Пример #1
0
        // private MemoryBlock _win32ResourceBlock;

        private void ReadOptionalHeaderDirectoryEntries(MemoryReader memReader) {
            // ExportTableDirectory
            // ImportTableDirectory
            memReader.SeekRelative(2 * 2 * sizeof(uint));

            _optionalHeaderDirectoryEntries.ResourceTableDirectory.RelativeVirtualAddress = memReader.ReadUInt32();
            _optionalHeaderDirectoryEntries.ResourceTableDirectory.Size = memReader.ReadUInt32();

            // ExceptionTableDirectory
            // CertificateTableDirectory
            // BaseRelocationTableDirectory
            // DebugTableDirectory
            // CopyrightTableDirectory
            // GlobalPointerTableDirectory
            // ThreadLocalStorageTableDirectory
            // LoadConfigTableDirectory
            // BoundImportTableDirectory
            // ImportAddressTableDirectory
            // DelayImportTableDirectory
            memReader.SeekRelative(11 * 2 * sizeof(uint));

            _optionalHeaderDirectoryEntries.COR20HeaderTableDirectory.RelativeVirtualAddress = memReader.ReadUInt32();
            _optionalHeaderDirectoryEntries.COR20HeaderTableDirectory.Size = memReader.ReadUInt32();

            // ReservedDirectory
            memReader.SeekRelative(1 * 2 * sizeof(uint));
        }
Пример #2
0
        private void ReadSectionHeaders(MemoryReader memReader) {
            if (memReader.RemainingBytes < _numberOfSections * PEFileConstants.SizeofSectionHeader) {
                throw new BadImageFormatException();
            }

            _sectionHeaders = new SectionHeader[_numberOfSections];
            SectionHeader[] sectionHeaderArray = _sectionHeaders;
            for (int i = 0; i < _numberOfSections; i++) {
                memReader.SeekRelative(PEFileConstants.SizeofSectionName);

                sectionHeaderArray[i].VirtualSize = memReader.ReadUInt32();
                sectionHeaderArray[i].VirtualAddress = memReader.ReadUInt32();
                sectionHeaderArray[i].SizeOfRawData = memReader.ReadUInt32();
                sectionHeaderArray[i].OffsetToRawData = memReader.ReadUInt32();

                //sectionHeaderArray[i].RVAToRelocations = memReader.ReadInt32();
                //sectionHeaderArray[i].PointerToLineNumbers = memReader.ReadInt32();
                //sectionHeaderArray[i].NumberOfRelocations = memReader.ReadUInt16();
                //sectionHeaderArray[i].NumberOfLineNumbers = memReader.ReadUInt16();
                //sectionHeaderArray[i].SectionCharacteristics = (SectionCharacteristics)memReader.ReadUInt32();
                memReader.SeekRelative(2 * sizeof(int) + 2 * sizeof(ushort) + sizeof(uint));
            }
        }
Пример #3
0
        private void ReadPEFileLevelData() {
            if (_image.Length < PEFileConstants.BasicPEHeaderSize) {
                throw new BadImageFormatException();
            }

            MemoryReader memReader = new MemoryReader(_image);

            //  Look for DOS Signature "MZ"
            ushort dosSig = _image.ReadUInt16(0);
            if (dosSig != PEFileConstants.DosSignature) {
                throw new BadImageFormatException();
            }

            //  Skip the DOS Header
            int ntHeaderOffset = _image.ReadInt32(PEFileConstants.PESignatureOffsetLocation);
            memReader.Seek(ntHeaderOffset);

            //  Look for PESignature "PE\0\0"
            uint signature = memReader.ReadUInt32();
            if (signature != PEFileConstants.PESignature) {
                throw new BadImageFormatException();
            }

            //  Read the COFF Header
            _numberOfSections = memReader.Block.ReadUInt16(memReader.Position + sizeof(ushort));
            memReader.SeekRelative(PEFileConstants.SizeofCOFFFileHeader);

            //  Read the magic to determine if its PE or PE+
            switch ((PEMagic)memReader.ReadUInt16()) {
                case PEMagic.PEMagic32:
                    memReader.SeekRelative(PEFileConstants.SizeofOptionalHeaderStandardFields32 - sizeof(ushort));
                    memReader.SeekRelative(PEFileConstants.SizeofOptionalHeaderNTAdditionalFields32);
                    break;

                case PEMagic.PEMagic64:
                    memReader.SeekRelative(PEFileConstants.SizeofOptionalHeaderStandardFields64 - sizeof(ushort));
                    memReader.SeekRelative(PEFileConstants.SizeofOptionalHeaderNTAdditionalFields64);
                    break;

                default:
                    throw new BadImageFormatException();
            }

            ReadOptionalHeaderDirectoryEntries(memReader);
            ReadSectionHeaders(memReader);

            // _win32ResourceBlock = DirectoryToMemoryBlock(_optionalHeaderDirectoryEntries.ResourceTableDirectory);
        }
Пример #4
0
        private void ReadMetadataLevelData() {
            MemoryReader memReader = new MemoryReader(_metadataTableStream);

            ReadMetadataTableInformation(memReader);
            ProcessAndCacheMetadataTableBlocks(memReader.GetRemainingBlock());

            if (ModuleTable.NumberOfRows != 1) {
                throw new BadImageFormatException();
            }
        }
Пример #5
0
        private void ReadMetadataTableInformation(MemoryReader memReader) {
            if (memReader.RemainingBytes < MetadataStreamConstants.SizeOfMetadataTableHeader) {
                throw new BadImageFormatException();
            }

            // Reserved
            memReader.SeekRelative(sizeof(uint));

            _metadataTableHeader.MajorVersion = memReader.ReadByte();
            _metadataTableHeader.MinorVersion = memReader.ReadByte();
            _metadataTableHeader.HeapSizeFlags = (HeapSizeFlag)memReader.ReadByte();
            
            // Rid
            memReader.SeekRelative(sizeof(byte));

            _metadataTableHeader.ValidTables = (TableMask)memReader.ReadUInt64();
            _metadataTableHeader.SortedTables = (TableMask)memReader.ReadUInt64();
            ulong presentTables = (ulong)_metadataTableHeader.ValidTables;
            ulong validTablesForVersion = 0;

            int version = _metadataTableHeader.MajorVersion << 8 | _metadataTableHeader.MinorVersion;
            switch (version) {
                case 0x0100:
                    validTablesForVersion = (ulong)TableMask.V1_0_TablesMask;
                    break;

                case 0x0101:
                    validTablesForVersion = (ulong)TableMask.V1_1_TablesMask;
                    break;

                case 0x0200:
                    validTablesForVersion = (ulong)TableMask.V2_0_TablesMask;
                    break;

                default:
                    throw new BadImageFormatException();
            }

            if ((presentTables & ~validTablesForVersion) != 0) {
                throw new BadImageFormatException();
            }

            if (_metadataStreamKind == MetadataStreamKind.Compressed && (presentTables & (ulong)TableMask.CompressedStreamNotAllowedMask) != 0) {
                throw new BadImageFormatException();
            }

            ulong requiredSortedTables = presentTables & validTablesForVersion & (ulong)TableMask.SortedTablesMask;
            if ((requiredSortedTables & (ulong)_metadataTableHeader.SortedTables) != requiredSortedTables) {
                throw new BadImageFormatException();
            }

            int numberOfTables = _metadataTableHeader.GetNumberOfTablesPresent();
            if (memReader.RemainingBytes < numberOfTables * sizeof(Int32)) {
                throw new BadImageFormatException();
            }

            int[] metadataTableRowCount = _metadataTableHeader.CompressedMetadataTableRowCount = new int[numberOfTables];
            for (int i = 0; i < numberOfTables; i++) {
                uint rowCount = memReader.ReadUInt32();
                if (rowCount > 0x00ffffff) {
                    throw new BadImageFormatException();
                }
                metadataTableRowCount[i] = (int)rowCount;
            }
        }
Пример #6
0
        private void ReadCORModuleLevelData() {
            ReadCOR20Header();

            MemoryBlock metadataRoot = DirectoryToMemoryBlock(_cor20Header.MetaDataDirectory);
            if (metadataRoot == null || metadataRoot.Length < _cor20Header.MetaDataDirectory.Size) {
                throw new BadImageFormatException();
            }

            MemoryReader memReader = new MemoryReader(metadataRoot);

            ReadMetadataHeader(memReader);
            ReadStorageHeader(memReader);
            ReadStreamHeaders(memReader);
            ProcessAndCacheStreams(metadataRoot);

            // _resourceMemoryBlock = DirectoryToMemoryBlock(_cor20Header.ResourcesDirectory);
            // _strongNameSignatureBlock = DirectoryToMemoryBlock(_cor20Header.StrongNameSignatureDirectory);
        }
Пример #7
0
        private void ReadStreamHeaders(MemoryReader memReader) {
            int numberOfStreams = _storageHeader.NumberOfStreams;
            _streamHeaders = new StreamHeader[numberOfStreams];
            StreamHeader[] streamHeaders = _streamHeaders;
            for (int i = 0; i < numberOfStreams; i++) {
                if (memReader.RemainingBytes < COR20Constants.MinimumSizeofStreamHeader) {
	                throw new BadImageFormatException();
                }

                streamHeaders[i].Offset = memReader.ReadUInt32();
                streamHeaders[i].Size = memReader.ReadUInt32();
                streamHeaders[i].Name = memReader.ReadAscii(32);
                memReader.Align(4);
            }
        }
Пример #8
0
 private void ReadStorageHeader(MemoryReader memReader) {
     _storageHeader.Flags = memReader.ReadUInt16();
     _storageHeader.NumberOfStreams = memReader.ReadUInt16();
 }
Пример #9
0
        private void ReadMetadataHeader(MemoryReader memReader) {
            uint signature = memReader.ReadUInt32();
            if (signature != COR20Constants.COR20MetadataSignature) {
                throw new BadImageFormatException();
            }

            // MajorVersion = memReader.ReadUInt16();
            // MinorVersion = memReader.ReadUInt16();
            memReader.SeekRelative(2 * sizeof(ushort));
            
            uint reserved = memReader.ReadUInt32();
            if (reserved != 0) {
                throw new BadImageFormatException();
            }

            int versionStringSize = memReader.ReadInt32();
            memReader.SeekRelative(versionStringSize);
        }
Пример #10
0
        // private MemoryBlock _resourceMemoryBlock;
        // private MemoryBlock _strongNameSignatureBlock;

        private void ReadCOR20Header() {
            MemoryBlock memBlock = DirectoryToMemoryBlock(_optionalHeaderDirectoryEntries.COR20HeaderTableDirectory);
            if (memBlock == null || memBlock.Length < _optionalHeaderDirectoryEntries.COR20HeaderTableDirectory.Size) {
                throw new BadImageFormatException();
            }

            MemoryReader memReader = new MemoryReader(memBlock);
            // CountBytes = memReader.ReadInt32();
            // MajorRuntimeVersion = memReader.ReadUInt16();
            // MinorRuntimeVersion = memReader.ReadUInt16();
            memReader.SeekRelative(sizeof(int) + 2 * sizeof(short));

            _cor20Header.MetaDataDirectory.RelativeVirtualAddress = memReader.ReadUInt32();
            _cor20Header.MetaDataDirectory.Size = memReader.ReadUInt32();
            
            // COR20Header.COR20Flags = (COR20Flags)memReader.ReadUInt32();
            // COR20Header.EntryPointTokenOrRVA = memReader.ReadUInt32();
            memReader.SeekRelative(2 * sizeof(uint));

            _cor20Header.ResourcesDirectory.RelativeVirtualAddress = memReader.ReadUInt32();
            _cor20Header.ResourcesDirectory.Size = memReader.ReadUInt32();
            _cor20Header.StrongNameSignatureDirectory.RelativeVirtualAddress = memReader.ReadUInt32();
            _cor20Header.StrongNameSignatureDirectory.Size = memReader.ReadUInt32();

            // CodeManagerTableDirectory
            // VtableFixupsDirectory
            // ExportAddressTableJumpsDirectory
            // ManagedNativeHeaderDirectory
            memReader.SeekRelative(4 * 2 * sizeof(uint));
        }