Exemplo n.º 1
 /// <summary>
 /// Reads the optional header fields out of <paramref name="buff"/>, starting at
 /// <paramref name="offset"/>.
 /// </summary>
 /// <param name="buff">Raw bytes containing the header.</param>
 /// <param name="offset">Index in <paramref name="buff"/> where the optional header starts.</param>
 /// <param name="is32Bit">
 /// Selects the 32-bit field layout when true, the 64-bit layout otherwise.
 /// NOTE(review): the flag is supplied by the caller and is never compared with the
 /// Magic value read here, so a caller that passes the wrong flag gets a silently
 /// mis-parsed header.
 /// </param>
 /// <remarks>
 /// No length check is made on <paramref name="buff"/> in this constructor; what happens on
 /// a truncated buffer depends on the Utility helpers and the array indexer. Every value
 /// stored here comes straight from the input bytes and is unvalidated (sizes, entry point,
 /// directory count), so consumers must range-check before using them as offsets or lengths.
 /// </remarks>
 public IMAGE_OPTIONAL_HEADER(byte [] buff, UInt32 offset, bool is32Bit)
 {
     // Leading fields: same position in both layouts.
     Magic = Utility.BytesToUshort(buff, offset);
     MajorLinkerVersion = buff[offset + 2];
     MinorLinkerVersion = buff[offset + 3];
     SizeOfCode = Utility.BytesToUInt32(buff, offset + 4);
     SizeOfInitializedData = Utility.BytesToUInt32(buff, offset + 8);
     SizeOfUninitializedData = Utility.BytesToUInt32(buff, offset + 0xC);
     AddressOfEntryPoint = Utility.BytesToUInt32(buff, offset + 0x10);
     BaseOfCode = Utility.BytesToUInt32(buff, offset + 0x14);

     // 32-bit layout: BaseOfData (4 bytes) followed by a 4-byte ImageBase.
     // 64-bit layout: no BaseOfData; ImageBase takes the full 8 bytes at 0x18.
     if (is32Bit)
     {
         BaseOfData = Utility.BytesToUInt32(buff, offset + 0x18);
         ImageBase = Utility.BytesToUInt32(buff, offset + 0x1c);
     }
     else
     {
         BaseOfData = 0;
         ImageBase = Utility.BytesToUInt64(buff, offset + 0x18);
     }

     // Middle fields: same position in both layouts.
     SectionAlignment = Utility.BytesToUInt32(buff, offset + 0x20);
     FileAlignment = Utility.BytesToUInt32(buff, offset + 0x24);
     MajorOSVersion = Utility.BytesToUshort(buff, offset + 0x28);
     MinorOSVersion = Utility.BytesToUshort(buff, offset + 0x2a);
     MajorImageVersion = Utility.BytesToUshort(buff, offset + 0x2c);
     MinorImageVersion = Utility.BytesToUshort(buff, offset + 0x2e);
     MajorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x30);
     MinorSubSystemVersion = Utility.BytesToUshort(buff, offset + 0x32);
     Win32VersionValue = Utility.BytesToUInt32(buff, offset + 0x34);
     SizeOfImage = Utility.BytesToUInt32(buff, offset + 0x38);
     SizeOfHeaders = Utility.BytesToUInt32(buff, offset + 0x3c);
     Checksum = Utility.BytesToUInt32(buff, offset + 0x40);
     Subsystem = Utility.BytesToUshort(buff, offset + 0x44);
     DllCharacteristics = Utility.BytesToUshort(buff, offset + 0x46);

     // Trailing fields: stack/heap sizes are 4 bytes wide in the 32-bit layout and
     // 8 bytes wide in the 64-bit layout, which shifts everything after them.
     if (is32Bit)
     {
         SizeOfStackReverse = Utility.BytesToUInt32(buff, offset + 0x48);
         SizeOfStackCommit = Utility.BytesToUInt32(buff, offset + 0x4c);
         SizeOfHeapReverse = Utility.BytesToUInt32(buff, offset + 0x50);
         SizeOfHeapCommit = Utility.BytesToUInt32(buff, offset + 0x54);
         LoaderFlags = Utility.BytesToUInt32(buff, offset + 0x58);
         NumberOfRVAandSizes = Utility.BytesToUInt32(buff, offset + 0x5c);
         // The directory parser receives the buffer and start offset only; the count
         // read just above is not handed to it.
         ImageDataDirectory = new IMAGE_DATA_DIRECTORY(buff, offset + 0x60, is32Bit);
     }
     else
     {
         SizeOfStackReverse = Utility.BytesToUInt64(buff, offset + 0x48);
         SizeOfStackCommit = Utility.BytesToUInt64(buff, offset + 0x50);
         SizeOfHeapReverse = Utility.BytesToUInt64(buff, offset + 0x58);
         SizeOfHeapCommit = Utility.BytesToUInt64(buff, offset + 0x60);
         LoaderFlags = Utility.BytesToUInt32(buff, offset + 0x68);
         NumberOfRVAandSizes = Utility.BytesToUInt32(buff, offset + 0x6c);
         // The directory parser receives the buffer and start offset only; the count
         // read just above is not handed to it.
         ImageDataDirectory = new IMAGE_DATA_DIRECTORY(buff, offset + 0x70, is32Bit);
     }
 }
Exemplo n.º 2
 /// <summary>
 /// Reads the seven file-header fields (20 bytes in total) from <paramref name="buff"/>,
 /// starting at <paramref name="offset"/>.
 /// </summary>
 /// <param name="buff">Raw bytes containing the header.</param>
 /// <param name="offset">Index in <paramref name="buff"/> where the file header starts.</param>
 /// <remarks>
 /// Nothing is validated here. NumberOfSections and SizeOfOptionalHeaders are taken
 /// verbatim from the input, so code that loops over sections or skips the optional
 /// header must check them against the buffer length first.
 /// </remarks>
 public IMAGE_FILE_HEADER(byte [] buff, UInt32 offset)
 {
     // 16-bit fields at the start of the header.
     Machine = Utility.BytesToUshort(buff, offset + 0x00);
     NumberOfSections = Utility.BytesToUshort(buff, offset + 0x02);

     // Three consecutive 32-bit fields.
     TimeDateStamp = Utility.BytesToUInt32(buff, offset + 0x04);
     PointerToSymbolTable = Utility.BytesToUInt32(buff, offset + 0x08);
     NumberOfSymbols = Utility.BytesToUInt32(buff, offset + 0x0C);

     // 16-bit fields closing the header.
     SizeOfOptionalHeaders = Utility.BytesToUshort(buff, offset + 0x10);
     Characteristics = Utility.BytesToUshort(buff, offset + 0x12);
 }
Exemplo n.º 3
 /// <summary>
 /// Reads the export directory fields from <paramref name="buff"/>, walking forward from
 /// <paramref name="offset"/> one field at a time.
 /// </summary>
 /// <param name="buff">Raw bytes containing the export directory.</param>
 /// <param name="offset">Index in <paramref name="buff"/> where the directory starts.</param>
 /// <remarks>
 /// The counts (NumberOfFuncions, NumberOfNames) and the three AddressOf* values are stored
 /// exactly as found in the input. NOTE(review): in the PE format the AddressOf* fields and
 /// Name are RVAs rather than file offsets - confirm that callers translate and bounds-check
 /// them, and cap the counts, before walking the export tables.
 /// </remarks>
 public IMAGE_EXPORT_DIRECTORY(byte[] buff, UInt32 offset)
 {
     UInt32 cursor = offset;

     Characteristics = Utility.BytesToUInt32(buff, cursor);        // +0x00
     cursor += 4;
     TimeDateStamp = Utility.BytesToUInt32(buff, cursor);          // +0x04
     cursor += 4;
     MajorVersion = Utility.BytesToUshort(buff, cursor);           // +0x08
     cursor += 2;
     MinorVersion = Utility.BytesToUshort(buff, cursor);           // +0x0A
     cursor += 2;
     Name = Utility.BytesToUInt32(buff, cursor);                   // +0x0C
     cursor += 4;
     Base = Utility.BytesToUInt32(buff, cursor);                   // +0x10
     cursor += 4;
     NumberOfFuncions = Utility.BytesToUInt32(buff, cursor);       // +0x14
     cursor += 4;
     NumberOfNames = Utility.BytesToUInt32(buff, cursor);          // +0x18
     cursor += 4;
     AddressOfFunctions = Utility.BytesToUInt32(buff, cursor);     // +0x1C
     cursor += 4;
     AddressOfNames = Utility.BytesToUInt32(buff, cursor);         // +0x20
     cursor += 4;
     AddressOfNameOrdinals = Utility.BytesToUInt32(buff, cursor);  // +0x24
 }
Exemplo n.º 4
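 /// <summary>
 /// Reads one 40-byte section header from <paramref name="buff"/>, starting at
 /// <paramref name="offset"/>.
 /// </summary>
 /// <param name="buff">Raw bytes containing the section table.</param>
 /// <param name="offset">Index in <paramref name="buff"/> where this section header starts.</param>
 /// <remarks>
 /// Two field offsets are corrected relative to the earlier revision of this constructor:
 /// PointerToLineNumbers is read at +28 (was +30) and SectionFlags at +36 (was +38).
 /// The old values overlapped NumberOfRelocations and read two bytes past the end of the
 /// header, so the section's flags (including its read/write/execute bits) were reported
 /// incorrectly.
 /// All values are stored unvalidated; PointerToRawData and SizeOfRawData in particular
 /// must be checked against the file length before the section body is read.
 /// </remarks>
 public IMAGE_SECTION_HEADER(byte[] buff, UInt32 offset)
 {
     // 8-byte section name, copied as raw bytes (not guaranteed to be NUL-terminated).
     SectionHeaderName = new byte[8];
     Array.Copy(buff, offset, SectionHeaderName, (UInt32)0, (UInt32)8);

     VirtualSize          = Utility.BytesToUInt32(buff, offset + 8);
     VirutalAddress       = Utility.BytesToUInt32(buff, offset + 12);
     SizeOfRawData        = Utility.BytesToUInt32(buff, offset + 16);
     PointerToRawData     = Utility.BytesToUInt32(buff, offset + 20);
     PointerToRelocations = Utility.BytesToUInt32(buff, offset + 24);
     // Follows the 4-byte PointerToRelocations directly, i.e. at +28.
     PointerToLineNumbers = Utility.BytesToUInt32(buff, offset + 28);
     NumberOfRelocations  = Utility.BytesToUshort(buff, offset + 32);
     NumberofLineNumbers  = Utility.BytesToUshort(buff, offset + 34);
     // Last four bytes of the header: +36 .. +39.
     SectionFlags         = Utility.BytesToUInt32(buff, offset + 36);
 }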
Exemplo n.º 5
        }                                    // Offset to the PE signature (IMAGE_NT_HEADERS)

        /// <summary>
        /// Reads the DOS header fields from the start of <paramref name="buff"/>.
        /// </summary>
        /// <param name="buff">Raw file bytes; the header is read from index 0.</param>
        /// <remarks>
        /// The highest position read is 0x3C (a 32-bit value), and no length check is made
        /// here, so behaviour on a shorter buffer depends on the Utility helpers.
        /// e_magic is stored but not compared with any expected signature, and e_lfanew is
        /// stored exactly as found in the input: callers must confirm it lies inside the
        /// buffer before using it to locate the next header.
        /// </remarks>
        public IMAGE_DOS_HEADER(byte[] buff)
        {
            // Fourteen consecutive 16-bit fields, 0x00 through 0x1A.
            e_magic = Utility.BytesToUshort(buff, 0x00);
            e_cblp = Utility.BytesToUshort(buff, 0x02);
            e_cp = Utility.BytesToUshort(buff, 0x04);
            e_crlc = Utility.BytesToUshort(buff, 0x06);
            e_cparhdr = Utility.BytesToUshort(buff, 0x08);
            e_minalloc = Utility.BytesToUshort(buff, 0x0A);
            e_maxalloc = Utility.BytesToUshort(buff, 0x0C);
            e_ss = Utility.BytesToUshort(buff, 0x0E);
            e_sp = Utility.BytesToUshort(buff, 0x10);
            e_csum = Utility.BytesToUshort(buff, 0x12);
            e_ip = Utility.BytesToUshort(buff, 0x14);
            e_cs = Utility.BytesToUshort(buff, 0x16);
            e_lfaric = Utility.BytesToUshort(buff, 0x18);
            e_ovno = Utility.BytesToUshort(buff, 0x1A);

            // Bytes 0x1C-0x23 are skipped (not read by this constructor).
            e_oemid = Utility.BytesToUshort(buff, 0x24);
            e_oeminfo = Utility.BytesToUshort(buff, 0x26);

            // Bytes 0x28-0x3B are skipped; the final field is 32 bits wide.
            e_lfanew = Utility.BytesToUInt32(buff, 0x3C);
        }