public void ImageDosHeaderConstructorWorks_Test() { var idh = new IMAGE_DOS_HEADER(RawStructures.RawDosHeader, 0); Assert.AreEqual((uint) 0x1100, idh.e_magic); Assert.AreEqual((uint) 0x3322, idh.e_cblp); Assert.AreEqual((uint) 0x5544, idh.e_cp); Assert.AreEqual((uint) 0x7766, idh.e_crlc); Assert.AreEqual((uint) 0x9988, idh.e_cparhdr); Assert.AreEqual((uint) 0xbbaa, idh.e_minalloc); Assert.AreEqual((uint) 0xddcc, idh.e_maxalloc); Assert.AreEqual((uint) 0x00ff, idh.e_ss); Assert.AreEqual((uint) 0x2211, idh.e_sp); Assert.AreEqual((uint) 0x4433, idh.e_csum); Assert.AreEqual((uint) 0x6655, idh.e_ip); Assert.AreEqual((uint) 0x8877, idh.e_cs); Assert.AreEqual((uint) 0xaa99, idh.e_lfarlc); Assert.AreEqual((uint) 0xccbb, idh.e_ovno); AssertEqual(new ushort[] { 0xeedd, 0x00ff, 0x2211, 0x4433 }, idh.e_res); Assert.AreEqual((uint) 0x6655, idh.e_oemid); Assert.AreEqual((uint) 0x8877, idh.e_oeminfo); AssertEqual(new ushort[] { 0xaa99, 0xccbb, 0xeedd, 0x11ff, 0x3322, 0x5544, 0x7766, 0x9988, 0xbbaa, 0xbbcc }, idh.e_res2); }
/// <summary> /// Tests is a file is a PE file based on the MZ /// header. It is not checked if the PE file is correct /// in all other parts. /// </summary> /// <param name="file">Path to a possible PE file.</param> /// <returns>True if the MZ header is set.</returns> public static bool IsPEFile(string file) { var buff = File.ReadAllBytes(file); IMAGE_DOS_HEADER dosHeader = null; try { dosHeader = new IMAGE_DOS_HEADER(buff, 0); } catch (Exception) { return false; } try { return dosHeader.e_magic == 0x5a4d; } catch (Exception) { return false; } }
/// <summary> /// Returns if the file is a PE file and 64 Bit. /// </summary> /// <param name="file">Path to a possible PE file.</param> /// <returns>True if file is PE and x64.</returns> public static bool Is64BitPeFile(string file) { var buff = File.ReadAllBytes(file); IMAGE_DOS_HEADER dosHeader; bool is64; try { dosHeader = new IMAGE_DOS_HEADER(buff, 0); is64 = buff.BytesToUInt16(dosHeader.e_lfanew + 0x4) == (ushort) Constants.FileHeaderMachine.IMAGE_FILE_MACHINE_AMD64; } catch (Exception) { return false; } return (dosHeader.e_magic == 0x5a4d) && is64; }