Exemplo n.º 1
0
        private static PEInfomation vLoad(PEInfomation info, IntPtr baseAddress)
        {
            IntPtr handle = info.GetProcessHandle();

            if (handle == IntPtr.Zero)
            {
                throw new ArgumentException("Invalid process", "ProcessID");
            }

            info.DosHeader = StructFromMemory <IMAGE_DOS_HEADER>(handle, baseAddress);
            IntPtr imageBase = new IntPtr(info.DosHeader.e_lfanew + (uint)baseAddress);

            info.FileHeader       = StructFromMemory <IMAGE_FILE_HEADER>(handle, imageBase);
            info.OptionalHeader32 = StructFromMemory <IMAGE_OPTIONAL_HEADER32>(handle, imageBase + Marshal.SizeOf(info.FileHeader));
            info.DataDirectories  = StructFromMemory <IMAGE_DATA_DIRECTORIES>(handle, imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));

            info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
            IntPtr sectionsBase  = imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
            int    sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));

            for (int i = 0; i < info.Sections.Length; i++)
            {
                IntPtr sectionLocation = sectionsBase + (sizeOfSection * i);
                info.Sections[i] = StructFromMemory <IMAGE_SECTION_HEADER>(handle, sectionLocation);
            }

            if (info.IsNet)
            {
                //is .net
                info.NetStructures.COR20Header = StructFromMemory <COR20_HEADER>(handle, new IntPtr((uint)baseAddress + info.DataDirectories.CLRRuntimeHeaderRva));

                byte[] data = new byte[info.NetStructures.COR20Header.MetaDataSize];
                NativeMethods.ReadProcessMemory(handle, new IntPtr((uint)baseAddress + info.NetStructures.COR20Header.MetaDataRva), data, data.Length, 0);

                LoadNetMetaData(info, data);
            }

            info.CloseProcessHandle();

            info.WriteOverview();
            return(info);
        }
Exemplo n.º 2
0
        public static PEInfomation Load(byte[] data, string path)
        {
            if (data == null)
            {
                throw new ArgumentNullException("data");
            }

            PEInfomation info = new PEInfomation(data, path);

            info.DosHeader        = StructFromBytes <IMAGE_DOS_HEADER>(data, 0);
            info.FileHeader       = StructFromBytes <IMAGE_FILE_HEADER>(data, Convert.ToInt32(info.DosHeader.e_lfanew));
            info.OptionalHeader32 = StructFromBytes <IMAGE_OPTIONAL_HEADER32>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader));
            info.DataDirectories  = StructFromBytes <IMAGE_DATA_DIRECTORIES>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));

            info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
            int sectionsBase  = Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
            int sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));

            for (int i = 0; i < info.Sections.Length; i++)
            {
                int sectionLocation = sectionsBase + (sizeOfSection * i);
                info.Sections[i] = StructFromBytes <IMAGE_SECTION_HEADER>(data, sectionLocation);
            }

            if (info.IsNet)
            {
                //is .net
                info.NetStructures.NetOffsets.COR20RawAddress = Convert.ToInt32(info.DataDirectories.CLRRuntimeHeaderRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);
                info.NetStructures.COR20Header = StructFromBytes <COR20_HEADER>(data, info.NetStructures.NetOffsets.COR20RawAddress);

                info.NetStructures.NetOffsets.MetaDataRawAddress = Convert.ToInt32(info.NetStructures.COR20Header.MetaDataRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);

                LoadNetMetaData(info, data);
            }

            info.WriteOverview();
            return(info);
        }