| 1 |
using System; |
| 2 |
using System.Collections.Generic; |
| 3 |
using System.Linq; |
| 4 |
using System.Text; |
| 5 |
using System.IO; |
| 6 |
using RomCheater.Logging; |
| 7 |
using System.Runtime.InteropServices; |
| 8 |
using System.Diagnostics; |
| 9 |
|
| 10 |
namespace Sojaner.MemoryScanner |
| 11 |
{ |
| 12 |
public class PEReader |
| 13 |
{ |
| 14 |
public PEReader(FileInfo fi) : this(fi.FullName) { } |
| 15 |
public PEReader(string filename) { this.Read(filename); } |
| 16 |
|
| 17 |
#region marshalling |
| 18 |
private void Read(string filename) |
| 19 |
{ |
| 20 |
logger.Debug.WriteLine("Reading Exe: {0}", filename); |
| 21 |
|
| 22 |
using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read)) |
| 23 |
{ |
| 24 |
byte[] data = new byte[] { }; |
| 25 |
GCHandle pinnedPacket = new GCHandle(); |
| 26 |
int size = 0; |
| 27 |
BinaryReader br = new BinaryReader(fs); |
| 28 |
|
| 29 |
#region IMAGE_DOS_HEADER |
| 30 |
size = Marshal.SizeOf(typeof(IMAGE_DOS_HEADER)); |
| 31 |
data = br.ReadBytes(size); |
| 32 |
pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned); |
| 33 |
IMAGE_DOS_HEADER DOS_HEADER = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_DOS_HEADER)); |
| 34 |
pinnedPacket.Free(); |
| 35 |
#endregion |
| 36 |
|
| 37 |
// skip the old dos stub |
| 38 |
br.BaseStream.Seek(DOS_HEADER.e_lfanew, SeekOrigin.Begin); |
| 39 |
|
| 40 |
#region IMAGE_NT_HEADERS |
| 41 |
size = Marshal.SizeOf(typeof(IMAGE_NT_HEADERS)); |
| 42 |
data = br.ReadBytes(size); |
| 43 |
pinnedPacket = GCHandle.Alloc(data, GCHandleType.Pinned); |
| 44 |
IMAGE_NT_HEADERS NT_HEADER = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(pinnedPacket.AddrOfPinnedObject(), typeof(IMAGE_NT_HEADERS)); |
| 45 |
pinnedPacket.Free(); |
| 46 |
#endregion |
| 47 |
|
| 48 |
|
| 49 |
br.Close(); |
| 50 |
} |
| 51 |
|
| 52 |
|
| 53 |
} |
| 54 |
#endregion |
| 55 |
|
| 56 |
#region header support |
| 57 |
#region IMAGE_DATA_DIRECTORY |
| 58 |
[StructLayout(LayoutKind.Sequential)] |
| 59 |
public struct IMAGE_DATA_DIRECTORY |
| 60 |
{ |
| 61 |
public UInt32 VirtualAddress; |
| 62 |
public UInt32 Size; |
| 63 |
public bool HasAddress { get { return (VirtualAddress != 0); } } |
| 64 |
public bool HasSize { get { return (Size > 0); } } |
| 65 |
} |
| 66 |
#endregion |
| 67 |
#region IMAGE_FILE_HEADER |
| 68 |
[StructLayout(LayoutKind.Sequential)] |
| 69 |
public struct IMAGE_FILE_HEADER |
| 70 |
{ |
| 71 |
public MachineType Machine; |
| 72 |
public UInt16 NumberOfSections; |
| 73 |
public UInt32 TimeDateStamp; |
| 74 |
public UInt32 PointerToSymbolTable; |
| 75 |
public UInt32 NumberOfSymbols; |
| 76 |
public UInt16 SizeOfOptionalHeader; |
| 77 |
public DllCharacteristicsType Characteristics; |
| 78 |
} |
| 79 |
#endregion |
| 80 |
#region IMAGE_DOS_HEADER |
| 81 |
[StructLayout(LayoutKind.Sequential)] |
| 82 |
public struct IMAGE_DOS_HEADER |
| 83 |
{ |
| 84 |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] |
| 85 |
public char[] e_magic; // Magic number |
| 86 |
public UInt16 e_cblp; // Bytes on last page of file |
| 87 |
public UInt16 e_cp; // Pages in file |
| 88 |
public UInt16 e_crlc; // Relocations |
| 89 |
public UInt16 e_cparhdr; // Size of header in paragraphs |
| 90 |
public UInt16 e_minalloc; // Minimum extra paragraphs needed |
| 91 |
public UInt16 e_maxalloc; // Maximum extra paragraphs needed |
| 92 |
public UInt16 e_ss; // Initial (relative) SS value |
| 93 |
public UInt16 e_sp; // Initial SP value |
| 94 |
public UInt16 e_csum; // Checksum |
| 95 |
public UInt16 e_ip; // Initial IP value |
| 96 |
public UInt16 e_cs; // Initial (relative) CS value |
| 97 |
public UInt16 e_lfarlc; // File address of relocation table |
| 98 |
public UInt16 e_ovno; // Overlay number |
| 99 |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] |
| 100 |
public UInt16[] e_res1; // Reserved words |
| 101 |
public UInt16 e_oemid; // OEM identifier (for e_oeminfo) |
| 102 |
public UInt16 e_oeminfo; // OEM information; e_oemid specific |
| 103 |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] |
| 104 |
public UInt16[] e_res2; // Reserved words |
| 105 |
public Int32 e_lfanew; // File address of new exe header |
| 106 |
private string _e_magic |
| 107 |
{ |
| 108 |
get { return new string(e_magic); } |
| 109 |
} |
| 110 |
public bool isValid |
| 111 |
{ |
| 112 |
get { return _e_magic == "MZ"; } |
| 113 |
} |
| 114 |
} |
| 115 |
#endregion |
| 116 |
#region IMAGE_NT_HEADERS |
| 117 |
[StructLayout(LayoutKind.Explicit)] |
| 118 |
public struct IMAGE_NT_HEADERS |
| 119 |
{ |
| 120 |
[FieldOffset(0)] |
| 121 |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] |
| 122 |
public char[] Signature; |
| 123 |
|
| 124 |
[FieldOffset(4)] |
| 125 |
public IMAGE_FILE_HEADER FileHeader; |
| 126 |
|
| 127 |
[FieldOffset(24)] |
| 128 |
public IMAGE_OPTIONAL_HEADER OptionalHeader; |
| 129 |
|
| 130 |
private string _Signature |
| 131 |
{ |
| 132 |
get { return new string(Signature); } |
| 133 |
} |
| 134 |
|
| 135 |
public bool isValid |
| 136 |
{ |
| 137 |
get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); } |
| 138 |
} |
| 139 |
} |
| 140 |
#endregion |
| 141 |
#region MachineType |
| 142 |
public enum MachineType : ushort |
| 143 |
{ |
| 144 |
Native = 0, |
| 145 |
I386 = 0x014c, |
| 146 |
Itanium = 0x0200, |
| 147 |
x64 = 0x8664 |
| 148 |
} |
| 149 |
#endregion |
| 150 |
#region MagicType |
| 151 |
public enum MagicType : ushort |
| 152 |
{ |
| 153 |
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b, |
| 154 |
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b |
| 155 |
} |
| 156 |
#endregion |
| 157 |
#region SubSystemType |
| 158 |
public enum SubSystemType : ushort |
| 159 |
{ |
| 160 |
IMAGE_SUBSYSTEM_UNKNOWN = 0, |
| 161 |
IMAGE_SUBSYSTEM_NATIVE = 1, |
| 162 |
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2, |
| 163 |
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3, |
| 164 |
IMAGE_SUBSYSTEM_POSIX_CUI = 7, |
| 165 |
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9, |
| 166 |
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10, |
| 167 |
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11, |
| 168 |
IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12, |
| 169 |
IMAGE_SUBSYSTEM_EFI_ROM = 13, |
| 170 |
IMAGE_SUBSYSTEM_XBOX = 14 |
| 171 |
|
| 172 |
} |
| 173 |
#endregion |
| 174 |
#region DllCharacteristicsType |
| 175 |
[Flags] |
| 176 |
public enum DllCharacteristicsType : ushort |
| 177 |
{ |
| 178 |
RES_0 = 0x0001, |
| 179 |
RES_1 = 0x0002, |
| 180 |
RES_2 = 0x0004, |
| 181 |
RES_3 = 0x0008, |
| 182 |
IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040, |
| 183 |
IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080, |
| 184 |
IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100, |
| 185 |
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200, |
| 186 |
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400, |
| 187 |
IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800, |
| 188 |
RES_4 = 0x1000, |
| 189 |
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000, |
| 190 |
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000 |
| 191 |
} |
| 192 |
#endregion |
| 193 |
#region IMAGE_OPTIONAL_HEADER |
| 194 |
[StructLayout(LayoutKind.Explicit)] |
| 195 |
public struct IMAGE_OPTIONAL_HEADER |
| 196 |
{ |
| 197 |
[FieldOffset(0)] |
| 198 |
public MagicType Magic; |
| 199 |
|
| 200 |
[FieldOffset(2)] |
| 201 |
public byte MajorLinkerVersion; |
| 202 |
|
| 203 |
[FieldOffset(3)] |
| 204 |
public byte MinorLinkerVersion; |
| 205 |
|
| 206 |
[FieldOffset(4)] |
| 207 |
public uint SizeOfCode; |
| 208 |
|
| 209 |
[FieldOffset(8)] |
| 210 |
public uint SizeOfInitializedData; |
| 211 |
|
| 212 |
[FieldOffset(12)] |
| 213 |
public uint SizeOfUninitializedData; |
| 214 |
|
| 215 |
[FieldOffset(16)] |
| 216 |
public uint AddressOfEntryPoint; |
| 217 |
|
| 218 |
[FieldOffset(20)] |
| 219 |
public uint BaseOfCode; |
| 220 |
|
| 221 |
// PE32 contains this additional field |
| 222 |
[FieldOffset(24)] |
| 223 |
public uint BaseOfData; |
| 224 |
|
| 225 |
[FieldOffset(28)] |
| 226 |
public uint ImageBase; |
| 227 |
|
| 228 |
[FieldOffset(32)] |
| 229 |
public uint SectionAlignment; |
| 230 |
|
| 231 |
[FieldOffset(36)] |
| 232 |
public uint FileAlignment; |
| 233 |
|
| 234 |
[FieldOffset(40)] |
| 235 |
public ushort MajorOperatingSystemVersion; |
| 236 |
|
| 237 |
[FieldOffset(42)] |
| 238 |
public ushort MinorOperatingSystemVersion; |
| 239 |
|
| 240 |
[FieldOffset(44)] |
| 241 |
public ushort MajorImageVersion; |
| 242 |
|
| 243 |
[FieldOffset(46)] |
| 244 |
public ushort MinorImageVersion; |
| 245 |
|
| 246 |
[FieldOffset(48)] |
| 247 |
public ushort MajorSubsystemVersion; |
| 248 |
|
| 249 |
[FieldOffset(50)] |
| 250 |
public ushort MinorSubsystemVersion; |
| 251 |
|
| 252 |
[FieldOffset(52)] |
| 253 |
public uint Win32VersionValue; |
| 254 |
|
| 255 |
[FieldOffset(56)] |
| 256 |
public uint SizeOfImage; |
| 257 |
|
| 258 |
[FieldOffset(60)] |
| 259 |
public uint SizeOfHeaders; |
| 260 |
|
| 261 |
[FieldOffset(64)] |
| 262 |
public uint CheckSum; |
| 263 |
|
| 264 |
[FieldOffset(68)] |
| 265 |
public SubSystemType Subsystem; |
| 266 |
|
| 267 |
[FieldOffset(70)] |
| 268 |
public DllCharacteristicsType DllCharacteristics; |
| 269 |
|
| 270 |
[FieldOffset(72)] |
| 271 |
public uint SizeOfStackReserve; |
| 272 |
|
| 273 |
[FieldOffset(76)] |
| 274 |
public uint SizeOfStackCommit; |
| 275 |
|
| 276 |
[FieldOffset(80)] |
| 277 |
public uint SizeOfHeapReserve; |
| 278 |
|
| 279 |
[FieldOffset(84)] |
| 280 |
public uint SizeOfHeapCommit; |
| 281 |
|
| 282 |
[FieldOffset(88)] |
| 283 |
public uint LoaderFlags; |
| 284 |
|
| 285 |
[FieldOffset(92)] |
| 286 |
public uint NumberOfRvaAndSizes; |
| 287 |
|
| 288 |
[FieldOffset(96)] |
| 289 |
public IMAGE_DATA_DIRECTORY ExportTable; |
| 290 |
|
| 291 |
[FieldOffset(104)] |
| 292 |
public IMAGE_DATA_DIRECTORY ImportTable; |
| 293 |
|
| 294 |
[FieldOffset(112)] |
| 295 |
public IMAGE_DATA_DIRECTORY ResourceTable; |
| 296 |
|
| 297 |
[FieldOffset(120)] |
| 298 |
public IMAGE_DATA_DIRECTORY ExceptionTable; |
| 299 |
|
| 300 |
[FieldOffset(128)] |
| 301 |
public IMAGE_DATA_DIRECTORY CertificateTable; |
| 302 |
|
| 303 |
[FieldOffset(136)] |
| 304 |
public IMAGE_DATA_DIRECTORY BaseRelocationTable; |
| 305 |
|
| 306 |
[FieldOffset(144)] |
| 307 |
public IMAGE_DATA_DIRECTORY Debug; |
| 308 |
|
| 309 |
[FieldOffset(152)] |
| 310 |
public IMAGE_DATA_DIRECTORY Architecture; |
| 311 |
|
| 312 |
[FieldOffset(160)] |
| 313 |
public IMAGE_DATA_DIRECTORY GlobalPtr; |
| 314 |
|
| 315 |
[FieldOffset(168)] |
| 316 |
public IMAGE_DATA_DIRECTORY TLSTable; |
| 317 |
|
| 318 |
[FieldOffset(176)] |
| 319 |
public IMAGE_DATA_DIRECTORY LoadConfigTable; |
| 320 |
|
| 321 |
[FieldOffset(184)] |
| 322 |
public IMAGE_DATA_DIRECTORY BoundImport; |
| 323 |
|
| 324 |
[FieldOffset(192)] |
| 325 |
public IMAGE_DATA_DIRECTORY IAT; |
| 326 |
|
| 327 |
[FieldOffset(200)] |
| 328 |
public IMAGE_DATA_DIRECTORY DelayImportDescriptor; |
| 329 |
|
| 330 |
[FieldOffset(208)] |
| 331 |
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader; |
| 332 |
|
| 333 |
[FieldOffset(216)] |
| 334 |
public IMAGE_DATA_DIRECTORY Reserved; |
| 335 |
} |
| 336 |
#endregion |
| 337 |
#region IMAGE_EXPORT_DIRECTORY |
| 338 |
[StructLayout(LayoutKind.Sequential)] |
| 339 |
public struct IMAGE_EXPORT_DIRECTORY |
| 340 |
{ |
| 341 |
public UInt32 Characteristics; |
| 342 |
public UInt32 TimeDateStamp; |
| 343 |
public UInt16 MajorVersion; |
| 344 |
public UInt16 MinorVersion; |
| 345 |
public UInt32 Name; |
| 346 |
public UInt32 Base; |
| 347 |
public UInt32 NumberOfFunctions; |
| 348 |
public UInt32 NumberOfNames; |
| 349 |
public UInt32 AddressOfFunctions; // RVA from base of image |
| 350 |
public UInt32 AddressOfNames; // RVA from base of image |
| 351 |
public UInt32 AddressOfNameOrdinals; // RVA from base of image |
| 352 |
} |
| 353 |
#endregion |
| 354 |
#endregion |
| 355 |
} |
| 356 |
} |
