/[RomCheater]/trunk/Win32/Sojaner.MemoryScanner/PEReader.cs
ViewVC logotype

Diff of /trunk/Win32/Sojaner.MemoryScanner/PEReader.cs

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

--- trunk/Win32/Sojaner.MemoryScanner/PEReader.cs	2012/06/05 17:57:37	318
+++ trunk/Win32/Sojaner.MemoryScanner/PEReader.cs	2012/06/05 18:39:06	319
@@ -15,6 +15,26 @@
     {
         // Code (C) Sergey utilized from: http://www.sergeyakopov.com/2010/11/03/reading-pe-format-using-data-marshalling-in-net/
         #region Structs
+
+        [Flags]
+        public enum MachineTypeFlags
+        {
+            x86 = 0x14C,
+            Alpha = 0x184,
+            ARM = 0x1C0,
+            MIPS16R3000 = 0x162,
+            MIPS16R4000 = 0x166,
+            MIPS16R10000 = 0x168,
+            PowerPCLE = 0x1F0,
+            PowerPCBE = 0x1F2,
+            Itanium = 0x200,
+            MIPS16 = 0x266,
+            Alpha64 = 0x284,
+            MIPSFPU = 0x366,
+            MIPSFPU16 = 0x466,
+            x64 = 0x8664,
+        }
+
         [TypeConverter(typeof(ExpandableObjectConverter))]
         [StructLayout(LayoutKind.Sequential)]
         public struct IMAGE_DOS_HEADER
@@ -61,27 +81,79 @@
             public ushort[] e_res2 { get { return _e_res2; } }
             public string e_lfanew { get { return string.Format("0x{0:x8}", _e_lfanew); } }
 
+            public override string ToString()
+            {
+                return Encoding.UTF8.GetString(BitConverter.GetBytes(_e_magic));
+            }
         }
         [TypeConverter(typeof(ExpandableObjectConverter))]
         [StructLayout(LayoutKind.Sequential)]
         public struct IMAGE_NT_HEADERS
         {
-            public UInt32 Signature;
-            public IMAGE_FILE_HEADER FileHeader;
-            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32;
-            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64;
+            public UInt32 _Signature;
+            public IMAGE_FILE_HEADER _FileHeader;
+            public IMAGE_OPTIONAL_HEADER32 _OptionalHeader32;
+            public IMAGE_OPTIONAL_HEADER64 _OptionalHeader64;
+
+            public string Signature { get { return string.Format("0x{0:x8}", _Signature); } }
+            public IMAGE_FILE_HEADER FileHeader { get { return _FileHeader; } }
+            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32 { get { return _OptionalHeader32;} }
+            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64 { get { return _OptionalHeader64;} }
+
+            public override string ToString()
+            {
+                return Encoding.UTF8.GetString(BitConverter.GetBytes(_Signature));
+            }
         }
         [TypeConverter(typeof(ExpandableObjectConverter))]
         [StructLayout(LayoutKind.Sequential)]
         public struct IMAGE_FILE_HEADER
         {
-            public UInt16 Machine;
-            public UInt16 NumberOfSections;
-            public UInt32 TimeDateStamp;
-            public UInt32 PointerToSymbolTable;
-            public UInt32 NumberOfSymbols;
-            public UInt16 SizeOfOptionalHeader;
-            public UInt16 Characteristics;
+            public UInt16 _MachineType;
+            public UInt16 _NumberOfSections;
+            public UInt32 _TimeDateStamp;
+            public UInt32 _PointerToSymbolTable;
+            public UInt32 _NumberOfSymbols;
+            public UInt16 _SizeOfOptionalHeader;
+            public UInt16 _Characteristics;
+
+
+            public string MachineType { get { return ((MachineTypeFlags)_MachineType).ToString(); } }
+            public string NumberOfSections { get { return string.Format("0x{0:x4}", _NumberOfSections); } }
+            public string TimeDateStamp { get { return string.Format("{0} (0x{1:x8})", GetDateTimeFromDosDateTime(_TimeDateStamp).ToString(), _TimeDateStamp); } }
+            public string PointerToSymbolTable { get { return string.Format("0x{0:x8}", _PointerToSymbolTable); } }
+            public string NumberOfSymbols { get { return string.Format("0x{0:x8}", _NumberOfSymbols); } }
+            public string SizeOfOptionalHeader { get { return string.Format("0x{0:x4}", _SizeOfOptionalHeader); } }
+            public string Characteristics { get { return string.Format("0x{0:x4}", _Characteristics); } }
+            public override string ToString()
+            {
+                return MachineType;
+            }
+
+            private DateTime GetDateTimeFromDosDateTime(UInt32 i32TimeDate)
+            {
+                UInt16 i16Time = (UInt16)(i32TimeDate & 0xFFFF);
+                UInt16 i16Date = (UInt16)((i32TimeDate & 0xFFFF0000) >> 16);
+                return GetDateTimeFromDosDateTime(i16Time, i16Date);
+            }
+            private DateTime GetDateTimeFromDosDateTime(UInt16 i16Time, UInt16 i16Date)
+            {
+                int iYear = 0;
+                int iMonth = 1;
+                int iDay = 1;
+                int iHour = 0;
+                int iMinute = 0;
+                int iSecond = 0;
+                iDay = (i16Date & 0x1F);
+                iMonth = ((i16Date & 0x01E0) >> 5);
+                iYear = 1980 + ((i16Date & 0xFE00) >> 9);
+                iSecond = (i16Time & 0x1F) * 2;
+                iMinute = ((i16Time & 0x07E0) >> 5);
+                iHour = ((i16Time & 0x0F800) >> 11);
+                return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond);
+
+            }
+
         }
         [TypeConverter(typeof(ExpandableObjectConverter))]
         [StructLayout(LayoutKind.Sequential)]
@@ -168,25 +240,44 @@
         public struct IMAGE_SECTION_HEADER
         {
             [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
-            public string Name;
-            public Misc Misc;
-            public UInt32 VirtualAddress;
-            public UInt32 SizeOfRawData;
-            public UInt32 PointerToRawData;
-            public UInt32 PointerToRelocations;
-            public UInt32 PointerToLinenumbers;
-            public UInt16 NumberOfRelocations;
-            public UInt16 NumberOfLinenumbers;
-            public UInt32 Characteristics;
+            public string _Name;
+            public Misc _Misc;
+            public UInt32 _VirtualAddress;
+            public UInt32 _SizeOfRawData;
+            public UInt32 _PointerToRawData;
+            public UInt32 _PointerToRelocations;
+            public UInt32 _PointerToLinenumbers;
+            public UInt16 _NumberOfRelocations;
+            public UInt16 _NumberOfLinenumbers;
+            public UInt32 _Characteristics;
+
+            public string Name { get { return _Name; } }
+            public Misc Misc { get { return _Misc; } }
+            public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
+            public string SizeOfRawData { get { return string.Format("0x{0:x8}", _SizeOfRawData); } }
+            public string PointerToRawData { get { return string.Format("0x{0:x8}", _PointerToRawData); } }
+            public string PointerToRelocations { get { return string.Format("0x{0:x8}", _PointerToRelocations); } }
+            public string PointerToLinenumbers { get { return string.Format("0x{0:x8}", _PointerToLinenumbers); } }
+            public string NumberOfRelocations { get { return string.Format("0x{0:x4}", _NumberOfRelocations); } }
+            public string NumberOfLinenumbers { get { return string.Format("0x{0:x4}", _NumberOfLinenumbers); } }
+            public string Characteristics { get { return string.Format("0x{0:x8}", _Characteristics); } }
+            public override string ToString()
+            {
+                return Name;
+            }
         }
         [TypeConverter(typeof(ExpandableObjectConverter))]
         [StructLayout(LayoutKind.Explicit)]
         public struct Misc
         {
             [FieldOffset(0)]
-            public UInt32 PhysicalAddress;
+            public UInt32 _PhysicalAddress;
             [FieldOffset(0)]
-            public UInt32 VirtualSize;
+            public UInt32 _VirtualSize;
+
+            public string PhysicalAddress { get { return string.Format("0x{0:x8}", _PhysicalAddress); } }
+            public string VirtualSize { get { return string.Format("0x{0:x8}", _VirtualSize); } }
+
         }
 
         #endregion
@@ -242,15 +333,15 @@
         {
             get 
             {
-                PEData _data = new PEData(_dosHeader, _ntHeaders, _sectionHeaders);
+                PEData _data = new PEData(_dosHeader, _ntHeaders, _sectionHeaders.ToArray());
                 return _data;
             }
         }
         #region t
         public class PEData
         {
-            public PEData():this(new IMAGE_DOS_HEADER(),new IMAGE_NT_HEADERS(),new List<IMAGE_SECTION_HEADER>())            {            }
-            public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IList<IMAGE_SECTION_HEADER> SectionHeaders)
+            public PEData() : this(new IMAGE_DOS_HEADER(), new IMAGE_NT_HEADERS(), new IMAGE_SECTION_HEADER[] { }) { }
+            public PEData(IMAGE_DOS_HEADER DosHeader, IMAGE_NT_HEADERS NTHeader, IMAGE_SECTION_HEADER[] SectionHeaders)
             {
                 this.DosHeader = DosHeader;
                 this.NTHeader = NTHeader;
@@ -258,7 +349,7 @@
             }
             public IMAGE_DOS_HEADER DosHeader { get; private set; }
             public IMAGE_NT_HEADERS NTHeader { get; private set; }
-            public IList<IMAGE_SECTION_HEADER> SectionHeaders { get; private set; }
+            public IMAGE_SECTION_HEADER[] SectionHeaders { get; private set; }
         }
 
         #endregion
@@ -288,15 +379,15 @@
                     reader.BaseStream.Seek(_dosHeader._e_lfanew, SeekOrigin.Begin);
 
                     // Read NT Headers
-                    _ntHeaders.Signature = MarshalBytesTo<UInt32>(reader);
+                    _ntHeaders._Signature = MarshalBytesTo<UInt32>(reader);
 
                     // Make sure we have 'PE' in the pe signature
-                    if (_ntHeaders.Signature != 0x4550)
+                    if (_ntHeaders._Signature != 0x4550)
                     {
                         throw new InvalidOperationException("Invalid portable executable signature in NT header.");
                     }
 
-                    _ntHeaders.FileHeader = MarshalBytesTo<IMAGE_FILE_HEADER>(reader);                    
+                    _ntHeaders._FileHeader = MarshalBytesTo<IMAGE_FILE_HEADER>(reader);                    
                     // Read optional headers
                     if (Is32bitAssembly())
                     {
@@ -323,10 +414,10 @@
                         log.verbose.debug.writeline("\t\tPointer To Raw Data: 0x{0:x8}", header.PointerToRawData);
 
                         // Skip to beginning of a section
-                        reader.BaseStream.Seek(header.PointerToRawData, SeekOrigin.Begin);
+                        reader.BaseStream.Seek(header._PointerToRawData, SeekOrigin.Begin);
 
                         // Read section data... and do something with it
-                        byte[] sectiondata = reader.ReadBytes((int)header.SizeOfRawData);
+                        byte[] sectiondata = reader.ReadBytes((int)header._SizeOfRawData);
                     }
                     reader.Close();
                 }
@@ -350,7 +441,7 @@
 
         public UInt32 GetPESignature()
         {
-            return _ntHeaders.Signature;
+            return _ntHeaders._Signature;
         }
 
         public IMAGE_FILE_HEADER GetFileHeader()
@@ -375,12 +466,12 @@
 
         public bool Is32bitAssembly()
         {
-            return ((_ntHeaders.FileHeader.Characteristics & 0x0100) == 0x0100);
+            return ((_ntHeaders.FileHeader._Characteristics & 0x0100) == 0x0100);
         }
 
         private void Load64bitOptionalHeaders(BinaryReader reader)
         {
-            _ntHeaders.OptionalHeader64 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER64>(reader);
+            _ntHeaders._OptionalHeader64 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER64>(reader);
 
             // Should have 10 data directories
             if (_ntHeaders.OptionalHeader64.NumberOfRvaAndSizes != 0x10)
@@ -400,7 +491,7 @@
 
         private void Load32bitOptionalHeaders(BinaryReader reader)
         {
-            _ntHeaders.OptionalHeader32 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER32>(reader);
+            _ntHeaders._OptionalHeader32 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER32>(reader);
 
             // Should have 10 data directories
             if (_ntHeaders.OptionalHeader32.NumberOfRvaAndSizes != 0x10)

 

  ViewVC Help
Powered by ViewVC 1.1.22