public void ManagedPdbTest() { using DataTarget dt = TestTargets.AppDomains.LoadFullDump(); PEModuleInfo clrModule = (PEModuleInfo)dt.EnumerateModules().SingleOrDefault(m => Path.GetFileNameWithoutExtension(m.FileName).Equals("clr", StringComparison.OrdinalIgnoreCase)); using PEImage img = clrModule.GetPEImage(); Assert.NotNull(img); PdbInfo imgPdb = img.DefaultPdb; Assert.NotNull(imgPdb); Assert.NotNull(imgPdb.Path); }
public ExportedFunctionsReader(string filename, ulong baseAddress) { this.baseAddress = baseAddress; try { peImage = new PEImage(filename); } catch (IOException) { throw new DbgHookException($"Invalid PE file: {filename}"); } catch (BadImageFormatException) { throw new DbgHookException($"Invalid PE file: {filename}"); } }
public void TestResourceImages() { using DataTarget dt = TestTargets.AppDomains.LoadFullDump(); ClrInfo clr = dt.ClrVersions.Single(); using PEImage image = ((PEModuleInfo)clr.ModuleInfo).GetPEImage(); ResourceEntry entry = image.Resources; bool found = false; WalkEntry(entry, ref found); Assert.True(found); }
public void PersistentEntries() { var image = PEImage.FromBytes(Properties.Resources.HelloWorld); var newImage = RebuildAndReloadManagedPE(image); Assert.Equal( image.DebugData .Where(e => e.Contents != null) .Select(e => e.Contents.Type), newImage.DebugData .Where(e => e.Contents != null) .Select(e => e.Contents.Type)); }
public ECallListReader(string filename) { peImage = new PEImage(filename); reader = peImage.CreateReader(); is32bit = peImage.ImageNTHeaders.OptionalHeader.Magic == 0x010B; ptrSize = is32bit ? 4U : 8; var last = peImage.ImageSectionHeaders[peImage.ImageSectionHeaders.Count - 1]; endRva = (uint)last.VirtualAddress + last.VirtualSize; list = new List <ECClass>(); tableFormat = null; Read(); }
//public static void GetExports(string assemblyFileName, string[] exportNames, string[] types, string[] methodNames) //{ // var exports = Get(assemblyFileName); // for (int i = 0; i < exports.Length; i++) // { // exportNames[i] = exports[i].ExportName; // types[i] = exports[i].Type; // methodNames[i] = exports[i].MethodName; // } //} private static IReadOnlyList <FunctionExport> GetFunctionExports(string assemblyFileName) { using (var stream = File.OpenRead(assemblyFileName)) { var file = new PEImage(stream); var exports = file.ReadFunctionExports().ToList(); if (exports.Count == 0) { return(new List <FunctionExport>()); } var buffer = new byte[file.CorHeader.VTableFixups.Size]; file.Read(buffer, (int)file.CorHeader.VTableFixups.VirtualAddress, buffer.Length); var tableRva = BitConverter.ToInt32(buffer, 0); var numSlots = BitConverter.ToInt16(buffer, 4); var flags = BitConverter.ToInt16(buffer, 6); var reader = new BinaryReader(file.Stream); reader.BaseStream.Seek(file.RvaToOffset(tableRva), SeekOrigin.Begin); var tokens = new List <uint>(); for (int i = 0; i < numSlots; i++) { var token = reader.ReadUInt32(); reader.ReadUInt32(); tokens.Add(token); } for (int i = 0; i < exports.Count; i++) { buffer = new byte[10]; file.Read(buffer, exports[i].Address, buffer.Length); var int1 = BitConverter.ToUInt32(buffer, 2); var slot = (int1 - 0x80000000 - tableRva) / 8; exports[i].Token = tokens[(int)slot]; } return(exports); } }
public void NativeBodyWithCallX86() { Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows), NonWindowsPlatform); // Read image var image = PEImage.FromBytes(Properties.Resources.TheAnswer_NetFx); var module = new ImportedModule("api-ms-win-crt-stdio-l1-1-0.dll"); image.Imports.Add(module); var function = new ImportedSymbol(0x4fc, "puts"); module.Symbols.Add(function); var body = new CodeSegment(image.ImageBase, new byte[] { /* 00: */ 0x55, // push ebp /* 01: */ 0x89, 0xE5, // mov ebp,esp /* 03: */ 0x6A, 0x6F, // push byte +0x6f ; H /* 05: */ 0x68, 0x48, 0x65, 0x6C, 0x6C, // push dword 0x6c6c6548 ; ello /* 0A: */ 0x54, // push esp /* 0B: */ 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, // call [dword puts] /* 11: */ 0x83, 0xC4, 0x0C, // add esp,byte +0xc /* 14: */ 0xB8, 0x37, 0x13, 0x00, 0x00, // mov eax,0x1337 /* 19: */ 0x5D, // pop ebp /* 1A: */ 0xC3, // ret }); // Fix up puts call. body.AddressFixups.Add(new AddressFixup( 0xD, AddressFixupType.Absolute32BitAddress, function )); image.Relocations.Clear(); image.Relocations.Add(new BaseRelocation(RelocationType.HighLow, new RelativeReference(body, 0xD))); // Replace body. ReplaceBodyWithNativeCode(image, body, true); // Rebuild var builder = new ManagedPEFileBuilder(); var peFile = builder.CreateFile(image); // Verify string expectedOutput = "Hello\r\nThe answer to life, universe and everything is 4919\r\n"; _fixture .GetRunner <FrameworkPERunner>() .RebuildAndRun(peFile, "TheAnswer", expectedOutput); }
public void MaliciousDirectoryOffset() { var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld_MaliciousWin32ResDirOffset, new PEReaderParameters(EmptyErrorListener.Instance)); var entry = peImage.Resources.Entries[0]; Assert.Equal(16u, entry.Id); Assert.True(entry.IsDirectory); var directory = (IResourceDirectory)entry; Assert.Empty(directory.Entries); }
private static IPEImage RebuildAndReloadManagedPE(IPEImage image) { // Build. using var tempStream = new MemoryStream(); var builder = new ManagedPEFileBuilder(); var newPeFile = builder.CreateFile(image); newPeFile.Write(new BinaryStreamWriter(tempStream)); // Reload. var newImage = PEImage.FromBytes(tempStream.ToArray()); return(newImage); }
public static unsafe CorHeader Load(PEImage pe) { var dd = pe.Directories[DataDirectories.CLIHeader]; if (dd.IsNull) { throw new BadImageFormatException(string.Format(SR.MetadataImageNotValid, pe.Location)); } using (var accessor = pe.OpenImageToSectionData(dd.RVA)) { return(Read(accessor, pe.Location)); } }
public void HelloWorldRebuild64BitNoChange() { // Read image var image = PEImage.FromBytes(Properties.Resources.HelloWorld_X64); // Rebuild var builder = new ManagedPEFileBuilder(); var peFile = builder.CreateFile(image); // Verify _fixture .GetRunner <FrameworkPERunner>() .RebuildAndRun(peFile, "HelloWorld", "Hello World!" + Environment.NewLine); }
#pragma warning restore CS8618 // Non-nullable field is uninitialized. public override bool Execute() { if (string.IsNullOrWhiteSpace(OutputFile)) { Log.LogMessageFromText(nameof(OutputFile) + " is an empty string", MessageImportance.High); return(false); } if (string.IsNullOrWhiteSpace(TargetSubSystem)) { Log.LogMessageFromText(nameof(TargetSubSystem) + " is an empty string", MessageImportance.High); return(false); } if (!File.Exists(OutputFile)) { Log.LogMessageFromText("Specified output file does not exist", MessageImportance.High); return(false); } if (!Enum.TryParse <Subsystem>(TargetSubSystem, out var targetSubSystem)) { Log.LogMessageFromText("Specifed SubSystem is invalid", MessageImportance.High); return(false); } var exeFile = Path.ChangeExtension(OutputFile, "exe"); if (!File.Exists(exeFile)) { Log.LogMessageFromText("Apphost for specified output file does not exist", MessageImportance.High); return(false); } uint subSystemOffset; using (var peImage = new PEImage(exeFile, verify: true)) { // 68 = offset from start of optional header to SubSystem value. subSystemOffset = (uint)peImage.ImageNTHeaders.OptionalHeader.StartOffset + 68; } using (var fs = File.Open(exeFile, FileMode.Open, FileAccess.Write)) { fs.Position = subSystemOffset; var subSystemBytes = BitConverter.GetBytes((ushort)targetSubSystem); fs.Write(subSystemBytes, 0, sizeof(ushort)); } return(true); }
static uint GetEntryPointToken(string filename, out string otherModuleName) { otherModuleName = null; IImageStream cor20HeaderStream = null; try { using (var peImage = new PEImage(filename)) { var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (dotNetDir.VirtualAddress == 0) { return(0); } if (dotNetDir.Size < 0x48) { return(0); } var cor20Header = new ImageCor20Header(cor20HeaderStream = peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true); if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0) { return(0); } uint token = cor20Header.EntryPointToken_or_RVA; if ((Table)(token >> 24) != Table.File) { return(token); } using (var mod = ModuleDefMD.Load(peImage)) { var file = mod.ResolveFile(token & 0x00FFFFFF); if (file == null || !file.ContainsMetaData) { return(0); } otherModuleName = file.Name; return(token); } } } catch { } finally { if (cor20HeaderStream != null) { cor20HeaderStream.Dispose(); } } return(0); }
/// <summary> /// Create a <see cref="DotNetFile"/> instance /// </summary> /// <param name="addr">Address of a .NET file in memory</param> /// <param name="imageLayout">Image layout of the file in memory</param> /// <returns>A new <see cref="DotNetFile"/> instance</returns> public static DotNetFile Load(IntPtr addr, ImageLayout imageLayout) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(addr, imageLayout, true))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
internal static MetadataBase Load(string fileName, CLRRuntimeReaderKind runtime) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(fileName), runtime)); } catch { if (peImage is not null) { peImage.Dispose(); } throw; } }
public void ReadRow_SmallString_Small_Extends_SmallField_SmallMethod() { var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld); var tablesStream = peImage.DotNetDirectory.Metadata.GetStream <TablesStream>(); var typeDefTable = tablesStream.GetTable <TypeDefinitionRow>(); Assert.Equal(2, typeDefTable.Count); Assert.Equal( new TypeDefinitionRow(0, 0x0001, 0x0000, 0x0000, 0x0001, 0x0001), typeDefTable[0]); Assert.Equal( new TypeDefinitionRow((TypeAttributes)0x00100001, 0x016F, 0x013, 0x0031, 0x0001, 0x0001), typeDefTable[typeDefTable.Count - 1]); }
private static VTableFixupTable Load(IBinaryAccessor accessor, PEImage pe, int size) { var table = new VTableFixupTable(); long endOffset = accessor.Position + size; while (accessor.Position < endOffset) { var entry = VTableFixupEntry.Load(accessor, pe); entry._parent = table; table._list.Add(entry); } return(table); }
public void WindowsNativePdbTest() { // Load Windows' ntdll.dll var dllFileName = Path.Combine(Environment.SystemDirectory, "ntdll.dll"); using var winFileStream = new FileStream(dllFileName, FileMode.Open, FileAccess.Read); PEImage img = new PEImage(winFileStream); Assert.NotNull(img); PdbInfo imgPdb = img.DefaultPdb; Assert.NotNull(imgPdb); Assert.NotNull(imgPdb.Path); }
internal static MetadataBase Load(IntPtr addr, ImageLayout imageLayout, CLRRuntimeReaderKind runtime) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(addr, imageLayout, true), runtime)); } catch { if (!(peImage is null)) { peImage.Dispose(); } throw; } }
public void ReadRow_SmallResolutionScope_SmallStrings() { var peImage = PEImage.FromBytes(Properties.Resources.HelloWorld); var tablesStream = peImage.DotNetDirectory.Metadata.GetStream <TablesStream>(); var typeRefTable = tablesStream.GetTable <TypeReferenceRow>(); Assert.Equal(13, typeRefTable.Count); Assert.Equal( new TypeReferenceRow(0x0006, 0x00D6, 0x01AE), typeRefTable[0]); Assert.Equal( new TypeReferenceRow(0x0006, 0x001E, 0x0177), typeRefTable[typeRefTable.Count - 1]); }
/// <summary> /// Create a <see cref="DotNetFile"/> instance /// </summary> /// <param name="data">The .NET file data</param> /// <returns>A new <see cref="DotNetFile"/> instance</returns> public static DotNetFile Load(byte[] data) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(data))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
/// <summary> /// Create a <see cref="DotNetFile"/> instance /// </summary> /// <param name="fileName">The file to load</param> /// <returns>A new <see cref="DotNetFile"/> instance</returns> public static DotNetFile Load(string fileName) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(fileName))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
internal static MetadataBase Load(byte[] data, CLRRuntimeReaderKind runtime) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(data), runtime)); } catch { if (!(peImage is null)) { peImage.Dispose(); } throw; } }
/// <summary> /// Create a <see cref="MetadataBase"/> instance /// </summary> /// <param name="data">The .NET file data</param> /// <returns>A new <see cref="MetadataBase"/> instance</returns> internal static MetadataBase Load(byte[] data) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(data))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
/// <summary> /// Create a <see cref="MetadataBase"/> instance /// </summary> /// <param name="fileName">The file to load</param> /// <returns>A new <see cref="MetadataBase"/> instance</returns> internal static MetadataBase Load(string fileName) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(fileName))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
/// <summary> /// Create a <see cref="MetadataBase"/> instance /// </summary> /// <param name="addr">Address of a .NET file in memory</param> /// <param name="imageLayout">Image layout of the file in memory</param> /// <returns>A new <see cref="MetadataBase"/> instance</returns> internal static MetadataBase Load(IntPtr addr, ImageLayout imageLayout) { IPEImage peImage = null; try { return(Load(peImage = new PEImage(addr, imageLayout, true))); } catch { if (peImage != null) { peImage.Dispose(); } throw; } }
private void button2_Click(object sender, EventArgs e) { //Debug.WriteLine("[button2_Click]"); log.Log(LogType.Normal, "button2_Click"); if (this.txtFilePath.Text.Length > 0) { using (var a = new PEImage(File.ReadAllBytes(this.txtFilePath.Text))) { using (var frm = new frmSecView(a, this.txtFilePath.Text)) { frm.ShowDialog(); } } } }
static unsafe bool PatchCM(IntPtr addr, IntPtr origValue, IntPtr newValue) { var baseAddr = GetModuleHandle(addr); IntPtr patchAddr; using (var peImage = new PEImage(baseAddr)) patchAddr = FindCMAddress(peImage, baseAddr, origValue); if (patchAddr == IntPtr.Zero) { return(false); } *(IntPtr *)patchAddr = newValue; return(true); }
protected VersionData GetVersion() { VersionData versionData = null; PEImage peImage = GetPEInfo(); if (peImage != null) { FileVersionInfo fileVersionInfo = peImage.GetFileVersionInfo(); if (fileVersionInfo != null) { versionData = fileVersionInfo.VersionInfo.ToVersionData(); } } else { // If we can't get the version from the PE, search for version string embedded in the module data string versionString = VersionString; if (versionString != null) { int spaceIndex = versionString.IndexOf(' '); if (spaceIndex < 0) { // It is probably a private build version that doesn't end with a space (no commit id after) spaceIndex = versionString.Length; } if (spaceIndex > 0) { if (versionString[spaceIndex - 1] == '.') { spaceIndex--; } string versionToParse = versionString.Substring(0, spaceIndex); try { Version version = System.Version.Parse(versionToParse); versionData = new VersionData(version.Major, version.Minor, version.Build, version.Revision); } catch (ArgumentException ex) { Trace.TraceError($"Module.Version FAILURE: '{versionToParse}' '{versionString}' {ex}"); } } } } return(versionData); }
public static AssemblyReference GetAssemblyName(string filePath, bool throwOnFailure = false) { try { return(GetAssemblyName(PEImage.LoadFile(filePath))); } catch (Exception ex) { if (throwOnFailure) { throw new CodeModelException(string.Format(SR.AssemblyLoadError, filePath), ex); } return(null); } }