Win32/Sojaner.MemoryScanner/PEReader.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using RomCheater.Logging;
using System.Runtime.InteropServices;
using System.Diagnostics;

namespace Sojaner.MemoryScanner
{
    public class PEReader
    {
        public PEReader(FileInfo fi) : this(fi.FullName) { }
        public PEReader(string filename) { this.Read(filename); }

        #region marshalling
        private void Read(string filename)
        {
            logger.Debug.WriteLine("Reading Exe: {0}", filename);

            using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                byte[] data = new byte[] { };
                GCHandle pinnedPacket = new GCHandle();
                int size = 0;
                BinaryReader br = new BinaryReader(fs);

                #region IMAGE_DOS_HEADER
                size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
                pinnedPacket.Free();
                #endregion

                // skip the old dos stub
                br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);

                #region IMAGE_NT_HEADERS
                size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
                pinnedPacket.Free();
                #endregion

                br.Close();
            }

 
        }
        #endregion

        #region header support
        #region IMAGE_DATA_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DATA_DIRECTORY
        {
            public UInt32 VirtualAddress;
            public UInt32 Size;
        }
        #endregion
        #region IMAGE_FILE_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_FILE_HEADER
        {
            public UInt16 Machine;
            public UInt16 NumberOfSections;
            public UInt32 TimeDateStamp;
            public UInt32 PointerToSymbolTable;
            public UInt32 NumberOfSymbols;
            public UInt16 SizeOfOptionalHeader;
            public UInt16 Characteristics;
        }
        #endregion
        #region IMAGE_DOS_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DOS_HEADER
        {
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
            public char[] e_magic;       // Magic number
            public UInt16 e_cblp;    // Bytes on last page of file
            public UInt16 e_cp;      // Pages in file
            public UInt16 e_crlc;    // Relocations
            public UInt16 e_cparhdr;     // Size of header in paragraphs
            public UInt16 e_minalloc;    // Minimum extra paragraphs needed
            public UInt16 e_maxalloc;    // Maximum extra paragraphs needed
            public UInt16 e_ss;      // Initial (relative) SS value
            public UInt16 e_sp;      // Initial SP value
            public UInt16 e_csum;    // Checksum
            public UInt16 e_ip;      // Initial IP value
            public UInt16 e_cs;      // Initial (relative) CS value
            public UInt16 e_lfarlc;      // File address of relocation table
            public UInt16 e_ovno;    // Overlay number
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public UInt16[] e_res1;    // Reserved words
            public UInt16 e_oemid;       // OEM identifier (for e_oeminfo)
            public UInt16 e_oeminfo;     // OEM information; e_oemid specific
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
            public UInt16[] e_res2;    // Reserved words
            public Int32 e_lfanew;      // File address of new exe header
            private string _e_magic
            {
                get { return new string(e_magic); }
            }
            public bool isValid
            {
                get { return _e_magic == "MZ"; }
            }
        }
        #endregion
        #region IMAGE_NT_HEADERS
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_NT_HEADERS
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public char[] Signature;

            [FieldOffset(4)]
            public IMAGE_FILE_HEADER FileHeader;

            [FieldOffset(24)]
            public IMAGE_OPTIONAL_HEADER OptionalHeader;

            private string _Signature
            {
                get { return new string(Signature); }
            }

            public bool isValid
            {
                get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
            }
        }
        #endregion
        #region MachineType
        public enum MachineType : ushort
        {
            Native = 0,
            I386 = 0x014c,
            Itanium = 0x0200,
            x64 = 0x8664
        }
        #endregion
        #region MagicType
        public enum MagicType : ushort
        {
            IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
            IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
        }
        #endregion
        #region SubSystemType
        public enum SubSystemType : ushort
        {
            IMAGE_SUBSYSTEM_UNKNOWN = 0,
            IMAGE_SUBSYSTEM_NATIVE = 1,
            IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
            IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
            IMAGE_SUBSYSTEM_POSIX_CUI = 7,
            IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
            IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
            IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
            IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
            IMAGE_SUBSYSTEM_EFI_ROM = 13,
            IMAGE_SUBSYSTEM_XBOX = 14

        }
        #endregion
        #region DllCharacteristicsType
        public enum DllCharacteristicsType : ushort
        {
            RES_0 = 0x0001,
            RES_1 = 0x0002,
            RES_2 = 0x0004,
            RES_3 = 0x0008,
            IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
            IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
            IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
            IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
            IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
            IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
            RES_4 = 0x1000,
            IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
            IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
        }
        #endregion
        #region IMAGE_OPTIONAL_HEADER
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_OPTIONAL_HEADER
        {
            [FieldOffset(0)]
            public MagicType Magic;

            [FieldOffset(2)]
            public byte MajorLinkerVersion;

            [FieldOffset(3)]
            public byte MinorLinkerVersion;

            [FieldOffset(4)]
            public uint SizeOfCode;

            [FieldOffset(8)]
            public uint SizeOfInitializedData;

            [FieldOffset(12)]
            public uint SizeOfUninitializedData;

            [FieldOffset(16)]
            public uint AddressOfEntryPoint;

            [FieldOffset(20)]
            public uint BaseOfCode;

            // PE32 contains this additional field
            [FieldOffset(24)]
            public uint BaseOfData;

            [FieldOffset(28)]
            public uint ImageBase;

            [FieldOffset(32)]
            public uint SectionAlignment;

            [FieldOffset(36)]
            public uint FileAlignment;

            [FieldOffset(40)]
            public ushort MajorOperatingSystemVersion;

            [FieldOffset(42)]
            public ushort MinorOperatingSystemVersion;

            [FieldOffset(44)]
            public ushort MajorImageVersion;

            [FieldOffset(46)]
            public ushort MinorImageVersion;

            [FieldOffset(48)]
            public ushort MajorSubsystemVersion;

            [FieldOffset(50)]
            public ushort MinorSubsystemVersion;

            [FieldOffset(52)]
            public uint Win32VersionValue;

            [FieldOffset(56)]
            public uint SizeOfImage;

            [FieldOffset(60)]
            public uint SizeOfHeaders;

            [FieldOffset(64)]
            public uint CheckSum;

            [FieldOffset(68)]
            public SubSystemType Subsystem;

            [FieldOffset(70)]
            public DllCharacteristicsType DllCharacteristics;

            [FieldOffset(72)]
            public uint SizeOfStackReserve;

            [FieldOffset(76)]
            public uint SizeOfStackCommit;

            [FieldOffset(80)]
            public uint SizeOfHeapReserve;

            [FieldOffset(84)]
            public uint SizeOfHeapCommit;

            [FieldOffset(88)]
            public uint LoaderFlags;

            [FieldOffset(92)]
            public uint NumberOfRvaAndSizes;

            [FieldOffset(96)]
            public IMAGE_DATA_DIRECTORY ExportTable;

            [FieldOffset(104)]
            public IMAGE_DATA_DIRECTORY ImportTable;

            [FieldOffset(112)]
            public IMAGE_DATA_DIRECTORY ResourceTable;

            [FieldOffset(120)]
            public IMAGE_DATA_DIRECTORY ExceptionTable;

            [FieldOffset(128)]
            public IMAGE_DATA_DIRECTORY CertificateTable;

            [FieldOffset(136)]
            public IMAGE_DATA_DIRECTORY BaseRelocationTable;

            [FieldOffset(144)]
            public IMAGE_DATA_DIRECTORY Debug;

            [FieldOffset(152)]
            public IMAGE_DATA_DIRECTORY Architecture;

            [FieldOffset(160)]
            public IMAGE_DATA_DIRECTORY GlobalPtr;

            [FieldOffset(168)]
            public IMAGE_DATA_DIRECTORY TLSTable;

            [FieldOffset(176)]
            public IMAGE_DATA_DIRECTORY LoadConfigTable;

            [FieldOffset(184)]
            public IMAGE_DATA_DIRECTORY BoundImport;

            [FieldOffset(192)]
            public IMAGE_DATA_DIRECTORY IAT;

            [FieldOffset(200)]
            public IMAGE_DATA_DIRECTORY DelayImportDescriptor;

            [FieldOffset(208)]
            public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;

            [FieldOffset(216)]
            public IMAGE_DATA_DIRECTORY Reserved;
        }
        #endregion
        #region IMAGE_EXPORT_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_EXPORT_DIRECTORY
        {
            public UInt32 Characteristics;
            public UInt32 TimeDateStamp;
            public UInt16 MajorVersion;
            public UInt16 MinorVersion;
            public UInt32 Name;
            public UInt32 Base;
            public UInt32 NumberOfFunctions;
            public UInt32 NumberOfNames;
            public UInt32 AddressOfFunctions;     // RVA from base of image
            public UInt32 AddressOfNames;     // RVA from base of image
            public UInt32 AddressOfNameOrdinals;  // RVA from base of image
        }
        #endregion
        #endregion
    }
}
Revision:	159
Committed:	Mon May 28 05:22:28 2012 UTC (11 years, 4 months ago) by william
File size:	11981 byte(s)
Log Message:	+ add support to parse an exe
#	User	Rev	Content
1	william	159	using System;
2			using System.Collections.Generic;
3			using System.Linq;
4			using System.Text;
5			using System.IO;
6			using RomCheater.Logging;
7			using System.Runtime.InteropServices;
8			using System.Diagnostics;
9
10			namespace Sojaner.MemoryScanner
11			{
12			public class PEReader
13			{
14			public PEReader(FileInfo fi) : this(fi.FullName) { }
15			public PEReader(string filename) { this.Read(filename); }
16
17			#region marshalling
18			private void Read(string filename)
19			{
20			logger.Debug.WriteLine("Reading Exe: {0}", filename);
21
22			using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
23			{
24			byte[] data = new byte[] { };
25			GCHandle pinnedPacket = new GCHandle();
26			int size = 0;
27			BinaryReader br = new BinaryReader(fs);
28
29			#region IMAGE_DOS_HEADER
30			size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
31			data = br.ReadBytes(size);
32			pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
33			IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
34			pinnedPacket.Free();
35			#endregion
36
37			// skip the old dos stub
38			br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);
39
40			#region IMAGE_NT_HEADERS
41			size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
42			data = br.ReadBytes(size);
43			pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
44			IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
45			pinnedPacket.Free();
46			#endregion
47
48			br.Close();
49			}
50
51
52			}
53			#endregion
54
55			#region header support
56			#region IMAGE_DATA_DIRECTORY
57			[StructLayout(LayoutKind.Sequential)]
58			public struct IMAGE_DATA_DIRECTORY
59			{
60			public UInt32 VirtualAddress;
61			public UInt32 Size;
62			}
63			#endregion
64			#region IMAGE_FILE_HEADER
65			[StructLayout(LayoutKind.Sequential)]
66			public struct IMAGE_FILE_HEADER
67			{
68			public UInt16 Machine;
69			public UInt16 NumberOfSections;
70			public UInt32 TimeDateStamp;
71			public UInt32 PointerToSymbolTable;
72			public UInt32 NumberOfSymbols;
73			public UInt16 SizeOfOptionalHeader;
74			public UInt16 Characteristics;
75			}
76			#endregion
77			#region IMAGE_DOS_HEADER
78			[StructLayout(LayoutKind.Sequential)]
79			public struct IMAGE_DOS_HEADER
80			{
81			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
82			public char[] e_magic; // Magic number
83			public UInt16 e_cblp; // Bytes on last page of file
84			public UInt16 e_cp; // Pages in file
85			public UInt16 e_crlc; // Relocations
86			public UInt16 e_cparhdr; // Size of header in paragraphs
87			public UInt16 e_minalloc; // Minimum extra paragraphs needed
88			public UInt16 e_maxalloc; // Maximum extra paragraphs needed
89			public UInt16 e_ss; // Initial (relative) SS value
90			public UInt16 e_sp; // Initial SP value
91			public UInt16 e_csum; // Checksum
92			public UInt16 e_ip; // Initial IP value
93			public UInt16 e_cs; // Initial (relative) CS value
94			public UInt16 e_lfarlc; // File address of relocation table
95			public UInt16 e_ovno; // Overlay number
96			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
97			public UInt16[] e_res1; // Reserved words
98			public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
99			public UInt16 e_oeminfo; // OEM information; e_oemid specific
100			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
101			public UInt16[] e_res2; // Reserved words
102			public Int32 e_lfanew; // File address of new exe header
103			private string _e_magic
104			{
105			get { return new string(e_magic); }
106			}
107			public bool isValid
108			{
109			get { return _e_magic == "MZ"; }
110			}
111			}
112			#endregion
113			#region IMAGE_NT_HEADERS
114			[StructLayout(LayoutKind.Explicit)]
115			public struct IMAGE_NT_HEADERS
116			{
117			[FieldOffset(0)]
118			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
119			public char[] Signature;
120
121			[FieldOffset(4)]
122			public IMAGE_FILE_HEADER FileHeader;
123
124			[FieldOffset(24)]
125			public IMAGE_OPTIONAL_HEADER OptionalHeader;
126
127			private string _Signature
128			{
129			get { return new string(Signature); }
130			}
131
132			public bool isValid
133			{
134			get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC \|\| OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
135			}
136			}
137			#endregion
138			#region MachineType
139			public enum MachineType : ushort
140			{
141			Native = 0,
142			I386 = 0x014c,
143			Itanium = 0x0200,
144			x64 = 0x8664
145			}
146			#endregion
147			#region MagicType
148			public enum MagicType : ushort
149			{
150			IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
151			IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
152			}
153			#endregion
154			#region SubSystemType
155			public enum SubSystemType : ushort
156			{
157			IMAGE_SUBSYSTEM_UNKNOWN = 0,
158			IMAGE_SUBSYSTEM_NATIVE = 1,
159			IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
160			IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
161			IMAGE_SUBSYSTEM_POSIX_CUI = 7,
162			IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
163			IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
164			IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
165			IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
166			IMAGE_SUBSYSTEM_EFI_ROM = 13,
167			IMAGE_SUBSYSTEM_XBOX = 14
168
169			}
170			#endregion
171			#region DllCharacteristicsType
172			public enum DllCharacteristicsType : ushort
173			{
174			RES_0 = 0x0001,
175			RES_1 = 0x0002,
176			RES_2 = 0x0004,
177			RES_3 = 0x0008,
178			IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
179			IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
180			IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
181			IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
182			IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
183			IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
184			RES_4 = 0x1000,
185			IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
186			IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
187			}
188			#endregion
189			#region IMAGE_OPTIONAL_HEADER
190			[StructLayout(LayoutKind.Explicit)]
191			public struct IMAGE_OPTIONAL_HEADER
192			{
193			[FieldOffset(0)]
194			public MagicType Magic;
195
196			[FieldOffset(2)]
197			public byte MajorLinkerVersion;
198
199			[FieldOffset(3)]
200			public byte MinorLinkerVersion;
201
202			[FieldOffset(4)]
203			public uint SizeOfCode;
204
205			[FieldOffset(8)]
206			public uint SizeOfInitializedData;
207
208			[FieldOffset(12)]
209			public uint SizeOfUninitializedData;
210
211			[FieldOffset(16)]
212			public uint AddressOfEntryPoint;
213
214			[FieldOffset(20)]
215			public uint BaseOfCode;
216
217			// PE32 contains this additional field
218			[FieldOffset(24)]
219			public uint BaseOfData;
220
221			[FieldOffset(28)]
222			public uint ImageBase;
223
224			[FieldOffset(32)]
225			public uint SectionAlignment;
226
227			[FieldOffset(36)]
228			public uint FileAlignment;
229
230			[FieldOffset(40)]
231			public ushort MajorOperatingSystemVersion;
232
233			[FieldOffset(42)]
234			public ushort MinorOperatingSystemVersion;
235
236			[FieldOffset(44)]
237			public ushort MajorImageVersion;
238
239			[FieldOffset(46)]
240			public ushort MinorImageVersion;
241
242			[FieldOffset(48)]
243			public ushort MajorSubsystemVersion;
244
245			[FieldOffset(50)]
246			public ushort MinorSubsystemVersion;
247
248			[FieldOffset(52)]
249			public uint Win32VersionValue;
250
251			[FieldOffset(56)]
252			public uint SizeOfImage;
253
254			[FieldOffset(60)]
255			public uint SizeOfHeaders;
256
257			[FieldOffset(64)]
258			public uint CheckSum;
259
260			[FieldOffset(68)]
261			public SubSystemType Subsystem;
262
263			[FieldOffset(70)]
264			public DllCharacteristicsType DllCharacteristics;
265
266			[FieldOffset(72)]
267			public uint SizeOfStackReserve;
268
269			[FieldOffset(76)]
270			public uint SizeOfStackCommit;
271
272			[FieldOffset(80)]
273			public uint SizeOfHeapReserve;
274
275			[FieldOffset(84)]
276			public uint SizeOfHeapCommit;
277
278			[FieldOffset(88)]
279			public uint LoaderFlags;
280
281			[FieldOffset(92)]
282			public uint NumberOfRvaAndSizes;
283
284			[FieldOffset(96)]
285			public IMAGE_DATA_DIRECTORY ExportTable;
286
287			[FieldOffset(104)]
288			public IMAGE_DATA_DIRECTORY ImportTable;
289
290			[FieldOffset(112)]
291			public IMAGE_DATA_DIRECTORY ResourceTable;
292
293			[FieldOffset(120)]
294			public IMAGE_DATA_DIRECTORY ExceptionTable;
295
296			[FieldOffset(128)]
297			public IMAGE_DATA_DIRECTORY CertificateTable;
298
299			[FieldOffset(136)]
300			public IMAGE_DATA_DIRECTORY BaseRelocationTable;
301
302			[FieldOffset(144)]
303			public IMAGE_DATA_DIRECTORY Debug;
304
305			[FieldOffset(152)]
306			public IMAGE_DATA_DIRECTORY Architecture;
307
308			[FieldOffset(160)]
309			public IMAGE_DATA_DIRECTORY GlobalPtr;
310
311			[FieldOffset(168)]
312			public IMAGE_DATA_DIRECTORY TLSTable;
313
314			[FieldOffset(176)]
315			public IMAGE_DATA_DIRECTORY LoadConfigTable;
316
317			[FieldOffset(184)]
318			public IMAGE_DATA_DIRECTORY BoundImport;
319
320			[FieldOffset(192)]
321			public IMAGE_DATA_DIRECTORY IAT;
322
323			[FieldOffset(200)]
324			public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
325
326			[FieldOffset(208)]
327			public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
328
329			[FieldOffset(216)]
330			public IMAGE_DATA_DIRECTORY Reserved;
331			}
332			#endregion
333			#region IMAGE_EXPORT_DIRECTORY
334			[StructLayout(LayoutKind.Sequential)]
335			public struct IMAGE_EXPORT_DIRECTORY
336			{
337			public UInt32 Characteristics;
338			public UInt32 TimeDateStamp;
339			public UInt16 MajorVersion;
340			public UInt16 MinorVersion;
341			public UInt32 Name;
342			public UInt32 Base;
343			public UInt32 NumberOfFunctions;
344			public UInt32 NumberOfNames;
345			public UInt32 AddressOfFunctions; // RVA from base of image
346			public UInt32 AddressOfNames; // RVA from base of image
347			public UInt32 AddressOfNameOrdinals; // RVA from base of image
348			}
349			#endregion
350			#endregion
351			}
352			}