public formStorageStreamView(PEInfomation _pe)
{
InitializeComponent();
LoadedPE = _pe;
foreach (var section in LoadedPE.NetStructures.StorageStreamHeaders)
{
lvSections.Items.Add(new NetStorageListViewItem(section));
}
}
public formViewStorageStream(PEInfomation pe, STORAGE_STREAM_HEADER targetStream)
{
InitializeComponent();
this.Text += string.Format(" ({0})", new string(targetStream.rcName).Replace("\0", ""));
try
{
rtbStorageData.Text = Encoding.UTF8.GetString(pe.ReadStorageStream(targetStream)).Replace("\0", "");//temp
}
catch
{
rtbStorageData.Text = "Failed.";
}
}
public formSectionView(PEInfomation info)
{
InitializeComponent();
LoadedPE = info;
foreach(var section in LoadedPE.Sections)
{
ListViewItem i = new ListViewItem(new string(section.Name));
i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualSize));
i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualAddress));
i.SubItems.Add(string.Format("0x{0:x2}", section.SizeOfRawData));
i.SubItems.Add(string.Format("0x{0:x2}", section.PointerToRawData));
lvSections.Items.Add(i);
}
}
public ModuleListViewItem(int procID, IntPtr _handle)
{
ModuleInfomation = PELoader.Load(procID, _handle);
Handle = _handle;
ProcessHandle = ModuleInfomation.GetProcessHandle();
StringBuilder sb = new StringBuilder(255);
NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
ModulePath = sb.ToString();
Text = Path.GetFileName(ModulePath);
SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
if(!string.IsNullOrEmpty(Text))
SubItems.Add(ModulePath);
else
SubItems.Add("Byte loaded");
}
private static PEInfomation vLoad(PEInfomation info, IntPtr baseAddress)
{
IntPtr handle = info.GetProcessHandle();
if (handle == IntPtr.Zero)
{
throw new ArgumentException("Invalid process", "ProcessID");
}
info.DosHeader = StructFromMemory <IMAGE_DOS_HEADER>(handle, baseAddress);
IntPtr imageBase = new IntPtr(info.DosHeader.e_lfanew + (uint)baseAddress);
info.FileHeader = StructFromMemory <IMAGE_FILE_HEADER>(handle, imageBase);
info.OptionalHeader32 = StructFromMemory <IMAGE_OPTIONAL_HEADER32>(handle, imageBase + Marshal.SizeOf(info.FileHeader));
info.DataDirectories = StructFromMemory <IMAGE_DATA_DIRECTORIES>(handle, imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));
info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
IntPtr sectionsBase = imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
int sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));
for (int i = 0; i < info.Sections.Length; i++)
{
IntPtr sectionLocation = sectionsBase + (sizeOfSection * i);
info.Sections[i] = StructFromMemory <IMAGE_SECTION_HEADER>(handle, sectionLocation);
}
if (info.IsNet)
{
//is .net
info.NetStructures.COR20Header = StructFromMemory <COR20_HEADER>(handle, new IntPtr((uint)baseAddress + info.DataDirectories.CLRRuntimeHeaderRva));
byte[] data = new byte[info.NetStructures.COR20Header.MetaDataSize];
NativeMethods.ReadProcessMemory(handle, new IntPtr((uint)baseAddress + info.NetStructures.COR20Header.MetaDataRva), data, data.Length, 0);
LoadNetMetaData(info, data);
}
info.CloseProcessHandle();
info.WriteOverview();
return(info);
}
public static PEInfomation Load(byte[] data, string path)
{
if (data == null)
{
throw new ArgumentNullException("data");
}
PEInfomation info = new PEInfomation(data, path);
info.DosHeader = StructFromBytes <IMAGE_DOS_HEADER>(data, 0);
info.FileHeader = StructFromBytes <IMAGE_FILE_HEADER>(data, Convert.ToInt32(info.DosHeader.e_lfanew));
info.OptionalHeader32 = StructFromBytes <IMAGE_OPTIONAL_HEADER32>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader));
info.DataDirectories = StructFromBytes <IMAGE_DATA_DIRECTORIES>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));
info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
int sectionsBase = Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
int sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));
for (int i = 0; i < info.Sections.Length; i++)
{
int sectionLocation = sectionsBase + (sizeOfSection * i);
info.Sections[i] = StructFromBytes <IMAGE_SECTION_HEADER>(data, sectionLocation);
}
if (info.IsNet)
{
//is .net
info.NetStructures.NetOffsets.COR20RawAddress = Convert.ToInt32(info.DataDirectories.CLRRuntimeHeaderRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);
info.NetStructures.COR20Header = StructFromBytes <COR20_HEADER>(data, info.NetStructures.NetOffsets.COR20RawAddress);
info.NetStructures.NetOffsets.MetaDataRawAddress = Convert.ToInt32(info.NetStructures.COR20Header.MetaDataRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);
LoadNetMetaData(info, data);
}
info.WriteOverview();
return(info);
}
private static void LoadNetMetaData(PEInfomation info, byte[] MetaDataHeaderBytes)
{
info.NetStructures.MetaDataHeader.Signature = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress);
info.NetStructures.MetaDataHeader.MajorVersion = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 4);
info.NetStructures.MetaDataHeader.MinorVersion = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 6);
info.NetStructures.MetaDataHeader.Reserved = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 8);
info.NetStructures.MetaDataHeader.VersionLength = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 12);
info.NetStructures.MetaDataHeader.VersionString = new char[info.NetStructures.MetaDataHeader.VersionLength];
info.NetStructures.MetaDataHeader.VersionString = Encoding.ASCII.GetString(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 16, info.NetStructures.MetaDataHeader.VersionString.Length).ToCharArray();
info.NetStructures.MetaDataHeader.Flags = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 16 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength));
info.NetStructures.MetaDataHeader.NumberOfStreams = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 18 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength));
int metaDataHeaderSize = 20 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength);
int offset = 0;
info.NetStructures.StorageStreamHeaders = new STORAGE_STREAM_HEADER[5];
int[] nameLengths = new int[] { 4, 12, 4, 8, 8 };
for (int i = 0; i < nameLengths.Length; i++)
{
info.NetStructures.StorageStreamHeaders[i].iOffset = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + offset);
info.NetStructures.StorageStreamHeaders[i].iSize = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + 4 + offset);
info.NetStructures.StorageStreamHeaders[i].rcName = new char[nameLengths[i]];
info.NetStructures.StorageStreamHeaders[i].rcName = Encoding.ASCII.GetString(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + 8 + offset, info.NetStructures.StorageStreamHeaders[i].rcName.Length).ToCharArray();
offset += 8 + nameLengths[i];
}
info.NetStructures.SizeOfSotrageStreamHeaders = offset;
info.NetStructures.NetOffsets.RawAddressOfTableStreams = info.NetStructures.NetOffsets.MetaDataRawAddress + Convert.ToInt32(info.NetStructures.StorageStreamHeaders[0].iOffset);
info.NetStructures.TableStreamHeader = StructFromBytes <TABLE_STREAM_HEADER>(MetaDataHeaderBytes, info.NetStructures.NetOffsets.RawAddressOfTableStreams);
}
void DumpModule(PEInfomation procPE, string path)
{
byte[] buffer = new byte[procPE.Overview.SizeOfImage];
IntPtr procHandle = procPE.GetProcessHandle();
NativeMethods.ReadProcessMemory(procHandle, procPE.ModuleBaseAddress, buffer, Convert.ToInt32(procPE.Overview.SizeOfHeaders), 0);
foreach (IMAGE_SECTION_HEADER section in procPE.Sections)
{
if (section.SizeOfRawData == 0)
continue;
byte[] sData = new byte[section.SizeOfRawData];
NativeMethods.ReadProcessMemory(procHandle, new IntPtr(procPE.Overview.ImageBase + section.VirtualAddress), sData, sData.Length, 0);
Buffer.BlockCopy(sData, 0, buffer, Convert.ToInt32(section.PointerToRawData), sData.Length);
}
File.WriteAllBytes(path, buffer);
procPE.CloseProcessHandle();
}
public static PEInfomation Load(IntPtr procHandle, IntPtr moduleAddress)
{
PEInfomation info = new PEInfomation(procHandle, moduleAddress);
return(vLoad(info, moduleAddress));
}
public static PEInfomation Load(int ProcessID, IntPtr moduleAddress)
{
PEInfomation info = new PEInfomation(ProcessID, moduleAddress);
return(vLoad(info, moduleAddress));
}