ViewVC Help
View File | Revision Log | Show Annotations | Download File | View Changeset | Root Listing
root/RomCheater/trunk/Win32/Sojaner.MemoryScanner/PEReader.cs
Revision: 340
Committed: Fri Jun 8 01:12:08 2012 UTC (10 years, 6 months ago) by william
File size: 49626 byte(s)
Log Message:
+ wip for data direcory tables

File Contents

# User Rev Content
1 william 299 #define ENABLE_LOGGING
2     using System;
3 william 159 using System.Collections.Generic;
4     using System.Linq;
5     using System.Text;
6     using System.IO;
7     using RomCheater.Logging;
8     using System.Runtime.InteropServices;
9     using System.Diagnostics;
10 william 318 using System.ComponentModel;
11 william 323 using RomCheater.PluginFramework.Events;
12     using Sojaner.MemoryScanner;
13 william 159
14 william 323 namespace RomCheater.PluginFramework.Events
15     {
16     public interface IAcceptPEData
17     {
18     void SetPEViewerData(PEReader.PEData peData);
19     }
20     public interface IAcceptsPEData
21     {
22     event BaseEventHandler<PEViewerDataUpdatedEvent> OnPEDataUpdated;
23     }
24     public interface IPEViewerDataUpdatedEvent
25     {
26     PEReader.PEData PEData { get; }
27     }
28     public class PEViewerDataUpdatedEvent : BaseEventArgs, IPEViewerDataUpdatedEvent
29     {
30     public PEViewerDataUpdatedEvent() : this(new PEReader.PEData()) { }
31     public PEViewerDataUpdatedEvent(object sender) : this(sender, new PEReader.PEData()) { }
32     public PEViewerDataUpdatedEvent(PEReader.PEData peData) : base() { this.PEData = peData; }
33     public PEViewerDataUpdatedEvent(object sender, PEReader.PEData peData) : base(sender) { this.PEData = peData; }
34     #region IPEViewerDataUpdatedEvent members
35     public PEReader.PEData PEData { get; private set; }
36     #endregion
37     }
38     }
39 william 159 namespace Sojaner.MemoryScanner
40     {
41     public class PEReader
42     {
43 william 294 // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
44     #region Structs
45 william 319
46     [Flags]
47     public enum MachineTypeFlags
48     {
49     x86 = 0x14C,
50     Alpha = 0x184,
51     ARM = 0x1C0,
52     MIPS16R3000 = 0x162,
53     MIPS16R4000 = 0x166,
54     MIPS16R10000 = 0x168,
55     PowerPCLE = 0x1F0,
56     PowerPCBE = 0x1F2,
57     Itanium = 0x200,
58     MIPS16 = 0x266,
59     Alpha64 = 0x284,
60     MIPSFPU = 0x366,
61     MIPSFPU16 = 0x466,
62     x64 = 0x8664,
63     }
64 william 320 public enum MagicType : ushort
65     {
66     NT_OPTIONAL_HEADER_NOT_PRESENT, // 0
67     NT_OPTIONAL_HEADER_32 = 0x10b,
68     NT_OPTIONAL_HEADER_64 = 0x20b
69     }
70     public enum SubSystemType : ushort
71     {
72     IMAGE_SUBSYSTEM_UNKNOWN = 0,
73     IMAGE_SUBSYSTEM_NATIVE = 1,
74     IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
75     IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
76     IMAGE_SUBSYSTEM_POSIX_CUI = 7,
77     IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
78     IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
79     IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
80     IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
81     IMAGE_SUBSYSTEM_EFI_ROM = 13,
82     IMAGE_SUBSYSTEM_XBOX = 14
83 william 319
84 william 320 }
85     public enum DllCharacteristicsType : ushort
86     {
87     RES_0 = 0x0001,
88     RES_1 = 0x0002,
89     RES_2 = 0x0004,
90     RES_3 = 0x0008,
91     IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
92     IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
93     IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
94     IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
95     IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
96     IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
97     RES_4 = 0x1000,
98     IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
99     IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
100     }
101 william 340 [Flags]
102     public enum DataSectionFlags : uint
103     {
104     /// <summary>
105     /// Reserved for future use.
106     /// </summary>
107     TypeReg = 0x00000000,
108     /// <summary>
109     /// Reserved for future use.
110     /// </summary>
111     TypeDsect = 0x00000001,
112     /// <summary>
113     /// Reserved for future use.
114     /// </summary>
115     TypeNoLoad = 0x00000002,
116     /// <summary>
117     /// Reserved for future use.
118     /// </summary>
119     TypeGroup = 0x00000004,
120     /// <summary>
121     /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
122     /// </summary>
123     TypeNoPadded = 0x00000008,
124     /// <summary>
125     /// Reserved for future use.
126     /// </summary>
127     TypeCopy = 0x00000010,
128     /// <summary>
129     /// The section contains executable code.
130     /// </summary>
131     ContentCode = 0x00000020,
132     /// <summary>
133     /// The section contains initialized data.
134     /// </summary>
135     ContentInitializedData = 0x00000040,
136     /// <summary>
137     /// The section contains uninitialized data.
138     /// </summary>
139     ContentUninitializedData = 0x00000080,
140     /// <summary>
141     /// Reserved for future use.
142     /// </summary>
143     LinkOther = 0x00000100,
144     /// <summary>
145     /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
146     /// </summary>
147     LinkInfo = 0x00000200,
148     /// <summary>
149     /// Reserved for future use.
150     /// </summary>
151     TypeOver = 0x00000400,
152     /// <summary>
153     /// The section will not become part of the image. This is valid only for object files.
154     /// </summary>
155     LinkRemove = 0x00000800,
156     /// <summary>
157     /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
158     /// </summary>
159     LinkComDat = 0x00001000,
160     /// <summary>
161     /// Reset speculative exceptions handling bits in the TLB entries for this section.
162     /// </summary>
163     NoDeferSpecExceptions = 0x00004000,
164     /// <summary>
165     /// The section contains data referenced through the global pointer (GP).
166     /// </summary>
167     RelativeGP = 0x00008000,
168     /// <summary>
169     /// Reserved for future use.
170     /// </summary>
171     MemPurgeable = 0x00020000,
172     /// <summary>
173     /// Reserved for future use.
174     /// </summary>
175     Memory16Bit = 0x00020000,
176     /// <summary>
177     /// Reserved for future use.
178     /// </summary>
179     MemoryLocked = 0x00040000,
180     /// <summary>
181     /// Reserved for future use.
182     /// </summary>
183     MemoryPreload = 0x00080000,
184     /// <summary>
185     /// Align data on a 1-byte boundary. Valid only for object files.
186     /// </summary>
187     Align1Bytes = 0x00100000,
188     /// <summary>
189     /// Align data on a 2-byte boundary. Valid only for object files.
190     /// </summary>
191     Align2Bytes = 0x00200000,
192     /// <summary>
193     /// Align data on a 4-byte boundary. Valid only for object files.
194     /// </summary>
195     Align4Bytes = 0x00300000,
196     /// <summary>
197     /// Align data on an 8-byte boundary. Valid only for object files.
198     /// </summary>
199     Align8Bytes = 0x00400000,
200     /// <summary>
201     /// Align data on a 16-byte boundary. Valid only for object files.
202     /// </summary>
203     Align16Bytes = 0x00500000,
204     /// <summary>
205     /// Align data on a 32-byte boundary. Valid only for object files.
206     /// </summary>
207     Align32Bytes = 0x00600000,
208     /// <summary>
209     /// Align data on a 64-byte boundary. Valid only for object files.
210     /// </summary>
211     Align64Bytes = 0x00700000,
212     /// <summary>
213     /// Align data on a 128-byte boundary. Valid only for object files.
214     /// </summary>
215     Align128Bytes = 0x00800000,
216     /// <summary>
217     /// Align data on a 256-byte boundary. Valid only for object files.
218     /// </summary>
219     Align256Bytes = 0x00900000,
220     /// <summary>
221     /// Align data on a 512-byte boundary. Valid only for object files.
222     /// </summary>
223     Align512Bytes = 0x00A00000,
224     /// <summary>
225     /// Align data on a 1024-byte boundary. Valid only for object files.
226     /// </summary>
227     Align1024Bytes = 0x00B00000,
228     /// <summary>
229     /// Align data on a 2048-byte boundary. Valid only for object files.
230     /// </summary>
231     Align2048Bytes = 0x00C00000,
232     /// <summary>
233     /// Align data on a 4096-byte boundary. Valid only for object files.
234     /// </summary>
235     Align4096Bytes = 0x00D00000,
236     /// <summary>
237     /// Align data on an 8192-byte boundary. Valid only for object files.
238     /// </summary>
239     Align8192Bytes = 0x00E00000,
240     /// <summary>
241     /// The section contains extended relocations.
242     /// </summary>
243     LinkExtendedRelocationOverflow = 0x01000000,
244     /// <summary>
245     /// The section can be discarded as needed.
246     /// </summary>
247     MemoryDiscardable = 0x02000000,
248     /// <summary>
249     /// The section cannot be cached.
250     /// </summary>
251     MemoryNotCached = 0x04000000,
252     /// <summary>
253     /// The section is not pageable.
254     /// </summary>
255     MemoryNotPaged = 0x08000000,
256     /// <summary>
257     /// The section can be shared in memory.
258     /// </summary>
259     MemoryShared = 0x10000000,
260     /// <summary>
261     /// The section can be executed as code.
262     /// </summary>
263     MemoryExecute = 0x20000000,
264     /// <summary>
265     /// The section can be read.
266     /// </summary>
267     MemoryRead = 0x40000000,
268     /// <summary>
269     /// The section can be written to.
270     /// </summary>
271     MemoryWrite = 0x80000000
272     }
273 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
274 william 294 [StructLayout(LayoutKind.Sequential)]
275     public struct IMAGE_DOS_HEADER
276 william 290 {
277 william 318 public UInt16 _e_magic;
278     public UInt16 _e_cblp;
279     public UInt16 _e_cp;
280     public UInt16 _e_crlc;
281     public UInt16 _e_cparhdr;
282     public UInt16 _e_minalloc;
283     public UInt16 _e_maxalloc;
284     public UInt16 _e_ss;
285     public UInt16 _e_sp;
286     public UInt16 _e_csum;
287     public UInt16 _e_ip;
288     public UInt16 _e_cs;
289     public UInt16 _e_lfarlc;
290     public UInt16 _e_ovno;
291 william 294 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
292 william 318 public UInt16[] _e_res1;
293     public UInt16 _e_oemid;
294     public UInt16 _e_oeminfo;
295 william 294 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
296 william 318 public UInt16[] _e_res2;
297     public UInt32 _e_lfanew;
298    
299     public string e_magic { get { return string.Format("0x{0:x4}", _e_magic); } }
300     public string e_cblp { get { return string.Format("0x{0:x4}", _e_cblp); } }
301     public string e_cp { get { return string.Format("0x{0:x4}", _e_cp); } }
302     public string e_crlc { get { return string.Format("0x{0:x4}", _e_crlc); } }
303     public string e_cparhdr { get { return string.Format("0x{0:x4}", _e_cparhdr); } }
304     public string e_minalloc { get { return string.Format("0x{0:x4}", _e_minalloc); } }
305     public string e_maxalloc { get { return string.Format("0x{0:x4}", _e_maxalloc); } }
306     public string e_ss { get { return string.Format("0x{0:x4}", _e_ss); } }
307     public string e_sp { get { return string.Format("0x{0:x4}", _e_sp); } }
308     public string e_csum { get { return string.Format("0x{0:x4}", _e_csum); } }
309     public string e_ip { get { return string.Format("0x{0:x4}", _e_ip); } }
310     public string e_cs { get { return string.Format("0x{0:x4}", _e_cs); } }
311     public string e_lfarlc { get { return string.Format("0x{0:x4}", _e_lfarlc); } }
312     public string e_ovno { get { return string.Format("0x{0:x4}", _e_ovno); } }
313     public ushort[] e_res1 { get { return _e_res1; } }
314     public string e_oemid { get { return string.Format("0x{0:x4}", _e_oemid); } }
315     public string e_oeminfo { get { return string.Format("0x{0:x4}", _e_oeminfo); } }
316     public ushort[] e_res2 { get { return _e_res2; } }
317     public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
318    
319 william 319 public override string ToString()
320     {
321     return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
322     }
323 william 290 }
324 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
325 william 294 [StructLayout(LayoutKind.Sequential)]
326     public struct IMAGE_NT_HEADERS
327 william 159 {
328 william 319 public UInt32 _Signature;
329     public IMAGE_FILE_HEADER _FileHeader;
330     public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
331     public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
332    
333     public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
334     public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
335     public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32;} }
336     public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64;} }
337    
338     public override string ToString()
339     {
340     return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
341     }
342 william 159 }
343 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
344 william 159 [StructLayout(LayoutKind.Sequential)]
345     public struct IMAGE_FILE_HEADER
346     {
347 william 319 public UInt16 _MachineType;
348     public UInt16 _NumberOfSections;
349 william 322 public Int32 _TimeDateStamp;
350 william 319 public UInt32 _PointerToSymbolTable;
351     public UInt32 _NumberOfSymbols;
352     public UInt16 _SizeOfOptionalHeader;
353     public UInt16 _Characteristics;
354    
355    
356     public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
357     public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
358     public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
359     public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
360     public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
361     public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
362     public string Characteristics { get { return string.Format("0x{0:x4}", _Characteristics); } }
363     public override string ToString()
364     {
365     return MachineType;
366     }
367    
368 william 322 private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate)
369 william 319 {
370 william 322 Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF);
371     Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16);
372 william 319 return GetDateTimeFromDosDateTime(i16Time, i16Date);
373     }
374 william 322 private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date)
375 william 319 {
376 william 322 try
377     {
378     int iYear = 0;
379     int iMonth = 1;
380     int iDay = 1;
381     int iHour = 0;
382     int iMinute = 0;
383     int iSecond = 0;
384     iDay = (i16Date & 0x1F);
385     iMonth = ((i16Date & 0x01E0) >> 5);
386     iYear = 1980 + ((i16Date & 0xFE00) >> 9);
387     iSecond = (i16Time & 0x1F) * 2;
388     iMinute = ((i16Time & 0x07E0) >> 5);
389     iHour = ((i16Time & 0x0F800) >> 11);
390     return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
391     }
392     catch
393     {
394     return new DateTime();
395     }
396 william 319 }
397    
398 william 159 }
399 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
400 william 340 [StructLayout(LayoutKind.Explicit)]
401 william 294 public struct IMAGE_OPTIONAL_HEADER32
402 william 159 {
403 william 340 [FieldOffset(0)]
404     public MagicType _Magic;
405     [FieldOffset(2)]
406     public byte _MajorLinkerVersion;
407     [FieldOffset(3)]
408     public byte _MinorLinkerVersion;
409     [FieldOffset(4)]
410     public uint _SizeOfCode;
411     [FieldOffset(8)]
412     public uint _SizeOfInitializedData;
413     [FieldOffset(12)]
414     public uint _SizeOfUninitializedData;
415     [FieldOffset(16)]
416     public uint _AddressOfEntryPoint;
417     [FieldOffset(20)]
418     public uint _BaseOfCode;
419     // PE32 contains this additional field
420     [FieldOffset(24)]
421     public uint _BaseOfData;
422     [FieldOffset(28)]
423     public uint _ImageBase;
424     [FieldOffset(32)]
425     public uint _SectionAlignment;
426     [FieldOffset(36)]
427     public uint _FileAlignment;
428     [FieldOffset(40)]
429     public ushort _MajorOperatingSystemVersion;
430     [FieldOffset(42)]
431     public ushort _MinorOperatingSystemVersion;
432     [FieldOffset(44)]
433     public ushort _MajorImageVersion;
434     [FieldOffset(46)]
435     public ushort _MinorImageVersion;
436     [FieldOffset(48)]
437     public ushort _MajorSubsystemVersion;
438     [FieldOffset(50)]
439     public ushort _MinorSubsystemVersion;
440     [FieldOffset(52)]
441     public uint _Win32VersionValue;
442     [FieldOffset(56)]
443     public uint _SizeOfImage;
444     [FieldOffset(60)]
445     public uint _SizeOfHeaders;
446     [FieldOffset(64)]
447     public uint _CheckSum;
448     [FieldOffset(68)]
449     public SubSystemType _Subsystem;
450     [FieldOffset(70)]
451     public DllCharacteristicsType _DllCharacteristics;
452     [FieldOffset(72)]
453     public uint _SizeOfStackReserve;
454     [FieldOffset(76)]
455     public uint _SizeOfStackCommit;
456     [FieldOffset(80)]
457     public uint _SizeOfHeapReserve;
458     [FieldOffset(84)]
459     public uint _SizeOfHeapCommit;
460     [FieldOffset(88)]
461     public uint _LoaderFlags;
462     [FieldOffset(92)]
463     public uint _NumberOfRvaAndSizes;
464     //[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
465     //public IMAGE_DATA_DIRECTORY[] _DataDirectory;
466 william 320
467 william 340 /*
468     * Offset (PE/PE32+) Description
469     96/112 Export table address and size
470     104/120 Import table address and size
471     112/128 Resource table address and size
472     120/136 Exception table address and size
473     128/144 Certificate table address and size
474     136/152 Base relocation table address and size
475     144/160 Debugging information starting address and size
476     152/168 Architecture-specific data address and size
477     160/176 Global pointer register relative virtual address
478     168/184 Thread local storage (TLS) table address and size
479     176/192 Load configuration table address and size
480     184/200 Bound import table address and size
481     192/208 Import address table address and size
482     200/216 Delay import descriptor address and size
483     208/224 The CLR header address and size
484     216/232 Reserved
485     */
486     [FieldOffset(96)]
487     public IMAGE_DATA_DIRECTORY _ExportTable;
488     public IMAGE_DATA_DIRECTORY ExportTable { get { return _ExportTable; } }
489     [FieldOffset(104)]
490     public IMAGE_DATA_DIRECTORY _ImportTable;
491     public IMAGE_DATA_DIRECTORY ImportTable { get { return _ImportTable; } }
492     [FieldOffset(112)]
493     public IMAGE_DATA_DIRECTORY _ResourceTable;
494     public IMAGE_DATA_DIRECTORY ResourceTable { get { return _ResourceTable; } }
495     [FieldOffset(120)]
496     public IMAGE_DATA_DIRECTORY _ExceptionTable;
497     public IMAGE_DATA_DIRECTORY ExceptionTable { get { return _ExceptionTable; } }
498     [FieldOffset(128)]
499     public IMAGE_DATA_DIRECTORY _CertificateTable;
500     public IMAGE_DATA_DIRECTORY CertificateTable { get { return _CertificateTable; } }
501     [FieldOffset(136)]
502     public IMAGE_DATA_DIRECTORY _BaseRelocationTable;
503     public IMAGE_DATA_DIRECTORY BaseRelocationTable { get { return _BaseRelocationTable; } }
504     [FieldOffset(144)]
505     public IMAGE_DATA_DIRECTORY _Debug;
506     public IMAGE_DATA_DIRECTORY Debug { get { return _Debug; } }
507     [FieldOffset(152)]
508     public IMAGE_DATA_DIRECTORY _Architecture;
509     public IMAGE_DATA_DIRECTORY Architecture { get { return _Architecture; } }
510     [FieldOffset(160)]
511     public IMAGE_DATA_DIRECTORY _GlobalPtr;
512     public IMAGE_DATA_DIRECTORY GlobalPtr { get { return _GlobalPtr; } }
513     [FieldOffset(168)]
514     public IMAGE_DATA_DIRECTORY _TLSTable;
515     public IMAGE_DATA_DIRECTORY TLSTable { get { return _TLSTable; } }
516     [FieldOffset(176)]
517     public IMAGE_DATA_DIRECTORY _LoadConfigTable;
518     public IMAGE_DATA_DIRECTORY LoadConfigTable { get { return _LoadConfigTable; } }
519     [FieldOffset(184)]
520     public IMAGE_DATA_DIRECTORY _BoundImport;
521     public IMAGE_DATA_DIRECTORY BoundImport { get { return _BoundImport; } }
522     [FieldOffset(192)]
523     public IMAGE_DATA_DIRECTORY _IAT;
524     public IMAGE_DATA_DIRECTORY IAT { get { return _IAT; } }
525     [FieldOffset(200)]
526     public IMAGE_DATA_DIRECTORY _DelayImportDescriptor;
527     public IMAGE_DATA_DIRECTORY DelayImportDescriptor { get { return _DelayImportDescriptor; } }
528     [FieldOffset(208)]
529     public IMAGE_DATA_DIRECTORY _CLRRuntimeHeader;
530     public IMAGE_DATA_DIRECTORY CLRRuntimeHeader { get { return _CLRRuntimeHeader; } }
531     [FieldOffset(216)]
532     public IMAGE_DATA_DIRECTORY _Reserved;
533     public IMAGE_DATA_DIRECTORY Reserved { get { return _ExportTable; } }
534 william 320
535 william 340
536 william 320 public string Magic { get { return ((MagicType)_Magic).ToString(); } }
537     public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
538     public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
539    
540     public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
541     public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
542     public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
543     public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
544     public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
545     public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
546     public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
547    
548 william 337 public string SectionAlignment { get { return _SectionAlignment.ToString();} }
549 william 336 public string FileAlignment { get { return _FileAlignment.ToString(); } }
550 william 320
551     public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
552     public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
553     public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
554     public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
555     public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
556     public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
557    
558     public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
559     public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
560     public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
561     public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
562    
563     public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
564 william 340 public string DllCharacteristics { get { return ((DllCharacteristicsType)_DllCharacteristics).ToString(); } }
565 william 320
566     public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
567     public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
568     public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
569     public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
570    
571     public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
572     public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
573     public override string ToString()
574     {
575     return Magic;
576     }
577 william 159 }
578 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
579 william 340 [StructLayout(LayoutKind.Explicit)]
580 william 294 public struct IMAGE_OPTIONAL_HEADER64
581 william 159 {
582 william 340 [FieldOffset(0)]
583     public MagicType _Magic;
584     [FieldOffset(2)]
585     public byte _MajorLinkerVersion;
586     [FieldOffset(3)]
587     public byte _MinorLinkerVersion;
588     [FieldOffset(4)]
589     public uint _SizeOfCode;
590     [FieldOffset(8)]
591     public uint _SizeOfInitializedData;
592     [FieldOffset(12)]
593     public uint _SizeOfUninitializedData;
594     [FieldOffset(16)]
595     public uint _AddressOfEntryPoint;
596     [FieldOffset(20)]
597     public uint _BaseOfCode;
598     //// PE32 contains this additional field
599     //[FieldOffset(24)]
600     //public uint _BaseOfData;
601     [FieldOffset(24)]
602     public uint _ImageBase;
603     [FieldOffset(28)]
604     public uint _SectionAlignment;
605     [FieldOffset(32)]
606     public uint _FileAlignment;
607     [FieldOffset(36)]
608     public ushort _MajorOperatingSystemVersion;
609     [FieldOffset(40)]
610     public ushort _MinorOperatingSystemVersion;
611     [FieldOffset(42)]
612     public ushort _MajorImageVersion;
613     [FieldOffset(44)]
614     public ushort _MinorImageVersion;
615     [FieldOffset(46)]
616     public ushort _MajorSubsystemVersion;
617     [FieldOffset(38)]
618     public ushort _MinorSubsystemVersion;
619     [FieldOffset(50)]
620     public uint _Win32VersionValue;
621     [FieldOffset(52)]
622     public uint _SizeOfImage;
623     [FieldOffset(56)]
624     public uint _SizeOfHeaders;
625     [FieldOffset(60)]
626     public uint _CheckSum;
627     [FieldOffset(64)]
628     public SubSystemType _Subsystem;
629     [FieldOffset(68)]
630     public DllCharacteristicsType _DllCharacteristics;
631     [FieldOffset(70)]
632     public uint _SizeOfStackReserve;
633     [FieldOffset(72)]
634     public uint _SizeOfStackCommit;
635     [FieldOffset(76)]
636     public uint _SizeOfHeapReserve;
637     [FieldOffset(80)]
638     public uint _SizeOfHeapCommit;
639     [FieldOffset(84)]
640     public uint _LoaderFlags;
641     [FieldOffset(88)]
642     public uint _NumberOfRvaAndSizes;
643     //[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
644     //public IMAGE_DATA_DIRECTORY[] _DataDirectory;
645 william 320
646 william 340 [FieldOffset(112)]
647     public IMAGE_DATA_DIRECTORY _ExportTable;
648     public IMAGE_DATA_DIRECTORY ExportTable { get { return _ExportTable; } }
649     [FieldOffset(120)]
650     public IMAGE_DATA_DIRECTORY _ImportTable;
651     public IMAGE_DATA_DIRECTORY ImportTable { get { return _ImportTable; } }
652     [FieldOffset(128)]
653     public IMAGE_DATA_DIRECTORY _ResourceTable;
654     public IMAGE_DATA_DIRECTORY ResourceTable { get { return _ResourceTable; } }
655     [FieldOffset(136)]
656     public IMAGE_DATA_DIRECTORY _ExceptionTable;
657     public IMAGE_DATA_DIRECTORY ExceptionTable { get { return _ExceptionTable; } }
658     [FieldOffset(144)]
659     public IMAGE_DATA_DIRECTORY _CertificateTable;
660     public IMAGE_DATA_DIRECTORY CertificateTable { get { return _CertificateTable; } }
661     [FieldOffset(152)]
662     public IMAGE_DATA_DIRECTORY _BaseRelocationTable;
663     public IMAGE_DATA_DIRECTORY BaseRelocationTable { get { return _BaseRelocationTable; } }
664     [FieldOffset(160)]
665     public IMAGE_DATA_DIRECTORY _Debug;
666     public IMAGE_DATA_DIRECTORY Debug { get { return _Debug; } }
667     [FieldOffset(168)]
668     public IMAGE_DATA_DIRECTORY _Architecture;
669     public IMAGE_DATA_DIRECTORY Architecture { get { return _Architecture; } }
670     [FieldOffset(176)]
671     public IMAGE_DATA_DIRECTORY _GlobalPtr;
672     public IMAGE_DATA_DIRECTORY GlobalPtr { get { return _GlobalPtr; } }
673     [FieldOffset(184)]
674     public IMAGE_DATA_DIRECTORY _TLSTable;
675     public IMAGE_DATA_DIRECTORY TLSTable { get { return _TLSTable; } }
676     [FieldOffset(192)]
677     public IMAGE_DATA_DIRECTORY _LoadConfigTable;
678     public IMAGE_DATA_DIRECTORY LoadConfigTable { get { return _LoadConfigTable; } }
679     [FieldOffset(200)]
680     public IMAGE_DATA_DIRECTORY _BoundImport;
681     public IMAGE_DATA_DIRECTORY BoundImport { get { return _BoundImport; } }
682     [FieldOffset(208)]
683     public IMAGE_DATA_DIRECTORY _IAT;
684     public IMAGE_DATA_DIRECTORY IAT { get { return _IAT; } }
685     [FieldOffset(216)]
686     public IMAGE_DATA_DIRECTORY _DelayImportDescriptor;
687     public IMAGE_DATA_DIRECTORY DelayImportDescriptor { get { return _DelayImportDescriptor; } }
688     [FieldOffset(224)]
689     public IMAGE_DATA_DIRECTORY _CLRRuntimeHeader;
690     public IMAGE_DATA_DIRECTORY CLRRuntimeHeader { get { return _CLRRuntimeHeader; } }
691     [FieldOffset(232)]
692     public IMAGE_DATA_DIRECTORY _Reserved;
693     public IMAGE_DATA_DIRECTORY Reserved { get { return _ExportTable; } }
694 william 320
695     public string Magic { get { return ((MagicType)_Magic).ToString(); } }
696     public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
697     public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
698    
699     public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
700     public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
701     public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
702     public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
703     public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
704    
705     public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
706    
707     public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
708     public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
709    
710     public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
711     public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
712     public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
713     public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
714     public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
715     public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
716    
717     public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
718     public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
719     public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
720     public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
721    
722     public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
723     public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
724    
725     public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
726     public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
727     public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
728     public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
729    
730     public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
731     public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
732    
733     public override string ToString()
734     {
735     return Magic;
736     }
737 william 159 }
738 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
739 william 294 [StructLayout(LayoutKind.Sequential)]
740     public struct IMAGE_DATA_DIRECTORY
741 william 159 {
742 william 320 public UInt32 _VirtualAddress;
743     public UInt32 _Size;
744    
745     public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
746     public string Size { get { return string.Format("0x{0:x8}", _Size); } }
747 william 339
748     public override string ToString()
749     {
750     return string.Format("(Size={0}) (VirtualAddress={1})", Size, VirtualAddress);
751     }
752    
753 william 159 }
754 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
755 william 294 [StructLayout(LayoutKind.Sequential)]
756     public struct IMAGE_SECTION_HEADER
757 william 159 {
758 william 294 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
759 william 319 public string _Name;
760     public Misc _Misc;
761     public UInt32 _VirtualAddress;
762     public UInt32 _SizeOfRawData;
763     public UInt32 _PointerToRawData;
764     public UInt32 _PointerToRelocations;
765     public UInt32 _PointerToLinenumbers;
766     public UInt16 _NumberOfRelocations;
767     public UInt16 _NumberOfLinenumbers;
768     public UInt32 _Characteristics;
769    
770     public string Name { get { return _Name; } }
771     public Misc Misc { get { return _Misc; } }
772     public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
773     public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
774     public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
775     public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
776     public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
777     public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
778     public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
779 william 340 public DataSectionFlags Characteristics { get { return (DataSectionFlags) _Characteristics; } }
780 william 319 public override string ToString()
781     {
782     return Name;
783     }
784 william 159 }
785 william 318 [TypeConverter(typeof(ExpandableObjectConverter))]
786 william 159 [StructLayout(LayoutKind.Explicit)]
787 william 294 public struct Misc
788 william 159 {
789     [FieldOffset(0)]
790 william 319 public UInt32 _PhysicalAddress;
791 william 294 [FieldOffset(0)]
792 william 319 public UInt32 _VirtualSize;
793    
794     public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
795     public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
796    
797 william 294 }
798 william 159
799 william 294 #endregion
800 william 159
801 william 294 #region Fields
802 william 159
803 william 294 private readonly IMAGE_DOS_HEADER _dosHeader;
804     private IMAGE_NT_HEADERS _ntHeaders;
805     private readonly IList<IMAGE_SECTION_HEADER> _sectionHeaders = new List<IMAGE_SECTION_HEADER>();
806     #endregion
807 william 159
808 william 299 #region logging implementation
809     private static class log
810     {
811     public static class verbose
812     {
813     public static class debug
814     {
815     public static void writeline(string format, params object[] args)
816     {
817     #if ENABLE_LOGGING
818     logger.VerboseDebug.WriteLine(format, args);
819     #endif
820     }
821     public static void write(string format, params object[] args)
822     {
823     #if ENABLE_LOGGING
824     logger.VerboseDebug.Write(format, args);
825     #endif
826     }
827     }
828     public static class error
829     {
830     public static void writeline(string format, params object[] args)
831     {
832     #if ENABLE_LOGGING
833     logger.VerboseError.WriteLine(format, args);
834     #endif
835     }
836     public static void write(string format, params object[] args)
837     {
838     #if ENABLE_LOGGING
839     logger.VerboseError.Write(format, args);
840     #endif
841     }
842     }
843     }
844     }
845     #endregion
846    
847    
848 william 323 public PEData GetPEData
849 william 318 {
850     get
851     {
852 william 319 PEData _data = new PEData(_dosHeader, _ntHeaders, _sectionHeaders.ToArray());
853 william 318 return _data;
854     }
855     }
856 william 323 #region PEData
857 william 318 public class PEData
858     {
859 william 319 public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }) { }
860     public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders)
861 william 318 {
862     this.DosHeader = DosHeader;
863     this.NTHeader = NTHeader;
864     this.SectionHeaders = SectionHeaders;
865     }
866     public IMAGE_DOS_HEADER DosHeader { get; private set; }
867     public IMAGE_NT_HEADERS NTHeader { get; private set; }
868 william 319 public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
869 william 324
870     public bool Is32bitAssembly()
871     {
872     return ((NTHeader.FileHeader._Characteristics & 0x0100) == 0x0100);
873     }
874 william 318 }
875    
876     #endregion
877    
878 william 294 public PEReader(FileInfo fi) : this(fi.FullName) { }
879     public PEReader(string filename)
880 william 299 {
881 william 294 Exception ErrorInfo = null;
882     using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read))
883     {
884     try
885     {
886 william 299 log.verbose.debug.writeline("Reading PE Format from: {0}", filename);
887 william 294 BinaryReader reader = new BinaryReader(fs);
888     // Reset reader position, just in case
889     reader.BaseStream.Seek(0, SeekOrigin.Begin);
890 william 159
891 william 294 // Read MS-DOS header section
892     _dosHeader = MarshalBytesTo<IMAGE_DOS_HEADER>(reader);
893     // MS-DOS magic number should read 'MZ'
894 william 318 if (_dosHeader._e_magic != 0x5a4d)
895 william 294 {
896     throw new InvalidOperationException("File is not a portable executable.");
897     }
898 william 159
899 william 294 // Skip MS-DOS stub and seek reader to NT Headers
900 william 318 reader.BaseStream.Seek(_dosHeader._e_lfanew, SeekOrigin.Begin);
901 william 159
902 william 294 // Read NT Headers
903 william 319 _ntHeaders._Signature = MarshalBytesTo<UInt32>(reader);
904 william 159
905 william 294 // Make sure we have 'PE' in the pe signature
906 william 319 if (_ntHeaders._Signature != 0x4550)
907 william 294 {
908     throw new InvalidOperationException("Invalid portable executable signature in NT header.");
909     }
910 william 159
911 william 319 _ntHeaders._FileHeader = MarshalBytesTo<IMAGE_FILE_HEADER>(reader);
912 william 294 // Read optional headers
913     if (Is32bitAssembly())
914     {
915 william 299 log.verbose.debug.writeline("\tDetected a 32Bit PE Executable");
916 william 294 Load32bitOptionalHeaders(reader);
917     }
918     else
919     {
920 william 299 log.verbose.debug.writeline("\tDetected a 64Bit PE Executable");
921 william 294 Load64bitOptionalHeaders(reader);
922     }
923 william 159
924 william 294 // Read section data
925 william 299 log.verbose.debug.writeline("\tTotal Section Headers: {0}", _sectionHeaders.Count);
926 william 339 List<int> section_header_indexes_to_remove = new List<int>();
927     for (int i = 0; i < _sectionHeaders.Count; i++)
928     {
929     if (_sectionHeaders[i]._VirtualAddress == 0)
930     section_header_indexes_to_remove.Add(i);
931     }
932     foreach (int i in section_header_indexes_to_remove)
933     {
934     _sectionHeaders.RemoveAt(i);
935     }
936 william 294 foreach (IMAGE_SECTION_HEADER header in _sectionHeaders)
937     {
938     int section_index = _sectionHeaders.IndexOf(header) + 1;
939 william 299 log.verbose.debug.writeline("\tSection Header: {0} of {1}", section_index, _sectionHeaders.Count);
940     log.verbose.debug.writeline("\t\tName: {0}", header.Name);
941     log.verbose.debug.writeline("\t\tVirtual Address: 0x{0:x8}", header.VirtualAddress);
942     log.verbose.debug.writeline("\t\tPhysical Address: 0x{0:x8}", header.Misc.PhysicalAddress);
943     log.verbose.debug.writeline("\t\tVirtual Size: 0x{0:x8}", header.Misc.VirtualSize);
944     log.verbose.debug.writeline("\t\tRaw Data Size: 0x{0:x8}", header.SizeOfRawData);
945     log.verbose.debug.writeline("\t\tPointer To Raw Data: 0x{0:x8}", header.PointerToRawData);
946 william 159
947 william 294 // Skip to beginning of a section
948 william 319 reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);
949 william 159
950 william 294 // Read section data... and do something with it
951 william 319 byte[] sectiondata = reader.ReadBytes((int)header._SizeOfRawData);
952 william 294 }
953     reader.Close();
954     }
955     catch (Exception ex)
956     {
957     ErrorInfo = ex;
958     throw ErrorInfo;
959     }
960     }
961     if (ErrorInfo != null)
962     {
963 william 299 log.verbose.error.writeline("Error Reading PE Format from: {0}", filename);
964     log.verbose.error.writeline(ErrorInfo.ToString());
965 william 294 }
966     }
967 william 159
968 william 294 public IMAGE_DOS_HEADER GetDOSHeader()
969     {
970     return _dosHeader;
971     }
972 william 159
973 william 294 public UInt32 GetPESignature()
974     {
975 william 319 return _ntHeaders._Signature;
976 william 294 }
977 william 159
978 william 294 public IMAGE_FILE_HEADER GetFileHeader()
979     {
980     return _ntHeaders.FileHeader;
981     }
982 william 159
983 william 294 public IMAGE_OPTIONAL_HEADER32 GetOptionalHeaders32()
984     {
985     return _ntHeaders.OptionalHeader32;
986     }
987 william 159
988 william 294 public IMAGE_OPTIONAL_HEADER64 GetOptionalHeaders64()
989     {
990     return _ntHeaders.OptionalHeader64;
991     }
992 william 159
993 william 294 public IList<IMAGE_SECTION_HEADER> GetSectionHeaders()
994     {
995     return _sectionHeaders;
996     }
997 william 159
998 william 294 public bool Is32bitAssembly()
999 william 159 {
1000 william 319 return ((_ntHeaders.FileHeader._Characteristics & 0x0100) == 0x0100);
1001 william 159 }
1002 william 294
1003     private void Load64bitOptionalHeaders(BinaryReader reader)
1004 william 293 {
1005 william 319 _ntHeaders._OptionalHeader64 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER64>(reader);
1006 william 293
1007 william 294 // Should have 10 data directories
1008 william 320 if (_ntHeaders.OptionalHeader64._NumberOfRvaAndSizes != 0x10)
1009 william 294 {
1010     throw new InvalidOperationException("Invalid number of data directories in NT header");
1011     }
1012 william 293
1013 william 339 List<IMAGE_DATA_DIRECTORY> idds = new List<IMAGE_DATA_DIRECTORY>();
1014 william 294 // Scan data directories and load section headers
1015 william 340 //for (int i = 0; i < _ntHeaders.OptionalHeader64._NumberOfRvaAndSizes; i++)
1016     //{
1017     // IMAGE_DATA_DIRECTORY idd = _ntHeaders.OptionalHeader64._DataDirectory[i];
1018     // uint size = idd._Size;
1019     // uint va = idd._VirtualAddress;
1020 william 339
1021 william 340 // if (size != 0 && va != 0) { idds.Add(idd); }
1022     //}
1023     //foreach (IMAGE_DATA_DIRECTORY idd in idds)
1024     //{
1025     // if (idd._Size != 0 && idd._VirtualAddress != 0)
1026     // _sectionHeaders.Add(MarshalBytesTo<IMAGE_SECTION_HEADER>(reader));
1027     //}
1028 william 294 }
1029 william 293
1030 william 294 private void Load32bitOptionalHeaders(BinaryReader reader)
1031     {
1032 william 319 _ntHeaders._OptionalHeader32 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER32>(reader);
1033 william 293
1034 william 294 // Should have 10 data directories
1035 william 320 if (_ntHeaders.OptionalHeader32._NumberOfRvaAndSizes != 0x10)
1036 william 294 {
1037     throw new InvalidOperationException("Invalid number of data directories in NT header");
1038     }
1039 william 340 //List<IMAGE_DATA_DIRECTORY> idds = new List<IMAGE_DATA_DIRECTORY>();
1040     //// Scan data directories and load section headers
1041     //for (int i = 0; i < _ntHeaders.OptionalHeader32._NumberOfRvaAndSizes; i++)
1042     //{
1043     // IMAGE_DATA_DIRECTORY idd = _ntHeaders.OptionalHeader32._DataDirectory[i];
1044     // uint size = idd._Size;
1045     // uint va = idd._VirtualAddress;
1046     // if (size != 0 && va != 0) { idds.Add(idd); }
1047     //}
1048     //foreach (IMAGE_DATA_DIRECTORY idd in idds)
1049     //{
1050     // if(idd._Size != 0 && idd._VirtualAddress != 0)
1051     // _sectionHeaders.Add(MarshalBytesTo<IMAGE_SECTION_HEADER>(reader));
1052     //}
1053 william 339
1054 william 294 }
1055 william 293
1056 william 294 private static T MarshalBytesTo<T>(BinaryReader reader)
1057     {
1058     // Unmanaged data
1059     byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
1060 william 293
1061 william 294 // Create a pointer to the unmanaged data pinned in memory to be accessed by unmanaged code
1062     GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
1063 william 293
1064 william 294 // Use our previously created pointer to unmanaged data and marshal to the specified type
1065     T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
1066 william 293
1067 william 294 // Deallocate pointer
1068     handle.Free();
1069 william 293
1070 william 294 return theStructure;
1071 william 293 }
1072 william 159 }
1073     }