/// <summary> /// 获得DOS头 /// </summary> private void LoadDosHeader() { _DosHeader = new DosHeader(); _DosHeader.FileStarIndex = PEFileIndex; Loadbyte(ref _DosHeader.e_magic); Loadbyte(ref _DosHeader.e_cblp); Loadbyte(ref _DosHeader.e_cp); Loadbyte(ref _DosHeader.e_crlc); Loadbyte(ref _DosHeader.e_cparhdr); Loadbyte(ref _DosHeader.e_minalloc); Loadbyte(ref _DosHeader.e_maxalloc); Loadbyte(ref _DosHeader.e_ss); Loadbyte(ref _DosHeader.e_sp); Loadbyte(ref _DosHeader.e_csum); Loadbyte(ref _DosHeader.e_ip); Loadbyte(ref _DosHeader.e_cs); Loadbyte(ref _DosHeader.e_rva); Loadbyte(ref _DosHeader.e_fg); Loadbyte(ref _DosHeader.e_bl1); Loadbyte(ref _DosHeader.e_oemid); Loadbyte(ref _DosHeader.e_oeminfo); Loadbyte(ref _DosHeader.e_bl2); Loadbyte(ref _DosHeader.e_PESTAR); _DosHeader.FileEndIndex = PEFileIndex; }
/// <summary> /// Reads a PE file from an input stream. /// </summary> /// <param name="reader">The input stream.</param> /// <param name="mode">Indicates how the input PE file is mapped.</param> /// <exception cref="BadImageFormatException">Occurs when the input stream is malformed.</exception> public SerializedPEFile(IBinaryStreamReader reader, PEMappingMode mode) { _reader = reader ?? throw new ArgumentNullException(nameof(reader)); MappingMode = mode; // DOS header. DosHeader = DosHeader.FromReader(reader); reader.Offset = DosHeader.Offset + DosHeader.NextHeaderOffset; uint signature = reader.ReadUInt32(); if (signature != ValidPESignature) { throw new BadImageFormatException(); } // Read NT headers. FileHeader = FileHeader.FromReader(reader); OptionalHeader = OptionalHeader.FromReader(reader); // Read section headers. reader.Offset = OptionalHeader.Offset + FileHeader.SizeOfOptionalHeader; _sectionHeaders = new List <SectionHeader>(FileHeader.NumberOfSections); for (int i = 0; i < FileHeader.NumberOfSections; i++) { _sectionHeaders.Add(SectionHeader.FromReader(reader)); } // Data between section headers and sections. int extraSectionDataLength = (int)(DosHeader.Offset + OptionalHeader.SizeOfHeaders - reader.Offset); if (extraSectionDataLength != 0) { ExtraSectionData = DataSegment.FromReader(reader, extraSectionDataLength); } }
/// <summary> /// 读取基本信息 /// </summary> public void ReadInfo(BinaryReader reader) { //Seek(reader, 0x3c); //PEoffset = reader.ReadInt32(); //Seek(reader, PEoffset + 0x34); //ImageBase = reader.ReadUInt32(); //Seek(reader, PEoffset + 0x28); //PEEntry = reader.ReadUInt32() + ImageBase; //KernelWin.WriteLine("PEEntry:0x{0:X}", PEEntry); //PEEntry = Entry.GetEntryPoint(Entry.GetEntryOrdinal(0)); //KernelWin.WriteLine("EntryOrdinal:0x{0:X}", Entry.GetEntryOrdinal(0)); //KernelWin.WriteLine("PEEntry:0x{0:X}", PEEntry); DosHeader dosHeader = new DosHeader(); dosHeader.Read(reader); PEoffset = dosHeader.NewExeHeader; ImageBase = (UInt32)dosHeader.OptionalHeader.ImageBase; ExportDirectory export = dosHeader.OptionalHeader.Export; Int32 address = 0; if (export != null) { Seek(reader, export.AddressOfFunctions); address = reader.ReadInt32(); } else { address = dosHeader.OptionalHeader.AddressOfEntryPoint; } PEEntry = (UInt32)address + ImageBase; Seek(reader, PEEntry - ImageBase); long temp = reader.ReadByte(); if (temp == 0x68) { temp = PEEntry + 1 - ImageBase; } else if (temp == 0x58) { temp = PEEntry + 2 - ImageBase; } Seek(reader, temp); Header = reader.ReadUInt32(); //VBSig = IDCFunction.EvalAndReturnLong("Dword(" + VBHeader + ")"); //VBSig = Bytes.Dword(Header); if (Header - ImageBase > reader.BaseStream.Length) { throw new Exception("非VB文件格式!"); } Seek(reader, Header - ImageBase); VBSig = reader.ReadUInt32(); if (VBSig != 0x21354256) //VB5 { throw new Exception(String.Format("错误VB签名:0x{0:X}", VBSig)); } //temp = IDCFunction.EvalAndReturnLong("Word(" + VBHeader + "+0x22)"); //temp = Bytes.Word((UInt32)Header + 0x22); Seek(reader, Header + 0x22 - ImageBase); temp = reader.ReadInt16(); if (temp < 0x0a) { throw new Exception("不是VB6程序!"); } Seek(reader, Header - ImageBase); VBHeader header = new VBHeader(); header.Info = this; header.Read(reader); HeaderInfo = header; }
protected void ConstructPEImage(FileStream file, bool partialConstruct) { this._partialConstruct = partialConstruct; this._dosHeader = new DosHeader(file); long size = this._dosHeader.NtHeaderPosition - (this._dosHeader.Address + this._dosHeader.Size); if (size < 0L) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } this._dosStub = new DosStub(file, this._dosHeader.Address + this._dosHeader.Size, size); this._ntSignature = new NtSignature(file, (long) this._dosHeader.NtHeaderPosition); this._fileHeader = new FileHeader(file, this._ntSignature.Address + this._ntSignature.Size); this._optionalHeader = new OptionalHeader(file, this._fileHeader.Address + this._fileHeader.Size); long address = this._optionalHeader.Address + this._optionalHeader.Size; int num3 = 0; for (num3 = 0; num3 < this._optionalHeader.NumberOfRvaAndSizes; num3++) { DataDirectory directory = new DataDirectory(file, address); address += directory.Size; this._dataDirectories.Add(directory); } if (this._fileHeader.SizeOfOptionalHeader < (((ulong) this._optionalHeader.Size) + (this._optionalHeader.NumberOfRvaAndSizes * Marshal.SizeOf(typeof(IMAGE_DATA_DIRECTORY))))) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } bool flag = false; uint virtualAddress = 0; if (this._optionalHeader.NumberOfRvaAndSizes > 2) { virtualAddress = ((DataDirectory) this._dataDirectories[2]).VirtualAddress; flag = true; } long num5 = this._optionalHeader.Address + this._fileHeader.SizeOfOptionalHeader; for (num3 = 0; num3 < this._fileHeader.NumberOfSections; num3++) { SectionHeader sectionHeader = new SectionHeader(file, num5); Section section = null; if (flag && (sectionHeader.VirtualAddress == virtualAddress)) { section = this._resourceSection = new ResourceSection(file, sectionHeader, partialConstruct); } else { section = new Section(file, sectionHeader); } sectionHeader.Section = section; this._sectionHeaders.Add(sectionHeader); this._sections.Add(section); num5 += sectionHeader.Size; } this.ConstructStream(); ArrayList c = new ArrayList(); long num6 = 0L; foreach (PEComponent component in this._streamComponents) { if (component.Address < num6) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } if (component.Address > num6) { PEComponent component2 = new PEComponent(file, num6, component.Address - num6); c.Add(component2); } num6 = component.Address + component.Size; } if (num6 < file.Length) { PEComponent component3 = new PEComponent(file, num6, file.Length - num6); c.Add(component3); } this._streamComponents.AddRange(c); this._streamComponents.Sort(new PEComponentComparer()); this._canRead = true; this._canSeek = true; this._length = file.Length; this._position = 0L; }
protected void ConstructPEImage(FileStream file, bool partialConstruct) { this._partialConstruct = partialConstruct; this._dosHeader = new DosHeader(file); long size = this._dosHeader.NtHeaderPosition - (this._dosHeader.Address + this._dosHeader.Size); if (size < 0L) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } this._dosStub = new DosStub(file, this._dosHeader.Address + this._dosHeader.Size, size); this._ntSignature = new NtSignature(file, (long)this._dosHeader.NtHeaderPosition); this._fileHeader = new FileHeader(file, this._ntSignature.Address + this._ntSignature.Size); this._optionalHeader = new OptionalHeader(file, this._fileHeader.Address + this._fileHeader.Size); long address = this._optionalHeader.Address + this._optionalHeader.Size; int num3 = 0; for (num3 = 0; num3 < this._optionalHeader.NumberOfRvaAndSizes; num3++) { DataDirectory directory = new DataDirectory(file, address); address += directory.Size; this._dataDirectories.Add(directory); } if (this._fileHeader.SizeOfOptionalHeader < (((ulong)this._optionalHeader.Size) + (this._optionalHeader.NumberOfRvaAndSizes * Marshal.SizeOf(typeof(IMAGE_DATA_DIRECTORY))))) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } bool flag = false; uint virtualAddress = 0; if (this._optionalHeader.NumberOfRvaAndSizes > 2) { virtualAddress = ((DataDirectory)this._dataDirectories[2]).VirtualAddress; flag = true; } long num5 = this._optionalHeader.Address + this._fileHeader.SizeOfOptionalHeader; for (num3 = 0; num3 < this._fileHeader.NumberOfSections; num3++) { SectionHeader sectionHeader = new SectionHeader(file, num5); Section section = null; if (flag && (sectionHeader.VirtualAddress == virtualAddress)) { section = this._resourceSection = new ResourceSection(file, sectionHeader, partialConstruct); } else { section = new Section(file, sectionHeader); } sectionHeader.Section = section; this._sectionHeaders.Add(sectionHeader); this._sections.Add(section); num5 += sectionHeader.Size; } this.ConstructStream(); ArrayList c = new ArrayList(); long num6 = 0L; foreach (PEComponent component in this._streamComponents) { if (component.Address < num6) { throw new Win32Exception(11, Resources.GetString("Ex_InvalidPEFormat")); } if (component.Address > num6) { PEComponent component2 = new PEComponent(file, num6, component.Address - num6); c.Add(component2); } num6 = component.Address + component.Size; } if (num6 < file.Length) { PEComponent component3 = new PEComponent(file, num6, file.Length - num6); c.Add(component3); } this._streamComponents.AddRange(c); this._streamComponents.Sort(new PEComponentComparer()); this._canRead = true; this._canSeek = true; this._length = file.Length; this._position = 0L; }