Win32/Sojaner.MemoryScanner/PEReader.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using RomCheater.Logging;
using System.Runtime.InteropServices;
using System.Diagnostics;

namespace Sojaner.MemoryScanner
{
    public class PEReader
    {
        public PEReader(FileInfo fi) : this(fi.FullName) { }
        public PEReader(string filename) { this.Read(filename); }

        #region marshalling
        private void Read(string filename)
        {
            logger.Debug.WriteLine("Reading Exe: {0}", filename);

            using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                byte[] data = new byte[] { };
                GCHandle pinnedPacket = new GCHandle();
                int size = 0;
                BinaryReader br = new BinaryReader(fs);

                #region IMAGE_DOS_HEADER
                size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
                pinnedPacket.Free();
                #endregion

                // skip the old dos stub
                br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);

                #region IMAGE_NT_HEADERS
                size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
                pinnedPacket.Free();
                #endregion


                br.Close();
            }

 
        }
        #endregion

        #region header support
        #region IMAGE_DATA_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DATA_DIRECTORY
        {
            public UInt32 VirtualAddress;
            public UInt32 Size;
        }
        #endregion
        #region IMAGE_FILE_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_FILE_HEADER
        {
            public MachineType Machine;
            public UInt16 NumberOfSections;
            public UInt32 TimeDateStamp;
            public UInt32 PointerToSymbolTable;
            public UInt32 NumberOfSymbols;
            public UInt16 SizeOfOptionalHeader;
            public DllCharacteristicsType Characteristics;
        }
        #endregion
        #region IMAGE_DOS_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DOS_HEADER
        {
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
            public char[] e_magic;       // Magic number
            public UInt16 e_cblp;    // Bytes on last page of file
            public UInt16 e_cp;      // Pages in file
            public UInt16 e_crlc;    // Relocations
            public UInt16 e_cparhdr;     // Size of header in paragraphs
            public UInt16 e_minalloc;    // Minimum extra paragraphs needed
            public UInt16 e_maxalloc;    // Maximum extra paragraphs needed
            public UInt16 e_ss;      // Initial (relative) SS value
            public UInt16 e_sp;      // Initial SP value
            public UInt16 e_csum;    // Checksum
            public UInt16 e_ip;      // Initial IP value
            public UInt16 e_cs;      // Initial (relative) CS value
            public UInt16 e_lfarlc;      // File address of relocation table
            public UInt16 e_ovno;    // Overlay number
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public UInt16[] e_res1;    // Reserved words
            public UInt16 e_oemid;       // OEM identifier (for e_oeminfo)
            public UInt16 e_oeminfo;     // OEM information; e_oemid specific
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
            public UInt16[] e_res2;    // Reserved words
            public Int32 e_lfanew;      // File address of new exe header
            private string _e_magic
            {
                get { return new string(e_magic); }
            }
            public bool isValid
            {
                get { return _e_magic == "MZ"; }
            }
        }
        #endregion
        #region IMAGE_NT_HEADERS
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_NT_HEADERS
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public char[] Signature;

            [FieldOffset(4)]
            public IMAGE_FILE_HEADER FileHeader;

            [FieldOffset(24)]
            public IMAGE_OPTIONAL_HEADER OptionalHeader;

            private string _Signature
            {
                get { return new string(Signature); }
            }

            public bool isValid
            {
                get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
            }
        }
        #endregion
        #region MachineType
        public enum MachineType : ushort
        {
            Native = 0,
            I386 = 0x014c,
            Itanium = 0x0200,
            x64 = 0x8664
        }
        #endregion
        #region MagicType
        public enum MagicType : ushort
        {
            IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
            IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
        }
        #endregion
        #region SubSystemType
        public enum SubSystemType : ushort
        {
            IMAGE_SUBSYSTEM_UNKNOWN = 0,
            IMAGE_SUBSYSTEM_NATIVE = 1,
            IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
            IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
            IMAGE_SUBSYSTEM_POSIX_CUI = 7,
            IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
            IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
            IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
            IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
            IMAGE_SUBSYSTEM_EFI_ROM = 13,
            IMAGE_SUBSYSTEM_XBOX = 14

        }
        #endregion
        #region DllCharacteristicsType
        [Flags]
        public enum DllCharacteristicsType : ushort
        {
            RES_0 = 0x0001,
            RES_1 = 0x0002,
            RES_2 = 0x0004,
            RES_3 = 0x0008,
            IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
            IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
            IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
            IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
            IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
            IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
            RES_4 = 0x1000,
            IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
            IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
        }
        #endregion
        #region IMAGE_OPTIONAL_HEADER
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_OPTIONAL_HEADER
        {
            [FieldOffset(0)]
            public MagicType Magic;

            [FieldOffset(2)]
            public byte MajorLinkerVersion;

            [FieldOffset(3)]
            public byte MinorLinkerVersion;

            [FieldOffset(4)]
            public uint SizeOfCode;

            [FieldOffset(8)]
            public uint SizeOfInitializedData;

            [FieldOffset(12)]
            public uint SizeOfUninitializedData;

            [FieldOffset(16)]
            public uint AddressOfEntryPoint;

            [FieldOffset(20)]
            public uint BaseOfCode;

            // PE32 contains this additional field
            [FieldOffset(24)]
            public uint BaseOfData;

            [FieldOffset(28)]
            public uint ImageBase;

            [FieldOffset(32)]
            public uint SectionAlignment;

            [FieldOffset(36)]
            public uint FileAlignment;

            [FieldOffset(40)]
            public ushort MajorOperatingSystemVersion;

            [FieldOffset(42)]
            public ushort MinorOperatingSystemVersion;

            [FieldOffset(44)]
            public ushort MajorImageVersion;

            [FieldOffset(46)]
            public ushort MinorImageVersion;

            [FieldOffset(48)]
            public ushort MajorSubsystemVersion;

            [FieldOffset(50)]
            public ushort MinorSubsystemVersion;

            [FieldOffset(52)]
            public uint Win32VersionValue;

            [FieldOffset(56)]
            public uint SizeOfImage;

            [FieldOffset(60)]
            public uint SizeOfHeaders;

            [FieldOffset(64)]
            public uint CheckSum;

            [FieldOffset(68)]
            public SubSystemType Subsystem;

            [FieldOffset(70)]
            public DllCharacteristicsType DllCharacteristics;

            [FieldOffset(72)]
            public uint SizeOfStackReserve;

            [FieldOffset(76)]
            public uint SizeOfStackCommit;

            [FieldOffset(80)]
            public uint SizeOfHeapReserve;

            [FieldOffset(84)]
            public uint SizeOfHeapCommit;

            [FieldOffset(88)]
            public uint LoaderFlags;

            [FieldOffset(92)]
            public uint NumberOfRvaAndSizes;

            [FieldOffset(96)]
            public IMAGE_DATA_DIRECTORY ExportTable;

            [FieldOffset(104)]
            public IMAGE_DATA_DIRECTORY ImportTable;

            [FieldOffset(112)]
            public IMAGE_DATA_DIRECTORY ResourceTable;

            [FieldOffset(120)]
            public IMAGE_DATA_DIRECTORY ExceptionTable;

            [FieldOffset(128)]
            public IMAGE_DATA_DIRECTORY CertificateTable;

            [FieldOffset(136)]
            public IMAGE_DATA_DIRECTORY BaseRelocationTable;

            [FieldOffset(144)]
            public IMAGE_DATA_DIRECTORY Debug;

            [FieldOffset(152)]
            public IMAGE_DATA_DIRECTORY Architecture;

            [FieldOffset(160)]
            public IMAGE_DATA_DIRECTORY GlobalPtr;

            [FieldOffset(168)]
            public IMAGE_DATA_DIRECTORY TLSTable;

            [FieldOffset(176)]
            public IMAGE_DATA_DIRECTORY LoadConfigTable;

            [FieldOffset(184)]
            public IMAGE_DATA_DIRECTORY BoundImport;

            [FieldOffset(192)]
            public IMAGE_DATA_DIRECTORY IAT;

            [FieldOffset(200)]
            public IMAGE_DATA_DIRECTORY DelayImportDescriptor;

            [FieldOffset(208)]
            public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;

            [FieldOffset(216)]
            public IMAGE_DATA_DIRECTORY Reserved;
        }
        #endregion
        #region IMAGE_EXPORT_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_EXPORT_DIRECTORY
        {
            public UInt32 Characteristics;
            public UInt32 TimeDateStamp;
            public UInt16 MajorVersion;
            public UInt16 MinorVersion;
            public UInt32 Name;
            public UInt32 Base;
            public UInt32 NumberOfFunctions;
            public UInt32 NumberOfNames;
            public UInt32 AddressOfFunctions;     // RVA from base of image
            public UInt32 AddressOfNames;     // RVA from base of image
            public UInt32 AddressOfNameOrdinals;  // RVA from base of image
        }
        #endregion
        #endregion
    }
}
Revision:	160
Committed:	Mon May 28 05:30:14 2012 UTC (11 years, 4 months ago) by william
File size:	12023 byte(s)
Log Message:	Force the use of the enum values for these types public struct IMAGE_FILE_HEADER { public MachineType Machine; public DllCharacteristicsType Characteristics; }
#	User	Rev	Content
1	william	159	using System;
2			using System.Collections.Generic;
3			using System.Linq;
4			using System.Text;
5			using System.IO;
6			using RomCheater.Logging;
7			using System.Runtime.InteropServices;
8			using System.Diagnostics;
9
10			namespace Sojaner.MemoryScanner
11			{
12			public class PEReader
13			{
14			public PEReader(FileInfo fi) : this(fi.FullName) { }
15			public PEReader(string filename) { this.Read(filename); }
16
17			#region marshalling
18			private void Read(string filename)
19			{
20			logger.Debug.WriteLine("Reading Exe: {0}", filename);
21
22			using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
23			{
24			byte[] data = new byte[] { };
25			GCHandle pinnedPacket = new GCHandle();
26			int size = 0;
27			BinaryReader br = new BinaryReader(fs);
28
29			#region IMAGE_DOS_HEADER
30			size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
31			data = br.ReadBytes(size);
32			pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
33			IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
34			pinnedPacket.Free();
35			#endregion
36
37			// skip the old dos stub
38			br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);
39
40			#region IMAGE_NT_HEADERS
41			size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
42			data = br.ReadBytes(size);
43			pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
44			IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
45			pinnedPacket.Free();
46			#endregion
47
48	william	160
49
50	william	159	br.Close();
51			}
52
53
54			}
55			#endregion
56
57			#region header support
58			#region IMAGE_DATA_DIRECTORY
59			[StructLayout(LayoutKind.Sequential)]
60			public struct IMAGE_DATA_DIRECTORY
61			{
62			public UInt32 VirtualAddress;
63			public UInt32 Size;
64			}
65			#endregion
66			#region IMAGE_FILE_HEADER
67			[StructLayout(LayoutKind.Sequential)]
68			public struct IMAGE_FILE_HEADER
69			{
70	william	160	public MachineType Machine;
71	william	159	public UInt16 NumberOfSections;
72			public UInt32 TimeDateStamp;
73			public UInt32 PointerToSymbolTable;
74			public UInt32 NumberOfSymbols;
75			public UInt16 SizeOfOptionalHeader;
76	william	160	public DllCharacteristicsType Characteristics;
77	william	159	}
78			#endregion
79			#region IMAGE_DOS_HEADER
80			[StructLayout(LayoutKind.Sequential)]
81			public struct IMAGE_DOS_HEADER
82			{
83			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
84			public char[] e_magic; // Magic number
85			public UInt16 e_cblp; // Bytes on last page of file
86			public UInt16 e_cp; // Pages in file
87			public UInt16 e_crlc; // Relocations
88			public UInt16 e_cparhdr; // Size of header in paragraphs
89			public UInt16 e_minalloc; // Minimum extra paragraphs needed
90			public UInt16 e_maxalloc; // Maximum extra paragraphs needed
91			public UInt16 e_ss; // Initial (relative) SS value
92			public UInt16 e_sp; // Initial SP value
93			public UInt16 e_csum; // Checksum
94			public UInt16 e_ip; // Initial IP value
95			public UInt16 e_cs; // Initial (relative) CS value
96			public UInt16 e_lfarlc; // File address of relocation table
97			public UInt16 e_ovno; // Overlay number
98			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
99			public UInt16[] e_res1; // Reserved words
100			public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
101			public UInt16 e_oeminfo; // OEM information; e_oemid specific
102			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
103			public UInt16[] e_res2; // Reserved words
104			public Int32 e_lfanew; // File address of new exe header
105			private string _e_magic
106			{
107			get { return new string(e_magic); }
108			}
109			public bool isValid
110			{
111			get { return _e_magic == "MZ"; }
112			}
113			}
114			#endregion
115			#region IMAGE_NT_HEADERS
116			[StructLayout(LayoutKind.Explicit)]
117			public struct IMAGE_NT_HEADERS
118			{
119			[FieldOffset(0)]
120			[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
121			public char[] Signature;
122
123			[FieldOffset(4)]
124			public IMAGE_FILE_HEADER FileHeader;
125
126			[FieldOffset(24)]
127			public IMAGE_OPTIONAL_HEADER OptionalHeader;
128
129			private string _Signature
130			{
131			get { return new string(Signature); }
132			}
133
134			public bool isValid
135			{
136			get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC \|\| OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
137			}
138			}
139			#endregion
140			#region MachineType
141			public enum MachineType : ushort
142			{
143			Native = 0,
144			I386 = 0x014c,
145			Itanium = 0x0200,
146			x64 = 0x8664
147			}
148			#endregion
149			#region MagicType
150			public enum MagicType : ushort
151			{
152			IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
153			IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
154			}
155			#endregion
156			#region SubSystemType
157			public enum SubSystemType : ushort
158			{
159			IMAGE_SUBSYSTEM_UNKNOWN = 0,
160			IMAGE_SUBSYSTEM_NATIVE = 1,
161			IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
162			IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
163			IMAGE_SUBSYSTEM_POSIX_CUI = 7,
164			IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
165			IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
166			IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
167			IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
168			IMAGE_SUBSYSTEM_EFI_ROM = 13,
169			IMAGE_SUBSYSTEM_XBOX = 14
170
171			}
172			#endregion
173			#region DllCharacteristicsType
174	william	160	[Flags]
175	william	159	public enum DllCharacteristicsType : ushort
176			{
177			RES_0 = 0x0001,
178			RES_1 = 0x0002,
179			RES_2 = 0x0004,
180			RES_3 = 0x0008,
181			IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
182			IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
183			IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
184			IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
185			IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
186			IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
187			RES_4 = 0x1000,
188			IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
189			IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
190			}
191			#endregion
192			#region IMAGE_OPTIONAL_HEADER
193			[StructLayout(LayoutKind.Explicit)]
194			public struct IMAGE_OPTIONAL_HEADER
195			{
196			[FieldOffset(0)]
197			public MagicType Magic;
198
199			[FieldOffset(2)]
200			public byte MajorLinkerVersion;
201
202			[FieldOffset(3)]
203			public byte MinorLinkerVersion;
204
205			[FieldOffset(4)]
206			public uint SizeOfCode;
207
208			[FieldOffset(8)]
209			public uint SizeOfInitializedData;
210
211			[FieldOffset(12)]
212			public uint SizeOfUninitializedData;
213
214			[FieldOffset(16)]
215			public uint AddressOfEntryPoint;
216
217			[FieldOffset(20)]
218			public uint BaseOfCode;
219
220			// PE32 contains this additional field
221			[FieldOffset(24)]
222			public uint BaseOfData;
223
224			[FieldOffset(28)]
225			public uint ImageBase;
226
227			[FieldOffset(32)]
228			public uint SectionAlignment;
229
230			[FieldOffset(36)]
231			public uint FileAlignment;
232
233			[FieldOffset(40)]
234			public ushort MajorOperatingSystemVersion;
235
236			[FieldOffset(42)]
237			public ushort MinorOperatingSystemVersion;
238
239			[FieldOffset(44)]
240			public ushort MajorImageVersion;
241
242			[FieldOffset(46)]
243			public ushort MinorImageVersion;
244
245			[FieldOffset(48)]
246			public ushort MajorSubsystemVersion;
247
248			[FieldOffset(50)]
249			public ushort MinorSubsystemVersion;
250
251			[FieldOffset(52)]
252			public uint Win32VersionValue;
253
254			[FieldOffset(56)]
255			public uint SizeOfImage;
256
257			[FieldOffset(60)]
258			public uint SizeOfHeaders;
259
260			[FieldOffset(64)]
261			public uint CheckSum;
262
263			[FieldOffset(68)]
264			public SubSystemType Subsystem;
265
266			[FieldOffset(70)]
267			public DllCharacteristicsType DllCharacteristics;
268
269			[FieldOffset(72)]
270			public uint SizeOfStackReserve;
271
272			[FieldOffset(76)]
273			public uint SizeOfStackCommit;
274
275			[FieldOffset(80)]
276			public uint SizeOfHeapReserve;
277
278			[FieldOffset(84)]
279			public uint SizeOfHeapCommit;
280
281			[FieldOffset(88)]
282			public uint LoaderFlags;
283
284			[FieldOffset(92)]
285			public uint NumberOfRvaAndSizes;
286
287			[FieldOffset(96)]
288			public IMAGE_DATA_DIRECTORY ExportTable;
289
290			[FieldOffset(104)]
291			public IMAGE_DATA_DIRECTORY ImportTable;
292
293			[FieldOffset(112)]
294			public IMAGE_DATA_DIRECTORY ResourceTable;
295
296			[FieldOffset(120)]
297			public IMAGE_DATA_DIRECTORY ExceptionTable;
298
299			[FieldOffset(128)]
300			public IMAGE_DATA_DIRECTORY CertificateTable;
301
302			[FieldOffset(136)]
303			public IMAGE_DATA_DIRECTORY BaseRelocationTable;
304
305			[FieldOffset(144)]
306			public IMAGE_DATA_DIRECTORY Debug;
307
308			[FieldOffset(152)]
309			public IMAGE_DATA_DIRECTORY Architecture;
310
311			[FieldOffset(160)]
312			public IMAGE_DATA_DIRECTORY GlobalPtr;
313
314			[FieldOffset(168)]
315			public IMAGE_DATA_DIRECTORY TLSTable;
316
317			[FieldOffset(176)]
318			public IMAGE_DATA_DIRECTORY LoadConfigTable;
319
320			[FieldOffset(184)]
321			public IMAGE_DATA_DIRECTORY BoundImport;
322
323			[FieldOffset(192)]
324			public IMAGE_DATA_DIRECTORY IAT;
325
326			[FieldOffset(200)]
327			public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
328
329			[FieldOffset(208)]
330			public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
331
332			[FieldOffset(216)]
333			public IMAGE_DATA_DIRECTORY Reserved;
334			}
335			#endregion
336			#region IMAGE_EXPORT_DIRECTORY
337			[StructLayout(LayoutKind.Sequential)]
338			public struct IMAGE_EXPORT_DIRECTORY
339			{
340			public UInt32 Characteristics;
341			public UInt32 TimeDateStamp;
342			public UInt16 MajorVersion;
343			public UInt16 MinorVersion;
344			public UInt32 Name;
345			public UInt32 Base;
346			public UInt32 NumberOfFunctions;
347			public UInt32 NumberOfNames;
348			public UInt32 AddressOfFunctions; // RVA from base of image
349			public UInt32 AddressOfNames; // RVA from base of image
350			public UInt32 AddressOfNameOrdinals; // RVA from base of image
351			}
352			#endregion
353			#endregion
354			}
355			}