public void ManagedPdbTest()
{
using DataTarget dt = TestTargets.AppDomains.LoadFullDump();
PEModuleInfo clrModule = (PEModuleInfo)dt.EnumerateModules().SingleOrDefault(m => Path.GetFileNameWithoutExtension(m.FileName).Equals("clr", StringComparison.OrdinalIgnoreCase));
using PEImage img = clrModule.GetPEImage();
Assert.NotNull(img);
PdbInfo imgPdb = img.DefaultPdb;
Assert.NotNull(imgPdb);
Assert.NotNull(imgPdb.Path);
}
public ExportedFunctionsReader(string filename, ulong baseAddress)
{
this.baseAddress = baseAddress;
try {
peImage = new PEImage(filename);
}
catch (IOException) {
throw new DbgHookException($"Invalid PE file: {filename}");
}
catch (BadImageFormatException) {
throw new DbgHookException($"Invalid PE file: {filename}");
}
}
public void TestResourceImages()
{
using DataTarget dt = TestTargets.AppDomains.LoadFullDump();
ClrInfo clr = dt.ClrVersions.Single();
using PEImage image = ((PEModuleInfo)clr.ModuleInfo).GetPEImage();
ResourceEntry entry = image.Resources;
bool found = false;
WalkEntry(entry, ref found);
Assert.True(found);
}
public void PersistentEntries()
{
var image = PEImage.FromBytes(Properties.Resources.HelloWorld);
var newImage = RebuildAndReloadManagedPE(image);
Assert.Equal(
image.DebugData
.Where(e => e.Contents != null)
.Select(e => e.Contents.Type),
newImage.DebugData
.Where(e => e.Contents != null)
.Select(e => e.Contents.Type));
}
public ECallListReader(string filename)
{
peImage = new PEImage(filename);
reader = peImage.CreateReader();
is32bit = peImage.ImageNTHeaders.OptionalHeader.Magic == 0x010B;
ptrSize = is32bit ? 4U : 8;
var last = peImage.ImageSectionHeaders[peImage.ImageSectionHeaders.Count - 1];
endRva = (uint)last.VirtualAddress + last.VirtualSize;
list = new List <ECClass>();
tableFormat = null;
Read();
}
//public static void GetExports(string assemblyFileName, string[] exportNames, string[] types, string[] methodNames)
//{
// var exports = Get(assemblyFileName);
// for (int i = 0; i < exports.Length; i++)
// {
// exportNames[i] = exports[i].ExportName;
// types[i] = exports[i].Type;
// methodNames[i] = exports[i].MethodName;
// }
//}
private static IReadOnlyList <FunctionExport> GetFunctionExports(string assemblyFileName)
{
using (var stream = File.OpenRead(assemblyFileName))
{
var file = new PEImage(stream);
var exports = file.ReadFunctionExports().ToList();
if (exports.Count == 0)
{
return(new List <FunctionExport>());
}
var buffer = new byte[file.CorHeader.VTableFixups.Size];
file.Read(buffer, (int)file.CorHeader.VTableFixups.VirtualAddress, buffer.Length);
var tableRva = BitConverter.ToInt32(buffer, 0);
var numSlots = BitConverter.ToInt16(buffer, 4);
var flags = BitConverter.ToInt16(buffer, 6);
var reader = new BinaryReader(file.Stream);
reader.BaseStream.Seek(file.RvaToOffset(tableRva), SeekOrigin.Begin);
var tokens = new List <uint>();
for (int i = 0; i < numSlots; i++)
{
var token = reader.ReadUInt32();
reader.ReadUInt32();
tokens.Add(token);
}
for (int i = 0; i < exports.Count; i++)
{
buffer = new byte[10];
file.Read(buffer, exports[i].Address, buffer.Length);
var int1 = BitConverter.ToUInt32(buffer, 2);
var slot = (int1 - 0x80000000 - tableRva) / 8;
exports[i].Token = tokens[(int)slot];
}
return(exports);
}
}
public void NativeBodyWithCallX86()
{
Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows), NonWindowsPlatform);
// Read image
var image = PEImage.FromBytes(Properties.Resources.TheAnswer_NetFx);
var module = new ImportedModule("api-ms-win-crt-stdio-l1-1-0.dll");
image.Imports.Add(module);
var function = new ImportedSymbol(0x4fc, "puts");
module.Symbols.Add(function);
var body = new CodeSegment(image.ImageBase, new byte[]
{
/* 00: */ 0x55, // push ebp
/* 01: */ 0x89, 0xE5, // mov ebp,esp
/* 03: */ 0x6A, 0x6F, // push byte +0x6f ; H
/* 05: */ 0x68, 0x48, 0x65, 0x6C, 0x6C, // push dword 0x6c6c6548 ; ello
/* 0A: */ 0x54, // push esp
/* 0B: */ 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, // call [dword puts]
/* 11: */ 0x83, 0xC4, 0x0C, // add esp,byte +0xc
/* 14: */ 0xB8, 0x37, 0x13, 0x00, 0x00, // mov eax,0x1337
/* 19: */ 0x5D, // pop ebp
/* 1A: */ 0xC3, // ret
});
// Fix up puts call.
body.AddressFixups.Add(new AddressFixup(
0xD, AddressFixupType.Absolute32BitAddress, function
));
image.Relocations.Clear();
image.Relocations.Add(new BaseRelocation(RelocationType.HighLow, new RelativeReference(body, 0xD)));
// Replace body.
ReplaceBodyWithNativeCode(image, body, true);
// Rebuild
var builder = new ManagedPEFileBuilder();
var peFile = builder.CreateFile(image);
// Verify
string expectedOutput = "Hello\r\nThe answer to life, universe and everything is 4919\r\n";
_fixture
.GetRunner <FrameworkPERunner>()
.RebuildAndRun(peFile, "TheAnswer", expectedOutput);
}
public void MaliciousDirectoryOffset()
{
var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld_MaliciousWin32ResDirOffset,
new PEReaderParameters(EmptyErrorListener.Instance));
var entry = peImage.Resources.Entries[0];
Assert.Equal(16u, entry.Id);
Assert.True(entry.IsDirectory);
var directory = (IResourceDirectory)entry;
Assert.Empty(directory.Entries);
}
private static IPEImage RebuildAndReloadManagedPE(IPEImage image)
{
// Build.
using var tempStream = new MemoryStream();
var builder = new ManagedPEFileBuilder();
var newPeFile = builder.CreateFile(image);
newPeFile.Write(new BinaryStreamWriter(tempStream));
// Reload.
var newImage = PEImage.FromBytes(tempStream.ToArray());
return(newImage);
}
public static unsafe CorHeader Load(PEImage pe)
{
var dd = pe.Directories[DataDirectories.CLIHeader];
if (dd.IsNull)
{
throw new BadImageFormatException(string.Format(SR.MetadataImageNotValid, pe.Location));
}
using (var accessor = pe.OpenImageToSectionData(dd.RVA))
{
return(Read(accessor, pe.Location));
}
}
public void HelloWorldRebuild64BitNoChange()
{
// Read image
var image = PEImage.FromBytes(Properties.Resources.HelloWorld_X64);
// Rebuild
var builder = new ManagedPEFileBuilder();
var peFile = builder.CreateFile(image);
// Verify
_fixture
.GetRunner <FrameworkPERunner>()
.RebuildAndRun(peFile, "HelloWorld", "Hello World!" + Environment.NewLine);
}
#pragma warning restore CS8618 // Non-nullable field is uninitialized.
public override bool Execute()
{
if (string.IsNullOrWhiteSpace(OutputFile))
{
Log.LogMessageFromText(nameof(OutputFile) + " is an empty string", MessageImportance.High);
return(false);
}
if (string.IsNullOrWhiteSpace(TargetSubSystem))
{
Log.LogMessageFromText(nameof(TargetSubSystem) + " is an empty string", MessageImportance.High);
return(false);
}
if (!File.Exists(OutputFile))
{
Log.LogMessageFromText("Specified output file does not exist", MessageImportance.High);
return(false);
}
if (!Enum.TryParse <Subsystem>(TargetSubSystem, out var targetSubSystem))
{
Log.LogMessageFromText("Specifed SubSystem is invalid", MessageImportance.High);
return(false);
}
var exeFile = Path.ChangeExtension(OutputFile, "exe");
if (!File.Exists(exeFile))
{
Log.LogMessageFromText("Apphost for specified output file does not exist", MessageImportance.High);
return(false);
}
uint subSystemOffset;
using (var peImage = new PEImage(exeFile, verify: true)) {
// 68 = offset from start of optional header to SubSystem value.
subSystemOffset = (uint)peImage.ImageNTHeaders.OptionalHeader.StartOffset + 68;
}
using (var fs = File.Open(exeFile, FileMode.Open, FileAccess.Write)) {
fs.Position = subSystemOffset;
var subSystemBytes = BitConverter.GetBytes((ushort)targetSubSystem);
fs.Write(subSystemBytes, 0, sizeof(ushort));
}
return(true);
}
static uint GetEntryPointToken(string filename, out string otherModuleName)
{
otherModuleName = null;
IImageStream cor20HeaderStream = null;
try {
using (var peImage = new PEImage(filename)) {
var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14];
if (dotNetDir.VirtualAddress == 0)
{
return(0);
}
if (dotNetDir.Size < 0x48)
{
return(0);
}
var cor20Header = new ImageCor20Header(cor20HeaderStream = peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true);
if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0)
{
return(0);
}
uint token = cor20Header.EntryPointToken_or_RVA;
if ((Table)(token >> 24) != Table.File)
{
return(token);
}
using (var mod = ModuleDefMD.Load(peImage)) {
var file = mod.ResolveFile(token & 0x00FFFFFF);
if (file == null || !file.ContainsMetaData)
{
return(0);
}
otherModuleName = file.Name;
return(token);
}
}
}
catch {
}
finally {
if (cor20HeaderStream != null)
{
cor20HeaderStream.Dispose();
}
}
return(0);
}
/// <summary>
/// Create a <see cref="DotNetFile"/> instance
/// </summary>
/// <param name="addr">Address of a .NET file in memory</param>
/// <param name="imageLayout">Image layout of the file in memory</param>
/// <returns>A new <see cref="DotNetFile"/> instance</returns>
public static DotNetFile Load(IntPtr addr, ImageLayout imageLayout)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(addr, imageLayout, true)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
internal static MetadataBase Load(string fileName, CLRRuntimeReaderKind runtime)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(fileName), runtime));
}
catch {
if (peImage is not null)
{
peImage.Dispose();
}
throw;
}
}
public void ReadRow_SmallString_Small_Extends_SmallField_SmallMethod()
{
var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld);
var tablesStream = peImage.DotNetDirectory.Metadata.GetStream <TablesStream>();
var typeDefTable = tablesStream.GetTable <TypeDefinitionRow>();
Assert.Equal(2, typeDefTable.Count);
Assert.Equal(
new TypeDefinitionRow(0, 0x0001, 0x0000, 0x0000, 0x0001, 0x0001),
typeDefTable[0]);
Assert.Equal(
new TypeDefinitionRow((TypeAttributes)0x00100001, 0x016F, 0x013, 0x0031, 0x0001, 0x0001),
typeDefTable[typeDefTable.Count - 1]);
}
private static VTableFixupTable Load(IBinaryAccessor accessor, PEImage pe, int size)
{
var table = new VTableFixupTable();
long endOffset = accessor.Position + size;
while (accessor.Position < endOffset)
{
var entry = VTableFixupEntry.Load(accessor, pe);
entry._parent = table;
table._list.Add(entry);
}
return(table);
}
public void WindowsNativePdbTest()
{
// Load Windows' ntdll.dll
var dllFileName = Path.Combine(Environment.SystemDirectory, "ntdll.dll");
using var winFileStream = new FileStream(dllFileName, FileMode.Open, FileAccess.Read);
PEImage img = new PEImage(winFileStream);
Assert.NotNull(img);
PdbInfo imgPdb = img.DefaultPdb;
Assert.NotNull(imgPdb);
Assert.NotNull(imgPdb.Path);
}
internal static MetadataBase Load(IntPtr addr, ImageLayout imageLayout, CLRRuntimeReaderKind runtime)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(addr, imageLayout, true), runtime));
}
catch {
if (!(peImage is null))
{
peImage.Dispose();
}
throw;
}
}
public void ReadRow_SmallResolutionScope_SmallStrings()
{
var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld);
var tablesStream = peImage.DotNetDirectory.Metadata.GetStream <TablesStream>();
var typeRefTable = tablesStream.GetTable <TypeReferenceRow>();
Assert.Equal(13, typeRefTable.Count);
Assert.Equal(
new TypeReferenceRow(0x0006, 0x00D6, 0x01AE),
typeRefTable[0]);
Assert.Equal(
new TypeReferenceRow(0x0006, 0x001E, 0x0177),
typeRefTable[typeRefTable.Count - 1]);
}
/// <summary>
/// Create a <see cref="DotNetFile"/> instance
/// </summary>
/// <param name="data">The .NET file data</param>
/// <returns>A new <see cref="DotNetFile"/> instance</returns>
public static DotNetFile Load(byte[] data)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(data)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
/// <summary>
/// Create a <see cref="DotNetFile"/> instance
/// </summary>
/// <param name="fileName">The file to load</param>
/// <returns>A new <see cref="DotNetFile"/> instance</returns>
public static DotNetFile Load(string fileName)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(fileName)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
internal static MetadataBase Load(byte[] data, CLRRuntimeReaderKind runtime)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(data), runtime));
}
catch {
if (!(peImage is null))
{
peImage.Dispose();
}
throw;
}
}
/// <summary>
/// Create a <see cref="MetadataBase"/> instance
/// </summary>
/// <param name="data">The .NET file data</param>
/// <returns>A new <see cref="MetadataBase"/> instance</returns>
internal static MetadataBase Load(byte[] data)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(data)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
/// <summary>
/// Create a <see cref="MetadataBase"/> instance
/// </summary>
/// <param name="fileName">The file to load</param>
/// <returns>A new <see cref="MetadataBase"/> instance</returns>
internal static MetadataBase Load(string fileName)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(fileName)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
/// <summary>
/// Create a <see cref="MetadataBase"/> instance
/// </summary>
/// <param name="addr">Address of a .NET file in memory</param>
/// <param name="imageLayout">Image layout of the file in memory</param>
/// <returns>A new <see cref="MetadataBase"/> instance</returns>
internal static MetadataBase Load(IntPtr addr, ImageLayout imageLayout)
{
IPEImage peImage = null;
try {
return(Load(peImage = new PEImage(addr, imageLayout, true)));
}
catch {
if (peImage != null)
{
peImage.Dispose();
}
throw;
}
}
private void button2_Click(object sender, EventArgs e)
{
//Debug.WriteLine("[button2_Click]");
log.Log(LogType.Normal, "button2_Click");
if (this.txtFilePath.Text.Length > 0)
{
using (var a = new PEImage(File.ReadAllBytes(this.txtFilePath.Text)))
{
using (var frm = new frmSecView(a, this.txtFilePath.Text))
{
frm.ShowDialog();
}
}
}
}
static unsafe bool PatchCM(IntPtr addr, IntPtr origValue, IntPtr newValue)
{
var baseAddr = GetModuleHandle(addr);
IntPtr patchAddr;
using (var peImage = new PEImage(baseAddr))
patchAddr = FindCMAddress(peImage, baseAddr, origValue);
if (patchAddr == IntPtr.Zero)
{
return(false);
}
*(IntPtr *)patchAddr = newValue;
return(true);
}
protected VersionData GetVersion()
{
VersionData versionData = null;
PEImage peImage = GetPEInfo();
if (peImage != null)
{
FileVersionInfo fileVersionInfo = peImage.GetFileVersionInfo();
if (fileVersionInfo != null)
{
versionData = fileVersionInfo.VersionInfo.ToVersionData();
}
}
else
{
// If we can't get the version from the PE, search for version string embedded in the module data
string versionString = VersionString;
if (versionString != null)
{
int spaceIndex = versionString.IndexOf(' ');
if (spaceIndex < 0)
{
// It is probably a private build version that doesn't end with a space (no commit id after)
spaceIndex = versionString.Length;
}
if (spaceIndex > 0)
{
if (versionString[spaceIndex - 1] == '.')
{
spaceIndex--;
}
string versionToParse = versionString.Substring(0, spaceIndex);
try
{
Version version = System.Version.Parse(versionToParse);
versionData = new VersionData(version.Major, version.Minor, version.Build, version.Revision);
}
catch (ArgumentException ex)
{
Trace.TraceError($"Module.Version FAILURE: '{versionToParse}' '{versionString}' {ex}");
}
}
}
}
return(versionData);
}
public static AssemblyReference GetAssemblyName(string filePath, bool throwOnFailure = false)
{
try
{
return(GetAssemblyName(PEImage.LoadFile(filePath)));
}
catch (Exception ex)
{
if (throwOnFailure)
{
throw new CodeModelException(string.Format(SR.AssemblyLoadError, filePath), ex);
}
return(null);
}
}
