM, PointerToRawDataVM, PointerToRelocationsVM, PointerToLinenumbersVM, NumberOfRelocationsVM, NumberOfLinenumbersVM, CharacteristicsVM, }; }
public StorageHeaderVM(HexBuffer buffer, HexPosition startOffset) { FFlagsVM = new ByteFlagsHexField(buffer, Name, "fFlags", startOffset + 0); FFlagsVM.Add(new BooleanHexBitField("ExtraData", 0)); PadVM = new ByteHexField(buffer, Name, "pad", startOffset + 1); IStreamsVM = new UInt16HexField(buffer, Name, "iStreams", startOffset + 2); hexFields = new HexField[] { FFlagsVM, PadVM, IStreamsVM, }; }
public StorageHeaderVM(HexBuffer buffer, DotNetMetadataHeaderData mdHeader) : base(HexSpan.FromBounds(mdHeader.Flags.Data.Span.Start, mdHeader.StreamCount.Data.Span.End)) { FFlagsVM = new ByteFlagsHexField(mdHeader.Flags); FFlagsVM.Add(new BooleanHexBitField(mdHeader.ExtraData.Name, 0)); PadVM = new ByteHexField(mdHeader.Pad); IStreamsVM = new UInt16HexField(mdHeader.StreamCount); hexFields = new HexField[] { FFlagsVM, PadVM, IStreamsVM, }; }
public ImageCor20HeaderVM(HexBuffer buffer, DotNetCor20Data cor20) : base(cor20.Span) { Name = cor20.Name; CbVM = new UInt32HexField(cor20.Cb); MajorRuntimeVersionVM = new UInt16HexField(cor20.MajorRuntimeVersion, true); MinorRuntimeVersionVM = new UInt16HexField(cor20.MinorRuntimeVersion, true); MetaDataVM = new DataDirectoryVM(cor20.MetaData); FlagsVM = new UInt32FlagsHexField(cor20.Flags); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_IL_Only, 0)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_32BitReqd, 1)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_ILLibrary, 2)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_StrongNameSigned, 3)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_NativeEntryPoint, 4)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_TrackDebugData, 16)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_32BitPref, 17)); EntryPointTokenRVAVM = new UInt32HexField(cor20.EntryPointTokenOrRVA); ResourcesVM = new DataDirectoryVM(cor20.Resources); StrongNameSignatureVM = new DataDirectoryVM(cor20.StrongNameSignature); CodeManagerTableVM = new DataDirectoryVM(cor20.CodeManagerTable); VTableFixupsVM = new DataDirectoryVM(cor20.VTableFixups); ExportAddressTableJumpsVM = new DataDirectoryVM(cor20.ExportAddressTableJumps); ManagedNativeHeaderVM = new DataDirectoryVM(cor20.ManagedNativeHeader); hexFields = new HexField[] { CbVM, MajorRuntimeVersionVM, MinorRuntimeVersionVM, MetaDataVM.RVAVM, MetaDataVM.SizeVM, FlagsVM, EntryPointTokenRVAVM, ResourcesVM.RVAVM, ResourcesVM.SizeVM, StrongNameSignatureVM.RVAVM, StrongNameSignatureVM.SizeVM, CodeManagerTableVM.RVAVM, CodeManagerTableVM.SizeVM, VTableFixupsVM.RVAVM, VTableFixupsVM.SizeVM, ExportAddressTableJumpsVM.RVAVM, ExportAddressTableJumpsVM.SizeVM, ManagedNativeHeaderVM.RVAVM, ManagedNativeHeaderVM.SizeVM, }; }
public StorageSignatureVM(HexBuffer buffer, HexPosition startOffset, int stringLen) { LSignatureVM = new UInt32HexField(buffer, Name, "lSignature", startOffset + 0); IMajorVerVM = new UInt16HexField(buffer, Name, "iMajorVer", startOffset + 4, true); IMinorVerVM = new UInt16HexField(buffer, Name, "iMinorVer", startOffset + 6, true); IExtraDataVM = new UInt32HexField(buffer, Name, "iExtraData", startOffset + 8); IVersionStringVM = new UInt32HexField(buffer, Name, "iVersionString", startOffset + 0x0C); VersionStringVM = new StringHexField(buffer, Name, "VersionString", startOffset + 0x10, Encoding.UTF8, stringLen); hexFields = new HexField[] { LSignatureVM, IMajorVerVM, IMinorVerVM, IExtraDataVM, IVersionStringVM, VersionStringVM, }; }
public StorageSignatureVM(HexBuffer buffer, DotNetMetadataHeaderData mdHeader) : base(HexSpan.FromBounds(mdHeader.Span.Start, mdHeader.VersionString.Data.Span.End)) { LSignatureVM = new UInt32HexField(mdHeader.Signature); IMajorVerVM = new UInt16HexField(mdHeader.MajorVersion, true); IMinorVerVM = new UInt16HexField(mdHeader.MinorVersion, true); IExtraDataVM = new UInt32HexField(mdHeader.ExtraData); IVersionStringVM = new UInt32HexField(mdHeader.VersionStringCount); VersionStringVM = new StringHexField(mdHeader.VersionString); hexFields = new HexField[] { LSignatureVM, IMajorVerVM, IMinorVerVM, IExtraDataVM, IVersionStringVM, VersionStringVM, }; }
public ImageCor20HeaderVM(HexBuffer buffer, HexPosition startOffset) { CbVM = new UInt32HexField(buffer, Name, "cb", startOffset + 0); MajorRuntimeVersionVM = new UInt16HexField(buffer, Name, "MajorRuntimeVersion", startOffset + 4, true); MinorRuntimeVersionVM = new UInt16HexField(buffer, Name, "MinorRuntimeVersion", startOffset + 6, true); MetaDataVM = new DataDirVM(buffer, Name, "MetaData", startOffset + 8); FlagsVM = new UInt32FlagsHexField(buffer, Name, "Flags", startOffset + 0x10); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_IL_Only, 0)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_32BitReqd, 1)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_ILLibrary, 2)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_StrongNameSigned, 3)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_NativeEntryPoint, 4)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_TrackDebugData, 16)); FlagsVM.Add(new BooleanHexBitField(dnSpy_AsmEditor_Resources.HexNode_Cor20Header_Flags_32BitPref, 17)); EntryPointTokenRVAVM = new UInt32HexField(buffer, Name, "EntryPoint Token/RVA", startOffset + 0x14); ResourcesVM = new DataDirVM(buffer, Name, "Resources", startOffset + 0x18); StrongNameSignatureVM = new DataDirVM(buffer, Name, "StrongNameSignature", startOffset + 0x20); CodeManagerTableVM = new DataDirVM(buffer, Name, "CodeManagerTable", startOffset + 0x28); VTableFixupsVM = new DataDirVM(buffer, Name, "VTableFixups", startOffset + 0x30); ExportAddressTableJumpsVM = new DataDirVM(buffer, Name, "ExportAddressTableJumps", startOffset + 0x38); ManagedNativeHeaderVM = new DataDirVM(buffer, Name, "ManagedNativeHeader", startOffset + 0x40); hexFields = new HexField[] { CbVM, MajorRuntimeVersionVM, MinorRuntimeVersionVM, MetaDataVM.RVAVM, MetaDataVM.SizeVM, FlagsVM, EntryPointTokenRVAVM, ResourcesVM.RVAVM, ResourcesVM.SizeVM, StrongNameSignatureVM.RVAVM, StrongNameSignatureVM.SizeVM, CodeManagerTableVM.RVAVM, CodeManagerTableVM.SizeVM, VTableFixupsVM.RVAVM, VTableFixupsVM.SizeVM, ExportAddressTableJumpsVM.RVAVM, ExportAddressTableJumpsVM.SizeVM, ManagedNativeHeaderVM.RVAVM, ManagedNativeHeaderVM.SizeVM, }; }
public ImageFileHeaderVM(HexBuffer buffer, PeFileHeaderData fileHeader) : base(fileHeader.Span) { Name = fileHeader.Name; MachineVM = new UInt16FlagsHexField(fileHeader.Machine); MachineVM.Add(new IntegerHexBitField(fileHeader.Machine.Name, 0, 16, MachineInfos)); NumberOfSectionsVM = new UInt16HexField(fileHeader.NumberOfSections); TimeDateStampVM = new UInt32HexField(fileHeader.TimeDateStamp.Data, fileHeader.TimeDateStamp.Name); TimeDateStampVM.DataFieldVM.PropertyChanged += (s, e) => OnPropertyChanged(nameof(TimeDateStampString)); PointerToSymbolTableVM = new UInt32HexField(fileHeader.PointerToSymbolTable); NumberOfSymbolsVM = new UInt32HexField(fileHeader.NumberOfSymbols); SizeOfOptionalHeaderVM = new UInt16HexField(fileHeader.SizeOfOptionalHeader); CharacteristicsVM = new UInt16FlagsHexField(fileHeader.Characteristics); CharacteristicsVM.Add(new BooleanHexBitField("Relocs Stripped", 0)); CharacteristicsVM.Add(new BooleanHexBitField("Executable Image", 1)); CharacteristicsVM.Add(new BooleanHexBitField("Line Nums Stripped", 2)); CharacteristicsVM.Add(new BooleanHexBitField("Local Syms Stripped", 3)); CharacteristicsVM.Add(new BooleanHexBitField("Aggressive WS Trim", 4)); CharacteristicsVM.Add(new BooleanHexBitField("Large Address Aware", 5)); CharacteristicsVM.Add(new BooleanHexBitField("Reserved 0040h", 6)); CharacteristicsVM.Add(new BooleanHexBitField("Bytes Reversed Lo", 7)); CharacteristicsVM.Add(new BooleanHexBitField("32-Bit Machine", 8)); CharacteristicsVM.Add(new BooleanHexBitField("Debug Stripped", 9)); CharacteristicsVM.Add(new BooleanHexBitField("Removable Run From Swap", 10)); CharacteristicsVM.Add(new BooleanHexBitField("Net Run From Swap", 11)); CharacteristicsVM.Add(new BooleanHexBitField("System", 12)); CharacteristicsVM.Add(new BooleanHexBitField("Dll", 13)); CharacteristicsVM.Add(new BooleanHexBitField("Up System Only", 14)); CharacteristicsVM.Add(new BooleanHexBitField("Bytes Reversed Hi", 15)); hexFields = new HexField[] { MachineVM, NumberOfSectionsVM, TimeDateStampVM, PointerToSymbolTableVM, NumberOfSymbolsVM, SizeOfOptionalHeaderVM, CharacteristicsVM, }; }
protected ImageOptionalHeaderVM(HexBuffer buffer, PeOptionalHeaderData optionalHeader) : base(optionalHeader.Span) { hexFields = null !; MagicVM = new UInt16HexField(optionalHeader.Magic); MajorLinkerVersionVM = new ByteHexField(optionalHeader.MajorLinkerVersion, true); MinorLinkerVersionVM = new ByteHexField(optionalHeader.MinorLinkerVersion, true); SizeOfCodeVM = new UInt32HexField(optionalHeader.SizeOfCode); SizeOfInitializedDataVM = new UInt32HexField(optionalHeader.SizeOfInitializedData); SizeOfUninitializedDataVM = new UInt32HexField(optionalHeader.SizeOfUninitializedData); AddressOfEntryPointVM = new UInt32HexField(optionalHeader.AddressOfEntryPoint); BaseOfCodeVM = new UInt32HexField(optionalHeader.BaseOfCode); SectionAlignmentVM = new UInt32HexField(optionalHeader.SectionAlignment); FileAlignmentVM = new UInt32HexField(optionalHeader.FileAlignment); MajorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MajorOperatingSystemVersion, true); MinorOperatingSystemVersionVM = new UInt16HexField(optionalHeader.MinorOperatingSystemVersion, true); MajorImageVersionVM = new UInt16HexField(optionalHeader.MajorImageVersion, true); MinorImageVersionVM = new UInt16HexField(optionalHeader.MinorImageVersion, true); MajorSubsystemVersionVM = new UInt16HexField(optionalHeader.MajorSubsystemVersion, true); MinorSubsystemVersionVM = new UInt16HexField(optionalHeader.MinorSubsystemVersion, true); Win32VersionValueVM = new UInt32HexField(optionalHeader.Win32VersionValue, true); SizeOfImageVM = new UInt32HexField(optionalHeader.SizeOfImage); SizeOfHeadersVM = new UInt32HexField(optionalHeader.SizeOfHeaders); CheckSumVM = new UInt32HexField(optionalHeader.CheckSum); SubsystemVM = new UInt16FlagsHexField(optionalHeader.Subsystem); SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos)); DllCharacteristicsVM = new UInt16FlagsHexField(optionalHeader.DllCharacteristics); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved1", 0)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved2", 1)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved3", 2)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved4", 3)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved5", 4)); DllCharacteristicsVM.Add(new BooleanHexBitField("High Entropy VA", 5)); DllCharacteristicsVM.Add(new BooleanHexBitField("Dynamic Base", 6)); DllCharacteristicsVM.Add(new BooleanHexBitField("Force Integrity", 7)); DllCharacteristicsVM.Add(new BooleanHexBitField("NX Compat", 8)); DllCharacteristicsVM.Add(new BooleanHexBitField("No Isolation", 9)); DllCharacteristicsVM.Add(new BooleanHexBitField("No SEH", 10)); DllCharacteristicsVM.Add(new BooleanHexBitField("No Bind", 11)); DllCharacteristicsVM.Add(new BooleanHexBitField("AppContainer", 12)); DllCharacteristicsVM.Add(new BooleanHexBitField("WDM Driver", 13)); DllCharacteristicsVM.Add(new BooleanHexBitField("Guard CF", 14)); DllCharacteristicsVM.Add(new BooleanHexBitField("Terminal Server Aware", 15)); LoaderFlagsVM = new UInt32HexField(optionalHeader.LoaderFlags); NumberOfRvaAndSizesVM = new UInt32HexField(optionalHeader.NumberOfRvaAndSizes); DataDir0VM = Create(optionalHeader, 0, "Export"); DataDir1VM = Create(optionalHeader, 1, "Import"); DataDir2VM = Create(optionalHeader, 2, "Resource"); DataDir3VM = Create(optionalHeader, 3, "Exception"); DataDir4VM = Create(optionalHeader, 4, "Security"); DataDir5VM = Create(optionalHeader, 5, "Base Reloc"); DataDir6VM = Create(optionalHeader, 6, "Debug"); DataDir7VM = Create(optionalHeader, 7, "Architecture"); DataDir8VM = Create(optionalHeader, 8, "Global Ptr"); DataDir9VM = Create(optionalHeader, 9, "TLS"); DataDir10VM = Create(optionalHeader, 10, "Load Config"); DataDir11VM = Create(optionalHeader, 11, "Bound Import"); DataDir12VM = Create(optionalHeader, 12, "IAT"); DataDir13VM = Create(optionalHeader, 13, "Delay Import"); DataDir14VM = Create(optionalHeader, 14, ".NET"); DataDir15VM = Create(optionalHeader, 15, "Reserved15"); }
protected ImageOptionalHeaderVM(HexBuffer buffer, HexPosition startOffset, HexPosition endOffset, ulong offs1, ulong offs2) { MagicVM = new UInt16HexField(buffer, Name, "Magic", startOffset + 0); MajorLinkerVersionVM = new ByteHexField(buffer, Name, "MajorLinkerVersion", startOffset + 2, true); MinorLinkerVersionVM = new ByteHexField(buffer, Name, "MinorLinkerVersion", startOffset + 3, true); SizeOfCodeVM = new UInt32HexField(buffer, Name, "SizeOfCode", startOffset + 4); SizeOfInitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfInitializedData", startOffset + 8); SizeOfUninitializedDataVM = new UInt32HexField(buffer, Name, "SizeOfUninitializedData", startOffset + 0x0C); AddressOfEntryPointVM = new UInt32HexField(buffer, Name, "AddressOfEntryPoint", startOffset + 0x10); BaseOfCodeVM = new UInt32HexField(buffer, Name, "BaseOfCode", startOffset + 0x14); SectionAlignmentVM = new UInt32HexField(buffer, Name, "SectionAlignment", startOffset + offs1 + 0); FileAlignmentVM = new UInt32HexField(buffer, Name, "FileAlignment", startOffset + offs1 + 4); MajorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MajorOperatingSystemVersion", startOffset + offs1 + 8, true); MinorOperatingSystemVersionVM = new UInt16HexField(buffer, Name, "MinorOperatingSystemVersion", startOffset + offs1 + 0x0A, true); MajorImageVersionVM = new UInt16HexField(buffer, Name, "MajorImageVersion", startOffset + offs1 + 0x0C, true); MinorImageVersionVM = new UInt16HexField(buffer, Name, "MinorImageVersion", startOffset + offs1 + 0x0E, true); MajorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MajorSubsystemVersion", startOffset + offs1 + 0x10, true); MinorSubsystemVersionVM = new UInt16HexField(buffer, Name, "MinorSubsystemVersion", startOffset + offs1 + 0x12, true); Win32VersionValueVM = new UInt32HexField(buffer, Name, "Win32VersionValue", startOffset + offs1 + 0x14, true); SizeOfImageVM = new UInt32HexField(buffer, Name, "SizeOfImage", startOffset + offs1 + 0x18); SizeOfHeadersVM = new UInt32HexField(buffer, Name, "SizeOfHeaders", startOffset + offs1 + 0x1C); CheckSumVM = new UInt32HexField(buffer, Name, "CheckSum", startOffset + offs1 + 0x20); SubsystemVM = new UInt16FlagsHexField(buffer, Name, "Subsystem", startOffset + offs1 + 0x24); SubsystemVM.Add(new IntegerHexBitField("Subsystem", 0, 16, SubsystemInfos)); DllCharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "DllCharacteristics", startOffset + offs1 + 0x26); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved1", 0)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved2", 1)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved3", 2)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved4", 3)); DllCharacteristicsVM.Add(new BooleanHexBitField("Reserved5", 4)); DllCharacteristicsVM.Add(new BooleanHexBitField("High Entropy VA", 5)); DllCharacteristicsVM.Add(new BooleanHexBitField("Dynamic Base", 6)); DllCharacteristicsVM.Add(new BooleanHexBitField("Force Integrity", 7)); DllCharacteristicsVM.Add(new BooleanHexBitField("NX Compat", 8)); DllCharacteristicsVM.Add(new BooleanHexBitField("No Isolation", 9)); DllCharacteristicsVM.Add(new BooleanHexBitField("No SEH", 10)); DllCharacteristicsVM.Add(new BooleanHexBitField("No Bind", 11)); DllCharacteristicsVM.Add(new BooleanHexBitField("AppContainer", 12)); DllCharacteristicsVM.Add(new BooleanHexBitField("WDM Driver", 13)); DllCharacteristicsVM.Add(new BooleanHexBitField("Guard CF", 14)); DllCharacteristicsVM.Add(new BooleanHexBitField("Terminal Server Aware", 15)); LoaderFlagsVM = new UInt32HexField(buffer, Name, "LoaderFlags", startOffset + offs2 + 0); NumberOfRvaAndSizesVM = new UInt32HexField(buffer, Name, "NumberOfRvaAndSizes", startOffset + offs2 + 4); ulong doffs = offs2 + 8; DataDir0VM = new DataDirVM(buffer, Name, "Export", startOffset + doffs + 0); DataDir1VM = new DataDirVM(buffer, Name, "Import", startOffset + doffs + 8); DataDir2VM = new DataDirVM(buffer, Name, "Resource", startOffset + doffs + 0x10); DataDir3VM = new DataDirVM(buffer, Name, "Exception", startOffset + doffs + 0x18); DataDir4VM = new DataDirVM(buffer, Name, "Security", startOffset + doffs + 0x20); DataDir5VM = new DataDirVM(buffer, Name, "Base Reloc", startOffset + doffs + 0x28); DataDir6VM = new DataDirVM(buffer, Name, "Debug", startOffset + doffs + 0x30); DataDir7VM = new DataDirVM(buffer, Name, "Architecture", startOffset + doffs + 0x38); DataDir8VM = new DataDirVM(buffer, Name, "Global Ptr", startOffset + doffs + 0x40); DataDir9VM = new DataDirVM(buffer, Name, "TLS", startOffset + doffs + 0x48); DataDir10VM = new DataDirVM(buffer, Name, "Load Config", startOffset + doffs + 0x50); DataDir11VM = new DataDirVM(buffer, Name, "Bound Import", startOffset + doffs + 0x58); DataDir12VM = new DataDirVM(buffer, Name, "IAT", startOffset + doffs + 0x60); DataDir13VM = new DataDirVM(buffer, Name, "Delay Import", startOffset + doffs + 0x68); DataDir14VM = new DataDirVM(buffer, Name, ".NET", startOffset + doffs + 0x70); DataDir15VM = new DataDirVM(buffer, Name, "Reserved15", startOffset + doffs + 0x78); }
public ImageDosHeaderVM(HexBuffer buffer, HexPosition startOffset) { MagicVM = new UInt16HexField(buffer, Name, "e_magic", startOffset + 0); CblpVM = new UInt16HexField(buffer, Name, "e_cblp", startOffset + 2); CpVM = new UInt16HexField(buffer, Name, "e_cp", startOffset + 4); CrlcVM = new UInt16HexField(buffer, Name, "e_crlc", startOffset + 6); CparhdrVM = new UInt16HexField(buffer, Name, "e_cparhdr", startOffset + 8); MinallocVM = new UInt16HexField(buffer, Name, "e_minalloc", startOffset + 0x0A); MaxallocVM = new UInt16HexField(buffer, Name, "e_maxalloc", startOffset + 0x0C); SsVM = new UInt16HexField(buffer, Name, "e_ss", startOffset + 0x0E); SpVM = new UInt16HexField(buffer, Name, "e_sp", startOffset + 0x10); CsumVM = new UInt16HexField(buffer, Name, "e_csum", startOffset + 0x12); IpVM = new UInt16HexField(buffer, Name, "e_ip", startOffset + 0x14); CsVM = new UInt16HexField(buffer, Name, "e_cs", startOffset + 0x16); LfarlcVM = new UInt16HexField(buffer, Name, "e_lfarlc", startOffset + 0x18); OvnoVM = new UInt16HexField(buffer, Name, "e_ovno", startOffset + 0x1A); Res_0VM = new UInt16HexField(buffer, Name, "e_res[0]", startOffset + 0x1C); Res_1VM = new UInt16HexField(buffer, Name, "e_res[1]", startOffset + 0x1E); Res_2VM = new UInt16HexField(buffer, Name, "e_res[2]", startOffset + 0x20); Res_3VM = new UInt16HexField(buffer, Name, "e_res[3]", startOffset + 0x22); OemidVM = new UInt16HexField(buffer, Name, "e_oemid", startOffset + 0x24); OeminfoVM = new UInt16HexField(buffer, Name, "e_oeminfo", startOffset + 0x26); Res2_0VM = new UInt16HexField(buffer, Name, "e_res2[0]", startOffset + 0x28); Res2_1VM = new UInt16HexField(buffer, Name, "e_res2[1]", startOffset + 0x2A); Res2_2VM = new UInt16HexField(buffer, Name, "e_res2[2]", startOffset + 0x2C); Res2_3VM = new UInt16HexField(buffer, Name, "e_res2[3]", startOffset + 0x2E); Res2_4VM = new UInt16HexField(buffer, Name, "e_res2[4]", startOffset + 0x30); Res2_5VM = new UInt16HexField(buffer, Name, "e_res2[5]", startOffset + 0x32); Res2_6VM = new UInt16HexField(buffer, Name, "e_res2[6]", startOffset + 0x34); Res2_7VM = new UInt16HexField(buffer, Name, "e_res2[7]", startOffset + 0x36); Res2_8VM = new UInt16HexField(buffer, Name, "e_res2[8]", startOffset + 0x38); Res2_9VM = new UInt16HexField(buffer, Name, "e_res2[9]", startOffset + 0x3A); LfanewVM = new Int32HexField(buffer, Name, "e_lfanew", startOffset + 0x3C); hexFields = new HexField[] { MagicVM, CblpVM, CpVM, CrlcVM, CparhdrVM, MinallocVM, MaxallocVM, SsVM, SpVM, CsumVM, IpVM, CsVM, LfarlcVM, OvnoVM, Res_0VM, Res_1VM, Res_2VM, Res_3VM, OemidVM, OeminfoVM, Res2_0VM, Res2_1VM, Res2_2VM, Res2_3VM, Res2_4VM, Res2_5VM, Res2_6VM, Res2_7VM, Res2_8VM, Res2_9VM, LfanewVM, }; }
public ImageDosHeaderVM(HexBuffer buffer, PeDosHeaderData dosHeader) : base(dosHeader.Span.Span) { Name = dosHeader.Name; MagicVM = new UInt16HexField(dosHeader.Magic); CblpVM = new UInt16HexField(dosHeader.Cblp); CpVM = new UInt16HexField(dosHeader.Cp); CrlcVM = new UInt16HexField(dosHeader.Crlc); CparhdrVM = new UInt16HexField(dosHeader.Cparhdr); MinallocVM = new UInt16HexField(dosHeader.Minalloc); MaxallocVM = new UInt16HexField(dosHeader.Maxalloc); SsVM = new UInt16HexField(dosHeader.Ss); SpVM = new UInt16HexField(dosHeader.Sp); CsumVM = new UInt16HexField(dosHeader.Csum); IpVM = new UInt16HexField(dosHeader.Ip); CsVM = new UInt16HexField(dosHeader.Cs); LfarlcVM = new UInt16HexField(dosHeader.Lfarlc); OvnoVM = new UInt16HexField(dosHeader.Ovno); Res_0VM = new UInt16HexField(dosHeader.Res.Data[0].Data, dosHeader.Res.Name + "[0]"); Res_1VM = new UInt16HexField(dosHeader.Res.Data[1].Data, dosHeader.Res.Name + "[1]"); Res_2VM = new UInt16HexField(dosHeader.Res.Data[2].Data, dosHeader.Res.Name + "[2]"); Res_3VM = new UInt16HexField(dosHeader.Res.Data[3].Data, dosHeader.Res.Name + "[3]"); OemidVM = new UInt16HexField(dosHeader.Oemid); OeminfoVM = new UInt16HexField(dosHeader.Oeminfo); Res2_0VM = new UInt16HexField(dosHeader.Res2.Data[0].Data, dosHeader.Res2.Name + "[0]"); Res2_1VM = new UInt16HexField(dosHeader.Res2.Data[1].Data, dosHeader.Res2.Name + "[1]"); Res2_2VM = new UInt16HexField(dosHeader.Res2.Data[2].Data, dosHeader.Res2.Name + "[2]"); Res2_3VM = new UInt16HexField(dosHeader.Res2.Data[3].Data, dosHeader.Res2.Name + "[3]"); Res2_4VM = new UInt16HexField(dosHeader.Res2.Data[4].Data, dosHeader.Res2.Name + "[4]"); Res2_5VM = new UInt16HexField(dosHeader.Res2.Data[5].Data, dosHeader.Res2.Name + "[5]"); Res2_6VM = new UInt16HexField(dosHeader.Res2.Data[6].Data, dosHeader.Res2.Name + "[6]"); Res2_7VM = new UInt16HexField(dosHeader.Res2.Data[7].Data, dosHeader.Res2.Name + "[7]"); Res2_8VM = new UInt16HexField(dosHeader.Res2.Data[8].Data, dosHeader.Res2.Name + "[8]"); Res2_9VM = new UInt16HexField(dosHeader.Res2.Data[9].Data, dosHeader.Res2.Name + "[9]"); LfanewVM = new UInt32HexField(dosHeader.Lfanew); hexFields = new HexField[] { MagicVM, CblpVM, CpVM, CrlcVM, CparhdrVM, MinallocVM, MaxallocVM, SsVM, SpVM, CsumVM, IpVM, CsVM, LfarlcVM, OvnoVM, Res_0VM, Res_1VM, Res_2VM, Res_3VM, OemidVM, OeminfoVM, Res2_0VM, Res2_1VM, Res2_2VM, Res2_3VM, Res2_4VM, Res2_5VM, Res2_6VM, Res2_7VM, Res2_8VM, Res2_9VM, LfanewVM, }; }
public ImageFileHeaderVM(HexBuffer buffer, HexPosition startOffset) { MachineVM = new UInt16FlagsHexField(buffer, Name, "Machine", startOffset + 0); MachineVM.Add(new IntegerHexBitField("Machine", 0, 16, MachineInfos)); NumberOfSectionsVM = new UInt16HexField(buffer, Name, "NumberOfSections", startOffset + 2); TimeDateStampVM = new UInt32HexField(buffer, Name, "TimeDateStamp", startOffset + 4); TimeDateStampVM.DataFieldVM.PropertyChanged += (s, e) => OnPropertyChanged(nameof(TimeDateStampString)); PointerToSymbolTableVM = new UInt32HexField(buffer, Name, "PointerToSymbolTable", startOffset + 8); NumberOfSymbolsVM = new UInt32HexField(buffer, Name, "NumberOfSymbols", startOffset + 0x0C); SizeOfOptionalHeaderVM = new UInt16HexField(buffer, Name, "SizeOfOptionalHeader", startOffset + 0x10); CharacteristicsVM = new UInt16FlagsHexField(buffer, Name, "Characteristics", startOffset + 0x12); CharacteristicsVM.Add(new BooleanHexBitField("Relocs Stripped", 0)); CharacteristicsVM.Add(new BooleanHexBitField("Executable Image", 1)); CharacteristicsVM.Add(new BooleanHexBitField("Line Nums Stripped", 2)); CharacteristicsVM.Add(new BooleanHexBitField("Local Syms Stripped", 3)); CharacteristicsVM.Add(new BooleanHexBitField("Aggressive WS Trim", 4)); CharacteristicsVM.Add(new BooleanHexBitField("Large Address Aware", 5)); CharacteristicsVM.Add(new BooleanHexBitField("Reserved 0040h", 6)); CharacteristicsVM.Add(new BooleanHexBitField("Bytes Reversed Lo", 7)); CharacteristicsVM.Add(new BooleanHexBitField("32-Bit Machine", 8)); CharacteristicsVM.Add(new BooleanHexBitField("Debug Stripped", 9)); CharacteristicsVM.Add(new BooleanHexBitField("Removable Run From Swap", 10)); CharacteristicsVM.Add(new BooleanHexBitField("Net Run From Swap", 11)); CharacteristicsVM.Add(new BooleanHexBitField("System", 12)); CharacteristicsVM.Add(new BooleanHexBitField("Dll", 13)); CharacteristicsVM.Add(new BooleanHexBitField("Up System Only", 14)); CharacteristicsVM.Add(new BooleanHexBitField("Bytes Reversed Hi", 15)); hexFields = new HexField[] { MachineVM, NumberOfSectionsVM, TimeDateStampVM, PointerToSymbolTableVM, NumberOfSymbolsVM, SizeOfOptionalHeaderVM, CharacteristicsVM, }; }