public formStorageStreamView(PEInfomation _pe)
 {
     InitializeComponent();
     LoadedPE = _pe;
     foreach (var section in LoadedPE.NetStructures.StorageStreamHeaders)
     {
         lvSections.Items.Add(new NetStorageListViewItem(section));
     }
 }
 public formViewStorageStream(PEInfomation pe, STORAGE_STREAM_HEADER targetStream)
 {
     InitializeComponent();
     this.Text += string.Format(" ({0})", new string(targetStream.rcName).Replace("\0", ""));
     try
     {
         rtbStorageData.Text = Encoding.UTF8.GetString(pe.ReadStorageStream(targetStream)).Replace("\0", "");//temp
     }
     catch
     {
         rtbStorageData.Text = "Failed.";
     }
 }
示例#3
0
        public formSectionView(PEInfomation info)
        {
            InitializeComponent();
            LoadedPE = info;

            foreach(var section in LoadedPE.Sections)
            {
                ListViewItem i = new ListViewItem(new string(section.Name));
                i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualSize));
                i.SubItems.Add(string.Format("0x{0:x2}", section.VirtualAddress));
                i.SubItems.Add(string.Format("0x{0:x2}", section.SizeOfRawData));
                i.SubItems.Add(string.Format("0x{0:x2}", section.PointerToRawData));
                lvSections.Items.Add(i);
            }

        }
        public ModuleListViewItem(int procID, IntPtr _handle)
        {
            ModuleInfomation = PELoader.Load(procID, _handle);
            Handle = _handle;
            ProcessHandle = ModuleInfomation.GetProcessHandle();

            StringBuilder sb = new StringBuilder(255);

            NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
            ModulePath = sb.ToString();

            Text = Path.GetFileName(ModulePath);
            SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
            SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
            if(!string.IsNullOrEmpty(Text))
                SubItems.Add(ModulePath);
            else
                SubItems.Add("Byte loaded");
        }
示例#5
0
        private static PEInfomation vLoad(PEInfomation info, IntPtr baseAddress)
        {
            IntPtr handle = info.GetProcessHandle();

            if (handle == IntPtr.Zero)
            {
                throw new ArgumentException("Invalid process", "ProcessID");
            }

            info.DosHeader = StructFromMemory <IMAGE_DOS_HEADER>(handle, baseAddress);
            IntPtr imageBase = new IntPtr(info.DosHeader.e_lfanew + (uint)baseAddress);

            info.FileHeader       = StructFromMemory <IMAGE_FILE_HEADER>(handle, imageBase);
            info.OptionalHeader32 = StructFromMemory <IMAGE_OPTIONAL_HEADER32>(handle, imageBase + Marshal.SizeOf(info.FileHeader));
            info.DataDirectories  = StructFromMemory <IMAGE_DATA_DIRECTORIES>(handle, imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));

            info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
            IntPtr sectionsBase  = imageBase + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
            int    sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));

            for (int i = 0; i < info.Sections.Length; i++)
            {
                IntPtr sectionLocation = sectionsBase + (sizeOfSection * i);
                info.Sections[i] = StructFromMemory <IMAGE_SECTION_HEADER>(handle, sectionLocation);
            }

            if (info.IsNet)
            {
                //is .net
                info.NetStructures.COR20Header = StructFromMemory <COR20_HEADER>(handle, new IntPtr((uint)baseAddress + info.DataDirectories.CLRRuntimeHeaderRva));

                byte[] data = new byte[info.NetStructures.COR20Header.MetaDataSize];
                NativeMethods.ReadProcessMemory(handle, new IntPtr((uint)baseAddress + info.NetStructures.COR20Header.MetaDataRva), data, data.Length, 0);

                LoadNetMetaData(info, data);
            }

            info.CloseProcessHandle();

            info.WriteOverview();
            return(info);
        }
示例#6
0
        public static PEInfomation Load(byte[] data, string path)
        {
            if (data == null)
            {
                throw new ArgumentNullException("data");
            }

            PEInfomation info = new PEInfomation(data, path);

            info.DosHeader        = StructFromBytes <IMAGE_DOS_HEADER>(data, 0);
            info.FileHeader       = StructFromBytes <IMAGE_FILE_HEADER>(data, Convert.ToInt32(info.DosHeader.e_lfanew));
            info.OptionalHeader32 = StructFromBytes <IMAGE_OPTIONAL_HEADER32>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader));
            info.DataDirectories  = StructFromBytes <IMAGE_DATA_DIRECTORIES>(data, Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32));

            info.Sections = new IMAGE_SECTION_HEADER[info.FileHeader.NumberOfSections];
            int sectionsBase  = Convert.ToInt32(info.DosHeader.e_lfanew) + Marshal.SizeOf(info.FileHeader) + Marshal.SizeOf(info.OptionalHeader32) + Marshal.SizeOf(info.DataDirectories);
            int sizeOfSection = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER));

            for (int i = 0; i < info.Sections.Length; i++)
            {
                int sectionLocation = sectionsBase + (sizeOfSection * i);
                info.Sections[i] = StructFromBytes <IMAGE_SECTION_HEADER>(data, sectionLocation);
            }

            if (info.IsNet)
            {
                //is .net
                info.NetStructures.NetOffsets.COR20RawAddress = Convert.ToInt32(info.DataDirectories.CLRRuntimeHeaderRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);
                info.NetStructures.COR20Header = StructFromBytes <COR20_HEADER>(data, info.NetStructures.NetOffsets.COR20RawAddress);

                info.NetStructures.NetOffsets.MetaDataRawAddress = Convert.ToInt32(info.NetStructures.COR20Header.MetaDataRva - info.Sections[0].VirtualAddress + info.Sections[0].PointerToRawData);

                LoadNetMetaData(info, data);
            }

            info.WriteOverview();
            return(info);
        }
示例#7
0
        private static void LoadNetMetaData(PEInfomation info, byte[] MetaDataHeaderBytes)
        {
            info.NetStructures.MetaDataHeader.Signature     = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress);
            info.NetStructures.MetaDataHeader.MajorVersion  = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 4);
            info.NetStructures.MetaDataHeader.MinorVersion  = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 6);
            info.NetStructures.MetaDataHeader.Reserved      = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 8);
            info.NetStructures.MetaDataHeader.VersionLength = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 12);

            info.NetStructures.MetaDataHeader.VersionString = new char[info.NetStructures.MetaDataHeader.VersionLength];
            info.NetStructures.MetaDataHeader.VersionString = Encoding.ASCII.GetString(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 16, info.NetStructures.MetaDataHeader.VersionString.Length).ToCharArray();

            info.NetStructures.MetaDataHeader.Flags           = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 16 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength));
            info.NetStructures.MetaDataHeader.NumberOfStreams = BitConverter.ToUInt16(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + 18 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength));


            int metaDataHeaderSize = 20 + Convert.ToInt32(info.NetStructures.MetaDataHeader.VersionLength);
            int offset             = 0;

            info.NetStructures.StorageStreamHeaders = new STORAGE_STREAM_HEADER[5];

            int[] nameLengths = new int[] { 4, 12, 4, 8, 8 };

            for (int i = 0; i < nameLengths.Length; i++)
            {
                info.NetStructures.StorageStreamHeaders[i].iOffset = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + offset);
                info.NetStructures.StorageStreamHeaders[i].iSize   = BitConverter.ToUInt32(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + 4 + offset);

                info.NetStructures.StorageStreamHeaders[i].rcName = new char[nameLengths[i]];
                info.NetStructures.StorageStreamHeaders[i].rcName = Encoding.ASCII.GetString(MetaDataHeaderBytes, info.NetStructures.NetOffsets.MetaDataRawAddress + metaDataHeaderSize + 8 + offset, info.NetStructures.StorageStreamHeaders[i].rcName.Length).ToCharArray();
                offset += 8 + nameLengths[i];
            }
            info.NetStructures.SizeOfSotrageStreamHeaders = offset;

            info.NetStructures.NetOffsets.RawAddressOfTableStreams = info.NetStructures.NetOffsets.MetaDataRawAddress + Convert.ToInt32(info.NetStructures.StorageStreamHeaders[0].iOffset);
            info.NetStructures.TableStreamHeader = StructFromBytes <TABLE_STREAM_HEADER>(MetaDataHeaderBytes, info.NetStructures.NetOffsets.RawAddressOfTableStreams);
        }
示例#8
0
        void DumpModule(PEInfomation procPE, string path)
        {

            byte[] buffer = new byte[procPE.Overview.SizeOfImage];

            IntPtr procHandle = procPE.GetProcessHandle();
            NativeMethods.ReadProcessMemory(procHandle, procPE.ModuleBaseAddress, buffer, Convert.ToInt32(procPE.Overview.SizeOfHeaders), 0);

            foreach (IMAGE_SECTION_HEADER section in procPE.Sections)
            {
                if (section.SizeOfRawData == 0)
                    continue;

                byte[] sData = new byte[section.SizeOfRawData];
                NativeMethods.ReadProcessMemory(procHandle, new IntPtr(procPE.Overview.ImageBase + section.VirtualAddress), sData, sData.Length, 0);

                Buffer.BlockCopy(sData, 0, buffer, Convert.ToInt32(section.PointerToRawData), sData.Length);
            }

            File.WriteAllBytes(path, buffer);
            procPE.CloseProcessHandle();
        }
示例#9
0
        public static PEInfomation Load(IntPtr procHandle, IntPtr moduleAddress)
        {
            PEInfomation info = new PEInfomation(procHandle, moduleAddress);

            return(vLoad(info, moduleAddress));
        }
示例#10
0
        public static PEInfomation Load(int ProcessID, IntPtr moduleAddress)
        {
            PEInfomation info = new PEInfomation(ProcessID, moduleAddress);

            return(vLoad(info, moduleAddress));
        }