--- trunk/Win32/Sojaner.MemoryScanner/PEReader.cs 2012/06/05 18:39:06 319
+++ trunk/Win32/Sojaner.MemoryScanner/PEReader.cs 2012/06/05 23:20:12 322
@@ -34,7 +34,43 @@
 MIPSFPU16 = 0x466,
 x64 = 0x8664,
 }
-
+ public enum MagicType : ushort
+ {
+ NT_OPTIONAL_HEADER_NOT_PRESENT, // 0
+ NT_OPTIONAL_HEADER_32 = 0x10b,
+ NT_OPTIONAL_HEADER_64 = 0x20b
+ }
+ public enum SubSystemType : ushort
+ {
+ IMAGE_SUBSYSTEM_UNKNOWN = 0,
+ IMAGE_SUBSYSTEM_NATIVE = 1,
+ IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
+ IMAGE_SUBSYSTEM_WINDOWS_CUI = 3,
+ IMAGE_SUBSYSTEM_POSIX_CUI = 7,
+ IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9,
+ IMAGE_SUBSYSTEM_EFI_APPLICATION = 10,
+ IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11,
+ IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12,
+ IMAGE_SUBSYSTEM_EFI_ROM = 13,
+ IMAGE_SUBSYSTEM_XBOX = 14
+
+ }
+ public enum DllCharacteristicsType : ushort
+ {
+ RES_0 = 0x0001,
+ RES_1 = 0x0002,
+ RES_2 = 0x0004,
+ RES_3 = 0x0008,
+ IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
+ IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
+ IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
+ IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
+ IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
+ IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
+ RES_4 = 0x1000,
+ IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
+ IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
+ }
 [TypeConverter(typeof(ExpandableObjectConverter))]
 [StructLayout(LayoutKind.Sequential)]
 public struct IMAGE_DOS_HEADER
@@ -111,7 +147,7 @@
 {
 public UInt16 _MachineType;
 public UInt16 _NumberOfSections;
- public UInt32 _TimeDateStamp;
+ public Int32 _TimeDateStamp;
 public UInt32 _PointerToSymbolTable;
 public UInt32 _NumberOfSymbols;
 public UInt16 _SizeOfOptionalHeader;
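Review bot: `DllCharacteristicsType` is a bit mask (every member is a single bit) but is declared without `[Flags]`, so casting a real header value such as DYNAMIC_BASE|NX_COMPAT to it and calling `ToString()` yields a bare number instead of the flag names; add `[Flags]` on the line above `public enum DllCharacteristicsType : ushort`. The member names also mix two spellings (`IMAGE_DLL_CHARACTERISTICS_` for the first three flags, `IMAGE_DLLCHARACTERISTICS_` for the rest), which makes the enum awkward to match against the winnt.h names. `RES_4 = 0x1000` is the AppContainer bit in later SDK headers, and bits 0x0020 (high-entropy VA) and 0x4000 (Control Flow Guard) are absent, so a decoded view would silently omit exactly the hardening flags a scanner most wants to surface. Nothing in this hunk consumes the new enum; the `DllCharacteristics` property added later in this commit still prints raw hex.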
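Review bot: `_TimeDateStamp` changes from `UInt32` to `Int32`, but IMAGE_FILE_HEADER.TimeDateStamp is an unsigned DWORD, so any stamp with the top bit set (a date after 2038-01-19, or the hash-style values some linkers write for reproducible builds) now reads as a negative number; keep `public UInt32 _TimeDateStamp;` and widen at the point of use instead. The change appears to exist only to match the new `Int32` overload of `GetDateTimeFromDosDateTime` in the following hunk, which is the side better adjusted. Marshalling is unaffected either way since both types occupy four bytes.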
@@ -130,28 +166,34 @@ return MachineType; } - private DateTime GetDateTimeFromDosDateTime(UInt32 i32TimeDate) + private DateTime GetDateTimeFromDosDateTime(Int32 i32TimeDate) { - UInt16 i16Time = (UInt16)(i32TimeDate & 0xFFFF); - UInt16 i16Date = (UInt16)((i32TimeDate & 0xFFFF0000) >> 16); + Int16 i16Time = (Int16)(i32TimeDate & 0xFFFF); + Int16 i16Date = (Int16)((i32TimeDate & 0xFFFF0000) >> 16); return GetDateTimeFromDosDateTime(i16Time, i16Date); } - private DateTime GetDateTimeFromDosDateTime(UInt16 i16Time, UInt16 i16Date) + private DateTime GetDateTimeFromDosDateTime(Int16 i16Time, Int16 i16Date) { - int iYear = 0; - int iMonth = 1; - int iDay = 1; - int iHour = 0; - int iMinute = 0; - int iSecond = 0; - iDay = (i16Date & 0x1F); - iMonth = ((i16Date & 0x01E0) >> 5); - iYear = 1980 + ((i16Date & 0xFE00) >> 9); - iSecond = (i16Time & 0x1F) * 2; - iMinute = ((i16Time & 0x07E0) >> 5); - iHour = ((i16Time & 0x0F800) >> 11); - return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond); - + try + { + int iYear = 0; + int iMonth = 1; + int iDay = 1; + int iHour = 0; + int iMinute = 0; + int iSecond = 0; + iDay = (i16Date & 0x1F); + iMonth = ((i16Date & 0x01E0) >> 5); + iYear = 1980 + ((i16Date & 0xFE00) >> 9); + iSecond = (i16Time & 0x1F) * 2; + iMinute = ((i16Time & 0x07E0) >> 5); + iHour = ((i16Time & 0x0F800) >> 11); + return new DateTime(iYear, iMonth, iDay, iHour, iMinute, iSecond); + } + catch + { + return new DateTime(); + } } } 
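Review bot: The new bare `catch` in `GetDateTimeFromDosDateTime(Int16, Int16)` swallows every exception and returns `new DateTime()` (0001-01-01), which a caller cannot tell apart from a decoded value; the only exception the `DateTime` constructor can raise here is `ArgumentOutOfRangeException` (month 0 or above 12, day 0, hour above 23 and so on from a corrupt or hostile header), so narrow it to `catch (ArgumentOutOfRangeException)` and document the sentinel with `// malformed DOS date/time: callers must treat DateTime.MinValue as "unknown"`. Range-checking the six extracted fields before constructing the DateTime would avoid the exception path entirely. If this helper is what decodes `_TimeDateStamp` (the call site is outside the hunk), note that the PE file header stores seconds since 1970-01-01 UTC rather than a packed DOS date/time, so splitting it into `i16Time`/`i16Date` misreads it; `new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(stamp)` is the decode for that field.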
@@ -159,81 +201,171 @@
 [StructLayout(LayoutKind.Sequential)]
 public struct IMAGE_OPTIONAL_HEADER32
 {
- public UInt16 Magic;
- public Byte MajorLinkerVersion;
- public Byte MinorLinkerVersion;
- public UInt32 SizeOfCode;
- public UInt32 SizeOfInitializedData;
- public UInt32 SizeOfUninitializedData;
- public UInt32 AddressOfEntryPoint;
- public UInt32 BaseOfCode;
- public UInt32 BaseOfData;
- public UInt32 ImageBase;
- public UInt32 SectionAlignment;
- public UInt32 FileAlignment;
- public UInt16 MajorOperatingSystemVersion;
- public UInt16 MinorOperatingSystemVersion;
- public UInt16 MajorImageVersion;
- public UInt16 MinorImageVersion;
- public UInt16 MajorSubsystemVersion;
- public UInt16 MinorSubsystemVersion;
- public UInt32 Win32VersionValue;
- public UInt32 SizeOfImage;
- public UInt32 SizeOfHeaders;
- public UInt32 CheckSum;
- public UInt16 Subsystem;
- public UInt16 DllCharacteristics;
- public UInt32 SizeOfStackReserve;
- public UInt32 SizeOfStackCommit;
- public UInt32 SizeOfHeapReserve;
- public UInt32 SizeOfHeapCommit;
- public UInt32 LoaderFlags;
- public UInt32 NumberOfRvaAndSizes;
+ public UInt16 _Magic;
+ public Byte _MajorLinkerVersion;
+ public Byte _MinorLinkerVersion;
+ public UInt32 _SizeOfCode;
+ public UInt32 _SizeOfInitializedData;
+ public UInt32 _SizeOfUninitializedData;
+ public UInt32 _AddressOfEntryPoint;
+ public UInt32 _BaseOfCode;
+ public UInt32 _BaseOfData; // 32-but specific
+ public UInt32 _ImageBase;
+ public UInt32 _SectionAlignment;
+ public UInt32 _FileAlignment;
+ public UInt16 _MajorOperatingSystemVersion;
+ public UInt16 _MinorOperatingSystemVersion;
+ public UInt16 _MajorImageVersion;
+ public UInt16 _MinorImageVersion;
+ public UInt16 _MajorSubsystemVersion;
+ public UInt16 _MinorSubsystemVersion;
+ public UInt32 _Win32VersionValue;
+ public UInt32 _SizeOfImage;
+ public UInt32 _SizeOfHeaders;
+ public UInt32 _CheckSum;
+ public UInt16 _Subsystem;
+ public UInt16 _DllCharacteristics;
+ public UInt32 _SizeOfStackReserve;
+ public UInt32 _SizeOfStackCommit;
+ public UInt32 _SizeOfHeapReserve;
+ public UInt32 _SizeOfHeapCommit;
+ public UInt32 _LoaderFlags;
+ public UInt32 _NumberOfRvaAndSizes;
 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
- public IMAGE_DATA_DIRECTORY[] DataDirectory;
+ public IMAGE_DATA_DIRECTORY[] _DataDirectory;
+
+
+ public string Magic { get { return ((MagicType)_Magic).ToString(); } }
+ public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+ public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+
+ public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
+ public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
+ public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
+ public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
+ public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
+ public string BaseOfData { get { return string.Format("0x{0:x8}", _BaseOfData); } }
+ public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
+
+ public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
+ public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
+
+ public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
+ public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
+ public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
+ public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
+ public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
+ public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
+
+ public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
+ public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
+ public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
+ public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
+
+ public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
+ public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
+
+ public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
+ public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
+ public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
+ public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
+
+ public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
+ public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
+ public override string ToString()
+ {
+ return Magic;
+ }
 }
 [TypeConverter(typeof(ExpandableObjectConverter))]
 [StructLayout(LayoutKind.Sequential)]
 public struct IMAGE_OPTIONAL_HEADER64
 {
- public UInt16 Magic;
- public Byte MajorLinkerVersion;
- public Byte MinorLinkerVersion;
- public UInt32 SizeOfCode;
- public UInt32 SizeOfInitializedData;
- public UInt32 SizeOfUninitializedData;
- public UInt32 AddressOfEntryPoint;
- public UInt32 BaseOfCode;
- public UInt64 ImageBase;
- public UInt32 SectionAlignment;
- public UInt32 FileAlignment;
- public UInt16 MajorOperatingSystemVersion;
- public UInt16 MinorOperatingSystemVersion;
- public UInt16 MajorImageVersion;
- public UInt16 MinorImageVersion;
- public UInt16 MajorSubsystemVersion;
- public UInt16 MinorSubsystemVersion;
- public UInt32 Win32VersionValue;
- public UInt32 SizeOfImage;
- public UInt32 SizeOfHeaders;
- public UInt32 CheckSum;
- public UInt16 Subsystem;
- public UInt16 DllCharacteristics;
- public UInt64 SizeOfStackReserve;
- public UInt64 SizeOfStackCommit;
- public UInt64 SizeOfHeapReserve;
- public UInt64 SizeOfHeapCommit;
- public UInt32 LoaderFlags;
- public UInt32 NumberOfRvaAndSizes;
+ public UInt16 _Magic;
+ public Byte _MajorLinkerVersion;
+ public Byte _MinorLinkerVersion;
+ public UInt32 _SizeOfCode;
+ public UInt32 _SizeOfInitializedData;
+ public UInt32 _SizeOfUninitializedData;
+ public UInt32 _AddressOfEntryPoint;
+ public UInt32 _BaseOfCode;
+ public UInt64 _ImageBase;
+ public UInt32 _SectionAlignment;
+ public UInt32 _FileAlignment;
+ public UInt16 _MajorOperatingSystemVersion;
+ public UInt16 _MinorOperatingSystemVersion;
+ public UInt16 _MajorImageVersion;
+ public UInt16 _MinorImageVersion;
+ public UInt16 _MajorSubsystemVersion;
+ public UInt16 _MinorSubsystemVersion;
+ public UInt32 _Win32VersionValue;
+ public UInt32 _SizeOfImage;
+ public UInt32 _SizeOfHeaders;
+ public UInt32 _CheckSum;
+ public UInt16 _Subsystem;
+ public UInt16 _DllCharacteristics;
+ public UInt64 _SizeOfStackReserve;
+ public UInt64 _SizeOfStackCommit;
+ public UInt64 _SizeOfHeapReserve;
+ public UInt64 _SizeOfHeapCommit;
+ public UInt32 _LoaderFlags;
+ public UInt32 _NumberOfRvaAndSizes;
 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
- public IMAGE_DATA_DIRECTORY[] DataDirectory;
+ public IMAGE_DATA_DIRECTORY[] _DataDirectory;
+
+
+ public string Magic { get { return ((MagicType)_Magic).ToString(); } }
+ public string MajorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+ public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MajorLinkerVersion); } }
+
+ public string SizeOfCode { get { return string.Format("0x{0:x2}", _SizeOfCode); } }
+ public string SizeOfInitializedData { get { return string.Format("0x{0:x8}", _SizeOfInitializedData); } }
+ public string SizeOfUninitializedData { get { return string.Format("0x{0:x8}", _SizeOfUninitializedData); } }
+ public string AddressOfEntryPoint { get { return string.Format("0x{0:x8}", _AddressOfEntryPoint); } }
+ public string BaseOfCode { get { return string.Format("0x{0:x8}", _BaseOfCode); } }
+
+ public string ImageBase { get { return string.Format("0x{0:x16}", _ImageBase); } }
+
+ public string SectionAlignment { get { return string.Format("0x{0:x8}", _SectionAlignment); } }
+ public string FileAlignment { get { return string.Format("0x{0:x8}", _FileAlignment); } }
+
+ public string MajorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MajorOperatingSystemVersion); } }
+ public string MinorOperatingSystemVersion { get { return string.Format("0x{0:x4}", _MinorOperatingSystemVersion); } }
+ public string MajorImageVersion { get { return string.Format("0x{0:x4}", _MajorImageVersion); } }
+ public string MinorImageVersion { get { return string.Format("0x{0:x4}", _MinorImageVersion); } }
+ public string MajorSubsystemVersion { get { return string.Format("0x{0:x4}", _MajorSubsystemVersion); } }
+ public string MinorSubsystemVersion { get { return string.Format("0x{0:x4}", _MinorSubsystemVersion); } }
+
+ public string Win32VersionValue { get { return string.Format("0x{0:x8}", _Win32VersionValue); } }
+ public string SizeOfImage { get { return string.Format("0x{0:x8}", _SizeOfImage); } }
+ public string SizeOfHeaders { get { return string.Format("0x{0:x8}", _SizeOfHeaders); } }
+ public string CheckSum { get { return string.Format("0x{0:x8}", _CheckSum); } }
+
+ public string Subsystem { get { return ((SubSystemType)_Subsystem).ToString(); } }
+ public string DllCharacteristics { get { return string.Format("0x{0:x4}", _DllCharacteristics); } }
+
+ public string SizeOfStackReserve { get { return string.Format("0x{0:x16}", _SizeOfStackReserve); } }
+ public string SizeOfStackCommit { get { return string.Format("0x{0:x16}", _SizeOfStackCommit); } }
+ public string SizeOfHeapReserve { get { return string.Format("0x{0:x16}", _SizeOfHeapReserve); } }
+ public string SizeOfHeapCommit { get { return string.Format("0x{0:x16}", _SizeOfHeapCommit); } }
+
+ public string LoaderFlags { get { return string.Format("0x{0:x8}", _LoaderFlags); } }
+ public string NumberOfRvaAndSizes { get { return string.Format("0x{0:x8}", _NumberOfRvaAndSizes); } }
+
+ public override string ToString()
+ {
+ return Magic;
+ }
 }
 [TypeConverter(typeof(ExpandableObjectConverter))]
 [StructLayout(LayoutKind.Sequential)]
 public struct IMAGE_DATA_DIRECTORY
 {
- public UInt32 VirtualAddress;
- public UInt32 Size;
+ public UInt32 _VirtualAddress;
+ public UInt32 _Size;
+
+ public string VirtualAddress { get { return string.Format("0x{0:x8}", _VirtualAddress); } }
+ public string Size { get { return string.Format("0x{0:x8}", _Size); } }
 }
 [TypeConverter(typeof(ExpandableObjectConverter))]
 [StructLayout(LayoutKind.Sequential)]
@@ -474,15 +606,15 @@ _ntHeaders._OptionalHeader64 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER64>(reader); // Should have 10 data directories - if (_ntHeaders.OptionalHeader64.NumberOfRvaAndSizes != 0x10) + if (_ntHeaders.OptionalHeader64._NumberOfRvaAndSizes != 0x10) { throw new InvalidOperationException("Invalid number of data directories in NT header"); } // Scan data directories and load section headers - for (int i = 0; i < _ntHeaders.OptionalHeader64.NumberOfRvaAndSizes; i++) + for (int i = 0; i < _ntHeaders.OptionalHeader64._NumberOfRvaAndSizes; i++) { - if (_ntHeaders.OptionalHeader64.DataDirectory[i].Size > 0) + if (_ntHeaders._OptionalHeader64._DataDirectory[i]._Size > 0) { _sectionHeaders.Add(MarshalBytesTo<IMAGE_SECTION_HEADER>(reader)); }
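Review bot: The `MinorLinkerVersion` property reads `_MajorLinkerVersion` in both `IMAGE_OPTIONAL_HEADER32` and `IMAGE_OPTIONAL_HEADER64`, so the minor linker version can never be displayed; it should be `public string MinorLinkerVersion { get { return string.Format("0x{0:x2}", _MinorLinkerVersion); } }` in both structs. The width specifiers are also uneven: `SizeOfCode` uses `x2` while every other DWORD uses `x8`, and the 32-bit struct's `ImageBase` (a `UInt32`) is padded to `x16`, which reads as a 64-bit value to whoever consumes the output. `DllCharacteristics` is still rendered as raw hex even though this commit adds `DllCharacteristicsType`; once that enum carries `[Flags]`, `((DllCharacteristicsType)_DllCharacteristics).ToString()` would name DYNAMIC_BASE, NX_COMPAT and FORCE_INTEGRITY directly, which is the view a memory scanner actually wants.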
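Review bot: The section-header loop still keys on data-directory sizes — `if (_ntHeaders._OptionalHeader64._DataDirectory[i]._Size > 0) _sectionHeaders.Add(...)` — so it reads one IMAGE_SECTION_HEADER per non-empty directory, whereas the PE format gives the section count in the file header's `_NumberOfSections` (the field shown in the `@@ -111,7 +147,7 @@` hunk); for any image where the two counts differ the list is truncated or padded with bytes from past the section table, unless the remainder of this method, which starts and ends outside the hunk, corrects it. The `!= 0x10` guard does keep `_DataDirectory[i]` inside the `SizeConst = 16` array, but the comment above it says "10 data directories" while the code checks 0x10; change it to `// Should have 16 (0x10) data directories`. The same loop and comment appear in the next hunk (`@@ -494,15 +626,15 @@`) for the 32-bit header.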
@@ -494,15 +626,15 @@ _ntHeaders._OptionalHeader32 = MarshalBytesTo<IMAGE_OPTIONAL_HEADER32>(reader); // Should have 10 data directories - if (_ntHeaders.OptionalHeader32.NumberOfRvaAndSizes != 0x10) + if (_ntHeaders.OptionalHeader32._NumberOfRvaAndSizes != 0x10) { throw new InvalidOperationException("Invalid number of data directories in NT header"); } // Scan data directories and load section headers - for (int i = 0; i < _ntHeaders.OptionalHeader32.NumberOfRvaAndSizes; i++) + for (int i = 0; i < _ntHeaders.OptionalHeader32._NumberOfRvaAndSizes; i++) { - if (_ntHeaders.OptionalHeader32.DataDirectory[i].Size > 0) + if (_ntHeaders._OptionalHeader32._DataDirectory[i]._Size > 0) { _sectionHeaders.Add(MarshalBytesTo<IMAGE_SECTION_HEADER>(reader)); }