private static BytesToUInt64 ( byte b1, byte b2, byte b3, byte b4, byte b5, byte b6, byte b7, byte b8 ) : ulong | ||
b1 | byte | Highest byte. |
b2 | byte | Second byte. |
b3 | byte | Third byte. |
b4 | byte | Fourth byte. |
b5 | byte | Fifth byte. |
b6 | byte | Sixth byte. |
b7 | byte | Seventh byte. |
b8 | byte | Lowest byte. |
return | ulong |
public IMAGE_THUNK_DATA(byte[] buff, UInt32 offset, IMAGE_SECTION_HEADER[] sh, bool is32Bit) { if (is32Bit) { Ordinal = Utility.BytesToUInt32(buff, Utility.RVAtoFileMapping(offset, sh)); // Check if import by name or by ordinal. // If it is an import by ordinal, the most significant bit of "Ordinal" is "1" and the ordinal can // be extracted from the least significant bits. // Else it is an import by name and the link to the IMAGE_IMPORT_BY_NAME has to be followed if ((Ordinal & 0x80000000) == 0x80000000) { Ordinal = (Ordinal & 0x7FFFFFFF); } else { var ordinal = Utility.RVAtoFileMapping((UInt32)Ordinal, sh); ImageImportByName = ParseImageImportByName(nextItdAddress, mode2, buff, st); } } else { Ordinal = Utility.BytesToUInt64(buff, Utility.RVAtoFileMapping(offset, sh)); if ((Ordinal & 0x8000000000000000) == 0x8000000000000000) { Ordinal = (Ordinal & 0x7FFFFFFFFFFFFFFF); } else { var ordinal = Utility.RVAtoFileMapping(Ordinal, sh); ImageImportByName = ParseImageImportByName(nextItdAddress, mode2, buff, st); } }
public IMAGE_OPTIONAL_HEADER(byte [] buff, UInt32 offset, bool is32Bit) { Magic = Utility.BytesToUshort(buff, offset); MajorLinkerVersion = buff[offset + 2]; MinorLinkerVersion = buff[offset + 3]; SizeOfCode = Utility.BytesToUInt32(buff, offset + 4); SizeOfInitializedData = Utility.BytesToUInt32(buff, offset + 8); SizeOfUninitializedData = Utility.BytesToUInt32(buff, offset + 0xC); AddressOfEntryPoint = Utility.BytesToUInt32(buff, offset + 0x10); BaseOfCode = Utility.BytesToUInt32(buff, offset + 0x14); BaseOfData = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x18) : 0; ImageBase = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x1c) : Utility.BytesToUInt64(buff, offset + 0x18); SectionAlignment = Utility.BytesToUInt32(buff, offset + 0x20); FileAlignment = Utility.BytesToUInt32(buff, offset + 0x24); MajorOSVersion = Utility.BytesToUshort(buff, offset + 0x28); MinorOSVersion = Utility.BytesToUshort(buff, offset + 0x2a); MajorImageVersion = Utility.BytesToUshort(buff, offset + 0x2c); MinorImageVersion = Utility.BytesToUshort(buff, offset + 0x2e); MajorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x30); MinorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x32); Win32VersionValue = Utility.BytesToUInt32(buff, offset + 0x34); SizeOfImage = Utility.BytesToUInt32(buff, offset + 0x38); SizeOfHeaders = Utility.BytesToUInt32(buff, offset + 0x3c); Checksum = Utility.BytesToUInt32(buff, offset + 0x40); Subsystem = Utility.BytesToUshort(buff, offset + 0x44); DllCharacteristics = Utility.BytesToUshort(buff, offset + 0x46); SizeOfStackReverse = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x48) : Utility.BytesToUInt64(buff, offset + 0x48); SizeOfStackCommit = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x4c) : Utility.BytesToUInt64(buff, offset + 0x50); SizeOfHeapReverse = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x50) : Utility.BytesToUInt64(buff, offset + 0x58); SizeOfHeapCommit = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x54) : Utility.BytesToUInt64(buff, offset + 0x60); LoaderFlags = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x58) : Utility.BytesToUInt32(buff, offset + 0x68); NumberOfRVAandSizes = (is32Bit) ? Utility.BytesToUInt32(buff, offset + 0x5c) : Utility.BytesToUInt32(buff, offset + 0x6c); ImageDataDirectory = (is32Bit) ? new IMAGE_DATA_DIRECTORY(buff, offset + 0x60, is32Bit) : new IMAGE_DATA_DIRECTORY(buff, offset + 0x70, is32Bit); }