ViewVC Help
View File | Revision Log | Show Annotations | Download File | View Changeset | Root Listing
root/RomCheater/trunk/Win32/Sojaner.MemoryScanner/PEReader.cs
(Generate patch)

Comparing trunk/Win32/Sojaner.MemoryScanner/PEReader.cs (file contents):
Revision 356 by william, Fri Jun 8 04:23:30 2012 UTC vs.
Revision 357 by william, Sun Jun 10 00:47:58 2012 UTC

# Line 17 | Line 17 | namespace RomCheater.PluginFramework.Eve
17   {
18      public interface IAcceptPEData
19      {
20 <        void SetPEViewerData(PEReader.PEData peData);
20 >        void SetPEViewerData(IPEDData peData);
21      }
22      public interface IAcceptsPEData
23      {
# Line 25 | Line 25 | namespace RomCheater.PluginFramework.Eve
25      }
26      public interface IPEViewerDataUpdatedEvent
27      {
28 <        PEReader.PEData PEData { get; }
28 >        IPEDData peData { get; }
29      }
30      public class PEViewerDataUpdatedEvent : BaseEventArgs, IPEViewerDataUpdatedEvent
31      {
32 <        public PEViewerDataUpdatedEvent() : this(new PEReader.PEData()) { }
33 <        public PEViewerDataUpdatedEvent(object sender) : this(sender, new PEReader.PEData()) { }
34 <        public PEViewerDataUpdatedEvent(PEReader.PEData peData) : base() { this.PEData = peData; }
35 <        public PEViewerDataUpdatedEvent(object sender, PEReader.PEData peData) : base(sender) { this.PEData = peData; }
32 >        public PEViewerDataUpdatedEvent() : this(PEData.Empty) { }
33 >        public PEViewerDataUpdatedEvent(object sender) : this(sender, PEData.Empty) { }
34 >        public PEViewerDataUpdatedEvent(IPEDData peData) : base() { this.peData = peData; }
35 >        public PEViewerDataUpdatedEvent(object sender, IPEDData peData) : base(sender) { this.peData = peData; }
36          #region IPEViewerDataUpdatedEvent members
37 <        public PEReader.PEData PEData { get; private set; }
37 >        public IPEDData peData { get; private set; }
38          #endregion
39      }
40   }
41   namespace Sojaner.MemoryScanner
42   {
43 <    public class PEReader
43 >
44 >    #region Structs
45 >    #region helpers
46 >    [Flags]
47 >    public enum MachineTypeFlags
48      {
49 <        // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
50 <        #region Structs
51 <        #region helpers
52 <        [Flags]
53 <        public enum MachineTypeFlags
54 <        {
55 <            x86 = 0x14C,
56 <            Alpha = 0x184,
57 <            ARM = 0x1C0,
58 <            MIPS16R3000 = 0x162,
59 <            MIPS16R4000 = 0x166,
60 <            MIPS16R10000 = 0x168,
61 <            PowerPCLE = 0x1F0,
62 <            PowerPCBE = 0x1F2,
63 <            Itanium = 0x200,
64 <            MIPS16 = 0x266,
65 <            Alpha64 = 0x284,
66 <            MIPSFPU = 0x366,
67 <            MIPSFPU16 = 0x466,
68 <            x64 = 0x8664,
69 <        }
70 <        public enum MagicType : ushort
71 <        {
72 <            NT_OPTIONAL_HEADER_NOT_PRESENT, // 0    
73 <            NT_OPTIONAL_HEADER_32 = 0x10b,
74 <            NT_OPTIONAL_HEADER_64 = 0x20b
75 <        }
76 <        public enum SubSystemType : ushort
77 <        {
78 <            IMAGE_SUBSYSTEM_UNKNOWN = 0,
79 <            IMAGE_SUBSYSTEM_NATIVE = 1,
80 <            IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
81 <            IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
82 <            IMAGE_SUBSYSTEM_POSIX_CUI = 7,
83 <            IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
84 <            IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
85 <            IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
86 <            IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
87 <            IMAGE_SUBSYSTEM_EFI_ROM = 13,
88 <            IMAGE_SUBSYSTEM_XBOX = 14
89 <
90 <        }
91 <        public enum DllCharacteristicsType : ushort
92 <        {
93 <            RES_0 = 0x0001,
94 <            RES_1 = 0x0002,
95 <            RES_2 = 0x0004,
96 <            RES_3 = 0x0008,
97 <            IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
98 <            IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
99 <            IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
100 <            IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
101 <            IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
102 <            IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
103 <            RES_4 = 0x1000,
104 <            IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
105 <            IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
106 <        }
107 <        [Flags]
108 <        public enum FileCharacteristicType : ushort
109 <        {
110 <            RelocationInformationStrippedFromFile = 0x1,
111 <            Executable = 0x2,
112 <            LineNumbersStripped = 0x4,
113 <            SymbolTableStripped = 0x8,
114 <            AggresiveTrimWorkingSet = 0x10,
115 <            LargeAddressAware = 0x20,
116 <            Supports16Bit = 0x40,
117 <            ReservedBytesWo = 0x80,
118 <            Supports32Bit = 0x100,
119 <            DebugInfoStripped = 0x200,
120 <            RunFromSwapIfInRemovableMedia = 0x400,
121 <            RunFromSwapIfInNetworkMedia = 0x800,
122 <            IsSytemFile = 0x1000,
123 <            IsDLL = 0x2000,
124 <            IsOnlyForSingleCoreProcessor = 0x4000,
125 <            BytesOfWordReserved = 0x8000,
126 <   }
127 <        #region DataSectionFlags
128 <        [Flags]
129 <        public enum DataSectionFlags : uint
130 <        {
131 <            /// <summary>
132 <            /// Reserved for future use.
133 <            /// </summary>
134 <            TypeReg = 0x00000000,
135 <            /// <summary>
136 <            /// Reserved for future use.
137 <            /// </summary>
138 <            TypeDsect = 0x00000001,
139 <            /// <summary>
140 <            /// Reserved for future use.
141 <            /// </summary>
142 <            TypeNoLoad = 0x00000002,
143 <            /// <summary>
144 <            /// Reserved for future use.
145 <            /// </summary>
146 <            TypeGroup = 0x00000004,
147 <            /// <summary>
148 <            /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
149 <            /// </summary>
150 <            TypeNoPadded = 0x00000008,
151 <            /// <summary>
152 <            /// Reserved for future use.
153 <            /// </summary>
154 <            TypeCopy = 0x00000010,
155 <            /// <summary>
156 <            /// The section contains executable code.
157 <            /// </summary>
158 <            ContentCode = 0x00000020,
159 <            /// <summary>
160 <            /// The section contains initialized data.
161 <            /// </summary>
162 <            ContentInitializedData = 0x00000040,
163 <            /// <summary>
164 <            /// The section contains uninitialized data.
165 <            /// </summary>
166 <            ContentUninitializedData = 0x00000080,
167 <            /// <summary>
168 <            /// Reserved for future use.
169 <            /// </summary>
170 <            LinkOther = 0x00000100,
171 <            /// <summary>
172 <            /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
173 <            /// </summary>
174 <            LinkInfo = 0x00000200,
175 <            /// <summary>
176 <            /// Reserved for future use.
177 <            /// </summary>
178 <            TypeOver = 0x00000400,
179 <            /// <summary>
180 <            /// The section will not become part of the image. This is valid only for object files.
181 <            /// </summary>
182 <            LinkRemove = 0x00000800,
183 <            /// <summary>
184 <            /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
185 <            /// </summary>
186 <            LinkComDat = 0x00001000,
187 <            /// <summary>
188 <            /// Reset speculative exceptions handling bits in the TLB entries for this section.
189 <            /// </summary>
190 <            NoDeferSpecExceptions = 0x00004000,
191 <            /// <summary>
192 <            /// The section contains data referenced through the global pointer (GP).
193 <            /// </summary>
194 <            RelativeGP = 0x00008000,
195 <            /// <summary>
196 <            /// Reserved for future use.
197 <            /// </summary>
198 <            MemPurgeable = 0x00020000,
199 <            /// <summary>
200 <            /// Reserved for future use.
201 <            /// </summary>
202 <            Memory16Bit = 0x00020000,
203 <            /// <summary>
204 <            /// Reserved for future use.
205 <            /// </summary>
206 <            MemoryLocked = 0x00040000,
207 <            /// <summary>
208 <            /// Reserved for future use.
209 <            /// </summary>
210 <            MemoryPreload = 0x00080000,
211 <            /// <summary>
212 <            /// Align data on a 1-byte boundary. Valid only for object files.
213 <            /// </summary>
214 <            Align1Bytes = 0x00100000,
215 <            /// <summary>
216 <            /// Align data on a 2-byte boundary. Valid only for object files.
217 <            /// </summary>
218 <            Align2Bytes = 0x00200000,
219 <            /// <summary>
220 <            /// Align data on a 4-byte boundary. Valid only for object files.
221 <            /// </summary>
222 <            Align4Bytes = 0x00300000,
223 <            /// <summary>
224 <            /// Align data on an 8-byte boundary. Valid only for object files.
225 <            /// </summary>
226 <            Align8Bytes = 0x00400000,
227 <            /// <summary>
228 <            /// Align data on a 16-byte boundary. Valid only for object files.
229 <            /// </summary>
230 <            Align16Bytes = 0x00500000,
231 <            /// <summary>
232 <            /// Align data on a 32-byte boundary. Valid only for object files.
233 <            /// </summary>
234 <            Align32Bytes = 0x00600000,
235 <            /// <summary>
236 <            /// Align data on a 64-byte boundary. Valid only for object files.
237 <            /// </summary>
238 <            Align64Bytes = 0x00700000,
239 <            /// <summary>
240 <            /// Align data on a 128-byte boundary. Valid only for object files.
241 <            /// </summary>
242 <            Align128Bytes = 0x00800000,
243 <            /// <summary>
244 <            /// Align data on a 256-byte boundary. Valid only for object files.
245 <            /// </summary>
246 <            Align256Bytes = 0x00900000,
247 <            /// <summary>
248 <            /// Align data on a 512-byte boundary. Valid only for object files.
249 <            /// </summary>
250 <            Align512Bytes = 0x00A00000,
251 <            /// <summary>
252 <            /// Align data on a 1024-byte boundary. Valid only for object files.
253 <            /// </summary>
254 <            Align1024Bytes = 0x00B00000,
255 <            /// <summary>
256 <            /// Align data on a 2048-byte boundary. Valid only for object files.
257 <            /// </summary>
258 <            Align2048Bytes = 0x00C00000,
259 <            /// <summary>
260 <            /// Align data on a 4096-byte boundary. Valid only for object files.
261 <            /// </summary>
262 <            Align4096Bytes = 0x00D00000,
263 <            /// <summary>
264 <            /// Align data on an 8192-byte boundary. Valid only for object files.
265 <            /// </summary>
266 <            Align8192Bytes = 0x00E00000,
267 <            /// <summary>
268 <            /// The section contains extended relocations.
269 <            /// </summary>
270 <            LinkExtendedRelocationOverflow = 0x01000000,
271 <            /// <summary>
272 <            /// The section can be discarded as needed.
273 <            /// </summary>
274 <            MemoryDiscardable = 0x02000000,
275 <            /// <summary>
276 <            /// The section cannot be cached.
277 <            /// </summary>
278 <            MemoryNotCached = 0x04000000,
279 <            /// <summary>
280 <            /// The section is not pageable.
281 <            /// </summary>
282 <            MemoryNotPaged = 0x08000000,
283 <            /// <summary>
284 <            /// The section can be shared in memory.
285 <            /// </summary>
286 <            MemoryShared = 0x10000000,
287 <            /// <summary>
288 <            /// The section can be executed as code.
289 <            /// </summary>
290 <            MemoryExecute = 0x20000000,
291 <            /// <summary>
292 <            /// The section can be read.
293 <            /// </summary>
294 <            MemoryRead = 0x40000000,
295 <            /// <summary>
296 <            /// The section can be written to.
297 <            /// </summary>
298 <            MemoryWrite = 0x80000000
49 >        x86 = 0x14C,
50 >        Alpha = 0x184,
51 >        ARM = 0x1C0,
52 >        MIPS16R3000 = 0x162,
53 >        MIPS16R4000 = 0x166,
54 >        MIPS16R10000 = 0x168,
55 >        PowerPCLE = 0x1F0,
56 >        PowerPCBE = 0x1F2,
57 >        Itanium = 0x200,
58 >        MIPS16 = 0x266,
59 >        Alpha64 = 0x284,
60 >        MIPSFPU = 0x366,
61 >        MIPSFPU16 = 0x466,
62 >        x64 = 0x8664,
63 >    }
64 >    public enum MagicType : ushort
65 >    {
66 >        NT_OPTIONAL_HEADER_NOT_PRESENT, // 0    
67 >        NT_OPTIONAL_HEADER_32 = 0x10b,
68 >        NT_OPTIONAL_HEADER_64 = 0x20b
69 >    }
70 >    public enum SubSystemType : ushort
71 >    {
72 >        IMAGE_SUBSYSTEM_UNKNOWN = 0,
73 >        IMAGE_SUBSYSTEM_NATIVE = 1,
74 >        IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
75 >        IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
76 >        IMAGE_SUBSYSTEM_POSIX_CUI = 7,
77 >        IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
78 >        IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
79 >        IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
80 >        IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
81 >        IMAGE_SUBSYSTEM_EFI_ROM = 13,
82 >        IMAGE_SUBSYSTEM_XBOX = 14
83 >
84 >    }
85 >    public enum DllCharacteristicsType : ushort
86 >    {
87 >        RES_0 = 0x0001,
88 >        RES_1 = 0x0002,
89 >        RES_2 = 0x0004,
90 >        RES_3 = 0x0008,
91 >        IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
92 >        IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
93 >        IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
94 >        IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
95 >        IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
96 >        IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
97 >        RES_4 = 0x1000,
98 >        IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
99 >        IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
100 >    }
101 >    [Flags]
102 >    public enum FileCharacteristicType : ushort
103 >    {
104 >        RelocationInformationStrippedFromFile = 0x1,
105 >        Executable = 0x2,
106 >        LineNumbersStripped = 0x4,
107 >        SymbolTableStripped = 0x8,
108 >        AggresiveTrimWorkingSet = 0x10,
109 >        LargeAddressAware = 0x20,
110 >        Supports16Bit = 0x40,
111 >        ReservedBytesWo = 0x80,
112 >        Supports32Bit = 0x100,
113 >        DebugInfoStripped = 0x200,
114 >        RunFromSwapIfInRemovableMedia = 0x400,
115 >        RunFromSwapIfInNetworkMedia = 0x800,
116 >        IsSytemFile = 0x1000,
117 >        IsDLL = 0x2000,
118 >        IsOnlyForSingleCoreProcessor = 0x4000,
119 >        BytesOfWordReserved = 0x8000,
120 >    }
121 >    #region DataSectionFlags
122 >    [Flags]
123 >    public enum DataSectionFlags : uint
124 >    {
125 >        /// <summary>
126 >        /// Reserved for future use.
127 >        /// </summary>
128 >        TypeReg = 0x00000000,
129 >        /// <summary>
130 >        /// Reserved for future use.
131 >        /// </summary>
132 >        TypeDsect = 0x00000001,
133 >        /// <summary>
134 >        /// Reserved for future use.
135 >        /// </summary>
136 >        TypeNoLoad = 0x00000002,
137 >        /// <summary>
138 >        /// Reserved for future use.
139 >        /// </summary>
140 >        TypeGroup = 0x00000004,
141 >        /// <summary>
142 >        /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
143 >        /// </summary>
144 >        TypeNoPadded = 0x00000008,
145 >        /// <summary>
146 >        /// Reserved for future use.
147 >        /// </summary>
148 >        TypeCopy = 0x00000010,
149 >        /// <summary>
150 >        /// The section contains executable code.
151 >        /// </summary>
152 >        ContentCode = 0x00000020,
153 >        /// <summary>
154 >        /// The section contains initialized data.
155 >        /// </summary>
156 >        ContentInitializedData = 0x00000040,
157 >        /// <summary>
158 >        /// The section contains uninitialized data.
159 >        /// </summary>
160 >        ContentUninitializedData = 0x00000080,
161 >        /// <summary>
162 >        /// Reserved for future use.
163 >        /// </summary>
164 >        LinkOther = 0x00000100,
165 >        /// <summary>
166 >        /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
167 >        /// </summary>
168 >        LinkInfo = 0x00000200,
169 >        /// <summary>
170 >        /// Reserved for future use.
171 >        /// </summary>
172 >        TypeOver = 0x00000400,
173 >        /// <summary>
174 >        /// The section will not become part of the image. This is valid only for object files.
175 >        /// </summary>
176 >        LinkRemove = 0x00000800,
177 >        /// <summary>
178 >        /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files.
179 >        /// </summary>
180 >        LinkComDat = 0x00001000,
181 >        /// <summary>
182 >        /// Reset speculative exceptions handling bits in the TLB entries for this section.
183 >        /// </summary>
184 >        NoDeferSpecExceptions = 0x00004000,
185 >        /// <summary>
186 >        /// The section contains data referenced through the global pointer (GP).
187 >        /// </summary>
188 >        RelativeGP = 0x00008000,
189 >        /// <summary>
190 >        /// Reserved for future use.
191 >        /// </summary>
192 >        MemPurgeable = 0x00020000,
193 >        /// <summary>
194 >        /// Reserved for future use.
195 >        /// </summary>
196 >        Memory16Bit = 0x00020000,
197 >        /// <summary>
198 >        /// Reserved for future use.
199 >        /// </summary>
200 >        MemoryLocked = 0x00040000,
201 >        /// <summary>
202 >        /// Reserved for future use.
203 >        /// </summary>
204 >        MemoryPreload = 0x00080000,
205 >        /// <summary>
206 >        /// Align data on a 1-byte boundary. Valid only for object files.
207 >        /// </summary>
208 >        Align1Bytes = 0x00100000,
209 >        /// <summary>
210 >        /// Align data on a 2-byte boundary. Valid only for object files.
211 >        /// </summary>
212 >        Align2Bytes = 0x00200000,
213 >        /// <summary>
214 >        /// Align data on a 4-byte boundary. Valid only for object files.
215 >        /// </summary>
216 >        Align4Bytes = 0x00300000,
217 >        /// <summary>
218 >        /// Align data on an 8-byte boundary. Valid only for object files.
219 >        /// </summary>
220 >        Align8Bytes = 0x00400000,
221 >        /// <summary>
222 >        /// Align data on a 16-byte boundary. Valid only for object files.
223 >        /// </summary>
224 >        Align16Bytes = 0x00500000,
225 >        /// <summary>
226 >        /// Align data on a 32-byte boundary. Valid only for object files.
227 >        /// </summary>
228 >        Align32Bytes = 0x00600000,
229 >        /// <summary>
230 >        /// Align data on a 64-byte boundary. Valid only for object files.
231 >        /// </summary>
232 >        Align64Bytes = 0x00700000,
233 >        /// <summary>
234 >        /// Align data on a 128-byte boundary. Valid only for object files.
235 >        /// </summary>
236 >        Align128Bytes = 0x00800000,
237 >        /// <summary>
238 >        /// Align data on a 256-byte boundary. Valid only for object files.
239 >        /// </summary>
240 >        Align256Bytes = 0x00900000,
241 >        /// <summary>
242 >        /// Align data on a 512-byte boundary. Valid only for object files.
243 >        /// </summary>
244 >        Align512Bytes = 0x00A00000,
245 >        /// <summary>
246 >        /// Align data on a 1024-byte boundary. Valid only for object files.
247 >        /// </summary>
248 >        Align1024Bytes = 0x00B00000,
249 >        /// <summary>
250 >        /// Align data on a 2048-byte boundary. Valid only for object files.
251 >        /// </summary>
252 >        Align2048Bytes = 0x00C00000,
253 >        /// <summary>
254 >        /// Align data on a 4096-byte boundary. Valid only for object files.
255 >        /// </summary>
256 >        Align4096Bytes = 0x00D00000,
257 >        /// <summary>
258 >        /// Align data on an 8192-byte boundary. Valid only for object files.
259 >        /// </summary>
260 >        Align8192Bytes = 0x00E00000,
261 >        /// <summary>
262 >        /// The section contains extended relocations.
263 >        /// </summary>
264 >        LinkExtendedRelocationOverflow = 0x01000000,
265 >        /// <summary>
266 >        /// The section can be discarded as needed.
267 >        /// </summary>
268 >        MemoryDiscardable = 0x02000000,
269 >        /// <summary>
270 >        /// The section cannot be cached.
271 >        /// </summary>
272 >        MemoryNotCached = 0x04000000,
273 >        /// <summary>
274 >        /// The section is not pageable.
275 >        /// </summary>
276 >        MemoryNotPaged = 0x08000000,
277 >        /// <summary>
278 >        /// The section can be shared in memory.
279 >        /// </summary>
280 >        MemoryShared = 0x10000000,
281 >        /// <summary>
282 >        /// The section can be executed as code.
283 >        /// </summary>
284 >        MemoryExecute = 0x20000000,
285 >        /// <summary>
286 >        /// The section can be read.
287 >        /// </summary>
288 >        MemoryRead = 0x40000000,
289 >        /// <summary>
290 >        /// The section can be written to.
291 >        /// </summary>
292 >        MemoryWrite = 0x80000000
293 >    }
294 >    #endregion
295 >    #endregion
296 >    [TypeConverter(typeof(ExpandableObjectConverter))]
297 >    [StructLayout(LayoutKind.Sequential)]
298 >    public struct IMAGE_DOS_HEADER
299 >    {
300 >        public UInt16 _e_magic;
301 >        public UInt16 _e_cblp;
302 >        public UInt16 _e_cp;
303 >        public UInt16 _e_crlc;
304 >        public UInt16 _e_cparhdr;
305 >        public UInt16 _e_minalloc;
306 >        public UInt16 _e_maxalloc;
307 >        public UInt16 _e_ss;
308 >        public UInt16 _e_sp;
309 >        public UInt16 _e_csum;
310 >        public UInt16 _e_ip;
311 >        public UInt16 _e_cs;
312 >        public UInt16 _e_lfarlc;
313 >        public UInt16 _e_ovno;
314 >        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
315 >        public UInt16[] _e_res1;
316 >        public UInt16 _e_oemid;
317 >        public UInt16 _e_oeminfo;
318 >        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
319 >        public UInt16[] _e_res2;
320 >        public UInt32 _e_lfanew;
321 >
322 >        public string e_magic { get { return string.Format("0x{0:x4}", _e_magic); } }
323 >        public string e_cblp { get { return string.Format("0x{0:x4}", _e_cblp); } }
324 >        public string e_cp { get { return string.Format("0x{0:x4}", _e_cp); } }
325 >        public string e_crlc { get { return string.Format("0x{0:x4}", _e_crlc); } }
326 >        public string e_cparhdr { get { return string.Format("0x{0:x4}", _e_cparhdr); } }
327 >        public string e_minalloc { get { return string.Format("0x{0:x4}", _e_minalloc); } }
328 >        public string e_maxalloc { get { return string.Format("0x{0:x4}", _e_maxalloc); } }
329 >        public string e_ss { get { return string.Format("0x{0:x4}", _e_ss); } }
330 >        public string e_sp { get { return string.Format("0x{0:x4}", _e_sp); } }
331 >        public string e_csum { get { return string.Format("0x{0:x4}", _e_csum); } }
332 >        public string e_ip { get { return string.Format("0x{0:x4}", _e_ip); } }
333 >        public string e_cs { get { return string.Format("0x{0:x4}", _e_cs); } }
334 >        public string e_lfarlc { get { return string.Format("0x{0:x4}", _e_lfarlc); } }
335 >        public string e_ovno { get { return string.Format("0x{0:x4}", _e_ovno); } }
336 >        public ushort[] e_res1 { get { return _e_res1; } }
337 >        public string e_oemid { get { return string.Format("0x{0:x4}", _e_oemid); } }
338 >        public string e_oeminfo { get { return string.Format("0x{0:x4}", _e_oeminfo); } }
339 >        public ushort[] e_res2 { get { return _e_res2; } }
340 >        public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
341 >
342 >        public override string ToString()
343 >        {
344 >            return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
345          }
346 < #endregion
347 <        #endregion
348 <        [TypeConverter(typeof(ExpandableObjectConverter))]
349 <        [StructLayout(LayoutKind.Sequential)]
350 <        public struct IMAGE_DOS_HEADER
351 <        {
352 <            public UInt16 _e_magic;
353 <            public UInt16 _e_cblp;
354 <            public UInt16 _e_cp;
355 <            public UInt16 _e_crlc;
356 <            public UInt16 _e_cparhdr;
357 <            public UInt16 _e_minalloc;
358 <            public UInt16 _e_maxalloc;
359 <            public UInt16 _e_ss;
310 <            public UInt16 _e_sp;
311 <            public UInt16 _e_csum;
312 <            public UInt16 _e_ip;
313 <            public UInt16 _e_cs;
314 <            public UInt16 _e_lfarlc;
315 <            public UInt16 _e_ovno;
316 <            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
317 <            public UInt16[] _e_res1;
318 <            public UInt16 _e_oemid;
319 <            public UInt16 _e_oeminfo;
320 <            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
321 <            public UInt16[] _e_res2;
322 <            public UInt32 _e_lfanew;
323 <
324 <            public string e_magic { get { return string.Format("0x{0:x4}", _e_magic); } }
325 <            public string e_cblp { get { return string.Format("0x{0:x4}", _e_cblp); } }
326 <            public string e_cp { get { return string.Format("0x{0:x4}", _e_cp); } }
327 <            public string e_crlc { get { return string.Format("0x{0:x4}", _e_crlc); } }
328 <            public string e_cparhdr { get { return string.Format("0x{0:x4}", _e_cparhdr); } }
329 <            public string e_minalloc { get { return string.Format("0x{0:x4}", _e_minalloc); } }
330 <            public string e_maxalloc { get { return string.Format("0x{0:x4}", _e_maxalloc); } }
331 <            public string e_ss { get { return string.Format("0x{0:x4}", _e_ss); } }
332 <            public string e_sp { get { return string.Format("0x{0:x4}", _e_sp); } }
333 <            public string e_csum { get { return string.Format("0x{0:x4}", _e_csum); } }
334 <            public string e_ip { get { return string.Format("0x{0:x4}", _e_ip); } }
335 <            public string e_cs { get { return string.Format("0x{0:x4}", _e_cs); } }
336 <            public string e_lfarlc { get { return string.Format("0x{0:x4}", _e_lfarlc); } }
337 <            public string e_ovno { get { return string.Format("0x{0:x4}", _e_ovno); } }
338 <            public ushort[] e_res1 { get { return _e_res1; } }
339 <            public string e_oemid { get { return string.Format("0x{0:x4}", _e_oemid); } }
340 <            public string e_oeminfo { get { return string.Format("0x{0:x4}", _e_oeminfo); } }
341 <            public ushort[] e_res2 { get { return _e_res2; } }
342 <            public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
346 >    }
347 >    [TypeConverter(typeof(ExpandableObjectConverter))]
348 >    [StructLayout(LayoutKind.Sequential)]
349 >    public struct IMAGE_NT_HEADERS
350 >    {
351 >        public UInt32 _Signature;
352 >        public IMAGE_FILE_HEADER _FileHeader;
353 >        public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
354 >        public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
355 >
356 >        public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
357 >        public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
358 >        public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32; } }
359 >        public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64; } }
360  
361 <            public override string ToString()
361 >        public override string ToString()
362 >        {
363 >            return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
364 >        }
365 >    }
366 >    [TypeConverter(typeof(ExpandableObjectConverter))]
367 >    [StructLayout(LayoutKind.Sequential)]
368 >    public struct IMAGE_FILE_HEADER
369 >    {
370 >        public UInt16 _MachineType;
371 >        public UInt16 _NumberOfSections;
372 >        public Int32 _TimeDateStamp;
373 >        public UInt32 _PointerToSymbolTable;
374 >        public UInt32 _NumberOfSymbols;
375 >        public UInt16 _SizeOfOptionalHeader;
376 >        public FileCharacteristicType _Characteristics;
377 >
378 >
379 >        public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
380 >        public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
381 >        public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
382 >        public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
383 >        public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
384 >        public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
385 >        public FileCharacteristicType Characteristics { get { return _Characteristics; } }
386 >        public override string ToString()
387 >        {
388 >            return MachineType;
389 >        }
390 >
391 >        private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate)
392 >        {
393 >            Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF);
394 >            Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16);
395 >            return GetDateTimeFromDosDateTime(i16Time, i16Date);
396 >        }
397 >        private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date)
398 >        {
399 >            try
400 >            {
401 >                int iYear = 0;
402 >                int iMonth = 1;
403 >                int iDay = 1;
404 >                int iHour = 0;
405 >                int iMinute = 0;
406 >                int iSecond = 0;
407 >                iDay = (i16Date & 0x1F);
408 >                iMonth = ((i16Date & 0x01E0) >> 5);
409 >                iYear = 1980 + ((i16Date & 0xFE00) >> 9);
410 >                iSecond = (i16Time & 0x1F) * 2;
411 >                iMinute = ((i16Time & 0x07E0) >> 5);
412 >                iHour = ((i16Time & 0x0F800) >> 11);
413 >                return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
414 >            }
415 >            catch
416              {
417 <                return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
417 >                return new DateTime();
418              }
419          }
349        [TypeConverter(typeof(ExpandableObjectConverter))]
350        [StructLayout(LayoutKind.Sequential)]
351        public struct IMAGE_NT_HEADERS
352        {
353            public UInt32 _Signature;
354            public IMAGE_FILE_HEADER _FileHeader;
355            public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
356            public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
357
358            public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
359            public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
360            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32; } }
361            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64; } }
420  
421 <            public override string ToString()
422 <            {
423 <                return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
424 <            }
421 >    }
422 >    [TypeConverter(typeof(ExpandableObjectConverter))]
423 >    [StructLayout(LayoutKind.Sequential)]
424 >    public struct IMAGE_OPTIONAL_HEADER32
425 >    {
426 >        public UInt16 _Magic;
427 >        public Byte _MajorLinkerVersion;
428 >        public Byte _MinorLinkerVersion;
429 >        public UInt32 _SizeOfCode;
430 >        public UInt32 _SizeOfInitializedData;
431 >        public UInt32 _SizeOfUninitializedData;
432 >        public UInt32 _AddressOfEntryPoint;
433 >        public UInt32 _BaseOfCode;
434 >        public UInt32 _BaseOfData; // 32-but specific
435 >        public UInt32 _ImageBase;
436 >        public UInt32 _SectionAlignment;
437 >        public UInt32 _FileAlignment;
438 >        public UInt16 _MajorOperatingSystemVersion;
439 >        public UInt16 _MinorOperatingSystemVersion;
440 >        public UInt16 _MajorImageVersion;
441 >        public UInt16 _MinorImageVersion;
442 >        public UInt16 _MajorSubsystemVersion;
443 >        public UInt16 _MinorSubsystemVersion;
444 >        public UInt32 _Win32VersionValue;
445 >        public UInt32 _SizeOfImage;
446 >        public UInt32 _SizeOfHeaders;
447 >        public UInt32 _CheckSum;
448 >        public UInt16 _Subsystem;
449 >        public UInt16 _DllCharacteristics;
450 >        public UInt32 _SizeOfStackReserve;
451 >        public UInt32 _SizeOfStackCommit;
452 >        public UInt32 _SizeOfHeapReserve;
453 >        public UInt32 _SizeOfHeapCommit;
454 >        public UInt32 _LoaderFlags;
455 >        public UInt32 _NumberOfRvaAndSizes;
456 >        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
457 >        public IMAGE_DATA_DIRECTORY[] _DataDirectory;
458 >
459 >
460 >        public string Magic { get { return ((MagicType)_Magic).ToString(); } }
461 >        public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
462 >        public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
463 >
464 >        public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
465 >        public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
466 >        public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
467 >        public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
468 >        public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
469 >        public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
470 >        public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
471 >
472 >        public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
473 >        public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
474 >
475 >        public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
476 >        public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
477 >        public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
478 >        public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
479 >        public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
480 >        public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
481 >
482 >        public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
483 >        public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
484 >        public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
485 >        public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
486 >
487 >        public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
488 >        public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
489 >
490 >        public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
491 >        public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
492 >        public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
493 >        public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
494 >
495 >        public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
496 >        public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
497 >        public override string ToString()
498 >        {
499 >            return Magic;
500          }
501 <        [TypeConverter(typeof(ExpandableObjectConverter))]
502 <        [StructLayout(LayoutKind.Sequential)]
503 <        public struct IMAGE_FILE_HEADER
504 <        {
505 <            public UInt16 _MachineType;
506 <            public UInt16 _NumberOfSections;
507 <            public Int32 _TimeDateStamp;
508 <            public UInt32 _PointerToSymbolTable;
509 <            public UInt32 _NumberOfSymbols;
510 <            public UInt16 _SizeOfOptionalHeader;
511 <            public FileCharacteristicType _Characteristics;
512 <
513 <
514 <            public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
515 <            public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
516 <            public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
517 <            public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
518 <            public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
519 <            public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
520 <            public FileCharacteristicType Characteristics { get { return _Characteristics; } }
521 <            public override string ToString()
522 <            {
523 <                return MachineType;
524 <            }
501 >    }
502 >    [TypeConverter(typeof(ExpandableObjectConverter))]
503 >    [StructLayout(LayoutKind.Sequential)]
504 >    public struct IMAGE_OPTIONAL_HEADER64
505 >    {
506 >        public UInt16 _Magic;
507 >        public Byte _MajorLinkerVersion;
508 >        public Byte _MinorLinkerVersion;
509 >        public UInt32 _SizeOfCode;
510 >        public UInt32 _SizeOfInitializedData;
511 >        public UInt32 _SizeOfUninitializedData;
512 >        public UInt32 _AddressOfEntryPoint;
513 >        public UInt32 _BaseOfCode;
514 >        public UInt64 _ImageBase;
515 >        public UInt32 _SectionAlignment;
516 >        public UInt32 _FileAlignment;
517 >        public UInt16 _MajorOperatingSystemVersion;
518 >        public UInt16 _MinorOperatingSystemVersion;
519 >        public UInt16 _MajorImageVersion;
520 >        public UInt16 _MinorImageVersion;
521 >        public UInt16 _MajorSubsystemVersion;
522 >        public UInt16 _MinorSubsystemVersion;
523 >        public UInt32 _Win32VersionValue;
524 >        public UInt32 _SizeOfImage;
525 >        public UInt32 _SizeOfHeaders;
526 >        public UInt32 _CheckSum;
527 >        public UInt16 _Subsystem;
528 >        public UInt16 _DllCharacteristics;
529 >        public UInt64 _SizeOfStackReserve;
530 >        public UInt64 _SizeOfStackCommit;
531 >        public UInt64 _SizeOfHeapReserve;
532 >        public UInt64 _SizeOfHeapCommit;
533 >        public UInt32 _LoaderFlags;
534 >        public UInt32 _NumberOfRvaAndSizes;
535 >        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
536 >        public IMAGE_DATA_DIRECTORY[] _DataDirectory;
537 >
538 >
539 >        public string Magic { get { return ((MagicType)_Magic).ToString(); } }
540 >        public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
541 >        public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
542 >
543 >        public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
544 >        public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
545 >        public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
546 >        public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
547 >        public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
548 >
549 >        public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
550 >
551 >        public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
552 >        public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
553 >
554 >        public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
555 >        public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
556 >        public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
557 >        public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
558 >        public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
559 >        public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
560 >
561 >        public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
562 >        public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
563 >        public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
564 >        public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
565 >
566 >        public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
567 >        public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
568 >
569 >        public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
570 >        public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
571 >        public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
572 >        public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
573  
574 <            private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate)
575 <            {
395 <                Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF);
396 <                Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16);
397 <                return GetDateTimeFromDosDateTime(i16Time, i16Date);
398 <            }
399 <            private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date)
400 <            {
401 <                try
402 <                {
403 <                    int iYear = 0;
404 <                    int iMonth = 1;
405 <                    int iDay = 1;
406 <                    int iHour = 0;
407 <                    int iMinute = 0;
408 <                    int iSecond = 0;
409 <                    iDay = (i16Date & 0x1F);
410 <                    iMonth = ((i16Date & 0x01E0) >> 5);
411 <                    iYear = 1980 + ((i16Date & 0xFE00) >> 9);
412 <                    iSecond = (i16Time & 0x1F) * 2;
413 <                    iMinute = ((i16Time & 0x07E0) >> 5);
414 <                    iHour = ((i16Time & 0x0F800) >> 11);
415 <                    return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
416 <                }
417 <                catch
418 <                {
419 <                    return new DateTime();
420 <                }
421 <            }
574 >        public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
575 >        public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
576  
577 +        public override string ToString()
578 +        {
579 +            return Magic;
580          }
581 <        [TypeConverter(typeof(ExpandableObjectConverter))]
582 <        [StructLayout(LayoutKind.Sequential)]
583 <        public struct IMAGE_OPTIONAL_HEADER32
584 <        {
585 <            public UInt16 _Magic;
586 <            public Byte _MajorLinkerVersion;
587 <            public Byte _MinorLinkerVersion;
588 <            public UInt32 _SizeOfCode;
589 <            public UInt32 _SizeOfInitializedData;
590 <            public UInt32 _SizeOfUninitializedData;
591 <            public UInt32 _AddressOfEntryPoint;
592 <            public UInt32 _BaseOfCode;
593 <            public UInt32 _BaseOfData; // 32-but specific
594 <            public UInt32 _ImageBase;
595 <            public UInt32 _SectionAlignment;
596 <            public UInt32 _FileAlignment;
597 <            public UInt16 _MajorOperatingSystemVersion;
598 <            public UInt16 _MinorOperatingSystemVersion;
599 <            public UInt16 _MajorImageVersion;
600 <            public UInt16 _MinorImageVersion;
601 <            public UInt16 _MajorSubsystemVersion;
602 <            public UInt16 _MinorSubsystemVersion;
603 <            public UInt32 _Win32VersionValue;
604 <            public UInt32 _SizeOfImage;
605 <            public UInt32 _SizeOfHeaders;
606 <            public UInt32 _CheckSum;
607 <            public UInt16 _Subsystem;
608 <            public UInt16 _DllCharacteristics;
609 <            public UInt32 _SizeOfStackReserve;
610 <            public UInt32 _SizeOfStackCommit;
611 <            public UInt32 _SizeOfHeapReserve;
612 <            public UInt32 _SizeOfHeapCommit;
613 <            public UInt32 _LoaderFlags;
614 <            public UInt32 _NumberOfRvaAndSizes;
615 <            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
616 <            public IMAGE_DATA_DIRECTORY[] _DataDirectory;
617 <
618 <
619 <            public string Magic { get { return ((MagicType)_Magic).ToString(); } }
620 <            public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
464 <            public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
465 <
466 <            public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
467 <            public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
468 <            public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
469 <            public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
470 <            public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
471 <            public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
472 <            public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
473 <
474 <            public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
475 <            public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
476 <
477 <            public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
478 <            public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
479 <            public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
480 <            public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
481 <            public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
482 <            public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
483 <
484 <            public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
485 <            public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
486 <            public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
487 <            public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
488 <
489 <            public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
490 <            public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
491 <
492 <            public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
493 <            public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
494 <            public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
495 <            public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
496 <
497 <            public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
498 <            public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
499 <            public override string ToString()
500 <            {
501 <                return Magic;
502 <            }
581 >    }
582 >    [TypeConverter(typeof(ExpandableObjectConverter))]
583 >    [StructLayout(LayoutKind.Sequential)]
584 >    public struct IMAGE_DATA_DIRECTORY
585 >    {
586 >        public UInt32 _VirtualAddress;
587 >        public UInt32 _Size;
588 >
589 >        public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
590 >        public string Size { get { return string.Format("0x{0:x8}", _Size); } }
591 >    }
592 >    [TypeConverter(typeof(ExpandableObjectConverter))]
593 >    [StructLayout(LayoutKind.Sequential)]
594 >    public struct IMAGE_SECTION_HEADER
595 >    {
596 >        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
597 >        public string _Name;
598 >        public Misc _Misc;
599 >        public UInt32 _VirtualAddress;
600 >        public UInt32 _SizeOfRawData;
601 >        public UInt32 _PointerToRawData;
602 >        public UInt32 _PointerToRelocations;
603 >        public UInt32 _PointerToLinenumbers;
604 >        public UInt16 _NumberOfRelocations;
605 >        public UInt16 _NumberOfLinenumbers;
606 >        public DataSectionFlags _Characteristics;
607 >
608 >        public string Name { get { return _Name; } }
609 >        public Misc Misc { get { return _Misc; } }
610 >        public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
611 >        public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
612 >        public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
613 >        public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
614 >        public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
615 >        public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
616 >        public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
617 >        public string Characteristics { get { return _Characteristics.ToString(); } }
618 >        public override string ToString()
619 >        {
620 >            return Name;
621          }
622 <        [TypeConverter(typeof(ExpandableObjectConverter))]
623 <        [StructLayout(LayoutKind.Sequential)]
624 <        public struct IMAGE_OPTIONAL_HEADER64
625 <        {
626 <            public UInt16 _Magic;
627 <            public Byte _MajorLinkerVersion;
628 <            public Byte _MinorLinkerVersion;
629 <            public UInt32 _SizeOfCode;
630 <            public UInt32 _SizeOfInitializedData;
513 <            public UInt32 _SizeOfUninitializedData;
514 <            public UInt32 _AddressOfEntryPoint;
515 <            public UInt32 _BaseOfCode;
516 <            public UInt64 _ImageBase;
517 <            public UInt32 _SectionAlignment;
518 <            public UInt32 _FileAlignment;
519 <            public UInt16 _MajorOperatingSystemVersion;
520 <            public UInt16 _MinorOperatingSystemVersion;
521 <            public UInt16 _MajorImageVersion;
522 <            public UInt16 _MinorImageVersion;
523 <            public UInt16 _MajorSubsystemVersion;
524 <            public UInt16 _MinorSubsystemVersion;
525 <            public UInt32 _Win32VersionValue;
526 <            public UInt32 _SizeOfImage;
527 <            public UInt32 _SizeOfHeaders;
528 <            public UInt32 _CheckSum;
529 <            public UInt16 _Subsystem;
530 <            public UInt16 _DllCharacteristics;
531 <            public UInt64 _SizeOfStackReserve;
532 <            public UInt64 _SizeOfStackCommit;
533 <            public UInt64 _SizeOfHeapReserve;
534 <            public UInt64 _SizeOfHeapCommit;
535 <            public UInt32 _LoaderFlags;
536 <            public UInt32 _NumberOfRvaAndSizes;
537 <            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
538 <            public IMAGE_DATA_DIRECTORY[] _DataDirectory;
539 <
540 <
541 <            public string Magic { get { return ((MagicType)_Magic).ToString(); } }
542 <            public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
543 <            public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
544 <
545 <            public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
546 <            public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
547 <            public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
548 <            public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
549 <            public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
550 <
551 <            public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
552 <
553 <            public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
554 <            public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
555 <
556 <            public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
557 <            public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
558 <            public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
559 <            public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
560 <            public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
561 <            public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
562 <
563 <            public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
564 <            public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
565 <            public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
566 <            public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
567 <
568 <            public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
569 <            public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
570 <
571 <            public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
572 <            public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
573 <            public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
574 <            public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
622 >    }
623 >    [TypeConverter(typeof(ExpandableObjectConverter))]
624 >    [StructLayout(LayoutKind.Explicit)]
625 >    public struct Misc
626 >    {
627 >        [FieldOffset(0)]
628 >        public UInt32 _PhysicalAddress;
629 >        [FieldOffset(0)]
630 >        public UInt32 _VirtualSize;
631  
632 <            public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
633 <            public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
632 >        public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
633 >        public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
634  
635 <            public override string ToString()
636 <            {
637 <                return Magic;
638 <            }
635 >    }
636 >
637 >    #endregion
638 >    #region SECTION_DATA_ARRAY
639 >    [TypeConverter(typeof(ExpandableObjectConverter))]
640 >    public class SECTION_DATA_ARRAY
641 >    {
642 >        public SECTION_DATA_ARRAY() { Name = ""; Data = new byte[] { }; _Address = 0; _PointerToData = 0; }
643 >        public SECTION_DATA_ARRAY(string name, int address, int pointertodata, byte[] data)
644 >        {
645 >            Name = name;
646 >            _Address = address;
647 >            _PointerToData = pointertodata;
648 >            Data = data;
649 >        }
650 >
651 >        public string Name { get; private set; }
652 >        private int _Address;
653 >        public string Address { get { return string.Format("0x{0:x8}", _Address); } }
654 >        private int _PointerToData;
655 >        public string PointerToData { get { return string.Format("0x{0:x8}", _PointerToData); } }
656 >        public byte[] Data { get; set; }
657 >        public override string ToString()
658 >        {
659 >            return string.Format("{0} ({1}) ({2}) {3}", Name, Address, PointerToData, Data.Count());
660 >        }
661 >    }
662 >    #endregion
663 >    #region IMAGE_SECTION_DATA
664 >    public class IMAGE_SECTION_DATA
665 >    {
666 >        private List<SECTION_DATA_ARRAY> sdas = new List<SECTION_DATA_ARRAY>();
667 >        public IMAGE_SECTION_DATA() { }
668 >        public void AddData(string SectionName, int SectionAddress, int PointerToData, byte[] SectionData)
669 >        {
670 >            SECTION_DATA_ARRAY sda = new SECTION_DATA_ARRAY(SectionName, SectionAddress, PointerToData, SectionData);
671 >            sdas.Add(sda);
672          }
673 <        [TypeConverter(typeof(ExpandableObjectConverter))]
674 <        [StructLayout(LayoutKind.Sequential)]
675 <        public struct IMAGE_DATA_DIRECTORY
587 <        {
588 <            public UInt32 _VirtualAddress;
589 <            public UInt32 _Size;
590 <
591 <            public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
592 <            public string Size { get { return string.Format("0x{0:x8}", _Size); } }
593 <        }
594 <        [TypeConverter(typeof(ExpandableObjectConverter))]
595 <        [StructLayout(LayoutKind.Sequential)]
596 <        public struct IMAGE_SECTION_HEADER
597 <        {
598 <            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
599 <            public string _Name;
600 <            public Misc _Misc;
601 <            public UInt32 _VirtualAddress;
602 <            public UInt32 _SizeOfRawData;
603 <            public UInt32 _PointerToRawData;
604 <            public UInt32 _PointerToRelocations;
605 <            public UInt32 _PointerToLinenumbers;
606 <            public UInt16 _NumberOfRelocations;
607 <            public UInt16 _NumberOfLinenumbers;
608 <            public DataSectionFlags _Characteristics;
609 <
610 <            public string Name { get { return _Name; } }
611 <            public Misc Misc { get { return _Misc; } }
612 <            public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
613 <            public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
614 <            public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
615 <            public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
616 <            public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
617 <            public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
618 <            public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
619 <            public string Characteristics { get { return _Characteristics.ToString(); } }
620 <            public override string ToString()
673 >        public SECTION_DATA_ARRAY[] SectionData
674 >        {
675 >            get
676              {
677 <                return Name;
677 >                return sdas.ToArray();
678              }
679          }
680 <        [TypeConverter(typeof(ExpandableObjectConverter))]
681 <        [StructLayout(LayoutKind.Explicit)]
627 <        public struct Misc
628 <        {
629 <            [FieldOffset(0)]
630 <            public UInt32 _PhysicalAddress;
631 <            [FieldOffset(0)]
632 <            public UInt32 _VirtualSize;
680 >    }
681 >    #endregion
682  
634            public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
635            public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
683  
684 +    #region PEData
685 +    public interface IPEDData
686 +    {
687 +        IMAGE_DOS_HEADER DosHeader { get; }
688 +        IMAGE_NT_HEADERS NTHeader { get; }
689 +        IMAGE_SECTION_HEADER[] SectionHeaders { get; }
690 +        SECTION_DATA_ARRAY[] SectionData { get; }
691 +        bool Is32bitAssembly();
692 +    }
693 +    public class PEDataWrapper
694 +    {
695 +        #region static members
696 +        public static IPEDData GetPEData(IAcceptsProcessAndConfig p) { return GetPEData((IAcceptsProcess)p.AcceptedProcess); }
697 +        public static IPEDData GetPEData(IAcceptsProcess p) { return GetPEData(p.AcceptedProcess); }
698 +        public static IPEDData GetPEData(Process p)
699 +        {
700 +            if (p == null)
701 +                return PEData.Empty;
702 +            return new PEData(p);
703          }
704 <
704 >        public static IPEDData GetPEData()
705 >        {
706 >            return PEData.Empty;
707 >        }        
708          #endregion
709 +    }
710 +    internal class PEData : IPEDData
711 +    {
712 +        //public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }, new IMAGE_SECTION_DATA()) { }
713 +        //public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders, IMAGE_SECTION_DATA isd)
714 +        //{
715 +        //    this.DosHeader = DosHeader;
716 +        //    this.NTHeader = NTHeader;
717 +        //    this.SectionHeaders = SectionHeaders;
718 +        //    this.isd = isd;
719 +        //}
720 +        public static readonly IPEDData Empty = new PEData();
721 +        public PEData()
722 +        {
723 +            SourceProcess = null;
724 +            DosHeader = new IMAGE_DOS_HEADER();
725 +            NTHeader = new IMAGE_NT_HEADERS();
726 +            SectionHeaders = new IMAGE_SECTION_HEADER[] { };
727 +            isd = new IMAGE_SECTION_DATA();
728 +        }
729 +        public PEData(IAcceptsProcessAndConfig p) : this((IAcceptsProcess)p.AcceptedProcess) { }
730 +        public PEData(IAcceptsProcess p) : this(p.AcceptedProcess) { }
731 +        public PEData(Process p)
732 +        {
733 +            SourceProcess = p;
734 +            if (SourceProcess == null)
735 +                throw new NullReferenceException("Supplied process cannot be null");
736 +            PEReader reader = new PEReader(SourceProcess);
737 +            this.DosHeader = reader._dosHeader;
738 +            this.NTHeader = reader._ntHeaders;
739 +            this.SectionHeaders = reader._sectionHeaders.ToArray();
740 +            isd = reader._SectionData;
741 +        }
742 +        private Process SourceProcess { get; set; }
743 +        #region IPEDData members
744 +        public IMAGE_DOS_HEADER DosHeader { get; private set; }
745 +        public IMAGE_NT_HEADERS NTHeader { get; private set; }
746 +        public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
747 +        private IMAGE_SECTION_DATA isd;
748 +        public SECTION_DATA_ARRAY[] SectionData { get { return isd.SectionData; } }
749 +        public bool Is32bitAssembly()
750 +        {
751 +            return NTHeader.FileHeader._Characteristics.HasFlag(FileCharacteristicType.Supports32Bit);
752 +        }
753 +        #endregion      
754 +    }
755 +    #endregion
756 +
757 +    internal class PEReader
758 +    {
759 +        // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
760  
761          #region Fields
762  
763 <        private readonly IMAGE_DOS_HEADER _dosHeader;
764 <        private IMAGE_NT_HEADERS _ntHeaders;
765 <        private readonly IList<IMAGE_SECTION_HEADER> _sectionHeaders = new List<IMAGE_SECTION_HEADER>();
766 <        private readonly IMAGE_SECTION_DATA _SectionData = new IMAGE_SECTION_DATA();
763 >        internal readonly IMAGE_DOS_HEADER _dosHeader;
764 >        internal IMAGE_NT_HEADERS _ntHeaders;
765 >        internal readonly IList<IMAGE_SECTION_HEADER> _sectionHeaders = new List<IMAGE_SECTION_HEADER>();
766 >        internal readonly IMAGE_SECTION_DATA _SectionData = new IMAGE_SECTION_DATA();
767          #endregion
648
649        [TypeConverter(typeof(ExpandableObjectConverter))]
650        public class SECTION_DATA_ARRAY
651        {
652            public SECTION_DATA_ARRAY() { Name = ""; Data = new byte[] { }; _Address = 0; _PointerToData = 0; }
653            public SECTION_DATA_ARRAY(string name, int address, int pointertodata, byte[] data)
654            {
655                Name = name;
656                _Address = address;
657                _PointerToData = pointertodata;
658                Data = data;
659            }
660            
661            public string Name { get; private set; }
662            private int _Address;
663            public string Address { get { return string.Format("0x{0:x8}", _Address); }}
664            private int _PointerToData;
665            public string PointerToData { get { return string.Format("0x{0:x8}", _PointerToData); } }
666            public byte[] Data { get; set; }
667            public override string ToString()
668            {
669                return string.Format("{0} ({1}) ({2}) {3}", Name, Address, PointerToData, Data.Count());
670            }
671        }
672        public class IMAGE_SECTION_DATA
673        {
674            private List<SECTION_DATA_ARRAY> sdas = new List<SECTION_DATA_ARRAY>();
675            public IMAGE_SECTION_DATA() { }
676            public void AddData(string SectionName, int SectionAddress, int PointerToData, byte[] SectionData)
677            {
678                SECTION_DATA_ARRAY sda = new SECTION_DATA_ARRAY(SectionName, SectionAddress, PointerToData, SectionData);
679                sdas.Add(sda);
680            }
681            public SECTION_DATA_ARRAY[] SectionData
682            {
683                get
684                {
685                    return sdas.ToArray();
686                }
687            }
688        }
689
768          #region logging implementation
769          private static class log
770          {
# Line 727 | Line 805 | namespace Sojaner.MemoryScanner
805          #endregion
806  
807  
808 <        public PEData GetPEData
731 <        {
732 <            get
733 <            {
734 <                PEData _data = new PEData(_dosHeader, _ntHeaders, _sectionHeaders.ToArray(), _SectionData);
735 <                return _data;
736 <            }
737 <        }
738 <        #region PEData
739 <        public class PEData
740 <        {
741 <            public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }, new IMAGE_SECTION_DATA()) { }
742 <            public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders, IMAGE_SECTION_DATA isd)
743 <            {
744 <                this.DosHeader = DosHeader;
745 <                this.NTHeader = NTHeader;
746 <                this.SectionHeaders = SectionHeaders;
747 <                this.isd = isd;
748 <            }
749 <            public IMAGE_DOS_HEADER DosHeader { get; private set; }
750 <            public IMAGE_NT_HEADERS NTHeader { get; private set; }
751 <            public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
752 <
753 <            private IMAGE_SECTION_DATA isd;
754 <            public SECTION_DATA_ARRAY[] SectionData { get { return isd.SectionData; } }
755 <            public bool Is32bitAssembly()
756 <            {
757 <                return NTHeader.FileHeader._Characteristics.HasFlag(FileCharacteristicType.Supports32Bit);
758 <            }
759 <        }
760 <
761 <        #endregion
762 <
763 <        public PEReader(FileInfo fi, IAcceptsProcessAndConfig pconfig) : this(fi.FullName, pconfig) { }
764 <        public PEReader(string filename, IAcceptsProcessAndConfig pconfig)
808 >        public PEReader(Process p)
809          {
810 +            string filename = p.MainModule.FileName;
811              Exception ErrorInfo = null;
812              _SectionData = new IMAGE_SECTION_DATA();
813              using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read))
# Line 846 | Line 891 | namespace Sojaner.MemoryScanner
891                          //provider.CloseProvider();
892  
893                          // Skip to beginning of a section
894 <                        reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);    
894 >                        reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);
895                          // Read section data... and do something with it
896                          byte[] sectiondata = reader.ReadBytes((int)header._SizeOfRawData);
897                          _SectionData.AddData(header.Name, (int)header._VirtualAddress + image_base, (int)header._PointerToRawData, sectiondata);

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines