/[RomCheater]/trunk/Win32/Sojaner.MemoryScanner/PEData.cs
ViewVC logotype

Contents of /trunk/Win32/Sojaner.MemoryScanner/PEData.cs

Parent Directory Parent Directory | Revision Log Revision Log


Revision 607 - (show annotations) (download)
Sat Jun 8 02:13:11 2013 UTC (7 years, 2 months ago) by william
File size: 27255 byte(s)

1 #region Logging Defines
2 // include this any class or method that required logging, and comment-out what is not needed
3
4 #region Enabled logging levels
5 #define LOGGING_ENABLE_INFO
6 #define LOGGING_ENABLE_WARN
7 #define LOGGING_ENABLE_DEBUG
8 //#define LOGGING_ENABLE_VERBOSEDEBUG
9 #define LOGGING_ENABLE_ERROR
10 #define LOGGING_ENABLE_VERBOSEERROR
11 #define LOGGING_ENABLE_PROFILER
12 #endregion
13 #endregion
14
15 using System;
16 using System.Collections.Generic;
17 using System.Runtime.InteropServices;
18 using System.IO;
19 using System.Diagnostics;
20 using RomCheater.PluginFramework.Interfaces;
21
22 namespace Sojaner.MemoryScanner
23 {
24 public interface IPEDData
25 {
26 IMAGE_DOS_HEADER DosHeader { get; }
27 IMAGE_FILE_HEADER FileHeader { get; }
28 IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get; }
29 IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get; }
30 //IMAGE_SECTION_HEADER[] SectionHeaders { get; }
31 bool Is32bitAssembly();
32 }
33
34 public class PEData : IPEDData
35 {
36 #region IPEDData Members
37 public IMAGE_DOS_HEADER DosHeader { get { if (reader == null) { return new IMAGE_DOS_HEADER(); } else { return reader.DosHeader; } } }
38 public UInt32 NTSignature { get { if (reader == null) { return 0; } else { return reader.NTSignature; } } }
39 public IMAGE_FILE_HEADER FileHeader { get { if (reader == null) { return new IMAGE_FILE_HEADER(); } else { return reader.FileHeader; } } }
40 public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { if (reader == null) { return new IMAGE_OPTIONAL_HEADER32(); } else { return reader.OptionalHeader32; } } }
41 public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { if (reader == null) { return new IMAGE_OPTIONAL_HEADER64(); } else { return reader.OptionalHeader64; } } }
42 public Boolean Is32bitAssembly() { if (reader == null) { return true; } else { return reader.Is32BitHeader; } }
43 #endregion
44
45 private PeHeaderReader reader = null;
46
47 public static readonly IPEDData Empty = new PEData();
48
49 protected PEData() { }
50 public PEData(IAcceptsProcess iap)
51 {
52 if (iap == null) { throw new ArgumentNullException("iap", "The selected process cannot be null"); }
53 Process p = iap.AcceptedProcess;
54 string filename = p.MainModule.FileName;
55 reader = new PeHeaderReader(filename);
56 }
57 public PEData(IAcceptsProcessAndConfig iapc) : this((IAcceptsProcess)iapc) { }
58 }
59
60 #region File Header Structures
61
62 public struct IMAGE_DOS_HEADER
63 { // DOS .EXE header
64 public UInt16 e_magic; // Magic number
65 public UInt16 e_cblp; // Bytes on last page of file
66 public UInt16 e_cp; // Pages in file
67 public UInt16 e_crlc; // Relocations
68 public UInt16 e_cparhdr; // Size of header in paragraphs
69 public UInt16 e_minalloc; // Minimum extra paragraphs needed
70 public UInt16 e_maxalloc; // Maximum extra paragraphs needed
71 public UInt16 e_ss; // Initial (relative) SS value
72 public UInt16 e_sp; // Initial SP value
73 public UInt16 e_csum; // Checksum
74 public UInt16 e_ip; // Initial IP value
75 public UInt16 e_cs; // Initial (relative) CS value
76 public UInt16 e_lfarlc; // File address of relocation table
77 public UInt16 e_ovno; // Overlay number
78 public UInt16 e_res_0; // Reserved words
79 public UInt16 e_res_1; // Reserved words
80 public UInt16 e_res_2; // Reserved words
81 public UInt16 e_res_3; // Reserved words
82 public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
83 public UInt16 e_oeminfo; // OEM information; e_oemid specific
84 public UInt16 e_res2_0; // Reserved words
85 public UInt16 e_res2_1; // Reserved words
86 public UInt16 e_res2_2; // Reserved words
87 public UInt16 e_res2_3; // Reserved words
88 public UInt16 e_res2_4; // Reserved words
89 public UInt16 e_res2_5; // Reserved words
90 public UInt16 e_res2_6; // Reserved words
91 public UInt16 e_res2_7; // Reserved words
92 public UInt16 e_res2_8; // Reserved words
93 public UInt16 e_res2_9; // Reserved words
94 public UInt32 e_lfanew; // File address of new exe header
95 }
96
97 [StructLayout(LayoutKind.Sequential)]
98 public struct IMAGE_DATA_DIRECTORY
99 {
100 public UInt32 VirtualAddress;
101 public UInt32 Size;
102 }
103
104 [StructLayout(LayoutKind.Sequential, Pack = 1)]
105 public struct IMAGE_OPTIONAL_HEADER32
106 {
107 public UInt16 Magic;
108 public Byte MajorLinkerVersion;
109 public Byte MinorLinkerVersion;
110 public UInt32 SizeOfCode;
111 public UInt32 SizeOfInitializedData;
112 public UInt32 SizeOfUninitializedData;
113 public UInt32 AddressOfEntryPoint;
114 public UInt32 BaseOfCode;
115 public UInt32 BaseOfData;
116 public UInt32 ImageBase;
117 public UInt32 SectionAlignment;
118 public UInt32 FileAlignment;
119 public UInt16 MajorOperatingSystemVersion;
120 public UInt16 MinorOperatingSystemVersion;
121 public UInt16 MajorImageVersion;
122 public UInt16 MinorImageVersion;
123 public UInt16 MajorSubsystemVersion;
124 public UInt16 MinorSubsystemVersion;
125 public UInt32 Win32VersionValue;
126 public UInt32 SizeOfImage;
127 public UInt32 SizeOfHeaders;
128 public UInt32 CheckSum;
129 public SubSystemType Subsystem;
130 public DllCharacteristicsType DllCharacteristics;
131 public UInt32 SizeOfStackReserve;
132 public UInt32 SizeOfStackCommit;
133 public UInt32 SizeOfHeapReserve;
134 public UInt32 SizeOfHeapCommit;
135 public UInt32 LoaderFlags;
136 public UInt32 NumberOfRvaAndSizes;
137
138 public IMAGE_DATA_DIRECTORY ExportTable;
139 public IMAGE_DATA_DIRECTORY ImportTable;
140 public IMAGE_DATA_DIRECTORY ResourceTable;
141 public IMAGE_DATA_DIRECTORY ExceptionTable;
142 public IMAGE_DATA_DIRECTORY CertificateTable;
143 public IMAGE_DATA_DIRECTORY BaseRelocationTable;
144 public IMAGE_DATA_DIRECTORY Debug;
145 public IMAGE_DATA_DIRECTORY Architecture;
146 public IMAGE_DATA_DIRECTORY GlobalPtr;
147 public IMAGE_DATA_DIRECTORY TLSTable;
148 public IMAGE_DATA_DIRECTORY LoadConfigTable;
149 public IMAGE_DATA_DIRECTORY BoundImport;
150 public IMAGE_DATA_DIRECTORY IAT;
151 public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
152 public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
153 public IMAGE_DATA_DIRECTORY Reserved;
154 }
155
156 [StructLayout(LayoutKind.Sequential, Pack = 1)]
157 public struct IMAGE_OPTIONAL_HEADER64
158 {
159 public UInt16 Magic;
160 public Byte MajorLinkerVersion;
161 public Byte MinorLinkerVersion;
162 public UInt32 SizeOfCode;
163 public UInt32 SizeOfInitializedData;
164 public UInt32 SizeOfUninitializedData;
165 public UInt32 AddressOfEntryPoint;
166 public UInt32 BaseOfCode;
167 public UInt64 ImageBase;
168 public UInt32 SectionAlignment;
169 public UInt32 FileAlignment;
170 public UInt16 MajorOperatingSystemVersion;
171 public UInt16 MinorOperatingSystemVersion;
172 public UInt16 MajorImageVersion;
173 public UInt16 MinorImageVersion;
174 public UInt16 MajorSubsystemVersion;
175 public UInt16 MinorSubsystemVersion;
176 public UInt32 Win32VersionValue;
177 public UInt32 SizeOfImage;
178 public UInt32 SizeOfHeaders;
179 public UInt32 CheckSum;
180 public UInt16 Subsystem;
181 public DllCharacteristicsType DllCharacteristics;
182 public UInt64 SizeOfStackReserve;
183 public UInt64 SizeOfStackCommit;
184 public UInt64 SizeOfHeapReserve;
185 public UInt64 SizeOfHeapCommit;
186 public UInt32 LoaderFlags;
187 public UInt32 NumberOfRvaAndSizes;
188
189 public IMAGE_DATA_DIRECTORY ExportTable;
190 public IMAGE_DATA_DIRECTORY ImportTable;
191 public IMAGE_DATA_DIRECTORY ResourceTable;
192 public IMAGE_DATA_DIRECTORY ExceptionTable;
193 public IMAGE_DATA_DIRECTORY CertificateTable;
194 public IMAGE_DATA_DIRECTORY BaseRelocationTable;
195 public IMAGE_DATA_DIRECTORY Debug;
196 public IMAGE_DATA_DIRECTORY Architecture;
197 public IMAGE_DATA_DIRECTORY GlobalPtr;
198 public IMAGE_DATA_DIRECTORY TLSTable;
199 public IMAGE_DATA_DIRECTORY LoadConfigTable;
200 public IMAGE_DATA_DIRECTORY BoundImport;
201 public IMAGE_DATA_DIRECTORY IAT;
202 public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
203 public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
204 public IMAGE_DATA_DIRECTORY Reserved;
205 }
206
207 [StructLayout(LayoutKind.Sequential, Pack = 1)]
208 public struct IMAGE_FILE_HEADER
209 {
210 public MachineTypeFlags Machine;
211 public UInt16 NumberOfSections;
212 public UInt32 TimeDateStamp;
213 public UInt32 PointerToSymbolTable;
214 public UInt32 NumberOfSymbols;
215 public UInt16 SizeOfOptionalHeader;
216 public FileCharacteristicType Characteristics;
217 }
218
219 // Grabbed the following 2 definitions from http://www.pinvoke.net/default.aspx/Structures/IMAGE_SECTION_HEADER.html
220
221 [StructLayout(LayoutKind.Explicit)]
222 public struct IMAGE_SECTION_HEADER
223 {
224 [FieldOffset(0)]
225 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
226 public char[] Name;
227 [FieldOffset(8)]
228 public UInt32 VirtualSize;
229 [FieldOffset(12)]
230 public UInt32 VirtualAddress;
231 [FieldOffset(16)]
232 public UInt32 SizeOfRawData;
233 [FieldOffset(20)]
234 public UInt32 PointerToRawData;
235 [FieldOffset(24)]
236 public UInt32 PointerToRelocations;
237 [FieldOffset(28)]
238 public UInt32 PointerToLinenumbers;
239 [FieldOffset(32)]
240 public UInt16 NumberOfRelocations;
241 [FieldOffset(34)]
242 public UInt16 NumberOfLinenumbers;
243 [FieldOffset(36)]
244 public DataSectionFlags Characteristics;
245
246 public string Section
247 {
248 get { return new string(Name); }
249 }
250 }
251 #endregion File Header Structures
252
253
254 #region code
255 #region helpers
256 [Flags]
257 public enum MachineTypeFlags
258 {
259 x86 = 0x14C,
260 Alpha = 0x184,
261 ARM = 0x1C0,
262 MIPS16R3000 = 0x162,
263 MIPS16R4000 = 0x166,
264 MIPS16R10000 = 0x168,
265 PowerPCLE = 0x1F0,
266 PowerPCBE = 0x1F2,
267 Itanium = 0x200,
268 MIPS16 = 0x266,
269 Alpha64 = 0x284,
270 MIPSFPU = 0x366,
271 MIPSFPU16 = 0x466,
272 x64 = 0x8664,
273 }
274 public enum MagicType : ushort
275 {
276 NT_OPTIONAL_HEADER_NOT_PRESENT, // 0
277 NT_OPTIONAL_HEADER_32 = 0x10b,
278 NT_OPTIONAL_HEADER_64 = 0x20b
279 }
280 public enum SubSystemType : ushort
281 {
282 IMAGE_SUBSYSTEM_UNKNOWN = 0,
283 IMAGE_SUBSYSTEM_NATIVE = 1,
284 IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
285 IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
286 IMAGE_SUBSYSTEM_POSIX_CUI = 7,
287 IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
288 IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
289 IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
290 IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
291 IMAGE_SUBSYSTEM_EFI_ROM = 13,
292 IMAGE_SUBSYSTEM_XBOX = 14
293
294 }
295 public enum DllCharacteristicsType : ushort
296 {
297 RES_0 = 0x0001,
298 RES_1 = 0x0002,
299 RES_2 = 0x0004,
300 RES_3 = 0x0008,
301 IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
302 IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
303 IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
304 IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
305 IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
306 IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
307 RES_4 = 0x1000,
308 IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
309 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
310 }
311 [Flags]
312 public enum FileCharacteristicType : ushort
313 {
314 RelocationInformationStrippedFromFile = 0x1,
315 Executable = 0x2,
316 LineNumbersStripped = 0x4,
317 SymbolTableStripped = 0x8,
318 AggresiveTrimWorkingSet = 0x10,
319 LargeAddressAware = 0x20,
320 Supports16Bit = 0x40,
321 ReservedBytesWo = 0x80,
322 Supports32Bit = 0x100,
323 DebugInfoStripped = 0x200,
324 RunFromSwapIfInRemovableMedia = 0x400,
325 RunFromSwapIfInNetworkMedia = 0x800,
326 IsSytemFile = 0x1000,
327 IsDLL = 0x2000,
328 IsOnlyForSingleCoreProcessor = 0x4000,
329 BytesOfWordReserved = 0x8000,
330 }
331 #region DataSectionFlags
332 [Flags]
333 public enum DataSectionFlags : uint
334 {
335 /// <summary>
336 /// Reserved for future use.
337 /// </summary>
338 TypeReg = 0x00000000,
339 /// <summary>
340 /// Reserved for future use.
341 /// </summary>
342 TypeDsect = 0x00000001,
343 /// <summary>
344 /// Reserved for future use.
345 /// </summary>
346 TypeNoLoad = 0x00000002,
347 /// <summary>
348 /// Reserved for future use.
349 /// </summary>
350 TypeGroup = 0x00000004,
351 /// <summary>
352 /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
353 /// </summary>
354 TypeNoPadded = 0x00000008,
355 /// <summary>
356 /// Reserved for future use.
357 /// </summary>
358 TypeCopy = 0x00000010,
359 /// <summary>
360 /// The section contains executable code.
361 /// </summary>
362 ContentCode = 0x00000020,
363 /// <summary>
364 /// The section contains initialized data.
365 /// </summary>
366 ContentInitializedData = 0x00000040,
367 /// <summary>
368 /// The section contains uninitialized data.
369 /// </summary>
370 ContentUninitializedData = 0x00000080,
371 /// <summary>
372 /// Reserved for future use.
373 /// </summary>
374 LinkOther = 0x00000100,
375 /// <summary>
376 /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
377 /// </summary>
378 LinkInfo = 0x00000200,
379 /// <summary>
380 /// Reserved for future use.
381 /// </summary>
382 TypeOver = 0x00000400,
383 /// <summary>
384 /// The section will not become part of the image. This is valid only for object files.
385 /// </summary>
386 LinkRemove = 0x00000800,
387 /// <summary>
388 /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
389 /// </summary>
390 LinkComDat = 0x00001000,
391 /// <summary>
392 /// Reset speculative exceptions handling bits in the TLB entries for this section.
393 /// </summary>
394 NoDeferSpecExceptions = 0x00004000,
395 /// <summary>
396 /// The section contains data referenced through the global pointer (GP).
397 /// </summary>
398 RelativeGP = 0x00008000,
399 /// <summary>
400 /// Reserved for future use.
401 /// </summary>
402 MemPurgeable = 0x00020000,
403 /// <summary>
404 /// Reserved for future use.
405 /// </summary>
406 Memory16Bit = 0x00020000,
407 /// <summary>
408 /// Reserved for future use.
409 /// </summary>
410 MemoryLocked = 0x00040000,
411 /// <summary>
412 /// Reserved for future use.
413 /// </summary>
414 MemoryPreload = 0x00080000,
415 /// <summary>
416 /// Align data on a 1-byte boundary. Valid only for object files.
417 /// </summary>
418 Align1Bytes = 0x00100000,
419 /// <summary>
420 /// Align data on a 2-byte boundary. Valid only for object files.
421 /// </summary>
422 Align2Bytes = 0x00200000,
423 /// <summary>
424 /// Align data on a 4-byte boundary. Valid only for object files.
425 /// </summary>
426 Align4Bytes = 0x00300000,
427 /// <summary>
428 /// Align data on an 8-byte boundary. Valid only for object files.
429 /// </summary>
430 Align8Bytes = 0x00400000,
431 /// <summary>
432 /// Align data on a 16-byte boundary. Valid only for object files.
433 /// </summary>
434 Align16Bytes = 0x00500000,
435 /// <summary>
436 /// Align data on a 32-byte boundary. Valid only for object files.
437 /// </summary>
438 Align32Bytes = 0x00600000,
439 /// <summary>
440 /// Align data on a 64-byte boundary. Valid only for object files.
441 /// </summary>
442 Align64Bytes = 0x00700000,
443 /// <summary>
444 /// Align data on a 128-byte boundary. Valid only for object files.
445 /// </summary>
446 Align128Bytes = 0x00800000,
447 /// <summary>
448 /// Align data on a 256-byte boundary. Valid only for object files.
449 /// </summary>
450 Align256Bytes = 0x00900000,
451 /// <summary>
452 /// Align data on a 512-byte boundary. Valid only for object files.
453 /// </summary>
454 Align512Bytes = 0x00A00000,
455 /// <summary>
456 /// Align data on a 1024-byte boundary. Valid only for object files.
457 /// </summary>
458 Align1024Bytes = 0x00B00000,
459 /// <summary>
460 /// Align data on a 2048-byte boundary. Valid only for object files.
461 /// </summary>
462 Align2048Bytes = 0x00C00000,
463 /// <summary>
464 /// Align data on a 4096-byte boundary. Valid only for object files.
465 /// </summary>
466 Align4096Bytes = 0x00D00000,
467 /// <summary>
468 /// Align data on an 8192-byte boundary. Valid only for object files.
469 /// </summary>
470 Align8192Bytes = 0x00E00000,
471 /// <summary>
472 /// The section contains extended relocations.
473 /// </summary>
474 LinkExtendedRelocationOverflow = 0x01000000,
475 /// <summary>
476 /// The section can be discarded as needed.
477 /// </summary>
478 MemoryDiscardable = 0x02000000,
479 /// <summary>
480 /// The section cannot be cached.
481 /// </summary>
482 MemoryNotCached = 0x04000000,
483 /// <summary>
484 /// The section is not pageable.
485 /// </summary>
486 MemoryNotPaged = 0x08000000,
487 /// <summary>
488 /// The section can be shared in memory.
489 /// </summary>
490 MemoryShared = 0x10000000,
491 /// <summary>
492 /// The section can be executed as code.
493 /// </summary>
494 MemoryExecute = 0x20000000,
495 /// <summary>
496 /// The section can be read.
497 /// </summary>
498 MemoryRead = 0x40000000,
499 /// <summary>
500 /// The section can be written to.
501 /// </summary>
502 MemoryWrite = 0x80000000
503 }
504 #endregion
505 #endregion
506 /// <summary>
507 /// Reads in the header information of the Portable Executable format.
508 /// Provides information such as the date the assembly was compiled.
509 /// </summary>
510 public class PeHeaderReader
511 {
512
513
514 #region Private Fields
515
516 private UInt32 ntSignature;
517 /// <summary>
518 /// The DOS header
519 /// </summary>
520 private IMAGE_DOS_HEADER dosHeader;
521 /// <summary>
522 /// The file header
523 /// </summary>
524 private IMAGE_FILE_HEADER fileHeader;
525 /// <summary>
526 /// Optional 32 bit file header
527 /// </summary>
528 private IMAGE_OPTIONAL_HEADER32 optionalHeader32;
529 /// <summary>
530 /// Optional 64 bit file header
531 /// </summary>
532 private IMAGE_OPTIONAL_HEADER64 optionalHeader64;
533 /// <summary>
534 /// Image Section headers. Number of sections is in the file header.
535 /// </summary>
536 private IMAGE_SECTION_HEADER[] imageSectionHeaders;
537
538 #endregion Private Fields
539
540 #region Public Methods
541
542 public PeHeaderReader(string filePath)
543 {
544 // Read in the DLL or EXE and get the timestamp
545 using (FileStream stream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.Read))
546 {
547 BinaryReader reader = new BinaryReader(stream);
548 dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
549
550 // Add 4 bytes to the offset
551 stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
552
553 UInt32 ntHeadersSignature = reader.ReadUInt32();
554 ntSignature = ntHeadersSignature;
555 fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
556 if (this.Is32BitHeader)
557 {
558 optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
559 }
560 else
561 {
562 optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
563 }
564
565 imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
566 for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
567 {
568 imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
569 }
570
571 }
572 }
573
574 /// <summary>
575 /// Gets the header of the .NET assembly that called this function
576 /// </summary>
577 /// <returns></returns>
578 public static PeHeaderReader GetCallingAssemblyHeader()
579 {
580 // Get the path to the calling assembly, which is the path to the
581 // DLL or EXE that we want the time of
582 string filePath = System.Reflection.Assembly.GetCallingAssembly().Location;
583
584 // Get and return the timestamp
585 return new PeHeaderReader(filePath);
586 }
587
588 /// <summary>
589 /// Gets the header of the .NET assembly that called this function
590 /// </summary>
591 /// <returns></returns>
592 public static PeHeaderReader GetAssemblyHeader()
593 {
594 // Get the path to the calling assembly, which is the path to the
595 // DLL or EXE that we want the time of
596 string filePath = System.Reflection.Assembly.GetAssembly(typeof(PeHeaderReader)).Location;
597
598 // Get and return the timestamp
599 return new PeHeaderReader(filePath);
600 }
601
602 /// <summary>
603 /// Reads in a block from a file and converts it to the struct
604 /// type specified by the template parameter
605 /// </summary>
606 /// <typeparam name="T"></typeparam>
607 /// <param name="reader"></param>
608 /// <returns></returns>
609 public static T FromBinaryReader<T>(BinaryReader reader)
610 {
611 // Read in a byte array
612 byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
613
614 // Pin the managed memory while, copy it out the data, then unpin it
615 GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
616 T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
617 handle.Free();
618
619 return theStructure;
620 }
621
622 #endregion Public Methods
623
624 #region Properties
625
626 /// <summary>
627 /// Gets if the file header is 32 bit or not
628 /// </summary>
629 public bool Is32BitHeader
630 {
631 get
632 {
633 return FileHeader.Characteristics.HasFlag(FileCharacteristicType.Supports32Bit);
634 }
635 }
636
637 /// <summary>
638 /// Gets the file header
639 /// </summary>
640 public IMAGE_FILE_HEADER FileHeader
641 {
642 get
643 {
644 return fileHeader;
645 }
646 }
647 /// <summary>
648 /// Gets the file header
649 /// </summary>
650 public UInt32 NTSignature
651 {
652 get
653 {
654 return ntSignature;
655 }
656 }
657 /// <summary>
658 /// Gets the file header
659 /// </summary>
660 public IMAGE_DOS_HEADER DosHeader
661 {
662 get
663 {
664 return dosHeader;
665 }
666 }
667 /// <summary>
668 /// Gets the optional header
669 /// </summary>
670 public IMAGE_OPTIONAL_HEADER32 OptionalHeader32
671 {
672 get
673 {
674 return optionalHeader32;
675 }
676 }
677
678 /// <summary>
679 /// Gets the optional header
680 /// </summary>
681 public IMAGE_OPTIONAL_HEADER64 OptionalHeader64
682 {
683 get
684 {
685 return optionalHeader64;
686 }
687 }
688
689 public IMAGE_SECTION_HEADER[] ImageSectionHeaders
690 {
691 get
692 {
693 return imageSectionHeaders;
694 }
695 }
696
697 /// <summary>
698 /// Gets the timestamp from the file header
699 /// </summary>
700 public DateTime TimeStamp
701 {
702 get
703 {
704 // Timestamp is a date offset from 1970
705 DateTime returnValue = new DateTime(1970, 1, 1, 0, 0, 0);
706
707 // Add in the number of seconds since 1970/1/1
708 returnValue = returnValue.AddSeconds(fileHeader.TimeDateStamp);
709 // Adjust to local timezone
710 returnValue += TimeZone.CurrentTimeZone.GetUtcOffset(returnValue);
711
712 return returnValue;
713 }
714 }
715
716 #endregion Properties
717 }
718 #endregion
719 }

  ViewVC Help
Powered by ViewVC 1.1.22