public static void GetImageHeaders(byte[] rawImage, out NT.IMAGE_DOS_HEADER dosHeader, out NT.IMAGE_FILE_HEADER fileHeader, out NT.IMAGE_OPTIONAL_HEADER64 optionalHeader) { fixed(byte *imagePointer = &rawImage[0]) { dosHeader = *(NT.IMAGE_DOS_HEADER *)imagePointer; NT.IMAGE_NT_HEADERS *ntHeader = (NT.IMAGE_NT_HEADERS *)(imagePointer + dosHeader.e_lfanew); fileHeader = ntHeader->FileHeader; optionalHeader = ntHeader->OptionalHeader; } }
public void WriteImageSections(byte[] rawImage, NT.IMAGE_DOS_HEADER dosHeader, ulong localImage, int numberOfSections) { // GET POINTER TO FIRST MEMORY SECTION - LOCATED RIGHT AFTER HEADERS NT.IMAGE_SECTION_HEADER *sections = Tools.GetFirstSection(localImage, dosHeader); // ITERATE PE SECTIONS for (int index = 0; index < numberOfSections; index++) { if (sections[index].SizeOfRawData > 0) { ulong localSectionPointer = localImage + sections[index].VirtualAddress; Marshal.Copy(rawImage, (int)sections[index].PointerToRawData, (IntPtr)localSectionPointer, (int)sections[index].SizeOfRawData); //Log.LogInfo($"{sections[index].SectionName} - {sections[index].SizeOfRawData}"); } } }
// SAME TBH public static NT.IMAGE_SECTION_HEADER *GetFirstSection(ulong localImage, NT.IMAGE_DOS_HEADER dosHeader) => (NT.IMAGE_SECTION_HEADER *)(localImage + (uint)dosHeader.e_lfanew /*START OF NTHEADER*/ + (uint)Marshal.SizeOf <NT.IMAGE_NT_HEADERS>());