Win32/Sojaner.MemoryScanner/PEReader.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using RomCheater.Logging;
using System.Runtime.InteropServices;
using System.Diagnostics;

namespace Sojaner.MemoryScanner
{
    public class PEReader
    {
        public PEReader(FileInfo fi) : this(fi.FullName) { }
        public PEReader(string filename) { this.Read(filename); }

        #region marshalling
        private void Read(string filename)
        {
            logger.Debug.WriteLine("Reading Exe: {0}", filename);

            using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                byte[] data = new byte[] { };
                GCHandle pinnedPacket = new GCHandle();
                int size = 0;
                BinaryReader br = new BinaryReader(fs);

                #region IMAGE_DOS_HEADER
                size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
                pinnedPacket.Free();
                #endregion

                // skip the old dos stub
                br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);

                #region IMAGE_NT_HEADERS
                size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
                data = br.ReadBytes(size);
                pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
                IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
                pinnedPacket.Free();
                #endregion


                br.Close();
            }

 
        }
        #endregion

        #region header support
        #region IMAGE_DATA_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DATA_DIRECTORY
        {
            public UInt32 VirtualAddress;
            public UInt32 Size;
        }
        #endregion
        #region IMAGE_FILE_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_FILE_HEADER
        {
            public MachineType Machine;
            public UInt16 NumberOfSections;
            public UInt32 TimeDateStamp;
            public UInt32 PointerToSymbolTable;
            public UInt32 NumberOfSymbols;
            public UInt16 SizeOfOptionalHeader;
            public DllCharacteristicsType Characteristics;
        }
        #endregion
        #region IMAGE_DOS_HEADER
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_DOS_HEADER
        {
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
            public char[] e_magic;       // Magic number
            public UInt16 e_cblp;    // Bytes on last page of file
            public UInt16 e_cp;      // Pages in file
            public UInt16 e_crlc;    // Relocations
            public UInt16 e_cparhdr;     // Size of header in paragraphs
            public UInt16 e_minalloc;    // Minimum extra paragraphs needed
            public UInt16 e_maxalloc;    // Maximum extra paragraphs needed
            public UInt16 e_ss;      // Initial (relative) SS value
            public UInt16 e_sp;      // Initial SP value
            public UInt16 e_csum;    // Checksum
            public UInt16 e_ip;      // Initial IP value
            public UInt16 e_cs;      // Initial (relative) CS value
            public UInt16 e_lfarlc;      // File address of relocation table
            public UInt16 e_ovno;    // Overlay number
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public UInt16[] e_res1;    // Reserved words
            public UInt16 e_oemid;       // OEM identifier (for e_oeminfo)
            public UInt16 e_oeminfo;     // OEM information; e_oemid specific
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
            public UInt16[] e_res2;    // Reserved words
            public Int32 e_lfanew;      // File address of new exe header
            private string _e_magic
            {
                get { return new string(e_magic); }
            }
            public bool isValid
            {
                get { return _e_magic == "MZ"; }
            }
        }
        #endregion
        #region IMAGE_NT_HEADERS
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_NT_HEADERS
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            public char[] Signature;

            [FieldOffset(4)]
            public IMAGE_FILE_HEADER FileHeader;

            [FieldOffset(24)]
            public IMAGE_OPTIONAL_HEADER OptionalHeader;

            private string _Signature
            {
                get { return new string(Signature); }
            }

            public bool isValid
            {
                get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
            }
        }
        #endregion
        #region MachineType
        public enum MachineType : ushort
        {
            Native = 0,
            I386 = 0x014c,
            Itanium = 0x0200,
            x64 = 0x8664
        }
        #endregion
        #region MagicType
        public enum MagicType : ushort
        {
            IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
            IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
        }
        #endregion
        #region SubSystemType
        public enum SubSystemType : ushort
        {
            IMAGE_SUBSYSTEM_UNKNOWN = 0,
            IMAGE_SUBSYSTEM_NATIVE = 1,
            IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
            IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
            IMAGE_SUBSYSTEM_POSIX_CUI = 7,
            IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
            IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
            IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
            IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
            IMAGE_SUBSYSTEM_EFI_ROM = 13,
            IMAGE_SUBSYSTEM_XBOX = 14

        }
        #endregion
        #region DllCharacteristicsType
        [Flags]
        public enum DllCharacteristicsType : ushort
        {
            RES_0 = 0x0001,
            RES_1 = 0x0002,
            RES_2 = 0x0004,
            RES_3 = 0x0008,
            IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
            IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
            IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
            IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
            IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
            IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
            RES_4 = 0x1000,
            IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
            IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
        }
        #endregion
        #region IMAGE_OPTIONAL_HEADER
        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_OPTIONAL_HEADER
        {
            [FieldOffset(0)]
            public MagicType Magic;

            [FieldOffset(2)]
            public byte MajorLinkerVersion;

            [FieldOffset(3)]
            public byte MinorLinkerVersion;

            [FieldOffset(4)]
            public uint SizeOfCode;

            [FieldOffset(8)]
            public uint SizeOfInitializedData;

            [FieldOffset(12)]
            public uint SizeOfUninitializedData;

            [FieldOffset(16)]
            public uint AddressOfEntryPoint;

            [FieldOffset(20)]
            public uint BaseOfCode;

            // PE32 contains this additional field
            [FieldOffset(24)]
            public uint BaseOfData;

            [FieldOffset(28)]
            public uint ImageBase;

            [FieldOffset(32)]
            public uint SectionAlignment;

            [FieldOffset(36)]
            public uint FileAlignment;

            [FieldOffset(40)]
            public ushort MajorOperatingSystemVersion;

            [FieldOffset(42)]
            public ushort MinorOperatingSystemVersion;

            [FieldOffset(44)]
            public ushort MajorImageVersion;

            [FieldOffset(46)]
            public ushort MinorImageVersion;

            [FieldOffset(48)]
            public ushort MajorSubsystemVersion;

            [FieldOffset(50)]
            public ushort MinorSubsystemVersion;

            [FieldOffset(52)]
            public uint Win32VersionValue;

            [FieldOffset(56)]
            public uint SizeOfImage;

            [FieldOffset(60)]
            public uint SizeOfHeaders;

            [FieldOffset(64)]
            public uint CheckSum;

            [FieldOffset(68)]
            public SubSystemType Subsystem;

            [FieldOffset(70)]
            public DllCharacteristicsType DllCharacteristics;

            [FieldOffset(72)]
            public uint SizeOfStackReserve;

            [FieldOffset(76)]
            public uint SizeOfStackCommit;

            [FieldOffset(80)]
            public uint SizeOfHeapReserve;

            [FieldOffset(84)]
            public uint SizeOfHeapCommit;

            [FieldOffset(88)]
            public uint LoaderFlags;

            [FieldOffset(92)]
            public uint NumberOfRvaAndSizes;

            [FieldOffset(96)]
            public IMAGE_DATA_DIRECTORY ExportTable;

            [FieldOffset(104)]
            public IMAGE_DATA_DIRECTORY ImportTable;

            [FieldOffset(112)]
            public IMAGE_DATA_DIRECTORY ResourceTable;

            [FieldOffset(120)]
            public IMAGE_DATA_DIRECTORY ExceptionTable;

            [FieldOffset(128)]
            public IMAGE_DATA_DIRECTORY CertificateTable;

            [FieldOffset(136)]
            public IMAGE_DATA_DIRECTORY BaseRelocationTable;

            [FieldOffset(144)]
            public IMAGE_DATA_DIRECTORY Debug;

            [FieldOffset(152)]
            public IMAGE_DATA_DIRECTORY Architecture;

            [FieldOffset(160)]
            public IMAGE_DATA_DIRECTORY GlobalPtr;

            [FieldOffset(168)]
            public IMAGE_DATA_DIRECTORY TLSTable;

            [FieldOffset(176)]
            public IMAGE_DATA_DIRECTORY LoadConfigTable;

            [FieldOffset(184)]
            public IMAGE_DATA_DIRECTORY BoundImport;

            [FieldOffset(192)]
            public IMAGE_DATA_DIRECTORY IAT;

            [FieldOffset(200)]
            public IMAGE_DATA_DIRECTORY DelayImportDescriptor;

            [FieldOffset(208)]
            public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;

            [FieldOffset(216)]
            public IMAGE_DATA_DIRECTORY Reserved;
        }
        #endregion
        #region IMAGE_EXPORT_DIRECTORY
        [StructLayout(LayoutKind.Sequential)]
        public struct IMAGE_EXPORT_DIRECTORY
        {
            public UInt32 Characteristics;
            public UInt32 TimeDateStamp;
            public UInt16 MajorVersion;
            public UInt16 MinorVersion;
            public UInt32 Name;
            public UInt32 Base;
            public UInt32 NumberOfFunctions;
            public UInt32 NumberOfNames;
            public UInt32 AddressOfFunctions;     // RVA from base of image
            public UInt32 AddressOfNames;     // RVA from base of image
            public UInt32 AddressOfNameOrdinals;  // RVA from base of image
        }
        #endregion
        #endregion
    }
}
Revision:	160
Committed:	Mon May 28 05:30:14 2012 UTC (11 years ago) by william
File size:	12023 byte(s)
Log Message:	Force the use of the enum values for these types public struct IMAGE_FILE_HEADER { public MachineType Machine; public DllCharacteristicsType Characteristics; }
#	Content
1	using System;
2	using System.Collections.Generic;
3	using System.Linq;
4	using System.Text;
5	using System.IO;
6	using RomCheater.Logging;
7	using System.Runtime.InteropServices;
8	using System.Diagnostics;
9
10	namespace Sojaner.MemoryScanner
11	{
12	public class PEReader
13	{
14	public PEReader(FileInfo fi) : this(fi.FullName) { }
15	public PEReader(string filename) { this.Read(filename); }
16
17	#region marshalling
18	private void Read(string filename)
19	{
20	logger.Debug.WriteLine("Reading Exe: {0}", filename);
21
22	using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
23	{
24	byte[] data = new byte[] { };
25	GCHandle pinnedPacket = new GCHandle();
26	int size = 0;
27	BinaryReader br = new BinaryReader(fs);
28
29	#region IMAGE_DOS_HEADER
30	size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER));
31	data = br.ReadBytes(size);
32	pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
33	IMAGE_DOS_HEADER IMAGE_DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER));
34	pinnedPacket.Free();
35	#endregion
36
37	// skip the old dos stub
38	br.BaseStream.Seek(IMAGE_DOS_HEADER.e_lfanew, SeekOrigin.Begin);
39
40	#region IMAGE_NT_HEADERS
41	size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS));
42	data = br.ReadBytes(size);
43	pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned);
44	IMAGE_NT_HEADERS IMAGE_NT_HEADERS = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS));
45	pinnedPacket.Free();
46	#endregion
47
48
49
50	br.Close();
51	}
52
53
54	}
55	#endregion
56
57	#region header support
58	#region IMAGE_DATA_DIRECTORY
59	[StructLayout(LayoutKind.Sequential)]
60	public struct IMAGE_DATA_DIRECTORY
61	{
62	public UInt32 VirtualAddress;
63	public UInt32 Size;
64	}
65	#endregion
66	#region IMAGE_FILE_HEADER
67	[StructLayout(LayoutKind.Sequential)]
68	public struct IMAGE_FILE_HEADER
69	{
70	public MachineType Machine;
71	public UInt16 NumberOfSections;
72	public UInt32 TimeDateStamp;
73	public UInt32 PointerToSymbolTable;
74	public UInt32 NumberOfSymbols;
75	public UInt16 SizeOfOptionalHeader;
76	public DllCharacteristicsType Characteristics;
77	}
78	#endregion
79	#region IMAGE_DOS_HEADER
80	[StructLayout(LayoutKind.Sequential)]
81	public struct IMAGE_DOS_HEADER
82	{
83	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
84	public char[] e_magic; // Magic number
85	public UInt16 e_cblp; // Bytes on last page of file
86	public UInt16 e_cp; // Pages in file
87	public UInt16 e_crlc; // Relocations
88	public UInt16 e_cparhdr; // Size of header in paragraphs
89	public UInt16 e_minalloc; // Minimum extra paragraphs needed
90	public UInt16 e_maxalloc; // Maximum extra paragraphs needed
91	public UInt16 e_ss; // Initial (relative) SS value
92	public UInt16 e_sp; // Initial SP value
93	public UInt16 e_csum; // Checksum
94	public UInt16 e_ip; // Initial IP value
95	public UInt16 e_cs; // Initial (relative) CS value
96	public UInt16 e_lfarlc; // File address of relocation table
97	public UInt16 e_ovno; // Overlay number
98	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
99	public UInt16[] e_res1; // Reserved words
100	public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
101	public UInt16 e_oeminfo; // OEM information; e_oemid specific
102	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
103	public UInt16[] e_res2; // Reserved words
104	public Int32 e_lfanew; // File address of new exe header
105	private string _e_magic
106	{
107	get { return new string(e_magic); }
108	}
109	public bool isValid
110	{
111	get { return _e_magic == "MZ"; }
112	}
113	}
114	#endregion
115	#region IMAGE_NT_HEADERS
116	[StructLayout(LayoutKind.Explicit)]
117	public struct IMAGE_NT_HEADERS
118	{
119	[FieldOffset(0)]
120	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
121	public char[] Signature;
122
123	[FieldOffset(4)]
124	public IMAGE_FILE_HEADER FileHeader;
125
126	[FieldOffset(24)]
127	public IMAGE_OPTIONAL_HEADER OptionalHeader;
128
129	private string _Signature
130	{
131	get { return new string(Signature); }
132	}
133
134	public bool isValid
135	{
136	get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC \|\| OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); }
137	}
138	}
139	#endregion
140	#region MachineType
141	public enum MachineType : ushort
142	{
143	Native = 0,
144	I386 = 0x014c,
145	Itanium = 0x0200,
146	x64 = 0x8664
147	}
148	#endregion
149	#region MagicType
150	public enum MagicType : ushort
151	{
152	IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b,
153	IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b
154	}
155	#endregion
156	#region SubSystemType
157	public enum SubSystemType : ushort
158	{
159	IMAGE_SUBSYSTEM_UNKNOWN = 0,
160	IMAGE_SUBSYSTEM_NATIVE = 1,
161	IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
162	IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
163	IMAGE_SUBSYSTEM_POSIX_CUI = 7,
164	IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
165	IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
166	IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
167	IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
168	IMAGE_SUBSYSTEM_EFI_ROM = 13,
169	IMAGE_SUBSYSTEM_XBOX = 14
170
171	}
172	#endregion
173	#region DllCharacteristicsType
174	[Flags]
175	public enum DllCharacteristicsType : ushort
176	{
177	RES_0 = 0x0001,
178	RES_1 = 0x0002,
179	RES_2 = 0x0004,
180	RES_3 = 0x0008,
181	IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
182	IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
183	IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
184	IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
185	IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
186	IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
187	RES_4 = 0x1000,
188	IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
189	IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
190	}
191	#endregion
192	#region IMAGE_OPTIONAL_HEADER
193	[StructLayout(LayoutKind.Explicit)]
194	public struct IMAGE_OPTIONAL_HEADER
195	{
196	[FieldOffset(0)]
197	public MagicType Magic;
198
199	[FieldOffset(2)]
200	public byte MajorLinkerVersion;
201
202	[FieldOffset(3)]
203	public byte MinorLinkerVersion;
204
205	[FieldOffset(4)]
206	public uint SizeOfCode;
207
208	[FieldOffset(8)]
209	public uint SizeOfInitializedData;
210
211	[FieldOffset(12)]
212	public uint SizeOfUninitializedData;
213
214	[FieldOffset(16)]
215	public uint AddressOfEntryPoint;
216
217	[FieldOffset(20)]
218	public uint BaseOfCode;
219
220	// PE32 contains this additional field
221	[FieldOffset(24)]
222	public uint BaseOfData;
223
224	[FieldOffset(28)]
225	public uint ImageBase;
226
227	[FieldOffset(32)]
228	public uint SectionAlignment;
229
230	[FieldOffset(36)]
231	public uint FileAlignment;
232
233	[FieldOffset(40)]
234	public ushort MajorOperatingSystemVersion;
235
236	[FieldOffset(42)]
237	public ushort MinorOperatingSystemVersion;
238
239	[FieldOffset(44)]
240	public ushort MajorImageVersion;
241
242	[FieldOffset(46)]
243	public ushort MinorImageVersion;
244
245	[FieldOffset(48)]
246	public ushort MajorSubsystemVersion;
247
248	[FieldOffset(50)]
249	public ushort MinorSubsystemVersion;
250
251	[FieldOffset(52)]
252	public uint Win32VersionValue;
253
254	[FieldOffset(56)]
255	public uint SizeOfImage;
256
257	[FieldOffset(60)]
258	public uint SizeOfHeaders;
259
260	[FieldOffset(64)]
261	public uint CheckSum;
262
263	[FieldOffset(68)]
264	public SubSystemType Subsystem;
265
266	[FieldOffset(70)]
267	public DllCharacteristicsType DllCharacteristics;
268
269	[FieldOffset(72)]
270	public uint SizeOfStackReserve;
271
272	[FieldOffset(76)]
273	public uint SizeOfStackCommit;
274
275	[FieldOffset(80)]
276	public uint SizeOfHeapReserve;
277
278	[FieldOffset(84)]
279	public uint SizeOfHeapCommit;
280
281	[FieldOffset(88)]
282	public uint LoaderFlags;
283
284	[FieldOffset(92)]
285	public uint NumberOfRvaAndSizes;
286
287	[FieldOffset(96)]
288	public IMAGE_DATA_DIRECTORY ExportTable;
289
290	[FieldOffset(104)]
291	public IMAGE_DATA_DIRECTORY ImportTable;
292
293	[FieldOffset(112)]
294	public IMAGE_DATA_DIRECTORY ResourceTable;
295
296	[FieldOffset(120)]
297	public IMAGE_DATA_DIRECTORY ExceptionTable;
298
299	[FieldOffset(128)]
300	public IMAGE_DATA_DIRECTORY CertificateTable;
301
302	[FieldOffset(136)]
303	public IMAGE_DATA_DIRECTORY BaseRelocationTable;
304
305	[FieldOffset(144)]
306	public IMAGE_DATA_DIRECTORY Debug;
307
308	[FieldOffset(152)]
309	public IMAGE_DATA_DIRECTORY Architecture;
310
311	[FieldOffset(160)]
312	public IMAGE_DATA_DIRECTORY GlobalPtr;
313
314	[FieldOffset(168)]
315	public IMAGE_DATA_DIRECTORY TLSTable;
316
317	[FieldOffset(176)]
318	public IMAGE_DATA_DIRECTORY LoadConfigTable;
319
320	[FieldOffset(184)]
321	public IMAGE_DATA_DIRECTORY BoundImport;
322
323	[FieldOffset(192)]
324	public IMAGE_DATA_DIRECTORY IAT;
325
326	[FieldOffset(200)]
327	public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
328
329	[FieldOffset(208)]
330	public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
331
332	[FieldOffset(216)]
333	public IMAGE_DATA_DIRECTORY Reserved;
334	}
335	#endregion
336	#region IMAGE_EXPORT_DIRECTORY
337	[StructLayout(LayoutKind.Sequential)]
338	public struct IMAGE_EXPORT_DIRECTORY
339	{
340	public UInt32 Characteristics;
341	public UInt32 TimeDateStamp;
342	public UInt16 MajorVersion;
343	public UInt16 MinorVersion;
344	public UInt32 Name;
345	public UInt32 Base;
346	public UInt32 NumberOfFunctions;
347	public UInt32 NumberOfNames;
348	public UInt32 AddressOfFunctions; // RVA from base of image
349	public UInt32 AddressOfNames; // RVA from base of image
350	public UInt32 AddressOfNameOrdinals; // RVA from base of image
351	}
352	#endregion
353	#endregion
354	}
355	}