ViewVC Help
View File | Revision Log | Show Annotations | Download File | View Changeset | Root Listing
root/RomCheater/trunk/Win32/Sojaner.MemoryScanner/PEReader.cs
Revision: 161
Committed: Mon May 28 05:55:59 2012 UTC (11 years, 4 months ago) by william
File size: 12144 byte(s)
Log Message:

File Contents

# User Rev Content
1 william 159 using System;
2     using System.Collections.Generic;
3     using System.Linq;
4     using System.Text;
5     using System.IO;
6     using RomCheater.Logging;
7     using System.Runtime.InteropServices;
8     using System.Diagnostics;
9    
10     namespace Sojaner.MemoryScanner
11     {
12     public class PEReader
13     {
14     public PEReader(FileInfo fi) : this(fi.FullName) { }
15     public PEReader(string filename) { this.Read(filename); }
16    
17     #region marshalling
18     private void Read(string filename)
19     {
20     logger.Debug.WriteLine("Reading Exe: {0}", filename);
21    
22     using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
23     {
24     byte[] data = new byte[] { };
25     GCHandle pinnedPacket = new GCHandle();
26     int size = 0;
27     BinaryReader br = new BinaryReader(fs);
28    
29     #region IMAGE_DOS_HEADER
30     size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
31     data = br.ReadBytes(size);
32     pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
33 william 161 IMAGE_DOS_HEADER DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
34 william 159 pinnedPacket.Free();
35     #endregion
36    
37     // skip the old dos stub
38 william 161 br.BaseStream.Seek(DOS_HEADER.e_lfanew, SeekOrigin.Begin);
39 william 159
40     #region IMAGE_NT_HEADERS
41     size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
42     data = br.ReadBytes(size);
43     pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
44 william 161 IMAGE_NT_HEADERS NT_HEADER = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
45 william 159 pinnedPacket.Free();
46     #endregion
47    
48 william 160
49 william 159 br.Close();
50     }
51    
52    
53     }
54     #endregion
55    
56     #region header support
57     #region IMAGE_DATA_DIRECTORY
58     [StructLayout(LayoutKind.Sequential)]
59     public struct IMAGE_DATA_DIRECTORY
60     {
61     public UInt32 VirtualAddress;
62     public UInt32 Size;
63 william 161 public bool HasAddress { get { return (VirtualAddress != 0); } }
64     public bool HasSize { get { return (Size > 0); } }
65 william 159 }
66     #endregion
67     #region IMAGE_FILE_HEADER
68     [StructLayout(LayoutKind.Sequential)]
69     public struct IMAGE_FILE_HEADER
70     {
71 william 160 public MachineType Machine;
72 william 159 public UInt16 NumberOfSections;
73     public UInt32 TimeDateStamp;
74     public UInt32 PointerToSymbolTable;
75     public UInt32 NumberOfSymbols;
76     public UInt16 SizeOfOptionalHeader;
77 william 160 public DllCharacteristicsType Characteristics;
78 william 159 }
79     #endregion
80     #region IMAGE_DOS_HEADER
81     [StructLayout(LayoutKind.Sequential)]
82     public struct IMAGE_DOS_HEADER
83     {
84     [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
85     public char[] e_magic; // Magic number
86     public UInt16 e_cblp; // Bytes on last page of file
87     public UInt16 e_cp; // Pages in file
88     public UInt16 e_crlc; // Relocations
89     public UInt16 e_cparhdr; // Size of header in paragraphs
90     public UInt16 e_minalloc; // Minimum extra paragraphs needed
91     public UInt16 e_maxalloc; // Maximum extra paragraphs needed
92     public UInt16 e_ss; // Initial (relative) SS value
93     public UInt16 e_sp; // Initial SP value
94     public UInt16 e_csum; // Checksum
95     public UInt16 e_ip; // Initial IP value
96     public UInt16 e_cs; // Initial (relative) CS value
97     public UInt16 e_lfarlc; // File address of relocation table
98     public UInt16 e_ovno; // Overlay number
99     [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
100     public UInt16[] e_res1; // Reserved words
101     public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
102     public UInt16 e_oeminfo; // OEM information; e_oemid specific
103     [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
104     public UInt16[] e_res2; // Reserved words
105     public Int32 e_lfanew; // File address of new exe header
106     private string _e_magic
107     {
108     get { return new string(e_magic); }
109     }
110     public bool isValid
111     {
112     get { return _e_magic == "MZ"; }
113     }
114     }
115     #endregion
116     #region IMAGE_NT_HEADERS
117     [StructLayout(LayoutKind.Explicit)]
118     public struct IMAGE_NT_HEADERS
119     {
120     [FieldOffset(0)]
121     [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
122     public char[] Signature;
123    
124     [FieldOffset(4)]
125     public IMAGE_FILE_HEADER FileHeader;
126    
127     [FieldOffset(24)]
128     public IMAGE_OPTIONAL_HEADER OptionalHeader;
129    
130     private string _Signature
131     {
132     get { return new string(Signature); }
133     }
134    
135     public bool isValid
136     {
137     get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
138     }
139     }
140     #endregion
141     #region MachineType
142     public enum MachineType : ushort
143     {
144     Native = 0,
145     I386 = 0x014c,
146     Itanium = 0x0200,
147     x64 = 0x8664
148     }
149     #endregion
150     #region MagicType
151     public enum MagicType : ushort
152     {
153     IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
154     IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
155     }
156     #endregion
157     #region SubSystemType
158     public enum SubSystemType : ushort
159     {
160     IMAGE_SUBSYSTEM_UNKNOWN = 0,
161     IMAGE_SUBSYSTEM_NATIVE = 1,
162     IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
163     IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
164     IMAGE_SUBSYSTEM_POSIX_CUI = 7,
165     IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
166     IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
167     IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
168     IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
169     IMAGE_SUBSYSTEM_EFI_ROM = 13,
170     IMAGE_SUBSYSTEM_XBOX = 14
171    
172     }
173     #endregion
174     #region DllCharacteristicsType
175 william 160 [Flags]
176 william 159 public enum DllCharacteristicsType : ushort
177     {
178     RES_0 = 0x0001,
179     RES_1 = 0x0002,
180     RES_2 = 0x0004,
181     RES_3 = 0x0008,
182     IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
183     IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
184     IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
185     IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
186     IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
187     IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
188     RES_4 = 0x1000,
189     IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
190     IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
191     }
192     #endregion
193     #region IMAGE_OPTIONAL_HEADER
194     [StructLayout(LayoutKind.Explicit)]
195     public struct IMAGE_OPTIONAL_HEADER
196     {
197     [FieldOffset(0)]
198     public MagicType Magic;
199    
200     [FieldOffset(2)]
201     public byte MajorLinkerVersion;
202    
203     [FieldOffset(3)]
204     public byte MinorLinkerVersion;
205    
206     [FieldOffset(4)]
207     public uint SizeOfCode;
208    
209     [FieldOffset(8)]
210     public uint SizeOfInitializedData;
211    
212     [FieldOffset(12)]
213     public uint SizeOfUninitializedData;
214    
215     [FieldOffset(16)]
216     public uint AddressOfEntryPoint;
217    
218     [FieldOffset(20)]
219     public uint BaseOfCode;
220    
221     // PE32 contains this additional field
222     [FieldOffset(24)]
223     public uint BaseOfData;
224    
225     [FieldOffset(28)]
226     public uint ImageBase;
227    
228     [FieldOffset(32)]
229     public uint SectionAlignment;
230    
231     [FieldOffset(36)]
232     public uint FileAlignment;
233    
234     [FieldOffset(40)]
235     public ushort MajorOperatingSystemVersion;
236    
237     [FieldOffset(42)]
238     public ushort MinorOperatingSystemVersion;
239    
240     [FieldOffset(44)]
241     public ushort MajorImageVersion;
242    
243     [FieldOffset(46)]
244     public ushort MinorImageVersion;
245    
246     [FieldOffset(48)]
247     public ushort MajorSubsystemVersion;
248    
249     [FieldOffset(50)]
250     public ushort MinorSubsystemVersion;
251    
252     [FieldOffset(52)]
253     public uint Win32VersionValue;
254    
255     [FieldOffset(56)]
256     public uint SizeOfImage;
257    
258     [FieldOffset(60)]
259     public uint SizeOfHeaders;
260    
261     [FieldOffset(64)]
262     public uint CheckSum;
263    
264     [FieldOffset(68)]
265     public SubSystemType Subsystem;
266    
267     [FieldOffset(70)]
268     public DllCharacteristicsType DllCharacteristics;
269    
270     [FieldOffset(72)]
271     public uint SizeOfStackReserve;
272    
273     [FieldOffset(76)]
274     public uint SizeOfStackCommit;
275    
276     [FieldOffset(80)]
277     public uint SizeOfHeapReserve;
278    
279     [FieldOffset(84)]
280     public uint SizeOfHeapCommit;
281    
282     [FieldOffset(88)]
283     public uint LoaderFlags;
284    
285     [FieldOffset(92)]
286     public uint NumberOfRvaAndSizes;
287    
288     [FieldOffset(96)]
289     public IMAGE_DATA_DIRECTORY ExportTable;
290    
291     [FieldOffset(104)]
292     public IMAGE_DATA_DIRECTORY ImportTable;
293    
294     [FieldOffset(112)]
295     public IMAGE_DATA_DIRECTORY ResourceTable;
296    
297     [FieldOffset(120)]
298     public IMAGE_DATA_DIRECTORY ExceptionTable;
299    
300     [FieldOffset(128)]
301     public IMAGE_DATA_DIRECTORY CertificateTable;
302    
303     [FieldOffset(136)]
304     public IMAGE_DATA_DIRECTORY BaseRelocationTable;
305    
306     [FieldOffset(144)]
307     public IMAGE_DATA_DIRECTORY Debug;
308    
309     [FieldOffset(152)]
310     public IMAGE_DATA_DIRECTORY Architecture;
311    
312     [FieldOffset(160)]
313     public IMAGE_DATA_DIRECTORY GlobalPtr;
314    
315     [FieldOffset(168)]
316     public IMAGE_DATA_DIRECTORY TLSTable;
317    
318     [FieldOffset(176)]
319     public IMAGE_DATA_DIRECTORY LoadConfigTable;
320    
321     [FieldOffset(184)]
322     public IMAGE_DATA_DIRECTORY BoundImport;
323    
324     [FieldOffset(192)]
325     public IMAGE_DATA_DIRECTORY IAT;
326    
327     [FieldOffset(200)]
328     public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
329    
330     [FieldOffset(208)]
331     public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
332    
333     [FieldOffset(216)]
334     public IMAGE_DATA_DIRECTORY Reserved;
335     }
336     #endregion
337     #region IMAGE_EXPORT_DIRECTORY
338     [StructLayout(LayoutKind.Sequential)]
339     public struct IMAGE_EXPORT_DIRECTORY
340     {
341     public UInt32 Characteristics;
342     public UInt32 TimeDateStamp;
343     public UInt16 MajorVersion;
344     public UInt16 MinorVersion;
345     public UInt32 Name;
346     public UInt32 Base;
347     public UInt32 NumberOfFunctions;
348     public UInt32 NumberOfNames;
349     public UInt32 AddressOfFunctions; // RVA from base of image
350     public UInt32 AddressOfNames; // RVA from base of image
351     public UInt32 AddressOfNameOrdinals; // RVA from base of image
352     }
353     #endregion
354     #endregion
355     }
356     }