public void ImageCor20HeaderConstructorWorks_Test() { var imageCor20Header = new ImageCor20Header(new BufferFile(RawDotNetStructures.RawImageCor20Header), 3); Assert.Equal((uint)0x33221100, imageCor20Header.Cb); Assert.Equal((uint)0x5544, imageCor20Header.MajorRuntimeVersion); Assert.Equal((uint)0x7766, imageCor20Header.MinorRuntimeVersion); Assert.Equal((uint)0xbbaa9988, imageCor20Header.MetaData.VirtualAddress); Assert.Equal((uint)0xffeeddcc, imageCor20Header.MetaData.Size); Assert.True(imageCor20Header.Flags.HasFlag(ComFlagsType.IlLibrary)); Assert.True(imageCor20Header.Flags.HasFlag(ComFlagsType.TrackDebugData)); Assert.False(imageCor20Header.Flags.HasFlag(ComFlagsType.BitRequired32)); Assert.Equal((uint)0x88776655, imageCor20Header.EntryPointToken); Assert.Equal((uint)0x88776655, imageCor20Header.EntryPointRva); Assert.Equal((uint)0xccbbaa99, imageCor20Header.Resources.VirtualAddress); Assert.Equal((uint)0x11ffeedd, imageCor20Header.Resources.Size); Assert.Equal((uint)0xddccbbaa, imageCor20Header.StrongNameSignature.VirtualAddress); Assert.Equal((uint)0x2211ffee, imageCor20Header.StrongNameSignature.Size); Assert.Equal((uint)0xeeddccbb, imageCor20Header.CodeManagerTable.VirtualAddress); Assert.Equal((uint)0x332211ff, imageCor20Header.CodeManagerTable.Size); Assert.Equal((uint)0xffeeddcc, imageCor20Header.VTableFixups.VirtualAddress); Assert.Equal((uint)0x44332211, imageCor20Header.VTableFixups.Size); Assert.Equal((uint)0x11ffeedd, imageCor20Header.ExportAddressTableJumps.VirtualAddress); Assert.Equal((uint)0x55443322, imageCor20Header.ExportAddressTableJumps.Size); Assert.Equal((uint)0x2211ffee, imageCor20Header.ManagedNativeHeader.VirtualAddress); Assert.Equal((uint)0x66554433, imageCor20Header.ManagedNativeHeader.Size); }
static uint GetEntryPointToken(string?filename) { try { using (var peImage = new PEImage(filename)) { var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (dotNetDir.VirtualAddress == 0) { return(0); } if (dotNetDir.Size < 0x48) { return(0); } var cor20HeaderReader = peImage.CreateReader(dotNetDir.VirtualAddress, 0x48); var cor20Header = new ImageCor20Header(ref cor20HeaderReader, true); if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0) { return(0); } uint token = cor20Header.EntryPointToken_or_RVA; if ((Table)(token >> 24) == Table.Method && (token & 0x00FFFFFF) != 0) { return(token); } } } catch { } return(0); }
public void ResolveComFlags_Single_Test() { Assert.Equal("IlOnly", ImageCor20Header.ResolveComFlags(ComFlagsType.IlOnly).First()); Assert.Equal("BitRequired32", ImageCor20Header.ResolveComFlags(ComFlagsType.BitRequired32).First()); Assert.Equal("IlLibrary", ImageCor20Header.ResolveComFlags(ComFlagsType.IlLibrary).First()); Assert.Equal("StrongNameSigned", ImageCor20Header.ResolveComFlags(ComFlagsType.StrongNameSigned).First()); Assert.Equal("NativeEntrypoint", ImageCor20Header.ResolveComFlags(ComFlagsType.NativeEntrypoint).First()); Assert.Equal("TrackDebugData", ImageCor20Header.ResolveComFlags(ComFlagsType.TrackDebugData).First()); }
public void ResolveComFlags_Multiple_Test() { const uint flags = 0x00010005; var resolved = ImageCor20Header.ResolveComFlags((ComFlagsType)flags); Assert.Equal(3, resolved.Count); Assert.Equal("IlOnly", resolved[0]); Assert.Equal("IlLibrary", resolved[1]); Assert.Equal("TrackDebugData", resolved[2]); }
static uint GetEntryPointToken(string filename, out string otherModuleName) { otherModuleName = null; IImageStream cor20HeaderStream = null; try { using (var peImage = new PEImage(filename)) { var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (dotNetDir.VirtualAddress == 0) { return(0); } if (dotNetDir.Size < 0x48) { return(0); } var cor20Header = new ImageCor20Header(cor20HeaderStream = peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true); if ((cor20Header.Flags & ComImageFlags.NativeEntryPoint) != 0) { return(0); } uint token = cor20Header.EntryPointToken_or_RVA; if ((Table)(token >> 24) != Table.File) { return(token); } using (var mod = ModuleDefMD.Load(peImage)) { var file = mod.ResolveFile(token & 0x00FFFFFF); if (file == null || !file.ContainsMetaData) { return(0); } otherModuleName = file.Name; return(token); } } } catch { } finally { if (cor20HeaderStream != null) { cor20HeaderStream.Dispose(); } } return(0); }
unsafe (IntPtr metadataAddress, int metadataSize) GetMetadataInfo() { try { var peImage = new PEImage(address, size, isFileLayout ? ImageLayout.File : ImageLayout.Memory, true); var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48) { var cor20 = new ImageCor20Header(peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true); var mdStart = (long)peImage.ToFileOffset(cor20.MetaData.VirtualAddress); var mdAddr = new IntPtr((byte *)address + mdStart); var mdSize = (int)cor20.MetaData.Size; return(mdAddr, mdSize); } } catch (Exception ex) when(ex is IOException || ex is BadImageFormatException) { Debug.Fail("Couldn't read .NET metadata"); } return(IntPtr.Zero, 0); }
public unsafe DbgRawMetadataImpl(DbgProcess process, bool isFileLayout, ulong moduleAddress, int moduleSize) { lockObj = new object(); referenceCounter = 1; this.isFileLayout = isFileLayout; size = moduleSize; try { // Prevent allocation on the LOH. We'll also be able to free the memory as soon as it's not needed. address = NativeMethods.VirtualAlloc(IntPtr.Zero, new IntPtr(moduleSize), NativeMethods.MEM_COMMIT, NativeMethods.PAGE_READWRITE); if (address == IntPtr.Zero) { throw new OutOfMemoryException(); } process.ReadMemory(moduleAddress, (byte *)address.ToPointer(), size); try { var peImage = new PEImage(address, size, isFileLayout ? ImageLayout.File : ImageLayout.Memory, true); var dotNetDir = peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (dotNetDir.VirtualAddress != 0 && dotNetDir.Size >= 0x48) { var cor20 = new ImageCor20Header(peImage.CreateStream(dotNetDir.VirtualAddress, 0x48), true); var mdStart = (long)peImage.ToFileOffset(cor20.MetaData.VirtualAddress); metadataAddress = new IntPtr((byte *)address + mdStart); metadataSize = (int)cor20.MetaData.Size; } } catch (Exception ex) when(ex is IOException || ex is BadImageFormatException) { Debug.Fail("Couldn't read .NET metadata"); } } catch { Dispose(); throw; } }
void CreateChunks() { peHeaders = new PEHeaders(Options.PEHeadersOptions); if (!Options.Is64Bit) { importAddressTable = new ImportAddressTable(); importDirectory = new ImportDirectory(); startupStub = new StartupStub(); relocDirectory = new RelocDirectory(); } CreateStrongNameSignature(); imageCor20Header = new ImageCor20Header(Options.Cor20HeaderOptions); CreateMetaDataChunks(module); CreateDebugDirectory(); if (importDirectory != null) importDirectory.IsExeFile = Options.IsExeFile; peHeaders.IsExeFile = Options.IsExeFile; }
public PECLIModel(IPEImage image, ImageCor20Header header) { Image = image; CLIHeader = header; }
void CreateChunks() { bool hasDebugDirectory = false; peHeaders = new PEHeaders(Options.PEHeadersOptions); if (!Options.Is64Bit) { importAddressTable = new ImportAddressTable(); importDirectory = new ImportDirectory(); startupStub = new StartupStub(); relocDirectory = new RelocDirectory(); } if (Options.StrongNameKey != null) strongNameSignature = new StrongNameSignature(Options.StrongNameKey.SignatureSize); else if (module.Assembly != null && !PublicKeyBase.IsNullOrEmpty2(module.Assembly.PublicKey)) { int len = module.Assembly.PublicKey.Data.Length - 0x20; strongNameSignature = new StrongNameSignature(len > 0 ? len : 0x80); } else if (((Options.Cor20HeaderOptions.Flags ?? module.Cor20HeaderFlags) & ComImageFlags.StrongNameSigned) != 0) strongNameSignature = new StrongNameSignature(0x80); imageCor20Header = new ImageCor20Header(Options.Cor20HeaderOptions); CreateMetaDataChunks(module); if (hasDebugDirectory) debugDirectory = new DebugDirectory(); if (importDirectory != null) importDirectory.IsExeFile = Options.IsExeFile; peHeaders.IsExeFile = Options.IsExeFile; }
static void Main(string[] args) { string dllPath = String.Empty; if (args.Length > 0) { dllPath = args[0]; if (File.Exists(dllPath)) { ModuleContext context = ModuleDef.CreateModuleContext(); ModuleDefMD module = ModuleDefMD.Load(dllPath); Metadata metadata = module.Metadata; //MetaHeader MetadataHeader metadataHeader = metadata.MetadataHeader; //存储流Header数量 int count = metadataHeader.StreamHeaders.Count; //Cor20头 ImageCor20Header imageCor20Header = metadata.ImageCor20Header; int cbOffeset = 0x208; //cb偏移 int Metadata_VirtualAddress = (int)imageCor20Header.Metadata.VirtualAddress; //Metadata RVA int MetadataOffeset = Metadata_VirtualAddress - 0x1E00; //metadata文件偏移 int stringHeaderSize = 0; //stringHeader size int iMajorVerOffeset = MetadataOffeset + 0x4; int iMinorVerOffeset = iMajorVerOffeset + 0x2; int VersionStringLOffeset = MetadataOffeset + 0xC; int stringHeaderOffeset = MetadataOffeset + 0x30; int pe1 = 0x82; int pe2 = 0x83; int nrs = 0xF4; for (int i = 0; i < count; i++) { StreamHeader header = metadataHeader.StreamHeaders[i]; if (header.Name.Contains("Strings")) { stringHeaderSize = (int)header.StreamSize; } } byte[] buffer = File.ReadAllBytes(dllPath); buffer[pe1] = 0x2E; buffer[pe2] = 0x2E; buffer[nrs] = 0xF; buffer[cbOffeset] = 0x88; buffer[iMajorVerOffeset] = 0x2; buffer[iMinorVerOffeset] = 0x2; buffer[VersionStringLOffeset] = 0xB; byte temp = buffer[stringHeaderOffeset]; buffer[stringHeaderOffeset] = buffer[stringHeaderOffeset + 1]; buffer[stringHeaderOffeset + 1] = buffer[stringHeaderOffeset + 2]; buffer[stringHeaderOffeset + 2] = temp; string savePath = dllPath.Replace(".dll", "_encrypt.dll"); File.WriteAllBytes(savePath, buffer); Console.ReadKey(); } else { Console.WriteLine("文件不存在!\n按任意键退出!"); Console.ReadLine(); } } else { Console.WriteLine("文件输入有误!\n按任意键退出!"); Console.ReadLine(); } }
public PEImageModel(IPEImage peImage, ImageCor20Header cliHeader) { Image = peImage; CLIHeader = cliHeader; Text = "PE Image"; }
private PEInfo(string filename) { _filename = filename; try { IsPEBinary = true; _executableInfo = new Lazy <ExecutableInfo>(() => { var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native; if (IsAny) { result |= ExecutableInfo.any; } else { switch (CoffHeader.Machine) { case 0x01c0: result |= ExecutableInfo.arm; break; case 0x014c: result |= ExecutableInfo.x86; break; case 0x0200: result |= ExecutableInfo.ia64; break; case 0x8664: result |= ExecutableInfo.x64; break; default: throw new ClrPlusException("Unrecognized Executable Machine Type."); } } return(result); }); _fileVersionInfo = new Lazy <FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename)); _fileVersionString = new Lazy <string>( () => string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart, _fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart)); _fileVersionLong = new Lazy <ulong>( () => (((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) + (((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart); #if TODO DependencyInformation = new CacheEnumerable <DependencyInformation>(DependencyInformationImpl); #endif using (var reader = new BinaryReader(File.OpenRead(_filename))) { // Skip DOS Header and seek to PE signature if (reader.ReadUInt16() != 0x5A4D) { // Logger.Warning("File '{0}' does not have a valid PE Header", _filename); throw new ClrPlusException("Invalid DOS header.", true); } reader.ReadBytes(58); reader.BaseStream.Position = reader.ReadUInt32(); // Read "PE\0\0" signature if (reader.ReadUInt32() != 0x00004550) { throw new ClrPlusException("File is not a portable executable."); } // Read COFF header CoffHeader = new ImageCoffHeader { Machine = reader.ReadUInt16(), NumberOfSections = reader.ReadUInt16(), TimeDateStamp = reader.ReadUInt32(), SymbolTablePointer = reader.ReadUInt32(), NumberOfSymbols = reader.ReadUInt32(), OptionalHeaderSize = reader.ReadUInt16(), Characteristics = reader.ReadUInt16() }; // Compute data sections offset var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize; // Read NT-specific fields NtHeader = new ImageOptionalHeaderNt(); NtHeader.Magic = reader.ReadUInt16(); NtHeader.MajorLinkerVersion = reader.ReadByte(); NtHeader.MinorLinkerVersion = reader.ReadByte(); NtHeader.SizeOfCode = reader.ReadUInt32(); NtHeader.SizeOfInitializedData = reader.ReadUInt32(); NtHeader.SizeOfUninitializedData = reader.ReadUInt32(); NtHeader.AddressOfEntryPoint = reader.ReadUInt32(); NtHeader.BaseOfCode = reader.ReadUInt32(); if (Is32BitPE) { NtHeader.BaseOfData_32bit = reader.ReadUInt32(); NtHeader.ImageBase_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.ImageBase_64bit = reader.ReadUInt64(); } NtHeader.SectionAlignment = reader.ReadUInt32(); NtHeader.FileAlignment = reader.ReadUInt32(); NtHeader.OsMajor = reader.ReadUInt16(); NtHeader.OsMinor = reader.ReadUInt16(); NtHeader.UserMajor = reader.ReadUInt16(); NtHeader.UserMinor = reader.ReadUInt16(); NtHeader.SubSysMajor = reader.ReadUInt16(); NtHeader.SubSysMinor = reader.ReadUInt16(); NtHeader.Reserved = reader.ReadUInt32(); NtHeader.ImageSize = reader.ReadUInt32(); NtHeader.HeaderSize = reader.ReadUInt32(); NtHeader.FileChecksum = reader.ReadUInt32(); NtHeader.SubSystem = reader.ReadUInt16(); NtHeader.DllFlags = reader.ReadUInt16(); if (Is32BitPE) { NtHeader.StackReserveSize_32bit = reader.ReadUInt32(); NtHeader.StackCommitSize_32bit = reader.ReadUInt32(); NtHeader.HeapReserveSize_32bit = reader.ReadUInt32(); NtHeader.HeapCommitSize_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.StackReserveSize_64bit = reader.ReadUInt64(); NtHeader.StackCommitSize_64bit = reader.ReadUInt64(); NtHeader.HeapReserveSize_64bit = reader.ReadUInt64(); NtHeader.HeapCommitSize_64bit = reader.ReadUInt64(); } NtHeader.LoaderFlags = reader.ReadUInt32(); NtHeader.NumberOfDataDirectories = reader.ReadUInt32(); if (NtHeader.NumberOfDataDirectories < 16) { return; } // Read data directories _exportTable = ReadDataDirectory(reader); _importTable = ReadDataDirectory(reader); _resourceTable = ReadDataDirectory(reader); _exceptionTable = ReadDataDirectory(reader); _certificateTable = ReadDataDirectory(reader); _baseRelocationTable = ReadDataDirectory(reader); _debug = ReadDataDirectory(reader); _copyright = ReadDataDirectory(reader); _globalPtr = ReadDataDirectory(reader); _tlsTable = ReadDataDirectory(reader); _loadConfigTable = ReadDataDirectory(reader); _boundImport = ReadDataDirectory(reader); _iat = ReadDataDirectory(reader); _delayImportDescriptor = ReadDataDirectory(reader); _runtimeHeader = ReadDataDirectory(reader); _reserved = ReadDataDirectory(reader); if (_runtimeHeader.Size == 0) { return; } // Read data sections reader.BaseStream.Position = dataSectionsOffset; SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections]; for (var i = 0; i < SectionHeaders.Length; i++) { reader.ReadBytes(12); SectionHeaders[i].VirtualAddress = reader.ReadUInt32(); SectionHeaders[i].SizeOfRawData = reader.ReadUInt32(); SectionHeaders[i].PointerToRawData = reader.ReadUInt32(); reader.ReadBytes(16); } // Read COR20 Header reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva); CorHeader = new ImageCor20Header { Size = reader.ReadUInt32(), MajorRuntimeVersion = reader.ReadUInt16(), MinorRuntimeVersion = reader.ReadUInt16(), MetaData = ReadDataDirectory(reader), Flags = reader.ReadUInt32(), EntryPointToken = reader.ReadUInt32(), Resources = ReadDataDirectory(reader), StrongNameSignature = ReadDataDirectory(reader), CodeManagerTable = ReadDataDirectory(reader), VTableFixups = ReadDataDirectory(reader), ExportAddressTableJumps = ReadDataDirectory(reader) }; } } catch { IsPEBinary = false; } }
private PEInfo(string filename) { _filename = filename; try { IsPEBinary = true; _executableInfo = new Lazy<ExecutableInfo>(() => { var result = IsManaged ? ExecutableInfo.managed : ExecutableInfo.native; if (IsAny) { result |= ExecutableInfo.any; } else { switch (CoffHeader.Machine) { case 0x01c0: result |= ExecutableInfo.arm; break; case 0x014c: result |= ExecutableInfo.x86; break; case 0x0200: result |= ExecutableInfo.ia64; break; case 0x8664: result |= ExecutableInfo.x64; break; default: throw new ClrPlusException("Unrecognized Executable Machine Type."); } } return result; }); _fileVersionInfo = new Lazy<FileVersionInfo>(() => FileVersionInfo.GetVersionInfo(_filename)); _fileVersionString = new Lazy<string>( () => string.Format("{0}.{1}.{2}.{3}", _fileVersionInfo.Value.FileMajorPart, _fileVersionInfo.Value.FileMinorPart, _fileVersionInfo.Value.FileBuildPart, _fileVersionInfo.Value.FilePrivatePart)); _fileVersionLong = new Lazy<ulong>( () => (((ulong)_fileVersionInfo.Value.FileMajorPart) << 48) + (((ulong)_fileVersionInfo.Value.FileMinorPart) << 32) + (((ulong)_fileVersionInfo.Value.FileBuildPart) << 16) + (ulong)_fileVersionInfo.Value.FilePrivatePart); #if TODO DependencyInformation = new CacheEnumerable<DependencyInformation>(DependencyInformationImpl); #endif using (var reader = new BinaryReader(File.OpenRead(_filename))) { // Skip DOS Header and seek to PE signature if (reader.ReadUInt16() != 0x5A4D) { // Logger.Warning("File '{0}' does not have a valid PE Header", _filename); throw new ClrPlusException("Invalid DOS header.", true); } reader.ReadBytes(58); reader.BaseStream.Position = reader.ReadUInt32(); // Read "PE\0\0" signature if (reader.ReadUInt32() != 0x00004550) { throw new ClrPlusException("File is not a portable executable."); } // Read COFF header CoffHeader = new ImageCoffHeader { Machine = reader.ReadUInt16(), NumberOfSections = reader.ReadUInt16(), TimeDateStamp = reader.ReadUInt32(), SymbolTablePointer = reader.ReadUInt32(), NumberOfSymbols = reader.ReadUInt32(), OptionalHeaderSize = reader.ReadUInt16(), Characteristics = reader.ReadUInt16() }; // Compute data sections offset var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize; // Read NT-specific fields NtHeader = new ImageOptionalHeaderNt(); NtHeader.Magic = reader.ReadUInt16(); NtHeader.MajorLinkerVersion = reader.ReadByte(); NtHeader.MinorLinkerVersion = reader.ReadByte(); NtHeader.SizeOfCode = reader.ReadUInt32(); NtHeader.SizeOfInitializedData = reader.ReadUInt32(); NtHeader.SizeOfUninitializedData = reader.ReadUInt32(); NtHeader.AddressOfEntryPoint = reader.ReadUInt32(); NtHeader.BaseOfCode = reader.ReadUInt32(); if (Is32BitPE) { NtHeader.BaseOfData_32bit = reader.ReadUInt32(); NtHeader.ImageBase_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.ImageBase_64bit = reader.ReadUInt64(); } NtHeader.SectionAlignment = reader.ReadUInt32(); NtHeader.FileAlignment = reader.ReadUInt32(); NtHeader.OsMajor = reader.ReadUInt16(); NtHeader.OsMinor = reader.ReadUInt16(); NtHeader.UserMajor = reader.ReadUInt16(); NtHeader.UserMinor = reader.ReadUInt16(); NtHeader.SubSysMajor = reader.ReadUInt16(); NtHeader.SubSysMinor = reader.ReadUInt16(); NtHeader.Reserved = reader.ReadUInt32(); NtHeader.ImageSize = reader.ReadUInt32(); NtHeader.HeaderSize = reader.ReadUInt32(); NtHeader.FileChecksum = reader.ReadUInt32(); NtHeader.SubSystem = reader.ReadUInt16(); NtHeader.DllFlags = reader.ReadUInt16(); if (Is32BitPE) { NtHeader.StackReserveSize_32bit = reader.ReadUInt32(); NtHeader.StackCommitSize_32bit = reader.ReadUInt32(); NtHeader.HeapReserveSize_32bit = reader.ReadUInt32(); NtHeader.HeapCommitSize_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.StackReserveSize_64bit = reader.ReadUInt64(); NtHeader.StackCommitSize_64bit = reader.ReadUInt64(); NtHeader.HeapReserveSize_64bit = reader.ReadUInt64(); NtHeader.HeapCommitSize_64bit = reader.ReadUInt64(); } NtHeader.LoaderFlags = reader.ReadUInt32(); NtHeader.NumberOfDataDirectories = reader.ReadUInt32(); if (NtHeader.NumberOfDataDirectories < 16) { return; } // Read data directories _exportTable = ReadDataDirectory(reader); _importTable = ReadDataDirectory(reader); _resourceTable = ReadDataDirectory(reader); _exceptionTable = ReadDataDirectory(reader); _certificateTable = ReadDataDirectory(reader); _baseRelocationTable = ReadDataDirectory(reader); _debug = ReadDataDirectory(reader); _copyright = ReadDataDirectory(reader); _globalPtr = ReadDataDirectory(reader); _tlsTable = ReadDataDirectory(reader); _loadConfigTable = ReadDataDirectory(reader); _boundImport = ReadDataDirectory(reader); _iat = ReadDataDirectory(reader); _delayImportDescriptor = ReadDataDirectory(reader); _runtimeHeader = ReadDataDirectory(reader); _reserved = ReadDataDirectory(reader); if (_runtimeHeader.Size == 0) { return; } // Read data sections reader.BaseStream.Position = dataSectionsOffset; SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections]; for (var i = 0; i < SectionHeaders.Length; i++) { reader.ReadBytes(12); SectionHeaders[i].VirtualAddress = reader.ReadUInt32(); SectionHeaders[i].SizeOfRawData = reader.ReadUInt32(); SectionHeaders[i].PointerToRawData = reader.ReadUInt32(); reader.ReadBytes(16); } // Read COR20 Header reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva); CorHeader = new ImageCor20Header { Size = reader.ReadUInt32(), MajorRuntimeVersion = reader.ReadUInt16(), MinorRuntimeVersion = reader.ReadUInt16(), MetaData = ReadDataDirectory(reader), Flags = reader.ReadUInt32(), EntryPointToken = reader.ReadUInt32(), Resources = ReadDataDirectory(reader), StrongNameSignature = ReadDataDirectory(reader), CodeManagerTable = ReadDataDirectory(reader), VTableFixups = ReadDataDirectory(reader), ExportAddressTableJumps = ReadDataDirectory(reader) }; } } catch { IsPEBinary = false; } }
public PeReader(string fPath) { try { m_fPath = fPath; m_peImage = new PEImage(File.ReadAllBytes(fPath)); if (m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories.Length >= 14) { ImageDataDirectory DotNetDir = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[14]; if (m_peImage.ToFileOffset(DotNetDir.VirtualAddress) != 0 && DotNetDir.Size >= 72) { m_cor20Header = new ImageCor20Header(m_peImage.CreateStream(m_peImage.ToFileOffset(DotNetDir.VirtualAddress), 0x48), false); if (m_peImage.ToFileOffset(m_cor20Header.MetaData.VirtualAddress) != 0 && m_cor20Header.MetaData.Size >= 16) { m_isManaged = true; uint mdSize = m_cor20Header.MetaData.Size; RVA mdRva = m_cor20Header.MetaData.VirtualAddress; MetaDataHeader mdHeader = new MetaDataHeader(m_peImage.CreateStream(m_peImage.ToFileOffset(mdRva), mdSize), false); m_RunTimeVersion = mdHeader.VersionString; } } } if (m_isManaged == true) { ImageSectionHeader sect = m_peImage.ImageSectionHeaders.Where(f => f.DisplayName == ".rsrc").FirstOrDefault(); if ((sect != null)) { ImageDataDirectory resourceTable = m_peImage.ImageNTHeaders.OptionalHeader.DataDirectories[2]; if ((resourceTable != null)) { uint rva = (uint)resourceTable.VirtualAddress; uint size = sect.VirtualSize > 0 ? sect.VirtualSize : sect.SizeOfRawData; if (rva >= (uint)sect.VirtualAddress && rva < (uint)sect.VirtualAddress + size) { Stream StreamRead = m_peImage.CreateFullStream().CreateStream(); long baseAddress = StreamRead.Seek(sect.PointerToRawData + (rva - (uint)sect.VirtualAddress), SeekOrigin.Begin); ResourceDirectory dirInfo = new ResourceDirectory(StreamRead, baseAddress); if ((dirInfo != null)) { using (BinaryReader reader = new BinaryReader(StreamRead)) { dirInfo.Read(reader, true, 0); ResourceEntry IconGroup = null; List <ResourceEntry> IconImages = new List <ResourceEntry>(); foreach (ResourceDirectory dir in dirInfo.Directorys) { if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_GROUP_ICON)) { IconGroup = dir.GetFirstEntry(); break; } } foreach (ResourceDirectory dir in dirInfo.Directorys) { if (dir.DirectoryEntry.Name == Convert.ToUInt32(Win32ResourceType.RT_ICON)) { IconImages = dir.GetAllEntrys(); IconImages.Reverse(); break; } } if (IconGroup != null) { IconResource icon = new IconResource(StreamRead, IconGroup.DataAddress, sect.PointerToRawData, (uint)sect.VirtualAddress); icon.Seek(); if (!icon.Read(reader, IconImages)) { m_MainIcon = null; } m_MainIcon = icon.GetIcon(reader); } } } } } } } } catch (Exception ex) { Interaction.MsgBox(ex); } }
private Task LoadPEInfo() { return _loadingPeInfo ?? (_loadingPeInfo = _tasks.Start(() => { // load PE data from working file using (var reader = new BinaryReader(File.Open(WorkingCopy, FileMode.Open, FileAccess.Read, FileShare.Read))) { // Skip DOS Header and seek to PE signature if (reader.ReadUInt16() != 0x5A4D) { IsPEFile.Value = false; Is64BitPE.Value = false; Is32BitPE.Value = false; IsManaged.Value = false; IsNative.Value = false; Is32Bit.Value = false; return; } reader.ReadBytes(58); reader.BaseStream.Position = reader.ReadUInt32(); // Read "PE\0\0" signature if (reader.ReadUInt32() != 0x00004550) { IsPEFile.Value = false; Is64BitPE.Value = false; Is32BitPE.Value = false; IsManaged.Value = false; IsNative.Value = false; Is32Bit.Value = false; return; } // Read COFF header CoffHeader = new ImageCoffHeader { Machine = reader.ReadUInt16(), NumberOfSections = reader.ReadUInt16(), TimeDateStamp = reader.ReadUInt32(), SymbolTablePointer = reader.ReadUInt32(), NumberOfSymbols = reader.ReadUInt32(), OptionalHeaderSize = reader.ReadUInt16(), Characteristics = reader.ReadUInt16() }; // Compute data sections offset var dataSectionsOffset = reader.BaseStream.Position + CoffHeader.OptionalHeaderSize; // Read NT-specific fields NtHeader = new ImageOptionalHeaderNt(); NtHeader.Magic = reader.ReadUInt16(); NtHeader.MajorLinkerVersion = reader.ReadByte(); NtHeader.MinorLinkerVersion = reader.ReadByte(); NtHeader.SizeOfCode = reader.ReadUInt32(); NtHeader.SizeOfInitializedData = reader.ReadUInt32(); NtHeader.SizeOfUninitializedData = reader.ReadUInt32(); NtHeader.AddressOfEntryPoint = reader.ReadUInt32(); NtHeader.BaseOfCode = reader.ReadUInt32(); // identify this as 64bit or 32bit binary Is64BitPE.Value = NtHeader.Magic == 0x20b; Is32BitPE.Value = NtHeader.Magic == 0x10b; IsPEFile.Value = true; if (Is32BitPE) { NtHeader.BaseOfData_32bit = reader.ReadUInt32(); NtHeader.ImageBase_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.ImageBase_64bit = reader.ReadUInt64(); } NtHeader.SectionAlignment = reader.ReadUInt32(); NtHeader.FileAlignment = reader.ReadUInt32(); NtHeader.OsMajor = reader.ReadUInt16(); NtHeader.OsMinor = reader.ReadUInt16(); NtHeader.UserMajor = reader.ReadUInt16(); NtHeader.UserMinor = reader.ReadUInt16(); NtHeader.SubSysMajor = reader.ReadUInt16(); NtHeader.SubSysMinor = reader.ReadUInt16(); NtHeader.Reserved = reader.ReadUInt32(); NtHeader.ImageSize = reader.ReadUInt32(); NtHeader.HeaderSize = reader.ReadUInt32(); NtHeader.FileChecksum = reader.ReadUInt32(); NtHeader.SubSystem = reader.ReadUInt16(); NtHeader.DllFlags = reader.ReadUInt16(); if (Is32BitPE) { NtHeader.StackReserveSize_32bit = reader.ReadUInt32(); NtHeader.StackCommitSize_32bit = reader.ReadUInt32(); NtHeader.HeapReserveSize_32bit = reader.ReadUInt32(); NtHeader.HeapCommitSize_32bit = reader.ReadUInt32(); } if (Is64BitPE) { NtHeader.StackReserveSize_64bit = reader.ReadUInt64(); NtHeader.StackCommitSize_64bit = reader.ReadUInt64(); NtHeader.HeapReserveSize_64bit = reader.ReadUInt64(); NtHeader.HeapCommitSize_64bit = reader.ReadUInt64(); } NtHeader.LoaderFlags = reader.ReadUInt32(); NtHeader.NumberOfDataDirectories = reader.ReadUInt32(); if (NtHeader.NumberOfDataDirectories < 16) { IsManaged.Value = false; IsNative.Value = true; Is32Bit.Value = Is32BitPE; return; } // Read data directories _exportTable = ReadDataDirectory(reader); _importTable = ReadDataDirectory(reader); _resourceTable = ReadDataDirectory(reader); _exceptionTable = ReadDataDirectory(reader); _certificateTable = ReadDataDirectory(reader); _baseRelocationTable = ReadDataDirectory(reader); _debug = ReadDataDirectory(reader); _copyright = ReadDataDirectory(reader); _globalPtr = ReadDataDirectory(reader); _tlsTable = ReadDataDirectory(reader); _loadConfigTable = ReadDataDirectory(reader); _boundImport = ReadDataDirectory(reader); _iat = ReadDataDirectory(reader); _delayImportDescriptor = ReadDataDirectory(reader); _runtimeHeader = ReadDataDirectory(reader); _reserved = ReadDataDirectory(reader); if (_runtimeHeader.Size == 0) { IsManaged.Value = false; IsNative.Value = true; Is32Bit.Value = Is32BitPE; return; } // Read data sections reader.BaseStream.Position = dataSectionsOffset; SectionHeaders = new ImageSectionHeader[CoffHeader.NumberOfSections]; for (var i = 0; i < SectionHeaders.Length; i++) { reader.ReadBytes(12); SectionHeaders[i].VirtualAddress = reader.ReadUInt32(); SectionHeaders[i].SizeOfRawData = reader.ReadUInt32(); SectionHeaders[i].PointerToRawData = reader.ReadUInt32(); reader.ReadBytes(16); } // Read COR20 Header reader.BaseStream.Position = RvaToVa(_runtimeHeader.Rva); CorHeader = new ImageCor20Header { Size = reader.ReadUInt32(), MajorRuntimeVersion = reader.ReadUInt16(), MinorRuntimeVersion = reader.ReadUInt16(), MetaData = ReadDataDirectory(reader), Flags = reader.ReadUInt32(), EntryPointToken = reader.ReadUInt32(), Resources = ReadDataDirectory(reader), StrongNameSignature = ReadDataDirectory(reader), CodeManagerTable = ReadDataDirectory(reader), VTableFixups = ReadDataDirectory(reader), ExportAddressTableJumps = ReadDataDirectory(reader) }; // we got a CorHeader -- we must be managed. IsManaged.Value = true; IsNative.Value = false; Is32Bit.Value = (CorHeader.Flags & 0x0002) != 0; } })); }