DumpedMethods CreateDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData) {
var dumpedMethods = new DumpedMethods();
var methodsDataReader = MemoryImageStream.Create(methodsData);
var fileDataReader = MemoryImageStream.Create(fileData);
var methodDef = peImage.MetaData.TablesStream.MethodTable;
for (uint rid = 1; rid <= methodDef.Rows; rid++) {
var dm = new DumpedMethod();
peImage.ReadMethodTableRowTo(dm, rid);
if (dm.mdRVA == 0)
continue;
uint bodyOffset = peImage.RvaToOffset(dm.mdRVA);
byte b = peImage.OffsetReadByte(bodyOffset);
uint codeOffset;
if ((b & 3) == 2) {
if (b != 2)
continue; // not zero byte code size
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhLocalVarSigTok = 0;
codeOffset = bodyOffset + 1;
}
else {
if (peImage.OffsetReadUInt32(bodyOffset + 4) != 0)
continue; // not zero byte code size
dm.mhFlags = peImage.OffsetReadUInt16(bodyOffset);
dm.mhMaxStack = peImage.OffsetReadUInt16(bodyOffset + 2);
dm.mhLocalVarSigTok = peImage.OffsetReadUInt32(bodyOffset + 8);
codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
}
fileDataReader.Position = codeOffset;
if (!decrypter.Decrypt(fileDataReader, dm))
continue;
dumpedMethods.Add(dm);
}
return dumpedMethods;
}
static void ClearDllBit(byte[] peImageData) {
using (var mainPeImage = new MyPEImage(peImageData)) {
uint characteristicsOffset = (uint)mainPeImage.PEImage.ImageNTHeaders.FileHeader.StartOffset + 18;
ushort characteristics = mainPeImage.OffsetReadUInt16(characteristicsOffset);
characteristics &= 0xDFFF;
characteristics |= 2;
mainPeImage.OffsetWriteUInt16(characteristicsOffset, characteristics);
}
}
short ReadInt16(uint offset)
{
return((short)peImage.OffsetReadUInt16(methodInfosOffset + offset));
}