public IReadable Read()
{
var peHeaderReader = (PeHeaderReader) new PeHeaderReader(_filePath).Read();
BaseRelocationTable = peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.BaseRelocationTable
: peHeaderReader.PeHeader64.OptionalHeader.BaseRelocationTable;
var address = RvaToRawFormatConverter.RvaToOffset32(BaseRelocationTable.VirtualAddress,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
using var fs = new FileStream(_filePath, FileMode.Open, FileAccess.Read);
var br = new BinaryReader(fs);
fs.Seek(address, SeekOrigin.Begin);
Int32 currentSize;
for (var i = 0; i < BaseRelocationTable.Size; i += currentSize)
{
currentSize = 0;
var relocationBlock = new RelocationBlock
{
PageRva = br.ReadUInt32(),
BlockSize = br.ReadUInt32()
};
currentSize += Marshal.SizeOf(relocationBlock.PageRva);
currentSize += Marshal.SizeOf(relocationBlock.BlockSize);
for (var j = 0; j < (relocationBlock.BlockSize - 8) / 2; j++)
{
var relocationSectionInfo = br.ReadUInt16();
var relocationSection = new RelocationSection
{
Type = (RelocationType)((relocationSectionInfo & 0xf000) >> 12),
Offset = (UInt16)(relocationSectionInfo & 0x0fff)
};
relocationBlock.RelocationSections.Add(relocationSection);
currentSize += Marshal.SizeOf(relocationSection.Offset);
}
RelocationBlocks.Add(relocationBlock);
}
br.Dispose();
br.Close();
return(this);
}
public IReadable Read()
{
var peHeaderReader = (PeHeaderReader) new PeHeaderReader(_filePath).Read();
ImportTableDirectory = peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.ImportTable
: peHeaderReader.PeHeader64.OptionalHeader.ImportTable;
var address = RvaToRawFormatConverter.RvaToOffset32(ImportTableDirectory.VirtualAddress,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
using var fs = new FileStream(_filePath, FileMode.Open, FileAccess.Read);
var br = new BinaryReader(fs);
fs.Seek(address, SeekOrigin.Begin);
while (true)
{
var importDescriptor = PeBlockToStructConverter.ConvertTo <ImportDescriptor>(br);
if (importDescriptor.OriginalFirstThunk == 0 &&
importDescriptor.ForwarderChain == 0 &&
importDescriptor.Name == 0 &&
importDescriptor.FirstThunk == 0)
{
break;
}
ImportTable.Add(importDescriptor);
}
for (var i = 0; i < ImportTable.Count; i++)
{
var importFunction = new ImportFunction();
// Getting DLL name
var dllNameAddress = RvaToRawFormatConverter.RvaToOffset32(ImportTable[i].Name,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var currentPosition = fs.Position;
importFunction.DllName = ByteArrayToAsciiStringConverter.ConvertToString(fs, dllNameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
importFunction.TimeDateStamp = TimeDateStampToDateTimeConverter.ConvertTimeDateStamp(ImportTable[i].TimeDateStamp);
var ilt = RvaToRawFormatConverter.RvaToOffset32(ImportTable[i].OriginalFirstThunk,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(ilt, SeekOrigin.Begin);
if (peHeaderReader.Is32BitPeHeader)
{
while (true)
{
var thunkData32 = PeBlockToStructConverter.ConvertTo <ThunkData32>(br);
if (thunkData32.Function == 0)
{
break;
}
var currentPosition2 = fs.Position;
if ((thunkData32.AddressOfData & (UInt32)1 << 31) == 0)
{
var functionAddress = RvaToRawFormatConverter.RvaToOffset32(thunkData32.Function,
peHeaderReader.SectionHeaders, peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment);
fs.Seek(functionAddress, SeekOrigin.Begin);
var hint = br.ReadUInt16();
var byteList = new List <Byte>();
while (true)
{
var b = br.ReadByte();
if (b == 0x00)
{
break;
}
byteList.Add(b);
}
var name = Encoding.ASCII.GetString(byteList.ToArray());
importFunction.Functions.Add(new ImportFunctionInfo()
{
Hint = hint,
Name = name
});
fs.Seek(currentPosition2, SeekOrigin.Begin);
}
else
{
importFunction.Functions.Add(new ImportFunctionInfo()
{
Name = null,
Ordinal64 = null,
Ordinal32 = (thunkData32.Ordinal & (((UInt32)1 << 31) - 1))
});
}
}
}
else
{
while (true)
{
var thunkData64 = PeBlockToStructConverter.ConvertTo <ThunkData64>(br);
if (thunkData64.Function == 0)
{
break;
}
var currentPosition2 = fs.Position;
if ((thunkData64.AddressOfData & ((UInt64)1 << 63)) == 0)
{
var functionAddress = RvaToRawFormatConverter.RvaToOffset64(thunkData64.Function,
peHeaderReader.SectionHeaders, peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(functionAddress, SeekOrigin.Begin);
var hint = br.ReadUInt16();
var byteList = new List <Byte>();
while (true)
{
var b = br.ReadByte();
if (b == 0x00)
{
break;
}
byteList.Add(b);
}
var name = Encoding.ASCII.GetString(byteList.ToArray());
importFunction.Functions.Add(new ImportFunctionInfo()
{
Hint = hint,
Name = name
});
fs.Seek(currentPosition2, SeekOrigin.Begin);
}
else
{
importFunction.Functions.Add(new ImportFunctionInfo()
{
Name = null,
Ordinal32 = null,
Ordinal64 = (thunkData64.Ordinal & (((UInt64)1 << 63) - 1))
});
}
}
}
ImportFunctions.Add(importFunction);
}
return(this);
}
public IReadable Read()
{
var peHeaderReader = (PeHeaderReader) new PeHeaderReader(_filePath).Read();
ExportTableDirectory = peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.ExportTable
: peHeaderReader.PeHeader64.OptionalHeader.ExportTable;
var address = RvaToRawFormatConverter.RvaToOffset32(ExportTableDirectory.VirtualAddress,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
using var fs = new FileStream(_filePath, FileMode.Open, FileAccess.Read);
var br = new BinaryReader(fs);
fs.Seek(address, SeekOrigin.Begin);
ExportTable = PeBlockToStructConverter.ConvertTo <ExportTable>(br);
var ordinalsTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfNameOrdinals,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var functionsTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfFunctions,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var namesTableAddress = RvaToRawFormatConverter.RvaToOffset32(ExportTable.AddressOfNames,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
fs.Seek(functionsTableAddress, SeekOrigin.Begin);
for (UInt32 i = 0; i < ExportTable.NumberOfFunctions; i++)
{
var ordinal = ExportTable.Base + i;
var exportFunctionAddress = br.ReadUInt32();
ExportFunctions.Add(new ExportFunction()
{
Address = exportFunctionAddress,
Ordinal = (UInt16)ordinal
});
}
fs.Seek(namesTableAddress, SeekOrigin.Begin);
for (UInt32 i = 0; i < ExportTable.NumberOfNames; i++)
{
var nameRva = br.ReadUInt32();
var nameAddress = RvaToRawFormatConverter.RvaToOffset32(nameRva,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
var currentPosition = fs.Position;
fs.Seek(ordinalsTableAddress + sizeof(UInt16) * i, SeekOrigin.Begin);
var ordinalIndex = br.ReadUInt16();
fs.Seek(currentPosition, SeekOrigin.Begin);
String name = ByteArrayToAsciiStringConverter.ConvertToString(fs, nameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
if (RedirectionRva(ExportFunctions[ordinalIndex].Address))
{
var redirectionNameAddress = RvaToRawFormatConverter.RvaToOffset32(ExportFunctions[ordinalIndex].Address,
peHeaderReader.SectionHeaders,
peHeaderReader.Is32BitPeHeader
? peHeaderReader.PeHeader32.OptionalHeader.SectionAlignment
: peHeaderReader.PeHeader64.OptionalHeader.SectionAlignment);
String redirectionName = ByteArrayToAsciiStringConverter.ConvertToString(fs, redirectionNameAddress);
fs.Seek(currentPosition, SeekOrigin.Begin);
ExportFunctions[ordinalIndex].Name = null;
ExportFunctions[ordinalIndex].RedirectionName = redirectionName;
}
else
{
ExportFunctions[ordinalIndex].Name = name;
}
}
return(this);
}
